Trojaner-Board (https://www.trojaner-board.de/)
Log analysis and evaluation > Virus infection of a Windows 2003 server (https://www.trojaner-board.de/89961-virenbefall-windows2003-servers.html)

andperu 25.08.2010 08:49

Virus infection of a Windows 2003 server
 
Hello,

I suspect that my Windows 2003 Server system has been infected by a virus. Trend Micro OfficeScan detected a USB virus (Mal_Otorun1), but only the file autorun.inf was flagged as malicious. The autorun.inf file had the following content:
[autorun]
shellexecute=DZEMO\\\\\\\\\\\\FATA.exe
shell\explore\command=DZEMO\\\\\\\\\\\\FATA.exe
open=DZEMO\\\\\\\\\\\\FATA.exe
USEAUTOPLAY=1
shell\explore\command=DZEMO\\\\\\\\\\\\FATA.exe
shell\explore\command=DZEMO\\\\\\\\\\\\FATA.exe


Here is the corresponding OTL log file:

Code:

OTL logfile created on: 8/24/2010 10:38:59 AM - Run 1
OTL by OldTimer - Version 3.2.10.0    Folder = K:\CD\otl
Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
6.00 Gb Total Physical Memory | 5.00 Gb Available Physical Memory | 87.00% Memory free
11.00 Gb Paging File | 10.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 5651 5651 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.99 Gb Total Space | 4.66 Gb Free Space | 23.31% Space Free | Partition Type: NTFS
Drive D: | 19.99 Gb Total Space | 8.76 Gb Free Space | 43.81% Space Free | Partition Type: NTFS
Drive E: | 19.00 Gb Total Space | 1.45 Gb Free Space | 7.62% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 50.53 Gb Total Space | 41.97 Gb Free Space | 83.07% Space Free | Partition Type: NTFS
Drive P: | 250.98 Mb Total Space | 247.83 Mb Free Space | 98.74% Space Free | Partition Type: NTFS
 
Computer Name: WIN01
Current User Name: admin
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 60 Days
Output = Standard
 
========== Processes (SafeList) ==========
 
PRC - [2010/08/24 06:02:48 | 000,575,488 | ---- | M] (OldTimer Tools) -- K:\CD\otl\OTL.exe
PRC - [2010/08/04 18:56:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\javaw.exe
PRC - [2010/08/04 18:21:35 | 000,068,096 | ---- | M] () -- C:\cygwin\bin\cygrunsrv.exe
PRC - [2008/12/02 20:42:00 | 001,851,392 | ---- | M] (Kiwi Enterprises) -- C:\Program Files\Syslogd\Syslogd_Service.exe
PRC - [2008/11/20 18:18:27 | 000,310,272 | ---- | M] () -- C:\cygwin\usr\sbin\sshd.exe
PRC - [2008/01/31 15:17:26 | 000,134,144 | ---- | M] () -- C:\Program Files\pdf24\PDFBackend.exe
PRC - [2008/01/17 23:09:04 | 000,041,033 | ---- | M] (Apache Software Foundation) -- D:\Project\ApacheGroup\Apache2\bin\rotatelogs.exe
PRC - [2008/01/17 22:59:58 | 000,041,042 | ---- | M] (Apache Software Foundation) -- D:\Project\ApacheGroup\Apache2\bin\ApacheMonitor.exe
PRC - [2008/01/17 22:58:36 | 000,020,541 | ---- | M] (Apache Software Foundation) -- D:\Project\ApacheGroup\Apache2\bin\Apache.exe
PRC - [2007/12/05 08:56:42 | 000,241,136 | ---- | M] () -- C:\Program Files\NTP\bin\ntpd.exe
PRC - [2007/05/05 01:42:24 | 000,057,344 | ---- | M] (Apache Software Foundation) -- D:\Project\ApacheGroup\ApacheTomcat\bin\tomcat6.exe
PRC - [2007/02/17 02:00:02 | 000,040,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
PRC - [2007/02/17 01:55:16 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2007/02/17 01:31:58 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2007/02/17 00:37:58 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cscript.exe
PRC - [2007/02/17 00:31:22 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2007/02/05 14:36:09 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 19:13:32 | 009,175,040 | ---- | M] (Microsoft Corporation) -- D:\Project\MSDE2000\MSSQL$TEC4\Binn\sqlservr.exe
PRC - [2006/08/11 07:31:51 | 000,008,192 | ---- | M] () -- C:\Program Files\Project\WinInfo\srvany.exe
PRC - [2006/08/11 07:31:51 | 000,008,192 | ---- | M] () -- C:\Program Files\NTP\srvany.exe
PRC - [2005/05/03 22:07:32 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/08/24 06:02:48 | 000,575,488 | ---- | M] (OldTimer Tools) -- K:\CD\otl\OTL.exe
MOD - [2007/02/17 23:01:02 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll
MOD - [2007/02/17 02:06:52 | 000,058,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tsappcmp.dll
MOD - [2007/02/17 01:42:06 | 000,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntlanman.dll
MOD - [2007/02/17 01:36:32 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/02/17 00:51:18 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drprov.dll
MOD - [2007/02/17 00:38:36 | 000,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\davclnt.dll
MOD - [2006/04/04 12:00:00 | 000,188,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui1.dll
MOD - [2006/04/04 12:00:00 | 000,077,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui0.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [On_Demand | Stopped] --  -- (WinHttpAutoProxySvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/08/04 18:21:35 | 000,068,096 | ---- | M] () [Auto | Running] -- C:\cygwin\bin\cygrunsrv.exe -- (sshd)
SRV - [2008/12/02 20:42:00 | 001,851,392 | ---- | M] (Kiwi Enterprises) [Auto | Running] -- C:\Program Files\Syslogd\Syslogd_Service.exe -- (Kiwi Syslog Daemon)
SRV - [2008/01/17 22:58:36 | 000,020,541 | ---- | M] (Apache Software Foundation) [Auto | Running] -- D:\Project\ApacheGroup\Apache2\bin\Apache.exe -- (Apache2)
SRV - [2007/12/05 08:56:42 | 000,241,136 | ---- | M] () [On_Demand | Running] -- C:\Program Files\NTP\bin\ntpd.exe -- (NTP)
SRV - [2007/05/05 01:42:24 | 000,057,344 | ---- | M] (Apache Software Foundation) [Auto | Running] -- D:\Project\ApacheGroup\ApacheTomcat\bin\tomcat6.exe -- (Tomcat6)
SRV - [2007/02/17 22:30:26 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 02:07:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 02:00:02 | 000,040,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2007/02/17 01:55:56 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 01:41:50 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 01:31:58 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 01:20:52 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 00:50:02 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/01/31 19:13:32 | 009,175,040 | ---- | M] (Microsoft Corporation) [Auto | Running] -- D:\Project\MSDE2000\MSSQL$TEC4\Binn\sqlservr.exe -- (MSSQL$TEC4)
SRV - [2007/01/31 19:13:22 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Project\MSDE2000\MSSQL$TEC4\Binn\sqlagent.EXE -- (SQLAgent$TEC4)
SRV - [2006/08/11 07:31:51 | 000,008,192 | ---- | M] () [Auto | Running] -- C:\Program Files\Project\WinInfo\srvany.exe -- (WinInfo)
SRV - [2006/08/11 07:31:51 | 000,008,192 | ---- | M] () [Auto | Running] -- C:\Program Files\NTP\srvany.exe -- (NtpPrepare)
SRV - [2006/04/04 12:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2006/04/04 12:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\tmcomm.sys -- (tmcomm)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2007/02/17 02:09:26 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/17 01:14:30 | 000,023,552 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\hpcisss.sys -- (hpcisss)
DRV - [2007/02/17 00:49:38 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2007/02/17 00:31:14 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/17 00:17:16 | 000,043,520 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\arc.sys -- (arc)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
 
O1 HOSTS File: ([2009/11/04 09:32:41 | 000,004,226 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1  localhost localhost.localdomain #
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [PDFPrint] C:\Program Files\pdf24\PDFBackend.exe ()
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1022..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [Flag] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk = D:\Project\ApacheGroup\Apache2\bin\ApacheMonitor.exe (Apache Software Foundation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O7 - HKU\S-1-5-21-1781243238-3084551821-1404876827-1022\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Project\Java\jre_\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} h**p://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} h**p://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} h**p://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} h**p://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - Unable to read "AutoRun" value or value not present!
O32 - AutoRun File - [2010/02/09 06:58:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/08/06 19:21:41 | 000,000,920 | ---- | M] () - K:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\##tcl05#d$\Shell - "" = AutoRun
O33 - MountPoints2\##tcl05#d$\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##tcl05#d$\Shell\AutoRun\command - "" = Z:\DZEMO\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\explore\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\open\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O34 - HKLM BootExecute: (pgdfgsvc C 1) - C:\WINDOWS\System32\pgdfgsvc.exe (Sysinternals - www.sysinternals.com)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 60 Days ==========
 
[2010/08/24 10:17:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/08/21 15:55:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/08/17 09:18:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\My Documents\pdf24
[2010/08/13 10:22:42 | 000,000,000 | ---D | C] -- C:\Program Files\pdf24
[2010/08/08 21:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\.eclipse
[2010/08/08 21:39:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\admin\PrivacIE
[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\4PUPRPPPPPfmis
[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\4PUPRPPPPPfmis
[2010/08/05 10:21:09 | 000,000,000 | RHSD | C] -- C:\Recycle Bin
[2010/08/05 09:26:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\PKWARE
[2010/08/05 09:00:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Local Settings\Application Data\Adobe
[2010/08/05 09:00:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\Adobe
[2010/08/05 08:53:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Macrovision
[2010/08/05 08:23:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Local Settings\Application Data\ApplicationHistory
[2010/08/05 08:23:47 | 000,125,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vb6de.dll
[2010/08/05 08:23:47 | 000,124,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2010/08/05 08:23:47 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WINSKDE.DLL
[2010/08/05 08:06:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\$SQLUninstallSQL2000-KB929654-v8.00.2239-x86-ENU$
[2010/08/05 08:05:43 | 000,033,340 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dbmsqlgc.dll
[2010/08/05 08:05:43 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dbmsgnet.dll
[2010/08/05 08:05:42 | 000,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\WINDOWS\IsUninst.exe
[2010/08/05 08:05:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2010/08/05 08:04:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/08/04 20:00:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\4PUPQPPPPPfmis
[2010/08/04 20:00:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\4PUPQPPPPPfmis
[2010/08/04 19:08:13 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msyuv.dll
[2010/08/04 19:08:05 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iyuv_32.dll
[2010/08/04 19:08:05 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsbyuv.dll
[2010/08/04 19:07:46 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\csrsrv.dll
[2010/08/04 19:07:46 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\csrsrv.dll
[2010/08/04 19:07:23 | 000,320,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shlwapi.dll
[2010/08/04 19:06:04 | 000,343,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mspaint.exe
[2010/08/04 19:05:32 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\repdrvfs.dll
[2010/08/04 19:03:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/08/04 19:01:56 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2010/08/04 19:01:56 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2010/08/04 19:01:55 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2010/08/04 19:01:55 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2010/08/04 19:01:54 | 000,916,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2010/08/04 19:01:50 | 001,985,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2010/08/04 19:01:48 | 001,208,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2010/08/04 19:01:24 | 011,070,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2010/08/04 18:56:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\Sun
[2010/08/04 18:56:28 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/04 18:56:28 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/04 18:56:28 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/04 18:56:28 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/04 18:56:09 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/08/04 18:53:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/08/04 18:53:46 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/08/04 18:34:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\Identities
[2010/08/04 18:34:06 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\admin\IETldCache
[2010/08/04 18:34:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\WINDOWS
[2010/08/04 18:20:15 | 000,000,000 | ---D | C] -- C:\cygwin
[2010/08/04 18:14:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\CryptFiles
[2010/08/04 18:13:54 | 000,105,264 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pspasswd.exe
[2010/08/04 18:13:54 | 000,057,344 | ---- | C] (AMF) -- C:\WINDOWS\System32\WinLockDll.dll
[2010/08/04 18:08:20 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\devcon.exe
[2010/08/04 18:07:57 | 000,103,424 | ---- | C] (Hewlett-Packard Corporation) -- C:\WINDOWS\System32\hpzpnp.dll
[2010/08/04 18:07:54 | 000,241,721 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPBMINI.DLL
[2010/08/04 18:07:54 | 000,163,840 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPJCMN2U.DLL
[2010/08/04 18:07:54 | 000,094,208 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPJIPX1U.DLL
[2010/08/04 18:07:54 | 000,049,152 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPBNRAC2.DLL
[2010/08/04 18:07:52 | 000,024,576 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\HPBMIAPI.DLL
[2010/08/04 18:07:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2010/08/04 18:07:35 | 000,149,504 | ---- | C] (Hewlett-Packard Corporation) -- C:\WINDOWS\System32\hpcpn6de.dll
[2010/08/04 18:07:31 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prnadmin.dll
[2010/08/04 18:02:10 | 000,000,000 | ---D | C] -- C:\sradumps
[2010/08/04 18:01:37 | 000,000,000 | ---D | C] -- C:\Program Files\Syslogd
[2010/08/04 17:59:33 | 000,262,144 | ---- | C] (Ruud van Velsen (Microsoft)) -- C:\WINDOWS\System32\kix32.exe
[2010/08/04 17:59:29 | 000,692,224 | ---- | C] (www.kixforms.org) -- C:\WINDOWS\System32\kixforms.dll
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 60 Days ==========
 
[2010/08/24 10:37:43 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\admin\NTUSER.DAT
[2010/08/24 09:00:01 | 000,000,320 | ---- | M] () -- C:\WINDOWS\tasks\KiwiSizeLimitation.job
[2010/08/24 02:33:31 | 000,000,396 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/08/24 01:30:01 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\Apache_logs_scrubber.job
[2010/08/23 09:52:23 | 000,544,472 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/23 09:52:23 | 000,458,908 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/23 09:52:23 | 000,075,654 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/23 09:47:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/23 09:47:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/23 08:33:49 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/21 16:05:15 | 000,752,528 | -H-- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\IconCache.db
[2010/08/21 15:58:56 | 000,000,442 | RHS- | M] () -- C:\Documents and Settings\admin\ntuser.pol
[2010/08/20 08:53:55 | 000,001,491 | ---- | M] () -- C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2010/08/13 16:44:22 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\admin\term.shh
[2010/08/13 10:22:43 | 000,000,686 | ---- | M] () -- C:\Documents and Settings\admin\Desktop\pdf24-creator.lnk
[2010/08/08 21:19:46 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\admin\_viminfo
[2010/08/08 14:57:26 | 000,001,184 | -H-- | M] () -- C:\Documents and Settings\admin\My Documents\Default.rdp
[2010/08/06 18:51:29 | 000,005,328 | ---- | M] () -- C:\WINDOWS\System32\mmdriver.PNF
[2010/08/06 18:51:29 | 000,004,344 | ---- | M] () -- C:\WINDOWS\System32\INFCACHE.1
[2010/08/06 18:51:29 | 000,004,128 | ---- | M] () -- C:\WINDOWS\System32\drivers\INFCACHE.1
[2010/08/06 18:51:28 | 000,077,504 | ---- | M] () -- C:\WINDOWS\System32\ieuinit.PNF
[2010/08/06 18:51:28 | 000,004,628 | ---- | M] () -- C:\WINDOWS\System32\homepage.PNF
[2010/08/06 18:51:27 | 000,007,628 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.PNF
[2010/08/06 17:27:14 | 000,012,328 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/05 10:47:10 | 000,000,564 | ---- | M] () -- C:\Documents and Settings\admin\Desktop\Shortcut to logging.lnk
[2010/08/05 10:46:56 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\admin\Desktop\Shortcut to hosts.lnk
[2010/08/05 10:39:01 | 000,028,258 | ---- | M] () -- C:\WINDOWS\citamis.str
[2010/08/05 10:38:35 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\LifeList.lnk
[2010/08/05 10:26:20 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\admin\ntuser.ini
[2010/08/05 08:25:10 | 000,046,570 | ---- | M] () -- C:\WINDOWS\vpd.properties
[2010/08/05 08:22:57 | 000,000,482 | ---- | M] () -- C:\WINDOWS\my.ini
[2010/08/05 08:10:43 | 000,009,390 | ---- | M] () -- C:\WINDOWS\vpd.properties.nested
[2010/08/05 08:04:52 | 000,000,725 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
[2010/08/04 19:08:52 | 000,003,376 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/04 18:56:15 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/08/04 18:56:15 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/04 18:56:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/04 18:56:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/04 18:56:15 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/04 18:53:55 | 000,001,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/04 18:34:20 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/04 17:55:30 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/08/04 17:28:44 | 000,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[2010/08/04 17:25:54 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2010/08/04 17:25:54 | 000,001,727 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2010/08/04 15:21:57 | 000,002,348 | ---- | M] () -- C:\WINDOWS\System32\pid.PNF
[2010/08/04 15:21:04 | 000,000,231 | ---- | M] () -- C:\WINDOWS\system.ini
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010/08/20 08:53:55 | 000,001,491 | ---- | C] () -- C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2010/08/13 16:44:22 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\admin\term.shh
[2010/08/13 10:22:43 | 000,000,686 | ---- | C] () -- C:\Documents and Settings\admin\Desktop\pdf24-creator.lnk
[2010/08/08 15:05:13 | 000,000,396 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/08/08 14:42:41 | 000,001,184 | -H-- | C] () -- C:\Documents and Settings\admin\My Documents\Default.rdp
[2010/08/08 14:41:39 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\admin\_viminfo
[2010/08/06 18:51:29 | 000,004,344 | ---- | C] () -- C:\WINDOWS\System32\INFCACHE.1
[2010/08/06 18:51:29 | 000,004,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\INFCACHE.1
[2010/08/06 18:51:28 | 000,005,328 | ---- | C] () -- C:\WINDOWS\System32\mmdriver.PNF
[2010/08/06 18:51:27 | 000,004,628 | ---- | C] () -- C:\WINDOWS\System32\homepage.PNF
[2010/08/06 18:51:26 | 000,007,628 | ---- | C] () -- C:\WINDOWS\System32\$winnt$.PNF
[2010/08/05 10:47:10 | 000,000,564 | ---- | C] () -- C:\Documents and Settings\admin\Desktop\Shortcut to logging.lnk
[2010/08/05 10:46:56 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\admin\Desktop\Shortcut to hosts.lnk
[2010/08/05 08:23:54 | 000,046,570 | ---- | C] () -- C:\WINDOWS\vpd.properties
[2010/08/05 08:22:57 | 000,000,482 | ---- | C] () -- C:\WINDOWS\my.ini
[2010/08/05 08:22:55 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vamsg.dll
[2010/08/05 08:10:41 | 000,009,390 | ---- | C] () -- C:\WINDOWS\vpd.properties.nested
[2010/08/05 08:05:43 | 000,001,912 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
[2010/08/05 08:05:17 | 000,000,280 | ---- | C] () -- C:\WINDOWS\tasks\Apache_logs_scrubber.job
[2010/08/05 08:04:52 | 000,000,725 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
[2010/08/04 18:53:55 | 000,001,733 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/04 18:34:20 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/04 18:34:02 | 000,000,442 | RHS- | C] () -- C:\Documents and Settings\admin\ntuser.pol
[2010/08/04 18:28:42 | 000,002,415 | ---- | C] () -- C:\WINDOWS\CreateKeyExchangeShortcut.vbs
[2010/08/04 18:28:42 | 000,000,159 | ---- | C] () -- C:\WINDOWS\CreateKeyExchangeShortcut.cmd
[2010/08/04 18:27:11 | 000,002,335 | ---- | C] () -- C:\WINDOWS\Create_ExportServerKey_Shortcut.vbs
[2010/08/04 18:27:11 | 000,002,333 | ---- | C] () -- C:\WINDOWS\Create_ImportUserKey_Shortcut.vbs
[2010/08/04 18:27:11 | 000,002,317 | ---- | C] () -- C:\WINDOWS\Create_ImportServerKey_Shortcut.vbs
[2010/08/04 18:27:11 | 000,002,314 | ---- | C] () -- C:\WINDOWS\Create_ExportUserKey_Shortcut.vbs
[2010/08/04 18:27:11 | 000,000,162 | ---- | C] () -- C:\WINDOWS\CreateShortcut.cmd
[2010/08/04 18:24:49 | 000,002,984 | ---- | C] () -- C:\WINDOWS\Create_KeyImportExport_Shortcuts.vbe
[2010/08/04 18:24:49 | 000,000,190 | ---- | C] () -- C:\WINDOWS\CreateShortcuts.cmd
[2010/08/04 18:17:11 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\SAM_PassFilter.dll
[2010/08/04 18:13:54 | 000,358,723 | ---- | C] () -- C:\WINDOWS\System32\PasswordChange.exe
[2010/08/04 18:13:54 | 000,128,512 | ---- | C] () -- C:\WINDOWS\System32\ChangePassword.exe
[2010/08/04 18:13:54 | 000,003,235 | ---- | C] () -- C:\WINDOWS\System32\PassordChangeCheck.vbe
[2010/08/04 18:13:54 | 000,000,953 | ---- | C] () -- C:\WINDOWS\System32\PasswordChange.kix
[2010/08/04 18:13:54 | 000,000,786 | ---- | C] () -- C:\WINDOWS\System32\ChangeServiceLogonPassword.vbe
[2010/08/04 18:13:54 | 000,000,758 | ---- | C] () -- C:\WINDOWS\System32\KillProcessIfRunByUser.vbe
[2010/08/04 18:13:54 | 000,000,642 | ---- | C] () -- C:\WINDOWS\System32\ChangeJobPassword.KX
[2010/08/04 18:13:54 | 000,000,110 | ---- | C] () -- C:\WINDOWS\System32\AddEventlogAsAdmin_v2.cmd
[2010/08/04 18:13:54 | 000,000,083 | ---- | C] () -- C:\WINDOWS\System32\PasswordChangeApi.cmd
[2010/08/04 18:08:20 | 000,256,485 | ---- | C] () -- C:\WINDOWS\System32\AutoIt_DisableCD.exe
[2010/08/04 18:07:54 | 000,018,747 | ---- | C] () -- C:\WINDOWS\System32\HPCEAC06.HPI
[2010/08/04 18:02:02 | 000,000,320 | ---- | C] () -- C:\WINDOWS\tasks\KiwiSizeLimitation.job
[2010/08/04 17:55:32 | 000,002,422 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2010/08/04 17:28:43 | 000,008,192 | ---- | C] () -- C:\WINDOWS\REGLOCS.OLD
[2010/08/04 17:25:53 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2010/08/04 17:25:53 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2010/08/04 17:25:51 | 000,077,504 | ---- | C] () -- C:\WINDOWS\System32\ieuinit.PNF
[2010/08/04 15:21:57 | 000,002,348 | ---- | C] () -- C:\WINDOWS\System32\pid.PNF
[2010/02/15 07:04:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/02/09 08:49:13 | 000,061,080 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/02/09 07:02:23 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\mtcmsgs.Dll
[2010/02/08 12:05:31 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2010/02/08 12:05:12 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2010/02/08 12:05:12 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2010/02/08 12:05:11 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2010/02/08 12:04:40 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2010/02/08 12:04:33 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2009/03/13 13:59:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\sn_regbase.dll
[2007/08/21 13:40:40 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\sitdatisps.dll
[2005/06/10 07:46:52 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\FDT100.dll
[2002/11/25 10:01:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2001/08/03 07:46:36 | 000,028,739 | ---- | C] () -- C:\WINDOWS\System32\rttextreg.dll
[2001/08/03 07:46:00 | 000,028,743 | ---- | C] () -- C:\WINDOWS\System32\rtserverstate.dll
[1999/07/16 13:37:56 | 000,136,704 | ---- | C] () -- C:\WINDOWS\System32\TDCTRL.dll
 
========== LOP Check ==========
 
[2010/02/09 15:11:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PKWARE
[2010/02/09 15:11:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PKWARE
[2010/08/21 15:55:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/08/05 09:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\PKWARE
[2010/08/24 01:30:01 | 000,000,280 | ---- | M] () -- C:\WINDOWS\Tasks\Apache_logs_scrubber.job
[2010/08/24 02:33:31 | 000,000,396 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/08/24 09:00:01 | 000,000,320 | ---- | M] () -- C:\WINDOWS\Tasks\KiwiSizeLimitation.job
[2010/08/23 09:38:42 | 000,032,636 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt
 
========== Purity Check ==========
 
 
< End of report >


Are the following files/directories benign?
  • C:\WINDOWS\System32\4PUPRPPPPPfmis
  • C:\WINDOWS\4PUPRPPPPPfmis
  • C:\WINDOWS\System32\4PUPQPPPPPfmis
  • C:\WINDOWS\4PUPQPPPPPfmis
  • C:\Recycle Bin

Many thanks for the support!

Regards
A.

Chris4You 25.08.2010 09:00

Hi,

Fix for OTL:
- Double-click OTL.exe to run the program.
- Vista/Win7 users: please start it via right-click and "Run as administrator".
- Copy the entire content of the following code box into the OTL box under "Custom Scan/Fixes"

Code:

:OTL
O32 - AutoRun File - [2010/08/06 19:21:41 | 000,000,920 | ---- | M] () - K:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\##tcl05#d$\Shell - "" = AutoRun
O33 - MountPoints2\##tcl05#d$\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##tcl05#d$\Shell\AutoRun\command - "" = Z:\DZEMO\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\explore\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
O33 - MountPoints2\##tcl05#d$\Shell\open\command - "" = Z:\DZEMO\\\\\\FATA.exe -- File not found
[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\4PUPRPPPPPfmis
[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\4PUPRPPPPPfmis

:Commands
[emptytemp]
[Reboot]

- Click the red "Run Fixes!" button.
- Please copy everything out of the results window (Results).
- A copy of the OTL fix log is saved as a text file in the following folder:
%systemroot%\_OTL

Then run MAM!
http://www.trojaner-board.de/51187-a...i-malware.html

chris
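As an added example (not part of this thread and not OTL's own code): a small Python triage script that applies the same reasoning as the fix above to OTL report lines, flagging per-volume MountPoints2 AutoRun handlers that launch an executable and random-named directories created directly under %SystemRoot% or System32. The sample lines are copied from or constructed after this thread's report, and the directory-name heuristic is an assumption fitted to the names asked about here.

```python
import re

# OTL file entry: [timestamp | size | attrs | C/M] (company) -- path  (company part is optional)
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<op>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# OTL "O33 - MountPoints2" entry: the per-volume AutoRun handler Windows keeps in the registry
MP_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\(?P<verb>\w+)\\command - "" = (?P<cmd>.+?)'
    r"(?: -- (?P<note>File not found))?$"
)
# Heuristic (an assumption fitted to this thread's names): long upper-case/digit block, short lower-case tail
RANDOM_DIR_RE = re.compile(r"^[A-Z0-9]{8,}[a-z]{2,6}$")
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")


def triage(lines):
    """Return (reason, path_or_command) pairs for OTL report lines that deserve a closer look."""
    findings = []
    for line in lines:
        m = MP_RE.match(line)
        if m:
            cmd = m.group("cmd")
            # A volume's AutoRun/open/explore verb rewired to an .exe is the classic USB-worm footprint
            if cmd.lower().endswith(".exe") or "\\\\" in cmd:
                findings.append(("volume AutoRun handler launches an executable", cmd))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        parent, _, name = path.rpartition("\\")
        if m.group("attr").endswith("D") and parent.lower() in SYSTEM_DIRS and RANDOM_DIR_RE.match(name):
            findings.append(("random-named directory created under %SystemRoot%", path))
    return findings


# Sample lines copied from this thread's report (the 4PUPQ... line is constructed from the poster's list)
SAMPLE = [
    r'O33 - MountPoints2\##tcl05#d$\Shell - "" = AutoRun',
    r'O33 - MountPoints2\##tcl05#d$\Shell\AutoRun\command - "" = Z:\DZEMO\\\\\FATA.exe -- File not found',
    r"[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\4PUPRPPPPPfmis",
    r"[2010/08/05 11:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\4PUPQPPPPPfmis",
    r"[2010/08/04 18:14:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\CryptFiles",
    r"[2010/08/04 18:56:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe",
]

if __name__ == "__main__":
    for reason, what in triage(SAMPLE):
        print(f"{reason}: {what}")
```

The two control lines (CryptFiles, java.exe) produce no finding, so the script separates the entries the fix targets from ordinary system files in the same report.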

