Infected: virus Worm.VBS.Autorun.fh, c:\windows\system32\regedit.sys


This topic is locked
19 replies to this topic

#1 JaninaP (Members, 9 posts)

Posted 21 December 2009 - 02:54 PM

I think the virus was caused by an infected USB drive. It has already spread to a second notebook via an external hard drive.
When starting the PC, the Antivir virus software does not open and update automatically as usual, and no Windows updates are done. I am informed that new security updates are available, but they are always aborted.
When clicking on the Antivir Control Center, it tells me 'Path not found'. When opening files or Explorer I get the message "runtime error". New programs try to install themselves in Autorun but are blocked by my WinPatrol.
After using the Kaspersky scan, it tells me it found this. It cannot be deleted, because it has no access to the file:
deleted: virus Worm.VBS.Autorun.fh File: C:\pagefiles.sys

Thanks a lot for helping!!!
Tell me if you need further information!!!

First, here is my DDS script:

DDS (Ver_09-12-01.01) - NTFSx86
Run by JaninaP at 19:07:28,57 on 21.12.2009
Internet Explorer: 8.0.6001xxxxx
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2038xxxxx [GMT 0:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programme\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Samsung\Easy Display Manager\dmhkcore.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\Philips\SA28XX Device Manager\main.exe
C:\Programme\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Programme\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Dokumente und Einstellungen\Janina Pakusch\Desktop\Virus Removal Tool\is-MBIFE\is-MBIFE.exe
C:\Programme\Microsoft Office\Office12\WINWORD.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Janina Pakusch\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\programme\pdfforge toolbar\SearchSettings.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\programme\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\google toolbar\GoogleToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\programme\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\programme\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\programme\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\programme\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\programme\samsung\magickbd\PreMKBD.exe
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinPatrol] c:\programme\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\bttray.lnk - c:\programme\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\philip~1.lnk - c:\programme\philips\sa28xx device manager\main.exe
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\programme\gemeinsame dateien\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Senden an &Bluetooth-Gerät... - c:\programme\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Senden an Bluetooth - c:\programme\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\programme\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\programme\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
mASetup: {27AB0758-F8E8-3AFE-8A4B-A08AB9658382} - c:\windows\system32\svchostnt.exe
IFEO: 00hoeav.com - c:\windows\system32\svchostnt.exe
IFEO: 0w.com - c:\windows\system32\svchostnt.exe
IFEO: 360rpt.EXE - c:\windows\system32\svchostnt.exe
IFEO: 360safe.EXE - c:\windows\system32\svchostnt.exe
IFEO: 360safebox.EXE - c:\windows\system32\svchostnt.exe

Note: multiple IFEO entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2009-12-5 11608]
R1 is-MBIFEdrv;is-MBIFEdrv;c:\windows\system32\drivers\86709398.sys [2009-12-7 148496]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\avira\antivir desktop\sched.exe [2009-12-5 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2009-12-5 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-29 55656]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-2-12 4300]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-2-12 238464]
S2 gupdate1ca1cd9d9f165bc;Google Update Service (gupdate1ca1cd9d9f165bc);c:\programme\google\update\GoogleUpdate.exe [2009-8-14 133104]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]

=============== Created Last 30 ================

2009-12-15 07:36:01 0 d-----w- c:\dokumente und einstellungen\janina pakusch\.jenny
2009-12-07 20:44:08 178208 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-07 20:44:08 15886368 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-07 20:44:03 148496 ----a-w- c:\windows\system32\drivers\86709398.sys
2009-12-07 20:43:48 42747176 ----a-w- c:\programme\setup_7.0.0.290_02.07.2009_17-02.exe
2009-12-05 18:16:41 0 d-----w- c:\programme\Avira
2009-12-05 18:16:41 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Avira
2009-12-05 18:15:01 31066056 ----a-w- c:\programme\avira_antivir_personal415_de.exe
2009-11-29 15:16:16 204 --sha-r- C:\autorun.inf

==================== Find3M ====================

2009-11-09 22:32:14 80306 ----a-w- c:\windows\system32\perfc007.dat
2009-11-09 22:32:14 449044 ----a-w- c:\windows\system32\perfh007.dat
2009-10-17 11:29:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-01 19:31:48 7501831 ----a-w- c:\programme\FreeYouTubeToMp3Converter59.exe
2009-08-30 14:35:49 17570056 ----a-w- c:\programme\PDFCreator-0_9_8_setup_2.exe
2009-08-29 14:42:43 327020864 ----a-w- c:\programme\X12-30103.exe
2009-08-28 20:43:44 18015723 ----a-w- c:\programme\vlc-1.0.1-win32.exe
2009-08-16 11:42:04 791505 ----a-w- c:\programme\TOP.zip
2009-08-14 12:21:43 22261544 ----a-w- c:\programme\SkypeSetupFull141.exe
2009-08-14 12:15:40 745296 ----a-w- c:\programme\setupde161.exe
2009-08-14 12:11:37 21836008 ----a-w- c:\programme\sa2820_02_pal_eng.zip
2009-07-29 14:57:45 32467048 ----a-w- c:\programme\avira_antivir_personal403_de.exe
2008-05-08 11:24:44 155648 --sha-r- c:\windows\system32\wscript.exe

============= FINISH: 19:07:48,51 ===============


Now here is the Kaspersky CollectSysInfo:

<AVZ_CollectSysInfo>
--------------------
Start time: 21.12.2009 19:34:37
Duration: 00:02:25
Finish time: 21.12.2009 19:37:02


<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
21.12.2009 19:34:38 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
21.12.2009 19:34:38 System Restore: Disabled
21.12.2009 19:34:40 1.1 Searching for user-mode API hooks
21.12.2009 19:34:40 Analysis: kernel32.dll, export table found in section .text
21.12.2009 19:34:40 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
21.12.2009 19:34:40 Hook kernel32.dll:CreateProcessA (99) blocked
21.12.2009 19:34:40 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
21.12.2009 19:34:40 Hook kernel32.dll:CreateProcessW (103) blocked
21.12.2009 19:34:40 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC7E->61F041FC
21.12.2009 19:34:40 Hook kernel32.dll:FreeLibrary (241) blocked
21.12.2009 19:34:40 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B56F->61F040FB
21.12.2009 19:34:40 Hook kernel32.dll:GetModuleFileNameA (373) blocked
21.12.2009 19:34:40 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B475->61F041A0
21.12.2009 19:34:40 Hook kernel32.dll:GetModuleFileNameW (374) blocked
21.12.2009 19:34:40 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE40->61F04648
21.12.2009 19:34:40 Hook kernel32.dll:GetProcAddress (409) blocked
21.12.2009 19:34:40 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
21.12.2009 19:34:40 Hook kernel32.dll:LoadLibraryA (581) blocked
21.12.2009 19:34:40 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
21.12.2009 19:34:40 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
21.12.2009 19:34:40 Hook kernel32.dll:LoadLibraryExA (582) blocked
21.12.2009 19:34:40 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
21.12.2009 19:34:40 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
21.12.2009 19:34:40 Hook kernel32.dll:LoadLibraryExW (583) blocked
21.12.2009 19:34:40 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEEB->61F03D0C
21.12.2009 19:34:40 Hook kernel32.dll:LoadLibraryW (584) blocked
21.12.2009 19:34:40 IAT modification detected: LoadLibraryW - 00C00010<>7C80AEEB
21.12.2009 19:34:40 Analysis: ntdll.dll, export table found in section .text
21.12.2009 19:34:40 Analysis: user32.dll, export table found in section .text
21.12.2009 19:34:40 Analysis: advapi32.dll, export table found in section .text
21.12.2009 19:34:40 Analysis: ws2_32.dll, export table found in section .text
21.12.2009 19:34:40 Analysis: wininet.dll, export table found in section .text
21.12.2009 19:34:40 Analysis: rasapi32.dll, export table found in section .text
21.12.2009 19:34:40 Analysis: urlmon.dll, export table found in section .text
21.12.2009 19:34:40 Analysis: netapi32.dll, export table found in section .text
21.12.2009 19:34:41 1.2 Searching for kernel-mode API hooks
21.12.2009 19:34:42 Driver loaded successfully
21.12.2009 19:34:42 SDT found (RVA=08B520)
21.12.2009 19:34:42 Kernel ntoskrnl.exe found in memory at address 804D7000
21.12.2009 19:34:42 SDT = 80562520
21.12.2009 19:34:42 KiST = 804E48B0 (284)
21.12.2009 19:34:42 Function NtCreateKey (29) intercepted (8057791D->F7A842BE), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtCreateThread (35) intercepted (80586C45->F7A842B4), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtDeleteKey (3F) intercepted (80593334->F7A842C3), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtDeleteValueKey (41) intercepted (80591F8B->F7A842CD), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtLoadKey (62) intercepted (805CE7ED->F7A842D2), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtOpenProcess (7A) intercepted (80581702->F7A842A0), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtOpenThread (80) intercepted (805E1941->F7A842A5), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtReplaceKey (C1) intercepted (806564E8->F7A842DC), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtRestoreKey (CC) intercepted (8065607D->F7A842D7), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtSetValueKey (F7) intercepted (8058228C->F7A842C8), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:42 Function NtTerminateProcess (101) intercepted (8058E695->F7A842AF), hook not defined
21.12.2009 19:34:42 >>> Function restored successfully !
21.12.2009 19:34:42 >>> Hook code blocked
21.12.2009 19:34:44 Functions checked: 284, intercepted: 11, restored: 11
21.12.2009 19:34:44 1.3 Checking IDT and SYSENTER
21.12.2009 19:34:44 Analysis for CPU 1
21.12.2009 19:34:44 Analysis for CPU 2
21.12.2009 19:34:44 Checking IDT and SYSENTER - complete
21.12.2009 19:34:45 1.4 Searching for masking processes and drivers
21.12.2009 19:34:45 Checking not performed: extended monitoring driver (AVZPM) is not installed
21.12.2009 19:34:45 Driver loaded successfully
21.12.2009 19:34:45 1.5 Checking of IRP handlers
21.12.2009 19:34:45 Checking - complete
21.12.2009 19:34:47 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCP80.dll --> Suspicion for Keylogger or Trojan DLL
21.12.2009 19:34:47 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCP80.dll>>> Behavioral analysis
21.12.2009 19:34:47 Behaviour typical for keyloggers not detected
21.12.2009 19:34:47 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll --> Suspicion for Keylogger or Trojan DLL
21.12.2009 19:34:47 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll>>> Behavioral analysis
21.12.2009 19:34:47 Behaviour typical for keyloggers not detected
21.12.2009 19:34:47 C:\Programme\BillP Studios\WinPatrol\PATROLPRO.DLL --> Suspicion for Keylogger or Trojan DLL
21.12.2009 19:34:47 C:\Programme\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Behavioral analysis
21.12.2009 19:34:47 Behaviour typical for keyloggers not detected
21.12.2009 19:34:49 C:\WINDOWS\system32\btmmhook.dll --> Suspicion for Keylogger or Trojan DLL
21.12.2009 19:34:49 C:\WINDOWS\system32\btmmhook.dll>>> Behavioral analysis
21.12.2009 19:34:49 1. Reacts to events: keyboard
21.12.2009 19:34:49 C:\WINDOWS\system32\btmmhook.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
21.12.2009 19:34:50 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
21.12.2009 19:35:16 Danger - process debugger "00hoeav.com" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:16 Danger - process debugger "0w.com" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "360rpt.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "360safe.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "360safebox.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "guard.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "GuardField.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "guardgui.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "guardxkickoff.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "guardxkickoff_x64.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "guardxservice.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "guardxup.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "h3.bat" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "HijackThis.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "hookinst.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "host.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "i.bat" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "iamapp.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "iamserv.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "IceSword.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ICLOAD95.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ICLOADNT.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ICMON.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ICSUPP95.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ICSUPPNT.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Identity.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "iefqwp.cmd" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "IEShow.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "IFACE.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ij.bat" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "InstallCAVS.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "InstLsp.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Iparmor.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "iSafe.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "iSafInst.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "KASARP.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "kav32.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "KAVPFW.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "kavstart.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ker.vbs" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "KeyMgr.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "killVBS.vbs" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "kissvc.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "kmailmon.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "KPfwSvc.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "KRegEx.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "KVSrvXP.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "KVWSC.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "kwatch.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "licmgr.ex" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "licreg.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "lky.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "lockdown2000.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "m2nl.bat" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcagent.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcappins.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcaupdate.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcdash.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Mcdetect.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcinfo.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcinsupd.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcmnhdlr.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcregwiz.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "McShield.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Mctray.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcupdmgr.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcupdui.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "McVSEscn.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcvsftsn.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mcvsmap.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "mghtml.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Mmsk.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "MooLive.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "MSConfig.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys"
21.12.2009 19:35:17 Danger - process debugger "msdos.pif" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "msfir80.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "MSGrc32.vbs" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "msime80.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "msizap.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "msmsgs.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "msvcr71.dll" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "naiavfin.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "naPrdMgr.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Navapsvc.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "NAVAPW32.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "NAVW32.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "new folder.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "njibyekk.com" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "nod32.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "nod32krn.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "nod32kui.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "oasclnt.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "olb1iimw.bat" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "OnAccessInstaller.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Pagent.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Pagentwd.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "PavFnSvr.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "pavprsrv.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "PavReport.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "pavsched.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "PAVSRV51.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "pctsAuxs.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "pctsSvc.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "pctsTray.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "PFW.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "preupd.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "procexp.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "PsCtrlS.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "PSHost.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "PsImSvc.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "pskmssvc.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "psksvc.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "QQDoctor.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "QtnMaint.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "RAV.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ravmon.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Ravservice.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "RavStub.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "RAVTRAY.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "rcukd.cmd" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "regedit.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys"
21.12.2009 19:35:17 Danger - process debugger "reload.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "rfwmain.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "rfwProxy.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "rfwsrv.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Rfwstub.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "rose.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "RSTray.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "rstrui.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys"
21.12.2009 19:35:17 Danger - process debugger "Runiep.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "safeboxTray.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "sal.xls.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SCVHOST.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "scvhosts.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SCVHSOT.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SCVVHOST.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "scvvhosts.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SCVVHSOT.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "seccenter.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SendLogs.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "session.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "shstat.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SocksA.ex" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SOLOCFG.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SOLOLITE.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SOLOSCAN.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SOLOSENT.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Sphinx.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "spidercpl.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "spiderml.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "spidernt.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "spiderui.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "spml_set.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "SREngLdr.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ssvichosst.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "sxs.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "system.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "taskmgr.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys"
21.12.2009 19:35:17 Danger - process debugger "tca.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "temp.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "temp2.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "toy.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "TPSrv.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "TrojanDetector.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Trojanwall.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "TrojDie.KXP" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "UdaterUI.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "uiscan.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "unp_test.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "update.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "UPSDbMaker.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "userdump.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "UUpd.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "v.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Vba32Act.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Vba32arkit.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Vba32ECM.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Vba32ifs.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vba32ldr.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Vba32PP3.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "Vba32Qtn.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vbcmserv.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vbcons.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vbglobal.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vbimport.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vbinst.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vbscan.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vbsystry.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "VetMsg.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "virusutilities.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "VisthAux.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "VPC32.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "VPTRAY.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "VSECOMR.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "VSHWIN32.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vsmon.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "vsserv.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "VSSTAT.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "VsTskMgr.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "WEBPROXY.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "WEBSCANX.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "whi.com" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "WinGrc32.dll" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "WOPTILITIES.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "WrAdmin.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "WrCtrl.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "wscntfy.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "wsctool.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "yannh.cmd" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "ybj8df.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "zonealarm.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "_AVP32.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "_AVPCC.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "_AVPM.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:18 >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
21.12.2009 19:35:18 >>> D:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
21.12.2009 19:35:18 >>> G:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
21.12.2009 19:35:18 >> Services: potentially dangerous service allowed: TermService (Terminaldienste)
21.12.2009 19:35:18 >> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
21.12.2009 19:35:18 >> Services: potentially dangerous service allowed: Schedule (Taskplaner)
21.12.2009 19:35:18 >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
21.12.2009 19:35:18 >> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
21.12.2009 19:35:18 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
21.12.2009 19:35:18 >> Security: administrative shares (C$, D$ ...) are enabled
21.12.2009 19:35:18 >> Security: anonymous user access is enabled
21.12.2009 19:35:19 >> Security: sending Remote Assistant queries is enabled
21.12.2009 19:35:23 >> System process debugger detected
21.12.2009 19:35:26 >> Disable HDD autorun
21.12.2009 19:35:26 >> Disable autorun from network drives
21.12.2009 19:35:26 >> Disable CD/DVD autorun
21.12.2009 19:35:26 >> Disable removable media autorun
21.12.2009 19:35:26 System Analysis in progress
21.12.2009 19:37:02 System Analysis - complete
21.12.2009 19:37:02 Delete file:C:\Dokumente und Einstellungen\Janina Pakusch\Desktop\Virus Removal Tool\is-MBIFE\LOG\avptool_syscheck.htm
21.12.2009 19:37:02 Delete file:C:\Dokumente und Einstellungen\Janina Pakusch\Desktop\Virus Removal Tool\is-MBIFE\LOG\avptool_syscheck.xml
21.12.2009 19:37:02 Deleting service/driver: utmymtc1
21.12.2009 19:37:02 Delete file:C:\WINDOWS\system32\Drivers\utmymtc1.sys
21.12.2009 19:37:02 Deleting service/driver: ujmymtc1
21.12.2009 19:37:02 Script executed without errors


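Every "process debugger" line in the Kaspersky Virus Removal Tool log above is one Image File Execution Options (IFEO) entry: Windows starts the named Debugger instead of the requested program, which is how the worm stops anti-virus and recovery tools from launching. The following triage helper is an added example, not code from the thread or from the tool; it parses a constructed sample built from a few of the log lines above, groups the entries by Debugger value, and flags the built-in recovery tools and the script-host redirects. The IFEO registry path and the RECOVERY_TOOLS list are my assumptions about what a responder would check, not something the log states.

```python
import re
from collections import defaultdict

# Constructed sample: seven "process debugger" findings copied from the log
# above plus two unrelated lines, so the parser has something to ignore.
SAMPLE_LOG = r"""
21.12.2009 19:35:17 Danger - process debugger "HijackThis.EXE" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "procexp.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:17 Danger - process debugger "MSConfig.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys"
21.12.2009 19:35:17 Danger - process debugger "regedit.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys"
21.12.2009 19:35:17 Danger - process debugger "rstrui.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys"
21.12.2009 19:35:17 Danger - process debugger "taskmgr.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys"
21.12.2009 19:35:17 Danger - process debugger "zonealarm.exe" = "C:\WINDOWS\system32\svchostnt.exe"
21.12.2009 19:35:18 >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
21.12.2009 19:35:18 >> Security: administrative shares (C$, D$ ...) are enabled
"""

# One finding per line: the intercepted image name and the Debugger command line.
DEBUGGER_RE = re.compile(r'process debugger "([^"]+)"\s*=\s*"([^"]*)"')

# Assumed location a responder inspects: each finding is a Debugger value
# under this key, in a subkey named after the intercepted image.
IFEO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Assumed list of built-in tools an operator reaches for during cleanup.
# Seeing these under IFEO points to deliberate tool-blocking, not a developer's debugger.
RECOVERY_TOOLS = {"regedit.exe", "taskmgr.exe", "msconfig.exe", "rstrui.exe", "cmd.exe"}


def parse_ifeo_findings(log_text):
    """Return [(image_name, debugger_command), ...] for every IFEO finding in the log."""
    findings = []
    for line in log_text.splitlines():
        m = DEBUGGER_RE.search(line)
        if m:
            # The log itself carries a trailing space in some names ("Frameworkservice.EXE ").
            findings.append((m.group(1).strip(), m.group(2).strip()))
    return findings


def group_by_debugger(findings):
    """Map each distinct Debugger value to the sorted image names it intercepts."""
    groups = defaultdict(set)
    for image, debugger in findings:
        groups[debugger].add(image.lower())
    return {debugger: sorted(images) for debugger, images in groups.items()}


def script_host_redirects(findings):
    """Findings whose Debugger is wscript/cscript, i.e. the image is replaced by a script run.

    In the log the script host is given /E:vbs and a file named regedit.sys, so the
    script engine is chosen explicitly rather than by the file's extension.
    """
    hits = []
    for image, debugger in findings:
        head = debugger.split()[0].lower() if debugger else ""
        exe = head.rsplit("\\", 1)[-1]
        if exe in ("wscript.exe", "cscript.exe"):
            hits.append((image, debugger))
    return hits


def ifeo_keys(findings):
    """Registry keys to inspect, one per intercepted image (assumed path, see IFEO_ROOT)."""
    return [IFEO_ROOT + "\\" + image for image, _ in findings]


def triage(log_text):
    """Summarise the IFEO findings in a way a responder can act on."""
    findings = parse_ifeo_findings(log_text)
    groups = group_by_debugger(findings)
    blocked = sorted({image.lower() for image, _ in findings} & RECOVERY_TOOLS)
    return {
        "total_hijacked_images": len(findings),
        "distinct_debuggers": len(groups),
        "debuggers": groups,
        "blocked_recovery_tools": blocked,
        "script_host_redirects": script_host_redirects(findings),
        "keys_to_inspect": ifeo_keys(findings),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total_hijacked_images']} images intercepted by "
          f"{summary['distinct_debuggers']} distinct Debugger values")
    for debugger, images in summary["debuggers"].items():
        print(f"  {debugger}\n    -> {', '.join(images)}")
    print("recovery tools blocked:", ", ".join(summary["blocked_recovery_tools"]))
```

Run against the full log above, the same code collapses some 250 entries to two Debugger values, which is the point of grouping: a cleanup only has to account for two attacker-controlled images, plus the autorun entries the log reports separately.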
#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:12:52 PM

Posted 03 January 2010 - 03:13 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 JaninaP

JaninaP
  • Topic Starter

  • Members
  • 9 posts
  • Local time:06:52 PM

Posted 03 January 2010 - 04:56 PM

Hi Suebaby,

Thanks for your help.

Meanwhile I ran a virus scan; some viruses have been found and deleted, but I still cannot use and update my AntiVir or download any Windows updates.

I ran the RSIT; here is the logfile...

Logfile of random's system information tool 1.06 (written by random/random)
Run by Janina P..... at 2010-01-03 21:48:24
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 45 GB (62%) free of 73 GB
Total RAM: 2038 MB (69% free)


======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll [2009-07-29 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Programme\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-11-08 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Programme\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-07-29 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll [2009-07-29 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-08-26 16851456]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-06-19 57344]
""= []
"EDS"=C:\Programme\Samsung\Samsung EDS\EDSAgent.exe [2007-12-20 659456]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-02-28 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-02-28 166424]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-02-28 137752]
"SynTPEnh"=C:\Programme\Synaptics\SynTP\SynTPEnh.exe [2008-08-28 1044480]
"DMHotKey"=C:\Programme\Samsung\Easy Display Manager\DMLoader.exe [2006-12-27 466944]
"BatteryManager"=C:\Programme\Samsung\Samsung Battery Manager\BatteryManager.exe [2008-10-20 2768896]
"MagicKeyboard"=C:\Programme\SAMSUNG\MagicKBD\PreMKBD.exe [2006-05-14 151552]
"Adobe Reader Speed Launcher"=C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-14 39792]
"WinPatrol"=C:\Programme\BillP Studios\WinPatrol\winpatrol.exe [2009-07-22 341312]
"avgnt"=C:\Programme\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-02-12 39408]
"MSMSGS"=C:\Programme\Messenger\msmsgs.exe [2008-04-14 1695232]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
BTTray.lnk - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
Philips SA28xx Geräte-Manager.lnk - C:\Programme\Philips\SA28XX Device Manager\main.exe

C:\Dokumente und Einstellungen\Janina Pakusch\Startmenü\Programme\Autostart
_uninst_setup_9.0.0.722_22.12.2009_10-55[1].exe.lnk - C:\Dokumente und Einstellungen\Janina Pakusch\Lokale Einstellungen\Temp\_uninst_setup_9.0.0.722_22.12.2009_10-55[1].exe.bat

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\Internet Explorer\IEXPLORE.EXE"="C:\Programme\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Programme\Microsoft Office\Office12\ONENOTE.EXE"="C:\Programme\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Programme\Skype\Plugin Manager\skypePM.exe"="C:\Programme\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Programme\Skype\Phone\Skype.exe"="C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
shell\open\command - wscript.exe /e:vbs pagefiles.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca320ce3-e0c1-11de-9d92-00242cf6dd62}]
shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
shell\open\command - wscript.exe /e:vbs pagefiles.sys


======File associations======

.vbs - edit -

======List of files/folders created in the last 3 months======

2010-01-03 21:48:24 ----D---- C:\rsit
2010-01-03 21:48:24 ----D---- C:\Programme\trend micro
2009-12-30 12:11:57 ----D---- C:\WINDOWS\_swf_imagine digital freedom_work
2009-12-25 15:24:17 ----D---- C:\Janina
2009-12-25 14:14:33 ----A---- C:\WINDOWS\ntbtlog.txt
2009-12-25 13:23:05 ----D---- C:\Programme\Avira
2009-12-25 13:23:05 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2009-12-25 13:21:32 ----A---- C:\Programme\avira_antivir_personal415_de.exe
2009-12-21 19:20:29 ----A---- C:\RootRepeal report 12-21-09 (19-20-29).txt
2009-12-15 07:35:26 ----D---- C:\WINDOWS\Sun
2009-12-07 20:43:48 ----A---- C:\Programme\setup_7.0.0.290_02.07.2009_17-02.exe
2009-11-25 22:39:15 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-25 22:38:56 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2009-11-10 22:35:29 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-11-09 22:28:21 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-11-07 11:00:18 ----D---- C:\WINDOWS\system32\XPSViewer
2009-11-07 11:00:13 ----D---- C:\Programme\MSBuild
2009-11-07 11:00:11 ----D---- C:\WINDOWS\system32\en-US
2009-11-07 11:00:04 ----D---- C:\Programme\Reference Assemblies
2009-11-07 10:59:39 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-11-07 10:59:38 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-11-07 10:59:38 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-11-02 21:32:42 ----D---- C:\Programme\Mindmanager
2009-11-02 21:28:53 ----RSD---- C:\WINDOWS\assembly
2009-11-02 21:27:33 ----D---- C:\WINDOWS\Microsoft.NET
2009-11-01 14:29:46 ----D---- C:\Programme\Mind Manager
2009-10-31 08:41:38 ----D---- C:\WINDOWS\Downloaded Installations
2009-10-20 21:47:00 ----D---- C:\Dokumente und Einstellungen\Janina Pakusch\Anwendungsdaten\dvdcss
2009-10-17 11:29:49 ----A---- C:\WINDOWS\system32\javaws.exe
2009-10-17 11:29:49 ----A---- C:\WINDOWS\system32\javaw.exe
2009-10-17 11:29:49 ----A---- C:\WINDOWS\system32\java.exe
2009-10-17 11:29:49 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-10-13 21:13:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-10-13 21:12:25 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-10-13 21:12:20 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-10-13 21:11:57 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-10-13 21:11:52 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-10-13 21:11:46 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-10-13 21:11:37 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-10-13 21:11:27 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-10-13 21:11:19 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-10-06 20:41:43 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Windows Genuine Advantage
2009-10-04 22:00:55 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2009-10-04 22:00:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2009-10-04 22:00:35 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2009-10-04 22:00:07 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2009-10-04 21:59:45 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2009-10-04 21:58:54 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-10-04 19:16:38 ----A---- C:\WINDOWS\system32\muweb.dll
2009-10-04 19:16:38 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-10-04 19:16:38 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-10-04 09:12:29 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-10-04 09:12:28 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2009-10-04 09:12:03 ----D---- C:\Programme\Windows Media Connect 2
2009-10-04 09:11:34 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2009-10-04 09:10:06 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-10-04 09:09:23 ----D---- C:\WINDOWS\system32\LogFiles
2009-10-04 09:09:16 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$

======List of files/folders modified in the last 3 months======

2010-01-03 21:48:24 ----RD---- C:\Programme
2010-01-03 21:48:20 ----D---- C:\WINDOWS\Prefetch
2010-01-03 21:47:53 ----D---- C:\Dokumente und Einstellungen\Janina Pakusch\Anwendungsdaten\Skype
2010-01-03 20:42:26 ----D---- C:\Dokumente und Einstellungen\Janina Pakusch\Anwendungsdaten\skypePM
2010-01-03 20:39:35 ----D---- C:\WINDOWS\Temp
2009-12-30 12:11:57 ----D---- C:\WINDOWS
2009-12-30 11:47:54 ----D---- C:\WINDOWS\system32\ias
2009-12-30 11:47:54 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-29 18:17:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-27 19:10:44 ----HD---- C:\WINDOWS\inf
2009-12-27 19:10:44 ----D---- C:\WINDOWS\system32\drivers
2009-12-26 11:39:00 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-25 17:34:43 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-12-25 14:18:03 ----SHD---- C:\RECYCLER
2009-12-25 14:15:02 ----D---- C:\Dokumente und Einstellungen
2009-12-25 13:22:04 ----SHD---- C:\WINDOWS\Installer
2009-12-25 13:22:03 ----D---- C:\WINDOWS\WinSxS
2009-12-25 13:22:02 ----D---- C:\Programme\Gemeinsame Dateien\Microsoft Shared
2009-12-25 12:01:47 ----SHD---- C:\System Volume Information
2009-12-23 07:05:27 ----SD---- C:\Dokumente und Einstellungen\Janina Pakusch\Anwendungsdaten\Microsoft
2009-12-21 17:32:07 ----D---- C:\WINDOWS\system32
2009-12-20 17:09:26 ----D---- C:\Dokumente und Einstellungen\Janina Pakusch\Anwendungsdaten\vlc
2009-12-13 09:11:04 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help
2009-12-01 20:06:19 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-30 21:17:30 ----D---- C:\WINDOWS\system32\Restore
2009-11-25 22:39:12 ----A---- C:\WINDOWS\imsins.BAK
2009-11-25 22:38:19 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-17 23:34:28 ----RSD---- C:\WINDOWS\Fonts
2009-11-17 23:34:08 ----D---- C:\Programme\Microsoft Works
2009-11-15 08:25:08 ----SD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft
2009-11-09 22:32:14 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-09 22:28:42 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-07 10:59:48 ----D---- C:\WINDOWS\system32\spool
2009-11-07 10:57:55 ----D---- C:\WINDOWS\system32\mui
2009-11-02 21:27:39 ----D---- C:\Programme\Internet Explorer
2009-11-01 21:12:47 ----SD---- C:\WINDOWS\Tasks
2009-10-30 06:36:14 ----D---- C:\WINDOWS\Help
2009-10-28 15:07:15 ----A---- C:\WINDOWS\system32\tzchange.exe
2009-10-22 09:16:22 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-10-17 11:29:22 ----D---- C:\Programme\Java
2009-10-04 09:12:18 ----A---- C:\WINDOWS\win.ini
2009-10-04 09:11:59 ----D---- C:\Programme\Windows Media Player

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 20432241;20432241; C:\WINDOWS\system32\DRIVERS\20432241.sys [2009-09-25 128016]
R1 58421071;58421071; C:\WINDOWS\system32\DRIVERS\58421071.sys [2009-09-25 128016]
R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel-Prozessortreiber; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40448]
R1 setup_9.0.0.722_22.12.2009_10-55drv;setup_9.0.0.722_22.12.2009_10-55drv; C:\WINDOWS\system32\DRIVERS\2043224.sys [2009-10-09 315408]
R1 setup_9.0.0.722_25.12.2009_11-11drv;setup_9.0.0.722_25.12.2009_11-11drv; C:\WINDOWS\system32\DRIVERS\5842107.sys [2009-10-09 315408]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-11-25 56816]
R2 DOSMEMIO;MEMIO; \??\C:\WINDOWS\system32\MEMIO.SYS []
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS-kompatibles Transportprotokoll; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-14 88320]
R2 NwlnkNb;NWLink-NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2008-04-14 63232]
R2 NwlnkSpx;NWLink SPX/SPXII-Protokoll; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2008-04-14 55936]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-10-08 1334432]
R3 btaudio;Bluetooth-Audiogerät; C:\WINDOWS\system32\drivers\btaudio.sys [2008-07-26 539640]
R3 BTDriver;Virtueller Bluetooth-Kommunikationstreiber; C:\WINDOWS\system32\DRIVERS\btport.sys [2008-07-26 37424]
R3 BTKRNL;Bluetooth-Bus-Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2008-07-29 879832]
R3 BTWDNDIS;Bluetooth-LAN-Zugangsserver; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2008-07-29 156816]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2008-07-26 74688]
R3 CmBatt;Treiber für Microsoft-ACPI-Kontrollmethodenkompatible Batterie; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 DNSeFilter;DNSeFilter; C:\WINDOWS\system32\drivers\SamsungEDS.sys [2008-01-14 30208]
R3 HDAudBus;Microsoft UAA-Bustreiber für High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-08-26 4753920]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-08-28 224736]
R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB-Standardhubtreiber; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Miniporttreiber für universellen Microsoft USB-Hostcontroller; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VMC326;Vimicro Camera Service VMC326; C:\WINDOWS\System32\Drivers\VMC326.sys [2008-09-23 238464]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2008-11-07 291328]
S1 kbdhid;Tastatur-HID-Treiber; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14720]
S3 CCDECODE;Untertiteldecoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HidUsb;Microsoft HID Class-Treiber; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Maus-HID-Treiber; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-18 12288]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI-Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV-/Videoverbindung; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA-IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB-Druckerklasse; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbstor;USB-Massenspeichertreiber; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 usbvideo;USB-Videogerät (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
S3 utmymtc1;AVZ Kernel Driver; \??\C:\WINDOWS\system32\Drivers\utmymtc1.sys []
S3 WSTCODEC;World Standard Teletext-Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;Filtertreiber für Systemwiederherstellung; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Programme\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Programme\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 btwdins;Bluetooth Service; C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2008-09-17 264800]
R2 NwSapAgent;SAP-Agent; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 yksvc;Marvell Yukon Service; ykx32mpcoinst,serviceStartProc []
S2 gupdate1ca1cd9d9f165bc;Google Update Service (gupdate1ca1cd9d9f165bc); C:\Programme\Google\Update\GoogleUpdate.exe [2009-08-14 133104]
S2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe []
S2 Samsung Update Plus;Samsung Update Plus; C:\Programme\Samsung\Samsung Update Plus\SLUBackgroundService.exe [2008-05-13 77480]
S3 aspnet_state;ASP.NET-Zustandsdienst; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Software Updater; C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-29 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player-Netzwerkfreigabedienst; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 JavaQuickStarterService;Java Quick Starter; C:\Programme\Java\jre6\bin\jqs.exe [2009-10-17 153376]
S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe []
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


Hope you can help me.

One thing I realized: when using the internet the keypad is reacting very slowly, typing letter for letter, not at the normal speed...

thanks a lot for your support!!!

Have a nice evening,
cheers
janina

Edited by JaninaP, 03 January 2010 - 04:57 PM.
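The RSIT dump above shows the persistence mechanism of this kind of autorun worm in two places: `NoDriveTypeAutoRun` is 0 (AutoRun allowed for every drive type) and the per-volume `MountPoints2` keys for the USB drive carry `shell\AutoRun\command` and `shell\open\command` handlers that launch `wscript.exe /e:vbs pagefiles.sys`, so opening the drive in Explorer runs the script. As an added example, not part of JaninaP's post or of the RSIT/DDS tool, here is a small Python triage helper that reads registry-dump lines in that format and flags both conditions. The function and constant names are my own, and the sample input is constructed (modelled on the log's entries, with one hypothetical drive F: handler added to show the lower-severity case).

```python
"""Added triage helper (not part of the forum post or of the RSIT/DDS tool):
reads registry-dump lines in the format of the RSIT log and flags
removable-media AutoRun persistence."""
import re

# Constructed sample input, modelled on entries in the RSIT log above
# (policy key, the MountPoints2 handlers for the USB volume, plus one
# hypothetical handler for a drive F: that launches an ordinary installer).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
shell\open\command - wscript.exe /e:vbs pagefiles.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca320ce3-e0c1-11de-9d92-00242cf6dd62}]
shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
shell\open\command - wscript.exe /e:vbs pagefiles.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\setup.exe
"""

# Interpreters and loaders that a removable-media handler has no business launching.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32", "cmd.exe")

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is *disabled*.
DRIVE_REMOVABLE = 0x04
ALL_DRIVES = 0xFF

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
SHELL_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)


def parse_dword(data):
    """Return the integer value of a REG_DWORD as RSIT prints it ('0'),
    as .reg exports print it ('dword:000000ff') or as hex ('0xff');
    None if the value is empty or unparseable."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data.lower().startswith("0x"):
        return int(data, 16)
    if data.isdigit():
        return int(data)
    return None


def triage(log_text):
    """Scan registry-dump lines and return a list of findings, each a dict
    with 'severity', 'key' and 'detail', in the order they appear in the log."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # remember which key the following values belong to
            continue

        m = VALUE_RE.match(line)
        if m and m.group("name").lower() == "nodrivetypeautorun":
            value = parse_dword(m.group("data"))
            if value is None:
                continue
            if not value & DRIVE_REMOVABLE:
                findings.append({"severity": "high", "key": key,
                                 "detail": "NoDriveTypeAutoRun=0x%02X leaves AutoRun enabled for removable drives" % value})
            elif value != ALL_DRIVES:
                findings.append({"severity": "medium", "key": key,
                                 "detail": "NoDriveTypeAutoRun=0x%02X does not disable AutoRun for every drive type" % value})
            continue

        m = SHELL_RE.match(line)
        if m and "\\mountpoints2\\" in key.lower():
            cmd = m.group("cmd")
            launches_host = any(h in cmd.lower() for h in SCRIPT_HOSTS)
            findings.append({
                "severity": "high" if launches_host else "medium",
                "key": key,
                "detail": "MountPoints2 shell\\%s handler runs: %s" % (m.group("verb"), cmd),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["severity"].upper(), f["key"], f["detail"]))
```

Any `MountPoints2` handler is worth listing, because these keys are written per volume and survive after the drive is unplugged; a handler that invokes a script host or loader is rated high, since that is exactly how the `pagefiles.sys` script in this log was being launched. The hardened state the check looks for is `NoDriveTypeAutoRun` = 0xFF, which is also what the ComboFix step later in the thread enforces when it says it prevents AutoRun of all CD, floppy and USB devices.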


#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 04 January 2010 - 06:49 PM

  • Please download Trend Micro - HijackThis.
  • Double click HJTInstall.exe to begin installation.
  • Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Browse... button if you want to save it in another location.
  • Click Install.
  • A shortcut will be created on your Desktop and HijackThis will run automatically.
  • You will need to accept the EULA, if it appears, to be able to use the tool.
  • When HijackThis opens, click on the Do a system scan and save a log file button.
  • When HijackThis has finished scanning, a window entitled hijackthis.log will open. When you close this window, the log will be saved into the HijackThis folder.
  • If needed, see TrendMicro™ HijackThis™ Quick Start Guide
  • Copy and paste this log into your next reply.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 JaninaP

JaninaP
  • Topic Starter

  • Members
  • 9 posts

Posted 05 January 2010 - 02:21 PM

Hi Suebaby, I tried to follow your instructions, but I can't get further than step 4. If I install the program, a shortcut is created on my desktop, but if I click on it, I get a warning that the path can't be found (the same warning I get when I want to open AntiVir). If I try to open it using the Explorer I get the same message. It doesn't matter where I save it (I tried C, D, and the external drive).

What can I do now?
Thanks again :( I am really glad to find help because I ran out of ideas.

Cheers
Janina

#6 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 13 January 2010 - 10:17 AM

You should be able to download and install HijackThis after using ComboFix.

Please download ComboFix.
Alternate Link 1
Alternate Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Double click on ComboFix and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware.
    Click 'No' to exit.

  • Click Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  • ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
  • ComboFix disconnects your machine from the Internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post:
  • C:\ComboFix.txt (the log from ComboFix)
  • a new HijackThis log


#7 JaninaP

JaninaP
  • Topic Starter

  • Members
  • 9 posts

Posted 14 January 2010 - 01:25 PM

Hi Suebaby,

I downloaded ComboFix and started the application. It advises me to deactivate AntiVir, otherwise it could cause damage to my computer if both programs run at the same time. I cannot uninstall it because (as mentioned) it can't find the path. Shall I run ComboFix nevertheless? Or is there a possibility to deactivate AntiVir?

Thanks again
Cheers
Janina

#8 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 14 January 2010 - 02:06 PM

AVIRA ANTIVIR
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background.
Right-click it -> untick the option "AntiVir Guard enable".
You should now see a closed, white umbrella on a red background.
You successfully disabled the AntiVir Guard.

#9 JaninaP

JaninaP
  • Topic Starter

  • Members
  • 9 posts

Posted 14 January 2010 - 05:06 PM

This button is not there; due to the computer problems Avira is not working but seems to be still activated. So I guess I should just run ComboFix without caring about the warning? Actually Avira should not be running to disturb ComboFix...

Thanks :(

#10 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 17 January 2010 - 12:36 PM

After you have ComboFix and a new installation for Antivir on your desktop, disconnect from the Internet. Uninstall Antivir and run ComboFix. Reinstall Antivir before getting back on the Internet.

#11 JaninaP

JaninaP
  • Topic Starter

  • Members
  • 9 posts

Posted 17 January 2010 - 04:43 PM

Hey Suebaby,

I ran ComboFix, it deleted some files and folders... and now my AntiVir is running again!! Great!!! Thanks!!! I already updated it, seems to be fine!!! I will post the ComboFix log in case you need it and we need to do further actions. Can you tell me what exactly hurt my computer?

Thanks a lot for your good advice!!! Here is the script:
Cheers
Janina

ComboFix 10-01-16.04 - Janina P 17.01.2010 21:03:55.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.[GMT 0:00]
ausgeführt von:: c:\dokumente und einstellungen\Janina \Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programme\pdfforge Toolbar\SeARchsettings.dll
c:\recycler\S-1-5-21-1292428093-813497703-842925246-1003
c:\recycler\S-1-5-21-931196064-335735689-1684122734-1005
c:\windows\msetup
c:\windows\msetup\MSetup.exe
D:\Autorun.inf

.
((((((((((((((((((((((( Dateien erstellt von 2009-12-17 bis 2010-01-17 ))))))))))))))))))))))))))))))
.

2010-01-03 21:48 . 2010-01-05 19:14 -------- d-----w- c:\programme\trend micro
2010-01-03 21:48 . 2010-01-03 21:48 -------- d-----w- C:\rsit
2009-12-27 19:10 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\58421072.sys
2009-12-27 19:10 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\5842107.sys
2009-12-27 19:10 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\58421071.sys
2009-12-27 17:00 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\20432242.sys
2009-12-27 17:00 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\2043224.sys
2009-12-27 17:00 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\20432241.sys
2009-12-26 11:38 . 2008-04-14 00:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-26 11:38 . 2008-04-14 00:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-12-25 15:24 . 2009-12-25 18:23 -------- d-----w- C:\Janina
2009-12-25 13:23 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-25 13:23 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-12-25 13:23 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-12-25 13:23 . 2009-12-25 13:23 -------- d-----w- c:\programme\Avira
2009-12-25 13:23 . 2009-12-25 13:23 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-12-25 13:21 . 2009-12-25 13:21 31079672 ----a-w- c:\programme\avira_antivir_personal415_de.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 21:07 . 2009-08-30 14:37 -------- d-----w- c:\programme\pdfforge Toolbar
2010-01-17 20:55 . 2009-08-14 12:22 -------- d-----w- c:\dokumente und einstellungen\Janina Pakusch\Anwendungsdaten\Skype
2010-01-17 20:48 . 2009-08-14 12:23 -------- d-----w- c:\dokumente und einstellungen\Janina Pakusch\Anwendungsdaten\skypePM
2009-12-25 13:02 . 2009-12-07 20:44 229400 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-25 13:02 . 2009-12-07 20:44 19394592 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-20 17:09 . 2009-08-28 20:45 -------- d-----w- c:\dokumente und einstellungen\Janina Pakusch\Anwendungsdaten\vlc
2009-12-13 09:11 . 2009-08-29 14:48 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2009-12-07 20:43 . 2009-12-07 20:43 42747176 ----a-w- c:\programme\setup_7.0.0.290_02.07.2009_17-02.exe
2009-12-04 09:02 . 2009-07-29 14:59 27496 ----a-w- c:\dokumente und einstellungen\Janina Pakusch\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-11-25 11:19 . 2009-07-29 14:59 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-09 22:32 . 2009-02-12 19:35 80306 ----a-w- c:\windows\system32\perfc007.dat
2009-11-09 22:32 . 2009-02-12 19:35 449044 ----a-w- c:\windows\system32\perfh007.dat
2009-09-01 19:31 . 2009-09-01 19:31 7501831 ----a-w- c:\programme\FreeYouTubeToMp3Converter59.exe
2009-08-30 14:35 . 2009-08-14 06:24 17570056 ----a-w- c:\programme\PDFCreator-0_9_8_setup_2.exe
2009-08-29 14:42 . 2009-08-29 14:27 327020864 ----a-w- c:\programme\X12-30103.exe
2009-08-28 20:43 . 2009-08-28 20:43 18015723 ----a-w- c:\programme\vlc-1.0.1-win32.exe
2009-08-16 11:42 . 2009-08-16 11:41 791505 ----a-w- c:\programme\TOP.zip
2009-08-14 12:21 . 2009-08-14 12:21 22261544 ----a-w- c:\programme\SkypeSetupFull141.exe
2009-08-14 12:15 . 2009-08-14 12:15 745296 ----a-w- c:\programme\setupde161.exe
2009-08-14 12:11 . 2009-08-14 12:11 21836008 ----a-w- c:\programme\sa2820_02_pal_eng.zip
2008-05-08 11:24 . 2009-02-12 19:35 155648 --sha-r- c:\windows\system32\wscript.exe
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-12 39408]
"MSMSGS"="c:\programme\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\programme\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\programme\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\programme\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\programme\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"WinPatrol"="c:\programme\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-22 341312]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
BTTray.lnk - c:\programme\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]
Philips SA28xx Geräte-Manager.lnk - c:\programme\Philips\SA28XX Device Manager\main.exe [2009-8-14 7974243]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 20432242;20432242 Boot Guard Driver;c:\windows\system32\drivers\20432242.sys [27.12.2009 17:00 37392]
R0 58421072;58421072 Boot Guard Driver;c:\windows\system32\drivers\58421072.sys [27.12.2009 19:10 37392]
R1 20432241;20432241;c:\windows\system32\drivers\20432241.sys [27.12.2009 17:00 128016]
R1 58421071;58421071;c:\windows\system32\drivers\58421071.sys [27.12.2009 19:10 128016]
R1 setup_9.0.0.722_22.12.2009_10-55drv;setup_9.0.0.722_22.12.2009_10-55drv;c:\windows\system32\drivers\2043224.sys [27.12.2009 17:00 315408]
R1 setup_9.0.0.722_25.12.2009_11-11drv;setup_9.0.0.722_25.12.2009_11-11drv;c:\windows\system32\drivers\5842107.sys [27.12.2009 19:10 315408]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [25.12.2009 13:23 108289]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [12.02.2009 12:01 4300]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [14.01.2008 18:01 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [12.02.2009 12:05 238464]
S2 gupdate1ca1cd9d9f165bc;Google Update Service (gupdate1ca1cd9d9f165bc);c:\programme\Google\Update\GoogleUpdate.exe [14.08.2009 12:22 133104]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
S3 utmymtc1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utmymtc1.sys --> c:\windows\system32\Drivers\utmymtc1.sys [?]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\programme\Gemeinsame Dateien\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Senden an &Bluetooth-Gerät... - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Senden an Bluetooth - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ActiveSetup-{27AB0758-F8E8-3AFE-8A4B-A08AB9658382} - c:\windows\system32\svchostnt.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 21:12
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2010-01-17 21:14:49
ComboFix-quarantined-files.txt 2010-01-17 21:14

Vor Suchlauf: 7 Verzeichnis(se), 48.085.110.784 Bytes frei
Nach Suchlauf: 9 Verzeichnis(se), 48.780.386.304 Bytes frei

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F9BD5382B1B3E8EB240FBD5D82762148

#12 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:12:52 PM

Posted 18 January 2010 - 02:08 PM

Please post another HijackThis file.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#13 JaninaP

JaninaP
  • Topic Starter

  • Members
  • 9 posts
  • Local time:06:52 PM

Posted 24 January 2010 - 05:23 AM

Hi Suebaby,

here is my hijackthis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:20, on 24.01.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\BillP Studios\WinPatrol\winpatrol.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Samsung\Easy Display Manager\dmhkcore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Programme\Google\Update\GoogleUpdate.exe
C:\Programme\Philips\SA28XX Device Manager\main.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\System32\svchost.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programme\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EDS] C:\Programme\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Programme\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Programme\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Programme\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programme\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: _uninst_setup_9.0.0.722_22.12.2009_10-55[1].exe.lnk = C:\Dokumente und Einstellungen\Janina P\Lokale Einstellungen\Temp\_uninst_setup_9.0.0.722_22.12.2009_10-55[1].exe.bat
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Philips SA28xx Geräte-Manager.lnk = C:\Programme\Philips\SA28XX Device Manager\main.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Programme\Gemeinsame Dateien\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Senden an Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.1.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Programme\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Update Service (gupdate1ca1cd9d9f165bc) (gupdate1ca1cd9d9f165bc) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: Samsung Update Plus - Unknown owner - C:\Programme\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 8215 bytes

#14 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:12:52 PM

Posted 30 January 2010 - 10:01 AM

I apologize for the delay in responding. I am taking chemo and recently found out that I have blood clots in my left leg. I am feeling better now and will work on your log.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:52 PM

Posted 11 February 2010 - 04:46 PM

Hi JaninaP,

I will be helping you out since suebaby41 is not well at the moment. Since it has been a while, I would like to see some fresh logs, and also please let me know any problems that you are still having.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following logs and tell me about any remaining problems:
  • log.txt
  • info.txt
Thanks
