
Log analysis and evaluation: Virus infection of a Windows 2003 server


25.08.2010, 08:49   #1
andperu
 
Virus infection of a Windows 2003 server



Hello,

I suspect that my Windows 2003 Server system has been infected by a virus. TrendMicro OfficeScan detected a USB virus (Mal_Otorun1), but only the file autorun.inf was flagged as malicious. The autorun.inf file had the following content:
[autorun]
shellexecute=DZEMO\\\\\\\\\\\\FATA.exe
shell\explore\command=DZEMO\\\\\\\\\\\\FATA.exe
open=DZEMO\\\\\\\\\\\\FATA.exe
USEAUTOPLAY=1
shell\explore\command=DZEMO\\\\\\\\\\\\FATA.exe
shell\explore\command=DZEMO\\\\\\\\\\\\FATA.exe


Here is the corresponding OTL log file:

Code:
OTL logfile created on: 8/24/2010 10:38:59 AM - Run 1
OTL by OldTimer - Version 3.2.10.0     Folder = K:\CD\otl
Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
6.00 Gb Total Physical Memory | 5.00 Gb Available Physical Memory | 87.00% Memory free
11.00 Gb Paging File | 10.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 5651 5651 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.99 Gb Total Space | 4.66 Gb Free Space | 23.31% Space Free | Partition Type: NTFS
Drive D: | 19.99 Gb Total Space | 8.76 Gb Free Space | 43.81% Space Free | Partition Type: NTFS
Drive E: | 19.00 Gb Total Space | 1.45 Gb Free Space | 7.62% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 50.53 Gb Total Space | 41.97 Gb Free Space | 83.07% Space Free | Partition Type: NTFS
Drive P: | 250.98 Mb Total Space | 247.83 Mb Free Space | 98.74% Space Free | Partition Type: NTFS
 
Computer Name: WIN01
Current User Name: admin
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 60 Days
Output = Standard
 
========== Processes (SafeList) ==========
 
PRC - [2010/08/24 06:02:48 | 000,575,488 | ---- | M] (OldTimer Tools) -- K:\CD\otl\OTL.exe
PRC - [2010/08/04 18:56:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\javaw.exe
PRC - [2010/08/04 18:21:35 | 000,068,096 | ---- | M] () -- C:\cygwin\bin\cygrunsrv.exe
PRC - [2008/12/02 20:42:00 | 001,851,392 | ---- | M] (Kiwi Enterprises) -- C:\Program Files\Syslogd\Syslogd_Service.exe
PRC - [2008/11/20 18:18:27 | 000,310,272 | ---- | M] () -- C:\cygwin\usr\sbin\sshd.exe
PRC - [2008/01/31 15:17:26 | 000,134,144 | ---- | M] () -- C:\Program Files\pdf24\PDFBackend.exe
PRC - [2008/01/17 23:09:04 | 000,041,033 | ---- | M] (Apache Software Foundation) -- D:\Project\ApacheGroup\Apache2\bin\rotatelogs.exe
PRC - [2008/01/17 22:59:58 | 000,041,042 | ---- | M] (Apache Software Foundation) -- D:\Project\ApacheGroup\Apache2\bin\ApacheMonitor.exe
PRC - [2008/01/17 22:58:36 | 000,020,541 | ---- | M] (Apache Software Foundation) -- D:\Project\ApacheGroup\Apache2\bin\Apache.exe
PRC - [2007/12/05 08:56:42 | 000,241,136 | ---- | M] () -- C:\Program Files\NTP\bin\ntpd.exe
PRC - [2007/05/05 01:42:24 | 000,057,344 | ---- | M] (Apache Software Foundation) -- D:\Project\ApacheGroup\ApacheTomcat\bin\tomcat6.exe
PRC - [2007/02/17 02:00:02 | 000,040,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
PRC - [2007/02/17 01:55:16 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2007/02/17 01:31:58 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2007/02/17 00:37:58 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cscript.exe
PRC - [2007/02/17 00:31:22 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2007/02/05 14:36:09 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 19:13:32 | 009,175,040 | ---- | M] (Microsoft Corporation) -- D:\Project\MSDE2000\MSSQL$TEC4\Binn\sqlservr.exe
PRC - [2006/08/11 07:31:51 | 000,008,192 | ---- | M] () -- C:\Program Files\Project\WinInfo\srvany.exe
PRC - [2006/08/11 07:31:51 | 000,008,192 | ---- | M] () -- C:\Program Files\NTP\srvany.exe
PRC - [2005/05/03 22:07:32 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/08/24 06:02:48 | 000,575,488 | ---- | M] (OldTimer Tools) -- K:\CD\otl\OTL.exe
MOD - [2007/02/17 23:01:02 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll
MOD - [2007/02/17 02:06:52 | 000,058,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tsappcmp.dll
MOD - [2007/02/17 01:42:06 | 000,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntlanman.dll
MOD - [2007/02/17 01:36:32 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/02/17 00:51:18 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drprov.dll
MOD - [2007/02/17 00:38:36 | 000,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\davclnt.dll
MOD - [2006/04/04 12:00:00 | 000,188,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui1.dll
MOD - [2006/04/04 12:00:00 | 000,077,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui0.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [On_Demand | Stopped] --  -- (WinHttpAutoProxySvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/08/04 18:21:35 | 000,068,096 | ---- | M] () [Auto | Running] -- C:\cygwin\bin\cygrunsrv.exe -- (sshd)
SRV - [2008/12/02 20:42:00 | 001,851,392 | ---- | M] (Kiwi Enterprises) [Auto | Running] -- C:\Program Files\Syslogd\Syslogd_Service.exe -- (Kiwi Syslog Daemon)
SRV - [2008/01/17 22:58:36 | 000,020,541 | ---- | M] (Apache Software Foundation) [Auto | Running] -- D:\Project\ApacheGroup\Apache2\bin\Apache.exe -- (Apache2)
SRV - [2007/12/05 08:56:42 | 000,241,136 | ---- | M] () [On_Demand | Running] -- C:\Program Files\NTP\bin\ntpd.exe -- (NTP)
SRV - [2007/05/05 01:42:24 | 000,057,344 | ---- | M] (Apache Software Foundation) [Auto | Running] -- D:\Project\ApacheGroup\ApacheTomcat\bin\tomcat6.exe -- (Tomcat6)
SRV - [2007/02/17 22:30:26 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 02:07:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 02:00:02 | 000,040,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2007/02/17 01:55:56 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 01:41:50 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 01:31:58 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 01:20:52 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 00:50:02 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/01/31 19:13:32 | 009,175,040 | ---- | M] (Microsoft Corporation) [Auto | Running] -- D:\Project\MSDE2000\MSSQL$TEC4\Binn\sqlservr.exe -- (MSSQL$TEC4)
SRV - [2007/01/31 19:13:22 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Project\MSDE2000\MSSQL$TEC4\Binn\sqlagent.EXE -- (SQLAgent$TEC4)
SRV - [2006/08/11 07:31:51 | 000,008,192 | ---- | M] () [Auto | Running] -- C:\Program Files\Project\WinInfo\srvany.exe -- (WinInfo)
SRV - [2006/08/11 07:31:51 | 000,008,192 | ---- | M] () [Auto | Running] -- C:\Program Files\NTP\srvany.exe -- (NtpPrepare)
SRV - [2006/04/04 12:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2006/04/04 12:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\tmcomm.sys -- (tmcomm)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2007/02/17 02:09:26 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/17 01:14:30 | 000,023,552 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\hpcisss.sys -- (hpcisss)
DRV - [2007/02/17 00:49:38 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2007/02/17 00:31:14 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/17 00:17:16 | 000,043,520 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\arc.sys -- (arc)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
 
O1 HOSTS File: ([2009/11/04 09:32:41 | 000,004,226 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1  localhost localhost.localdomain #
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [PDFPrint] C:\Program Files\pdf24\PDFBackend.exe ()
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1022..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [Flag] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk = D:\Project\ApacheGroup\Apache2\bin\ApacheMonitor.exe (Apache Software Foundation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1022\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Project\Java\jre_\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} h**p://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} h**p://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} h**p://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} h**p://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - Unable to read "AutoRun" value or value not present!
O32 - AutoRun File - [2010/02/09 06:58:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/08/06 19:21:41 | 000,000,920 | ---- | M] () - K:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\##tcl05#d$\Shell - "" = AutoRun
O33 - MountPoints2\##tcl05#d$\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##tcl05#d$\Shell\AutoRun\command - "" = Z:\DZEMO\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\explore\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\open\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O34 - HKLM BootExecute: (pgdfgsvc C 1) - C:\WINDOWS\System32\pgdfgsvc.exe (Sysinternals - www.sysinternals.com)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 60 Days ==========
 
[2010/08/24 10:17:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/08/21 15:55:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/08/17 09:18:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\My Documents\pdf24
[2010/08/13 10:22:42 | 000,000,000 | ---D | C] -- C:\Program Files\pdf24
[2010/08/08 21:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\.eclipse
[2010/08/08 21:39:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\admin\PrivacIE
[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\4PUPRPPPPPfmis
[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\4PUPRPPPPPfmis
[2010/08/05 10:21:09 | 000,000,000 | RHSD | C] -- C:\Recycle Bin
[2010/08/05 09:26:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\PKWARE
[2010/08/05 09:00:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Local Settings\Application Data\Adobe
[2010/08/05 09:00:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\Adobe
[2010/08/05 08:53:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Macrovision
[2010/08/05 08:23:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Local Settings\Application Data\ApplicationHistory
[2010/08/05 08:23:47 | 000,125,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vb6de.dll
[2010/08/05 08:23:47 | 000,124,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2010/08/05 08:23:47 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WINSKDE.DLL
[2010/08/05 08:06:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\$SQLUninstallSQL2000-KB929654-v8.00.2239-x86-ENU$
[2010/08/05 08:05:43 | 000,033,340 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dbmsqlgc.dll
[2010/08/05 08:05:43 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dbmsgnet.dll
[2010/08/05 08:05:42 | 000,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\WINDOWS\IsUninst.exe
[2010/08/05 08:05:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2010/08/05 08:04:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/08/04 20:00:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\4PUPQPPPPPfmis
[2010/08/04 20:00:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\4PUPQPPPPPfmis
[2010/08/04 19:08:13 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msyuv.dll
[2010/08/04 19:08:05 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iyuv_32.dll
[2010/08/04 19:08:05 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsbyuv.dll
[2010/08/04 19:07:46 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\csrsrv.dll
[2010/08/04 19:07:46 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\csrsrv.dll
[2010/08/04 19:07:23 | 000,320,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shlwapi.dll
[2010/08/04 19:06:04 | 000,343,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mspaint.exe
[2010/08/04 19:05:32 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\repdrvfs.dll
[2010/08/04 19:03:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/08/04 19:01:56 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2010/08/04 19:01:56 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2010/08/04 19:01:55 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2010/08/04 19:01:55 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2010/08/04 19:01:54 | 000,916,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2010/08/04 19:01:50 | 001,985,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2010/08/04 19:01:48 | 001,208,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2010/08/04 19:01:24 | 011,070,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2010/08/04 18:56:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\Sun
[2010/08/04 18:56:28 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/04 18:56:28 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/04 18:56:28 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/04 18:56:28 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/04 18:56:09 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/08/04 18:53:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/08/04 18:53:46 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/08/04 18:34:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\Identities
[2010/08/04 18:34:06 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\admin\IETldCache
[2010/08/04 18:34:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\WINDOWS
[2010/08/04 18:20:15 | 000,000,000 | ---D | C] -- C:\cygwin
[2010/08/04 18:14:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\CryptFiles
[2010/08/04 18:13:54 | 000,105,264 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pspasswd.exe
[2010/08/04 18:13:54 | 000,057,344 | ---- | C] (AMF) -- C:\WINDOWS\System32\WinLockDll.dll
[2010/08/04 18:08:20 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\devcon.exe
[2010/08/04 18:07:57 | 000,103,424 | ---- | C] (Hewlett-Packard Corporation) -- C:\WINDOWS\System32\hpzpnp.dll
[2010/08/04 18:07:54 | 000,241,721 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPBMINI.DLL
[2010/08/04 18:07:54 | 000,163,840 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPJCMN2U.DLL
[2010/08/04 18:07:54 | 000,094,208 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPJIPX1U.DLL
[2010/08/04 18:07:54 | 000,049,152 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPBNRAC2.DLL
[2010/08/04 18:07:52 | 000,024,576 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\HPBMIAPI.DLL
[2010/08/04 18:07:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2010/08/04 18:07:35 | 000,149,504 | ---- | C] (Hewlett-Packard Corporation) -- C:\WINDOWS\System32\hpcpn6de.dll
[2010/08/04 18:07:31 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prnadmin.dll
[2010/08/04 18:02:10 | 000,000,000 | ---D | C] -- C:\sradumps
[2010/08/04 18:01:37 | 000,000,000 | ---D | C] -- C:\Program Files\Syslogd
[2010/08/04 17:59:33 | 000,262,144 | ---- | C] (Ruud van Velsen (Microsoft)) -- C:\WINDOWS\System32\kix32.exe
[2010/08/04 17:59:29 | 000,692,224 | ---- | C] (www.kixforms.org) -- C:\WINDOWS\System32\kixforms.dll
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 60 Days ==========
 
[2010/08/24 10:37:43 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\admin\NTUSER.DAT
[2010/08/24 09:00:01 | 000,000,320 | ---- | M] () -- C:\WINDOWS\tasks\KiwiSizeLimitation.job
[2010/08/24 02:33:31 | 000,000,396 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/08/24 01:30:01 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\Apache_logs_scrubber.job
[2010/08/23 09:52:23 | 000,544,472 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/23 09:52:23 | 000,458,908 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/23 09:52:23 | 000,075,654 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/23 09:47:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/23 09:47:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/23 08:33:49 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/21 16:05:15 | 000,752,528 | -H-- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\IconCache.db
[2010/08/21 15:58:56 | 000,000,442 | RHS- | M] () -- C:\Documents and Settings\admin\ntuser.pol
[2010/08/20 08:53:55 | 000,001,491 | ---- | M] () -- C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2010/08/13 16:44:22 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\admin\term.shh
[2010/08/13 10:22:43 | 000,000,686 | ---- | M] () -- C:\Documents and Settings\admin\Desktop\pdf24-creator.lnk
[2010/08/08 21:19:46 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\admin\_viminfo
[2010/08/08 14:57:26 | 000,001,184 | -H-- | M] () -- C:\Documents and Settings\admin\My Documents\Default.rdp
[2010/08/06 18:51:29 | 000,005,328 | ---- | M] () -- C:\WINDOWS\System32\mmdriver.PNF
[2010/08/06 18:51:29 | 000,004,344 | ---- | M] () -- C:\WINDOWS\System32\INFCACHE.1
[2010/08/06 18:51:29 | 000,004,128 | ---- | M] () -- C:\WINDOWS\System32\drivers\INFCACHE.1
[2010/08/06 18:51:28 | 000,077,504 | ---- | M] () -- C:\WINDOWS\System32\ieuinit.PNF
[2010/08/06 18:51:28 | 000,004,628 | ---- | M] () -- C:\WINDOWS\System32\homepage.PNF
[2010/08/06 18:51:27 | 000,007,628 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.PNF
[2010/08/06 17:27:14 | 000,012,328 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/05 10:47:10 | 000,000,564 | ---- | M] () -- C:\Documents and Settings\admin\Desktop\Shortcut to logging.lnk
[2010/08/05 10:46:56 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\admin\Desktop\Shortcut to hosts.lnk
[2010/08/05 10:39:01 | 000,028,258 | ---- | M] () -- C:\WINDOWS\citamis.str
[2010/08/05 10:38:35 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\LifeList.lnk
[2010/08/05 10:26:20 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\admin\ntuser.ini
[2010/08/05 08:25:10 | 000,046,570 | ---- | M] () -- C:\WINDOWS\vpd.properties
[2010/08/05 08:22:57 | 000,000,482 | ---- | M] () -- C:\WINDOWS\my.ini
[2010/08/05 08:10:43 | 000,009,390 | ---- | M] () -- C:\WINDOWS\vpd.properties.nested
[2010/08/05 08:04:52 | 000,000,725 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
[2010/08/04 19:08:52 | 000,003,376 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/04 18:56:15 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/08/04 18:56:15 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/04 18:56:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/04 18:56:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/04 18:56:15 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/04 18:53:55 | 000,001,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/04 18:34:20 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/04 17:55:30 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/08/04 17:28:44 | 000,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[2010/08/04 17:25:54 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2010/08/04 17:25:54 | 000,001,727 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2010/08/04 15:21:57 | 000,002,348 | ---- | M] () -- C:\WINDOWS\System32\pid.PNF
[2010/08/04 15:21:04 | 000,000,231 | ---- | M] () -- C:\WINDOWS\system.ini
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010/08/20 08:53:55 | 000,001,491 | ---- | C] () -- C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2010/08/13 16:44:22 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\admin\term.shh
[2010/08/13 10:22:43 | 000,000,686 | ---- | C] () -- C:\Documents and Settings\admin\Desktop\pdf24-creator.lnk
[2010/08/08 15:05:13 | 000,000,396 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/08/08 14:42:41 | 000,001,184 | -H-- | C] () -- C:\Documents and Settings\admin\My Documents\Default.rdp
[2010/08/08 14:41:39 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\admin\_viminfo
[2010/08/06 18:51:29 | 000,004,344 | ---- | C] () -- C:\WINDOWS\System32\INFCACHE.1
[2010/08/06 18:51:29 | 000,004,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\INFCACHE.1
[2010/08/06 18:51:28 | 000,005,328 | ---- | C] () -- C:\WINDOWS\System32\mmdriver.PNF
[2010/08/06 18:51:27 | 000,004,628 | ---- | C] () -- C:\WINDOWS\System32\homepage.PNF
[2010/08/06 18:51:26 | 000,007,628 | ---- | C] () -- C:\WINDOWS\System32\$winnt$.PNF
[2010/08/05 10:47:10 | 000,000,564 | ---- | C] () -- C:\Documents and Settings\admin\Desktop\Shortcut to logging.lnk
[2010/08/05 10:46:56 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\admin\Desktop\Shortcut to hosts.lnk
[2010/08/05 08:23:54 | 000,046,570 | ---- | C] () -- C:\WINDOWS\vpd.properties
[2010/08/05 08:22:57 | 000,000,482 | ---- | C] () -- C:\WINDOWS\my.ini
[2010/08/05 08:22:55 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vamsg.dll
[2010/08/05 08:10:41 | 000,009,390 | ---- | C] () -- C:\WINDOWS\vpd.properties.nested
[2010/08/05 08:05:43 | 000,001,912 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
[2010/08/05 08:05:17 | 000,000,280 | ---- | C] () -- C:\WINDOWS\tasks\Apache_logs_scrubber.job
[2010/08/05 08:04:52 | 000,000,725 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
[2010/08/04 18:53:55 | 000,001,733 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/04 18:34:20 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/04 18:34:02 | 000,000,442 | RHS- | C] () -- C:\Documents and Settings\admin\ntuser.pol
[2010/08/04 18:28:42 | 000,002,415 | ---- | C] () -- C:\WINDOWS\CreateKeyExchangeShortcut.vbs
[2010/08/04 18:28:42 | 000,000,159 | ---- | C] () -- C:\WINDOWS\CreateKeyExchangeShortcut.cmd
[2010/08/04 18:27:11 | 000,002,335 | ---- | C] () -- C:\WINDOWS\Create_ExportServerKey_Shortcut.vbs
[2010/08/04 18:27:11 | 000,002,333 | ---- | C] () -- C:\WINDOWS\Create_ImportUserKey_Shortcut.vbs
[2010/08/04 18:27:11 | 000,002,317 | ---- | C] () -- C:\WINDOWS\Create_ImportServerKey_Shortcut.vbs
[2010/08/04 18:27:11 | 000,002,314 | ---- | C] () -- C:\WINDOWS\Create_ExportUserKey_Shortcut.vbs
[2010/08/04 18:27:11 | 000,000,162 | ---- | C] () -- C:\WINDOWS\CreateShortcut.cmd
[2010/08/04 18:24:49 | 000,002,984 | ---- | C] () -- C:\WINDOWS\Create_KeyImportExport_Shortcuts.vbe
[2010/08/04 18:24:49 | 000,000,190 | ---- | C] () -- C:\WINDOWS\CreateShortcuts.cmd
[2010/08/04 18:17:11 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\SAM_PassFilter.dll
[2010/08/04 18:13:54 | 000,358,723 | ---- | C] () -- C:\WINDOWS\System32\PasswordChange.exe
[2010/08/04 18:13:54 | 000,128,512 | ---- | C] () -- C:\WINDOWS\System32\ChangePassword.exe
[2010/08/04 18:13:54 | 000,003,235 | ---- | C] () -- C:\WINDOWS\System32\PassordChangeCheck.vbe
[2010/08/04 18:13:54 | 000,000,953 | ---- | C] () -- C:\WINDOWS\System32\PasswordChange.kix
[2010/08/04 18:13:54 | 000,000,786 | ---- | C] () -- C:\WINDOWS\System32\ChangeServiceLogonPassword.vbe
[2010/08/04 18:13:54 | 000,000,758 | ---- | C] () -- C:\WINDOWS\System32\KillProcessIfRunByUser.vbe
[2010/08/04 18:13:54 | 000,000,642 | ---- | C] () -- C:\WINDOWS\System32\ChangeJobPassword.KX
[2010/08/04 18:13:54 | 000,000,110 | ---- | C] () -- C:\WINDOWS\System32\AddEventlogAsAdmin_v2.cmd
[2010/08/04 18:13:54 | 000,000,083 | ---- | C] () -- C:\WINDOWS\System32\PasswordChangeApi.cmd
[2010/08/04 18:08:20 | 000,256,485 | ---- | C] () -- C:\WINDOWS\System32\AutoIt_DisableCD.exe
[2010/08/04 18:07:54 | 000,018,747 | ---- | C] () -- C:\WINDOWS\System32\HPCEAC06.HPI
[2010/08/04 18:02:02 | 000,000,320 | ---- | C] () -- C:\WINDOWS\tasks\KiwiSizeLimitation.job
[2010/08/04 17:55:32 | 000,002,422 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2010/08/04 17:28:43 | 000,008,192 | ---- | C] () -- C:\WINDOWS\REGLOCS.OLD
[2010/08/04 17:25:53 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2010/08/04 17:25:53 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2010/08/04 17:25:51 | 000,077,504 | ---- | C] () -- C:\WINDOWS\System32\ieuinit.PNF
[2010/08/04 15:21:57 | 000,002,348 | ---- | C] () -- C:\WINDOWS\System32\pid.PNF
[2010/02/15 07:04:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/02/09 08:49:13 | 000,061,080 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/02/09 07:02:23 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\mtcmsgs.Dll
[2010/02/08 12:05:31 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2010/02/08 12:05:12 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2010/02/08 12:05:12 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2010/02/08 12:05:11 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2010/02/08 12:04:40 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2010/02/08 12:04:33 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2009/03/13 13:59:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\sn_regbase.dll
[2007/08/21 13:40:40 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\sitdatisps.dll
[2005/06/10 07:46:52 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\FDT100.dll
[2002/11/25 10:01:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2001/08/03 07:46:36 | 000,028,739 | ---- | C] () -- C:\WINDOWS\System32\rttextreg.dll
[2001/08/03 07:46:00 | 000,028,743 | ---- | C] () -- C:\WINDOWS\System32\rtserverstate.dll
[1999/07/16 13:37:56 | 000,136,704 | ---- | C] () -- C:\WINDOWS\System32\TDCTRL.dll
 
========== LOP Check ==========
 
[2010/02/09 15:11:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PKWARE
[2010/02/09 15:11:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PKWARE
[2010/08/21 15:55:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/08/05 09:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\PKWARE
[2010/08/24 01:30:01 | 000,000,280 | ---- | M] () -- C:\WINDOWS\Tasks\Apache_logs_scrubber.job
[2010/08/24 02:33:31 | 000,000,396 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/08/24 09:00:01 | 000,000,320 | ---- | M] () -- C:\WINDOWS\Tasks\KiwiSizeLimitation.job
[2010/08/23 09:38:42 | 000,032,636 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt
 
========== Purity Check ==========
 
 
< End of report >
         

Are the following files/directories benign?
  • C:\WINDOWS\System32\4PUPRPPPPPfmis
  • C:\WINDOWS\4PUPRPPPPPfmis
  • C:\WINDOWS\System32\4PUPQPPPPPfmis
  • C:\WINDOWS\4PUPQPPPPPfmis
  • C:\Recycle Bin

Many thanks for the support!

Regards
A.
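
Added example (my own code, not part of the original post and not an OTL feature): what a reviewer actually does with listings like the ones above is scan for a handful of patterns, namely code files under %SystemRoot% with an empty company string, hidden+system attributes on executables, and generated-looking names such as 4PUPRPPPPPfmis. The Python below parses OTL file-listing lines of exactly this shape and ranks them on those heuristics. The sample lines are constructed after the ones in the log above, and the heuristics are my assumptions: they pick out lines worth a second look, they do not declare any file malicious.

```python
"""Rank OTL 'Files Created' / 'Files Modified' lines for manual review.
Added example for this thread; not OTL code and not the posters' code.
Heuristics are the author's assumptions, not a malware verdict."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# One OTL listing line, e.g.
#   [2010/08/05 08:22:55 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vamsg.dll
# Directory lines have no "(company)" part at all, so that group is optional.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)
# Extensions that run or are loaded as code on Windows 2003.
CODE_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".vbs", ".vbe", ".cmd", ".bat", ".kix", ".kx"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


@dataclass
class Entry:
    ts: str
    size: int
    attrs: str               # "---D" directory, "RHS-" read-only/hidden/system, ...
    op: str                  # "C" created, "M" modified
    company: Optional[str]   # None when OTL printed "()"
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    m = OTL_LINE.match(line)
    if not m:
        return None
    return Entry(ts=m.group("ts"), size=int(m.group("size").replace(",", "")),
                 attrs=m.group("attrs"), op=m.group("op"),
                 company=m.group("company") or None, path=m.group("path"))


def looks_random(name: str) -> bool:
    """Generated drop names such as 4PUPRPPPPPfmis: one alphanumeric token of 8+
    chars that mixes digits with both letter cases, or has a run of 4+ identical chars."""
    stem = ntpath.splitext(name)[0]
    if len(stem) < 8 or not stem.isalnum():
        return False
    long_run = re.search(r"(.)\1{3,}", stem) is not None
    mixed = (any(c.isdigit() for c in stem) and any(c.isupper() for c in stem)
             and any(c.islower() for c in stem))
    return long_run or mixed


def triage(lines: List[str]) -> List[Entry]:
    """Return only the entries that hit at least one heuristic, with the reasons."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        name = ntpath.basename(e.path)
        ext = ntpath.splitext(name)[1].lower()
        parent = ntpath.dirname(e.path).lower() + "\\"
        if looks_random(name):
            e.reasons.append("random-looking name")
        if not e.is_dir and ext in CODE_EXT:
            if e.company is None and parent in SYSTEM_DIRS:
                e.reasons.append("code file under %SystemRoot% with no company string")
            if "H" in e.attrs and "S" in e.attrs:
                e.reasons.append("hidden+system attributes on a code file")
        if e.reasons:
            findings.append(e)
    return findings


def flagged_names(lines: List[str]) -> Set[str]:
    return {ntpath.basename(e.path) for e in triage(lines)}


# Constructed sample, modelled on the listing in the post above.
SAMPLE = r"""
[2010/08/04 18:56:28 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/04 18:20:15 | 000,000,000 | ---D | C] -- C:\cygwin
[2010/08/05 08:22:55 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vamsg.dll
[2010/08/04 18:13:54 | 000,003,235 | ---- | C] () -- C:\WINDOWS\System32\PassordChangeCheck.vbe
[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\4PUPRPPPPPfmis
[2010/02/09 08:49:13 | 000,061,080 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.op} {e.ts}  {e.path}\n    -> {'; '.join(e.reasons)}")
```

Feed it the whole OTL report (the regex simply skips header and section lines) and read the output top-down; a signed Java or HP binary drops out, an unsigned .vbe or .dll in System32 and the 4PUP... directories stay in.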

25.08.2010, 09:00   #2
Chris4You

Virus infection of a Windows 2003 server

Hi,

Fix for OTL:
- Double-click OTL.exe to run the program.
- Vista/Win7 users: please start it via right-click and "Run as administrator".
- Copy the contents of the following code box completely into the OTL box under "Custom Scan/Fixes"

Code:
:OTL
O32 - AutoRun File - [2010/08/06 19:21:41 | 000,000,920 | ---- | M] () - K:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\##tcl05#d$\Shell - "" = AutoRun
O33 - MountPoints2\##tcl05#d$\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##tcl05#d$\Shell\AutoRun\command - "" = Z:\DZEMO\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\explore\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\open\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\4PUPRPPPPPfmis
[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\4PUPRPPPPPfmis

:Commands
[emptytemp]
[Reboot]
         
- Click the red "Run Fixes!" button.
- Please copy everything out of the results window (Results).
- A copy of the OTL fix log is saved as a text file in the following folder:
%systemroot%\_OTL

Then run MAM!
http://www.trojaner-board.de/51187-a...i-malware.html

chris
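
Added example following the fix above (my own code, not OTL's and not Chris4You's): the three O33 lines are Explorer's cached autorun.inf handlers for the share \\tcl05\d$ (MountPoints2 writes UNC paths with '#' in place of backslashes), and every verb points at FATA.exe through a path padded with repeated backslashes. Win32 path handling collapses such runs, so the padding costs the dropper nothing while defeating naive string matching on the raw value. The Python below extracts every code-running directive from an autorun.inf, parses O33 lines of that shape, decodes the volume and normalises the target so the real file name can be compared and hunted for. The autorun.inf sample is constructed to mirror those MountPoints2 entries; the O33 sample lines are the three from the fix.

```python
"""Inspect autorun.inf execution directives and the MountPoints2 entries
Explorer caches from them. Added example for this thread; not from OTL,
Trend Micro or the posters. Samples: autorun.inf constructed to match the
MountPoints2 entries in the fix above, O33 lines taken from that fix."""
import re
from typing import Dict, List, Tuple

EXEC_KEYS = {"open", "shellexecute"}            # directives that run a file directly
VERB_COMMAND = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command$")   # shell\<verb>\command
O33_LINE = re.compile(
    r'^O33 - MountPoints2\\(?P<vol>[^\\]+)\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "" = (?P<target>.+?)(?: -- (?P<note>.*))?$'
)


def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs from [autorun], keys lower-cased; order and duplicate
    keys are kept (ConfigParser would merge or reject duplicates)."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def first_token(command: str) -> str:
    """The program part of a command line: the quoted string, or up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def normalise_target(path: str) -> str:
    """Collapse runs of backslashes to one, as Win32 does when resolving the
    path, so padded and unpadded spellings compare equal."""
    return re.sub(r"\\{2,}", r"\\", path)


def analyse_autorun(text: str) -> List[Dict[str, object]]:
    """Every directive in the file that would cause code to run."""
    findings = []
    for key, value in parse_autorun(text):
        m = VERB_COMMAND.match(key)
        if key in EXEC_KEYS:
            how = key
        elif m:
            how = "verb:" + m.group("verb")
        else:
            continue
        findings.append({"how": how, "raw": value,
                         "target": normalise_target(first_token(value)),
                         "padded": "\\\\" in value})
    return findings


def parse_o33(lines: List[str]) -> List[Dict[str, object]]:
    """Decode OTL O33 MountPoints2 command entries."""
    out = []
    for line in lines:
        m = O33_LINE.match(line.strip())
        if not m:
            continue
        vol = m.group("vol")
        # UNC volumes are stored with '#' for '\': ##tcl05#d$ is \\tcl05\d$
        volume = vol.replace("#", "\\") if vol.startswith("##") else vol
        out.append({"volume": volume, "verb": m.group("verb").lower(),
                    "target": normalise_target(first_token(m.group("target"))),
                    "missing": (m.group("note") or "") == "File not found"})
    return out


SAMPLE_AUTORUN = r"""
[autorun]
shellexecute=DZEMO\\\\\FATA.exe
shell\explore\command=DZEMO\\\\\FATA.exe
open=DZEMO\\\\\FATA.exe
USEAUTOPLAY=1
"""

SAMPLE_O33 = r"""
O33 - MountPoints2\##tcl05#d$\Shell\AutoRun\command - "" = Z:\DZEMO\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\explore\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\open\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
""".strip().splitlines()

if __name__ == "__main__":
    for f in analyse_autorun(SAMPLE_AUTORUN):
        print(f"autorun.inf {f['how']:<13} -> {f['target']}  padded={f['padded']}")
    for o in parse_o33(SAMPLE_O33):
        print(f"MountPoints2 {o['volume']} {o['verb']:<8} -> {o['target']}  missing={o['missing']}")
```

The "File not found" note on the O33 lines means the Z: mapping is gone, not that the handlers are harmless; they stay under MountPoints2 until removed, which is why the fix lists them alongside the autorun.inf itself.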
