Watau
Hi
On any new Windows 7 installation (32 & 64 bit) on absolutely clean machines I always find, right after installation, unsigned executable images (.exe & .dll) (sigcheck -e -r -s -u c:\windows), and many of them include the word WATAU (strings -s c:\windows | findstr WATAU); later on, they frequently appear in connection with security problems.
Does anybody know what "WATAU" means and why most DLLs are signed, but some are not? (e.g. files in C:\Program Files\Common Files\Microsoft Shared\ink\).
I'd really appreciate any input.
Thanks a lot.
(PS: It's my first time I "risk" asking a question on this forum. I apologize if I didn't proceed correctly.)
Greetings,
Martin
MartinDS
December 4th, 2010 4:42pm
Hi,
Thanks for posting in Microsoft TechNet forums.
Sigcheck is a simple command-line utility that verifies whether images are digitally signed and dumps their version information.
First of all, I would like to confirm how you obtained the Windows 7 installation.
Please make sure you have obtained the latest Windows Updates.
If the system is fully updated, let us use the System File Checker tool (SFC.exe) to determine which file is causing the issue, and then replace the file.
To do this, follow these steps:
1. Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
2. Type the following command, and then press ENTER:
sfc /scannow
The sfc /scannow command scans all protected system files and replaces incorrect versions with correct Microsoft versions.
Refer to the following link for more information:
How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
http://support.microsoft.com/kb/929833
If the issue persists, please collect data from a known good reference system and any other systems that you want to look at. Use the following command:
sigcheck -s -e -v %windir%\system32 > %computername%_sigcheck.csv
sigcheck -s -e -v %windir%\syswow64 >> %computername%_sigcheck.csv
This will collect information on both signed and unsigned files. We can then compare the reference system to a problem system.
Best Regards
Magon Liu
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 6th, 2010 2:28am
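One way to do the reference-versus-problem comparison described above in code, as an added example (not something the reply or Sysinternals provides): it assumes the redirected sigcheck CSV has "Path" and "Verified" columns (both names are parameters), skips any banner lines before the header, and works on constructed sample rows.

```python
import csv
import io

# Constructed sample sigcheck CSV output (not real scan results). The column
# names "Path" and "Verified" are an assumption about the CSV layout; both
# are parameters of load_sigcheck_csv so they can be adjusted to the real file.
REFERENCE_CSV = r"""
Path,Verified,Date,Publisher,Company,Description
c:\windows\system32\good.dll,Signed,13.07.2009,Microsoft Windows,Microsoft Corporation,Constructed sample
c:\windows\system32\tampered.dll,Signed,13.07.2009,Microsoft Windows,Microsoft Corporation,Constructed sample
c:\windows\system32\thirdparty.dll,Unsigned,n/a,n/a,Example Vendor,Constructed sample
"""

PROBLEM_CSV = r"""
Path,Verified,Date,Publisher,Company,Description
C:\Windows\System32\good.dll,Signed,13.07.2009,Microsoft Windows,Microsoft Corporation,Constructed sample
C:\Windows\System32\tampered.dll,Unsigned,n/a,n/a,Microsoft Corporation,Constructed sample
C:\Windows\System32\thirdparty.dll,Unsigned,n/a,n/a,Example Vendor,Constructed sample
C:\Windows\System32\extra.dll,Unsigned,n/a,n/a,n/a,Constructed sample
"""


def decode_sigcheck_bytes(raw):
    """Redirected console output may be UTF-16 with a byte-order mark;
    honour the BOM if present, otherwise treat the file as UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def read_sigcheck_file(filename):
    """Read one of the %computername%_sigcheck.csv files from disk."""
    with open(filename, "rb") as fh:
        return decode_sigcheck_bytes(fh.read())


def load_sigcheck_csv(text, path_col="Path", verified_col="Verified"):
    """Map lower-cased path -> Verified status. Lines before the header
    (a tool banner, blank lines) are skipped."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if path_col in next(csv.reader([line]), [])), None)
    if start is None:
        return {}
    result = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines[start:]))):
        path = (row.get(path_col) or "").strip()
        if path:
            result[path.lower()] = (row.get(verified_col) or "").strip()
    return result


def compare_signatures(reference, problem):
    """Classify every file on the problem system against the known-good one."""
    findings = {"now_unsigned": [], "only_on_problem": [], "unsigned_on_both": []}
    for path, status in sorted(problem.items()):
        ref = reference.get(path)
        if ref is None:
            findings["only_on_problem"].append(path)   # nothing to compare with
        elif ref == "Signed" and status != "Signed":
            findings["now_unsigned"].append(path)      # signature lost: look here first
        elif status != "Signed":
            findings["unsigned_on_both"].append(path)  # unsigned on the clean box too
    return findings


def compare_csv_text(reference_text, problem_text):
    """Convenience wrapper: compare two CSV texts and return the findings."""
    return compare_signatures(load_sigcheck_csv(reference_text),
                              load_sigcheck_csv(problem_text))


if __name__ == "__main__":
    for kind, paths in compare_csv_text(REFERENCE_CSV, PROBLEM_CSV).items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

Files in "now_unsigned" are the ones worth a second look; "unsigned_on_both" are unsigned on the clean reference as well, so they are not evidence of tampering on their own.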
Hi,
Thanks for posting in Microsoft TechNet forums.
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as 'Answered' as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Best Regards
Magon Liu
TechNet Subscriber Support
December 9th, 2010 3:17am
Hi,
Sorry I didn't answer these days (I know it's a poor excuse), but I was really overworked.
I downloaded my Windows 7 from here (I have the TechNet subscription):
https://technet.microsoft.com/de-de/subscriptions/securedownloads/default.aspx
and installed it on my main test machine. I'm sure I obtained ALL Windows updates and also all other program updates (Secunia PSI).
I use the Windows Firewall and Microsoft Security Essentials.
Your tip to run sfc /scannow was very useful! Thanks a lot. I proceeded as you advised
(http://support.microsoft.com/kb/929833).
There was no "[SR] Cannot repair member file" in the cbs.log file. So I think everything is ok.
(findstr /C:"[SR] Cannot repair member file" %windir%\logs\cbs\cbs.log)
I also started
sigcheck -s -e -v %windir%\system32 > %computername%_sigcheck.csv and the same for syswow64.
The csv files are tremendous! If you want to analyze them, that would be fine.
But anyway, I think your help was great.
But I'm still VERY curious what "WATAU" means.
So, if you want to keep this thread open, that's fine. But if you must close it, it's also no problem. But I'm very surprised that the thread had 316 views, but no one could answer this question, or there aren't so many "Hex-Viewers" around there, or they are there but have "other interests" ;-).
Well, my English isn't so good, but sometimes understandable.
Thanks a lot for your answer and help.
Martin
MartinDS
December 11th, 2010 9:22am
Can you provide more names that contain the word "WATAU", please?
It does not have many meanings according to my research.
December 13th, 2010 6:32am
Hi
Thanks a lot for your reply!
Exactly: "It does not have many meanings according to my research."
Because it doesn't seem to have any meaning and you can't find any usable info on the web, I wondered about seeing this word so frequently in many of my files (e.g. 388 times in my explorer.exe!!). (There is a very, very clever (new??) rootkit on all my PCs and no antivirus seems to find it. Also not if I boot from a CD!! And this rootkit has some relationship with this "WATAU".)
Do you really also find this word in your explorer.exe?
Most other words I found in Hex-View made some sense to me, but not this one. And by far there isn't another word which appears so frequently. I bet that doesn't mean something positive.
I have here a 657 MB text file. It's the result of a "WATAU" scan over my entire hard disk.
There are no more words around the word WATAU, only hex text. And it's almost impossible to paste text parts around the word WATAU, because no editor accepts such a paste!!
Thanks for any answer.
Martin
The following hieroglyphic writing you see here I took from a 20-line "cut" of explorer.exe (including the word "WATAU") and pasted it here. Pasting is not possible. There is not even one line! (And I get very, very strange security error messages some minutes later.)
H‹A03Û‹òH‹éH;Ä[Ý
The error-message I got and I never saw before:
Now I’ll try it to paste again, with other hex data:
‰Q ÃH‰\$H‰l$H‰t$WATAUHƒì
E3íI‹éM‹àA;Õ‹òH‹ÙA‹ý\Ü
And here are some lines of the 657 MB text file, containing only such lines:
C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.Interop.dll: @SUVWATAUAVAWH
Print-Screen of the error message:
MartinDS
December 13th, 2010 2:24pm
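What the pasted characters actually encode, as an added example that is not part of the thread: a hex viewer shows raw bytes as Windows-1252 text, and "WATAU" is the byte sequence 57 41 54 41 55, which on x86-64 is `push rdi; push r12; push r13`, the register-saving start of an ordinary compiled function. The tiny decoder below knows only the opcodes of a standard compiler prologue; the displacement and immediate bytes in the constructed sample prologue are an assumption, because the paste dropped them.

```python
# Added example (not from the thread): a minimal x86-64 decoder that knows only
# the opcodes of a standard compiler function prologue, used to show what the
# "WATAU" string in explorer.exe and other 64-bit binaries really is.
# The pasted hex-viewer fragments are machine code displayed as Windows-1252
# text: "W" = 0x57, "A" = 0x41, "T" = 0x54, "U" = 0x55, "H" = 0x48, ...

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def reg_name(index, wide=True):
    """Name register 0..15; 8..15 are the REX-extended r8..r15."""
    if index < 8:
        return REG64[index] if wide else REG32[index]
    return f"r{index}" if wide else f"r{index}d"


def decode_prologue(code):
    """Decode bytes into instruction strings.

    Handles REX prefixes (0x40-0x4F), push/pop r64, `sub rsp, imm8`
    (83 EC ib) and `mov [rsp+disp8], reg` (89 /r with an rsp SIB byte),
    which is all a typical MSVC x64 prologue consists of. Anything else is
    emitted as a raw `db` byte so nothing is silently hidden.
    """
    out = []
    i = 0
    rex = None  # pending REX prefix; it applies to the next opcode only
    while i < len(code):
        b = code[i]
        if 0x40 <= b <= 0x4F:
            rex = b
            i += 1
            continue
        rex_w = bool(rex is not None and rex & 0x08)        # 64-bit operand
        rex_r = 8 if rex is not None and rex & 0x04 else 0  # extends ModRM.reg
        rex_b = 8 if rex is not None and rex & 0x01 else 0  # extends opcode reg
        if 0x50 <= b <= 0x57:
            out.append(f"push {reg_name(b - 0x50 + rex_b)}")
            i += 1
        elif 0x58 <= b <= 0x5F:
            out.append(f"pop {reg_name(b - 0x58 + rex_b)}")
            i += 1
        elif b == 0x83 and i + 2 < len(code) and code[i + 1] == 0xEC:
            # 83 /5 ib with ModRM 0xEC: sub rsp, imm8 (allocate the stack frame)
            out.append(f"sub rsp, 0x{code[i + 2]:x}")
            i += 3
        elif (b == 0x89 and i + 3 < len(code)
              and code[i + 1] & 0xC7 == 0x44 and code[i + 2] == 0x24):
            # 89 /r with mod=01, rm=100 and SIB 0x24: mov [rsp+disp8], reg,
            # the register spills MSVC emits just before the pushes
            src = ((code[i + 1] >> 3) & 7) + rex_r
            out.append(f"mov [rsp+0x{code[i + 3]:x}], {reg_name(src, rex_w)}")
            i += 4
        else:
            out.append(f"db 0x{b:02x}")
            i += 1
        rex = None
    if rex is not None:
        out.append(f"(REX prefix 0x{rex:02x} with no opcode: fragment cut off)")
    return out


def decode_pasted_text(text):
    """Decode a fragment pasted from a hex viewer, read back as Windows-1252."""
    return decode_prologue(text.encode("cp1252", errors="replace"))


# Constructed prologue in the shape of the pasted "H‰\$H‰l$H‰t$WATAUHƒì":
# the paste lost the disp8/imm8 bytes (they are control characters), so the
# values 08/10/18 and 20 here are filled in as an assumption.
SAMPLE_PROLOGUE = bytes.fromhex(
    "48895c2408" "48896c2410" "4889742418" "57" "4154" "4155" "4883ec20"
)

if __name__ == "__main__":
    for fragment in ("WATAU", "@SUVWATAUAVAWH"):
        print(fragment, "->", "; ".join(decode_pasted_text(fragment)))
    print("sample prologue ->", "; ".join(decode_prologue(SAMPLE_PROLOGUE)))
```

Every 64-bit function that saves rdi, r12 and r13 begins with these three pushes, which is why the string shows up hundreds of times in explorer.exe and in every x64 binary on the system; the string by itself is not an indicator of anything, so a scan for it cannot distinguish a clean file from a modified one.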
No, I did not find any file that contains the wording.
I tried on Bing.com to search for @SUVWATAUAVH; it seems it has something related to security. If your antivirus software did not detect it, let us try another tool called HijackThis.
1. Please download the Internet Explorer analyzer HiJackThis from the following link:
http://www.techspot.com/download317.html
Please Note: The third-party product discussed here is manufactured by a company that is independent of Microsoft. We make no warranty, implied or otherwise, regarding this product's performance or reliability.
2. Double click the downloaded file to run HiJackThis. (Note: If there is a notification message, please click OK.)
3. In the HiJackThis window, click "Do a system scan and save a log file". (Note: If there is a notification message, please click OK.)
4. HiJackThis will scan your system and generate a log file in Notepad. Please close Notepad and find the log file.
Note: It will be saved in the same folder with HijackThis.exe. For example, if you run HijackThis.exe from the desktop, you will find the log on the desktop.
You can post the log file here.
December 15th, 2010 4:50am
Hi,
Thanks a lot again! ... I personally won't relax until I know what's going on here! I'd really be glad if you could help me to resolve this mystery.
….
I think I forgot to mention that I tried dozens (yes!) of antivirus programs to find any evidence... and I always get the same answer: "no virus". I've been too many years in this business not to know that there can't be so many "WATAUs" simply because they are there. So you can imagine how curious I am about this WATAU. (You should know, most of my PCs are "only" test computers (to learn about Microsoft products, especially those from TechNet). So it's basically a "learning issue" to me... or to discover something really bad and new!)
Here is the (not complete) list of AV programs:
· Microsoft Security Essentials is "the" antivirus on all my PCs
The following programs all boot from their own boot CD, with different operating systems!
· Spybot - Search & Destroy
· Avira AntiVir
· Knoppicillin (heise.de): a CD you can boot from that checks with 3 different antivirus programs!
· Kaspersky
· www.greatis.com, UnhackMe and the bootable RegRun Warrior CD
The following without boot CD and only on the 32-bit machines:
· GMER
.... and many others!
….
Well, I clicked on your link http://www.techspot.com/download317.html. Then I clicked the HijackThis.exe download link and was redirected to http://free.antivirus.com/hijackthis/ and downloaded the file (HijackThis.exe). It had no digital signature. MD5 was 9A2347903D6EDB84C10F288BC0578C1C (seems to be ok according to my web search). (I usually only run signed EXEs on my computers; I hope I wasn't redirected....?)
I’m very tired but I hope my English is understandable.
(PS Perhaps you want me to send you my explorer.exe?)
Thanks and regards,
Martin
...
These two entries of the HijackThis logfile have dozens!!! of WATAUs!!
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner -
….
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:56:57, on 15.12.2010
Platform: Windows 7 SP1, v.721 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.7930.16406)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files (x86)\Safer Networking\FileAlyzer\FileAlyzer.exe
C:\Program Files (x86)\Total Uninstall 5\Tu.exe
Z:\Users\XXXAdminTabl\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
O4 - HKLM\..\Run: [SAOB Monitor] C:\Program Files (x86)\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Startup: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: taskmgr.exe.lnk = C:\Windows\System32\taskmgr.exe
O8 - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AC32AF-2949-4F37-A5BE-823766979A48}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CS2\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CS3\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup-Dienst (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Druckwarteschlange (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8336 bytes
MartinDS
December 15th, 2010 2:59pm
Well, I'll risk you considering me a megalomaniac, because I recommend you: take this thread off the web and find out what's behind this WATAU! As there still isn't any usable info about it, but obviously there IS something bad (I'm quite sure there is something bad), you could find these "nice guys" who are producing this trouble. But don't worry, I'm not offended if you think differently; it's advice I had to give you.
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Druckwarteschlange (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8336 bytes
MartinDS
December 15th, 2010 2:59pm
No, I did not find any file that contains the wording.
I tried on Bing.com to search @SUVWATAUAVH; it seems it has something related to security. If your antivirus software did not detect it, let us try another tool called HijackThis.
1. Please download the Internet Explorer analyzer HijackThis from the following link:
http://www.techspot.com/download317.html
Please Note: The third-party product discussed here is manufactured by a company that is independent of Microsoft. We make no warranty, implied or otherwise, regarding this product's performance or reliability.
2. Double-click the downloaded file to run HijackThis. (Note: If there is a notification message, please click OK.)
3. In the HijackThis window, click "Do a system scan and save a log file". (Note: If there is a notification message, please click OK.)
4. HijackThis will scan your system and generate a log file in Notepad. Please close Notepad and find the log file.
Note: It will be saved in the same folder as HijackThis.exe. For example, if you run HijackThis.exe from the desktop, you will find the log on the desktop.
You can post the log file here.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Hi,
Thanks a lot again! … I personally won’t relax until I know what’s going on here! I’d really be glad if you could help me to resolve this mystery.
….
I think I forgot to mention that I tried dozens (yes!) of antivirus programs to find any evidence… and I always get the same answer: “no virus”. I’ve been in this business too many years not to know that there can’t be so many “WATAU’s” simply because they are there. So you can imagine how curious I am about this WATAU. (You should know, most of my PCs are “only” test computers (to learn about Microsoft products, especially those from TechNet). So it’s basically a “learning issue” to me… or to discover something really bad and new!)
Here is the (not complete) list of AV programs:
• Microsoft Security Essentials is “the” antivirus on all my PCs
The following programs all boot from their own boot CD, with different operating systems!
• Spybot - Search & Destroy
• Avira AntiVir
• Knoppicillin (heise.de): this is a CD you can boot from, and it checks with 3 different antivirus programs!
• Kaspersky
• www.greatis.com, UnhackMe and the bootable RegRun Warrior CD
The following ran without a boot CD and only on the 32-bit machines:
• GMER
.... and many others!
….
Well, I clicked on your link http://www.techspot.com/download317.html. Then I clicked the HijackThis.exe download link and was redirected to http://free.antivirus.com/hijackthis/ and downloaded the file (HijackThis.exe). It had no digital signature. MD5 was 9A2347903D6EDB84C10F288BC0578C1C (seems to be OK according to my web search). (I usually only run signed exe’s on my computers; I hope I wasn’t redirected….?)
I’m very tired but I hope my English is understandable.
(PS Perhaps you want me to send you my explorer.exe?)
Thanks and regards,
Martin
...
These two files of the HijackThis logfile have dozens!!! of WATAU's!!
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner -
Well, I'll risk you considering me a megalomaniac, because:
I recommend you: take this thread off the web and find out what's behind this WATAU! As there still isn't any usable info about it, but obviously there IS something bad - I'm quite sure - there is something bad - and you could find these "nice guys" who are producing these troubles. But don't worry, I'm not offended if you think differently, but it's a piece of advice I had to give you.
….
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:56:57, on 15.12.2010
Platform: Windows 7 SP1, v.721 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.7930.16406)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files (x86)\Safer Networking\FileAlyzer\FileAlyzer.exe
C:\Program Files (x86)\Total Uninstall 5\Tu.exe
Z:\Users\XXXAdminTabl\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
O4 - HKLM\..\Run: [SAOB Monitor] C:\Program Files (x86)\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Startup: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: taskmgr.exe.lnk = C:\Windows\System32\taskmgr.exe
O8 - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AC32AF-2949-4F37-A5BE-823766979A48}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CS2\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CS3\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup-Dienst (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Druckwarteschlange (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8336 bytes
MartinDS
I wanted to paste you some text of efssvc.dll, which I really don't like. But it's impossible to paste it! Even a simple text editor doesn't accept it....
MartinDSa
December 15th, 2010 4:52pm
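An added example, not from this thread and not from any of the tools named in it, showing what the printable run the thread keeps searching for decodes to when it is read as x86-64 machine code. Every byte of "@SUVWATAUAVH" is either a single-byte PUSH r64 opcode (0x50 to 0x57) or a REX prefix (0x40 to 0x4F, with REX.B 0x41 selecting r8 to r15), so "WATAU" (0x57 0x41 0x54 0x41 0x55) is the encoding of push rdi; push r12; push r13, the register-save sequence at the start of an ordinary 64-bit function. The Sysinternals strings tool reports any run of printable bytes, and these opcode bytes all happen to be printable, which is why 64-bit system binaries such as alg.exe and efssvc.dll are full of them. The sample blob below is constructed here rather than taken from a real file, and the function names are this example's own:

```python
import re

# Register selected by the low three bits of a single-byte PUSH r64 (opcodes 0x50-0x57).
PUSH_REG = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def printable_runs(blob: bytes, min_len: int = 4):
    """Mimic what Sysinternals `strings` reports: every run of at least
    min_len printable ASCII bytes, as (offset, run) pairs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pattern, blob)]


def decode_push_run(data: bytes):
    """Decode `data` as x86-64 PUSH r64 instructions, each optionally preceded
    by a REX prefix (0x40-0x4F; REX.B picks r8-r15). Returns (mnemonics,
    consumed). Decoding stops at the first byte that is neither a REX prefix
    nor a PUSH; a lone REX prefix at the very end of the run is the first byte
    of the next instruction, whose remaining bytes were simply not printable."""
    insns = []
    i = 0
    while i < len(data):
        rex = 0
        j = i
        if 0x40 <= data[j] <= 0x4F:
            rex = data[j]
            j += 1
        if j < len(data) and 0x50 <= data[j] <= 0x57:
            reg = data[j] - 0x50
            name = f"r{reg + 8}" if rex & 0x01 else PUSH_REG[reg]
            insns.append(f"push {name}")
            i = j + 1
        elif rex and j == len(data):
            insns.append(f"rex 0x{rex:02x} (prefix of the next, non-printable instruction)")
            i = j
        else:
            break
    return insns, i


def classify_run(run: bytes) -> dict:
    """A printable run counts as a register-save prologue only if it decodes
    completely and contains at least two PUSHes; anything else is text."""
    insns, consumed = decode_push_run(run)
    pushes = sum(1 for s in insns if s.startswith("push "))
    return {
        "text": run.decode("ascii"),
        "insns": insns,
        "is_prologue": consumed == len(run) and pushes >= 2,
    }


def analyse(blob: bytes, min_len: int = 4):
    """Run the strings-style scan over blob and classify every hit."""
    return [dict(offset=off, **classify_run(run)) for off, run in printable_runs(blob, min_len)]


# Constructed sample (not from any real binary): int3 padding, a typical MSVC x64
# function prologue saving the non-volatile registers, a stack adjustment, a
# register move, and one genuine ASCII string resource.
SAMPLE_BLOB = (
    b"\xcc\xcc\xcc\xcc"                                   # int3 padding
    + bytes.fromhex("40 53 55 56 57 41 54 41 55 41 56")   # push rbx/rbp/rsi/rdi/r12/r13/r14
    + bytes.fromhex("48 83 ec 20")                        # sub rsp, 0x20
    + bytes.fromhex("48 8b d9 00 00")                     # mov rbx, rcx ; padding
    + b"ProductName\x00"                                  # a real string, NUL-terminated
)

if __name__ == "__main__":
    for hit in analyse(SAMPLE_BLOB):
        verdict = "x64 prologue" if hit["is_prologue"] else "text"
        print(f"{hit['offset']:#06x} {hit['text']!r:16} -> {verdict}")
        for s in hit["insns"]:
            print("        " + s)
```

Run against the sample, the first hit is exactly the "@SUVWATAUAVH" run from the thread and decodes end to end as seven pushes followed by the REX.W prefix of the sub rsp that follows them, while "ProductName" stops after one byte and is classified as text. The same check applies to any strings hit from a 64-bit image: if the run decodes entirely as PUSH and REX bytes, it is code, not a marker someone planted in the file.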
Hi,
Thanks a lot again! … I personally won’t relax until I know what’s going on here! I’d really be glad if you could help me to resolve this mystery.
….
I think I forgot to mention, that I tried dozens (yes!) of Antivirus programs to find any evidence… and I always get the same answer “no virus”. I’m too many years in this business to know that there can’t be so many “WATAU’S”
simply because there are there. So you can imagine how curious I am about this WATAU. (You should know, most of my PC’s are “only” Test-Computers (to learn about Microsoft Products, especially those from Technet). So it’s basically
a “learning-issue” to me… or to discover something really bad and new!).
Here the (not complete) list of AV Progs:
• Microsoft Security Essentials is “the” Antivirus on all my PC’s
The following progs all boot with their own boot CD, and with different Operating Systems!
• Spybot - Search & Destroy
• Avira antivir
• Knopiccilin (heise.de) This is a CD you can boot from and checks with 3 different antivirus programs!
• Kaspersky
•
www.greatis.com, UnhackMe and the bootable Regrun Warrior CD
The following on without boot CD and only on the 32 bit machines:
• GMER
.... and many others!
….
Well I clicked on your link http://www.techspot.com/download317.html Then I clicked the hickack.exe download link and was redirected to
http://free.antivirus.com/hijackthis/ and downloaded the file (HijackThis.exe). It had no digital signature. MD5 was 9A2347903D6EDB84C10F288BC0578C1C (seems to be ok according my web search.) (I usually only
run signed Exe’s on my computers, I hope I wasn’t redirected….?)
I’m very tired but I hope my English is understandable.
(PS Perhaps you want me to send you my explorer.exe?)
Thanks and regards,
Martin
...
These two files of the HijackThis logfile have dozens!!! of WATAU's!!
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner -
Well, I'll risk you considering me a megalomaniac, because:
I recommend you: take this thread off the web and find out what's behind this WATAU! As there still isn't any usable info about it, but obviously there IS something bad - I'm quite sure - there is something bad - and you could find these "nice guys" who
are producing these troubles. But don't worry, I'm not offended if you think differently, but it's a piece of advice I had to give you ….
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:56:57, on 15.12.2010
Platform: Windows 7 SP1, v.721 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.7930.16406)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files (x86)\Safer Networking\FileAlyzer\FileAlyzer.exe
C:\Program Files (x86)\Total Uninstall 5\Tu.exe
Z:\Users\XXXAdminTabl\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
O4 - HKLM\..\Run: [SAOB Monitor] C:\Program Files (x86)\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Startup: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: taskmgr.exe.lnk = C:\Windows\System32\taskmgr.exe
O8 - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AC32AF-2949-4F37-A5BE-823766979A48}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CS2\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CS3\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup-Dienst (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Druckwarteschlange (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8336 bytes
________________________________________
MartinDS
I wanted to paste you some text from efssvc.dll, which I really don't like. But it's impossible to paste it! Even a simple text editor doesn't accept it....
December 17th, 2010 1:32pm
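What a `strings` hit like "WATAU" in a native 64-bit .exe or .dll actually is, as an added example that is not part of the thread: `strings` prints any run of printable ASCII bytes, and the bytes 0x57 0x41 0x54 0x41 0x55 (the letters W A T A U) are the x64 instructions push rdi / push r12 / push r13 of an ordinary function prologue that saves callee-saved registers, which is why the same "word" shows up in most 64-bit Windows binaries and why antivirus scanners rightly report nothing. The script decodes such a run and scans a sample blob; the blob and the longer run `@SUVWATAUAVH` (a typical complete prologue) are constructed for this example.

```python
# Added example (not from the thread): decode the ASCII run that `strings`
# prints from a native x64 binary back into the x64 instructions it encodes.
# All sample bytes below are constructed for this example.

REX_MIN, REX_MAX = 0x40, 0x4F   # REX prefix byte range
PUSH_BASE = 0x50                 # PUSH r64 opcodes are 0x50 + register number
REGS_LOW = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REGS_HIGH = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_push_run(data: bytes) -> list:
    """Decode a run of (optionally REX-prefixed) PUSH r64 instructions.

    Returns [(offset, mnemonic), ...]. Decoding stops at the first byte that is
    neither a REX prefix nor a PUSH r64 opcode, so the caller sees exactly which
    bytes form the run and what follows it.
    """
    out = []
    i = 0
    while i < len(data):
        start = i
        rex_b = False
        if REX_MIN <= data[i] <= REX_MAX:
            rex_b = bool(data[i] & 0x01)   # REX.B selects r8-r15
            i += 1
            if i >= len(data):
                break
        op = data[i]
        if not (PUSH_BASE <= op <= PUSH_BASE + 7):
            break
        reg = (REGS_HIGH if rex_b else REGS_LOW)[op - PUSH_BASE]
        out.append((start, f"push {reg}"))
        i += 1
    return out


def explain_strings_hit(text: str) -> list:
    """Take a line as printed by `strings` and return its decoding as x64 pushes."""
    return [m for _, m in decode_push_run(text.encode("latin-1"))]


def looks_like_prologue(data: bytes) -> bool:
    """True when a push run is followed by typical stack-frame setup:
    `sub rsp, imm` (48 83 EC / 48 81 EC) or `lea rbp, [rsp+..]` (48 8D 6C 24)."""
    pushes = decode_push_run(data)
    if len(pushes) < 2:
        return False
    last_off = pushes[-1][0]
    # the last decoded instruction is 2 bytes if it carried a REX prefix, else 1
    end = last_off + (2 if REX_MIN <= data[last_off] <= REX_MAX else 1)
    tail = data[end:end + 4]
    return tail[:3] in (b"\x48\x83\xec", b"\x48\x81\xec") or tail[:4] == b"\x48\x8d\x6c\x24"


def _is_run_byte(b: int) -> bool:
    return REX_MIN <= b <= REX_MAX or PUSH_BASE <= b <= PUSH_BASE + 7


def find_prologue_strings(blob: bytes, needle: bytes = b"WATAU") -> list:
    """Mimic `strings ... | findstr WATAU`: return every offset of the needle and
    whether the surrounding bytes decode as a real x64 function prologue."""
    hits = []
    pos = blob.find(needle)
    while pos != -1:
        start = pos
        # back up over preceding push/REX bytes so the whole run is decoded
        while start > 0 and _is_run_byte(blob[start - 1]):
            start -= 1
        hits.append((pos, looks_like_prologue(blob[start:start + 24])))
        pos = blob.find(needle, pos + 1)
    return hits


# Constructed sample: filler, `mov [rsp+8], rbx`, the push run, `sub rsp, 0x20`
# (the 'H' = 0x48 ending the run is its REX.W prefix), a few body bytes, and an
# unrelated occurrence of the same letters inside ordinary text.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"\x48\x89\x5c\x24\x08"
    + b"@SUVWATAUAVH"
    + b"\x83\xec\x20"
    + b"\x48\x8b\xd9" + b"\x00" * 8
    + b"This is WATAU in plain text\x00"
)

if __name__ == "__main__":
    for mnemonic in explain_strings_hit("@SUVWATAUAVH"):
        print(mnemonic)
    print(find_prologue_strings(SAMPLE_BLOB))   # [(17, True), (47, False)]
```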
Hi,
Thanks a lot again! … I personally won’t relax until I know what’s going on here! I’d really be glad if you could help me to resolve this mystery.
….
I think I forgot to mention, that I tried dozens (yes!) of Antivirus programs to find any evidence… and I always get the same answer “no virus”. I’m too many years in this business to know that there can’t be so many “WATAU’S”
simply because there are there. So you can imagine how curious I am about this WATAU. (You should know, most of my PC’s are “only” Test-Computers (to learn about Microsoft Products, especially those from Technet). So it’s basically
a “learning-issue” to me… or to discover something really bad and new!).
Here the (not complete) list of AV Progs:
• Microsoft Security Essentials is “the” Antivirus on all my PC’s
The following progs all boot with their own boot CD, and with different Operating Systems!
• Spybot - Search & Destroy
• Avira antivir
• Knopiccilin (heise.de) This is a CD you can boot from and checks with 3 different antivirus programs!
• Kaspersky
•
www.greatis.com, UnhackMe and the bootable Regrun Warrior CD
The following on without boot CD and only on the 32 bit machines:
• GMER
.... and many others!
….
Well I clicked on your link http://www.techspot.com/download317.html Then I clicked the hickack.exe download link and was redirected to
http://free.antivirus.com/hijackthis/ and downloaded the file (HijackThis.exe). It had no digital signature. MD5 was 9A2347903D6EDB84C10F288BC0578C1C (seems to be ok according my web search.) (I usually only
run signed Exe’s on my computers, I hope I wasn’t redirected….?)
I’m very tired but I hope my English is understandable.
(PS Perhaps you want me to send you my explorer.exe?)
Thanks and regards,
Martin
...
These two files of the hijackthis logfile have docens!!! of WATAU's.!!
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner -
Well, I'll risk you consider me a megalomaniac, because:
I recommend you: Take this thread off the web and find out what's behind this WATAU! As there still isn't any usable info about it, but obviously there IS something bad - I'm quite sure - ther is something bad - and you could find this "nice guys" who
are producing this troubles. But don't worry, I'm not offended if you think different, but it's an advice I had to tell you ….
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:56:57, on 15.12.2010
Platform: Windows 7 SP1, v.721 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.7930.16406)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files (x86)\Safer Networking\FileAlyzer\FileAlyzer.exe
C:\Program Files (x86)\Total Uninstall 5\Tu.exe
Z:\Users\XXXAdminTabl\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
O4 - HKLM\..\Run: [SAOB Monitor] C:\Program Files (x86)\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Startup: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: taskmgr.exe.lnk = C:\Windows\System32\taskmgr.exe
O8 - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AC32AF-2949-4F37-A5BE-823766979A48}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CS2\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O17 - HKLM\System\CS3\Services\Tcpip\..\{29D6B96D-5294-49B9-8376-165A9FD8CDBB}: NameServer = 195.186.1.111,195.186.4.111
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup-Dienst (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Druckwarteschlange (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8336 bytes
________________________________________
MartinDS
I wanted to paste you some text of efssvc.dll, which I really don't like. But it's impossible to paste it! Even a simple text editor doesn't accept it....
Well, now I'd really expect an answer from Microsoft. I don't even know if it's responsible to plug my USB sticks into my client's PC!!
It seems this issue is a real issue (for Microsoft)! I have Windows Firewall installed and Security Essentials (which are really fine products!). But I would like to know why there are so many WATAU files on my PCs? And it seems not to be a simple rootkit.
I found it also on my Server 2008 R2! So, please help me.
I'd be glad for any answer.
Sincerely,
Martin
MartinDS
December 17th, 2010 2:11pm
Hi,
Sorry for my delay.
From the log file, I noticed the following startup item:
O4-Global Startup: taskmgr.exe.lnk = C:\Windows\System32\taskmgr.exe
The description of this item is: Must be fixed! Added by the Startpage.G hijacker. Note - this is NOT the Windows Task Manager file!
Let us run hijackthis to fix it:
1. Run HiJackThis. (Note: If there is a notification message, please click OK.)
2. In the HiJackThis Window, click "Do a system scan only". (Note: If there is a notification message, please click OK.)
3. Check the checkboxes beside the malicious entries listed above and click the "Fix Checked" button.
4. Click Yes to begin fixing the infected files.
Regards,
December 21st, 2010 2:12am
Hi
"From the log file, I noticed the following startup item: O4-Global Startup: taskmgr.exe.lnk = C:\Windows\System32\taskmgr.exe"
This link I added myself, because I always want to have the Task Manager.
Sorry, I started HijackThis many times in the past; this doesn't solve my problem.
As I mentioned, I tried a lot and there is no solution:
"….
I think I forgot to mention that I tried dozens (yes!) of antivirus programs to find any evidence… and I always get the same answer, “no virus”. I’ve been too many years in this business to know that there can’t be so many “WATAU’S” simply because they are there. So you can imagine how curious I am about this WATAU. (You should know, most of my PCs are “only” test computers (to learn about Microsoft products, especially those from TechNet). So it’s basically a “learning issue” to me… or to discover something really bad and new!)
Here is the (not complete) list of AV progs:
• Microsoft Security Essentials is “the” antivirus on all my PCs
The following progs all boot with their own boot CD, and with different operating systems!
• Spybot - Search & Destroy
• Avira AntiVir
• Knoppicillin (heise.de) This is a CD you can boot from, and it checks with 3 different antivirus programs!
• Kaspersky
• www.greatis.com, UnhackMe and the bootable RegRun Warrior CD
The following without boot CD and only on the 32-bit machines:
• GMER
.... and many others!
….
"
So, please, I'd still appreciate to know what these "WATAU" mean, and whether my (test-)computers are really clean.
PS Did you check for "WATAU" on a 32-bit Windows? I found them on 64-bit Windows.
So, I apologize, but my question still wasn't answered.
Thanks a lot,
Martin
MartinDS
December 28th, 2010 4:43am