[Resolved] W32/fakev!tr infection!? Help please!


This topic is locked
12 replies to this topic

#1 biba82 (Authentic Member, 24 posts)

Posted 10 February 2010 - 07:54 AM

Hi everyone,

I am not quite sure what the problem is. I am connected to a local network (living and working in an intentional community). It is protected by some Fortinet products. I had to install:

- FortiClient Endpoint Security 4.1.2.138 and
- FortiClient Endpoint Security

That was back in late 2009. Without these programs installed on my laptop, I was not able to access the internet.
Ever since, things have gone "funny" with my internet access (e.g. strong fluctuation in the connection speed, inability to update FortiClient). Also, in December Superantispyware and Malwarebytes found trojans and a worm, which FortiClient was unable to detect. Now, I dealt with that problem and things went okay for a while.

1) Recently, I have been unable to access the email account that our webadministrator had set up for the different care units (via Microsoft Outlook Web Access). I receive the following message when I click on the bookmark in my browser:

"Not Found

The requested URL /exchweb/bin/auth/owalogon.asp was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2 Server at www.vidaraasen.no Port 443"

Neither our former webadmin nor the people who are otherwise responsible for the installation and maintenance of the network have been able to help so far.

2) In the past two weeks, my laptop got slower and took longer to start up, or had problems shutting down, as e.g. Firefox wouldn't close when I had told it to. Some mornings when I started my laptop, after it had finished loading all components, the desktop screen froze, and/or commands took literally 5 mins to be processed. It always ended in me force-shutting down the machine. The following startup was never a problem.

In the last four days, at every startup, I receive an error message telling me that NTKcutl.dll is damaged or cannot be found. As a relative newbie, I do not have a single clue what to do with that.
On the 7th and 8th of this month, FortiClient then found two viruses:
1) ntkcutl.dll c:\programme\arima\led_display_utility and
2) fcappdb.exe C:\Programme\Fortinet\FortiClient\

Especially the second message concerned me. Therefore, I scanned my system with Spybot, Superantispyware, and Malwarebytes, which I use about once a week. They all came out clean. Afterwards I uninstalled these programs, cleaned up the registry, reinstalled them and scanned the system once more. Again, they all came out clean.

Since yesterday, a Windows message has been popping up telling me that my system may be unprotected, even though FortiClient is running. My laptop is still a bit slower than usual.

I never trusted FortiClient, maybe just because I was annoyed by the fact that its installation was made a precondition for internet use here.
I have no clue what kind of problem this is and I just hope that you guys can help me!

Don't know if it will help, but here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:06, on 10.02.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Fortinet\FortiClient\scheduler.exe
C:\Programme\Fortinet\FortiClient\FCDBLog.exe
C:\Programme\Fortinet\FortiClient\FortiProxy.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Fortinet\FortiClient\fortifw.exe
C:\Programme\Fortinet\FortiClient\FortiTray.exe
C:\Programme\Fortinet\FortiClient\fortiwf.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\McAfee\SiteAdvisor\McSACore.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Fortinet\FortiClient\fmon.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [InstantOn] C:\Programme\CyberLink\PowerCinema Linux\ion_install.exe /c
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1254126936203
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6B081A9-AEEF-472B-9A5F-E04E565483B7}: NameServer = 195.159.0.100,195.159.0.200
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FortiClient Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Programme\Fortinet\FortiClient\scheduler.exe
O23 - Service: FortiClient SSL VPN (FortiSslvpnDaemon) - Fortinet Inc. - C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Programme\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6971 bytes


Looking forward to replies

Cheers
biba82


#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 13 February 2010 - 06:11 AM

Sorry about the delay in responding :(

If you still need help, Scan again with HijackThis, and "copy/paste" a new log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to [PayPal] for the help you received.

Proud graduate of TC/WTT Classroom


#3 biba82 (Authentic Member, 24 posts)

Posted 14 February 2010 - 06:34 AM

Hi LDTate,

thanks for your help!

In the meantime, I managed to fix the ntkcutl.dll issue. There is no error message at system startup anymore; I hope that means it is fixed.
At every startup (including Firefox, Thunderbird, and various other programs), however, FortiClient pops up with a security warning message. I included one of them as an image. I can see in FortiClient's report log that AppDetection and Firewall have recorded loads of these messages.
Even when I allow the particular program (e.g. Firefox) as an exception in my firewall, the next time I start up I have to do it all again.

That's the only obviously strange thing happening just now. The internet connection speed is still slow at times, but that may be connected to the actual setup here in the community, with maybe too many people using it at the same time.


Can't think of anything else. Virus, spyware, and malware scans come out clean. Still can't access my work email.
I am also still unsure about a virus threat which was detected in C:\Programme\Fortinet\FortiClient\.

I ran a HijackThis scan; here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:15, on 14.02.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Fortinet\FortiClient\scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programme\Fortinet\FortiClient\FCDBLog.exe
C:\Programme\Fortinet\FortiClient\FortiProxy.exe
C:\Programme\Fortinet\FortiClient\fmon.exe
C:\Programme\Fortinet\FortiClient\fortifw.exe
C:\Programme\Fortinet\FortiClient\FortiTray.exe
C:\Programme\Fortinet\FortiClient\fortiwf.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\McAfee\SiteAdvisor\McSACore.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Games\Sports Interactive\Football Manager 2008\fm.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [InstantOn] C:\Programme\CyberLink\PowerCinema Linux\ion_install.exe /c
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1254126936203
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6B081A9-AEEF-472B-9A5F-E04E565483B7}: NameServer = 195.159.0.100,195.159.0.200
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FortiClient Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Programme\Fortinet\FortiClient\scheduler.exe
O23 - Service: FortiClient SSL VPN (FortiSslvpnDaemon) - Fortinet Inc. - C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Programme\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7019 bytes

Hope it helps!
Biba
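A small triage script for the two HijackThis logs posted above, added here as an example and not part of the thread or of HijackThis itself: it parses the "Running processes" list and the O-entries, flags the entries a helper tends to look at first (O4 autostarts with an unqualified or unresolved target, the O20 Winlogon Notify entry that points at a directory rather than a DLL, an O23 service without a publisher) and diffs the process lists of the two scans. The heuristics are this example's own, not HijackThis's; the sample lines are copied from the logs in posts #1 and #3.

```python
"""Triage helper for HijackThis v2 logs (added example, not from the thread).

Parses "Running processes:" and the "O<n> - <kind>: <detail>" entries, flags
entries worth a second look, and diffs the process lists of two scans.
"""
import re
from dataclasses import dataclass, field

# "O23 - Service: Name (Short) - Publisher - Path"; the detail part may be empty
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<kind>[^:]+):\s*(?P<detail>.*)$")


@dataclass
class Entry:
    section: str
    kind: str
    detail: str
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return (running processes, parsed entries) from a HijackThis log."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # first O-entry ends the process list
            entries.append(Entry(match["section"], match["kind"].strip(), match["detail"]))
        elif in_processes:
            processes.append(line)
    return processes, entries


def flag_entry(entry):
    """Attach review flags to one entry and return them (heuristics are this example's)."""
    if entry.section == "O4":
        if entry.detail.endswith("= ?"):
            entry.flags.append("startup shortcut target could not be resolved")
        else:
            target = re.sub(r"^\[[^\]]*\]\s*", "", entry.detail)  # drop "[ValueName]"
            target = target.split(" = ", 1)[-1]                    # "x.lnk = path" form
            executable = target.strip('"').split(" ")[0]
            if "\\" not in executable:
                entry.flags.append("unqualified file name, resolved via the search path")
    elif entry.section == "O20" and entry.kind == "Winlogon Notify":
        if entry.detail.split(" - ")[-1].endswith("\\"):
            entry.flags.append("Winlogon Notify points at a directory, not a DLL")
    elif entry.section == "O23" and " - - " in entry.detail:
        entry.flags.append("service has no publisher recorded")
    return entry.flags


def triage(text):
    """Return flagged entries of one log as (section, detail, flags) tuples."""
    _, entries = parse_log(text)
    return [(e.section, e.detail, e.flags) for e in entries if flag_entry(e)]


def process_diff(before, after):
    """Processes only in the second scan, and only in the first (case-insensitive)."""
    seen_before = {p.lower() for p in before}
    seen_after = {p.lower() for p in after}
    new = sorted(p for p in after if p.lower() not in seen_before)
    gone = sorted(p for p in before if p.lower() not in seen_after)
    return new, gone


# Sample lines copied from the two logs in this thread (subset).
FIRST_SCAN = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programme\Fortinet\FortiClient\scheduler.exe
C:\Programme\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

SECOND_SCAN = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programme\Fortinet\FortiClient\scheduler.exe
D:\Games\Sports Interactive\Football Manager 2008\fm.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
"""

if __name__ == "__main__":
    for section, detail, flags in triage(FIRST_SCAN):
        print(f"{section}: {detail}\n    -> {'; '.join(flags)}")
    new, gone = process_diff(parse_log(FIRST_SCAN)[0], parse_log(SECOND_SCAN)[0])
    print("new in second scan:", new)
    print("gone in second scan:", gone)
```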

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 14 February 2010 - 06:49 AM

Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have SP3, use the SP2 package. If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.



#5 biba82 (Authentic Member, 24 posts)

Posted 14 February 2010 - 08:46 AM

Hi again,

I ran ComboFix. It was a bit tricky at first, because FortiClient needs to be running for me to be allowed to go online.
Anyway, here's the result:

ComboFix 10-02-12.01 - Benjamin Baar 14.02.2010 15:32:35.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2046.1571 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Benjamin Baar\Desktop\ComboFix.exe
AV: FortiClient AntiVirus *On-access scanning enabled* (Updated) {C86EC76D-5A4C-40E7-BD94-59358E544D81}
FW: FortiClient Personal Firewall *enabled* {528CB157-D384-4593-AAAA-E42DFF111CED}
.

((((((((((((((((((((((( Dateien erstellt von 2010-01-14 bis 2010-02-14 ))))))))))))))))))))))))))))))
.

2010-02-13 07:20 . 2009-12-14 07:08 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2010-02-13 07:20 . 2009-12-08 09:23 474624 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2010-02-13 07:20 . 2009-11-27 16:08 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-02-13 07:20 . 2009-12-17 07:40 346624 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-02-10 14:12 . 2010-02-10 14:12 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Lokale Einstellungen\Anwendungsdaten\Help
2010-02-10 09:29 . 2010-02-10 09:29 -------- d-----w- c:\programme\Panda Security
2010-02-10 09:11 . 2010-02-10 09:12 -------- d-----w- c:\programme\ERUNT
2010-02-09 13:22 . 2010-02-09 13:22 -------- d-----w- c:\programme\Trend Micro
2010-02-09 07:59 . 2010-02-09 11:08 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\QuickScan
2010-02-09 07:58 . 2010-01-11 16:33 789320 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-09 07:58 . 2010-01-11 16:32 698184 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-02-09 07:54 . 2010-02-09 07:54 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Uniblue
2010-02-06 12:22 . 2010-02-09 13:38 -------- d-----w- c:\programme\DkZ Studio
2010-02-05 20:28 . 2010-02-05 20:28 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Lokale Einstellungen\Anwendungsdaten\Identities
2010-01-30 16:29 . 2010-01-30 16:29 5562672 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\TVU Networks\AutoUpgrade\TVUPlayer2.4.9.1.exe
2010-01-30 16:29 . 2010-01-30 16:29 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\TVU Networks
2010-01-28 20:40 . 2010-02-10 09:12 -------- d-----w- c:\programme\Sophos
2010-01-25 12:36 . 2010-01-25 12:36 61440 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c1c037d-n\decora-sse.dll
2010-01-25 12:36 . 2010-01-25 12:36 12800 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c1c037d-n\decora-d3d.dll
2010-01-25 12:36 . 2010-01-25 12:36 503808 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2350e95a-n\msvcp71.dll
2010-01-25 12:36 . 2010-01-25 12:36 348160 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2350e95a-n\msvcr71.dll
2010-01-25 12:36 . 2010-01-25 12:36 499712 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2350e95a-n\jmc.dll
2010-01-20 19:04 . 2010-01-20 19:43 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\.jenny
2010-01-20 19:04 . 2010-01-20 19:04 -------- d-----w- c:\windows\Sun
2010-01-20 18:59 . 2010-01-20 18:59 348160 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\msvcr71.dll
2010-01-20 18:59 . 2010-01-20 18:59 61440 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\decora-sse.dll
2010-01-20 18:59 . 2010-01-20 18:59 503808 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\msvcp71.dll
2010-01-20 18:59 . 2010-01-20 18:59 499712 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\jmc.dll
2010-01-20 18:59 . 2010-01-20 18:59 12800 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\decora-d3d.dll
2010-01-20 18:59 . 2010-01-20 18:59 20480 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-52c3fbfd-n\gluegen-rt.dll
2010-01-20 18:59 . 2010-01-20 18:59 114688 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-4cce9c5c-n\jogl_cg.dll
2010-01-20 18:59 . 2010-01-20 18:59 20480 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-4cce9c5c-n\jogl_awt.dll
2010-01-20 18:59 . 2010-01-20 18:59 315392 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-4cce9c5c-n\jogl.dll
2010-01-20 18:59 . 2010-01-20 18:59 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
2010-01-20 18:58 . 2010-01-20 18:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-20 18:58 . 2010-01-20 18:58 -------- d-----w- c:\programme\Java
2010-01-17 14:52 . 2010-02-13 17:14 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\vlc

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 14:25 . 2009-11-01 07:31 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Skype
2010-02-14 14:25 . 2009-09-28 07:34 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\skypePM
2010-02-14 10:10 . 2009-09-28 07:29 -------- d-----w- c:\programme\Mozilla Thunderbird
2010-02-09 13:39 . 2009-09-28 07:30 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\SUPERAntiSpyware.com
2010-02-09 13:39 . 2009-09-28 07:29 -------- d-----w- c:\programme\Spybot - Search & Destroy
2010-02-09 13:39 . 2009-09-28 07:29 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2010-02-09 13:05 . 2009-10-09 15:24 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\uTorrent
2010-02-03 18:23 . 2009-09-28 21:16 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-02 06:33 . 2009-09-28 23:17 -------- d-----w- c:\programme\Google
2010-01-30 19:48 . 2009-09-28 08:06 -------- d-----w- c:\programme\Sopcast
2010-01-26 15:22 . 2009-10-02 23:49 -------- d-----w- c:\programme\PeerGuardian2
2010-01-24 16:41 . 2009-10-03 16:08 1 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-24 12:26 . 2009-10-08 06:30 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\dvdcss
2010-01-14 20:48 . 2010-01-14 20:48 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\DivX
2010-01-14 20:43 . 2010-01-14 20:41 -------- d-----w- c:\programme\DivX
2010-01-14 20:42 . 2010-01-14 20:41 -------- d-----w- c:\programme\Gemeinsame Dateien\DivX Shared
2010-01-12 19:04 . 2010-01-12 19:04 -------- d-----w- c:\programme\Gemeinsame Dateien\Fortinet
2010-01-05 15:57 . 2010-01-05 15:57 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\FastStone
2010-01-05 15:56 . 2010-01-05 15:56 -------- d-----w- c:\programme\FastStone Image Viewer
2010-01-03 17:08 . 2010-01-03 13:31 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sports Interactive
2010-01-03 13:34 . 2010-01-03 13:32 -------- d--h--w- c:\programme\Zero G Registry
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-23 11:35 . 2009-09-28 07:30 -------- d-----w- c:\programme\SUPERAntiSpyware
2009-12-22 22:20 . 2009-09-28 10:38 -------- d-----w- c:\programme\Gemeinsame Dateien\LogiShrd
2009-12-22 05:07 . 2004-08-04 12:00 672768 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:07 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:52 . 2009-09-28 08:04 -------- d-----w- c:\programme\McAfee
2009-12-17 07:40 . 2009-09-27 18:37 346624 ----a-w- c:\windows\system32\mspaint.exe
2009-12-15 10:41 . 2009-12-15 10:41 36968 ----a-w- c:\windows\system32\drivers\FortiShield.sys
2009-12-15 10:41 . 2009-12-15 10:41 46184 ----a-w- c:\windows\system32\drivers\FortiRmon.sys
2009-12-15 10:41 . 2009-12-15 10:41 29928 ----a-w- c:\windows\system32\drivers\FortiRdr.sys
2009-12-15 10:41 . 2009-12-15 10:41 98024 ----a-w- c:\windows\system32\drivers\fortips.sys
2009-12-15 10:41 . 2009-12-15 10:41 118504 ----a-w- c:\windows\system32\drivers\fortipfw.sys
2009-12-15 10:41 . 2009-12-15 10:41 43112 ----a-w- c:\windows\system32\drivers\fortimon2.sys
2009-12-15 10:41 . 2009-12-15 10:41 13416 ----a-w- c:\windows\system32\drivers\fortiapd.sys
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 17:31 . 2004-08-04 12:00 48552 ----a-w- c:\windows\system32\perfc007.dat
2009-12-09 17:31 . 2004-08-04 12:00 317168 ----a-w- c:\windows\system32\perfh007.dat
2009-12-08 10:46 . 2009-12-08 10:46 17064 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2009-06-03 19:09 1297408 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:57 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:08 . 2004-08-04 12:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:08 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:08 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:08 . 2004-08-04 00:57 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:08 . 2001-08-18 04:54 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-21 15:54 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-17 10:44 . 2009-11-17 10:44 79144 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"MSMSGS"="c:\programme\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-03-10 5566464]
"InstantOn"="c:\programme\CyberLink\PowerCinema Linux\ion_install.exe" [2005-02-23 94042]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-04 2805248]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\Benjamin Baar\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - c:\programme\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - c:\programme\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]
Logitech SetPoint.lnk - c:\programme\Logitech\SetPoint\SetPoint.exe [2009-11-13 813584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^BTTray.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Benjamin Baar^Startmenü^Programme^Autostart^OpenOffice.org 3.1.lnk]
path=c:\dokumente und einstellungen\Benjamin Baar\Startmenü\Programme\Autostart\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 02:23 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\programme\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-06-02 18:32 270336 ----a-w- c:\programme\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 15:07 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-28 19:21 141600 ----a-w- c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 14:33 563984 ----a-w- c:\programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 14:37 2178832 ----a-w- c:\programme\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:22 1695232 ------w- c:\programme\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-03-10 14:07 1495040 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 14:21 246504 ----a-w- c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\programme\QuickTime\QTTask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE
"SynTPEnh"=c:\programme\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\FortiProxy.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\FCMgr.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\FortiWadbd.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\FortiWad.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"d:\\Games\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\ipsec.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 FAFileMon;FAFileMon;c:\windows\system32\drivers\fortimon2.sys [15.12.2009 11:41 43112]
R1 FARegMon;FARegMon;c:\windows\system32\drivers\FortiRmon.sys [15.12.2009 11:41 46184]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [15.12.2009 11:41 13416]
R1 FortiPFW;FortiPFW;c:\windows\system32\drivers\fortipfw.sys [15.12.2009 11:41 118504]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [15.12.2009 11:41 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [15.12.2009 11:41 29928]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [15.12.2009 11:41 36968]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [13.11.2009 14:06 10384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\programme\McAfee\SiteAdvisor\McSACore.exe [28.09.2009 09:04 93320]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [06.04.2009 13:20 22432]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [28.09.2009 05:11 1013248]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [21.07.2009 16:53 36384]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [28.09.2009 06:28 226768]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28.09.2009 12:11 721904]
S2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [28.07.2009 16:11 703008]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [29.09.2009 00:17 133104]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [15.10.2009 16:34 14496]
S3 gtermddo;gtermddo;\??\c:\dokume~1\BENJAM~1\LOKALE~1\Temp\gtermddo.sys --> c:\dokume~1\BENJAM~1\LOKALE~1\Temp\gtermddo.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8.tmp --> c:\windows\system32\8.tmp [?]
.
Inhalt des "geplante Tasks" Ordners

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-09-28 23:17]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-09-28 23:17]
.
.
------- Zusätzlicher Suchlauf -------
.
IE: Senden an &Bluetooth - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {B6B081A9-AEEF-472B-9A5F-E04E565483B7} = 195.159.0.100,195.159.0.200
FF - ProfilePath - c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\programme\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\programme\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programme\Fortinet\SslvpnClient\npccplugin.dll
FF - plugin: c:\programme\Fortinet\SslvpnClient\nptcplugin.dll
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX Richtlinien ----
c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programme\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programme\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-avgrsstarter - (no file)
MSConfigStartUp-SpybotSD TeaTimer - c:\programme\Spybot - Search & Destroy\TeaTimer.exe
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_3055&SUBSYS_14F18001 - c:\programme\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_3055&SUBSYS_14F18001\HXFSETUP.EXE -U -IHDAUDIO\FUNC_02&VEN_14F1&DEV_3055&SUBSYS_14F18001



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 15:35
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\8.tmp"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'explorer.exe'(3736)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\programme\Logitech\SetPoint\lgscroll.dll
.
Zeit der Fertigstellung: 2010-02-14 15:37:16
ComboFix-quarantined-files.txt 2010-02-14 14:37

Vor Suchlauf: 4 Verzeichnis(se), 28.340.895.744 Bytes frei
Nach Suchlauf: 6 Verzeichnis(se), 28.502.171.648 Bytes frei

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 2AF6E1A3A37E2F4E3A9F6A4282C163B5

Why did I run ComboFix in the first place? Do you have any suspicions?

Biba

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 February 2010 - 09:11 AM

FYI,
Gtermddo.sys is Backdoor.Genlot.DX.


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::
c:\dokume~1\BENJAM~1\LOKALE~1\Temp\gtermddo.sys 
c:\windows\system32\8.tmp

Driver::
gtermddo



Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"=""

Save this file to your desktop; save it as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...



Drag CFScript.txt into ComboFix.exe


Then post the results log using Copy / Paste


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom

 


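As an added example (not part of the thread, and not code from ComboFix or its author), here is a small triage pass over the service/driver lines of a ComboFix log, in Python. It flags entries whose image lives in a Temp directory, has a non-driver extension such as .tmp, or carries the trailing `[?]` marker, which is assumed here to mean ComboFix could not find the file on disk; those three checks are what single out the gtermddo and MEMSWEEP2 entries that the CFScript above addresses. Sample lines are copied from the log above, and the assumed line layout is stated in the docstring.

```python
"""Triage heuristics for ComboFix service/driver lines (the Rn/Sn entries).

Added example, not part of the original thread.  Assumptions:
  - ComboFix prints each service as
        <R|S><n> <name>;<display name>;<image path> [<date> <time> <size>]
  - when the raw ImagePath differs from the resolved path it prints
        <raw path> --> <resolved path>
  - an entry whose file could not be found on disk ends in  [?]
"""
import re
from dataclasses import dataclass, field

# <start type> <name>;<display>;<path...> optionally followed by [details]
LINE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*?)(?:\s+\[(.*)\])?\s*$")

# Directories a system-start driver has no business being loaded from.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
# Extensions one expects for a service or driver image.
DRIVER_EXTS = (".sys", ".exe", ".dll")

# Constructed sample input: four service lines and one non-service line,
# taken from the ComboFix log posted above.
SAMPLE_LOG = [
    r"R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [15.12.2009 11:41 36968]",
    r"R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [21.07.2009 16:53 36384]",
    r"S3 gtermddo;gtermddo;\??\c:\dokume~1\BENJAM~1\LOKALE~1\Temp\gtermddo.sys --> c:\dokume~1\BENJAM~1\LOKALE~1\Temp\gtermddo.sys [?]",
    r"S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8.tmp --> c:\windows\system32\8.tmp [?]",
    'Inhalt des "geplante Tasks" Ordners',  # section header, not a service line
]


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Return a dict for a service line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    start, name, display, path, details = m.groups()
    # Keep only the resolved path when ComboFix prints "raw --> resolved".
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    return {"start": start, "name": name, "display": display,
            "path": path.strip(), "details": details or ""}


def triage(lines):
    """Apply the three heuristics to every service line; return the hits."""
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        p = entry["path"].lower()
        reasons = []
        if any(marker in p for marker in TEMP_MARKERS):
            reasons.append("image lives in a Temp directory")
        if not p.endswith(DRIVER_EXTS):
            ext = p.rsplit(".", 1)[-1] if "." in p else "(none)"
            reasons.append("image has a non-driver extension (%s)" % ext)
        if entry["details"] == "?":
            reasons.append("file not present on disk at scan time")
        if reasons:
            findings.append(Finding(entry["name"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.name}: {hit.path} -> {', '.join(hit.reasons)}")
```

A hit is a prompt to look the entry up, not a verdict: a stale entry left behind by a removed tool trips the same checks as a backdoor driver, so the file itself (or its absence) still has to be examined.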
#7 biba82

biba82

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 14 February 2010 - 09:54 AM

Here are the results:

Question might be stupid, but do you have any idea where that backdoor might be coming from? Could it be passed on through the local network here, and why did Fortinet not find it?
My boss told me that it's soooo good and they spend soooo much to keep everyone safe.



ComboFix 10-02-12.01 - Benjamin Baar 14.02.2010 16:35:52.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2046.1604 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Benjamin Baar\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Benjamin Baar\Desktop\CFScript.txt
AV: FortiClient AntiVirus *On-access scanning disabled* (Updated) {C86EC76D-5A4C-40E7-BD94-59358E544D81}
FW: FortiClient Personal Firewall *disabled* {528CB157-D384-4593-AAAA-E42DFF111CED}

FILE ::
"c:\dokume~1\BENJAM~1\LOKALE~1\Temp\gtermddo.sys"
"c:\windows\system32\8.tmp"
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GTERMDDO
-------\Service_gtermddo


((((((((((((((((((((((( Dateien erstellt von 2010-01-14 bis 2010-02-14 ))))))))))))))))))))))))))))))
.

2010-02-13 07:20 . 2009-12-14 07:08 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2010-02-13 07:20 . 2009-12-08 09:23 474624 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2010-02-13 07:20 . 2009-11-27 16:08 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-02-13 07:20 . 2009-12-17 07:40 346624 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-02-10 14:12 . 2010-02-10 14:12 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Lokale Einstellungen\Anwendungsdaten\Help
2010-02-10 09:29 . 2010-02-10 09:29 -------- d-----w- c:\programme\Panda Security
2010-02-10 09:11 . 2010-02-10 09:12 -------- d-----w- c:\programme\ERUNT
2010-02-09 13:22 . 2010-02-09 13:22 -------- d-----w- c:\programme\Trend Micro
2010-02-09 07:59 . 2010-02-09 11:08 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\QuickScan
2010-02-09 07:58 . 2010-01-11 16:33 789320 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-09 07:58 . 2010-01-11 16:32 698184 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-02-09 07:54 . 2010-02-09 07:54 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Uniblue
2010-02-06 12:22 . 2010-02-09 13:38 -------- d-----w- c:\programme\DkZ Studio
2010-02-05 20:28 . 2010-02-05 20:28 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Lokale Einstellungen\Anwendungsdaten\Identities
2010-01-30 16:29 . 2010-01-30 16:29 5562672 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\TVU Networks\AutoUpgrade\TVUPlayer2.4.9.1.exe
2010-01-30 16:29 . 2010-01-30 16:29 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\TVU Networks
2010-01-28 20:40 . 2010-02-10 09:12 -------- d-----w- c:\programme\Sophos
2010-01-25 12:36 . 2010-01-25 12:36 61440 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c1c037d-n\decora-sse.dll
2010-01-25 12:36 . 2010-01-25 12:36 12800 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c1c037d-n\decora-d3d.dll
2010-01-25 12:36 . 2010-01-25 12:36 503808 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2350e95a-n\msvcp71.dll
2010-01-25 12:36 . 2010-01-25 12:36 348160 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2350e95a-n\msvcr71.dll
2010-01-25 12:36 . 2010-01-25 12:36 499712 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2350e95a-n\jmc.dll
2010-01-20 19:04 . 2010-01-20 19:43 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\.jenny
2010-01-20 19:04 . 2010-01-20 19:04 -------- d-----w- c:\windows\Sun
2010-01-20 18:59 . 2010-01-20 18:59 348160 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\msvcr71.dll
2010-01-20 18:59 . 2010-01-20 18:59 61440 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\decora-sse.dll
2010-01-20 18:59 . 2010-01-20 18:59 503808 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\msvcp71.dll
2010-01-20 18:59 . 2010-01-20 18:59 499712 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\jmc.dll
2010-01-20 18:59 . 2010-01-20 18:59 12800 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-1b92cdf1-n\decora-d3d.dll
2010-01-20 18:59 . 2010-01-20 18:59 20480 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-52c3fbfd-n\gluegen-rt.dll
2010-01-20 18:59 . 2010-01-20 18:59 114688 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-4cce9c5c-n\jogl_cg.dll
2010-01-20 18:59 . 2010-01-20 18:59 20480 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-4cce9c5c-n\jogl_awt.dll
2010-01-20 18:59 . 2010-01-20 18:59 315392 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-4cce9c5c-n\jogl.dll
2010-01-20 18:59 . 2010-01-20 18:59 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
2010-01-20 18:58 . 2010-01-20 18:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-20 18:58 . 2010-01-20 18:58 -------- d-----w- c:\programme\Java
2010-01-17 14:52 . 2010-02-13 17:14 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\vlc

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 15:43 . 2009-09-28 07:34 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\skypePM
2010-02-14 15:42 . 2009-11-01 07:31 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Skype
2010-02-14 10:10 . 2009-09-28 07:29 -------- d-----w- c:\programme\Mozilla Thunderbird
2010-02-09 13:39 . 2009-09-28 07:30 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\SUPERAntiSpyware.com
2010-02-09 13:39 . 2009-09-28 07:29 -------- d-----w- c:\programme\Spybot - Search & Destroy
2010-02-09 13:39 . 2009-09-28 07:29 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2010-02-09 13:05 . 2009-10-09 15:24 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\uTorrent
2010-02-03 18:23 . 2009-09-28 21:16 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-02 06:33 . 2009-09-28 23:17 -------- d-----w- c:\programme\Google
2010-01-30 19:48 . 2009-09-28 08:06 -------- d-----w- c:\programme\Sopcast
2010-01-26 15:22 . 2009-10-02 23:49 -------- d-----w- c:\programme\PeerGuardian2
2010-01-24 16:41 . 2009-10-03 16:08 1 ----a-w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-24 12:26 . 2009-10-08 06:30 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\dvdcss
2010-01-14 20:48 . 2010-01-14 20:48 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\DivX
2010-01-14 20:43 . 2010-01-14 20:41 -------- d-----w- c:\programme\DivX
2010-01-14 20:42 . 2010-01-14 20:41 -------- d-----w- c:\programme\Gemeinsame Dateien\DivX Shared
2010-01-12 19:04 . 2010-01-12 19:04 -------- d-----w- c:\programme\Gemeinsame Dateien\Fortinet
2010-01-05 15:57 . 2010-01-05 15:57 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\FastStone
2010-01-05 15:56 . 2010-01-05 15:56 -------- d-----w- c:\programme\FastStone Image Viewer
2010-01-03 17:08 . 2010-01-03 13:31 -------- d-----w- c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Sports Interactive
2010-01-03 13:34 . 2010-01-03 13:32 -------- d--h--w- c:\programme\Zero G Registry
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-23 11:35 . 2009-09-28 07:30 -------- d-----w- c:\programme\SUPERAntiSpyware
2009-12-22 22:20 . 2009-09-28 10:38 -------- d-----w- c:\programme\Gemeinsame Dateien\LogiShrd
2009-12-22 05:07 . 2004-08-04 12:00 672768 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:07 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:52 . 2009-09-28 08:04 -------- d-----w- c:\programme\McAfee
2009-12-17 07:40 . 2009-09-27 18:37 346624 ----a-w- c:\windows\system32\mspaint.exe
2009-12-15 10:41 . 2009-12-15 10:41 36968 ----a-w- c:\windows\system32\drivers\FortiShield.sys
2009-12-15 10:41 . 2009-12-15 10:41 46184 ----a-w- c:\windows\system32\drivers\FortiRmon.sys
2009-12-15 10:41 . 2009-12-15 10:41 29928 ----a-w- c:\windows\system32\drivers\FortiRdr.sys
2009-12-15 10:41 . 2009-12-15 10:41 98024 ----a-w- c:\windows\system32\drivers\fortips.sys
2009-12-15 10:41 . 2009-12-15 10:41 118504 ----a-w- c:\windows\system32\drivers\fortipfw.sys
2009-12-15 10:41 . 2009-12-15 10:41 43112 ----a-w- c:\windows\system32\drivers\fortimon2.sys
2009-12-15 10:41 . 2009-12-15 10:41 13416 ----a-w- c:\windows\system32\drivers\fortiapd.sys
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 17:31 . 2004-08-04 12:00 48552 ----a-w- c:\windows\system32\perfc007.dat
2009-12-09 17:31 . 2004-08-04 12:00 317168 ----a-w- c:\windows\system32\perfh007.dat
2009-12-08 10:46 . 2009-12-08 10:46 17064 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2009-06-03 19:09 1297408 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:57 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:08 . 2004-08-04 12:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:08 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:08 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:08 . 2004-08-04 00:57 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:08 . 2001-08-18 04:54 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-21 15:54 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-17 10:44 . 2009-11-17 10:44 79144 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-14_14.35.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-14 15:42 . 2010-02-14 15:42 16384 c:\windows\Temp\Perflib_Perfdata_b04.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"MSMSGS"="c:\programme\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-03-10 5566464]
"InstantOn"="c:\programme\CyberLink\PowerCinema Linux\ion_install.exe" [2005-02-23 94042]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-04 2805248]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\Benjamin Baar\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - c:\programme\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - c:\programme\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]
Logitech SetPoint.lnk - c:\programme\Logitech\SetPoint\SetPoint.exe [2009-11-13 813584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^BTTray.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Benjamin Baar^Startmenü^Programme^Autostart^OpenOffice.org 3.1.lnk]
path=c:\dokumente und einstellungen\Benjamin Baar\Startmenü\Programme\Autostart\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 02:23 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\programme\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-06-02 18:32 270336 ----a-w- c:\programme\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 15:07 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-28 19:21 141600 ----a-w- c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 14:33 563984 ----a-w- c:\programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 14:37 2178832 ----a-w- c:\programme\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:22 1695232 ------w- c:\programme\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-03-10 14:07 1495040 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 14:21 246504 ----a-w- c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\programme\QuickTime\QTTask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE
"SynTPEnh"=c:\programme\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\FortiProxy.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\FCMgr.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\FortiWadbd.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\FortiWad.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"d:\\Games\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Programme\\Fortinet\\FortiClient\\ipsec.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28.09.2009 12:11 721904]
R1 FAFileMon;FAFileMon;c:\windows\system32\drivers\fortimon2.sys [15.12.2009 11:41 43112]
R1 FARegMon;FARegMon;c:\windows\system32\drivers\FortiRmon.sys [15.12.2009 11:41 46184]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [15.12.2009 11:41 13416]
R1 FortiPFW;FortiPFW;c:\windows\system32\drivers\fortipfw.sys [15.12.2009 11:41 118504]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [15.12.2009 11:41 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [15.12.2009 11:41 29928]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [15.12.2009 11:41 36968]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [28.07.2009 16:11 703008]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [13.11.2009 14:06 10384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\programme\McAfee\SiteAdvisor\McSACore.exe [28.09.2009 09:04 93320]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [06.04.2009 13:20 22432]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [28.09.2009 05:11 1013248]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [21.07.2009 16:53 36384]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [28.09.2009 06:28 226768]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [29.09.2009 00:17 133104]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [15.10.2009 16:34 14496]
S3 MEMSWEEP2;MEMSWEEP2; [x]
.
Inhalt des "geplante Tasks" Ordners

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-09-28 23:17]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-09-28 23:17]
.
.
------- Zusätzlicher Suchlauf -------
.
IE: Senden an &Bluetooth - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {B6B081A9-AEEF-472B-9A5F-E04E565483B7} = 195.159.0.100,195.159.0.200
FF - ProfilePath - c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\programme\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\dokumente und einstellungen\Benjamin Baar\Anwendungsdaten\Mozilla\Firefox\Profiles\j95e8m2o.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\programme\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programme\Fortinet\SslvpnClient\npccplugin.dll
FF - plugin: c:\programme\Fortinet\SslvpnClient\nptcplugin.dll
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX Richtlinien ----
c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programme\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programme\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 16:43
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spnt.sys >>UNKNOWN [0x8A6DA938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba665cb8
\Driver\atapi -> atapi.sys @ 0xba602b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"=""
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'explorer.exe'(7216)
c:\programme\Gemeinsame Dateien\Logishrd\LVMVFM\LVPrcInj.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\programme\Logitech\SetPoint\lgscroll.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\programme\Fortinet\FortiClient\scheduler.exe
c:\programme\Fortinet\FortiClient\FCDBLog.exe
c:\programme\Fortinet\FortiClient\FortiProxy.exe
c:\programme\Fortinet\FortiClient\fmon.exe
c:\programme\Fortinet\FortiClient\fortifw.exe
c:\programme\Fortinet\FortiClient\FortiTray.exe
c:\programme\Fortinet\FortiClient\fortiwf.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
c:\programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\slserv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programme\Skype\Plugin Manager\skypePM.exe
c:\programme\Fortinet\FortiClient\FCWscD7.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-02-14 16:46:53 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-02-14 15:46
ComboFix2.txt 2010-02-14 14:37

Vor Suchlauf: 5 Verzeichnis(se), 28.507.557.888 Bytes frei
Nach Suchlauf: 6 Verzeichnis(se), 28.395.266.048 Bytes frei

- - End Of File - - 1BE8922F33D94CB0C8E3A76A5A5F2A83

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 February 2010 - 10:06 AM

It's located in a temp file so it's hard telling where it came from.
I can tell you this about most backdoor infections:
Here's my canned reply to those that have a backdoor infection

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.


Is it on the company server? I have no idea.

I'm a little surprised your company allows uTorrent or Football Manager 2008.

As far as I can tell you're clean.
Be sure to at least uninstall Combofix.

Good job :thumbup:

The following will implement some cleanup procedures as well as reset System Restore points:

  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


To be on the safe side, I would also change all my passwords.

Here's my usual all clean post

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest security updates available installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.


I would suggest you read How to Prevent Malware:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
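As an added example (not part of this thread and not ComboFix's own code), the following Python script parses a few constructed lines in the shape of the ComboFix log above and reports the items the helper checked by eye: whether the Windows Firewall is off (expected here, since FortiClient's own firewall is running), firewall exceptions worth questioning on a work machine, and service entries with no file on disk, such as the MEMSWEEP2 entry whose ImagePath is empty. The review keywords are a constructed, hypothetical policy, not anything ComboFix itself applies.

```python
import re

# Constructed sample in the shape of the ComboFix log above (a handful of lines, not the full log).
SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"d:\\Games\\Sports Interactive\\Football Manager 2008\\fm.exe"=

S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [29.09.2009 00:17 133104]
S3 MEMSWEEP2;MEMSWEEP2; [x]
"""

# Service lines: "<R|S><n> name;display;image path [date time size]", with "[x]" when the file is missing.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]$")
FW_SECTION = r"firewallpolicy\standardprofile"
FW_LIST_SECTION = r"AuthorizedApplications\List"
# Constructed review policy (hypothetical): exception paths a helper would question on a work machine.
REVIEW_KEYWORDS = ("utorrent", "\\games\\")


def parse_combofix(text):
    """Pull the firewall state, the exception list and the service table out of a ComboFix log."""
    facts = {"firewall_enabled": None, "authorized_apps": [], "services": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # registry-key style section header
            continue
        m = SERVICE_RE.match(line)
        if m:
            facts["services"].append({"state": m["state"], "name": m["name"],
                                      "path": m["path"].strip(), "info": m["info"].strip()})
        elif section.endswith(FW_SECTION) and line.startswith('"EnableFirewall"'):
            # Form: "EnableFirewall"= 0 (0x0); the decimal value follows the '='.
            facts["firewall_enabled"] = int(line.split("=", 1)[1].split()[0]) != 0
        elif section.endswith(FW_LIST_SECTION) and line.startswith('"') and line.endswith('"='):
            # ComboFix doubles the backslashes in this list; collapse them to real paths.
            facts["authorized_apps"].append(line[1:-2].replace("\\\\", "\\"))
    return facts


def triage(facts, review_keywords=REVIEW_KEYWORDS):
    """Human-readable findings; an empty list means nothing stood out."""
    findings = []
    if facts["firewall_enabled"] is False:
        findings.append("Windows Firewall is off in the standard profile; acceptable only if a "
                        "third-party firewall (here FortiClient) is the one actually in use")
    for app in facts["authorized_apps"]:
        if any(k in app.lower() for k in review_keywords):
            findings.append("firewall exception worth questioning on a work machine: " + app)
    for svc in facts["services"]:
        if svc["info"] == "x" or not svc["path"]:
            findings.append("service %s (%s) has no image file on disk; orphaned entry, "
                            "check its ImagePath value" % (svc["name"], svc["state"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print("-", finding)
```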

 


#9 biba82

biba82

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 14 February 2010 - 11:11 AM

Hi LDTate,

Many thanks for your help! :notworthy: :notworthy:

I'm still using my personal laptop for work. Before I moved here, I was using uTorrent, and Football Manager 2008 is the reason why my girlfriend hates my laptop and why I am going to miss my son's first steps ;-)

In the meantime, my employer fortunately has discovered that a potentially enormous amount of sensitive information is stored on an employee's computer (in this case, mine). Therefore, they have purchased and set up "house laptops" with the same security suite.

Is there a possibility to find out if the same infections have been found on other machines (I guess that ca. 100 individual workstations belong to our local network)?

I am using Firefox w/ NoScript; any suggestions for making it safer online?

Unfortunately, I am bound to use FortiClient, as it is impossible to go online without installing and using the software. Do you have any software recommendations that might help me to stay more safe and clean, in case the fault lies with FortiClient?

I am regularly using SUPER, Malwarebytes, Spybot and also Sophos AntiRootkit; do I need to uninstall and download fresh versions (the old scans always came out clean)?

Are there any ways of monitoring the incoming and outgoing internet traffic to identify leaks (e.g. PeerGuardian)?

BTW, re. the backdoor, is there any chance to find out approx. when it came onto my laptop?

Biba

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 February 2010 - 11:25 AM

Hi LDTate,

Many thanks for your help! :notworthy: :notworthy:


I'm still using my personal laptop for work.
Before I moved here, I was using uTorrent, and Football Manager 2008 is the reason why my girlfriend hates my laptop and why I am going to miss my son's first steps ;-)

In the meantime, my employer fortunately has discovered that a potentially enormous amount of sensitive information is stored on an employee's computer (in this case, mine). Therefore, they have purchased and set up "house laptops" with the same security suite.

Is there a possibility to find out if the same infections have been found on other machines (I guess that ca. 100 individual workstations belong to our local network)? <--I would hope the company has IT people to find that out

I am using Firefox w/ NoScript; any suggestions for making it safer online? <--Google it

Unfortunately, I am bound to use FortiClient, as it is impossible to go online without installing and using the software. Do you have any software recommendations that might help me to stay more safe and clean, in case the fault lies with FortiClient? <---There isn't any one protection program that will catch everything. I don't know anything about FortiClient

I am regularly using SUPER, Malwarebytes, Spybot and also Sophos AntiRootkit; do I need to uninstall and download fresh versions (the old scans always came out clean)? <--You should just need to update them. MBAM isn't a resident program unless it's the paid-for version.

Are there any ways of monitoring the incoming and outgoing internet traffic to identify leaks (e.g. PeerGuardian)? <--PeerGuardian. Only use 1 firewall and anti-virus program.


BTW, re. the backdoor, is there any chance to find out approx. when it came onto my laptop? <-- Not that I know of

Biba

You need to empty your JAVA cache.
Go here and follow the instructions to clear your Java Cache



#11 biba82

biba82

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 14 February 2010 - 11:51 AM

Cheers LDTate, once again, thank you very much for your help! All the best! Biba82

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 February 2010 - 11:57 AM

You're more than welcome. Glad we were able to help. Peace be with you :wavey:



#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 February 2010 - 12:25 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
