Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

windefence32?! hijacked browser...need help

Re: windefence32?! hijacked browser...need help

Post by 0v3rK!LL » November 8th, 2009, 11:09 am

Logfile of random's system information tool 1.06 (written by random/random)
Run by FLO at 2009-11-08 15:08:23
Microsoft Windows XP Professional Service Pack 3
System drive C: has 24 GB (79%) free of 31 GB
Total RAM: 2038 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:43, on 08.11.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\G Data\AntiVirus\AVKTray\AVKTray.exe
C:\Programme\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Sandboxie\SbieCtrl.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Symantec\Norton AntiBot\agent\bin\NABMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\Programme\G Data\AntiVirus\AVK\AVKService.exe
C:\Programme\G Data\AntiVirus\AVK\AVKWCtl.exe
C:\Programme\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\Programme\Gemeinsame Dateien\G DATA\GDScan\GDScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Mozilla Thunderbird\thunderbird.exe
C:\Dokumente und Einstellungen\FLO\Desktop\RSIT.exe
C:\Programme\trend micro\FLO.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: G Data WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G Data\AntiVirus\Webfilter\AVKWebIE.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: G Data WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G Data\AntiVirus\Webfilter\AVKWebIE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPStart] C:\Programme\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [G DATA AntiVirus Trayapplication] C:\Programme\G Data\AntiVirus\AVKTray\AVKTray.exe
O4 - HKLM\..\Run: [NortonAntiBot] "C:\Programme\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SandboxieControl] "C:\Programme\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-21-1220945662-1580436667-1177238915-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7285374116
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe
O23 - Service: G DATA AntiVirus Proxy (AVKProxy) - G Data Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: G Data Scheduler (AVKService) - G Data Software AG - C:\Programme\G Data\AntiVirus\AVK\AVKService.exe
O23 - Service: G Data Dateisystem Wächter (AVKWCtl) - G Data Software AG - C:\Programme\G Data\AntiVirus\AVK\AVKWCtl.exe
O23 - Service: G Data Scanner (GDScan) - G Data Software AG - C:\Programme\Gemeinsame Dateien\G DATA\GDScan\GDScan.exe
O23 - Service: PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - D:/PostgreSQL/8.4/bin/pg_ctl.exe
O23 - Service: SymantecAntiBotAgent - Symantec - C:\Programme\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Programme\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe

--
End of file - 5669 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0124123D-61B4-456f-AF86-78C53A0790C5}]
G Data WebFilter - C:\Programme\G Data\AntiVirus\Webfilter\AVKWebIE.dll [2009-09-18 594504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0124123D-61B4-456f-AF86-78C53A0790C5} - G Data WebFilter - C:\Programme\G Data\AntiVirus\Webfilter\AVKWebIE.dll [2009-09-18 594504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2009-11-03 16342528]
"SynTPStart"=C:\Programme\Synaptics\SynTP\SynTPStart.exe [2009-11-03 102400]
"G DATA AntiVirus Trayapplication"=C:\Programme\G Data\AntiVirus\AVKTray\AVKTray.exe [2009-09-18 924232]
"NortonAntiBot"=C:\Programme\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe [2008-09-08 1378840]
"TrueImageMonitor.exe"=C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe [2009-09-12 5082488]
"Acronis Scheduler2 Service"=C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe [2009-09-12 357800]
"Malwarebytes Anti-Malware (reboot)"=C:\Programme\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"=C:\Programme\Sandboxie\SbieCtrl.exe [2009-09-30 387584]
"Skype"=C:\Programme\Skype\Phone\Skype.exe [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2009-11-03 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoRecentDocsNetHood"=1
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\Skype\Plugin Manager\skypePM.exe"="C:\Programme\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Programme\Skype\Phone\Skype.exe"="C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-11-08 14:23:43 ----D---- C:\Programme\ESET
2009-11-08 02:05:26 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Malwarebytes
2009-11-08 02:05:09 ----D---- C:\Programme\Malwarebytes' Anti-Malware
2009-11-08 02:05:09 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-11-07 21:30:59 ----D---- C:\rsit
2009-11-07 19:54:52 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-11-07 15:38:54 ----D---- C:\Programme\Zone Labs
2009-11-07 15:37:54 ----D---- C:\WINDOWS\Internet Logs
2009-11-07 13:32:48 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Acronis
2009-11-07 13:23:16 ----D---- C:\Programme\PokerStrategy
2009-11-07 13:15:46 ----D---- C:\Programme\Gemeinsame Dateien\Acronis
2009-11-07 13:15:45 ----D---- C:\Programme\Acronis
2009-11-07 12:21:08 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Talkback
2009-11-07 12:20:58 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Thunderbird
2009-11-07 02:08:09 ----N---- C:\WINDOWS\system32\pxinsi64.exe
2009-11-07 02:08:09 ----N---- C:\WINDOWS\system32\pxcpyi64.exe
2009-11-07 02:07:47 ----D---- C:\Programme\Gemeinsame Dateien\DivX Shared
2009-11-07 02:07:47 ----D---- C:\Programme\DivX
2009-11-07 01:10:33 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Symantec
2009-11-07 01:06:03 ----D---- C:\Programme\Symantec
2009-11-07 00:48:38 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Downloaded Installations
2009-11-06 20:30:29 ----A---- C:\WINDOWS\system32\tsccvid.dll
2009-11-06 20:30:27 ----D---- C:\WINDOWS\system32\QuickTime
2009-11-06 20:30:07 ----D---- C:\Programme\Gemeinsame Dateien\TechSmith Shared
2009-11-06 20:30:04 ----D---- C:\Programme\TechSmith
2009-11-06 18:49:30 ----A---- C:\WINDOWS\system32\ctfmon.exe.backup
2009-11-06 17:35:19 ----D---- C:\WINDOWS\system32\appmgmt
2009-11-06 16:19:48 ----RASHD---- C:\cmdcons
2009-11-06 16:18:30 ----A---- C:\WINDOWS\zip.exe
2009-11-06 16:18:30 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-11-06 16:18:30 ----A---- C:\WINDOWS\SWSC.exe
2009-11-06 16:18:30 ----A---- C:\WINDOWS\SWREG.exe
2009-11-06 16:18:30 ----A---- C:\WINDOWS\sed.exe
2009-11-06 16:18:30 ----A---- C:\WINDOWS\PEV.exe
2009-11-06 16:18:30 ----A---- C:\WINDOWS\NIRCMD.exe
2009-11-06 16:18:30 ----A---- C:\WINDOWS\MBR.exe
2009-11-06 16:18:30 ----A---- C:\WINDOWS\grep.exe
2009-11-06 16:12:07 ----D---- C:\WINDOWS\ERDNT
2009-11-06 13:21:51 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\vlc
2009-11-06 13:00:14 ----A---- C:\WINDOWS\system32\msstdfmt.dll
2009-11-06 01:32:24 ----AD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2009-11-06 00:39:56 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2009-11-05 23:21:59 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\G DATA
2009-11-05 23:21:48 ----D---- C:\Programme\Gemeinsame Dateien\G DATA
2009-11-05 23:21:48 ----D---- C:\Programme\G Data
2009-11-05 17:42:50 ----N---- C:\WINDOWS\system32\spmsg2.dll
2009-11-05 17:42:48 ----HDC---- C:\WINDOWS\$NtUninstallXPSEPSCLP$
2009-11-05 07:56:57 ----D---- C:\Programme\MSXML 4.0
2009-11-05 07:53:39 ----D---- C:\WINDOWS\system32\windowspowershell
2009-11-05 07:52:35 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-11-05 07:52:12 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2009-11-05 07:51:34 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2009-11-05 00:33:43 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sunbelt
2009-11-04 20:43:10 ----D---- C:\Programme\Windows Live Safety Center
2009-11-04 18:49:52 ----D---- C:\Programme\Trend Micro
2009-11-04 16:35:42 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2009-11-04 00:41:43 ----D---- C:\Programme\Panda Security
2009-11-04 00:37:03 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\QuickScan
2009-11-03 23:55:55 ----D---- C:\aircrack-ng-1.0-win
2009-11-03 23:46:15 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\ACD Systems
2009-11-03 23:45:31 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ACD Systems
2009-11-03 23:45:24 ----D---- C:\Programme\Gemeinsame Dateien\ACD Systems
2009-11-03 23:45:24 ----D---- C:\Programme\ACD Systems
2009-11-03 23:29:51 ----D---- C:\Programme\VideoLAN
2009-11-03 23:23:54 ----D---- C:\Programme\AltBinz
2009-11-03 23:06:43 ----D---- C:\Lyrics
2009-11-03 23:06:42 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\MiniLyrics
2009-11-03 23:06:13 ----D---- C:\Programme\Minilyrics
2009-11-03 22:59:36 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe
2009-11-03 22:59:25 ----D---- C:\Programme\Gemeinsame Dateien\Adobe
2009-11-03 22:59:25 ----D---- C:\Programme\Adobe
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\vxblock.dll
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\pxwave.dll
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\pxsfs.dll
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\pxmas.dll
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\pxinsa64.exe
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\pxdrv.dll
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\pxcpya64.exe
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\pxafs.dll
2009-11-03 22:57:35 ----N---- C:\WINDOWS\system32\px.dll
2009-11-03 22:57:32 ----D---- C:\Programme\Winamp
2009-11-03 22:57:32 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Winamp
2009-11-03 22:52:03 ----A---- C:\WINDOWS\system32\TURegOpt.exe
2009-11-03 22:52:02 ----A---- C:\WINDOWS\system32\uxtuneup.dll
2009-11-03 22:51:41 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\TuneUp Software
2009-11-03 22:51:32 ----D---- C:\Programme\TuneUp Utilities 2010
2009-11-03 22:51:11 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software
2009-11-03 22:51:07 ----SHD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2009-11-03 22:49:09 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Macromedia
2009-11-03 22:49:09 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Adobe
2009-11-03 22:45:48 ----D---- C:\Programme\DAEMON Tools Lite
2009-11-03 22:45:26 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\DAEMON Tools Lite
2009-11-03 22:45:23 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\DAEMON Tools Lite
2009-11-03 22:42:25 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\skypePM
2009-11-03 22:41:48 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Skype
2009-11-03 22:41:28 ----D---- C:\Programme\Gemeinsame Dateien\Skype
2009-11-03 22:41:26 ----RD---- C:\Programme\Skype
2009-11-03 22:41:19 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype
2009-11-03 22:36:22 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Miranda Fusion
2009-11-03 22:36:16 ----D---- C:\Programme\MirandaFusion
2009-11-03 22:18:25 ----D---- C:\WINDOWS\ie8updates
2009-11-03 22:17:58 ----D---- C:\WINDOWS\WBEM
2009-11-03 22:16:23 ----HDC---- C:\WINDOWS\ie8
2009-11-03 22:15:13 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-03 22:09:40 ----D---- C:\WINDOWS\system32\XPSViewer
2009-11-03 22:09:36 ----D---- C:\Programme\MSBuild
2009-11-03 22:09:35 ----D---- C:\WINDOWS\system32\en-US
2009-11-03 22:09:27 ----D---- C:\Programme\Reference Assemblies
2009-11-03 22:09:00 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-11-03 22:09:00 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-11-03 22:08:59 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-11-03 22:08:20 ----RSD---- C:\WINDOWS\assembly
2009-11-03 22:07:50 ----D---- C:\WINDOWS\Microsoft.NET
2009-11-03 22:06:01 ----HDC---- C:\WINDOWS\$NtUninstallKB943729$
2009-11-03 22:05:54 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-11-03 22:05:53 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2009-11-03 22:05:31 ----D---- C:\Programme\Windows Media Connect 2
2009-11-03 22:03:59 ----D---- C:\WINDOWS\system32\LogFiles
2009-11-03 22:03:54 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2009-11-03 21:57:33 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Windows Genuine Advantage
2009-11-03 21:56:41 ----A---- C:\WINDOWS\system32\wups2.dll
2009-11-03 21:56:41 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2009-11-03 21:56:40 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-11-03 21:56:40 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2009-11-03 21:56:40 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2009-11-03 18:53:37 ----D---- C:\Programme\Windows Sidebar
2009-11-03 18:53:34 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Norton
2009-11-03 18:52:53 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NortonInstaller
2009-11-03 18:48:55 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Mozilla
2009-11-03 18:48:11 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\WinRAR
2009-11-03 18:47:25 ----RD---- C:\Sandbox
2009-11-03 18:47:04 ----D---- C:\Programme\WinRAR
2009-11-03 18:46:52 ----A---- C:\WINDOWS\Sandboxie.ini
2009-11-03 18:46:43 ----D---- C:\Programme\Sandboxie
2009-11-03 18:45:20 ----D---- C:\Programme\Synaptics
2009-11-03 18:45:20 ----A---- C:\WINDOWS\system32\SynTPCo4.dll
2009-11-03 18:45:20 ----A---- C:\WINDOWS\system32\SynTPAPI.dll
2009-11-03 18:45:20 ----A---- C:\WINDOWS\system32\SynCtrl.dll
2009-11-03 18:45:20 ----A---- C:\WINDOWS\system32\SynCOM.dll
2009-11-03 18:44:19 ----D---- C:\WINDOWS\Options
2009-11-03 18:44:19 ----D---- C:\Programme\Atheros
2009-11-03 18:43:55 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\InstallShield
2009-11-03 18:43:55 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Atheros
2009-11-03 18:33:25 ----A---- C:\WINDOWS\system32\ChCfg.exe
2009-11-03 18:33:07 ----D---- C:\WINDOWS\system32\RTCOM
2009-11-03 18:33:06 ----A---- C:\WINDOWS\system32\ksuser.dll
2009-11-03 18:33:02 ----A---- C:\WINDOWS\SoundMan.exe
2009-11-03 18:33:02 ----A---- C:\WINDOWS\SkyTel.exe
2009-11-03 18:33:02 ----A---- C:\WINDOWS\RtlUpd.exe
2009-11-03 18:33:01 ----A---- C:\WINDOWS\RTLCPL.exe
2009-11-03 18:33:00 ----D---- C:\Programme\Realtek
2009-11-03 18:33:00 ----A---- C:\WINDOWS\RTHDCPL.exe
2009-11-03 18:33:00 ----A---- C:\WINDOWS\MicCal.exe
2009-11-03 18:33:00 ----A---- C:\WINDOWS\alcwzrd.exe
2009-11-03 18:33:00 ----A---- C:\WINDOWS\Alcmtr.exe
2009-11-03 18:32:59 ----HD---- C:\Programme\InstallShield Installation Information
2009-11-03 18:32:58 ----A---- C:\WINDOWS\RtlExUpd.dll
2009-11-03 18:32:58 ----A---- C:\WINDOWS\HideWin.exe
2009-11-03 18:32:56 ----D---- C:\Programme\Gemeinsame Dateien\InstallShield
2009-11-03 18:31:24 ----A---- C:\WINDOWS\system32\igfxres.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igxprd32.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igxpgd32.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igxpdx32.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igxpdv32.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igmedcompkrn.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igklg450.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igklg400.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxzoom.exe
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxtray.exe
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxsrvc.exe
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxsrvc.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxress.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxpph.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxpers.exe
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxext.exe
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxexps.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxdo.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxdev.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxCoIn_v4885.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\igfxcfg.exe
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\ig4icd32.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\ig4dev32.dll
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\hkcmd.exe
2009-11-03 18:29:32 ----A---- C:\WINDOWS\system32\hccutils.dll
2009-11-03 18:29:29 ----D---- C:\WINDOWS\system32\Lang
2009-11-03 18:29:29 ----A---- C:\WINDOWS\system32\igxpun.exe
2009-11-03 18:29:29 ----A---- C:\WINDOWS\system32\difxapi.dll
2009-11-03 18:26:43 ----D---- C:\Programme\Mozilla Thunderbird
2009-11-03 18:24:02 ----D---- C:\Programme\Spybot - Search & Destroy
2009-11-03 18:24:02 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-11-03 18:23:22 ----D---- C:\Programme\Mozilla Firefox
2009-11-03 18:21:58 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-11-03 18:21:56 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-11-03 18:21:56 ----D---- C:\Programme\Intel
2009-11-03 18:21:47 ----D---- C:\Intel
2009-11-03 18:20:45 ----D---- C:\WINDOWS\pss
2009-11-03 18:16:21 ----D---- C:\Programme\xp-AntiSpy
2009-11-03 18:15:07 ----RASH---- C:\boot.ini
2009-11-03 18:13:42 ----SHD---- C:\RECYCLER
2009-11-03 18:13:36 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Auslogics
2009-11-03 18:13:33 ----D---- C:\Programme\Auslogics
2009-11-03 18:10:54 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-03 18:10:54 ----RSD---- C:\WINDOWS\Fonts
2009-11-03 18:10:54 ----RD---- C:\WINDOWS\Web
2009-11-03 18:10:54 ----HD---- C:\WINDOWS\inf
2009-11-03 18:10:54 ----D---- C:\WINDOWS\WinSxS
2009-11-03 18:10:54 ----D---- C:\WINDOWS\twain_32
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Temp
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\wins
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\wbem
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\usmt
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\spool
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\ShellExt
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\Setup
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\ras
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\oobe
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\npp
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\mui
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\Macromed
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\inetsrv
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\IME
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\icsxml
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\ias
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\export
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\drivers
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\dhcp
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\de-de
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\de
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\config
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\3com_dmi
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\3076
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\2052
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\1054
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\1042
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\1041
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\1037
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\1033
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\1031
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\1028
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32\1025
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system32
2009-11-03 18:10:54 ----D---- C:\WINDOWS\system
2009-11-03 18:10:54 ----D---- C:\WINDOWS\security
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Resources
2009-11-03 18:10:54 ----D---- C:\WINDOWS\repair
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Provisioning
2009-11-03 18:10:54 ----D---- C:\WINDOWS\PeerNet
2009-11-03 18:10:54 ----D---- C:\WINDOWS\pchealth
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Network Diagnostic
2009-11-03 18:10:54 ----D---- C:\WINDOWS\mui
2009-11-03 18:10:54 ----D---- C:\WINDOWS\msapps
2009-11-03 18:10:54 ----D---- C:\WINDOWS\msagent
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Media
2009-11-03 18:10:54 ----D---- C:\WINDOWS\L2Schemas
2009-11-03 18:10:54 ----D---- C:\WINDOWS\java
2009-11-03 18:10:54 ----D---- C:\WINDOWS\ime
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Help
2009-11-03 18:10:54 ----D---- C:\WINDOWS\ehome
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Driver Cache
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Debug
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Cursors
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Connection Wizard
2009-11-03 18:10:54 ----D---- C:\WINDOWS\Config
2009-11-03 18:10:54 ----D---- C:\WINDOWS\AppPatch
2009-11-03 18:10:54 ----D---- C:\WINDOWS\addins
2009-11-03 18:10:54 ----D---- C:\WINDOWS
2009-11-03 18:00:38 ----D---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Identities
2009-11-03 18:00:37 ----HD---- C:\Programme\Uninstall Information
2009-11-03 18:00:17 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-11-03 18:00:08 ----SD---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\Microsoft
2009-11-03 18:00:08 ----ASH---- C:\Dokumente und Einstellungen\FLO\Anwendungsdaten\desktop.ini
2009-11-03 17:58:21 ----D---- C:\WINDOWS\SoftwareDistribution
2009-11-03 17:58:19 ----SD---- C:\WINDOWS\system32\Microsoft
2009-11-03 17:58:19 ----D---- C:\WINDOWS\Prefetch
2009-11-03 17:58:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-03 17:26:52 ----D---- C:\WINDOWS\system32\xircom
2009-11-03 17:26:52 ----D---- C:\Programme\xerox
2009-11-03 17:26:52 ----D---- C:\Programme\microsoft frontpage
2009-11-03 17:26:23 ----D---- C:\WINDOWS\system32\PreInstall
2009-11-03 17:26:22 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2009-11-03 17:26:21 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-03 17:26:08 ----A---- C:\WINDOWS\control.ini
2009-11-03 17:26:08 ----A---- C:\AUTOEXEC.BAT
2009-11-03 17:25:58 ----A---- C:\WINDOWS\OEWABLog.txt
2009-11-03 17:25:53 ----A---- C:\WINDOWS\system32\mapi32.dll
2009-11-03 17:25:05 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-03 17:25:05 ----RD---- C:\WINDOWS\Offline Web Pages
2009-11-03 17:25:05 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2009-11-03 17:25:00 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-11-03 17:24:55 ----HD---- C:\Programme\WindowsUpdate
2009-11-03 17:24:51 ----D---- C:\Programme\Online-Dienste
2009-11-03 17:24:33 ----D---- C:\WINDOWS\system32\DirectX
2009-11-03 17:24:26 ----A---- C:\WINDOWS\system32\atrace.dll
2009-11-03 17:24:23 ----A---- C:\WINDOWS\system32\desktop.ini
2009-11-03 17:24:23 ----A---- C:\WINDOWS\desktop.ini
2009-11-03 17:24:16 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
2009-11-03 17:24:15 ----A---- C:\WINDOWS\system32\acctres.dll
2009-11-03 17:24:14 ----D---- C:\Programme\Gemeinsame Dateien\Dienste
2009-11-03 17:24:11 ----SD---- C:\WINDOWS\Tasks
2009-11-03 17:24:11 ----A---- C:\WINDOWS\system32\icfgnt5.dll
2009-11-03 17:24:10 ----D---- C:\Programme\Gemeinsame Dateien\MSSoap
2009-11-03 17:24:06 ----D---- C:\WINDOWS\srchasst
2009-11-03 17:24:02 ----A---- C:\WINDOWS\system32\wuweb.dll
2009-11-03 17:24:02 ----A---- C:\WINDOWS\system32\wups.dll
2009-11-03 17:24:02 ----A---- C:\WINDOWS\system32\wucltui.dll
2009-11-03 17:24:02 ----A---- C:\WINDOWS\system32\wuauserv.dll
2009-11-03 17:24:02 ----A---- C:\WINDOWS\system32\wuaueng1.dll
2009-11-03 17:24:02 ----A---- C:\WINDOWS\system32\wuaueng.dll
2009-11-03 17:24:01 ----A---- C:\WINDOWS\system32\wuauclt1.exe
2009-11-03 17:24:01 ----A---- C:\WINDOWS\system32\wuapi.dll
2009-11-03 17:24:01 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2009-11-03 17:24:01 ----A---- C:\WINDOWS\system32\bitsprx4.dll
2009-11-03 17:24:01 ----A---- C:\WINDOWS\system32\bitsprx3.dll
2009-11-03 17:24:01 ----A---- C:\WINDOWS\system32\bitsprx2.dll
2009-11-03 17:24:01 -------- C:\WINDOWS\system32\wuauclt.exe
2009-11-03 17:24:01 -------- C:\WINDOWS\system32\qmgr.dll
2009-11-03 17:23:56 ----D---- C:\Programme\Movie Maker
2009-11-03 17:23:37 ----A---- C:\WINDOWS\system32\safrslv.dll
2009-11-03 17:23:37 ----A---- C:\WINDOWS\system32\safrdm.dll
2009-11-03 17:23:37 ----A---- C:\WINDOWS\system32\safrcdlg.dll
2009-11-03 17:23:37 ----A---- C:\WINDOWS\system32\racpldlg.dll
2009-11-03 17:23:33 ----A---- C:\WINDOWS\system32\fltMc.exe
2009-11-03 17:23:33 ----A---- C:\WINDOWS\system32\fltlib.dll
2009-11-03 17:23:32 ----D---- C:\WINDOWS\system32\Restore
2009-11-03 17:23:32 ----A---- C:\WINDOWS\system32\srrstr.dll
2009-11-03 17:23:32 ----A---- C:\WINDOWS\system32\srclient.dll
2009-11-03 17:23:32 -------- C:\WINDOWS\system32\srsvc.dll
2009-11-03 17:23:31 ----A---- C:\WINDOWS\system32\nmmkcert.dll
2009-11-03 17:23:31 ----A---- C:\WINDOWS\system32\msconf.dll
2009-11-03 17:23:31 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
2009-11-03 17:23:31 ----A---- C:\WINDOWS\system32\mnmdd.dll
2009-11-03 17:23:31 ----A---- C:\WINDOWS\system32\isrdbg32.dll
2009-11-03 17:23:31 ----A---- C:\WINDOWS\system32\ils.dll
2009-11-03 17:23:28 ----D---- C:\Programme\NetMeeting
2009-11-03 17:23:28 ----A---- C:\WINDOWS\system32\msoert2.dll
2009-11-03 17:23:28 ----A---- C:\WINDOWS\system32\msoeacct.dll
2009-11-03 17:23:26 ----A---- C:\WINDOWS\system32\inetres.dll
2009-11-03 17:23:26 ----A---- C:\WINDOWS\system32\inetcomm.dll
2009-11-03 17:23:24 ----D---- C:\Programme\Outlook Express
2009-11-03 17:23:24 ----A---- C:\WINDOWS\system32\mstinit.exe
2009-11-03 17:23:24 ----A---- C:\WINDOWS\system32\mstask.dll
2009-11-03 17:23:24 -------- C:\WINDOWS\system32\schedsvc.dll
2009-11-03 17:23:23 ----A---- C:\WINDOWS\system32\isign32.dll
2009-11-03 17:23:23 ----A---- C:\WINDOWS\system32\inetcfg.dll
2009-11-03 17:23:23 ----A---- C:\WINDOWS\system32\icwphbk.dll
2009-11-03 17:23:23 ----A---- C:\WINDOWS\system32\icwdial.dll
2009-11-03 17:23:17 ----D---- C:\Programme\Gemeinsame Dateien\System
2009-11-03 17:23:12 ----D---- C:\Programme\Internet Explorer
2009-11-03 17:22:32 ----D---- C:\Programme\ComPlus Applications
2009-11-03 17:22:30 ----A---- C:\WINDOWS\vbaddin.ini
2009-11-03 17:22:30 ----A---- C:\WINDOWS\vb.ini
2009-11-03 17:22:24 ----D---- C:\WINDOWS\Registration
2009-11-03 17:22:16 ----D---- C:\Programme\Windows Media Player
2009-11-03 17:22:16 ----D---- C:\Programme\Online Services
2009-11-03 17:22:09 ----D---- C:\Programme\Messenger
2009-11-03 17:22:05 ----D---- C:\Programme\MSN Gaming Zone
2009-11-03 17:22:05 ----A---- C:\WINDOWS\system32\write.exe
2009-11-03 17:21:55 ----A---- C:\WINDOWS\system32\sndvol32.exe
2009-11-03 17:21:55 ----A---- C:\WINDOWS\system32\hticons.dll
2009-11-03 17:21:55 ----A---- C:\WINDOWS\system32\avwav.dll
2009-11-03 17:21:55 ----A---- C:\WINDOWS\system32\avtapi.dll
2009-11-03 17:21:55 ----A---- C:\WINDOWS\system32\avmeter.dll
2009-11-03 17:21:54 ----A---- C:\WINDOWS\system32\winchat.exe
2009-11-03 17:21:47 ----A---- C:\WINDOWS\system32\getuname.dll
2009-11-03 17:21:46 ----A---- C:\WINDOWS\system32\winmine.exe
2009-11-03 17:21:46 ----A---- C:\WINDOWS\system32\sol.exe
2009-11-03 17:21:46 ----A---- C:\WINDOWS\system32\charmap.exe
2009-11-03 17:21:46 ----A---- C:\WINDOWS\system32\calc.exe
2009-11-03 17:21:45 ----A---- C:\WINDOWS\system32\usrlogon.cmd
2009-11-03 17:21:45 ----A---- C:\WINDOWS\system32\tskill.exe
2009-11-03 17:21:45 ----A---- C:\WINDOWS\system32\reset.exe
2009-11-03 17:21:45 ----A---- C:\WINDOWS\system32\mshearts.exe
2009-11-03 17:21:45 ----A---- C:\WINDOWS\system32\freecell.exe
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\tsshutdn.exe
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\tslabels.ini
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\tsdiscon.exe
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\tscon.exe
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\shadow.exe
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\rwinsta.exe
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\regini.exe
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\qwinsta.exe
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\qappsrv.exe
2009-11-03 17:21:44 ----A---- C:\WINDOWS\system32\msg.exe
2009-11-03 17:21:43 ----A---- C:\WINDOWS\system32\msdtcprf.ini
2009-11-03 17:21:43 ----A---- C:\WINDOWS\system32\logoff.exe
2009-11-03 17:21:43 ----A---- C:\WINDOWS\system32\cdmodem.dll
2009-11-03 17:21:37 ----A---- C:\WINDOWS\system32\wmimgmt.msc
2009-11-03 17:21:25 ----D---- C:\Programme\MSN
2009-11-03 17:21:24 ----A---- C:\WINDOWS\system32\accwiz.exe
2009-11-03 17:21:23 ----D---- C:\Programme\Windows NT
2009-11-03 17:21:23 ----A---- C:\WINDOWS\system32\sndrec32.exe
2009-11-03 17:21:23 ----A---- C:\WINDOWS\system32\mplay32.exe
2009-11-03 17:21:23 ----A---- C:\WINDOWS\system32\hypertrm.dll
2009-11-03 17:21:22 ----A---- C:\WINDOWS\system32\spider.exe
2009-11-03 17:21:22 ----A---- C:\WINDOWS\system32\mspaint.exe
2009-11-03 17:21:22 ----A---- C:\WINDOWS\system32\clipbrd.exe
2009-11-03 17:21:21 ----A---- C:\WINDOWS\system32\tsgqec.dll
2009-11-03 17:21:21 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2009-11-03 17:21:21 ----A---- C:\WINDOWS\system32\rhttpaa.dll
2009-11-03 17:21:20 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-11-03 17:21:20 ----A---- C:\WINDOWS\system32\aaclient.dll
2009-11-03 17:21:19 ----A---- C:\WINDOWS\system32\sessmgr.exe
2009-11-03 17:21:19 ----A---- C:\WINDOWS\system32\remotepg.dll
2009-11-03 17:21:19 ----A---- C:\WINDOWS\system32\rdshost.exe
2009-11-03 17:21:19 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2009-11-03 17:21:19 ----A---- C:\WINDOWS\system32\rdchost.dll
2009-11-03 17:21:19 ----A---- C:\WINDOWS\system32\mstsc.exe
2009-11-03 17:21:19 -------- C:\WINDOWS\system32\termsrv.dll
2009-11-03 17:21:18 ----D---- C:\WINDOWS\system32\MsDtc
2009-11-03 17:21:18 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2009-11-03 17:21:18 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2009-11-03 17:21:18 ----A---- C:\WINDOWS\system32\rdpclip.exe
2009-11-03 17:21:18 ----A---- C:\WINDOWS\system32\qprocess.exe
2009-11-03 17:21:18 ----A---- C:\WINDOWS\system32\mtxoci.dll
2009-11-03 17:21:18 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2009-11-03 17:21:18 ----A---- C:\WINDOWS\system32\icaapi.dll
2009-11-03 17:21:18 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2009-11-03 17:21:17 ----A---- C:\WINDOWS\system32\xolehlp.dll
2009-11-03 17:21:17 ----A---- C:\WINDOWS\system32\msdtctm.dll
2009-11-03 17:21:17 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2009-11-03 17:21:17 ----A---- C:\WINDOWS\system32\msdtclog.dll
2009-11-03 17:21:17 ----A---- C:\WINDOWS\system32\msdtc.exe
2009-11-03 17:21:16 ----A---- C:\WINDOWS\system32\mtxlegih.dll
2009-11-03 17:21:16 ----A---- C:\WINDOWS\system32\mtxex.dll
2009-11-03 17:21:16 ----A---- C:\WINDOWS\system32\mtxdm.dll
2009-11-03 17:21:16 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
2009-11-03 17:21:15 ----D---- C:\WINDOWS\system32\Com
2009-11-03 17:21:15 ----A---- C:\WINDOWS\system32\stclient.dll
2009-11-03 17:21:15 ----A---- C:\WINDOWS\system32\comrepl.dll
2009-11-03 17:21:15 ----A---- C:\WINDOWS\system32\comaddin.dll
2009-11-03 17:21:15 ----A---- C:\WINDOWS\system32\colbact.dll
2009-11-03 17:21:15 ----A---- C:\WINDOWS\system32\clbcatex.dll
2009-11-03 17:21:15 ----A---- C:\WINDOWS\system32\catsrvut.dll
2009-11-03 17:21:15 ----A---- C:\WINDOWS\system32\catsrvps.dll
2009-11-03 17:21:14 ----A---- C:\WINDOWS\system32\comuid.dll
2009-11-03 17:21:14 ----A---- C:\WINDOWS\system32\comsvcs.dll
2009-11-03 17:21:14 ----A---- C:\WINDOWS\system32\comsnap.dll
2009-11-03 17:21:14 ----A---- C:\WINDOWS\system32\catsrv.dll
2009-11-03 17:21:13 ----A---- C:\WINDOWS\system32\clbcatq.dll
2009-11-03 17:21:06 ----A---- C:\WINDOWS\system32\servdeps.dll
2009-11-03 17:21:06 ----A---- C:\WINDOWS\system32\mmfutil.dll
2009-11-03 17:21:06 ----A---- C:\WINDOWS\system32\licwmi.dll
2009-11-03 17:21:06 ----A---- C:\WINDOWS\system32\cmprops.dll
2009-11-03 17:20:13 ----A---- C:\WINDOWS\system32\h323log.txt
2009-11-03 17:18:38 ----A---- C:\WINDOWS\system32\usbui.dll
2009-11-03 17:17:22 ----A---- C:\WINDOWS\imsins.BAK
2009-11-03 17:17:20 ----SHD---- C:\WINDOWS\Installer
2009-11-03 17:17:20 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-03 17:17:19 ----D---- C:\Programme\Gemeinsame Dateien\ODBC
2009-11-03 17:17:19 ----A---- C:\WINDOWS\ODBCINST.INI
2009-11-03 17:17:15 ----RD---- C:\Programme
2009-11-03 17:17:15 ----D---- C:\Programme\Gemeinsame Dateien\SpeechEngines
2009-11-03 17:17:15 ----D---- C:\Programme\Gemeinsame Dateien\Microsoft Shared
2009-11-03 17:17:15 ----D---- C:\Programme\Gemeinsame Dateien
2009-11-03 17:17:11 ----RA---- C:\WINDOWS\system32\kbdazel.dll
2009-11-03 17:17:10 ----RA---- C:\WINDOWS\system32\kbdtuq.dll
2009-11-03 17:17:10 ----RA---- C:\WINDOWS\system32\kbdtuf.dll
2009-11-03 17:17:09 ----RA---- C:\WINDOWS\system32\kbdmon.dll
2009-11-03 17:17:09 ----RA---- C:\WINDOWS\system32\kbdkyr.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbdycc.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbduzb.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbdur.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbdtat.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbdru1.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbdru.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbdkaz.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbdbu.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbdblr.dll
2009-11-03 17:17:08 ----RA---- C:\WINDOWS\system32\kbdaze.dll
2009-11-03 17:17:06 ----RA---- C:\WINDOWS\system32\kbdhept.dll
2009-11-03 17:17:06 ----RA---- C:\WINDOWS\system32\kbdhela3.dll
2009-11-03 17:17:06 ----RA---- C:\WINDOWS\system32\kbdhela2.dll
2009-11-03 17:17:06 ----RA---- C:\WINDOWS\system32\kbdhe319.dll
2009-11-03 17:17:06 ----RA---- C:\WINDOWS\system32\kbdhe220.dll
2009-11-03 17:17:06 ----RA---- C:\WINDOWS\system32\kbdhe.dll
2009-11-03 17:17:06 ----RA---- C:\WINDOWS\system32\kbdgkl.dll
2009-11-03 17:17:04 ----RA---- C:\WINDOWS\system32\kbdlv1.dll
2009-11-03 17:17:04 ----RA---- C:\WINDOWS\system32\kbdlv.dll
2009-11-03 17:17:04 ----RA---- C:\WINDOWS\system32\kbdlt1.dll
2009-11-03 17:17:04 ----RA---- C:\WINDOWS\system32\kbdlt.dll
2009-11-03 17:17:04 ----RA---- C:\WINDOWS\system32\kbdest.dll
2009-11-03 17:17:03 ----RA---- C:\WINDOWS\system32\kbdsl1.dll
2009-11-03 17:17:03 ----RA---- C:\WINDOWS\system32\kbdsl.dll
2009-11-03 17:17:03 ----RA---- C:\WINDOWS\system32\kbdro.dll
2009-11-03 17:17:03 ----RA---- C:\WINDOWS\system32\kbdpl1.dll
2009-11-03 17:17:03 ----RA---- C:\WINDOWS\system32\kbdpl.dll
2009-11-03 17:17:02 ----RA---- C:\WINDOWS\system32\kbdycl.dll
2009-11-03 17:17:02 ----RA---- C:\WINDOWS\system32\kbdhu1.dll
2009-11-03 17:17:02 ----RA---- C:\WINDOWS\system32\kbdhu.dll
2009-11-03 17:17:02 ----RA---- C:\WINDOWS\system32\kbdcz2.dll
2009-11-03 17:17:02 ----RA---- C:\WINDOWS\system32\kbdcz1.dll
2009-11-03 17:17:02 ----RA---- C:\WINDOWS\system32\kbdcz.dll
2009-11-03 17:17:02 ----RA---- C:\WINDOWS\system32\kbdcr.dll
2009-11-03 17:17:02 ----RA---- C:\WINDOWS\system32\KBDAL.DLL
2009-11-03 17:16:57 ----A---- C:\WINDOWS\system32\spxcoins.dll
2009-11-03 17:16:57 ----A---- C:\WINDOWS\system32\irclass.dll
2009-11-03 17:16:57 ----A---- C:\WINDOWS\system32\dgsetup.dll
2009-11-03 17:16:57 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
2009-11-03 17:16:56 ----A---- C:\WINDOWS\system32\EqnClass.Dll
2009-11-03 17:16:54 ----A---- C:\WINDOWS\TASKMAN.EXE
2009-11-03 17:16:54 ----A---- C:\WINDOWS\system32\batt.dll
2009-11-03 17:16:53 ----A---- C:\WINDOWS\system32\storprop.dll
2009-11-03 17:16:53 ----A---- C:\WINDOWS\NOTEPAD.EXE
2009-11-03 17:16:44 ----ASH---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
2009-11-03 17:16:30 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-03 17:16:30 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-03 17:16:24 ----SD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft
2009-11-03 17:16:00 ----D---- C:\Dokumente und Einstellungen
2009-11-03 17:15:59 ----SHD---- C:\System Volume Information
2009-10-13 18:22:08 ----A---- C:\WINDOWS\system32\nlite.cmd
2009-10-13 17:57:46 ----A---- C:\WINDOWS\system32\wmspdmod.dll
2009-10-13 17:57:44 ----A---- C:\WINDOWS\system32\msv1_0.dll
2009-10-13 17:57:39 ----A---- C:\WINDOWS\system32\msasn1.dll
2009-10-13 17:57:37 ----N---- C:\WINDOWS\system32\wininet.dll
2009-10-13 17:57:36 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-10-13 17:57:36 ----A---- C:\WINDOWS\system32\shdocvw.dll
2009-10-13 17:57:34 ----N---- C:\WINDOWS\system32\mshtml.dll
2009-10-13 17:57:17 ----A---- C:\WINDOWS\system32\strmdll.dll
2009-10-13 17:57:05 -------- C:\WINDOWS\system32\ntoskrnl.exe
2009-10-13 17:56:49 ----A---- C:\WINDOWS\system32\query.dll
2009-10-13 17:56:40 ----A---- C:\WINDOWS\system32\wmvcore.dll
2009-10-13 17:56:29 ----A---- C:\WINDOWS\system32\wmnetmgr.dll
2009-10-13 17:56:27 ----A---- C:\WINDOWS\system32\logagent.exe
2009-10-13 17:56:19 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-10-13 17:56:16 ----A---- C:\WINDOWS\system32\atl.dll
2009-10-13 17:55:23 ----A---- C:\WINDOWS\system32\jscript.dll
2009-10-13 17:55:18 ----A---- C:\WINDOWS\system32\wkssvc.dll
2009-10-13 17:55:15 ----A---- C:\WINDOWS\system32\quartz.dll
2009-10-13 17:55:06 ----A---- C:\WINDOWS\system32\avifil32.dll
2009-10-13 17:54:54 ----A---- C:\WINDOWS\system32\rpcrt4.dll
2009-10-13 17:54:16 ----A---- C:\WINDOWS\system32\wdigest.dll
2009-10-13 17:54:16 ----A---- C:\WINDOWS\system32\secur32.dll
2009-10-13 17:54:15 ----A---- C:\WINDOWS\system32\schannel.dll
2009-10-13 17:54:13 ----A---- C:\WINDOWS\system32\lsasrv.dll
2009-10-13 17:54:11 ----A---- C:\WINDOWS\system32\kerberos.dll
2009-10-13 17:54:04 ----A---- C:\WINDOWS\system32\shell32.dll
2009-10-13 17:53:11 ----A---- C:\WINDOWS\system32\localspl.dll
2009-10-13 17:53:06 ----A---- C:\WINDOWS\system32\t2embed.dll
2009-10-13 17:53:05 ----A---- C:\WINDOWS\system32\fontsub.dll
2009-10-13 17:53:00 ----A---- C:\WINDOWS\system32\tlntsess.exe
2009-10-13 17:52:56 ----A---- C:\WINDOWS\system32\winhttp.dll
2009-10-13 17:52:51 -------- C:\WINDOWS\system32\kernel32.dll
2009-10-13 17:52:39 ----A---- C:\WINDOWS\system32\netapi32.dll
2009-10-13 17:52:08 ----A---- C:\WINDOWS\system32\gdi32.dll
2009-10-13 17:51:37 -------- C:\WINDOWS\system32\services.exe
2009-10-13 17:51:36 ----A---- C:\WINDOWS\system32\sc.exe
2009-10-13 17:51:36 -------- C:\WINDOWS\system32\rpcss.dll
2009-10-13 17:51:35 ----A---- C:\WINDOWS\system32\pdh.dll
2009-10-13 17:51:16 ----A---- C:\WINDOWS\system32\advapi32.dll
2009-10-13 17:50:51 ----A---- C:\WINDOWS\system32\msxml3.dll
2009-10-13 17:50:41 ----A---- C:\WINDOWS\system32\msxml6.dll
2009-10-13 17:50:24 ----A---- C:\WINDOWS\system32\mscms.dll
2009-10-13 17:50:14 ----A---- C:\WINDOWS\system32\mtxclu.dll
2009-10-13 17:50:01 ----A---- C:\WINDOWS\system32\wshext.dll
2009-10-13 17:50:01 ----A---- C:\WINDOWS\system32\wscript.exe
2009-10-13 17:49:59 ----A---- C:\WINDOWS\system32\vbscript.dll
2009-10-13 17:49:50 ----A---- C:\WINDOWS\system32\scrrun.dll
2009-10-13 17:49:49 ----A---- C:\WINDOWS\system32\scrobj.dll
2009-10-13 17:49:47 ----A---- C:\WINDOWS\system32\cscript.exe
2009-10-13 17:49:38 -------- C:\WINDOWS\system32\mswsock.dll
2009-10-13 17:49:37 ----A---- C:\WINDOWS\system32\dnsapi.dll
2009-10-13 17:43:11 -------- C:\WINDOWS\system32\es.dll

======List of files/folders modified in the last 1 months======

2009-11-06 18:49:30 ----A---- C:\WINDOWS\system32\ctfmon.exe
2009-11-06 16:32:10 ----N---- C:\WINDOWS\system.ini
2009-11-03 22:05:40 ----N---- C:\WINDOWS\win.ini
2009-10-13 18:05:37 ----A---- C:\WINDOWS\system32\wzcsvc.dll
2009-10-13 18:05:37 ----A---- C:\WINDOWS\system32\wzcsapi.dll
2009-10-13 18:05:37 ----A---- C:\WINDOWS\system32\pjlmon.dll
2009-10-13 18:05:37 ----A---- C:\WINDOWS\system32\pid.dll
2009-10-13 18:05:37 ----A---- C:\WINDOWS\system32\msyuv.dll
2009-10-13 18:05:37 ----A---- C:\WINDOWS\system32\iyuv_32.dll
2009-10-13 18:05:37 ----A---- C:\WINDOWS\system32\hid.dll
2009-10-13 18:05:37 ----A---- C:\WINDOWS\system32\dmutil.dll
2009-10-13 18:05:37 ----A---- C:\WINDOWS\system32\cnbjmon.dll
2009-10-13 18:05:37 -------- C:\WINDOWS\system32\ntkrnlpa.exe
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\wowfaxui.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\wowfax.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrvpa.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrvoica.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrv80a.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrv42a.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrsvpia.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrshuta.exe
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrsdpia.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrrtosa.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrprbda.exe
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrmlnka.exe
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrlbva.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrfaxa.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrdtea.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrdpa.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrcoina.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\usrcntra.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\tsbyuv.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\streamci.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\sprio800.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\sprio600.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\spnike.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\paqsp.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\mdwmdmsp.dll
2009-10-13 18:04:25 ----A---- C:\WINDOWS\system32\dvdplay.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 GRD;G Data Rootkit Detector Driver; \??\C:\WINDOWS\system32\drivers\GRD.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40448]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 GDTdiInterceptor;GDTdiInterceptor; \??\C:\WINDOWS\system32\drivers\GDTdiIcpt.sys []
R3 afcdp;afcdp; C:\WINDOWS\system32\DRIVERS\afcdp.sys [2009-11-07 159168]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2009-09-30 1585728]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2009-11-03 161792]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GDMnIcpt;GDMnIcpt; \??\C:\WINDOWS\system32\drivers\MiniIcpt.sys []
R3 GearAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\drivers\GEARAspiWDM.sys [2008-02-22 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HookCentre;HookCentre; \??\C:\WINDOWS\system32\drivers\HookCentre.sys []
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2009-11-03 5851488]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-11-03 4419584]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2009-10-13 12288]
R3 SymantecAntiBotDriver;SymantecAntiBotDriver; \??\C:\Programme\Symantec\Norton AntiBot\agent\driver\AntiBotDriver.sys []
R3 SymantecAntiBotFilter;SymantecAntiBotFilter; \??\C:\Programme\Symantec\Norton AntiBot\agent\driver\AntiBotFilter.sys []
R3 SymantecAntiBotShim;SymantecAntiBotShim; \??\C:\Programme\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys []
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2009-11-03 215904]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 SBRE;SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys []
S3 amhnmh7z;amhnmh7z; C:\WINDOWS\system32\drivers\amhnmh7z.sys []
S3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2007-07-26 547904]
S3 catchme;catchme; \??\C:\DOKUME~1\FLO\LOKALE~1\Temp\catchme.sys []
S3 SbieDrv;SbieDrv; \??\C:\Programme\Sandboxie\SbieDrv.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe [2009-09-12 660936]
R2 afcdpsrv;Acronis Nonstop Backup service; C:\Programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe [2009-11-07 2326920]
R2 AVKProxy;G DATA AntiVirus Proxy; C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe [2009-10-23 1126472]
R2 AVKService;G Data Scheduler; C:\Programme\G Data\AntiVirus\AVK\AVKService.exe [2009-08-08 397896]
R2 AVKWCtl;G Data File System Guard; C:\Programme\G Data\AntiVirus\AVK\AVKWCtl.exe [2009-10-21 1241688]
R2 postgresql-8.4;PostgreSQL Server 8.4; D:/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 -D D:/PostgreSQL/8.4/data -w []
R2 SymantecAntiBotAgent;SymantecAntiBotAgent; C:\Programme\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe [2008-09-08 4910104]
R2 SymantecAntiBotWatcher;SymantecAntiBotWatcher; C:\Programme\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe [2008-09-08 539160]
R3 GDScan;G Data Scanner; C:\Programme\Gemeinsame Dateien\G DATA\GDScan\GDScan.exe [2009-07-27 300616]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 SbieSvc;Sandboxie Service; C:\Programme\Sandboxie\SbieSvc.exe [2009-09-30 65024]

-----------------EOF-----------------
0v3rK!LL
Regular Member
 
Posts: 17
Joined: November 4th, 2009, 3:10 pm

Re: windefence32?! hijacked browser...need help

Unread postby Dakeyras » November 8th, 2009, 11:55 am

Hi :)

Any other issues remaining before we clean up the tools used and I provide some online safety advice?

If you use a Router, I would reset this and apply a new Admin password. The reason being that it would be prudent to do so, considering the infections that were present.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: windefence32?! hijacked browser...need help

Unread postby 0v3rK!LL » November 8th, 2009, 1:10 pm

I'm still surprised that there were at least 2 files left on my system which were not detected by lots of antivirus, anti-malware and online virus scanners... are these files so unknown?! Was this trojan so f***ing bad? Do I have to reset all of my passwords which were saved in Firefox, secured by a master PIN code?

Yeah, and I'm of course interested in preventing such malware in the future, though I have to say that I regularly update my system and my security software, which seemed to be not that effective...

and by the way thank you very much again!
0v3rK!LL
Regular Member
 
Posts: 17
Joined: November 4th, 2009, 3:10 pm

Re: windefence32?! hijacked browser...need help

Unread postby Dakeyras » November 8th, 2009, 4:17 pm

Hi. :)

Every anti-malware application uses its own database and specific methodology for detecting and removing such. So some will detect infections that others do not.

Overall the main infection was bad because of its back-door capabilities and the ramifications of such. With this in mind, yes, it would be prudent to change all online passwords and those stored on your computer as an extra precaution. Tedious it may be, but I highly advise you do so.

Next:

Congratulations your computer now appears to be malware free!

Disclaimer: Given the nature of the infections that were present on the machine, I give no guarantees about the security of this computer and have to the best of my abilities tried to both identify and eradicate all malware.

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics, as this will go a long way to keeping your Computer performing well.

Help! My computer is slow!

So is this:

What to do if your Computer is running slowly

Uninstall ComboFix:

  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

OTC:

Please download OTC and save it to your desktop. This tool will remove all the tools (and logs created) we used to clean your pc.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Delete any leftovers yourself and empty the Recycle Bin.

Re-enable Sandboxie:

  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad: <-- Start >> Run... type in notepad and select OK
Code: Select all
@Echo Off
rem Start the Sandboxie service again and set it back to automatic start
SC Start SbieSvc
SC Config SbieSvc start= auto
rem Delete this batch file once it has run
Del %0
  • Go to File >> Save As
  • Save File name as "Enable.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.

Now double click on the desktop Enable.bat to run the batch file. It will self-delete when completed.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed security application, G Data AntiVirus 2010, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this once per week.

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:


Be careful when opening attachments and downloading files:

  • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  • Never open emails from unknown senders.
  • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice avoid these types of software applications.

Hosts File:

At present you appear to be using the Immunise feature with Spybot - Search & Destroy, either keep this updated or use one of the below.

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

A replacement Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:


Only use one of the above if you decided to discontinue using Spybot - Search & Destroy Immunise feature.

Advised Optional Installation:

There is no sign of a software firewall installed on your system. Regardless of whether you use a hardware type (router built-in) and/or the built-in Windows Service Pack 3 firewall, this is a necessary application, as it will also provide outbound protection, whereas the aforementioned do not.

I highly advise you download ONE of the following firewalls and install it. Restart the computer for changes to take effect.


This article is an excellent resource regarding the aforementioned firewalls: Understanding and Using Firewalls

Finally, an educational source:

To learn more about how to protect yourself while on the internet read this article by Tony Klein:

So how did I get infected in the first place?

Some consider this article outdated; personally I still think it bears relevance, and the author is well respected in the Anti-Malware community and by myself also!

Any questions? Feel free to ask. If not, stay safe!
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
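The Hosts file advice in the post above covers the blocking direction: unwanted names are pointed at 127.0.0.1. The same file is what a hijack edits, so the check worth running after a clean-up is an audit of it. The following is an added example, not part of the post: it parses hosts-file syntax, separates the stock localhost entry and legitimate sinkhole entries from redirects to real addresses, and flags names on a watch-list that have been sinkholed or redirected. The watch-list domains and the sample file are assumptions constructed for the example.

```python
"""Audit a Windows hosts file for signs of tampering.

A blocking hosts file points unwanted names at 127.0.0.1 (or 0.0.0.0); that
is what Spybot's Immunise feature and the replacement hosts files do.  The
same mechanism is what a hijack abuses, either by sinkholing update and
security-vendor sites or by pointing well-known names at an attacker's host.

Added example, not part of the original post.  WATCHLIST and SAMPLE_HOSTS
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Fixed location of the file on Windows (expand %SystemRoot% at run time).
WINDOWS_HOSTS = r"%SystemRoot%\system32\drivers\etc\hosts"

# Targets a blocking hosts file legitimately uses as a sinkhole.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed watch-list: names malware commonly cuts off or redirects.
# Extend with your own vendor, update and banking hosts.
WATCHLIST = ("microsoft.com", "windowsupdate.com", "symantec.com",
             "malwarebytes.org", "eset.com")


@dataclass
class HostsEntry:
    line_no: int
    target: str
    names: List[str]
    kind: str            # "loopback", "block", "redirect" or "malformed"


@dataclass
class Finding:
    line_no: int
    severity: str        # "high" or "medium"
    message: str


def on_watchlist(name: str) -> bool:
    """True if name is a watch-listed domain or a subdomain of one."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in WATCHLIST)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse '<ip> <name> [<name>...]' lines; '#' starts a comment."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        target, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(target)
            valid = bool(names)
        except ValueError:
            valid = False
        if not valid:
            kind = "malformed"
        elif target in SINKHOLES and all(n.lower() == "localhost" for n in names):
            kind = "loopback"            # the stock entry Windows ships with
        elif target in SINKHOLES:
            kind = "block"               # ad/malware blocking entry
        else:
            kind = "redirect"            # name sent to a real address
        entries.append(HostsEntry(line_no, target, names, kind))
    return entries


def audit(entries: List[HostsEntry]) -> List[Finding]:
    """Report entries that look like tampering rather than blocking."""
    findings: List[Finding] = []
    for e in entries:
        watched = [n for n in e.names if on_watchlist(n)]
        if e.kind == "block" and watched:
            # A security or update site sinkholed: classic hijack symptom.
            findings.append(Finding(e.line_no, "high",
                            f"{', '.join(watched)} sinkholed to {e.target}"))
        elif e.kind == "redirect":
            sev = "high" if watched else "medium"
            findings.append(Finding(e.line_no, sev,
                            f"{', '.join(e.names)} redirected to {e.target}"))
        elif e.kind == "malformed":
            findings.append(Finding(e.line_no, "medium", "unparseable entry"))
    return findings


def audit_text(text: str) -> List[Finding]:
    return audit(parse_hosts(text))


# Constructed sample; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# blocking entries of the kind a replacement hosts file adds (legitimate)
127.0.0.1       ads.example.net
0.0.0.0         tracker.example.org
# tampered entries, constructed for this example
127.0.0.1       www.malwarebytes.org
203.0.113.5     www.google.com
203.0.113.5     update.microsoft.com
"""

if __name__ == "__main__":
    for f in audit_text(SAMPLE_HOSTS):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```

To run it on a live machine, read the file at the path in WINDOWS_HOSTS (after expanding the environment variable) and pass its contents to audit_text. A long list of "block" entries with no findings is what a Spybot-immunised or replacement hosts file looks like; any "high" finding is the kind of entry that keeps an infected machine from reaching its update and vendor sites.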

Re: windefence32?! hijacked browser...need help

Unread postby 0v3rK!LL » November 8th, 2009, 7:09 pm

Hey... I installed the ZoneAlarm firewall before your last post. After that I had a very, very slow Windows bootup. I was suspicious and scanned my system again with the Malwarebytes software and ESET (they both found nothing) and also with ComboFix. Hope you could also review the ComboFix log now, in case there is suspicious content listed that your eyes would catch. Thank you.

By the way: what about ZoneAlarm/Pro? Do you think it is as good as the firewalls you mentioned? Or would you really recommend one of those? Which one should be the best?

cheers
0v3rK!LL
Regular Member
 
Posts: 17
Joined: November 4th, 2009, 3:10 pm

Re: windefence32?! hijacked browser...need help

Unread postby 0v3rK!LL » November 8th, 2009, 7:10 pm

ComboFix 09-11-05.05 - FLO 08.11.2009 22:48.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2038.1369 [GMT 0:00]
run from:: c:\dokumente und einstellungen\FLO\Desktop\ComboFix.exe
AV: G Data AntiVirus 2010 *On-access scanning disabled* (Updated) {71310606-6F3B-49F2-9A81-8315AA75FBB3}
.

((((((((((((((((((((((( Files created from 2009-10-08 to 2009-11-08 ))))))))))))))))))))))))))))))
.

2009-11-08 22:14 . 2009-11-08 22:14 -------- d-----w- c:\programme\ESET
2009-11-08 18:35 . 2009-11-08 20:04 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-11-08 18:35 . 2009-09-22 02:01 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-11-08 18:35 . 2009-09-22 02:01 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-11-08 18:35 . 2009-09-22 02:01 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-08 18:35 . 2009-11-08 18:35 -------- d-----w- c:\windows\system32\ZoneLabs
2009-11-08 15:49 . 2009-11-08 15:49 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\DivX
2009-11-08 02:05 . 2009-11-08 02:05 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Malwarebytes
2009-11-08 02:05 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 02:05 . 2009-11-08 02:05 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2009-11-08 02:05 . 2009-11-08 02:05 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-11-08 02:05 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 18:20 . 2009-11-07 18:20 4330171 ----a-w- C:\aircrack-ng-1.0-win.zip
2009-11-07 15:38 . 2009-11-07 15:38 -------- d-----w- c:\programme\Zone Labs
2009-11-07 15:37 . 2009-11-08 22:20 -------- d-----w- c:\windows\Internet Logs
2009-11-07 14:58 . 2009-06-30 10:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-07 13:24 . 2009-11-07 13:24 9158 ----a-r- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Microsoft\Installer\{D7DCC734-7F6F-4E82-9B74-0BAB4BB36C4A}\_94D18E1C7EA5B46C37BE1D.exe
2009-11-07 13:24 . 2009-11-07 13:24 172940 ----a-r- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Microsoft\Installer\{D7DCC734-7F6F-4E82-9B74-0BAB4BB36C4A}\_70C3F2E6E21773A503CD98.exe
2009-11-07 13:24 . 2009-11-07 13:24 172940 ----a-r- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Microsoft\Installer\{D7DCC734-7F6F-4E82-9B74-0BAB4BB36C4A}\_6FEFF9B68218417F98F549.exe
2009-11-07 13:23 . 2009-11-07 13:23 -------- d-----w- c:\programme\PokerStrategy
2009-11-07 13:16 . 2009-11-07 13:16 159168 ----a-w- c:\windows\system32\drivers\afcdp.sys
2009-11-07 13:16 . 2009-11-07 13:16 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys
2009-11-07 13:16 . 2009-11-07 13:16 570016 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-11-07 13:15 . 2009-11-07 13:15 157248 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-11-07 13:15 . 2009-11-07 13:16 -------- d-----w- c:\programme\Gemeinsame Dateien\Acronis
2009-11-07 13:15 . 2009-11-07 13:15 -------- d-----w- c:\programme\Acronis
2009-11-07 12:21 . 2009-11-07 12:21 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Talkback
2009-11-07 12:20 . 2009-11-07 12:21 -------- d-----w- c:\dokumente und einstellungen\FLO\Lokale Einstellungen\Anwendungsdaten\Thunderbird
2009-11-07 12:20 . 2009-11-07 12:21 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Thunderbird
2009-11-07 02:08 . 2009-09-25 16:42 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-07 02:08 . 2009-09-25 16:42 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-07 02:07 . 2009-11-07 02:08 -------- d-----w- c:\programme\DivX
2009-11-07 02:07 . 2009-11-07 02:07 -------- d-----w- c:\programme\Gemeinsame Dateien\DivX Shared
2009-11-07 01:10 . 2009-11-07 01:10 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Symantec
2009-11-07 01:06 . 2009-11-07 01:06 -------- d-----w- c:\programme\Symantec
2009-11-07 00:48 . 2009-11-07 01:09 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Downloaded Installations
2009-11-06 20:30 . 2008-07-10 13:56 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-11-06 20:30 . 2009-11-06 20:30 -------- d-----w- c:\windows\system32\QuickTime
2009-11-06 20:30 . 2009-11-06 20:30 -------- d-----w- c:\programme\Gemeinsame Dateien\TechSmith Shared
2009-11-06 20:30 . 2009-11-06 20:30 -------- d-----w- c:\programme\TechSmith
2009-11-06 19:51 . 2009-11-06 19:51 68976 ----a-w- c:\windows\system32\drivers\GRD.sys
2009-11-06 19:40 . 2009-11-06 19:40 55624 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2009-11-06 19:40 . 2009-11-06 19:40 51784 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-11-06 19:40 . 2009-11-06 19:40 34632 ----a-w- c:\windows\system32\drivers\HookCentre.sys
2009-11-06 14:57 . 2009-11-06 14:57 -------- d-----w- c:\dokumente und einstellungen\FLO\dwhelper
2009-11-06 13:21 . 2009-11-08 22:44 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\vlc
2009-11-06 13:00 . 2000-04-03 23:05 118784 ----a-w- c:\windows\system32\msstdfmt.dll
2009-11-06 01:32 . 2009-11-06 17:34 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-11-06 00:39 . 2009-10-01 09:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-11-05 23:52 . 2009-11-05 23:57 -------- d-----w- c:\dokumente und einstellungen\FLO\Lokale Einstellungen\Anwendungsdaten\QuickPar
2009-11-05 23:22 . 2009-11-05 23:22 27848 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2009-11-05 23:21 . 2009-11-06 19:42 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\G DATA
2009-11-05 23:21 . 2009-11-06 19:40 -------- d-----w- c:\programme\Gemeinsame Dateien\G DATA
2009-11-05 23:21 . 2009-11-06 19:40 -------- d-----w- c:\programme\G Data
2009-11-05 23:02 . 2008-04-14 05:52 26624 ----a-w- c:\dokumente und einstellungen\LocalService\Anwendungsdaten\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-11-05 18:00 . 2009-11-05 18:00 -------- d-----w- c:\dokumente und einstellungen\FLO\Lokale Einstellungen\Anwendungsdaten\Symantec
2009-11-05 17:42 . 2006-06-29 13:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-11-05 14:10 . 2009-11-05 14:10 -------- d-sh--w- c:\dokumente und einstellungen\NetworkService\IETldCache
2009-11-05 07:56 . 2009-11-05 07:56 -------- d-----w- c:\programme\MSXML 4.0
2009-11-05 07:51 . 2009-11-05 07:51 -------- d-----r- c:\dokumente und einstellungen\LocalService\Favoriten
2009-11-05 00:33 . 2009-11-05 00:33 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Sunbelt
2009-11-04 20:43 . 2009-11-06 17:35 -------- d-----w- c:\programme\Windows Live Safety Center
2009-11-04 20:41 . 2009-11-04 20:41 -------- d-sh--w- c:\dokumente und einstellungen\FLO\IECompatCache
2009-11-04 20:40 . 2009-11-04 20:40 -------- d-sh--w- c:\dokumente und einstellungen\FLO\PrivacIE
2009-11-04 18:49 . 2009-11-08 15:08 -------- d-----w- c:\programme\Trend Micro
2009-11-04 18:42 . 2009-11-04 18:42 -------- d-sh--w- c:\dokumente und einstellungen\LocalService\IETldCache
2009-11-04 16:35 . 2009-11-08 02:02 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Lavasoft
2009-11-04 10:49 . 2009-11-04 10:49 -------- d-----w- c:\dokumente und einstellungen\FLO\Lokale Einstellungen\Anwendungsdaten\Identities
2009-11-04 00:41 . 2009-11-07 14:57 -------- d-----w- c:\programme\Panda Security
2009-11-04 00:37 . 2009-11-04 00:41 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\QuickScan
2009-11-04 00:11 . 2008-11-11 12:59 24376 ----a-w- c:\windows\system32\drivers\ts_lb.sys
2009-11-03 23:55 . 2009-11-03 23:56 -------- d-----w- C:\aircrack-ng-1.0-win
2009-11-03 23:46 . 2009-11-03 23:46 -------- d-----w- c:\dokumente und einstellungen\FLO\Lokale Einstellungen\Anwendungsdaten\ACD Systems
2009-11-03 23:46 . 2009-11-03 23:46 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\ACD Systems
2009-11-03 23:45 . 2009-11-03 23:45 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\ACD Systems
2009-11-03 23:45 . 2009-11-03 23:45 -------- d-----w- c:\programme\Gemeinsame Dateien\ACD Systems
2009-11-03 23:45 . 2009-11-03 23:45 -------- d-----w- c:\programme\ACD Systems
2009-11-03 23:32 . 2009-11-05 23:20 -------- d-----w- c:\dokumente und einstellungen\FLO\Lokale Einstellungen\Anwendungsdaten\Downloaded Installations
2009-11-03 23:29 . 2009-11-03 23:29 -------- d-----w- c:\programme\VideoLAN
2009-11-03 23:23 . 2009-11-03 23:25 -------- d-----w- c:\programme\AltBinz
2009-11-03 23:20 . 2009-11-03 23:20 -------- d-----w- c:\dokumente und einstellungen\FLO\Lokale Einstellungen\Anwendungsdaten\Adobe
2009-11-03 23:06 . 2009-11-05 23:27 -------- d-----w- C:\Lyrics
2009-11-03 23:06 . 2009-11-06 15:04 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\MiniLyrics
2009-11-03 23:06 . 2009-11-03 23:06 -------- d-----w- c:\programme\Minilyrics
2009-11-03 23:00 . 2009-11-03 23:00 -------- d-----w- c:\dokumente und einstellungen\LocalService\Anwendungsdaten\TuneUp Software
2009-11-03 22:59 . 2009-11-03 22:59 -------- d-----w- c:\programme\Gemeinsame Dateien\Adobe
2009-11-03 22:52 . 2009-10-30 13:34 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2009-11-03 22:52 . 2009-10-30 13:27 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2009-11-03 22:51 . 2009-11-03 22:51 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\TuneUp Software
2009-11-03 22:51 . 2009-11-03 22:52 -------- d-----w- c:\programme\TuneUp Utilities 2010
2009-11-03 22:51 . 2009-11-03 22:51 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TuneUp Software
2009-11-03 22:51 . 2009-11-03 22:51 -------- d-sh--w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2009-11-03 22:45 . 2009-11-06 18:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-03 22:45 . 2009-11-06 20:39 -------- d-----w- c:\programme\DAEMON Tools Lite
2009-11-03 22:45 . 2009-11-06 20:51 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\DAEMON Tools Lite
2009-11-03 22:45 . 2009-11-03 22:45 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DAEMON Tools Lite
2009-11-03 22:42 . 2009-11-08 18:47 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\skypePM
2009-11-03 22:42 . 2009-11-03 22:42 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-03 22:41 . 2009-11-08 22:19 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Skype
2009-11-03 22:41 . 2009-11-03 22:41 -------- d-----w- c:\programme\Gemeinsame Dateien\Skype
2009-11-03 22:41 . 2009-11-06 17:36 -------- d-----r- c:\programme\Skype
2009-11-03 22:41 . 2009-11-03 22:41 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2009-11-03 22:38 . 2009-11-03 22:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-03 22:36 . 2009-11-03 22:36 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Miranda Fusion
2009-11-03 22:36 . 2009-11-03 22:36 -------- d-----w- c:\programme\MirandaFusion
2009-11-03 22:33 . 2009-11-03 22:33 -------- d-sh--w- c:\dokumente und einstellungen\FLO\IETldCache
2009-11-03 22:18 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-03 22:18 . 2009-11-05 07:57 -------- d-----w- c:\windows\ie8updates
2009-11-03 22:18 . 2009-08-29 07:54 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-03 22:18 . 2009-08-29 07:54 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-03 22:18 . 2009-08-29 07:54 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-03 22:18 . 2009-08-29 07:54 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-11-03 22:18 . 2009-08-29 07:54 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-03 22:18 . 2009-08-29 07:54 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-11-03 22:16 . 2009-11-03 22:18 -------- dc-h--w- c:\windows\ie8
2009-11-03 22:09 . 2009-11-05 17:42 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-03 22:09 . 2009-11-03 22:09 -------- d-----w- c:\programme\MSBuild
2009-11-03 22:09 . 2009-11-03 22:09 -------- d-----w- c:\programme\Reference Assemblies
2009-11-03 22:09 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-03 22:09 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-03 22:09 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-03 22:09 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-03 22:09 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-03 22:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-03 22:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 20:47 . 2009-11-03 18:26 -------- d-----w- c:\programme\Mozilla Thunderbird
2009-11-06 18:49 . 2008-04-14 05:52 24064 ----a-w- c:\windows\system32\ctfmon.exe
2009-11-05 23:28 . 2001-08-23 12:00 80488 ----a-w- c:\windows\system32\perfc007.dat
2009-11-05 23:28 . 2001-08-23 12:00 448970 ----a-w- c:\windows\system32\perfh007.dat
2009-11-05 23:15 . 2009-11-03 18:53 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Norton
2009-11-04 11:00 . 2009-11-03 18:24 -------- d-----w- c:\programme\Spybot - Search & Destroy
2009-11-03 23:32 . 2009-11-03 18:03 12328 ----a-w- c:\dokumente und einstellungen\FLO\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-11-03 23:05 . 2009-11-03 22:57 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Winamp
2009-11-03 22:58 . 2009-11-03 22:57 -------- d-----w- c:\programme\Winamp
2009-11-03 18:53 . 2009-11-03 18:53 -------- d-----w- c:\programme\Windows Sidebar
2009-11-03 18:53 . 2009-11-03 18:52 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\NortonInstaller
2009-11-03 18:48 . 2009-11-03 18:48 0 ----a-w- c:\windows\nsreg.dat
2009-11-03 18:46 . 2009-11-03 18:46 -------- d-----w- c:\programme\Sandboxie
2009-11-03 18:45 . 2009-11-03 18:45 -------- d-----w- c:\programme\Synaptics
2009-11-03 18:45 . 2009-11-03 18:32 -------- d-----w- c:\programme\Gemeinsame Dateien\InstallShield
2009-11-03 18:44 . 2009-11-03 18:45 215904 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-11-03 18:44 . 2009-11-03 18:45 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-11-03 18:44 . 2009-11-03 18:45 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-11-03 18:44 . 2009-11-03 18:45 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2009-11-03 18:44 . 2009-11-03 18:45 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-11-03 18:44 . 2009-11-03 18:44 -------- d-----w- c:\programme\Atheros
2009-11-03 18:44 . 2009-11-03 18:32 -------- d--h--w- c:\programme\InstallShield Installation Information
2009-11-03 18:43 . 2009-11-03 18:43 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\InstallShield
2009-11-03 18:43 . 2009-11-03 18:43 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Atheros
2009-11-03 18:42 . 2007-07-22 13:41 161792 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2009-11-03 18:29 . 2009-11-03 18:29 920088 ----a-w- c:\windows\system32\igxpun.exe
2009-11-03 18:24 . 2009-11-03 18:24 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-11-03 18:21 . 2009-11-03 18:21 -------- d-----w- c:\programme\Intel
2009-11-03 18:16 . 2009-11-03 18:16 -------- d-----w- c:\programme\xp-AntiSpy
2009-11-03 18:13 . 2009-11-03 18:13 -------- d-----w- c:\dokumente und einstellungen\FLO\Anwendungsdaten\Auslogics
2009-11-03 18:13 . 2009-11-03 18:13 -------- d-----w- c:\programme\Auslogics
2009-11-03 18:05 . 2009-11-03 17:25 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-03 17:26 . 2009-11-03 17:26 -------- d-----w- c:\programme\microsoft frontpage
2009-11-03 17:24 . 2009-11-03 17:24 -------- d-----w- c:\programme\Online-Dienste
2009-11-03 17:24 . 2009-11-03 17:24 -------- d-----w- c:\programme\Gemeinsame Dateien\Dienste
2009-11-03 17:22 . 2009-11-03 17:22 21740 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-13 18:22 . 2009-10-13 18:22 42 ----a-w- c:\windows\system32\nlite.cmd
2009-10-13 18:04 . 2001-08-18 02:55 77891 ----a-w- c:\windows\system32\usrmlnka.exe
2009-10-13 17:57 . 2009-10-13 17:57 604160 ----a-w- c:\windows\system32\wmspdmod.dll
2009-10-13 17:57 . 2009-10-13 17:57 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-13 17:57 . 2009-10-13 17:57 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-10-13 17:57 . 2009-10-13 17:57 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-10-13 17:57 . 2009-10-13 17:57 2147840 ------w- c:\windows\system32\ntoskrnl.exe
2009-10-13 17:56 . 2009-10-13 17:56 1441792 ----a-w- c:\windows\system32\query.dll
2009-10-13 17:56 . 2009-10-13 17:56 938496 ----a-w- c:\windows\system32\wmnetmgr.dll
2009-10-13 17:56 . 2009-10-13 17:56 100864 ----a-w- c:\windows\system32\logagent.exe
2009-10-13 17:56 . 2009-10-13 17:56 206336 ----a-w- c:\windows\system32\mswebdvd.dll
2009-10-13 17:56 . 2009-10-13 17:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-10-13 17:55 . 2009-10-13 17:55 134144 ----a-w- c:\windows\system32\wkssvc.dll
2009-10-13 17:55 . 2009-10-13 17:55 1296896 ----a-w- c:\windows\system32\quartz.dll
2009-10-13 17:55 . 2009-10-13 17:55 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-10-13 17:54 . 2009-10-13 17:54 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-10-13 17:54 . 2009-10-13 17:54 1847936 ----a-w- c:\windows\system32\win32k.sys
2009-10-13 17:54 . 2009-10-13 17:54 56832 ----a-w- c:\windows\system32\secur32.dll
2009-10-13 17:54 . 2009-10-13 17:54 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-10-13 17:54 . 2009-10-13 17:54 147456 ----a-w- c:\windows\system32\schannel.dll
2009-10-13 17:54 . 2009-10-13 17:54 737792 ----a-w- c:\windows\system32\lsasrv.dll
2009-10-13 17:54 . 2009-10-13 17:54 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-10-13 17:53 . 2009-10-13 17:53 348672 ----a-w- c:\windows\system32\localspl.dll
2009-10-13 17:53 . 2009-10-13 17:53 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-10-13 17:53 . 2009-10-13 17:53 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-10-13 17:53 . 2009-10-13 17:53 82944 ----a-w- c:\windows\system32\tlntsess.exe
2009-10-13 17:52 . 2009-10-13 17:52 354304 ----a-w- c:\windows\system32\winhttp.dll
2009-10-13 17:52 . 2009-10-13 17:52 333952 ----a-w- c:\windows\system32\drivers\srv.sys
2009-10-13 17:52 . 2009-10-13 17:52 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-10-13 17:52 . 2009-10-13 17:52 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2009-10-13 17:52 . 2009-10-13 17:52 286720 ----a-w- c:\windows\system32\gdi32.dll
2009-10-13 17:52 . 2009-11-03 17:21 2067968 ----a-w- c:\windows\system32\mstscax.dll
2009-10-13 17:51 . 2009-11-03 17:21 453120 ----a-w- c:\windows\system32\wbem\wmiprvsd.dll
2009-10-13 17:51 . 2009-11-03 17:21 227840 ----a-w- c:\windows\system32\wbem\wmiprvse.exe
2009-10-13 17:51 . 2009-10-13 17:51 111104 ------w- c:\windows\system32\services.exe
2009-10-13 17:51 . 2009-10-13 17:51 401408 ------w- c:\windows\system32\rpcss.dll
2009-10-13 17:51 . 2009-10-13 17:51 35328 ----a-w- c:\windows\system32\sc.exe
2009-10-13 17:51 . 2009-10-13 17:51 286720 ----a-w- c:\windows\system32\pdh.dll
2009-10-13 17:51 . 2009-11-03 17:21 473600 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-10-13 17:51 . 2009-10-13 17:51 678400 ----a-w- c:\windows\system32\advapi32.dll
2009-10-13 17:50 . 2009-10-13 17:50 1106944 ----a-w- c:\windows\system32\msxml3.dll
2009-10-13 17:50 . 2009-10-13 17:50 1379840 ----a-w- c:\windows\system32\msxml6.dll
2009-10-13 17:50 . 2009-10-13 17:50 74240 ----a-w- c:\windows\system32\mscms.dll
2009-10-13 17:50 . 2009-11-03 17:21 91648 ----a-w- c:\windows\system32\mtxoci.dll
2009-10-13 17:50 . 2009-11-03 17:21 161792 ----a-w- c:\windows\system32\msdtcuiu.dll
2009-10-13 17:50 . 2009-11-03 17:21 956928 ----a-w- c:\windows\system32\msdtctm.dll
2009-10-13 17:50 . 2009-10-13 17:50 66560 ----a-w- c:\windows\system32\mtxclu.dll
2009-10-13 17:50 . 2009-11-03 17:21 428032 ----a-w- c:\windows\system32\msdtcprx.dll
2009-10-13 17:50 . 2009-11-03 17:21 58880 ----a-w- c:\windows\system32\msdtclog.dll
2009-10-13 17:50 . 2009-10-13 17:50 90112 ----a-w- c:\windows\system32\wshext.dll
2009-10-13 17:50 . 2009-10-13 17:50 155648 ----a-w- c:\windows\system32\wscript.exe
2009-10-13 17:49 . 2009-10-13 17:49 172032 ----a-w- c:\windows\system32\scrrun.dll
2009-10-13 17:49 . 2009-10-13 17:49 180224 ----a-w- c:\windows\system32\scrobj.dll
2009-10-13 17:49 . 2009-10-13 17:49 135168 ----a-w- c:\windows\system32\cscript.exe
2009-10-13 17:49 . 2009-10-13 17:49 225856 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-10-13 17:49 . 2009-10-13 17:49 361600 ------w- c:\windows\system32\drivers\tcpip.sys
2009-10-13 17:49 . 2009-10-13 17:49 247296 ------w- c:\windows\system32\mswsock.dll
2009-10-13 17:49 . 2009-10-13 17:49 273024 ----a-w- c:\windows\system32\drivers\bthport.sys
2009-10-13 17:43 . 2009-11-03 17:23 691712 ----a-w- c:\windows\system32\inetcomm.dll
2009-10-13 17:43 . 2009-10-13 17:43 253952 ------w- c:\windows\system32\es.dll
2009-10-13 17:43 . 2009-10-13 17:43 203136 ----a-w- c:\windows\system32\drivers\RMCast.sys
2009-10-08 13:57 . 2008-07-29 18:59 614912 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 13:57 . 2001-08-23 12:00 23040 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-08 13:57 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\programme\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\programme\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-11-06 18:49 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[-] 2009-11-06 18:49 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\dllcache\ctfmon.exe
[7] 2008-04-14 . 01B4E6E990B6C5EA8856D96C7FD044B2 . 15360 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ctfmon.exe
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\programme\Sandboxie\SbieCtrl.exe" [2009-09-30 387584]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\programme\Synaptics\SynTP\SynTPStart.exe" [2009-11-03 102400]
"G DATA AntiVirus Trayapplication"="c:\programme\G Data\AntiVirus\AVKTray\AVKTray.exe" [2009-09-18 924232]
"NortonAntiBot"="c:\programme\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe" [2008-09-08 1378840]
"TrueImageMonitor.exe"="c:\programme\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5082488]
"Acronis Scheduler2 Service"="c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2009-09-12 357800]
"Malwarebytes Anti-Malware (reboot)"="c:\programme\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-22 1011080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2009-11-03 16342528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-11-06 24064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"Adobe ARM"="c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [05.11.2009 23:22 27848]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [07.11.2009 14:58 28552]
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [07.11.2009 13:16 902432]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [06.11.2009 19:51 68976]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe [07.11.2009 13:16 2326920]
R2 AVKProxy;G DATA AntiVirus Proxy;c:\programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe [22.09.2009 15:28 1126472]
R2 AVKService;G Data Scheduler;c:\programme\G Data\AntiVirus\AVK\AVKService.exe [08.08.2009 12:33 397896]
R2 AVKWCtl;G Data Dateisystem Wächter;c:\programme\G Data\AntiVirus\AVK\AVKWCtl.exe [23.09.2009 14:01 1241688]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [06.11.2009 19:40 51784]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [07.11.2009 13:16 159168]
R3 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [06.11.2009 19:40 55624]
R3 GDScan;G Data Scanner;c:\programme\Gemeinsame Dateien\G DATA\GDScan\GDScan.exe [27.07.2009 03:03 300616]
R3 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [06.11.2009 19:40 34632]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 postgresql-8.4;PostgreSQL Server 8.4;D:/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "D:/PostgreSQL/8.4/data" -w --> D:/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S3 SbieDrv;SbieDrv;c:\programme\Sandboxie\SbieDrv.sys [30.09.2009 09:15 116736]

--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Zusätzlicher Suchlauf -------
.
FF - ProfilePath - c:\dokumente und einstellungen\FLO\Anwendungsdaten\Mozilla\Firefox\Profiles\914cbo57.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk
FF - component: c:\programme\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}\components\AvkWebFilterFF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 22:54
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spat.sys >>UNKNOWN [0x8A0D0938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9E08B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9E08B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9E08B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB9E08B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB9E08B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB9E08B40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\postgresql-8.4]
"ImagePath"="D:/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"D:/PostgreSQL/8.4/data\" -w"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\postgresql-8.4]
"ImagePath"="D:/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"D:/PostgreSQL/8.4/data\" -w"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'explorer.exe'(1128)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Zeit der Fertigstellung: 2009-11-08 22:56
ComboFix-quarantined-files.txt 2009-11-08 22:56

Vor Suchlauf: 8 Verzeichnis(se), 25.303.216.128 Bytes frei
Nach Suchlauf: 10 Verzeichnis(se), 25.228.709.888 Bytes frei

- - End Of File - - B93C7AD7F11091C0DBB3DAD61C2A861D
0v3rK!LL
Regular Member
 
Posts: 17
Joined: November 4th, 2009, 3:10 pm

Re: windefence32?! hijacked browser...need help

Unread postby Dakeyras » November 9th, 2009, 5:35 am

Hi. :)

hey...I installed zonealarm firewall before your last post. After that I had a very very slow windows bootup.
It is entirely feasible that ZA just does not play nice with your system, and not knowing which exact version you have, be it just the standalone freeware Firewall or Firewall plus Internet Security, a system conflict may be occurring.

The actual stand alone Firewall itself is a fine application, however it tends to come bundled with extra tool-bars in the guise of security enhancements, which in fact they are not, but merely dubious search bars (browser helper objects) in disguise.

By all means try any of the others I suggested, but leave off doing so for the time being lest further complications arise.

Next:

Now please answer myself this, why have you run the very powerful application Combofix again without trained supervision, may I ask?

Did you not understand what I posted here? I do not post such information because I enjoy reading my own words, far from it............trust myself on this, if Combofix is used incorrectly without the guidance of an individual trained in its use, the chance of your computer ending up nothing more than an expensive door-stop is quite a distinct possibility. ;)

OK from researching the Combofix log provided it does indeed appear your computer is still compromised and I had no way of knowing this because you inadvertently deleted the original log.

At present there are malware patched system files and the master boot record is compromised with a Root-Kit type infection. I will attempt to remove the malware but only as long as you refrain from running any more self fixes OK!

Saying that in good conscience I will provide two options on how best to proceed as follows:

1 - We repair the Master Boot Record and you carry out a reformat and reinstallation of the Windows operating system, and that is the course I strongly recommend.

2 - I attempt to remove the malware.

Acknowledge the above and that you will agree with my request, give me your decision on how you wish to proceed and either way I will gladly continue to assist your good self.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: windefence32?! hijacked browser...need help

Unread postby 0v3rK!LL » November 9th, 2009, 6:45 am

Hi and thank you again, man ;-)
Yeah you can count on me.

I think I'm done now with that specific fu**ing windows installation and I'm going to reformat and reinstall it. Doesn't this repair the Master Boot Record itself by doing so?

Hope you won't recommend me to delete my partitions as I'm not able to save my 2nd partition now, because I'm still waiting for an external hdd being sent to me.

Would you please provide me with a quotation of the lines of the ComboFix log that show you which files are infected (and also the MBR infection)? I would like to know which these are.
Can you also see what kind of malware it is and what it does or probably already did with me/my system?

Thank you!

Cheers
0v3rK!LL
Regular Member
 
Posts: 17
Joined: November 4th, 2009, 3:10 pm

Re: windefence32?! hijacked browser...need help

Unread postby Dakeyras » November 9th, 2009, 7:21 am

Hi. :)

Hi and thank you again, man ;-)
Yeah you can count on me.
OK and you're welcome!

I appreciate your frustration but please refrain from using profane language even if munged via asterisks.

I think I'm done now with that specific fu**ing windows installation and I'm going to reformat and reinstall it. Doesn't this repair the Master Boot Record itself by doing so?

Hope you won't recommend me to delete my partitions as I'm not able to save my 2nd partition now, because I'm still waiting for an external hdd being sent to me.
Bit of a dilemma then, as there is no way to save the partitions with a reformat and reinstallation of the Windows operating system.

We would have to repair the MBR before the reformat and reinstallation of the Windows operating system, as this type of MBR Root-Kit actually survives the format and your system would become infected all over again.

Would you please provide me with a quotation of the lines of the ComboFix log that show you which files are infected (and also the MBR infection)? I would like to know which these are.
Can you also see what kind of malware it is and what it does or probably already did with me/my system?
By all means:-

Malware patched files:-

------- Sigcheck -------

[-] 2009-11-06 18:49 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[-] 2009-11-06 18:49 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\dllcache\ctfmon.exe
MBR Root-Kit:-

Stealth MBR rootkit/Mebroot/Sinowal detector

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spat.sys >>UNKNOWN [0x8A0D0938]<<

\Driver\atapi IRP hooks detected !
What the above basically means is your computer is compromised and if left untreated more malware will get on-board the system and any number of scenarios may occur, none of which are good. Your computer can never be trusted online, it may end up what is known as a Zombie computer and in turn be used to infect others online without your knowledge, and eventually it could very well cease to function at all.

Next:

To be quite honest, repairing the MBR via the Recovery Console is the best option, and backing up any personal files or folders to a form of removable media. Then formatting the Hard-Drive is the most viable option here.

Repair MBR:

You will need to use the Microsoft Windows XP Professional CD-ROM you have for this procedure.

  • Restart your computer with the Windows XP Setup disk in the CDROM drive.
  • If you are prompted to press a key to start the computer from CDROM, do so quickly. Otherwise it may try to boot from the hard drive.
  • A blue screen will appear and begin loading Windows XP Setup from the CD.
  • You will be prompted to "press F6 to install any third party SCSI or RAID drivers". Ignore this.
  • Depress the keyboard R key to enter the Recovery Console.

Next:

At the C:\Windows> prompt

  • Type in the following exactly: fixmbr and hit Enter.
  • Then at the next prompt type in Exit and hit enter.
  • Windows should continue to load as normally.

Then carry out a reformat and reinstallation of the Windows operating system.
Dakeyras
MRU Honors Graduate

Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
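As an added example that is not part of the original thread, a small Python parser for the two ComboFix fragments quoted in the post above: it splits each Sigcheck line into its fields, reports files whose dllcache backup carries the same hash as the flagged live copy (so Windows File Protection has no clean copy to restore), and pulls the unknown-module address and hooked-driver name out of the MBR detector output. The sample log is constructed from the excerpt above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the ComboFix excerpt quoted in the post above.
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2009-11-06 18:49 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[-] 2009-11-06 18:49 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\dllcache\ctfmon.exe
Stealth MBR rootkit/Mebroot/Sinowal detector
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spat.sys >>UNKNOWN [0x8A0D0938]<<
\Driver\atapi IRP hooks detected !
"""

# One Sigcheck line: "[flag] date time . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<stamp>\S+\s+\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
IRP_RE = re.compile(r"^(\\Driver\\\S+) IRP hooks detected", re.MULTILINE)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; size becomes an int, path is lower-cased."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["path"] = e["path"].lower()
            entries.append(e)
    return entries


def dllcache_matches(entries):
    """File names whose live copy and dllcache backup carry the same MD5.
    WFP restores from dllcache, so an identical hash there means both copies need replacing."""
    by_name = defaultdict(dict)
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        kind = "dllcache" if "\\dllcache\\" in e["path"] else "live"
        by_name[name][kind] = e["md5"]
    return sorted(n for n, h in by_name.items()
                  if "live" in h and "dllcache" in h and h["live"] == h["dllcache"])


def parse_mbr_detector(text):
    """Pull the two indicators the helper pointed at out of the detector output."""
    return {"unknown_modules": UNKNOWN_RE.findall(text),
            "irp_hooked_drivers": IRP_RE.findall(text)}
```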

Re: windefence32?! hijacked browser...need help

Unread postby 0v3rK!LL » November 9th, 2009, 8:58 am

alright...

I have 2 partitions... c:\and d:\ - will the mbr fixing delete the partitions? if not I could keep my existing data on d:\

mhm...I used a tool to replace the ctfmon.exe by a dummy so that it is not loading all the time...and I already get a recovery console selection option when booting (this console was installed by ComboFix when I ran it the first time).

Maybe these are explanations for the 'detections' that ComboFix made?

If not, I just gonna do this repair action...
0v3rK!LL
Regular Member
 
Posts: 17
Joined: November 4th, 2009, 3:10 pm

Re: windefence32?! hijacked browser...need help

Unread postby Dakeyras » November 9th, 2009, 9:28 am

Hi. :)

I have 2 partitions... c:\and d:\ - will the mbr fixing delete the partitions? if not I could keep my existing data on d:\
As far as I am aware, if you repair the MBR the information on the D:\ partition may become inaccessible, so it would be prudent to create back-ups first. One of the drawbacks of such a set-up is when the partition on a HDD that contains either the MBR or the Operating System becomes compromised/corrupted.

So, repair the MBR, then wipe the drive, format and start over.

mhm...I used a tool to replace the ctfmon.exe by a dummy so that it is not loading all the time...and I already get a recovery console selection option when booting (this console was installed by ComboFix when I ran it the first time).
It might be why the files flagged though they are legitimate system files and that is not a recommended method for disabling ctfmon.exe.

Fair play; by all means you can access the RC via the one installed and run the exact same commands to repair the MBR.

You have to bear in mind that before I was even aware of the other problems I had already advised you that the system was infected with a Back-Door Trojan.

If not, I just gonna do this repair action...
It is the course of action I recommend. For the reasons I originally stated here.
Dakeyras
MRU Honors Graduate

Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: windefence32?! hijacked browser...need help

Unread postby 0v3rK!LL » November 9th, 2009, 11:31 am

If I plug an external hdd device into my laptop in order to copy my data from d:\ is there no harm for it then?

And don't you think norton internet security 2010 has a good firewall included?
0v3rK!LL
Regular Member
 
Posts: 17
Joined: November 4th, 2009, 3:10 pm

Re: windefence32?! hijacked browser...need help

Unread postby Dakeyras » November 9th, 2009, 12:32 pm

Hi. :)

And don't you think norton internet security 2010 has a good firewall included?
I am not familiar with that particular security suite I'm afraid. All I can say is any security is better than having none installed, providing nothing else bar the Norton is installed, lest a system conflict occurs. However such bundled applications tend to be very system resource intensive and can be problematic to uninstall at times.

I can provide some advice about what to install after the reformat and reinstallation of the Windows operating system if you so wish.

If I plug an external hdd device into my laptop in order to copy my data from d:\ is there no harm for it then?
Aye, that should be fine; however, to err on the side of caution so no infections are transferred, do so as follows:-

Flash_Disinfector:

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your Flash/USB Drive. Plug it in. <-- In your case it will be the external HDD.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Next:

Create a folder on the external HDD, call it say My Backups.

Transfer the data you wish to save to the aforementioned folder.

Check for updates with both your installed Anti-Virus & Malwarebytes Anti-Malware.

Right click on the backup folder and scan with each of the above in turn.

Safely disconnect your external Hard-Drive as described here.

Next:

Let me know the outcome please, and/or if you require further assistance, thank you.
Dakeyras
MRU Honors Graduate

Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: windefence32?! hijacked browser...need help

Unread postby NonSuch » November 12th, 2009, 5:46 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator

Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California