Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDSS.Rootkit is killing me


  • This topic is locked This topic is locked
17 replies to this topic

#1 compromizedsys

compromizedsys

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 AM

Posted 11 February 2010 - 09:09 AM

Hello.

History of my problem:
QUOTE
In the mid of January i was surfing the web with Internet Explorer (usually i use Firefox).
A popup appeared in the task bar, that windows has detected updates.
I allowed it to update, and went back browsing.
I don't exactly remember which site it was, but i have been crossreferencing through certain news and blogs.
Shorty after that i received another popup, suggesting that my system was infected.
By that time i thought the update may have provided a new antivirus system called "Malware Defense"
since the design reminded me of windows security center.
I was wrong.
To make a long story short, after figuring out that "malware defense" was a fraud,
i tried to battle it out of my system to this day.
I have tried out a bunch of anti-malware, somehow i got Prevx and Spywaredoctor to work.
It gave me hints where the registry and file system was infected.
By looking at the registry i noticed that there was a registry folder containing keys to prevent
major antivirus and anti-malware products from running.
So i edited the keys to allow me to use MBAM.
Finally i was able to run my "Malwarebytes' Anti Malware" again,
so i updated it and
did various quick and full scans, both in safe and normal mode.


This is what MBAM found:

QUOTE
Date: 10.01.2010 *FIRST RUN* *quick scan* *normal mode*

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTpksiqwmnyi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTepbftituwt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTtpwyejwfvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\H8SRTdpamdivdlv.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\User\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1E30H1NU\eHff9086d5V0100f080006Rad0673d6102Tb4da91b9201l000730dP000201080[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\User\Lokale Einstellungen\temp\Installer.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\User\Lokale Einstellungen\temp\settdebugx.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h8srtkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRThmpqxkcmpx.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\User\Lokale Einstellungen\temp\H8SRT46e5.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.


QUOTE
Date: 10.01.2010 *SECOND RUN* *full scan* *secure mode*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C9D66B40-B54E-4263-8528-FC64D4C4210A}\RP216\A0076096.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C9D66B40-B54E-4263-8528-FC64D4C4210A}\RP216\A0076097.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C9D66B40-B54E-4263-8528-FC64D4C4210A}\RP216\A0076098.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C9D66B40-B54E-4263-8528-FC64D4C4210A}\RP216\A0076099.sys (Malware.Packer) -> Quarantined and deleted successfully.


After some infections reappeared in the _restore directory i disabled the restore point option (which i have not been activating myself, so i think either the bad software or some of the good softwares did that).
And after that, all scans appeared to be fully clean.

I went on having TDSSKiller and RootkitBuster do what they could to remove anything remaining.
As far as i remember they found one or two files in total.

I thought my system was clean and safe again.

I noticed an XUL script error in Firefox appearing when browsing so-called web2.0 (that means php&java&flash) sites
such as youtube and facebook.
It points to chrome://xulcache/content/overlay.xul:[number - mostly in the range of 40 to 48]
I don't know if this is simply a debug message, or if parts of the malware infected firefox itself.

After updating MBAM another infection was found.

QUOTE
Date: 10.02.2010 *quick scan* *normal mode*

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.


I am not sure whether the name implies that this is something simply left over or that this is a functional piece of malware.

Anyways i have become a little paranoid, since TDSS.rootkit seems to be quite sophisticated and may even infect valid system drivers (as i have read in the Prevx Blog entitled "TDSS rootkit silently owns the internet").

Here is a most recent DDS Scan log:

QUOTE
DDS (Ver_09-12-01.01) - FAT32x86
Run by User at 12:11:35,70 on 11.02.2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.735.384 [GMT 1:00]

FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Programme\Tall Emu\Online Armor\OAcat.exe
C:\Programme\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
SVCHOST.EXE
C:\Programme\avmwlanstick\WlanNetService.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Programme\Apoint2K\Apoint.exe
C:\WINDOWS\system32\S3hotkey.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Apoint2K\Apntex.exe
C:\Programme\Tall Emu\Online Armor\OAhlp.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.de/
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CARPService] carpserv.exe
mRun: [Apoint] c:\programme\apoint2k\Apoint.exe
mRun: [S3hotkey] S3hotkey.exe
mRun: [S3TRAY2] S3tray2.exe
mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [@OnlineArmor GUI] "c:\programme\tall emu\online armor\oaui.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {44627E97-789B-40d4-B5C2-58BD171129A1} - {A1A7E22D-1587-4230-8F16-081C68D21448} - c:\progra~1\agnitum\outpos~1.0\plugins\browserbar\ie_bar.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229076368068
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\programme\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\user\anwend~1\mozilla\firefox\profiles\hy4bwfvf.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle SSL search
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
FF - HiddenExtension: XUL Cache: {E66DE744-4E1D-4C07-89E1-5B8E9527BB0A} - c:\windows\system32\config\systemprofile\lokale einstellungen\anwendungsdaten\{e66de744-4e1d-4c07-89e1-5b8e9527bb0a}\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\programme\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programme\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programme\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\programme\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programme\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programme\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-2-10 223312]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-2-10 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-2-10 29776]
R2 OAcat;Online Armor Helper Service;c:\programme\tall emu\online armor\oacat.exe [2010-2-10 1282248]
R2 SvcOnlineArmor;Online Armor;c:\programme\tall emu\online armor\oasrv.exe [2010-2-10 3291336]
R3 CVIAAUD;Acer VIA 3D Environmental Audio;c:\windows\system32\drivers\cviaaud.sys [1980-1-1 321280]
R3 CVIAHALA;CVIAHALA;c:\windows\system32\drivers\cviahal.sys [1980-1-1 215104]
R3 ViaModem;ViaModem;c:\windows\system32\drivers\ViaModem.sys [1980-1-1 66337]
S0 mgylp;mgylp;c:\windows\system32\drivers\tqgi.sys --> c:\windows\system32\drivers\tqgi.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\aliehci.sys --> c:\windows\system32\drivers\ALIEHCI.sys [?]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2007-6-23 45440]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [2006-12-28 4352]
S3 CSTDIDRV;CSTDIDRV;c:\windows\system32\drivers\cstdi50.sys --> c:\windows\system32\drivers\CSTDI50.sys [?]
S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [2007-6-22 265088]
S3 G3GRSC;G3G R Smart Card;c:\windows\system32\drivers\g3grsc.sys [2007-3-12 19328]
S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [2007-3-12 28416]
S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [2007-3-12 24576]
S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys --> c:\windows\system32\drivers\gttap1.sys [?]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2007-6-23 56960]
S3 rk_remover;rk_remover;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2010-02-11 10:57:15 0 d-----w- c:\windows\pss
2010-02-10 20:02:25 0 d-----w- c:\dokume~1\user\anwend~1\OnlineArmor
2010-02-10 20:02:25 0 d-----w- c:\dokume~1\alluse~1\anwend~1\OnlineArmor
2010-02-10 20:01:38 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-02-10 20:01:38 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-02-10 20:01:38 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-02-10 20:01:37 0 d-----w- c:\programme\Tall Emu
2010-02-01 17:10:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-30 03:46:59 0 d-----w- c:\programme\Astonsoft
2010-01-27 16:26:13 0 d-----w- c:\programme\SpywareBlaster
2010-01-25 11:03:46 0 d-----w- c:\dokume~1\user\anwend~1\QuickScan
2010-01-23 12:58:46 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-10 20:02:04 83102 ----a-w- c:\windows\system32\perfc007.dat
2010-02-10 20:02:04 453778 ----a-w- c:\windows\system32\perfh007.dat
2010-02-01 17:10:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-25 22:52:32 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-10 18:41:10 98304 ----a-w- c:\windows\DUMP5247.tmp
2010-01-10 16:49:46 98304 ----a-w- c:\windows\DUMP922f.tmp
2010-01-07 15:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 13:55:24 98304 ----a-w- c:\windows\DUMPa063.tmp
2009-12-31 16:50:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:04 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 19:05:02 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:05:02 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:05:02 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-21 19:05:02 1208832 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:05:00 5942784 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:05:00 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:04:56 594432 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-21 19:04:56 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-21 19:04:56 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:04:54 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-21 19:04:54 1985536 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2009-12-21 19:04:54 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:04:52 11070464 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2009-12-21 19:04:50 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:18:56 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 07:45:24 98304 ----a-w- c:\windows\DUMP4016.tmp
2009-12-17 07:40:02 346624 ----a-w- c:\windows\system32\mspaint.exe
2009-12-17 07:40:02 346624 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:20 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 10:06:04 2191488 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:06:04 2191488 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-09 10:06:04 2068352 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-09 10:06:04 2068352 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-09 10:05:52 2147840 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-09 10:05:52 2026496 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 09:23:28 474624 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:58 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:58 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:58 1297408 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:58 1297408 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:08:02 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:08:02 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:08:02 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:08:02 85504 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:08:02 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:08:02 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:08:02 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:08:02 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:08:02 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:08:02 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2008-07-07 12:01:38 32768 --sha-w- c:\windows\system32\config\systemprofile\lokale einstellungen\verlauf\history.ie5\mshist012008070720080708\index.dat

============= FINISH: 12:14:37,93 ===============


Just to make sure that i am not missing something,
here's the most recent HJT Log:

QUOTE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:35, on 11.02.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Tall Emu\Online Armor\OAcat.exe
C:\Programme\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Programme\avmwlanstick\WlanNetService.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Programme\Apoint2K\Apoint.exe
C:\WINDOWS\system32\S3hotkey.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Apoint2K\Apntex.exe
C:\Programme\Tall Emu\Online Armor\OAhlp.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Programme\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229076368068
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Programme\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Programme\Tall Emu\Online Armor\oasrv.exe

--
End of file - 4968 bytes


I also noticed upload traffic from svchost.exe to a slovakian machine (via "netstat -a" and whois traceroute IP).
So, i blocked that IP for now.
Since i blocked that, one out of two svchost.exe running is having neither down nor upstream at all.
Hopefully this was an IP of the botnet, but i don't know for sure.
Nevertheless i fear that maybe my svchost.exe has been corrupted.

So...
this was my little story.
I really hope you can help me out,
to make sure it is safe to do research, communication and a little business online again.
Right now i can't find my windows cd, so i really hope i can get around a reinstallation.
(Oh, btw, is a rootkit similar to what they call a bootsector virus? Does it survive a reinstallation?)

I have been struggling and scanning with this malicious software for about a month now,
and it really makes me feel uncomfortable not to know if there may be some
undetected parts of data lurking in my system, waiting to be remotely reactivated at any time.



Thanks for struggling through the text and thanks for help in advance.

Edited by compromizedsys, 11 February 2010 - 09:22 AM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:34 AM

Posted 17 February 2010 - 05:19 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
[We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 compromizedsys

compromizedsys
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 AM

Posted 22 February 2010 - 08:06 AM

Thanks for the reply. smile.gif

Here are the OTLogs:

(i have edited out my computer name, the name and http of my search engine,
as well as some trusted files
(such as podcast mp3s, media files from wikipedia and various PDF documents = files i know and trust)
for privacy reasons.)




OTL.TXT:

CODE
OTL logfile created on: 22.02.2010 14:07:51 - Run 1
OTL by OldTimer - Version 3.1.30.1     Folder = C:\Dokumente und Einstellungen\User\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

735,00 Mb Total Physical Memory | 365,00 Mb Available Physical Memory | 50,00% Memory free
2,00 Gb Paging File | 1,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 1128 2256 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 27,89 Gb Total Space | 6,64 Gb Free Space | 23,80% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ***edit: private***
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2010.02.22 14:03:28 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\User\Desktop\OTL.exe
PRC - [2010.02.01 18:10:42 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Java\jre6\bin\jqs.exe
PRC - [2010.01.16 04:11:50 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2010.01.11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
PRC - [2009.12.05 07:53:40 | 003,042,504 | ---- | M] (Tall Emu) -- C:\Programme\Tall Emu\Online Armor\oahlp.exe
PRC - [2009.12.05 07:53:38 | 006,622,920 | ---- | M] (Tall Emu) -- C:\Programme\Tall Emu\Online Armor\oaui.exe
PRC - [2009.12.05 07:53:38 | 003,291,336 | ---- | M] (Tall Emu) -- C:\Programme\Tall Emu\Online Armor\oasrv.exe
PRC - [2009.12.05 07:53:38 | 001,282,248 | ---- | M] (Tall Emu) -- C:\Programme\Tall Emu\Online Armor\oacat.exe
PRC - [2008.04.14 04:22:46 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003.02.25 04:33:14 | 000,069,632 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\S3tray2.exe
PRC - [2002.07.03 07:04:18 | 000,040,960 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\S3hotkey.exe
PRC - [2002.04.01 12:45:34 | 000,004,608 | ---- | M] (Conexant Systems ) -- C:\WINDOWS\system32\carpserv.exe
PRC - [2001.12.13 00:01:00 | 000,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe
PRC - [2001.11.23 00:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
PRC - [2001.10.19 20:46:40 | 000,118,784 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Programme\Apoint2K\Apoint.exe
PRC - [2001.07.13 10:44:24 | 000,032,768 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Programme\Apoint2K\ApntEx.exe


[color=#E56717]========== Modules (SafeList) ==========[/color]

MOD - [2010.02.22 14:03:28 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\User\Desktop\OTL.exe
MOD - [2009.12.05 07:53:38 | 000,941,256 | ---- | M] (Tall Emu) -- C:\Programme\Tall Emu\Online Armor\oawatch.dll
MOD - [2008.04.14 04:22:32 | 000,053,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll
MOD - [2008.04.14 04:22:32 | 000,024,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll
MOD - [2008.04.14 04:22:32 | 000,018,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wtsapi32.dll


[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV - File not found [Auto | Stopped] --  -- (AcrSch2Svc)
SRV - [2010.02.01 18:10:42 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Programme\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009.12.05 07:53:38 | 003,291,336 | ---- | M] (Tall Emu) [Auto | Running] -- C:\Programme\Tall Emu\Online Armor\oasrv.exe -- (SvcOnlineArmor)
SRV - [2009.12.05 07:53:38 | 001,282,248 | ---- | M] (Tall Emu) [Auto | Running] -- C:\Programme\Tall Emu\Online Armor\OAcat.exe -- (OAcat)
SRV - [2007.03.12 03:35:02 | 000,217,088 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Stopped] -- C:\Programme\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2006.12.28 01:02:00 | 000,356,352 | ---- | M] (AVM Berlin) [Disabled | Stopped] -- C:\Programme\avmwlanstick\WLanNetService.exe -- (AVM WLAN Connection Service)
SRV - [2006.11.08 16:35:38 | 000,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006.11.08 16:35:36 | 000,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2001.11.23 00:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV - [2009.12.05 07:28:06 | 000,024,656 | ---- | M] (Tall Emu) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\OAmon.sys -- (OAmon)
DRV - [2009.12.05 07:27:56 | 000,029,776 | ---- | M] (Tall Emu Pty Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\OAnet.sys -- (OAnet)
DRV - [2009.12.05 07:27:52 | 000,223,312 | ---- | M] (Tall Emu) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\OADriver.sys -- (OADevice)
DRV - [2008.04.13 20:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB-Audiotreiber (WDM)
DRV - [2007.11.13 11:25:54 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007.06.17 11:17:56 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2007.03.08 20:20:50 | 000,021,568 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2007.03.08 20:20:50 | 000,016,496 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2007.03.08 20:20:48 | 000,049,920 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2007.03.08 01:51:00 | 000,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006.12.28 01:02:00 | 000,265,088 | ---- | M] (AVM GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fwlanusb.sys -- (FWLANUSB)
DRV - [2006.12.28 01:02:00 | 000,004,352 | ---- | M] (AVM Berlin) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avmeject.sys -- (avmeject)
DRV - [2006.10.16 14:45:26 | 000,028,416 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\g3grumdm.sys -- (G3GRUMDM)
DRV - [2006.10.16 14:45:26 | 000,024,576 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\g3gruser.sys -- (G3GRUSER)
DRV - [2006.10.16 14:45:24 | 000,019,328 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\g3grsc.sys -- (G3GRSC)
DRV - [2006.09.24 15:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2005.06.15 10:01:40 | 000,056,960 | ---- | M] (OrangeWare Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ousb2hub.sys -- (ousb2hub)
DRV - [2005.06.15 10:01:40 | 000,045,440 | ---- | M] (OrangeWare Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\ousbehci.sys -- (ousbehci)
DRV - [2004.12.06 14:07:32 | 000,104,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh)
DRV - [2003.05.26 13:57:50 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Twistr)
DRV - [2002.04.01 17:05:08 | 000,014,643 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\KBFILTR.SYS -- (KBFiltr)
DRV - [2002.04.01 12:45:44 | 000,032,956 | ---- | M] (Conexant Systems ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\strmdisp.sys -- (StreamDispatcher)
DRV - [2002.04.01 12:45:18 | 000,584,816 | ---- | M] (Conexant Systems ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2002.04.01 12:44:02 | 000,427,231 | ---- | M] (Conexant Systems ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\k56nt.sys -- (K56)
DRV - [2002.04.01 12:43:42 | 000,127,405 | ---- | M] (Conexant Systems ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fsksnt.sys -- (Fsks)
DRV - [2002.04.01 12:43:10 | 000,217,051 | ---- | M] (Conexant Systems ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\faxnt.sys -- (SoftFax)
DRV - [2002.04.01 12:42:28 | 000,056,639 | ---- | M] (Conexant Systems ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tonesnt.sys -- (Tones)
DRV - [2002.04.01 12:42:14 | 000,310,739 | ---- | M] (Conexant Systems ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fallback.sys -- (Fallback)
DRV - [2002.04.01 12:41:10 | 000,066,337 | ---- | M] (Conexant Systems ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ViaModem.sys -- (ViaModem)
DRV - [2002.04.01 12:40:30 | 000,068,998 | ---- | M] (Conexant Systems ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rksample.sys -- (Rksample)
DRV - [2002.04.01 12:40:18 | 000,534,701 | ---- | M] (Conexant Systems ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\v124nt.sys -- (V124)
DRV - [2002.03.26 12:43:34 | 000,006,016 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2001.11.12 18:20:38 | 000,215,104 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cviahal.sys -- (CVIAHALA)
DRV - [2001.11.12 18:19:06 | 000,321,280 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cviaaud.sys -- (CVIAAUD)
DRV - [2001.09.29 19:41:32 | 000,050,209 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2001.09.17 12:00:16 | 000,017,744 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2001.08.18 12:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001.08.17 12:13:08 | 000,027,165 | ---- | M] (VIA Technologies, Inc.              ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS)
DRV - [1996.04.03 21:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


[color=#E56717]========== Standard Registry (SafeList) ==========[/color]


[color=#E56717]========== Internet Explorer ==========[/color]



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http of my trusted search engine
IE - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 94 68 C0 65 7C CA 01  [binary data]
IE - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\S-1-5-21-400550780-2136417557-3852222622-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..browser.search.selectedEngine: "my trusted search engine"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http of my trusted search engine"
FF - prefs.js..extensions.enabledItems: {E66DE744-4E1D-4C07-89E1-5B8E9527BB0A}:1.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.45
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.47
FF - prefs.js..extensions.enabledItems: optout@dubfire.net:2.0
FF - prefs.js..extensions.enabledItems: {BEE0F7EE-BEE0-BEE0-BEE0-BEE0F7EE0000}:1.7
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\extensions\\{E66DE744-4E1D-4C07-89E1-5B8E9527BB0A}: C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\{E66DE744-4E1D-4C07-89E1-5B8E9527BB0A}\ [2009.01.10 17:17:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.02.01 18:00:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.02.01 18:00:16 | 000,000,000 | ---D | M]

[2010.02.01 18:00:30 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\Mozilla\Extensions
[2010.02.01 18:00:30 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\hy4bwfvf.default\extensions
[2010.02.05 19:57:44 | 000,000,000 | ---D | M] (NoScript) -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\hy4bwfvf.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010.02.01 18:32:58 | 000,000,000 | ---D | M] (BeeFree) -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\hy4bwfvf.default\extensions\{BEE0F7EE-BEE0-BEE0-BEE0-BEE0F7EE0000}
[2010.02.01 18:32:58 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\hy4bwfvf.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010.02.01 18:32:58 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\hy4bwfvf.default\extensions\optout@dubfire.net
[2010.02.01 18:38:32 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\hy4bwfvf.default\extensions\trackmenot@mrl.nyu.edu
[2010.02.02 22:36:28 | 000,001,549 | ---- | M] () -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\hy4bwfvf.default\searchplugins\my trusted search engine.xml
[2010.02.01 18:00:16 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.01.16 02:15:30 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.01.16 02:15:30 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.01.16 02:15:30 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.01.16 02:15:30 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.01.16 02:15:30 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009.09.27 13:37:40 | 000,334,518 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 127.0.0.1    www.007guard.com
O1 - Hosts: 127.0.0.1    007guard.com
O1 - Hosts: 127.0.0.1    008i.com
O1 - Hosts: 127.0.0.1    www.008k.com
O1 - Hosts: 127.0.0.1    008k.com
O1 - Hosts: 127.0.0.1    www.00hq.com
O1 - Hosts: 127.0.0.1    00hq.com
O1 - Hosts: 127.0.0.1    010402.com
O1 - Hosts: 127.0.0.1    www.032439.com
O1 - Hosts: 127.0.0.1    032439.com
O1 - Hosts: 127.0.0.1    www.0scan.com
O1 - Hosts: 127.0.0.1    0scan.com
O1 - Hosts: 127.0.0.1    1000gratisproben.com
O1 - Hosts: 127.0.0.1    www.1000gratisproben.com
O1 - Hosts: 127.0.0.1    1001namen.com
O1 - Hosts: 127.0.0.1    www.1001namen.com
O1 - Hosts: 127.0.0.1    100888290cs.com
O1 - Hosts: 127.0.0.1    www.100888290cs.com
O1 - Hosts: 127.0.0.1    www.100sexlinks.com
O1 - Hosts: 127.0.0.1    100sexlinks.com
O1 - Hosts: 127.0.0.1    10sek.com
O1 - Hosts: 127.0.0.1    www.10sek.com
O1 - Hosts: 127.0.0.1    www.1-2005-search.com
O1 - Hosts: 127.0.0.1    1-2005-search.com
O1 - Hosts: 11488 more lines...


///COMMENT: Is the above part of a botnet, or is it the black list of "SpywareBlaster"???

CODE
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\..\Toolbar\Webbrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [@OnlineArmor GUI] C:\Programme\Tall Emu\Online Armor\oaui.exe (Tall Emu)
O4 - HKLM..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [CARPService] C:\WINDOWS\System32\carpserv.exe (Conexant Systems )
O4 - HKLM..\Run: [QuickTime Task] C:\Programme\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [S3hotkey] C:\WINDOWS\System32\S3hotkey.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [S3TRAY2] C:\WINDOWS\System32\S3tray2.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-400550780-2136417557-3852222622-1008_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll File not found
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-400550780-2136417557-3852222622-1008\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229076368068 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programme\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\User\Anwendungsdaten\IrfanView\IrfanView_Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\User\Anwendungsdaten\IrfanView\IrfanView_Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {4F07DA45-8170-4859-9B5F-037EF2970034} - C:\Programme\Tall Emu\Online Armor\oaevent.dll (Tall Emu)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007.03.12 08:47:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 -  File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007.03.12 08:36:00 | 000,000,000 | ---D | M]
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found

MsConfig - Services: "WMPNetworkSvc"
MsConfig - Services: "AVM WLAN Connection Service"
MsConfig - StartUpReg: [b]Adobe Reader Speed Launcher[/b] - hkey= - key= - C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: [b]OutpostFeedBack[/b] - hkey= - key= - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\feedback.exe File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr - Service
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vektorgrafik-Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML-Datenbindung für Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3e7bb08a-a7a3-4692-8eac-ac5e7895755b} - KB834707
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Erweitertes Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Sicherheitsupdate für Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Taskplaner
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E78BFA60-5393-4C38-82AB-E8019E464EB4} - .NET Framework
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: MSACM.CEGSM - C:\WINDOWS\System32\mobileV.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\i420vfw.dll (www.helixcommunity.org)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.dll (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2010.02.22 14:03:21 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\User\Desktop\OTL.exe
[2010.02.22 01:45:37 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\User\Recent
[2010.02.15 21:13:46 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Reinhard Epp Software
[2010.02.15 21:13:46 | 000,000,000 | ---D | C] -- C:\Programme\CyberMotion 3D-Designer v14
[2010.02.12 02:50:48 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\DirectX
[2010.02.11 15:30:39 | 000,000,000 | ---D | C] -- C:\Programme\ESET
[2010.02.11 12:18:20 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\User\Eigene Dateien\DDSScan
[2010.02.11 11:57:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010.02.10 21:02:25 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\OnlineArmor
[2010.02.10 21:02:25 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\OnlineArmor
[2010.02.10 21:01:38 | 000,223,312 | ---- | C] (Tall Emu) -- C:\WINDOWS\System32\drivers\OADriver.sys
[2010.02.10 21:01:38 | 000,029,776 | ---- | C] (Tall Emu Pty Ltd) -- C:\WINDOWS\System32\drivers\OAnet.sys
[2010.02.10 21:01:38 | 000,024,656 | ---- | C] (Tall Emu) -- C:\WINDOWS\System32\drivers\OAmon.sys
[2010.02.10 21:01:37 | 000,000,000 | ---D | C] -- C:\Programme\Tall Emu
[2010.02.01 18:11:12 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Java
[2010.02.01 18:10:55 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.02.01 18:10:55 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.02.01 18:10:55 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.02.01 18:10:55 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010.02.01 18:00:25 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\Mozilla
[2010.02.01 18:00:15 | 000,000,000 | ---D | C] -- C:\Programme\Mozilla Firefox
[2010.01.30 05:15:42 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\User\Eigene Dateien\Algarve 2010
[2010.01.30 04:52:42 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\DeepBurner
[2010.01.30 04:46:59 | 000,000,000 | ---D | C] -- C:\Programme\Astonsoft
[2010.01.28 01:19:55 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\User\Desktop\mozilla36 bookmarks backup
[2010.01.28 00:31:26 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sun
[2010.01.27 17:26:13 | 000,000,000 | ---D | C] -- C:\Programme\SpywareBlaster
[2010.01.27 16:14:38 | 000,910,584 | ---- | C] (Prevx) -- C:\Dokumente und Einstellungen\User\Eigene Dateien\PREVXCSIFREE.EXE
[2010.01.25 12:03:46 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\QuickScan
[2009.02.26 08:01:30 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Macromedia
[2009.02.25 14:33:38 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Macromedia
[2008.12.15 01:54:41 | 000,688,128 | ---- | C] ( ) -- C:\WINDOWS\System32\npgnash.dll
[2008.10.07 10:25:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Apple
[2007.03.12 14:35:06 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Bytemobile
[2007.03.12 08:50:38 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2007.03.12 08:50:38 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2007.03.12 08:38:34 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Microsoft
[2007.03.12 08:38:34 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Microsoft
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2010.02.22 14:03:28 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\User\Desktop\OTL.exe
[2010.02.22 08:33:04 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.02.22 08:13:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.02.22 08:13:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.02.22 08:13:10 | 771,280,896 | -HS- | M] () -- C:\hiberfil.sys
[2010.02.22 01:45:44 | 008,912,896 | -H-- | M] () -- C:\Dokumente und Einstellungen\User\NTUSER.DAT
[2010.02.22 01:45:44 | 000,000,300 | -HS- | M] () -- C:\Dokumente und Einstellungen\User\ntuser.ini
[2010.02.21 20:54:12 | 000,116,224 | ---- | M] () -- C:\Dokumente und Einstellungen\User\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.02.11 11:59:10 | 000,001,285 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.02.11 11:59:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.02.11 11:59:10 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010.02.10 22:24:56 | 000,524,288 | ---- | M] () -- C:\Dokumente und Einstellungen\User\Desktop\dds.scr
[2010.02.10 21:02:04 | 000,453,778 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.02.10 21:02:04 | 000,436,074 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.02.10 21:02:04 | 000,083,102 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.02.10 21:02:04 | 000,069,776 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.02.10 20:01:24 | 000,000,400 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010.02.10 18:37:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010.02.01 18:10:42 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010.02.01 18:10:42 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.02.01 18:10:42 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.02.01 18:10:42 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.02.01 18:10:42 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010.02.01 18:00:22 | 000,001,470 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Mozilla Firefox.lnk
[2010.02.01 16:42:24 | 000,002,340 | ---- | M] () -- C:\Dokumente und Einstellungen\User\Eigene Dateien\backup_post-virus-n-rootkit.reg
[2010.01.30 04:47:04 | 000,000,630 | ---- | M] () -- C:\Dokumente und Einstellungen\User\Desktop\DeepBurner.lnk
[2010.01.27 16:15:26 | 000,000,329 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010.01.27 16:14:52 | 000,910,584 | ---- | M] (Prevx) -- C:\Dokumente und Einstellungen\User\Eigene Dateien\PREVXCSIFREE.EXE
[2010.01.25 23:52:32 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010.01.25 23:52:02 | 001,074,232 | ---- | M] () -- C:\Dokumente und Einstellungen\User\Eigene Dateien\RootkitBuster_2.80.1077.zip
[2010.01.25 23:46:12 | 000,152,401 | ---- | M] () -- C:\Dokumente und Einstellungen\User\Eigene Dateien\tdsskiller.zip
[2010.01.23 14:14:38 | 000,001,613 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Adobe Reader 8.lnk
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2010.02.10 22:24:51 | 000,524,288 | ---- | C] () -- C:\Dokumente und Einstellungen\User\Desktop\dds.scr
[2010.02.01 18:00:21 | 000,001,470 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Mozilla Firefox.lnk
[2010.02.01 16:56:59 | 771,280,896 | -HS- | C] () -- C:\hiberfil.sys
[2010.02.01 16:42:22 | 000,002,340 | ---- | C] () -- C:\Dokumente und Einstellungen\User\Eigene Dateien\backup_post-virus-n-rootkit.reg
[2010.01.30 04:47:03 | 000,000,630 | ---- | C] () -- C:\Dokumente und Einstellungen\User\Desktop\DeepBurner.lnk
[2010.01.25 23:51:55 | 001,074,232 | ---- | C] () -- C:\Dokumente und Einstellungen\User\Eigene Dateien\RootkitBuster_2.80.1077.zip
[2010.01.25 23:46:09 | 000,152,401 | ---- | C] () -- C:\Dokumente und Einstellungen\User\Eigene Dateien\tdsskiller.zip
[2010.01.23 14:14:36 | 000,001,613 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Adobe Reader 8.lnk
[2009.11.30 17:12:37 | 000,000,034 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009.11.24 16:10:58 | 000,000,067 | ---- | C] () -- C:\WINDOWS\AVIConverter.INI
[2009.04.17 01:26:54 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009.01.13 05:28:01 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\EmailErr.log
[2009.01.10 17:58:28 | 000,000,329 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008.12.17 19:28:18 | 000,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2008.12.17 18:50:02 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2008.12.15 01:54:41 | 001,302,528 | ---- | C] () -- C:\WINDOWS\System32\libmySQL.dll
[2008.12.15 01:54:41 | 000,270,336 | ---- | C] () -- C:\WINDOWS\System32\SDL_mixer.dll
[2008.12.15 01:54:41 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2008.12.15 01:54:41 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\sdl.dll
[2008.12.15 01:54:41 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\zlibwapi.dll
[2008.12.12 11:15:52 | 000,000,137 | ---- | C] () -- C:\Dokumente und Einstellungen\User\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
[2008.07.23 20:45:27 | 000,002,868 | ---- | C] () -- C:\Dokumente und Einstellungen\User\Anwendungsdaten\HPCOM_48BitScanUpdate.log
[2008.07.23 20:45:27 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2008.07.20 13:32:39 | 000,116,224 | ---- | C] () -- C:\Dokumente und Einstellungen\User\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.07.13 14:29:23 | 000,007,589 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hpzinstall.log
[2007.10.14 14:24:28 | 000,000,565 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2007.10.14 14:24:26 | 000,000,189 | ---- | C] () -- C:\WINDOWS\brqikmon.ini
[2007.10.14 14:24:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2007.06.20 19:07:29 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2007.06.20 19:07:29 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2007.06.17 11:17:54 | 000,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007.06.15 22:11:59 | 000,000,030 | ---- | C] () -- C:\WINDOWS\iedit.INI
[2007.05.04 18:26:34 | 000,008,192 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony Ericsson
[2007.03.19 20:04:56 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007.03.12 14:33:37 | 000,241,664 | ---- | C] () -- C:\WINDOWS\VMC9SavedNwtGatewayDLL.dll
[2007.03.12 14:33:37 | 000,001,110 | ---- | C] () -- C:\WINDOWS\VMC9SavedNwtGatewayConfig.ini
[2007.03.12 12:45:52 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007.03.12 08:55:31 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007.03.12 08:54:42 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2007.03.12 08:43:34 | 000,003,776 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005.08.15 00:11:59 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2005.08.15 00:11:44 | 000,041,984 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2005.08.15 00:11:28 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2005.08.10 00:12:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005.04.04 12:52:42 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2005.04.04 12:35:24 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004.09.01 17:49:17 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2002.11.15 14:11:28 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\MMSwitch.dll
[1999.01.26 23:00:00 | 000,114,816 | ---- | C] () -- C:\WINDOWS\System32\MSMT4232.DLL
[1999.01.22 19:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1996.04.03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
[1980.01.01 00:00:00 | 000,007,932 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[color=#E56717]========== Custom Scans ==========[/color]


[color=#A23BEC]< %systemroot%\system32\*.dll /lockedfiles >[/color]

[color=#A23BEC]< %systemroot%\Tasks\*.job /lockedfiles >[/color]


[color=#A23BEC]< MD5 for: AGP440.SYS  >[/color]
[2004.08.04 01:10:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008.07.07 11:48:34 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004.08.04 01:10:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008.07.07 11:48:34 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004.08.03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

[color=#A23BEC]< MD5 for: ATAPI.SYS  >[/color]
[2004.08.04 01:10:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008.07.07 11:48:34 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004.08.04 01:10:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008.07.07 11:48:34 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004.08.03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[color=#A23BEC]< MD5 for: EVENTLOG.DLL  >[/color]
[2008.04.14 04:22:10 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008.04.14 04:22:10 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\system32\eventlog.dll
[2004.08.04 00:57:20 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=B932C077D5A65B71B4512544AC404CB4 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

[color=#A23BEC]< MD5 for: NETLOGON.DLL  >[/color]
[2008.04.14 04:22:20 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008.04.14 04:22:20 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\system32\netlogon.dll
[2004.08.04 00:57:32 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=D27395EDCD3416AFD125A9370DCB585C -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

[color=#A23BEC]< MD5 for: SCECLI.DLL  >[/color]
[2008.04.14 04:22:24 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008.04.14 04:22:24 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\system32\scecli.dll
[2004.08.04 00:57:34 | 000,186,880 | ---- | M] (Microsoft Corporation) MD5=64DC26B3CF7BCCAD431CE360A4C625D5 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[color=#A23BEC]< %systemroot%\*. /mp /s >[/color]

[color=#E56717]========== Files - Unicode (All) ==========[/color]
[2009.05.31 17:48:08 | 000,000,130 | ---- | M] ()(C:\WINDOWS\????????????????????????????????U??????) -- C:\WINDOWS\㩣灜潲牧浡敭煜極瑮獥敳瑮慩汰祡牥停畬楧獮停畬楧獮椮楮＀Ȣ粒ƛ粒Ǜ粒ɢﯸ翺׀
[2009.05.31 17:48:08 | 000,000,130 | ---- | M] ()(C:\WINDOWS\???????????????????????????) -- C:\WINDOWS\㩣灜潲牧浡敭煜極瑮獥敳瑮慩汰祡牥停畬楧獮停畬楧獮椮楮
[2009.05.31 17:48:06 | 000,000,130 | ---- | C] ()(C:\WINDOWS\????????????????????????????????U??????) -- C:\WINDOWS\㩣灜潲牧浡敭煜極瑮獥敳瑮慩汰祡牥停畬楧獮停畬楧獮椮楮＀Ȣ粒ƛ粒Ǜ粒ɢﯸ翺׀
[2009.05.31 17:48:06 | 000,000,130 | ---- | C] ()(C:\WINDOWS\???????????????????????????) -- C:\WINDOWS\㩣灜潲牧浡敭煜極瑮獥敳瑮慩汰祡牥停畬楧獮停畬楧獮椮楮
[2009.05.31 17:43:58 | 000,000,130 | ---- | M] ()(C:\WINDOWS\????????????????????????????????U??????) -- C:\WINDOWS\㩣灜潲牧浡敭煜極瑮獥敳瑮慩汰祡牥停畬楧獮停畬楧獮椮楮＀Ȣ粒ƛ粒Ǜ粒ɢﯸ翺Ѵ
[2009.05.31 17:43:56 | 000,000,130 | ---- | C] ()(C:\WINDOWS\????????????????????????????????U??????) -- C:\WINDOWS\㩣灜潲牧浡敭煜極瑮獥敳瑮慩汰祡牥停畬楧獮停畬楧獮椮楮＀Ȣ粒ƛ粒Ǜ粒ɢﯸ翺Ѵ
< End of report >




EXTRAS.TXT:

CODE
OTL Extras logfile created on: 22.02.2010 14:07:51 - Run 1
OTL by OldTimer - Version 3.1.30.1     Folder = C:\Dokumente und Einstellungen\User\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

735,00 Mb Total Physical Memory | 365,00 Mb Available Physical Memory | 50,00% Memory free
2,00 Gb Paging File | 1,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 1128 2256 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 27,89 Gb Total Space | 6,64 Gb Free Space | 23,80% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ***edit: private***
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=#E56717]========== Extra Registry (SafeList) ==========[/color]


[color=#E56717]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-400550780-2136417557-3852222622-1008\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[color=#E56717]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Programme\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Programme\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Programme\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- Reg Error: Key error.
https [open] -- "C:\Programme\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Programme\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Programme\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Programme\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Programme\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Programme\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[color=#E56717]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

[color=#E56717]========== Authorized Applications List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\Mozilla Firefox\FIREFOX.EXE" = C:\Programme\Mozilla Firefox\FIREFOX.EXE:*:Enabled:Firefox -- (Mozilla Corporation)


[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00030407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Small Business
"{025C3792-E9C6-432A-92C1-661F99D021CA}" = Ulead Photo Explorer 8.5
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0FABD3D7-3036-4e78-B29D-58957ADB0A12}" = HP PSC & OfficeJet 3.5
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{2405665A-16C9-4D3A-B70E-F006220E1472}" = Overland
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{26A1E9CF-BFC1-4309-80CD-C182D80922DB}_is1" = Artweaver 0.5
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{2ADE2157-7A5E-122C-B51D-EB8A01B15943}" = DeepBurner v1.9.0.228
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7F34A21F-2DEB-4598-BB19-611D6BD24271}" = Managed DirectX (0901)
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{AC76BA86-7AD7-1031-7B44-A81300000003}" = Adobe Reader 8.1.3 - Deutsch
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B2C61EBB-F47C-48ba-B375-27A40F8F48F7}" = HP Deskjet All-In-One Software 9.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4F35A00-24FD-4fb3-BF5E-413D5423434D}" = DJ_AIO_Software_min
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCD90636-D97D-4130-A44A-3AD4E63B9220}" = OpenOffice.org 2.4
"{CCEB53A5-A252-4CF3-8602-429AB06BF0AE}" = Terragen
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9-Reihe
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agnitum Outpost Firewall Pro" = Agnitum Outpost Firewall Pro
"Applian FLV Player2.0.24" = Applian FLV Player
"Ashampoo WinOptimizer 2002" = Ashampoo WinOptimizer 2002
"AVMWLANCLI" = AVM FRITZ!WLAN
"CM3DDV1400_is1" = CyberMotion 3D-Designer v14
"CNXT_MODEM_PCI_VEN_1106&DEV_3068&SUBSYS_001D1025" = Conexant Soft 56K Modem
"DivX Codec" = Remove DivX Codec
"DivX Player" = DivX Player
"DivX Total Pack" = DivX Total Pack
"ESET Online Scanner" = ESET Online Scanner v3
"GXTranscoder_is1" = GX::Transcoder v5.0
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.2
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IrfanView" = IrfanView (remove only)
"LManager" = Aspire Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"OnlineArmor_is1" = Online Armor 4.0
"RealAlt_is1" = Real Alternative 1.9.0
"S3Display" = S3Display
"S3Gamma2" = S3Gamma2
"S3Info2" = S3Info2
"SpeedFan" = SpeedFan (remove only)
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Steam App 30" = Day of Defeat
"Streamripper" = Streamripper (Remove only)
"Twister" = Twister and Utilities
"VLC media player" = VideoLAN VLC media player 0.8.6i
"VueScan" = VueScan
"Winamp" = Winamp
"Windows Media Encoder 9" = Windows Media Encoder 9-Reihe
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR Archivierer
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"X Codec Pack" = X Codec Pack

[color=#E56717]========== Last 10 Event Log Errors ==========[/color]

[ Application Events ]
Error - 15.08.2008 20:22:45 | Computer Name = ***edit: private*** | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung WinRAR.exe, Version 3.41.0.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 15.08.2008 20:22:45 | Computer Name = ***edit: private*** | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung WinRAR.exe, Version 3.41.0.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 13.09.2008 01:44:29 | Computer Name = ***edit: private*** | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung vlc.exe, Version 0.8.6.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 14.09.2008 23:22:14 | Computer Name = ***edit: private*** | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung WinRAR.exe, Version 3.41.0.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 14.09.2008 23:22:15 | Computer Name = ***edit: private*** | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung WinRAR.exe, Version 3.41.0.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 14.09.2008 23:22:19 | Computer Name = ***edit: private*** | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung WinRAR.exe, Version 3.41.0.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 14.09.2008 23:35:46 | Computer Name = ***edit: private*** | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung firefox.exe, Version 1.9.0.3105, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 23.09.2008 03:48:48 | Computer Name = ***edit: private*** | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung WinRAR.exe, Version 3.41.0.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 23.09.2008 03:48:48 | Computer Name = ***edit: private*** | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung WinRAR.exe, Version 3.41.0.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 23.09.2008 14:05:50 | Computer Name = ***edit: private*** | Source = Spybot - Search & Destroy | ID = 0
Description =

[ System Events ]
Error - 01.02.2010 11:40:52 | Computer Name = ***edit: private*** | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "MSIServer"
mit den Argumenten ""  gestartet wurde, um den folgenden Server zu verwenden:  {000C101C-0000-0000-C000-000000000046}

Error - 01.02.2010 11:40:52 | Computer Name = ***edit: private*** | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "MSIServer"
mit den Argumenten ""  gestartet wurde, um den folgenden Server zu verwenden:  {000C101C-0000-0000-C000-000000000046}

Error - 01.02.2010 11:42:08 | Computer Name = ***edit: private*** | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "StiSvc"
mit den Argumenten ""  gestartet wurde, um den folgenden Server zu verwenden:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 01.02.2010 11:46:45 | Computer Name = ***edit: private*** | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "StiSvc"
mit den Argumenten ""  gestartet wurde, um den folgenden Server zu verwenden:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 01.02.2010 11:55:59 | Computer Name = ***edit: private*** | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "EventSystem"
mit den Argumenten ""  gestartet wurde, um den folgenden Server zu verwenden:  {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 14.02.2010 17:15:04 | Computer Name = ***edit: private*** | Source = W32Time | ID = 39452689
Description = Zeitabieter "NtpClient": Beim DNS-Lookup für den manuell konfigurierten
Peer  "time.windows.com,0x1" ist ein Fehler aufgetreten. Der DNS-Lookup wird in 15
Minuten  wiederholt.  Fehler: Der Host war bei einem Socketvorgang nicht erreichbar.
(0x80072751)

Error - 14.02.2010 17:15:04 | Computer Name = ***edit: private*** | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen  konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb  der
nächsten 14 Minuten wird kein Versuch unternommen, eine Verbindung  mit der Quelle
herzustellen.  Der NtpClient verfügt über keine Quelle mit genauer Zeit.

Error - 14.02.2010 17:15:05 | Computer Name = ***edit: private*** | Source = W32Time | ID = 39452689
Description = Zeitabieter "NtpClient": Beim DNS-Lookup für den manuell konfigurierten
Peer  "time.windows.com,0x1" ist ein Fehler aufgetreten. Der DNS-Lookup wird in 15
Minuten  wiederholt.  Fehler: Der Host war bei einem Socketvorgang nicht erreichbar.
(0x80072751)

Error - 14.02.2010 17:15:05 | Computer Name = ***edit: private*** | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen  konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb  der
nächsten 14 Minuten wird kein Versuch unternommen, eine Verbindung  mit der Quelle
herzustellen.  Der NtpClient verfügt über keine Quelle mit genauer Zeit.

Error - 14.02.2010 17:19:35 | Computer Name = ***edit: private*** | Source = NetBT | ID = 4307
Description = Initialisierung fehlgeschlagen, da die Transportschicht das Öffnen
der Anfangsadressen verweigerte.


< End of report >




Thanks for analyzing the Logs in advance!
I will track the topic via e-mail as you suggested, although i am unable to be online every day.

Edited by compromizedsys, 22 February 2010 - 09:20 AM.


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:34 AM

Posted 22 February 2010 - 04:23 PM

Hi,

your logs look clean, however this is not surprising, since rootkits won't show in it.
The prevx blog entry you read actually treats of a different infection than the one showing in your logs. It is more frequently known as tdl3 and is not part of the tdss group as was initially thought.

However I would like to make sure that nothing is left, therefore please try to run defogger first:
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

And try to run gmer again. Please also try to run it in safe mode if it still crashes.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 compromizedsys

compromizedsys
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 AM

Posted 24 February 2010 - 01:09 PM

Hello smile.gif

I ran DeFogger according to your instructions.
However, the sptd entries still show up in gmer.
(I suppose these drivers are leftovers from programs i uninstalled ages ago.)


Just to make sure i didn't do anything wrong, here's the

defogger_disable.log:

[attachment=48578:defogger_disable.log]

After that i ran gmer,
here are the logs.
[I tried running gmer from the desktop, but somehow the scan hung up or the window disappeared.
I then ran gmer from the user data folder and it ran stable.]


Gmer (safe mode):

[attachment=48579:gmer_safe_mode.log]

Gmer (normal mode):

[attachment=48580:gmer_normal_mode.log]



To me it looks clean at a first glance, but i could be missing something.

Thanks for your help, myrti!


EDIT: I just realized that the logs show up a bit messy when i try to post them in code tags,
so for better readability i uploaded the logs as attachments.
Hope that's ok for you.


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:34 AM

Posted 26 February 2010 - 12:18 PM

Hi,

sptd is part of Daemon Tools or Alcohol120%. If you have one of those programs still installed you also need sptd. If you don't have it installed, you don't need it.

The log looks clean, we did not delete the service, however we disabled then. The suspicious entries are no longer present and the log looks clean.

You can reenable drivers with defogger now if you want.

Please run a scan with Eset as well:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 compromizedsys

compromizedsys
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 AM

Posted 01 March 2010 - 07:08 AM

hello.

i have completed the scan, which found no threads,
but somehow escan doesn't give me an option to save a log
in the way you have instructed me to.

is this because of version changes, or am i only supposed to create a log once a threat has been detected?



thank you smile.gif

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:34 AM

Posted 01 March 2010 - 11:28 AM

Hi,

Your logs are clean. How is the PC doing?

If you don't have anymore problems, please update your software:
Your Adobe Reader is out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 compromizedsys

compromizedsys
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 AM

Posted 01 March 2010 - 12:59 PM

hello.

the computer behaves normal.

only the XUL cache error occurs from time to time,
but as far as i have understood it,
it has to do with mozilla plugins that have some outdated lines of code in them.
yes, i will try to turn the plugins off and on, until i know which plugin causes the error.

updates will be done also.



thanks smile.gif

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:34 AM

Posted 01 March 2010 - 01:08 PM

Hi,

you may have some left overs from goored, please run the removal tool:
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 compromizedsys

compromizedsys
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 AM

Posted 02 March 2010 - 03:03 PM

hello.

this is the gooredfix log:

CODE
GooredFix by jpshortstuff (08.01.10.1)
Log created at 11:26 on 02/03/2010 (User)
Firefox version 3.6 (de)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{E66DE744-4E1D-4C07-89E1-5B8E9527BB0A} -> Success!
Deleting C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\{E66DE744-4E1D-4C07-89E1-5B8E9527BB0A} -> Success!

========== GooredLog ==========

C:\Programme\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:00 01/02/2010]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [17:10 01/02/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [14:08 09/08/2009]
"jqs@sun.com"="C:\Programme\Java\jre6\lib\deploy\jqs\ff" [17:10 01/02/2010]

-=E.O.F=-



I honestly have no idea what this is blink.gif


Thank you for pointing this out nontheless.
Is a goored infection somehow related to tdss / td3?

I think I feel Mozilla is not such a memory hog anymore.



Thank you, mirty, i consider to make a small donation for your efforts! thumbup.gif

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:34 AM

Posted 02 March 2010 - 05:41 PM

Hi,

no goored is not related to tdl3.
Goored was one of the first infections targetting Firefox especially. It installs as a hidden add-on to firefox and also usually only affects browsing in Firefox itself. It has no rootkit component.

Are you having any more issues with the PC?

Please update your Adobe Reader. Your Adobe Reader is also out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

Let me know if you run into any trouble doing that.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 compromizedsys

compromizedsys
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 AM

Posted 06 March 2010 - 05:11 PM

hello. smile.gif

i have updated my adobe reader as you suggested.

thank you very much for your help.

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:34 AM

Posted 06 March 2010 - 05:22 PM

Hi,

your logs are clean, all that is left to do is to remove the programs we used:
Read those last few lines, in order to keep your pc safe and clean:
Please do the following to clean up your PC:
  1. Delete the tools used during the disinfection:
    • Download OTC from the following mirrors and save it to your desktop:
    • Double click on
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  2. If OTC faild to remove all programs from your Desktop, please delete the rest manually.
  3. Disable and Enable System Restore.
    You can find instructions on how to disable and reenable system restore here:
    Windows ME System Restore Guide
    Windows XP System Restore Guide
    Windows Vista System Restore Guide

    Note: You should only do this once, not on a regular basis!
    You will not be able to restore computer to any earlier than today!

Please read these advices, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holeswill allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variantsevery single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.
Some more links you might find of interest:Greetings from Germany, smile.gif
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 compromizedsys

compromizedsys
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 AM

Posted 06 March 2010 - 05:58 PM

ok, did that.

i will try my best to keep up-to-date.

thanks for the help, i will not forget it and will donate as soon as possible. thumbup2.gif

(oh you are a fellow german, nice to meet you in the internet :D)

Edited by compromizedsys, 06 March 2010 - 06:03 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users