Rootkit.Gen. Computer is dying.


This topic is locked
2 replies to this topic

#1 david208


Posted 17 May 2011 - 11:57 AM

I have been having this problem since May 16th. Malwarebytes said that it found Trojan Zbot, Windows Defender found Sirefef.B, and Avira said that it found Rootkit.Gen. IE became slower and started to redirect me to other websites. The "Back" function stopped working; IE kept bringing me back to the website I was on. None of the above-mentioned programs was able to solve the problem.
I ran some scans, and ComboFix said that it deleted some files, but it became worse. Today I noticed that I can't connect to the internet.
It says "RPC server is unavailable", and the internet is still not there after I enabled DCOM tunneling.
Besides that, the computer stopped recognising the CD drive and USB audio drive, so right now I'm writing from another computer. I would highly appreciate it if anyone could help me solve this problem.


ComboFix 11-05-16.02 - vad 17.05.2011 1:49.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.41.1033.18.2047.1608 [GMT 2:00]
ausgeführt von:: c:\documents and settings\vad\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-04-16 bis 2011-05-16 ))))))))))))))))))))))))))))))
.
.
2011-05-16 20:54 . 2011-05-16 21:33 -------- d-----w- c:\windows\system32\NtmsData
2011-05-16 20:42 . 2011-05-16 20:42 -------- d-----w- c:\documents and settings\vad\Application Data\Avira
2011-05-16 20:38 . 2011-05-16 20:38 -------- d-----w- c:\program files\Avira
2011-05-16 20:38 . 2011-05-16 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-05-16 20:38 . 2011-04-01 15:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-16 20:38 . 2011-04-01 15:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-05-16 20:38 . 2010-06-17 13:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-05-16 20:38 . 2010-06-17 13:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-05-16 20:00 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2011-05-16 20:00 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys
2011-05-16 18:12 . 2011-05-16 18:12 54016 ----a-w- c:\windows\system32\drivers\cbkurxe.sys
2011-05-16 17:13 . 2011-05-16 17:38 -------- d-----w- c:\documents and settings\vad\Application Data\Tepo
2011-05-13 08:56 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2822D307-F833-4C0D-A590-3325FCDBEB8E}\mpengine.dll
2011-05-04 08:06 . 2009-08-06 17:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-04 08:06 . 2009-08-06 17:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-05-03 15:02 . 2011-05-03 15:02 -------- d-----w- C:\Worden
2011-05-03 15:02 . 1996-07-25 11:50 118272 ----a-w- c:\windows\system32\Qpro32.dll
2011-05-03 15:01 . 2004-07-15 22:19 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2011-05-03 15:01 . 2004-07-15 22:18 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2011-05-03 15:01 . 2004-07-15 22:20 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2011-05-03 15:01 . 2004-07-15 22:20 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2011-05-03 15:01 . 2004-07-15 22:18 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2011-05-03 15:01 . 2011-05-03 15:01 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
2011-05-03 15:01 . 2011-05-03 15:01 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
2011-05-03 11:55 . 2011-05-03 11:55 -------- d-----w- c:\program files\Microsoft Silverlight
2011-05-02 22:29 . 2011-05-16 14:31 -------- d-----w- c:\program files\CycleTimer
2011-04-28 08:59 . 2011-04-28 08:59 -------- d-----w- c:\program files\MagicISO
2011-04-28 08:52 . 2011-04-28 08:52 -------- d-----w- c:\documents and settings\vad\Application Data\Canneverbe Limited
2011-04-28 08:52 . 2011-04-28 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2011-04-28 08:52 . 2009-11-12 11:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2011-04-28 08:52 . 2011-04-28 08:52 -------- d-----w- c:\program files\CDBurnerXP
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2010-06-06 07:13 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2010-06-05 19:59 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2002-12-31 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2002-12-31 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2002-12-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2002-12-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2002-12-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2002-12-31 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2002-12-31 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2002-12-31 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-06-05 21:09 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-16_23.10.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-16 23:48 . 2011-05-16 23:48 16384 c:\windows\Temp\Perflib_Perfdata_79c.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-06-17 33628160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"MultiScreen"="c:\program files\MultiScreen\MultiScreen.exe" [2008-06-30 114688]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2011-03-28 14:14 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\vad\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\vad\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [29.07.2010 13:07 6883]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [16.05.2011 22:38 136360]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [06.06.2010 00:47 58600]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [06.06.2010 00:25 1374464]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03.11.2006 19:19 13592]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 11:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Inhalt des "geplante Tasks" Ordners
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1078081533-1801674531-1003Core.job
- c:\documents and settings\vad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 21:58]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1078081533-1801674531-1003UA.job
- c:\documents and settings\vad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 21:58]
.
2011-05-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.ch/
LSP: mswsock.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-17 01:54
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\?\globalroot\systemroot\system32\mswsock.dll
c:\windows\system32\jscript.dll
.
Zeit der Fertigstellung: 2011-05-17 01:55:35
ComboFix-quarantined-files.txt 2011-05-16 23:55
ComboFix2.txt 2011-05-16 23:10
.
Vor Suchlauf: 473'900'888'064 bytes free
Nach Suchlauf: 473'893'945'344 bytes free
.
- - End Of File - - 1D769C4EC214709EA83E9FF10E439DE6

ComboFix 11-05-16.02 - vad 17.05.2011 1:04.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.41.1033.18.2047.1603 [GMT 2:00]
ausgeführt von:: c:\documents and settings\vad\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\vad\Desktop\006E~1.exe
c:\documents and settings\vad\g2mdlhlpx.exe
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-04-16 bis 2011-05-16 ))))))))))))))))))))))))))))))
.
.
2011-05-16 20:54 . 2011-05-16 21:33 -------- d-----w- c:\windows\system32\NtmsData
2011-05-16 20:42 . 2011-05-16 20:42 -------- d-----w- c:\documents and settings\vad\Application Data\Avira
2011-05-16 20:38 . 2011-05-16 20:38 -------- d-----w- c:\program files\Avira
2011-05-16 20:38 . 2011-05-16 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-05-16 20:38 . 2011-04-01 15:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-16 20:38 . 2011-04-01 15:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-05-16 20:38 . 2010-06-17 13:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-05-16 20:38 . 2010-06-17 13:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-05-16 20:00 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2011-05-16 20:00 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys
2011-05-16 18:12 . 2011-05-16 18:12 54016 ----a-w- c:\windows\system32\drivers\cbkurxe.sys
2011-05-16 17:13 . 2011-05-16 17:38 -------- d-----w- c:\documents and settings\vad\Application Data\Tepo
2011-05-13 08:56 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2822D307-F833-4C0D-A590-3325FCDBEB8E}\mpengine.dll
2011-05-04 08:06 . 2009-08-06 17:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-04 08:06 . 2009-08-06 17:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-05-03 15:02 . 2011-05-03 15:02 -------- d-----w- C:\Worden
2011-05-03 15:02 . 1996-07-25 11:50 118272 ----a-w- c:\windows\system32\Qpro32.dll
2011-05-03 15:01 . 2004-07-15 22:19 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2011-05-03 15:01 . 2004-07-15 22:18 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2011-05-03 15:01 . 2004-07-15 22:20 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2011-05-03 15:01 . 2004-07-15 22:20 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2011-05-03 15:01 . 2004-07-15 22:18 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2011-05-03 15:01 . 2011-05-03 15:01 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
2011-05-03 15:01 . 2011-05-03 15:01 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
2011-05-03 11:55 . 2011-05-03 11:55 -------- d-----w- c:\program files\Microsoft Silverlight
2011-05-02 22:29 . 2011-05-16 14:31 -------- d-----w- c:\program files\CycleTimer
2011-04-28 08:59 . 2011-04-28 08:59 -------- d-----w- c:\program files\MagicISO
2011-04-28 08:52 . 2011-04-28 08:52 -------- d-----w- c:\documents and settings\vad\Application Data\Canneverbe Limited
2011-04-28 08:52 . 2011-04-28 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2011-04-28 08:52 . 2009-11-12 11:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2011-04-28 08:52 . 2011-04-28 08:52 -------- d-----w- c:\program files\CDBurnerXP
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2010-06-06 07:13 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2010-06-05 19:59 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2002-12-31 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2002-12-31 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2002-12-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2002-12-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2002-12-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2002-12-31 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2002-12-31 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2002-12-31 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-06-05 21:09 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-06-17 33628160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"MultiScreen"="c:\program files\MultiScreen\MultiScreen.exe" [2008-06-30 114688]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\vad\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\vad\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [29.07.2010 13:07 6883]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [16.05.2011 22:38 136360]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03.11.2006 19:19 13592]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [06.06.2010 00:47 58600]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [06.06.2010 00:25 1374464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - SSMDRV
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 11:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Inhalt des "geplante Tasks" Ordners
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1078081533-1801674531-1003Core.job
- c:\documents and settings\vad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 21:58]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1078081533-1801674531-1003UA.job
- c:\documents and settings\vad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 21:58]
.
2011-05-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.ch/
LSP: mswsock.dll
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKLM-Run-nwiz - nwiz.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-17 01:09
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\?\globalroot\systemroot\system32\mswsock.dll
c:\windows\system32\jscript.dll
.
Zeit der Fertigstellung: 2011-05-17 01:10:44
ComboFix-quarantined-files.txt 2011-05-16 23:10
.
Vor Suchlauf: 473'666'883'584 bytes free
Nach Suchlauf: 473'835'016'192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0F074B040577C5A6F306330CABB05DA8

[ComboFix 11-05-16.02 - vad 17.05.2011 1:04.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.41.1033.18.2047.1603 [GMT 2:00]
ausgeführt von:: c:\documents and settings\vad\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\vad\Desktop\006E~1.exe
c:\documents and settings\vad\g2mdlhlpx.exe
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-04-16 bis 2011-05-16 ))))))))))))))))))))))))))))))
.
.
2011-05-16 20:54 . 2011-05-16 21:33 -------- d-----w- c:\windows\system32\NtmsData
2011-05-16 20:42 . 2011-05-16 20:42 -------- d-----w- c:\documents and settings\vad\Application Data\Avira
2011-05-16 20:38 . 2011-05-16 20:38 -------- d-----w- c:\program files\Avira
2011-05-16 20:38 . 2011-05-16 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-05-16 20:38 . 2011-04-01 15:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-16 20:38 . 2011-04-01 15:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-05-16 20:38 . 2010-06-17 13:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-05-16 20:38 . 2010-06-17 13:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-05-16 20:00 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2011-05-16 20:00 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys
2011-05-16 18:12 . 2011-05-16 18:12 54016 ----a-w- c:\windows\system32\drivers\cbkurxe.sys
2011-05-16 17:13 . 2011-05-16 17:38 -------- d-----w- c:\documents and settings\vad\Application Data\Tepo
2011-05-13 08:56 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2822D307-F833-4C0D-A590-3325FCDBEB8E}\mpengine.dll
2011-05-04 08:06 . 2009-08-06 17:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-04 08:06 . 2009-08-06 17:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-05-03 15:02 . 2011-05-03 15:02 -------- d-----w- C:\Worden
2011-05-03 15:02 . 1996-07-25 11:50 118272 ----a-w- c:\windows\system32\Qpro32.dll
2011-05-03 15:01 . 2004-07-15 22:19 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2011-05-03 15:01 . 2004-07-15 22:18 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2011-05-03 15:01 . 2004-07-15 22:20 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2011-05-03 15:01 . 2004-07-15 22:20 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2011-05-03 15:01 . 2004-07-15 22:18 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2011-05-03 15:01 . 2011-05-03 15:01 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
2011-05-03 15:01 . 2011-05-03 15:01 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
2011-05-03 11:55 . 2011-05-03 11:55 -------- d-----w- c:\program files\Microsoft Silverlight
2011-05-02 22:29 . 2011-05-16 14:31 -------- d-----w- c:\program files\CycleTimer
2011-04-28 08:59 . 2011-04-28 08:59 -------- d-----w- c:\program files\MagicISO
2011-04-28 08:52 . 2011-04-28 08:52 -------- d-----w- c:\documents and settings\vad\Application Data\Canneverbe Limited
2011-04-28 08:52 . 2011-04-28 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2011-04-28 08:52 . 2009-11-12 11:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2011-04-28 08:52 . 2011-04-28 08:52 -------- d-----w- c:\program files\CDBurnerXP
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2010-06-06 07:13 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2010-06-05 19:59 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2002-12-31 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2002-12-31 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2002-12-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2002-12-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2002-12-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2002-12-31 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2002-12-31 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2002-12-31 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-06-05 21:09 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-06-17 33628160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"MultiScreen"="c:\program files\MultiScreen\MultiScreen.exe" [2008-06-30 114688]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\vad\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\vad\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [29.07.2010 13:07 6883]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [16.05.2011 22:38 136360]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03.11.2006 19:19 13592]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [06.06.2010 00:47 58600]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [06.06.2010 00:25 1374464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - SSMDRV
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 11:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Inhalt des "geplante Tasks" Ordners
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1078081533-1801674531-1003Core.job
- c:\documents and settings\vad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 21:58]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1078081533-1801674531-1003UA.job
- c:\documents and settings\vad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 21:58]
.
2011-05-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.ch/
LSP: mswsock.dll
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKLM-Run-nwiz - nwiz.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-17 01:09
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\?\globalroot\systemroot\system32\mswsock.dll
c:\windows\system32\jscript.dll
.
Zeit der Fertigstellung: 2011-05-17 01:10:44
ComboFix-quarantined-files.txt 2011-05-16 23:10
.
Vor Suchlauf: 473'666'883'584 bytes free
Nach Suchlauf: 473'835'016'192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0F074B040577C5A6F306330CABB05DA8

[HKU\S-1-5-21-299502267-1078081533-1801674531-1003\Console 17.05.2011 01:10 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 05.06.2010 22:05 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 05.06.2010 22:05 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\Interface\{b7689793-c9b4-c352-541e-7e10c63a891a} 16.05.2011 19:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 17.05.2011 00:56 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 17.05.2011 00:56 0 bytes Security mismatch.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM 16.05.2011 21:17 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\26659 06.10.2010 21:25 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\26659\AcrobatUpdater.exe 21.09.2010 20:37 330.91 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\26659\AdobeARM.exe 21.09.2010 20:37 910.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\26659\AdobeExtractFiles.dll 21.09.2010 20:37 68.93 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\26659\ReaderUpdater.exe 21.09.2010 20:37 330.91 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdbeRdr940_en_US.msi 23.09.2010 14:43 41.15 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdbeRdrUpd932_all_incr.msp 04.04.2010 08:54 11.30 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdbeRdrUpd933_all_incr.msp 20.06.2010 10:01 7.67 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdbeRdrUpd934_all_incr.msp 13.08.2010 20:09 11.70 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdbeRdrUpd941_all_incr.msp 08.11.2010 09:14 3.25 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdbeRdrUpd942_all_incr.msp 31.01.2011 12:45 10.62 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdbeRdrUpd943_all_incr.msp 13.03.2011 03:02 14.44 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdbeRdrUpd944_all_incr.msp 14.04.2011 16:46 3.68 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdobeARM.bin 06.10.2010 21:25 342.30 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\ARM.msi 21.09.2010 08:07 358.50 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\Reader9Manifest.msi 20.04.2011 00:45 31.50 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun.log 17.05.2011 01:23 892 bytes Hidden from Windows API.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000032 16.05.2011 20:55 17.21 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000047 16.05.2011 22:38 16.03 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000048 16.05.2011 22:38 21.82 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004a 16.05.2011 22:38 76.55 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004b 17.05.2011 01:17 16.03 KB Hidden from Windows API.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004c 17.05.2011 01:17 61.76 KB Hidden from Windows API.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004d 17.05.2011 01:18 17.21 KB Hidden from Windows API.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004e 17.05.2011 01:18 76.55 KB Hidden from Windows API.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004f 17.05.2011 01:18 21.82 KB Hidden from Windows API.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000050 17.05.2011 01:18 46.82 KB Hidden from Windows API.
C:\Documents and Settings\vad\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000051 17.05.2011 01:18 34.28 KB Hidden from Windows API.
C:\Documents and Settings\vad\Local Settings\Temp\AdobeARM.log 17.05.2011 01:28 1.79 KB Hidden from Windows API.
C:\Documents and Settings\vad\Recent\Anti_Meran_Ch08.lnk 17.05.2011 01:24 512 bytes Hidden from Windows API.
C:\Documents and Settings\vad\Recent\Cowan Bradley.lnk 17.05.2011 01:28 611 bytes Hidden from Windows API.
C:\Documents and Settings\vad\Recent\Eula.lnk 17.05.2011 01:20 453 bytes Hidden from Windows API.
C:\Documents and Settings\vad\Recent\pct.lnk 17.05.2011 01:28 775 bytes Hidden from Windows API.
C:\RECYCLER 17.05.2011 01:22 0 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-299502267-1078081533-1801674531-1003 17.05.2011 01:22 0 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-299502267-1078081533-1801674531-1003\desktop.ini 17.05.2011 01:22 65 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-299502267-1078081533-1801674531-1003\INFO2 17.05.2011 01:22 20 bytes Hidden from Windows API.
C:\System Volume Information\_restore{62E4F00E-B306-4032-933F-D7BFFBF72D15}\RP280\A0065077.msi 20.04.2011 00:45 31.50 KB Hidden from Windows API.
C:\System Volume Information\_restore{62E4F00E-B306-4032-933F-D7BFFBF72D15}\RP280\A0065078.exe 21.09.2010 20:37 330.91 KB Hidden from Windows API.
C:\System Volume Information\_restore{62E4F00E-B306-4032-933F-D7BFFBF72D15}\RP280\A0065079.exe 21.09.2010 20:37 910.44 KB Hidden from Windows API.
C:\System Volume Information\_restore{62E4F00E-B306-4032-933F-D7BFFBF72D15}\RP280\A0065080.dll 21.09.2010 20:37 68.93 KB Hidden from Windows API.
C:\System Volume Information\_restore{62E4F00E-B306-4032-933F-D7BFFBF72D15}\RP280\A0065081.exe 21.09.2010 20:37 330.91 KB Hidden from Windows API.
C:\System Volume Information\_restore{62E4F00E-B306-4032-933F-D7BFFBF72D15}\RP280\A0065082.msi 23.09.2010 14:43 41.15 MB Hidden from Windows API.
C:\System Volume Information\_restore{62E4F00E-B306-4032-933F-D7BFFBF72D15}\RP280\A0065083.msi 21.09.2010 08:07 358.50 KB Hidden from Windows API.
C:\WINDOWS\system32\wbem\Logs\FrameWork.log 17.05.2011 01:23 257 bytes Hidden from Windows API.
C:\WINDOWS\Temp\MpCmdRun.log 17.05.2011 01:23 804 bytes Hidden from Windows API.
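The GMER/catchme block above lists every cross-view discrepancy in one fixed line format (path, date, time, size, finding). As an added example that is not part of the thread or of GMER, here is a small Python parser for that format which groups the findings and pulls out the entries hidden from the Windows API that are dated on or after a chosen point in time (for instance the day the symptoms started); the sample lines are constructed from the log's format with shortened paths.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the GMER format posted above (paths shortened, not the thread's full log).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Swearware\backup\winsock2 17.05.2011 00:56 0 bytes Security mismatch.
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\AdobeARM.exe 21.09.2010 20:37 910.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\vad\Local Settings\Temp\AdobeARM.log 17.05.2011 01:28 1.79 KB Hidden from Windows API.
C:\System Volume Information\_restore{EXAMPLE}\RP280\A0065082.msi 23.09.2010 14:43 41.15 MB Hidden from Windows API.
"""

# One GMER line: <path> <dd.mm.yyyy> <hh:mm> <size> <unit> <finding>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) (?P<finding>.+)$"
)
UNIT_BYTES = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
REGISTRY_ROOTS = ("HKLM\\", "HKU\\", "HKCU\\")


def parse_gmer(text):
    """Parse GMER cross-view lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        entries.append({
            "path": path,
            "kind": "registry" if path.startswith(REGISTRY_ROOTS) else "file",
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M"),
            "size": round(float(m["size"]) * UNIT_BYTES[m["unit"]]),  # normalised to bytes
            "finding": m["finding"].rstrip("."),
        })
    return entries


def group_by_finding(entries):
    """Map each GMER finding text to the paths reported under it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["finding"]].append(e["path"])
    return dict(groups)


def hidden_since(entries, since):
    """Paths hidden from the Windows API with a timestamp on/after `since`, newest first."""
    hits = [e for e in entries
            if e["finding"] == "Hidden from Windows API" and e["when"] >= since]
    return [e["path"] for e in sorted(hits, key=lambda e: e["when"], reverse=True)]


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for finding, paths in group_by_finding(parsed).items():
        print(f"{len(paths):3d}  {finding}")
    for p in hidden_since(parsed, datetime(2011, 5, 16)):
        print("review:", p)
```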

#2 Elise

Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,985 posts
  • Gender:Female
  • Location:Romania

Posted 28 May 2011 - 05:34 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 Elise

Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,985 posts
  • Gender:Female
  • Location:Romania

Posted 07 June 2011 - 01:59 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise






