
Solved: Can't connect to AV or Microsoft websites

Discussion in 'Malware and Virus Removal Archive' started by Mrjayde, 2011/03/16.

  1. 2011/03/16
    Mrjayde (Inactive, Thread Starter)

    [Resolved] Can't connect to AV or Microsoft websites

    Hi, hope somebody can help.

    I'm trying to help out somebody with her computer problem. The computer cannot connect to any anti-virus websites (McAfee, Norton, AVG, etc.) or anything from Microsoft. My advice was to buy a new computer (it's old and slow), but then I found this website and people with similar problems saying that a virus is probably at fault.

    Any help would be greatly appreciated.

    I followed the instructions as best I could.

    1) Malwarebytes Log:


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6079

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    16.03.2011 20:19:02
    mbam-log-2011-03-16 (20-18-41).txt

    Scan type: Quick scan
    Objects scanned: 138212
    Time elapsed: 10 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    2) Gmer log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-03-16 22:25:26
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6E040L0 rev.NAR61HA0
    Running: yk8idhm6.exe; Driver: C:\DOKUME~1\Edith\LOKALE~1\Temp\awlcapod.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    pnidata C:\WINDOWS\System32\DRIVERS\secdrv.sys unknown last section [0xEFE97F00, 0x24000, 0x48000000]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\ctfmon.exe[220] WS2_32.dll!connect 71A1406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
    .text C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[232] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00E55C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
    .text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!NtQueryInformationProcess 7C91E01B 5 Bytes JMP 017DADCD
    .text C:\WINDOWS\System32\svchost.exe[1140] NETAPI32.dll!NetpwPathCanonicalize 597DA259 5 Bytes JMP 017DAD64
    .text C:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtQueryInformationProcess 7C91E01B 5 Bytes JMP 0080ADCD
    .text C:\WINDOWS\Explorer.EXE[1600] WS2_32.dll!connect 71A1406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
    .text C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe[1972] WS2_32.dll!connect 71A1406A 5 Bytes JMP 011F5C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
    .text C:\WINDOWS\system32\RunDll32.exe[2000] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00A55C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
    .text C:\WINDOWS\system32\igfxtray.exe[2020] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00BF5C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
    .text C:\WINDOWS\system32\hkcmd.exe[2028] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00C35C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
    .text ...

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs NaiFiltr.sys
    AttachedDevice \FileSystem\Fastfat \Fat NaiFiltr.sys

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] njqjjed <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\njqjjed@DisplayName Time Installer
    Reg HKLM\SYSTEM\CurrentControlSet\Services\njqjjed@Type 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\njqjjed@Start 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\njqjjed@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\njqjjed@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\njqjjed@ObjectName LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\njqjjed@Description Verwaltet die Datum- und Uhrzeitsynchronisierung auf allen Clients und Servern im Netzwerk. Wenn dieser Dienst beendet wird, ist die Datum- und Uhrzeitsynchronisierung nicht verfügbar. Wenn der Dienst deaktiviert wird, können alle anderen Dienste, die explizit davon abhängen, nicht gestartet werden.
    Reg HKLM\SYSTEM\CurrentControlSet\Services\njqjjed\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\njqjjed\Parameters@ServiceDll C:\WINDOWS\system32\mgzwt.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\njqjjed@DisplayName Time Installer
    Reg HKLM\SYSTEM\ControlSet003\Services\njqjjed@Type 32
    Reg HKLM\SYSTEM\ControlSet003\Services\njqjjed@Start 2
    Reg HKLM\SYSTEM\ControlSet003\Services\njqjjed@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet003\Services\njqjjed@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet003\Services\njqjjed@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet003\Services\njqjjed@Description Verwaltet die Datum- und Uhrzeitsynchronisierung auf allen Clients und Servern im Netzwerk. Wenn dieser Dienst beendet wird, ist die Datum- und Uhrzeitsynchronisierung nicht verfügbar. Wenn der Dienst deaktiviert wird, können alle anderen Dienste, die explizit davon abhängen, nicht gestartet werden.
    Reg HKLM\SYSTEM\ControlSet003\Services\njqjjed\Parameters (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\njqjjed\Parameters@ServiceDll C:\WINDOWS\system32\mgzwt.dll

    ---- EOF - GMER 1.0.15 ----

    3) MBRCheck

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000000d

    Kernel Drivers (total 126):

    Processes (total 34):
    0 System Idle Process
    4 System
    436 C:\WINDOWS\system32\smss.exe
    648 csrss.exe
    672 C:\WINDOWS\system32\winlogon.exe
    716 C:\WINDOWS\system32\services.exe
    728 C:\WINDOWS\system32\lsass.exe
    896 C:\WINDOWS\system32\svchost.exe
    944 svchost.exe
    1140 C:\WINDOWS\system32\svchost.exe
    1184 svchost.exe
    1284 svchost.exe
    1600 C:\WINDOWS\explorer.exe
    1684 C:\WINDOWS\system32\spoolsv.exe
    1972 C:\PROGRA~1\McAfee.com\VSO\mcvsshld.exe
    2000 C:\WINDOWS\system32\rundll32.exe
    2008 C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
    2020 C:\WINDOWS\system32\igfxtray.exe
    2028 C:\WINDOWS\system32\hkcmd.exe
    196 C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    220 C:\WINDOWS\system32\ctfmon.exe
    232 C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    344 C:\Programme\McAfee Security Scan\2.0.181\SSScheduler.exe
    1252 C:\Programme\Java\jre6\bin\jqs.exe
    1408 C:\Programme\McAfee.com\Agent\Mcdetect.exe
    1432 C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
    1508 C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
    1528 C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
    1692 C:\WINDOWS\system32\svchost.exe
    1768 C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe
    1740 C:\PROGRA~1\McAfee.com\VSO\McShield.exe
    2928 alg.exe
    3260 C:\WINDOWS\system32\wscntfy.exe
    2624 C:\Dokumente und Einstellungen\Edith\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: Maxtor6E040L0, Rev: NAR61HA0

    Size Device Name MBR Status
    --------------------------------------------
    38 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: ADFE55CD0C6ED2E00B22375835E4C2736CE9AD11


    Done!

    4) DDS log

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Edith at 22:33:26,76 on 16.03.2011
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.247.62 [GMT 1:00]
    .
    AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\system32\RunDll32.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Programme\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Programme\Java\jre6\bin\jqs.exe
    c:\programme\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Dokumente und Einstellungen\Edith\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.it/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\googletoolbar3.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\programme\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\googletoolbar3.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
    uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    mRun: [VirusScan Online] "c:\progra~1\mcafee.com\vso\mcvsshld.exe "
    mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
    mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
    mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [QuickTime Task] "c:\programme\quicktime\qttask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 10.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe "
    mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe "
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\dokumente und einstellungen\edith\startmenü\programme\autostart\PowerReg Scheduler.exe
    StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\mcafee~1.lnk - c:\programme\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\micros~1.lnk - c:\programme\microsoft office\office10\OSA.EXE
    StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\stimon.lnk - c:\programme\usb2.0 uvc webcam\usb2.0 uvc webcam\STIMON.exe
    IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\programme\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\programme\gemeinsame dateien\microsoft shared\web folders\PKMCDO.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\programme\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxsrvc.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\dokume~1\edith\anwend~1\mozilla\firefox\profiles\3ouwwh82.default\
    FF - component: c:\programme\mozilla firefox 3.1 beta 2\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\programme\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\mozilla firefox 3.1 beta 2\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\programme\mozilla firefox 3.1 beta 2\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 McDetect.exe;McAfee WSC Integration;c:\programme\mcafee.com\agent\Mcdetect.exe [2005-12-14 126976]
    R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-12-14 122368]
    R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2004-12-15 131072]
    R2 TeamViewer5;TeamViewer 5;c:\programme\teamviewer\version5\TeamViewer_Service.exe [2009-11-27 185640]
    R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2004-12-15 225401]
    R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2004-12-15 23888]
    R3 usbsmi;USB 2.0 UVC WebCam;c:\windows\system32\drivers\SMIksdrv.sys [2010-11-24 154880]
    S2 gupdate;Servizio di Google Update (gupdate);c:\programme\google\update\GoogleUpdate.exe [2010-9-8 136176]
    S2 njqjjed;Time Installer;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\programme\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2004-12-15 245760]
    S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2009-11-9 25088]
    .
    =============== Created Last 30 ================
    .
    2011-03-16 19:06:27 -------- d-----w- c:\dokume~1\edith\anwend~1\Malwarebytes
    2011-03-16 19:06:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-16 19:06:01 -------- d-----w- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
    2011-03-16 19:05:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-16 19:05:53 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
    2011-03-16 18:25:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-16 18:25:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-16 18:06:06 -------- d-----w- c:\dokume~1\alluse~1\anwend~1\MFAData
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 22:34:23,85 ===============

    5) DDS attach

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 15.12.2004 17:42:46
    System Uptime: 16.03.2011 20:23:18 (2 hours ago)
    .
    Motherboard: | | P4i65GV
    Processor: Intel(R) Celeron(R) CPU 2.66GHz | mPGA478 | 2663/133mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 38 GiB total, 28,455 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: TeamViewer VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: TeamViewer GmbH
    Name: TeamViewer VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: teamviewervpn
    .
    ==== System Restore Points ===================
    .
    RP32: 18.12.2010 19:23:25 - Systemprüfpunkt
    RP33: 21.12.2010 17:32:40 - Systemprüfpunkt
    RP34: 23.12.2010 15:13:45 - Systemprüfpunkt
    RP35: 31.12.2010 17:50:02 - Systemprüfpunkt
    RP36: 04.01.2011 15:26:00 - Systemprüfpunkt
    RP37: 09.01.2011 18:34:26 - Systemprüfpunkt
    RP38: 18.01.2011 10:30:51 - Systemprüfpunkt
    RP39: 20.01.2011 14:07:51 - Systemprüfpunkt
    RP40: 24.01.2011 14:22:00 - Systemprüfpunkt
    RP41: 28.01.2011 12:28:31 - Systemprüfpunkt
    RP42: 31.01.2011 10:07:34 - Systemprüfpunkt
    RP43: 31.01.2011 20:50:37 - Adobe Reader 8.1.2 - Deutsch wird entfernt
    RP44: 31.01.2011 20:53:55 - Installed Adobe Reader X - Deutsch.
    RP45: 03.02.2011 09:14:45 - Systemprüfpunkt
    RP46: 16.02.2011 09:12:56 - Systemprüfpunkt
    RP47: 24.02.2011 13:26:51 - Systemprüfpunkt
    RP48: 01.03.2011 09:53:16 - Systemprüfpunkt
    RP49: 02.03.2011 19:07:44 - Systemprüfpunkt
    RP50: 04.03.2011 08:57:04 - Systemprüfpunkt
    RP51: 11.03.2011 20:50:24 - Systemprüfpunkt
    RP52: 15.03.2011 15:22:36 - Systemprüfpunkt
    RP53: 16.03.2011 19:23:51 - Java(TM) 6 Update 24 wird installiert
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 ActiveX
    Adobe Reader X - Deutsch
    Apple Software Update
    C-Media 3D Audio
    Canon Utilities Easy-PhotoPrint
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix für Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Intel(R) 537EP Modem
    Intel(R) Extreme Graphics 2 Driver
    Java Auto Updater
    Java(TM) 6 Update 24
    Malwarebytes' Anti-Malware
    McAfee Security Scan Plus
    McAfee SecurityCenter
    McAfee VirusScan
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 2.0 Language Pack - DEU
    Microsoft .NET Framework 3.0
    Microsoft .NET Framework 3.0 German Language Pack
    Microsoft Encarta Weltatlas
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional mit FrontPage
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox (3.1b2)
    MSXML 6.0 Parser (KB925673)
    Pirelli USB Driver
    QuickTime
    Sicherheitsupdate für Windows XP (KB883939)
    Sicherheitsupdate für Windows XP (KB890046)
    Sicherheitsupdate für Windows XP (KB893756)
    Sicherheitsupdate für Windows XP (KB896358)
    Sicherheitsupdate für Windows XP (KB896422)
    Sicherheitsupdate für Windows XP (KB896423)
    Sicherheitsupdate für Windows XP (KB896428)
    Sicherheitsupdate für Windows XP (KB899587)
    Sicherheitsupdate für Windows XP (KB899588)
    Sicherheitsupdate für Windows XP (KB899591)
    Sicherheitsupdate für Windows XP (KB901214)
    Sid Meier's Civilization 4
    Skype Toolbars
    Skype™ 5.1
    TeamViewer 5
    Update für Windows XP (KB894391)
    Update für Windows XP (KB896727)
    Update für Windows XP (KB898461)
    Update für Windows XP (KB904942)
    USB2.0 UVC WebCam
    WebFldrs XP
    Windows Communication Foundation
    Windows Communication Foundation Language Pack - DEU
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Presentation Foundation
    Windows Presentation Foundation Language Pack (DEU)
    Windows Workflow Foundation
    Windows Workflow Foundation DE Language Pack
    Windows XP-Hotfix - KB834707
    Windows XP-Hotfix - KB873333
    Windows XP-Hotfix - KB873339
    Windows XP-Hotfix - KB885250
    Windows XP-Hotfix - KB885835
    Windows XP-Hotfix - KB885836
    Windows XP-Hotfix - KB885884
    Windows XP-Hotfix - KB886185
    Windows XP-Hotfix - KB887472
    Windows XP-Hotfix - KB887742
    Windows XP-Hotfix - KB888113
    Windows XP-Hotfix - KB888302
    Windows XP-Hotfix - KB890175
    Windows XP-Hotfix - KB890859
    Windows XP-Hotfix - KB890923
    Windows XP-Hotfix - KB891781
    Windows XP-Hotfix - KB893066
    Windows XP-Hotfix - KB893086
    Windows XP Service Pack 2
    WinRAR archiver
    XML Paper Specification Shared Components Language Pack 1.0
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== End Of File ===========================
     
  2. 2011/03/16
    broni (Moderator, Malware Analyst)
    Welcome aboard :)

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    Your MBAM log says "No action taken" after each line.
    Re-run it, FIX all issues and post new log.

    When done...

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on [color= "Red"]this link[/color] to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • [color= "Red"]WARNING:[/color] Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results ". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion ", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2011/03/17
    Mrjayde

    Mrjayde Inactive Thread Starter

    Joined:
    2011/03/16
    Messages:
    7
    Likes Received:
    0
    Thanks, broni.

    I'm sure I asked Anti Malware to remove infected files. I ran it again and it found two entries which I asked it to remove and I think it did.

    1) AM log

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6079

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    17.03.2011 17:25:20
    mbam-log-2011-03-17 (17-25-20).txt

    Scan type: Quick scan
    Objects scanned: 138278
    Time elapsed: 11 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    2) Combofix log

    ComboFix 11-03-16.06 - Edith 17.03.2011 17:47:54.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.247.107 [GMT 1:00]
    ausgeführt von:: c:\dokumente und einstellungen\Edith\Desktop\ComboFix.exe
    AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    .
    .
    ((((((((((((((((((((((( Dateien erstellt von 2011-02-17 bis 2011-03-17 ))))))))))))))))))))))))))))))
    .
    .
    2011-03-16 19:06 . 2011-03-16 19:06 -------- d-----w- c:\dokumente und einstellungen\Edith\Anwendungsdaten\Malwarebytes
    2011-03-16 19:06 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-16 19:06 . 2011-03-16 19:06 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
    2011-03-16 19:05 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-16 19:05 . 2011-03-16 19:06 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
    2011-03-16 18:32 . 2011-03-16 18:32 -------- d-----w- c:\windows\Sun
    2011-03-16 18:28 . 2011-03-16 18:28 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
    2011-03-16 18:25 . 2011-03-16 18:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-16 18:25 . 2011-03-16 18:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-16 18:24 . 2011-03-16 18:24 -------- d-----w- c:\programme\Java
    2011-03-16 18:06 . 2011-03-16 18:06 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\MFAData
    2011-03-03 11:28 . 2011-03-03 11:28 -------- d-----w- c:\programme\Gemeinsame Dateien\Skype
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-01 68856]
    "Skype"="c:\programme\Skype\Phone\Skype.exe" [2011-01-26 15026056]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2005-03-02 143360]
    "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 196608]
    "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
    "MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-11-17 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-11-17 118784]
    "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-09-06 413696]
    "Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
    .
    c:\dokumente und einstellungen\Edith\Startmen\Programme\Autostart\
    PowerReg Scheduler.exe [2005-12-13 256000]
    .
    c:\dokumente und einstellungen\Edith\Startmen\Programme\Autostart\
    PowerReg Scheduler.exe [2005-12-13 256000]
    .
    c:\dokumente und einstellungen\Edith\Startmen\Programme\Autostart\
    PowerReg Scheduler.exe [2005-12-13 256000]
    .
    c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
    McAfee Security Scan Plus.lnk - c:\programme\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    STIMON.lnk - c:\programme\USB2.0 UVC WebCam\USB2.0 UVC WebCam\STIMON.exe [2010-11-24 933888]
    .
    c:\dokumente und einstellungen\Edith\Startmen\Programme\Autostart\
    PowerReg Scheduler.exe [2005-12-13 256000]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Programme\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Dokumente und Einstellungen\\Edith\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
    "c:\\Dokumente und Einstellungen\\Edith\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
    "c:\\Programme\\TeamViewer\\Version5\\TeamViewer.exe"=
    "c:\\Programme\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Programme\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Programme\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9163:TCP"= 9163:TCP:ecreav
    .
    R2 TeamViewer5;TeamViewer 5;c:\programme\TeamViewer\Version5\TeamViewer_Service.exe [27.11.2009 16:24 185640]
    R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [15.12.2004 18:19 23888]
    R3 usbsmi;USB 2.0 UVC WebCam;c:\windows\system32\drivers\SMIksdrv.sys [24.11.2010 10:41 154880]
    S2 gupdate;Servizio di Google Update (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [08.09.2010 09:07 136176]
    S2 njqjjed;Time Installer;c:\windows\system32\svchost.exe -k netsvcs [18.08.2001 20:00 14336]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [16.03.2011 20:06 38224]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\programme\McAfee Security Scan\2.0.181\McCHSvc.exe [15.01.2010 13:49 227232]
    S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [09.11.2009 18:12 25088]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    njqjjed
    .
    Inhalt des "geplante Tasks" Ordners
    .
    2011-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    2011-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\programme\Google\Update\GoogleUpdate.exe [2010-09-08 08:07]
    .
    2011-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\programme\Google\Update\GoogleUpdate.exe [2010-09-08 08:07]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    uStart Page = hxxp://www.yahoo.it/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\dokumente und einstellungen\Edith\Anwendungsdaten\Mozilla\Firefox\Profiles\3ouwwh82.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\Mozilla Firefox 3.1 Beta 2\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\programme\Mozilla Firefox 3.1 Beta 2\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    .
    - - - - Entfernte verwaiste Registrierungseinträge - - - -
    .
    HKLM-Run-Cmaudio - cmicnfg.cpl
    AddRemove-Encarta World Atlas 2.0 - D:\setup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-17 17:58
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    Scanne versteckte Prozesse...
    .
    Scanne versteckte Autostarteinträge...
    .
    Scanne versteckte Dateien...
    .
    Scan erfolgreich abgeschlossen
    versteckte Dateien: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\njqjjed]
    "ServiceDll"="c:\windows\system32\mgzwt.dll"
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- Durch laufende Prozesse gestartete DLLs ---------------------
    .
    - - - - - - - > 'explorer.exe'(3296)
    c:\progra~1\mcafee.com\vso\McVSSkt.dll
    c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\windows\system32\msi.dll
    c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.DEU
    .
    Zeit der Fertigstellung: 2011-03-17 18:04:59
    ComboFix-quarantined-files.txt 2011-03-17 17:04
    .
    Vor Suchlauf: 10 Verzeichnis(se), 30.373.101.568 Bytes frei
    Nach Suchlauf: 12 Verzeichnis(se), 30.342.512.640 Bytes frei
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 4289FB7F1E3A666ADD3FB3AB9AED056A
     
  5. 2011/03/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I don't see any AV program running.
    I can see some McAfee leftovers, but it doesn't look active to me.
    Please, explain.

    ===================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\mgzwt.dll
    
    
    Driver::
    njqjjed
    
    NetSvc::
    njqjjed
    
    DDS::
    uInternet Settings,ProxyOverride = 127.0.0.1
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\njqjjed]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [image: animation showing CFScript.txt being dragged onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
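A triage helper for the two kinds of log posted in this thread, added here as an example; it is not part of the thread and is not ComboFix's or Malwarebytes' own code. It parses constructed excerpts modelled on the MBAM and ComboFix logs in post #4 (the service name njqjjed, the DLL mgzwt.dll, the ProxyOverride value and the Security Center items are taken from those logs) and reports the things broni acted on: MBAM detections still marked "No action taken", as broni pointed out in post #2; a service hosted by svchost.exe -k netsvcs whose ServiceDll is not a known system DLL; and a ProxyOverride entry, both of which the CFScript in post #5 removes. KNOWN_SVCHOST_DLLS is an illustrative subset I chose, not a complete list of Windows XP service DLLs, and all function names are my own.

```python
import re

# Constructed excerpts modelled on the logs posted in the thread: the service
# name njqjjed, the DLL mgzwt.dll, the ProxyOverride value and the Security
# Center items come from those logs; everything else is trimmed, not a full run.
SAMPLE_MBAM = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""
SAMPLE_COMBOFIX = r"""
S2 gupdate;Servizio di Google Update (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [08.09.2010 09:07 136176]
S2 njqjjed;Time Installer;c:\windows\system32\svchost.exe -k netsvcs [18.08.2001 20:00 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [16.03.2011 20:06 38224]
.
uInternet Settings,ProxyOverride = 127.0.0.1
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\njqjjed]
"ServiceDll"="c:\windows\system32\mgzwt.dll"
"""

# Illustrative allowlist (my own subset) of DLL basenames that legitimately run
# inside svchost.exe on Windows XP; a real one would be built from a clean box.
KNOWN_SVCHOST_DLLS = {
    "wuauserv.dll", "browser.dll", "srvsvc.dll", "wkssvc.dll", "schedsvc.dll",
    "seclogon.dll", "cryptsvc.dll", "trkwks.dll", "audiosrv.dll", "shsvcs.dll",
}

# MBAM item: "<object> (<detection>) [-> <data>] -> <action>."
MBAM_ITEM_RE = re.compile(r"^(.+?) \(([^)]+)\)(?: -> (.*?))? -> (.+?)\.?\s*$")
# ComboFix service line: "<state> <name>;<display>;<image> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$")
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\\\]]+)\]\s*$", re.I)
# Tolerates the stray spaces the forum inserts around quotes ("ServiceDll "= "...").
SERVICE_DLL_RE = re.compile(r'^"ServiceDll\s*"\s*=\s*"(.*?)\s*"\s*$', re.I)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyOverride\s*=\s*(\S+)\s*$", re.I)


def find_unactioned_mbam_items(mbam_log):
    """MBAM detections left at anything other than quarantined/deleted."""
    hits = []
    for raw in mbam_log.splitlines():
        m = MBAM_ITEM_RE.match(raw.strip())
        if m and not m.group(4).lower().startswith("quarantined"):
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits


def parse_services(log):
    """Map service name -> {state, display, image} from ComboFix's R*/S* lines."""
    services = {}
    for raw in log.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            state, name, display, image = (g.strip() for g in m.groups())
            services[name] = {"state": state, "display": display, "image": image}
    return services


def parse_service_dlls(log):
    """Map service name -> ServiceDll path from the dumped Services\\<name> keys."""
    dlls, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):            # any key header starts a new block
            m = SERVICE_KEY_RE.match(line)
            current = m.group(1) if m else None
        elif not line or line == ".":       # ComboFix separates blocks with "."
            current = None
        elif current:
            m = SERVICE_DLL_RE.match(line)
            if m:
                dlls[current] = m.group(1).strip()
    return dlls


def find_svchost_hijacks(log, allowlist=KNOWN_SVCHOST_DLLS):
    """svchost-hosted services whose ServiceDll is missing or not allowlisted."""
    dlls = parse_service_dlls(log)
    findings = []
    for name, svc in parse_services(log).items():
        if "svchost.exe" not in svc["image"].lower():
            continue                        # running inside svchost is normal...
        dll = dlls.get(name)                # ...an unknown ServiceDll is the signal
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower() if dll else ""
        if basename not in allowlist:
            findings.append((name, dll or "<no ServiceDll in log>"))
    return findings


def find_proxy_override(log):
    """ProxyOverride value from ComboFix's extra-scan section, or None if absent."""
    for raw in log.splitlines():
        m = PROXY_RE.match(raw.strip())
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    print("MBAM not actioned:", find_unactioned_mbam_items(SAMPLE_MBAM))
    print("svchost review:   ", find_svchost_hijacks(SAMPLE_COMBOFIX))
    print("ProxyOverride:    ", find_proxy_override(SAMPLE_COMBOFIX))
```

Run it as a script to print the findings for the embedded excerpts, or call the three functions on the text of a real mbam-log and ComboFix.txt. An unfamiliar svchost-hosted service is reported for review rather than declared malicious, and one whose ServiceDll the log does not show is reported too, since that path is the next thing an analyst would check.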
     
  6. 2011/03/18
    Mrjayde

    Mrjayde Inactive Thread Starter

    Joined:
    2011/03/16
    Messages:
    7
    Likes Received:
    0
    The person who owns the machine is not very computer literate and let the McAfee AV expire without replacing it. I've tried to download new AV software but was not able to download anything on account of not being able to connect to any AV websites.

    Now it looks like I can access all the websites again that I couldn't before. I'm going to download MS Security Essentials or another free antivirus and install it, unless there is something else I should be doing first ...

    In any case ... thank you very much for your assistance.

    Here is the combofix.txt after following your instructions:

    ComboFix 11-03-17.02 - Edith 18.03.2011 15:55:26.2.1 - x86
    ausgeführt von:: c:\dokumente und einstellungen\Edith\Desktop\ComboFix.exe
    Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Edith\Desktop\CFScript.txt
    AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    .
    FILE ::
    "c:\windows\system32\mgzwt.dll"
    .
    .
    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\mgzwt.dll
    .
    Infizierte Kopie von c:\windows\system32\userinit.exe wurde gefunden und desinfiziert
    Kopie von - c:\windows\ERDNT\cache\userinit.exe wurde wiederhergestellt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NJQJJED
    -------\Service_njqjjed
    .
    .
    ((((((((((((((((((((((( Dateien erstellt von 2011-02-18 bis 2011-03-18 ))))))))))))))))))))))))))))))
    .
    .
    2011-03-16 19:06 . 2011-03-16 19:06 -------- d-----w- c:\dokumente und einstellungen\Edith\Anwendungsdaten\Malwarebytes
    2011-03-16 19:06 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-16 19:06 . 2011-03-16 19:06 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
    2011-03-16 19:05 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-16 19:05 . 2011-03-16 19:06 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
    2011-03-16 18:32 . 2011-03-16 18:32 -------- d-----w- c:\windows\Sun
    2011-03-16 18:28 . 2011-03-16 18:28 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
    2011-03-16 18:25 . 2011-03-16 18:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-16 18:25 . 2011-03-16 18:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-16 18:24 . 2011-03-16 18:24 -------- d-----w- c:\programme\Java
    2011-03-16 18:06 . 2011-03-16 18:06 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\MFAData
    2011-03-03 11:28 . 2011-03-03 11:28 -------- d-----w- c:\programme\Gemeinsame Dateien\Skype
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-01 68856]
    "Skype"="c:\programme\Skype\Phone\Skype.exe" [2011-01-26 15026056]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2005-03-02 143360]
    "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 196608]
    "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
    "MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-11-17 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-11-17 118784]
    "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-09-06 413696]
    "Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
    .
    c:\dokumente und einstellungen\Edith\Startmen\Programme\Autostart\
    PowerReg Scheduler.exe [2005-12-13 256000]
    .
    c:\dokumente und einstellungen\Edith\Startmen\Programme\Autostart\
    PowerReg Scheduler.exe [2005-12-13 256000]
    .
    c:\dokumente und einstellungen\Edith\Startmen\Programme\Autostart\
    PowerReg Scheduler.exe [2005-12-13 256000]
    .
    c:\dokumente und einstellungen\Edith\Startmen\Programme\Autostart\
    PowerReg Scheduler.exe [2005-12-13 256000]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Programme\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Dokumente und Einstellungen\\Edith\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
    "c:\\Dokumente und Einstellungen\\Edith\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
    "c:\\Programme\\TeamViewer\\Version5\\TeamViewer.exe"=
    "c:\\Programme\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Programme\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Programme\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9163:TCP"= 9163:TCP:ecreav
    .
    R2 gupdate;Servizio di Google Update (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [2010-09-08 136176]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-20 38224]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\programme\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2009-11-09 25088]
    S2 TeamViewer5;TeamViewer 5;c:\programme\TeamViewer\Version5\TeamViewer_Service.exe [2009-11-27 185640]
    S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2002-09-20 23888]
    S3 usbsmi;USB 2.0 UVC WebCam;c:\windows\system32\DRIVERS\SMIksdrv.sys [2008-10-13 154880]
    .
    .
    Inhalt des "geplante Tasks" Ordners
    .
    2011-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    2011-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\programme\Google\Update\GoogleUpdate.exe [2010-09-08 08:07]
    .
    2011-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\programme\Google\Update\GoogleUpdate.exe [2010-09-08 08:07]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    uStart Page = hxxp://www.yahoo.it/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\dokumente und einstellungen\Edith\Anwendungsdaten\Mozilla\Firefox\Profiles\3ouwwh82.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\Mozilla Firefox 3.1 Beta 2\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\programme\Mozilla Firefox 3.1 Beta 2\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-18 16:10
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    Scanne versteckte Prozesse...
    .
    Scanne versteckte Autostarteinträge...
    .
    Scanne versteckte Dateien...
    .
    Scan erfolgreich abgeschlossen
    versteckte Dateien: 0
    .
    **************************************************************************
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- Durch laufende Prozesse gestartete DLLs ---------------------
    .
    - - - - - - - > 'explorer.exe'(3836)
    c:\progra~1\mcafee.com\vso\McVSSkt.dll
    c:\windows\system32\msi.dll
    .
    ------------------------ Weitere laufende Prozesse ------------------------
    .
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\programme\McAfee Security Scan\2.0.181\SSScheduler.exe
    c:\programme\USB2.0 UVC WebCam\USB2.0 UVC WebCam\STIMON.exe
    c:\programme\Java\jre6\bin\jqs.exe
    c:\programme\mcafee.com\agent\mcdetect.exe
    c:\progra~1\mcafee.com\agent\mctskshd.exe
    c:\progra~1\mcafee.com\vso\mcvsrte.exe
    c:\programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
    c:\programme\TeamViewer\Version5\TeamViewer.exe
    c:\progra~1\mcafee.com\vso\mcshield.exe
    c:\programme\Skype\Plugin Manager\skypePM.exe
    c:\programme\Google\Update\Download\{FCE59C56-82D2-40D6-A2FE-AB32EA3F4221}\chrome_updater.exe
    c:\windows\Temp\CR_7.tmp\setup.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\System32\logon.scr
    c:\windows\SoftwareDistribution\Download\1c38c7dcac9dd982675bd0ed58b8ddaf\update\update.exe
    .
    **************************************************************************
    .
    Zeit der Fertigstellung: 2011-03-18 16:52:04 - PC wurde neu gestartet
    ComboFix-quarantined-files.txt 2011-03-18 15:50
    ComboFix2.txt 2011-03-17 17:05
    .
    Vor Suchlauf: 10 Verzeichnis(se), 30.295.552.000 Bytes frei
    Nach Suchlauf: 12 Verzeichnis(se), 29.757.313.024 Bytes frei
    .
    - - End Of File - - C1709AFBFD41523D0727268BB064EC5F
     
  7. 2011/03/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)

    MSE will be just fine as your AV program.
    You can install it now.

    Get rid of McAfee leftovers by running this tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

    When done...

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
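Once the OTL.txt from this scan comes back, the lines that matter for the symptom in the first post (no access to AV vendor or Microsoft sites) are the O1 HOSTS entries, the "ProxyEnable" keys, the O17 DhcpNameServer line and the O6/O7 IE Restrictions policy. The triage helper below is an added example, not part of this thread, of OTL or of any forum tool: it parses those line shapes as they appear in the OTL.txt posted later in this thread, the ProxyServer line shape and the domain watchlist are assumptions, and the second sample log is constructed to show what a hijacked machine would look like.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Domain suffixes whose redirection in HOSTS matches the symptom in the first
# post (no access to AV vendor or Microsoft sites). Constructed watchlist for
# this example; extend it for your own environment.
WATCH_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "mcafee.com", "symantec.com",
    "norton.com", "avg.com", "avast.com", "malwarebytes.org",
)

# Line shapes copied from the OTL.txt posted in this thread. The ProxyServer
# shape is assumed (same key style as ProxyEnable); the posted log has none.
HOSTS_FILE_RE = re.compile(r"^O1 HOSTS File:\s+\(\[[^|]*\|\s*([\d,]+)\s*\|")
HOSTS_ENTRY_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_ENABLE_RE = re.compile(
    r'^IE - (\S+?)\\Software\\.*Internet Settings: "ProxyEnable" = (\d+)', re.I)
PROXY_SERVER_RE = re.compile(
    r'^IE - (\S+?)\\Software\\.*Internet Settings: "ProxyServer" = (\S+)', re.I)
DNS_RE = re.compile(r"^O17 - .*DhcpNameServer = (.+)$")
RESTRICT_RE = re.compile(
    r"^O[67] - (\S+?)\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present", re.I)


@dataclass
class Finding:
    severity: str  # "info" (expected), "review" (check by hand), "warn" (matches the symptom)
    item: str
    detail: str


def _watched(host: str) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCH_SUFFIXES)


def triage_otl(log_text: str) -> List[Finding]:
    """Walk an OTL.txt and report the connectivity-relevant items in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_FILE_RE.match(line):
            size = int(m.group(1).replace(",", ""))
            findings.append(Finding("info", "hosts-file", f"{size} bytes"))
        elif m := HOSTS_ENTRY_RE.match(line):
            ip, host = m.groups()
            if host.lower() == "localhost" and ip in ("127.0.0.1", "::1"):
                findings.append(Finding("info", "hosts-entry", f"{ip} {host} (default)"))
            elif _watched(host):
                findings.append(Finding("warn", "hosts-entry", f"{host} -> {ip} (AV/Microsoft host redirected)"))
            else:
                findings.append(Finding("review", "hosts-entry", f"{host} -> {ip}"))
        elif m := PROXY_ENABLE_RE.match(line):
            hive, value = m.groups()
            sev = "warn" if value != "0" else "info"
            findings.append(Finding(sev, "proxy-enable", f"{hive}: ProxyEnable = {value}"))
        elif m := PROXY_SERVER_RE.match(line):
            hive, server = m.groups()
            findings.append(Finding("warn", "proxy-server", f"{hive}: ProxyServer = {server}"))
        elif m := DNS_RE.match(line):
            servers = ", ".join(m.group(1).split())
            findings.append(Finding("review", "dns", f"DhcpNameServer = {servers}"))
        elif m := RESTRICT_RE.match(line):
            findings.append(Finding("review", "ie-restrictions", f"{m.group(1)}: IE Restrictions policy present"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity; a non-zero 'warn' means the log still shows the symptom."""
    counts = {"info": 0, "review": 0, "warn": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Lines copied from the OTL.txt posted in this thread (HOSTS already cleaned).
SAMPLE_POSTED = r"""
O1 HOSTS File: ([2011.03.18 16:08:48 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
IE - HKU\S-1-5-21-1078081533-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 62.101.93.101 83.103.25.250
"""

# Constructed lines (not from any real log) showing the same sections on a
# machine whose HOSTS file and proxy settings produce the first post's symptom.
SAMPLE_CONSTRUCTED = r"""
O1 HOSTS File: ([2011.03.16 10:00:00 | 000,001,204 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.mcafee.com
O1 - Hosts: 127.0.0.1 update.microsoft.com
IE - HKU\S-1-5-21-1078081533-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1078081533-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
"""

if __name__ == "__main__":
    for name, sample in (("posted", SAMPLE_POSTED), ("constructed", SAMPLE_CONSTRUCTED)):
        found = triage_otl(sample)
        print(name, summarize(found))
        for f in found:
            print(f"  [{f.severity}] {f.item}: {f.detail}")
```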
     
  8. 2011/03/21
    Mrjayde

    Mrjayde Inactive Thread Starter

    Had some trouble installing MSE so went with avast free anti-virus instead.

    I ran the OTL scan but somebody used the computer while it ran so I decided to start over. For whatever reason I didn't get an Extras.txt after trying it again. I tried twice more and only got the OTL.txt below.

    OTL logfile created on: 21.03.2011 15:34:32 - Run 3
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Dokumente und Einstellungen\Edith\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

    247,00 Mb Total Physical Memory | 96,00 Mb Available Physical Memory | 39,00% Memory free
    606,00 Mb Paging File | 290,00 Mb Available in Paging File | 48,00% Paging File free
    Paging file location(s): C:\pagefile.sys 372 744 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
    Drive C: | 38,28 Gb Total Space | 24,48 Gb Free Space | 63,96% Space Free | Partition Type: NTFS

    Computer Name: EDITHCOMPUTER | User Name: Edith | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011.03.20 12:25:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Edith\Desktop\OTL.exe
    PRC - [2011.02.23 16:04:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
    PRC - [2011.02.23 16:04:19 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
    PRC - [2010.11.10 12:49:34 | 000,932,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe
    PRC - [2010.10.29 14:49:28 | 000,249,064 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    PRC - [2009.11.27 16:48:14 | 004,975,400 | ---- | M] (TeamViewer GmbH) -- C:\Programme\TeamViewer\Version5\TeamViewer.exe
    PRC - [2009.11.27 16:24:34 | 000,185,640 | ---- | M] (TeamViewer GmbH) -- C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe
    PRC - [2009.03.10 22:18:20 | 000,970,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
    PRC - [2008.08.18 21:02:16 | 000,933,888 | ---- | M] (Silicon Motion) -- C:\Programme\USB2.0 UVC WebCam\USB2.0 UVC WebCam\STIMON.exe
    PRC - [2004.08.04 00:57:54 | 001,035,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2001.02.23 10:07:30 | 000,270,336 | ---- | M] (Microsoft Corporation) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe


    ========== Modules (SafeList) ==========

    MOD - [2011.03.20 12:25:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Edith\Desktop\OTL.exe
    MOD - [2011.02.23 16:04:17 | 000,197,208 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\snxhk.dll
    MOD - [2004.08.04 00:54:28 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - [2011.02.23 16:04:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2009.11.27 16:24:34 | 000,185,640 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe -- (TeamViewer5)
    SRV - [2001.02.23 10:07:30 | 000,270,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe -- (MDM)


    ========== Driver Services (SafeList) ==========

    DRV - [2011.02.23 15:56:55 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011.02.23 15:56:45 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011.02.23 15:55:49 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011.02.23 15:55:47 | 000,102,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2011.02.23 15:55:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011.02.23 15:54:57 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2011.02.23 15:54:55 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010.12.20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
    DRV - [2009.11.09 18:12:42 | 000,025,088 | ---- | M] (TeamViewer GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\teamviewervpn.sys -- (teamviewervpn)
    DRV - [2008.10.13 18:24:36 | 000,154,880 | ---- | M] (SMI) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SMIksdrv.sys -- (usbsmi)
    DRV - [2004.08.03 23:04:34 | 000,012,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (usb_rndis)
    DRV - [2004.08.03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) NT-Treiber für Realtek RTL8139(A/B/C)
    DRV - [2003.05.27 09:21:46 | 000,051,301 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
    DRV - [2003.05.27 09:21:28 | 001,086,261 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
    DRV - [2003.05.27 09:20:32 | 000,480,649 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
    DRV - [2003.05.27 09:19:24 | 000,031,440 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-1078081533-879983540-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKU\S-1-5-21-1078081533-879983540-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-1078081533-879983540-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
    IE - HKU\S-1-5-21-1078081533-879983540-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\S-1-5-21-1078081533-879983540-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07103010
    FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906

    FF - HKLM\software\mozilla\Firefox\extensions\\wrc@avast.com: C:\Programme\AVAST Software\Avast\WebRep\FF [2011.03.20 14:05:39 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.1b2\extensions\\Components: C:\Programme\Mozilla Firefox 3.1 Beta 2\components [2009.01.04 14:27:59 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.1b2\extensions\\Plugins: C:\Programme\Mozilla Firefox 3.1 Beta 2\plugins [2011.03.16 19:25:44 | 000,000,000 | ---D | M]

    [2008.12.28 19:07:23 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Edith\Anwendungsdaten\Mozilla\Extensions
    [2011.03.14 12:54:19 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Edith\Anwendungsdaten\Mozilla\Firefox\Profiles\3ouwwh82.default\extensions
    [2008.12.28 19:09:08 | 000,000,000 | ---D | M] (Move Media Player) -- C:\Dokumente und Einstellungen\Edith\Anwendungsdaten\Mozilla\Firefox\Profiles\3ouwwh82.default\extensions\moveplayer@movenetworks.com
    [2011.03.03 12:31:31 | 000,000,000 | ---D | M] (Skype extension) -- C:\PROGRAMME\MOZILLA FIREFOX 3.1 BETA 2\EXTENSIONS\{AB2CE124-6272-4B12-94A9-7303C7397BD1}

    O1 HOSTS File: ([2011.03.18 16:08:48 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll ()
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Programme\Google\GoogleToolbar3.dll (Google Germany GmbH)
    O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Programme\Google\GoogleToolbar3.dll (Google Germany GmbH)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll ()
    O3 - HKU\S-1-5-21-1078081533-879983540-839522115-1003\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Programme\Google\GoogleToolbar3.dll (Google Germany GmbH)
    O3 - HKU\S-1-5-21-1078081533-879983540-839522115-1003\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Programme\Google\GoogleToolbar3.dll (Google Germany GmbH)
    O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Programme\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [avast] C:\Programme\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
    O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\STIMON.lnk = C:\Programme\USB2.0 UVC WebCam\USB2.0 UVC WebCam\STIMON.exe (Silicon Motion)
    O4 - Startup: C:\Dokumente und Einstellungen\Edith\Startmenü\Programme\Autostart\PowerReg Scheduler.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1078081533-879983540-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1078081533-879983540-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1078081533-879983540-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1078081533-879983540-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O15 - HKU\S-1-5-21-1078081533-879983540-839522115-1003\..Trusted Domains: ([]msn in My Computer)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 62.101.93.101 83.103.25.250
    O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
    O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007.12.30 17:09:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2004.12.15 17:40:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.CPY -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011.03.20 23:49:39 | 000,000,000 | -HSD | C] -- C:\Config.Msi
    [2011.03.20 14:07:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\avast! Free Antivirus
    [2011.03.20 14:06:59 | 000,301,528 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011.03.20 14:06:59 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011.03.20 14:06:54 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011.03.20 14:06:53 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011.03.20 14:06:52 | 000,371,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2011.03.20 14:06:50 | 000,102,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011.03.20 14:06:50 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011.03.20 14:06:49 | 000,030,680 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2011.03.20 14:05:36 | 000,040,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011.03.20 14:05:35 | 000,190,016 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2011.03.20 14:04:47 | 000,000,000 | ---D | C] -- C:\Programme\AVAST Software
    [2011.03.20 14:04:47 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AVAST Software
    [2011.03.20 12:50:28 | 000,000,000 | ---D | C] -- C:\06b54f2b59cc224accd4c477280bab
    [2011.03.20 12:43:39 | 000,000,000 | ---D | C] -- C:\2d336ac3c8f0fd9662008f384e8d
    [2011.03.20 12:25:39 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Edith\Desktop\OTL.exe
    [2011.03.20 12:22:46 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2011.03.20 12:18:27 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\Edith\PrivacIE
    [2011.03.20 12:09:18 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\Edith\IETldCache
    [2011.03.19 20:09:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
    [2011.03.19 19:56:20 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
    [2011.03.19 19:14:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
    [2011.03.18 18:01:17 | 000,000,000 | ---D | C] -- C:\Programme\MSXML 6.0
    [2011.03.18 17:37:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
    [2011.03.17 17:45:12 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011.03.17 17:40:15 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011.03.17 17:40:15 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011.03.17 17:40:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011.03.17 17:40:14 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011.03.17 17:40:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011.03.17 17:39:26 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011.03.16 23:09:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Edith\Desktop\AV Software
    [2011.03.16 20:18:53 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Edith\Desktop\Logs
    [2011.03.16 20:06:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Edith\Anwendungsdaten\Malwarebytes
    [2011.03.16 20:06:08 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Malwarebytes' Anti-Malware
    [2011.03.16 20:06:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011.03.16 20:06:01 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
    [2011.03.16 20:05:54 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011.03.16 20:05:53 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
    [2011.03.16 19:32:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
    [2011.03.16 19:28:50 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sun
    [2011.03.16 19:28:29 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Java
    [2011.03.16 19:24:10 | 000,000,000 | ---D | C] -- C:\Programme\Java
    [2011.03.16 19:21:44 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Edith\Anwendungsdaten\Sun
    [2011.03.16 19:06:06 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MFAData
    [2011.03.03 12:28:09 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Skype
    [5 C:\Dokumente und Einstellungen\Edith\Eigene Dateien\*.tmp files -> C:\Dokumente und Einstellungen\Edith\Eigene Dateien\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011.03.21 15:17:01 | 000,001,086 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011.03.21 14:17:04 | 000,001,082 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011.03.21 13:03:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011.03.21 13:00:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011.03.21 00:19:08 | 000,448,470 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
    [2011.03.21 00:19:08 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011.03.21 00:19:08 | 000,079,910 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
    [2011.03.21 00:19:08 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011.03.21 00:10:30 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011.03.20 22:53:04 | 000,001,479 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Desktop\Solitär.lnk
    [2011.03.20 14:07:01 | 000,001,653 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\avast! Free Antivirus.lnk
    [2011.03.20 14:06:51 | 000,003,001 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2011.03.20 13:38:56 | 000,002,495 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Desktop\Microsoft Word.lnk
    [2011.03.20 13:37:48 | 062,623,864 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Desktop\setup_av_free.exe
    [2011.03.20 13:33:17 | 000,002,229 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
    [2011.03.20 13:09:31 | 001,373,616 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Desktop\MCPR.exe
    [2011.03.20 12:53:44 | 000,142,032 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011.03.20 12:25:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Edith\Desktop\OTL.exe
    [2011.03.18 16:51:38 | 000,001,777 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Chrome.lnk
    [2011.03.18 16:08:48 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011.03.18 15:48:18 | 004,289,870 | R--- | M] () -- C:\Dokumente und Einstellungen\Edith\Desktop\ComboFix.exe
    [2011.03.17 17:45:22 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011.03.16 10:23:02 | 000,178,687 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\SCAN0107_000.pdf
    [2011.03.04 13:40:07 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2011.03.03 19:56:01 | 000,277,376 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\SCAN0095_000.pdf
    [2011.03.03 19:31:01 | 000,500,219 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\SCAN0097_000.pdf
    [2011.03.03 19:30:28 | 002,077,442 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\SCAN0094_000.pdf
    [2011.03.01 10:03:46 | 000,022,067 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\TUTOR D'ACCOGLIENZA Turni Marzo 2011.pdf
    [2011.02.24 22:03:47 | 000,002,243 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Skype.lnk
    [2011.02.23 16:04:21 | 000,040,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011.02.23 16:04:17 | 000,190,016 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2011.02.23 15:56:55 | 000,371,544 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2011.02.23 15:56:45 | 000,301,528 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011.02.23 15:55:49 | 000,049,240 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011.02.23 15:55:47 | 000,102,232 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011.02.23 15:55:44 | 000,096,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011.02.23 15:55:10 | 000,025,432 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011.02.23 15:54:57 | 000,030,680 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2011.02.23 15:54:55 | 000,019,544 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011.02.19 19:59:55 | 000,102,781 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\501858366.PDF
    [5 C:\Dokumente und Einstellungen\Edith\Eigene Dateien\*.tmp files -> C:\Dokumente und Einstellungen\Edith\Eigene Dateien\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011.03.20 14:07:01 | 000,001,653 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\avast! Free Antivirus.lnk
    [2011.03.20 13:37:36 | 062,623,864 | ---- | C] () -- C:\Dokumente und Einstellungen\Edith\Desktop\setup_av_free.exe
    [2011.03.20 13:33:17 | 000,002,229 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
    [2011.03.20 13:09:25 | 001,373,616 | ---- | C] () -- C:\Dokumente und Einstellungen\Edith\Desktop\MCPR.exe
    [2011.03.17 17:45:22 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011.03.17 17:45:17 | 000,262,448 | RHS- | C] () -- C:\cmldr
    [2011.03.17 17:40:15 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011.03.17 17:40:15 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011.03.17 17:40:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011.03.17 17:40:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011.03.17 17:40:14 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011.03.17 17:35:05 | 004,289,870 | R--- | C] () -- C:\Dokumente und Einstellungen\Edith\Desktop\ComboFix.exe
    [2011.03.16 10:23:01 | 000,178,687 | ---- | C] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\SCAN0107_000.pdf
    [2011.03.03 19:31:00 | 000,500,219 | ---- | C] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\SCAN0097_000.pdf
    [2011.03.03 19:30:45 | 000,277,376 | ---- | C] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\SCAN0095_000.pdf
    [2011.03.03 19:30:26 | 002,077,442 | ---- | C] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\SCAN0094_000.pdf
    [2011.03.01 10:03:43 | 000,022,067 | ---- | C] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\TUTOR D'ACCOGLIENZA Turni Marzo 2011.pdf
    [2011.02.19 19:59:52 | 000,102,781 | ---- | C] () -- C:\Dokumente und Einstellungen\Edith\Eigene Dateien\501858366.PDF
    [2010.11.24 10:41:55 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\SM37XCoInst.dll
    [2010.11.24 10:41:55 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\RemoveSM37X.exe
    [2010.10.25 22:41:13 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
    [2010.10.04 16:21:50 | 000,000,126 | ---- | C] () -- C:\WINDOWS\PRLTP_USBdrv.ini
    [2008.12.28 19:07:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2007.12.30 18:14:39 | 000,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
    [2007.12.30 18:14:39 | 000,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
    [2007.12.30 16:59:15 | 000,000,402 | ---- | C] () -- C:\WINDOWS\QTW.INI
    [2007.12.26 14:42:44 | 000,011,264 | ---- | C] () -- C:\WINDOWS\CATSTUB.EXE
    [2007.12.26 14:42:44 | 000,000,412 | ---- | C] () -- C:\WINDOWS\encarta.ini
    [2007.12.26 14:42:43 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
    [2006.12.08 18:28:42 | 007,034,608 | ---- | C] () -- C:\WINDOWS\psa2011se_ger.exe
    [2006.06.20 08:18:48 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
    [2006.05.12 14:48:10 | 000,000,235 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
    [2005.12.13 09:42:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
    [2005.01.09 11:05:21 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS47.DLL
    [2005.01.09 11:04:28 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2004.12.15 18:41:32 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
    [2004.12.15 18:26:37 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
    [2004.12.15 18:26:37 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
    [2004.12.15 18:26:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
    [2004.12.15 18:26:33 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.exe
    [2004.12.15 18:26:33 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
    [2004.12.15 18:26:29 | 000,266,240 | ---- | C] () -- C:\WINDOWS\CMIUninstall.exe
    [2004.12.15 18:26:29 | 000,225,280 | ---- | C] () -- C:\WINDOWS\CmiRmRedundDir.exe
    [2004.12.15 18:26:29 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
    [2004.12.15 18:25:36 | 000,002,755 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
    [2004.12.15 18:25:35 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
    [2004.12.15 17:43:01 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2004.12.15 17:37:01 | 000,021,740 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2004.12.15 17:31:12 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2004.12.15 17:30:11 | 000,142,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2004.08.02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2002.08.29 02:54:14 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2001.08.31 23:15:44 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2001.08.31 23:15:44 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2001.08.18 20:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2001.08.18 20:00:00 | 000,448,470 | ---- | C] () -- C:\WINDOWS\System32\perfh007.dat
    [2001.08.18 20:00:00 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2001.08.18 20:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2001.08.18 20:00:00 | 000,269,480 | ---- | C] () -- C:\WINDOWS\System32\perfi007.dat
    [2001.08.18 20:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2001.08.18 20:00:00 | 000,079,910 | ---- | C] () -- C:\WINDOWS\System32\perfc007.dat
    [2001.08.18 20:00:00 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2001.08.18 20:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2001.08.18 20:00:00 | 000,034,478 | ---- | C] () -- C:\WINDOWS\System32\perfd007.dat
    [2001.08.18 20:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2001.08.18 20:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

    ========== LOP Check ==========

    [2011.03.20 14:04:47 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AVAST Software
    [2011.03.16 19:06:06 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MFAData
    [2008.03.02 15:59:49 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Edith\Anwendungsdaten\My Games
    [2009.12.02 21:25:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Edith\Anwendungsdaten\TeamViewer

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2007.12.30 17:09:47 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2004.12.15 17:40:12 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.CPY
    [2004.12.15 18:03:43 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011.03.17 17:45:22 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2001.08.18 20:00:00 | 000,004,952 | RHS- | M] () -- C:\bootfont.bin
    [2004.08.03 23:00:10 | 000,262,448 | RHS- | M] () -- C:\cmldr
    [2011.03.18 16:52:17 | 000,010,728 | ---- | M] () -- C:\ComboFix.txt
    [2004.12.15 17:40:12 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2004.12.15 17:40:12 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2004.12.15 17:40:12 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004.12.15 17:58:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2004.12.15 17:58:00 | 000,251,184 | RHS- | M] () -- C:\ntldr
    [2011.03.21 13:00:18 | 390,070,272 | -HS- | M] () -- C:\pagefile.sys
    [2011.03.16 22:50:50 | 000,071,854 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_16.03.2011_22.44.05_log.txt

    < %systemroot%\Fonts\*.com >
    [2006.04.18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006.06.29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006.04.18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006.06.29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2004.12.15 17:39:41 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2002.06.17 06:00:00 | 000,013,824 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD47.DLL
    [2002.06.17 06:00:00 | 000,046,080 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP47.DLL
    [2008.07.06 13:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008.07.06 11:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011.02.23 16:04:21 | 000,040,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2004.12.15 18:29:21 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2004.12.15 18:29:21 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2004.12.15 18:29:21 | 000,401,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2004.12.15 17:48:13 | 000,000,079 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Desktop anzeigen.scf
    [2004.12.15 18:09:57 | 000,000,182 | -HS- | M] () -- C:\Dokumente und Einstellungen\Edith\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011.03.18 15:48:18 | 004,289,870 | R--- | M] () -- C:\Dokumente und Einstellungen\Edith\Desktop\ComboFix.exe
    [2011.03.20 13:09:31 | 001,373,616 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Desktop\MCPR.exe
    [2011.03.20 12:25:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Edith\Desktop\OTL.exe
    [2011.03.20 13:37:48 | 062,623,864 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Desktop\setup_av_free.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011.03.16 18:28:07 | 000,000,067 | -HS- | M] () -- C:\Dokumente und Einstellungen\Edith\Cookies\desktop.ini
    [2011.03.21 13:00:36 | 000,163,840 | ---- | M] () -- C:\Dokumente und Einstellungen\Edith\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2004.08.04 00:58:18 | 000,212,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2004.08.04 00:57:18 | 000,028,672 | ---- | M] (Microsoft Corporation) -- C:\Programme\Messenger\custsat.dll
    [2002.08.20 19:31:24 | 000,004,821 | ---- | M] () -- C:\Programme\Messenger\logowin.gif
    [2002.08.20 12:32:18 | 000,007,047 | ---- | M] () -- C:\Programme\Messenger\lvback.gif
    [2002.04.11 11:57:14 | 000,001,174 | ---- | M] () -- C:\Programme\Messenger\mailtmpl.txt
    [2008.05.02 15:24:05 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Programme\Messenger\msgsc.dll
    [2004.08.04 00:55:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Programme\Messenger\msgslang.dll
    [2004.10.13 17:24:37 | 001,694,208 | ---- | M] (Microsoft Corporation) -- C:\Programme\Messenger\msmsgs.exe
    [2002.08.20 15:08:38 | 000,069,663 | ---- | M] (Microsoft Corporation) -- C:\Programme\Messenger\msmsgsin.exe
    [2002.08.20 19:31:26 | 000,002,882 | ---- | M] () -- C:\Programme\Messenger\newalert.wav
    [2002.08.20 19:31:26 | 000,006,156 | ---- | M] () -- C:\Programme\Messenger\newemail.wav
    [2002.08.20 19:31:26 | 000,006,160 | ---- | M] () -- C:\Programme\Messenger\online.wav
    [2002.08.20 12:32:20 | 000,004,454 | ---- | M] () -- C:\Programme\Messenger\type.wav
    [2004.07.17 11:35:00 | 000,120,389 | ---- | M] () -- C:\Programme\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [1994.10.27 00:00:00 | 000,004,128 | ---- | M] (Apple Computer, Inc.) -- C:\WINDOWS\system\QTNOTIFY.EXE
    [2003.11.27 10:52:46 | 001,454,080 | ---- | M] (C-Media Electronics Inc.) -- C:\WINDOWS\system\SmWizard.exe

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
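The OTL report above is read by hand in this thread, and most of it is the file-listing format: every entry has the shape `[date time | size | attributes | M or C] (company) -- path`. As an added example (not OTL's code and not from either poster), the Python below parses that format and applies the first-cut heuristics an analyst uses when skimming such a report: executables under the system root with no company name in their version information, executables written within a few days of the scan, and executables carrying hidden+system attributes. The sample lines are copied from the report above except the last one, which is constructed to exercise the hidden+system case; the seven-day window, the extension list and the `C:\WINDOWS\` root are assumptions chosen for illustration.

```python
"""Triage helper for OTL file-listing lines (added example, not OTL's own code).

OTL prints one file per line as
    [YYYY.MM.DD HH:MM:SS | size | attrs | M|C] (Company) -- path
attrs has four flag positions, (R)ead-only (H)idden (S)ystem (D)irectory, with
'-' when unset; the trailing letter says whether the timestamp is the file's
Modified or Created time.  Any other line shape (section headers, the
"[5 ... *.tmp files -> ...]" summaries) is ignored by the parser.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

OTL_LINE = re.compile(
    r"^\s*\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Assumptions for the heuristic: what counts as executable code and as the system root.
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
SYSTEM_ROOTS = ("c:\\windows\\",)


@dataclass(frozen=True)
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str      # e.g. "RHS-", "-H--", "----"
    kind: str       # "M" = modified time, "C" = created time
    company: str    # "" when OTL printed "()", i.e. no company in the version resource
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    m = OTL_LINE.match(line)
    if m is None:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),   # OTL zero-pads and groups digits
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"].strip(),
        path=m["path"],
    )


def parse_otl_log(text: str) -> list[OtlEntry]:
    entries = (parse_otl_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def triage(entries, scan_date: date, window_days: int = 7) -> dict[str, list[str]]:
    """Map path -> reasons for every executable entry worth a second look."""
    cutoff = datetime(scan_date.year, scan_date.month, scan_date.day) - timedelta(days=window_days)
    flagged: dict[str, list[str]] = {}
    for e in entries:
        low = e.path.lower()
        if not low.endswith(EXECUTABLE_EXT):
            continue                      # heuristics below apply to executable code only
        reasons = []
        if low.startswith(SYSTEM_ROOTS) and not e.company:
            reasons.append("no company name on an executable under the system root")
        if e.timestamp >= cutoff:
            reasons.append(f"written within {window_days} days of the scan")
        if "H" in e.attrs and "S" in e.attrs:
            reasons.append("hidden+system attributes on an executable")
        if reasons:
            flagged[e.path] = reasons
    return flagged


# Seven lines copied from the report in this thread; the final line is constructed
# (it is not in the report) to exercise the hidden+system rule.
SAMPLE_LOG = r"""
[2011.03.17 17:40:15 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011.03.17 17:40:15 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011.02.23 15:55:44 | 000,096,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011.03.17 17:45:17 | 000,262,448 | RHS- | C] () -- C:\cmldr
[2007.12.30 18:14:39 | 000,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2004.08.04 00:58:18 | 000,212,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe
[5 C:\Dokumente und Einstellungen\Edith\Eigene Dateien\*.tmp files -> C:\Dokumente und Einstellungen\Edith\Eigene Dateien\*.tmp -> ]
[2011.03.19 03:12:00 | 000,045,056 | -HS- | C] () -- C:\WINDOWS\System32\constructed_sample.dll
"""


def triage_sample() -> dict[str, list[str]]:
    """Run the heuristic over SAMPLE_LOG using the report's own date (2011-03-21)."""
    return triage(parse_otl_log(SAMPLE_LOG), date(2011, 3, 21))


if __name__ == "__main__":
    for path, reasons in triage_sample().items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the report's own lines with a scan date of 2011-03-21, the heuristic flags C:\WINDOWS\PEV.exe and C:\WINDOWS\MBR.exe on two rules each, which is the right first cut; the analyst then clears them because they were created five minutes after ComboFix.exe appeared on the Desktop, in the same batch as sed.exe, grep.exe and zip.exe. C:\WINDOWS\xobglu16.dll is flagged on the company-name rule alone and dates from 2007, well before the incident, so it goes to the bottom of the list. The script shortens the list, it does not decide: a company name is whatever the file's version resource claims and is trivial to forge, and a legitimate tool drop looks exactly like a malware drop until the timestamps are read in context.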
     
  9. 2011/03/21
    broni (Moderator, Malware Analyst)
    I still need Extras.txt.

    Any current issues?
     
  10. 2011/03/22
    Mrjayde (Thread Starter)
    Tried to run OTL again today but once more only got the OTL.txt out of it.

    The computer is running a bit slow, but that just might be because it's an old machine. The original problem, i.e. being unable to connect to MS and AV sites, has been resolved.

    Seeing that I was only visiting here and leaving soon and the computer's owner is happy to be able to connect to MS sites again, perhaps we should just leave it at that.

    Again thank you very much for all your assistance!
     
  11. 2011/03/22
    broni (Moderator, Malware Analyst)
    I'm glad to see your computer doing fine, but we have to finish what we started.

    Lack of a proper amount of RAM is definitely an issue here.
    Windows XP needs at least 512MB of RAM (1GB ideally).

    ================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O15 - HKU\S-1-5-21-1078081533-879983540-839522115-1003\..Trusted Domains: ([]msn in My Computer)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      [5 C:\Dokumente und Einstellungen\Edith\Eigene Dateien\*.tmp files -> C:\Dokumente und Einstellungen\Edith\Eigene Dateien\*.tmp -> ]
      [2010.10.25 22:41:13 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  12. 2011/03/23
    Mrjayde (Thread Starter)
    Okay, the only problem is that I won't have access to this computer much longer and I don't think there is anyone who could take over. In any case, here are the scan results. Should I recommend to the computer owner to buy more RAM?

    1) OTL

    All processes killed
    ========== OTL ==========
    Registry value HKEY_USERS\S-1-5-21-1078081533-879983540-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\ deleted successfully.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
    Starting removal of ActiveX control DirectAnimation Java Classes
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
    File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
    Starting removal of ActiveX control Microsoft XML Parser for Java
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
    C:\Dokumente und Einstellungen\Edith\Eigene Dateien\~WRL0419.tmp deleted successfully.
    C:\Dokumente und Einstellungen\Edith\Eigene Dateien\~WRL0669.tmp deleted successfully.
    C:\Dokumente und Einstellungen\Edith\Eigene Dateien\~WRL1286.tmp deleted successfully.
    C:\Dokumente und Einstellungen\Edith\Eigene Dateien\~WRL2371.tmp deleted successfully.
    C:\Dokumente und Einstellungen\Edith\Eigene Dateien\~WRL3633.tmp deleted successfully.
    C:\WINDOWS\system32\ezsidmv.dat moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Edith
    ->Temp folder emptied: 6953624 bytes
    ->Temporary Internet Files folder emptied: 49092443 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 873 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32969 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 19154324 bytes
    RecycleBin emptied: 336946 bytes

    Total Files Cleaned = 72,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: Edith
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    Total Flash Files Cleaned = 0,00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 03232011_152718

    Files\Folders moved on Reboot...
    File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    2) Security Check

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 2
    Out of date service pack!!
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    avast! Free Antivirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 24
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader X (10.0.1) - Deutsch
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast avastUI.exe
    ``````````End of Log````````````


    3) ESET scan

    C:\Qoobox\Quarantine\C\WINDOWS\system32\_mgzwt_.dll.zip Win32/Conficker.AE worm
    C:\System Volume Information\_restore{B349732D-07B1-4F4A-95EF-628C6A5A6BF7}\RP63\A0017551.exe Win32/Packed.Autoit.E.Gen application
     
  13. 2011/03/23
    broni (Moderator, Malware Analyst)
    More RAM will definitely help.

    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current (including the Service Pack 3 installation!).

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.
     
  14. 2011/03/24
    Mrjayde (Thread Starter)
    Excellent, thank you so much.

    I've downloaded the programs you have recommended and also printed your instructions so that the computer owner can follow them. The computer works a lot better than before we started, and a bit more RAM should speed the machine up.

    Here is the last OTL log:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Edith
    ->Temp folder emptied: 51508 bytes
    ->Temporary Internet Files folder emptied: 11882358 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 689 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 395 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 12,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: Edith
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    Total Flash Files Cleaned = 0,00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.22.3 log created on 03242011_132937

    Files\Folders moved on Reboot...
    File\Folder C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Temp\~DFEE6D.tmp not found!
    File\Folder C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Temp\~DFFD54.tmp not found!
    C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Temporary Internet Files\Content.IE5\XXDARLLT\p-01-0VIaSjnOLg[1].gif moved successfully.
    C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Temporary Internet Files\Content.IE5\MQ61QVX9\00b42e3a-b809-49b2-b433-cc45b2bc89d33rd_party_BBS[1].htm moved successfully.
    C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Temporary Internet Files\Content.IE5\MQ61QVX9\ads[1].htm moved successfully.
    C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Temporary Internet Files\Content.IE5\MQ61QVX9\cm[1].htm moved successfully.
    C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Temporary Internet Files\Content.IE5\MQ61QVX9\p-01-0VIaSjnOLg[1].gif moved successfully.
    C:\Dokumente und Einstellungen\Edith\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  15. 2011/03/24
    broni (Moderator, Malware Analyst)
    Very well....

    Good luck and stay safe :)
     
