
Google search terms hijacked/random browser tabs opening


  • This topic is locked
27 replies to this topic

#1 mardek (Members, 23 posts)

Posted 18 January 2010 - 12:14 PM

This may actually be two different issues in one.

Saturday morning, I was unable to boot up my computer in anything but debugging mode. This turned out (most likely) to be because of SPTD.sys, which kept hanging during bootup. I renamed it, which seems to have worked. (I have Alcohol 52% so I can make isos to install things on a netbook.)

However, it seems that while I was googling for a solution to that problem, I somehow contracted a rootkit that I can't get rid of. It randomly opens tabs in Opera while I'm browsing. These come in two types:

1. Tries to direct me to "gammabutiratosgh.com", where I get a 404 error. This is usually via some innocent-sounding, but dormant domain like "electricalsupply.com".

2. Hijacks my google search terms (though apparently not if I use the search field in the browser toolbar) and redirects me to a site that claims my computer is infected and asks to install antivirus software. I prevent it from doing that, of course.

I also recently got a random tab with an Ask.com search for "trend antivirus", at hxxp://cryptdefence.com/search.php

I'm using Opera 10.10 on Windows XP Pro with SP2, Avira Antivir and Lavasoft Ad-Aware. Windows is on the C:\ drive, other programs and files on D:\. I currently cannot boot into safemode; my computer just restarts itself if I try.

I've scanned using both Avira and Ad-Aware, and found nothing. Also tried Trendmicro Housecall (running from Firefox, because it seems to be Opera that's infected) and found nothing there, either.

Measures I've undertaken so far are:

1. Doing a system restore to a point about a week ago.

2. Uninstalling and re-installing Opera, cleaning up the registry (and old files) in between using CCleaner.

3. Running smitfraudfix - in normal mode, since I can't get into safemode.

4. Using Sophos Anti-Rootkit. It detects a hidden file it can't remove at \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ and said it could remove one in the Opera application data; I removed that and three new ones took its place!

\Local Settings\Application Data\Opera\Opera\vps\0010\adoc.bx-g
\Local Settings\Application Data\Opera\Opera\vps\0010\url.axx-g
\Local Settings\Application Data\Opera\Opera\vps\0010\w.axx-g

Since none of that seemed to work, I decided I need the help of someone who knows what they're doing.

If all else fails, I do have a DriveImage XML backup of the C:\ drive from six weeks ago on a different physical drive in the same computer, but I'm not sure how I could restore it onto the system drive. (Since I don't have a second PC with a suitable slot where I could plug my C:\ in as a slave.)

And thanks for taking the time to do this, I appreciate it!

************************************************************


DDS (Ver_09-12-01.01) - NTFSx86
Run by Marleen at 17:56:51,34 on 18.01.2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1158 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WTouch\WTouchService.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programme\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Programme\Avira\AntiVir Desktop\avgnt.exe
D:\Programme\Adobe Acrobat Pro\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Pidgin\pidgin.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\Programme\Rainlendar2\Rainlendar2.exe
D:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Programme\Java\bin\jqs.exe
D:\Programme\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
D:\Programme\Opera\opera.exe
D:\Programme\AdAware\Lavasoft\Ad-Aware\AAWTray.exe
D:\Programme\AdAware\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Marleen Settings\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/dna/h2g2/brunel/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\programme\adobe acrobat pro\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\programme\java\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\programme\java\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Pidgin] d:\programme\pidgin\pidgin.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Rainlendar2] d:\programme\rainlendar2\Rainlendar2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avgnt] "d:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [Acrobat Assistant 7.0] "d:\programme\adobe acrobat pro\distillr\Acrotray.exe"
mRun: [<NO NAME>]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234993768015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marleen\applic~1\mozilla\firefox\profiles\rsl8doq3.default\
FF - plugin: c:\program files\adobe\reader\browser\nppdf32.dll
FF - plugin: d:\programme\java\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\programme\java\bin\new_plugin\npjp2.dll
FF - plugin: d:\programme\netscape6\nppl3260.dll
FF - plugin: d:\programme\netscape6\nprjplug.dll
FF - plugin: d:\programme\netscape6\nprpjplug.dll
FF - plugin: d:\programme\opera\program\plugins\npdsplay.dll
FF - plugin: d:\programme\opera\program\plugins\NPOFFICE.DLL
FF - plugin: d:\programme\opera\program\plugins\npqtplugin.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\programme\opera\program\plugins\NPSWF32.dll
FF - plugin: d:\programme\opera\program\plugins\npwmsdrm.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin7.dll
FF - plugin: d:\programme\vlc player\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
d:\programme\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-14 64288]
R1 avgio;avgio;d:\programme\avira\antivir desktop\avgio.sys [2009-7-16 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\programme\avira\antivir desktop\sched.exe [2009-7-16 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\programme\avira\antivir desktop\avguard.exe [2009-7-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-16 56816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\programme\adaware\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 StarWindServiceAE;StarWind AE Service;d:\programme\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-11-3 4408616]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-11-3 112936]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\a.tmp --> c:\windows\system32\A.tmp [?]
S3 Fs_retded;Fs_retded;c:\windows\system32\dcomcnfg.exe [2009-2-18 5120]
S3 Lanaoptnn;Lanaoptnn;c:\windows\system32\drivers\usbport.sys [2004-8-4 142976]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-3 15656]

=============== Created Last 30 ================

2010-01-16 16:16:18 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-16 00:22:59 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-16 00:22:59 1409 ----a-w- c:\windows\QTFont.for
2010-01-12 21:30:40 0 d-----w- c:\docume~1\marleen\applic~1\WTablet
2010-01-12 21:30:36 0 d-----w- c:\docume~1\marleen\applic~1\WTouch

==================== Find3M ====================

2010-01-17 20:22:15 1516 ----a-w- c:\windows\system32\tmp.reg
2009-12-08 12:02:36 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 17:58:06,56 ===============

Edited by mardek, 18 January 2010 - 01:04 PM.



#2 mardek (Topic Starter, Members, 23 posts)

Posted 23 January 2010 - 10:01 AM

On the advice of another forumite who knows what he's doing, I'm posting my GMER log, too.

I assume this is some sort of Vundo/Virtumonde infection, from what I've read. The first search terms it hijacked were when I was googling for solutions to the SPTD.sys problem, so I assume I picked it up then - but it might've been from Webcomicsnation; they've been having problems with malware in the banner ads lately.

Since my last post, I've switched to using a different computer - I kept losing connectivity, and then the NT shutdown error. I decided it was a good idea not to use it anymore, got the files I was working on out (disabled autorun and scanned the flash drive before opening - nothing suspicious on there, according to Avast) and shut it down normally.

When I turned it back on to use GMER (in normal mode), I got an error message that Windows had blocked its own Generic Host Process as potentially hazardous.



GMER crashed on the first try, ran for two hours on the second and then crashed the computer. (Froze up, ctrl+alt+delete didn't work.) Third try, after a full shut down, it restarted the computer a few minutes into the scan. Fourth time worked, logs below.

Oh, and in case it helps, I've not got a software firewall other than the Windows one, but there's a hardware firewall in the (cabled) router.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-23 15:02:02
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Marleen\LOCALS~1\Temp\kwxdypod.sys


---- System - GMER 1.0.15 ----

SSDT ACB131C6 ZwCreateKey
SSDT ACB131BC ZwCreateThread
SSDT ACB131CB ZwDeleteKey
SSDT ACB131D5 ZwDeleteValueKey
SSDT ACB131DA ZwLoadKey
SSDT ACB131A8 ZwOpenProcess
SSDT ACB131AD ZwOpenThread
SSDT ACB131E4 ZwReplaceKey
SSDT ACB131DF ZwRestoreKey
SSDT ACB131D0 ZwSetValueKey
SSDT ACB131B7 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89D32856

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Programme\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA3 0x7B 0xCD 0x9D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x08 0x94 0x42 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xF9 0x68 0x47 0x28 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Programme\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA3 0x7B 0xCD 0x9D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x08 0x94 0x42 0x95 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xF9 0x68 0x47 0x28 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
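The GMER output above is worth reading as three separate indicators rather than one: a cluster of SSDT hooks, a disk device object (\Device\Harddisk0\DR0 under \Driver\atapi) whose dispatch points at a bare address instead of a named driver, and an on-disk atapi.sys that GMER calls modified. The following is an added example by the editor, not part of the thread and not a GMER feature, that parses those lines (copied from the log above into a constructed sample) and turns them into findings, correlating the last two. The severity scale and the list of process-control routines are the editor's assumptions; the log does not say which driver owns the SSDT hooks, and the two security products installed on this machine are as plausible an owner as malware, so that finding is only "attribute it".

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the GMER log posted above, copied as-is.
GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT ACB131C6 ZwCreateKey
SSDT ACB131BC ZwCreateThread
SSDT ACB131CB ZwDeleteKey
SSDT ACB131D5 ZwDeleteValueKey
SSDT ACB131DA ZwLoadKey
SSDT ACB131A8 ZwOpenProcess
SSDT ACB131AD ZwOpenThread
SSDT ACB131E4 ZwReplaceKey
SSDT ACB131DF ZwRestoreKey
SSDT ACB131D0 ZwSetValueKey
SSDT ACB131B7 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89D32856

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

@dataclass
class Finding:
    severity: str   # "info", "medium" or "high" (editor's own scale, not GMER's)
    kind: str
    detail: str

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)")
DEVICE_RE = re.compile(r"^Device\s+->\s+(\\Driver\\\S+)\s+(\\Device\\\S+)\s+([0-9A-Fa-f]{8})$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)$")
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")

# Routines both security products and rootkits hook to protect or hide processes.
# Editor's assumption: a hook here means "find the owner", not "malware".
PROCESS_CONTROL = {"ZwOpenProcess", "ZwOpenThread", "ZwTerminateProcess", "ZwCreateThread"}

def driver_name(path: str) -> str:
    """'\\Driver\\atapi' or 'C:\\...\\drivers\\atapi.sys' -> 'atapi'."""
    base = path.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".sys") else base

def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    hooks: list[tuple[int, str]] = []       # (handler address, hooked routine)
    hooked_drivers: set[str] = set()        # drivers whose device dispatch is redirected
    modified_drivers: set[str] = set()      # drivers GMER reports as modified on disk
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "System" and (m := SSDT_RE.match(line)):
            hooks.append((int(m.group(1), 16), m.group(2)))
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            drv, dev, addr = m.groups()
            hooked_drivers.add(driver_name(drv))
            findings.append(Finding("high", "device-hook",
                f"{dev} ({drv}) dispatch points at unnamed address {addr}"))
        elif section == "Devices" and (m := ATTACHED_RE.match(line)):
            # A named, vendor-attributed filter (here the Microsoft filter manager) is normal.
            findings.append(Finding("info", "attached-device",
                f"{m.group(3)} attached to {m.group(1)} [{m.group(4)}]"))
        elif section == "Files" and (m := FILE_RE.match(line)):
            modified_drivers.add(driver_name(m.group(1)))
            findings.append(Finding("high", "modified-file", m.group(1)))
    if hooks:
        addrs = sorted(a for a, _ in hooks)
        names = sorted(n for _, n in hooks)
        sev = "medium" if PROCESS_CONTROL & set(names) else "info"
        findings.append(Finding(sev, "ssdt-hooks",
            f"{len(names)} SSDT entries hooked; handlers lie within "
            f"{addrs[-1] - addrs[0]} bytes ({addrs[0]:08X}-{addrs[-1]:08X}), "
            f"i.e. one hooking module: {', '.join(names)}"))
    # The strongest signal: the same driver is hooked in memory and altered on disk.
    for name in hooked_drivers & modified_drivers:
        findings.append(Finding("high", "correlated",
            f"device object hook and on-disk modification both point at {name}.sys"))
    return findings

if __name__ == "__main__":
    rank = {"high": 0, "medium": 1, "info": 2}
    for f in sorted(triage(GMER_LOG), key=lambda f: rank[f.severity]):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

The span check on the SSDT handlers (all eleven sit within 60 bytes of each other) is what tells you they belong to a single module, so one owner explains all of them; the device-object hook plus the modified atapi.sys is a different owner question, and that pairing is the part of this log a responder would chase first.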


#3 schrauber, Mr.Mechanic (Malware Response Team, 24,794 posts, Munich, Germany)

Posted 24 January 2010 - 12:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#4 mardek (Topic Starter, Members, 23 posts)

Posted 24 January 2010 - 03:41 PM

Hi, Schrauber, and thanks - downloading it now to transfer to the infected PC.

#5 mardek (Topic Starter, Members, 23 posts)

Posted 24 January 2010 - 03:48 PM

Ok, there we go. That seems to have been the same version of DDS as I originally used, but here's the newest scan.

Do you need the "Attach" file, too, or just the DDS one?


DDS (Ver_09-12-01.01) - NTFSx86
Run by Marleen at 21:42:56,43 on 24.01.2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1544 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WTouch\WTouchService.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programme\Avira\AntiVir Desktop\sched.exe
svchost.exe
D:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Programme\Java\bin\jqs.exe
D:\Programme\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Programme\Avira\AntiVir Desktop\avgnt.exe
D:\Programme\Adobe Acrobat Pro\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Rainlendar2\Rainlendar2.exe
D:\Programme\Adobe Acrobat Pro\Acrobat\acrobat_sl.exe
D:\Marleen Settings\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/dna/h2g2/brunel/A53308361
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\programme\adobe acrobat pro\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\programme\java\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\programme\java\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Pidgin] d:\programme\pidgin\pidgin.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Rainlendar2] d:\programme\rainlendar2\Rainlendar2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avgnt] "d:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [Acrobat Assistant 7.0] "d:\programme\adobe acrobat pro\distillr\Acrotray.exe"
mRun: [<NO NAME>]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\programme\adobe acrobat pro\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234993768015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marleen\applic~1\mozilla\firefox\profiles\rsl8doq3.default\
FF - plugin: c:\program files\adobe\reader\browser\nppdf32.dll
FF - plugin: d:\programme\java\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\programme\java\bin\new_plugin\npjp2.dll
FF - plugin: d:\programme\netscape6\nppl3260.dll
FF - plugin: d:\programme\netscape6\nprjplug.dll
FF - plugin: d:\programme\netscape6\nprpjplug.dll
FF - plugin: d:\programme\opera\program\plugins\npdsplay.dll
FF - plugin: d:\programme\opera\program\plugins\NPOFFICE.DLL
FF - plugin: d:\programme\opera\program\plugins\npqtplugin.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\programme\opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\programme\opera\program\plugins\NPSWF32.dll
FF - plugin: d:\programme\opera\program\plugins\npwmsdrm.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\programme\quicktime\plugins\npqtplugin7.dll
FF - plugin: d:\programme\vlc player\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
d:\programme\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-14 64288]
R1 avgio;avgio;d:\programme\avira\antivir desktop\avgio.sys [2009-7-16 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\programme\avira\antivir desktop\sched.exe [2009-7-16 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\programme\avira\antivir desktop\avguard.exe [2009-7-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-16 56816]
R2 StarWindServiceAE;StarWind AE Service;d:\programme\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-11-3 4408616]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-11-3 112936]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\programme\adaware\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S3 Fs_retded;Fs_retded;c:\windows\system32\dcomcnfg.exe [2009-2-18 5120]
S3 Lanaoptnn;Lanaoptnn;c:\windows\system32\drivers\usbport.sys [2004-8-4 142976]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-3 15656]

=============== Created Last 30 ================

2010-01-19 01:22:08 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-19 01:07:10 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-19 01:07:02 0 d-----w- c:\windows\system32\ZoneLabs
2010-01-19 01:07:01 422437 ----a-w- c:\windows\system32\vsconfig.xml
2010-01-19 01:06:17 0 d-----w- c:\windows\Internet Logs
2010-01-18 22:46:42 0 d-----w- c:\windows\system32\lowsec
2010-01-16 00:22:59 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-16 00:22:59 1409 ----a-w- c:\windows\QTFont.for
2010-01-12 21:30:40 0 d-----w- c:\docume~1\marleen\applic~1\WTablet
2010-01-12 21:30:36 0 d-----w- c:\docume~1\marleen\applic~1\WTouch

==================== Find3M ====================

2010-01-17 20:22:15 1516 ----a-w- c:\windows\system32\tmp.reg
2009-12-08 12:02:36 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 21:44:19,59 ===============
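The two DDS logs in this thread (18 and 24 January) share a SERVICES / DRIVERS layout: `<R|S><start type> <name>;<display name>;<image path> [<date> <size>]`, with `[?]` where DDS could not find the image. What a responder wants from that section is (a) entries whose image path or naming does not make sense and (b) what changed between the two runs. The following is an added example by the editor, not from the thread and not a DDS feature, that parses a constructed sample (lines copied from the two sections above, trimmed to the entries that matter for the comparison), applies the editor's own heuristics, and diffs the runs. The heuristics are assumptions and every hit is a lead to attribute, not a verdict: anti-rootkit scanners routinely install randomly named drivers (the GMER run above loaded one called kwxdypod.sys), so a random-looking service name on its own proves nothing.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed samples: service lines copied from the two DDS logs posted above.
DDS_JAN18 = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-14 64288]
R2 AntiVirService;Avira AntiVir Guard;d:\programme\avira\antivir desktop\avguard.exe [2009-7-16 185089]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\programme\adaware\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\a.tmp --> c:\windows\system32\A.tmp [?]
S3 Fs_retded;Fs_retded;c:\windows\system32\dcomcnfg.exe [2009-2-18 5120]
S3 Lanaoptnn;Lanaoptnn;c:\windows\system32\drivers\usbport.sys [2004-8-4 142976]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-3 15656]
"""
DDS_JAN24 = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-14 64288]
R2 AntiVirService;Avira AntiVir Guard;d:\programme\avira\antivir desktop\avguard.exe [2009-7-16 185089]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\programme\adaware\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S3 Fs_retded;Fs_retded;c:\windows\system32\dcomcnfg.exe [2009-2-18 5120]
S3 Lanaoptnn;Lanaoptnn;c:\windows\system32\drivers\usbport.sys [2004-8-4 142976]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-3 15656]
"""

# R/S = running/stopped; start 0 boot, 1 system, 2 auto, 3 demand; "[?]" = image not found.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")

@dataclass
class Service:
    state: str
    start: int
    name: str
    display: str
    path: str
    file_known: bool

def parse_services(section: str) -> dict[str, Service]:
    services: dict[str, Service] = {}
    for line in section.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        if "-->" in path:                       # "\??\x --> x": keep the resolved path
            path = path.split("-->")[-1].strip()
        services[m["name"]] = Service(m["state"], int(m["start"]), m["name"],
                                      m["display"], path.lower(), m["meta"] != "?")
    return services

def suspicious(svc: Service) -> list[str]:
    """Editor's heuristics; each reason is something to attribute, not a verdict."""
    reasons: list[str] = []
    base = svc.path.rsplit("\\", 1)[-1]         # e.g. "a.tmp"
    stem, _, ext = base.rpartition(".")
    if ext == "tmp":
        reasons.append("image is a .tmp file")
    if not svc.file_known:
        reasons.append("image file not found on disk")
    # Legitimate services share a chunk of their name (or display name) with their
    # image file; a random-looking name bound to a stock Windows binary does not.
    labels = f"{svc.name} {svc.display}".lower()
    k = min(4, len(stem))
    if not any(stem[i:i + k] in labels for i in range(len(stem) - k + 1)):
        reasons.append(f"service name {svc.name!r} unrelated to image {base!r}")
    return reasons

def diff_services(old: dict[str, Service], new: dict[str, Service]) -> list[str]:
    """+ added, - removed, ~ state/start type changed between two DDS runs."""
    changes: list[str] = []
    for name in sorted(set(old) | set(new)):
        a, b = old.get(name), new.get(name)
        if a is None:
            changes.append(f"+ {name} ({b.path})")
        elif b is None:
            changes.append(f"- {name} ({a.path})")
        elif (a.state, a.start) != (b.state, b.start):
            changes.append(f"~ {name} {a.state}{a.start} -> {b.state}{b.start}")
    return changes

if __name__ == "__main__":
    old, new = parse_services(DDS_JAN18), parse_services(DDS_JAN24)
    for svc in old.values():
        for reason in suspicious(svc):
            print(f"{svc.name}: {reason}")
    print("\n".join(diff_services(old, new)))
```

On the sample, the name-versus-image test singles out the same three entries a human reviewer would circle (MEMSWEEP2, Fs_retded, Lanaoptnn) while leaving the vendor services alone, and the diff shows that between the two runs MEMSWEEP2 vanished and the Ad-Aware service went from running (R2) to stopped (S2), which matches the second log's header reporting on-access protection disabled.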


#6 schrauber, Mr.Mechanic (Malware Response Team, 24,794 posts, Munich, Germany)

Posted 25 January 2010 - 12:30 PM

Hello, mardek, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#7 mardek

  • Topic Starter
  • Members
  • 23 posts

Posted 25 January 2010 - 01:03 PM

Hello again, Tom.

I've already posted a GMER log in Post 2, on Grinler's advice. Since I've not changed anything since, do you really need another one? It took hours to complete last time, and only scanned all the way through on the fourth try...

#8 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 25 January 2010 - 01:26 PM

Sorry, need glasses


Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#9 mardek

  • Topic Starter
  • Members
  • 23 posts

Posted 25 January 2010 - 01:44 PM

Scanning now.

(Not online with my shields down; I've just switched computers.)

#10 mardek

  • Topic Starter
  • Members
  • 23 posts

Posted 25 January 2010 - 02:47 PM

Ok, here it is. (Got the NT shutdown thing twice while trying to run it... And when it restarted, I couldn't disable Avira, so had to keep telling it to ignore it.)

ComboFix 10-01-24.05 - Marleen 25.01.2010 20:11:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1553 [GMT 1:00]
Running from: d:\marleen settings\Desktop\schrauber.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Uninstall.lnk
c:\windows\explorer.exe.tmp
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\twain_32.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-19 01:22 . 2010-01-19 01:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-19 01:07 . 2010-01-19 01:07 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-19 01:07 . 2010-01-19 01:21 -------- d-----w- c:\windows\system32\ZoneLabs
2010-01-19 01:06 . 2010-01-19 01:21 -------- d-----w- c:\windows\Internet Logs
2010-01-15 13:17 . 2010-01-15 13:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-12 21:30 . 2010-01-25 19:27 -------- d-----w- c:\documents and settings\Marleen\Application Data\WTablet
2010-01-12 21:30 . 2010-01-12 21:31 -------- d-----w- c:\documents and settings\Marleen\Application Data\WTouch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 19:28 . 2009-02-19 21:12 -------- d-----w- c:\documents and settings\Marleen\Application Data\.purple
2010-01-25 19:28 . 2009-03-13 16:52 -------- d-----w- c:\documents and settings\Marleen\Application Data\Skype
2010-01-23 10:36 . 2009-09-07 17:08 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-23 10:36 . 2009-09-07 17:08 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-01-19 01:21 . 2009-02-18 05:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-07 16:37 . 2009-10-28 22:37 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-22 16:39 . 2009-10-14 21:37 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-22 16:39 . 2009-10-14 21:37 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-22 16:39 . 2009-10-14 21:37 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-22 16:39 . 2009-10-14 21:37 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-22 16:39 . 2009-10-14 21:37 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-22 16:39 . 2009-10-14 21:37 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-22 16:38 . 2009-10-14 21:36 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-22 16:38 . 2009-10-14 21:36 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-22 16:38 . 2009-10-14 21:36 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-22 16:38 . 2009-10-14 21:36 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-22 16:38 . 2009-10-14 21:36 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-22 16:38 . 2009-10-14 21:36 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-22 11:11 . 2009-11-17 20:22 -------- d-----w- c:\documents and settings\Marleen\Application Data\vlc
2009-12-08 12:02 . 2009-07-16 09:47 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-26 21:00 . 2009-02-19 22:57 -------- d-----w- c:\program files\OpenOffice.org 2.1
2009-11-21 22:37 . 2009-10-14 21:37 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-11-21 22:37 . 2009-10-14 21:36 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-21 22:37 . 2009-10-14 21:36 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-21 22:37 . 2009-10-17 21:37 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-21 16:36 . 2004-08-04 00:56 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-04 00:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 22:37 . 2009-10-28 22:37 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-10-28 22:37 . 2009-10-28 22:37 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-10-28 22:37 . 2009-10-28 22:37 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-10-28 22:37 . 2009-10-28 22:37 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-10-28 22:37 . 2009-10-28 22:37 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-10-28 22:37 . 2009-10-28 22:37 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-10-28 22:37 . 2009-10-28 22:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 22:37 . 2009-10-28 22:37 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pidgin"="d:\programme\Pidgin\pidgin.exe" [2009-03-02 45603]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-11 24095528]
"Rainlendar2"="d:\programme\Rainlendar2\Rainlendar2.exe" [2009-02-21 4333568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-30 16864768]
"avgnt"="d:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Acrobat Assistant 7.0"="d:\programme\Adobe Acrobat Pro\Distillr\Acrotray.exe" [2004-12-14 483328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-9-19 25214]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat - Schnellstart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat - Schnellstart.lnk
backup=c:\windows\pss\Adobe Acrobat - Schnellstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Watch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Watch.lnk
backup=c:\windows\pss\Watch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Marleen Settings^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=d:\marleen settings\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 15:10 35696 ----a-w- c:\program files\Adobe\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\After Dark QuickAccess]
1996-09-26 02:00 33792 ----a-w- d:\programme\After Dark\After Dark.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 15:20 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-11-23 00:24 203208 ----a-w- d:\programme\Alcohol 52\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-10-19 19:16 286720 ----a-w- d:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-01 23:23 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-29 11:38 148888 ----a-w- d:\programme\Java\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Programme\\Opera\\opera.exe"=
"d:\\Programme\\Pidgin\\pidgin.exe"=
"d:\\Programme\\Graphisoft\\ArchiCAD 11\\ArchiCAD.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14.10.2009 22:37 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\programme\Avira\AntiVir Desktop\sched.exe [16.07.2009 10:47 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\programme\AdAware\Lavasoft\Ad-Aware\AAWService.exe [24.09.2009 12:17 1181328]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [03.11.2009 13:02 4408616]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [03.11.2009 13:03 112936]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 Fs_retded;Fs_retded;c:\windows\system32\dcomcnfg.exe [18.02.2009 06:14 5120]
S3 Lanaoptnn;Lanaoptnn;c:\windows\system32\drivers\usbport.sys [04.08.2004 00:08 142976]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [03.11.2009 13:02 15656]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- d:\programme\AdAware\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:37]

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- d:\programme\AdAware\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:37]

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- d:\programme\AdAware\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:37]

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- d:\programme\AdAware\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:37]

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- d:\programme\AdAware\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/dna/h2g2/brunel/A53308361
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - d:\programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marleen\Application Data\Mozilla\Firefox\Profiles\rsl8doq3.default\
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: d:\programme\Java\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\programme\Java\bin\new_plugin\npjp2.dll
FF - plugin: d:\programme\Netscape6\nppl3260.dll
FF - plugin: d:\programme\Netscape6\nprjplug.dll
FF - plugin: d:\programme\Netscape6\nprpjplug.dll
FF - plugin: d:\programme\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\programme\Opera\program\plugins\NPOFFICE.DLL
FF - plugin: d:\programme\Opera\program\plugins\npqtplugin.dll
FF - plugin: d:\programme\Opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\programme\Opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\programme\Opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\programme\Opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\programme\Opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\programme\Opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\programme\Opera\program\plugins\NPSWF32.dll
FF - plugin: d:\programme\Opera\program\plugins\npwmsdrm.dll
FF - plugin: d:\programme\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\programme\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\programme\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\programme\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\programme\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\programme\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\programme\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\programme\VLC Player\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Acrobat Assistant 8 - d:\programme\Adobe CS3\Acrobat 8.0\Acrobat\Acrotray.exe
MSConfigStartUp-Gtwatch - c:\windows\gtwatch.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 20:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3388)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\WTouch\WTouchUser.exe
d:\programme\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\programme\Java\bin\jqs.exe
d:\programme\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\RTHDCPL.EXE
d:\programme\Adobe Acrobat Pro\Acrobat\acrobat_sl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
d:\programme\AdAware\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-01-25 20:31:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 19:31

Pre-Run: 6.346.031.104 bytes free
Post-Run: 6.515.322.880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - B3F3DE415BC6F4724DB2F008F9ECFD84

Edited by mardek, 25 January 2010 - 02:48 PM.

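The ComboFix log above lists loading points (Run values and R0/R2/S0/S3 service entries) followed by a bracketed timestamp and file size, or `[X]` / `[?]` where it could not find the file on disk (as with the renamed sptd.sys). As an added example, not part of this thread and not ComboFix's own code, here is a small Python parser over a few lines copied from that log; it extracts those entries and lists the unresolved ones so a helper can check them against the rest of the log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the ComboFix log posted
# above, so the parser runs offline. The real log has many more entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-30 16864768]
"avgnt"="d:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14.10.2009 22:37 64288]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 Fs_retded;Fs_retded;c:\windows\system32\dcomcnfg.exe [18.02.2009 06:14 5120]
"""

# Registry key header, Run value line, and service line as ComboFix prints them.
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)


@dataclass
class Entry:
    kind: str                        # "run" (registry Run value) or "service"
    name: str
    image: str                       # command line or image path as printed
    reg_key: Optional[str] = None    # Run key the value lives under
    start: Optional[str] = None      # R0/R2/S0/S3 start marker for services
    size: Optional[int] = None       # file size from the bracketed metadata
    resolved: bool = True            # False when ComboFix printed [X] or [?]


def _parse_meta(meta: str):
    """Return (resolved, size). ComboFix prints [X] or [?] instead of a
    timestamp and size when it could not find the file on disk."""
    meta = meta.strip()
    if meta in ("X", "?"):
        return False, None
    return True, int(meta.split()[-1])


def parse_combofix(text: str) -> List[Entry]:
    """Extract Run values and service entries from a ComboFix log excerpt."""
    entries: List[Entry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m:
            resolved, size = _parse_meta(m.group("meta"))
            entries.append(Entry("run", m.group("name"), m.group("cmd"),
                                 reg_key=current_key, size=size, resolved=resolved))
            continue
        m = SVC_RE.match(line)
        if m:
            resolved, size = _parse_meta(m.group("meta"))
            # "registered --> actual" form: keep the registered path only
            image = m.group("rest").split(" --> ")[0]
            entries.append(Entry("service", m.group("name"), image,
                                 start=m.group("start"), size=size, resolved=resolved))
    return entries


def unresolved_names(entries: List[Entry]) -> List[str]:
    """Names of loading points whose file ComboFix could not find; these are
    the first thing a helper cross-checks against the rest of the log."""
    return [e.name for e in entries if not e.resolved]


if __name__ == "__main__":
    for e in parse_combofix(SAMPLE_LOG):
        flag = "" if e.resolved else "  <-- file not found"
        print(f"{e.kind:7} {e.name:16} {e.image}{flag}")
```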

#11 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 26 January 2010 - 03:30 PM

Hi,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


#12 mardek

  • Topic Starter
  • Members
  • 23 posts

Posted 26 January 2010 - 03:54 PM

Ok, posting the results of both now. Oddly, Anti-Malware didn't find anything, but here's the log anyway:

Malwarebytes' Anti-Malware 1.44
Database version: 3642
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

26.01.2010 21:43:39
mbam-log-2010-01-26 (21-43-39).txt

Scan type: Quick Scan
Objects scanned: 117193
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL:


OTL logfile created on: 26.01.2010 21:45:02 - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = D:\Marleen Settings\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 72,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 90,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24,41 Gb Total Space | 6,06 Gb Free Space | 24,81% Space Free | Partition Type: NTFS
Drive D: | 208,46 Gb Total Space | 164,74 Gb Free Space | 79,02% Space Free | Partition Type: NTFS
Drive E: | 232,88 Gb Total Space | 116,70 Gb Free Space | 50,11% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 981,05 Mb Total Space | 540,96 Mb Free Space | 55,14% Space Free | Partition Type: FAT32

Computer Name: YOUR-B7958E5825
Current User Name: Marleen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010.01.26 21:34:36 | 00,548,352 | ---- | M] (OldTimer Tools) -- D:\Marleen Settings\Desktop\OTL.exe
PRC - [2009.12.19 23:37:15 | 00,788,880 | ---- | M] (Lavasoft) -- D:\Programme\AdAware\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009.12.19 23:37:14 | 01,181,328 | ---- | M] (Lavasoft) -- D:\Programme\AdAware\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009.08.05 11:36:00 | 00,185,089 | ---- | M] (Avira GmbH) -- D:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2009.07.29 12:38:57 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- D:\Programme\Java\bin\jqs.exe
PRC - [2009.07.15 17:13:06 | 03,662,632 | ---- | M] (Wacom Technology, Corp.) -- C:\Program Files\WTouch\WTouchUser.exe
PRC - [2009.07.15 17:13:04 | 00,393,512 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
PRC - [2009.07.15 17:13:04 | 00,112,936 | ---- | M] (Wacom Technology, Corp.) -- C:\Program Files\WTouch\WTouchService.exe
PRC - [2009.07.15 17:13:02 | 04,408,616 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe
PRC - [2009.05.13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- D:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2009.03.02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- D:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009.02.21 09:18:24 | 04,333,568 | ---- | M] () -- D:\Programme\Rainlendar2\Rainlendar2.exe
PRC - [2009.01.14 05:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008.09.30 18:01:00 | 16,864,768 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2007.06.13 11:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007.05.28 17:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) -- D:\Programme\Alcohol 52\StarWind\StarWindServiceAE.exe
PRC - [2006.02.28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2004.12.14 01:12:02 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- D:\Programme\Adobe Acrobat Pro\Distillr\acrotray.exe
PRC - [2004.08.04 01:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2001.08.23 21:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe


========== Modules (SafeList) ==========

MOD - [2010.01.26 21:34:36 | 00,548,352 | ---- | M] (OldTimer Tools) -- D:\Marleen Settings\Desktop\OTL.exe
MOD - [2006.08.25 16:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009.12.19 23:37:14 | 01,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- D:\Programme\AdAware\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009.09.19 01:23:14 | 00,069,632 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2009.08.05 11:36:00 | 00,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- D:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.07.29 12:38:57 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- D:\Programme\Java\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009.07.15 17:13:04 | 00,112,936 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\Program Files\WTouch\WTouchService.exe -- (WTouchService)
SRV - [2009.07.15 17:13:02 | 04,408,616 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\WINDOWS\system32\Pen_Tablet.exe -- (TabletServicePen)
SRV - [2009.05.13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- D:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009.03.23 21:49:10 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.01.14 06:05:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2009.01.14 05:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007.05.28 17:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- D:\Programme\Alcohol 52\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2006.02.28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2005.04.04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003.07.28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2001.08.23 21:00:00 | 00,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dcomcnfg.exe -- (Fs_retded)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/dna/h2g2/brunel/A53308361
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: D:\Programme\Java\lib\deploy\jqs\ff [2009.07.29 12:38:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: D:\Programme\Firefox\components [2010.01.10 13:49:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: D:\Programme\Firefox\plugins [2010.01.10 13:49:43 | 00,000,000 | ---D | M]

[2009.08.02 20:37:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marleen\Application Data\Mozilla\Extensions
[2010.01.19 02:21:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marleen\Application Data\Mozilla\Firefox\Profiles\rsl8doq3.default\extensions

O1 HOSTS File: ([2010.01.25 20:27:41 | 00,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe Acrobat Pro\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Programme\Java\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Programme\Java\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] D:\Programme\Adobe Acrobat Pro\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [avgnt] D:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKCU..\Run: [Pidgin] D:\Programme\Pidgin\pidgin.exe (The Pidgin developer community)
O4 - HKCU..\Run: [Rainlendar2] D:\Programme\Rainlendar2\Rainlendar2.exe ()
O4 - HKCU..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - D:\Programme\Adobe Acrobat Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1234993768015 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Marleen\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Marleen\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.02.18 06:18:19 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009.10.12 21:49:22 | 00,200,200 | ---- | M] () - D:\AUTO.pat -- [ NTFS ]
O32 - AutoRun File - [2009.10.12 21:49:22 | 00,007,316 | ---- | M] () - D:\AUTO.pst -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009.02.17 21:59:56 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (53765113575899136)

========== Files/Folders - Created Within 14 Days ==========

[2010.01.26 21:39:32 | 00,548,352 | ---- | C] (OldTimer Tools) -- D:\Marleen Settings\Desktop\OTL.exe
[2010.01.26 21:39:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Marleen\Application Data\Malwarebytes
[2010.01.26 21:39:17 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.01.26 21:39:15 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.01.26 21:39:15 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.01.26 21:39:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.01.26 21:38:52 | 05,115,824 | ---- | C] (Malwarebytes Corporation ) -- D:\Marleen Settings\Desktop\mbam-setup.exe
[2010.01.25 20:02:55 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2010.01.25 20:01:45 | 00,000,000 | ---D | C] -- C:\schrauber
[2010.01.25 19:46:19 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010.01.25 19:46:19 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010.01.25 19:46:19 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010.01.25 19:46:19 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010.01.25 19:46:04 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010.01.25 19:45:31 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010.01.19 02:21:49 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Marleen\Recent
[2010.01.19 02:07:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010.01.19 02:06:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010.01.18 18:25:03 | 00,000,000 | ---D | C] -- D:\My Documents\Fotos
[2010.01.18 18:24:29 | 00,000,000 | ---D | C] -- D:\My Documents\Thesis
[2010.01.18 18:22:16 | 00,000,000 | ---D | C] -- D:\My Documents\Jannika-Leipzig
[2010.01.16 22:22:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Marleen\Desktop
[2010.01.16 17:16:09 | 00,000,000 | ---D | C] -- D:\Marleen Settings\Desktop\Hannover Dezember 09
[2010.01.16 16:14:54 | 00,000,000 | ---D | C] -- D:\My Documents\Downloads
[2010.01.13 21:39:34 | 00,000,000 | ---D | C] -- D:\Marleen Settings\Desktop\postpics
[2010.01.12 22:30:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Marleen\Application Data\WTablet
[2010.01.12 22:30:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Marleen\Application Data\WTouch
[2009.03.25 00:16:26 | 00,018,120 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\gt680x.sys
[2009.02.18 06:21:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009.02.18 06:21:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009.02.18 06:18:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009.02.18 06:18:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010.01.26 21:39:22 | 06,029,312 | ---- | M] () -- C:\Documents and Settings\Marleen\ntuser.dat
[2010.01.26 21:39:19 | 00,000,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.01.26 21:35:54 | 00,000,488 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010.01.26 21:35:54 | 00,000,488 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010.01.26 21:35:54 | 00,000,488 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010.01.26 21:35:53 | 00,000,488 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010.01.26 21:35:53 | 00,000,488 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010.01.26 21:35:26 | 05,115,824 | ---- | M] (Malwarebytes Corporation ) -- D:\Marleen Settings\Desktop\mbam-setup.exe
[2010.01.26 21:35:12 | 00,002,143 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010.01.26 21:35:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.01.26 21:35:02 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.01.26 21:35:00 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.01.26 21:34:36 | 00,548,352 | ---- | M] (OldTimer Tools) -- D:\Marleen Settings\Desktop\OTL.exe
[2010.01.25 22:42:24 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Marleen\ntuser.ini
[2010.01.25 22:42:19 | 25,066,224 | -H-- | M] () -- C:\Documents and Settings\Marleen\Local Settings\Application Data\IconCache.db
[2010.01.25 20:27:56 | 00,000,277 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.01.25 20:27:41 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.01.25 20:03:01 | 00,000,293 | RHS- | M] () -- C:\boot.ini
[2010.01.25 19:43:04 | 03,835,974 | R--- | M] () -- D:\Marleen Settings\Desktop\schrauber.exe
[2010.01.24 21:39:12 | 00,524,288 | ---- | M] () -- D:\Marleen Settings\Desktop\dds.scr
[2010.01.23 11:36:03 | 00,000,054 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2010.01.23 11:36:03 | 00,000,039 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2010.01.22 16:23:06 | 00,284,915 | ---- | M] () -- D:\Marleen Settings\Desktop\gmer.zip
[2010.01.19 02:07:28 | 00,422,437 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010.01.19 02:07:10 | 00,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010.01.17 13:44:25 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010.01.16 22:22:19 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Marleen\Local Settings\Application Data\housecall.guid.cache
[2010.01.16 01:22:59 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.01.26 21:39:19 | 00,000,703 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.01.25 20:03:00 | 00,000,223 | ---- | C] () -- C:\Boot.bak
[2010.01.25 20:02:56 | 00,260,272 | ---- | C] () -- C:\cmldr
[2010.01.25 19:46:19 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010.01.25 19:46:19 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010.01.25 19:46:19 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010.01.25 19:46:19 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010.01.25 19:46:19 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010.01.25 19:45:15 | 03,835,974 | R--- | C] () -- D:\Marleen Settings\Desktop\schrauber.exe
[2010.01.24 21:42:50 | 00,524,288 | ---- | C] () -- D:\Marleen Settings\Desktop\dds.scr
[2010.01.23 00:17:38 | 00,293,376 | ---- | C] () -- D:\Marleen Settings\Desktop\gmer.exe
[2010.01.23 00:17:34 | 00,284,915 | ---- | C] () -- D:\Marleen Settings\Desktop\gmer.zip
[2010.01.19 02:07:10 | 00,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010.01.19 02:07:01 | 00,422,437 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010.01.17 21:37:05 | 06,029,312 | ---- | C] () -- C:\Documents and Settings\Marleen\ntuser.dat
[2010.01.16 22:22:19 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Marleen\Local Settings\Application Data\housecall.guid.cache
[2010.01.16 01:22:59 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010.01.16 01:22:59 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009.05.06 20:14:03 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2009.04.22 18:10:09 | 00,000,041 | ---- | C] () -- C:\WINDOWS\ad_prefs.ini
[2009.03.25 00:13:03 | 00,000,492 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009.03.16 23:00:04 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009.03.10 22:31:12 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009.02.20 03:20:49 | 00,010,752 | ---- | C] () -- C:\Documents and Settings\Marleen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.02.20 02:01:53 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Ui.INI
[2009.02.20 01:51:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WATCH.INI
[2009.02.19 23:06:40 | 00,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2001.06.18 11:53:40 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\bpenhan.dll
[1998.06.11 20:38:06 | 00,095,232 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll

========== LOP Check ==========

[2009.10.17 20:17:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Firefly Studios
[2009.10.14 22:35:57 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2010.01.26 21:38:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marleen\Application Data\.purple
[2009.04.03 12:20:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marleen\Application Data\Canon
[2009.10.19 23:01:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marleen\Application Data\Graphisoft
[2009.09.15 00:07:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marleen\Application Data\gtk-2.0
[2009.02.19 21:31:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marleen\Application Data\Opera
[2010.01.12 22:31:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marleen\Application Data\WTouch
[2010.01.26 21:35:53 | 00,000,488 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010.01.26 21:35:53 | 00,000,488 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010.01.26 21:35:54 | 00,000,488 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010.01.26 21:35:54 | 00,000,488 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010.01.26 21:35:54 | 00,000,488 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004.08.04 02:05:44 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2004.08.04 02:05:44 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004.08.03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004.08.03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004.08.03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004.08.03 23:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
[2004.08.03 23:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004.08.04 01:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004.08.04 01:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004.08.04 01:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2009.02.06 19:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009.02.06 19:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004.08.04 01:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004.08.04 01:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004.08.04 01:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004.08.04 01:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004.08.04 01:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004.08.04 01:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >


OTL Extras:


OTL Extras logfile created on: 26.01.2010 21:45:02 - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = D:\Marleen Settings\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 72,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 90,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24,41 Gb Total Space | 6,06 Gb Free Space | 24,81% Space Free | Partition Type: NTFS
Drive D: | 208,46 Gb Total Space | 164,74 Gb Free Space | 79,02% Space Free | Partition Type: NTFS
Drive E: | 232,88 Gb Total Space | 116,70 Gb Free Space | 50,11% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 981,05 Mb Total Space | 540,96 Mb Free Space | 55,14% Space Free | Partition Type: FAT32

Computer Name: YOUR-B7958E5825
Current User Name: Marleen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- D:\Programme\Opera\Opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "D:\Programme\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\Programme\VLC Player\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Programme\VLC Player\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Computer, Inc.)
"D:\Programme\Opera\opera.exe" = D:\Programme\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"D:\Programme\Pidgin\pidgin.exe" = D:\Programme\Pidgin\pidgin.exe:*:Enabled:Pidgin -- (The Pidgin developer community)
"D:\Programme\Graphisoft\ArchiCAD 11\ArchiCAD.exe" = D:\Programme\Graphisoft\ArchiCAD 11\ArchiCAD.exe:*:Disabled:ArchiCAD 11.0.0 Component -- (Graphisoft R&D)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{00060000-0000-1004-8002-0000C06B5161}" = WIBU-KEY Setup (WIBU-KEY Remove)
"{02AF8333-27BE-35F1-B5B6-EBCD89F846AF}" = Catalyst Control Center Localization Spanish
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0C5AA351-4C6B-8452-0DEB-DD9FFF4DB53F}" = CCC Help Chinese Standard
"{0D94B4A1-E09B-87B8-5FFD-6F720B5430BD}" = CCC Help French
"{0FA8B0C1-CBBD-5348-CA3F-B6EE90B7F186}" = Catalyst Control Center Graphics Light
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4803" = CanoScan 4400F
"{137603DC-0050-D41D-DAEF-9CC1D6899B7B}" = Catalyst Control Center Localization Chinese Traditional
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1A6570E5-D0C8-CEC5-C8AE-EE6EB1C72286}" = CCC Help German
"{1F4547C5-F62E-BA06-17D7-37EDB842D0FA}" = CCC Help Korean
"{21199F32-B676-4FE2-A443-EF7DB6B8FD4F}" = Opera 10.10
"{2191089C-FCB6-0DE1-8DFA-62481BA15887}" = CCC Help Polish
"{23DBDF71-1070-B12D-DE81-3DE82BD0EE0F}" = Catalyst Control Center Localization Japanese
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{260954A3-6960-C01E-6F40-1CE0A93BF626}" = Catalyst Control Center Localization German
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{2822B2F8-1509-1CCC-D6B4-488085F4DB4F}" = CCC Help Finnish
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{29B36F38-1071-DE31-F13F-AB772EACB520}" = CCC Help Dutch
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{382B1538-6CF7-D096-0943-1CC4697BD96C}" = CCC Help Japanese
"{3972733B-D4D3-D199-94AC-ED8C897A5D77}" = CCC Help Swedish
"{411E0CC3-587A-468C-B461-95FAFD05E4DE}" = Adobe InDesign CS3
"{434E3EEC-60B2-F0EF-41F7-2D2D18DC120E}" = CCC Help Norwegian
"{4393DE35-AD67-4F37-95E4-30F06EA0FDB2}" = Adobe Creative Suite 3 Design Premium
"{497C2376-FB2E-C042-7AE0-143AED4D04FB}" = Catalyst Control Center Core Implementation
"{4A6DF1FE-DA7B-9A5B-01AA-091314B3BFEE}" = Catalyst Control Center Graphics Full New
"{534FA2AB-C09D-F3F8-355B-74289B4A25B0}" = CCC Help Spanish
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5518E08A-2053-4A3E-85B2-F912D4666C9F}" = Adobe Setup
"{5B09BD67-4C99-46A1-8161-B7208CE18121}" = QuickTime
"{5B1172A6-1EF8-55B9-B6D1-E88DAF7461A0}" = Catalyst Control Center Localization Czech
"{5B1F1DF4-BBF7-A78C-8BE5-4F12A1964638}" = Skins
"{5E2A655C-F4C2-CDE8-D463-78865149ABAF}" = Catalyst Control Center Graphics Full Existing
"{626C2AA3-7E89-5A04-F774-C0E016399765}" = Catalyst Control Center Localization Danish
"{687BE4C6-3F13-BB68-41D0-D2ACBE9657E4}" = Catalyst Control Center Localization Norwegian
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7098EEF7-5B96-F14D-E07D-44169831FE89}" = ccc-core-preinstall
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73B5D990-04EA-4751-B10F-5534770B91F2}" = Adobe Color EU Recommended Settings
"{79E2005B-4D5D-3C7A-D85A-21E24F693607}" = Catalyst Control Center Localization Greek
"{7C503E58-B2BC-11D5-978A-0050BA84F5F7}" = Neverwinter Nights
"{7D08B393-0FBF-F9D4-1EF0-7088B5A4FFE4}" = Catalyst Control Center Localization Dutch
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{88589E54-FDD1-9333-DED9-BCE0155E9241}" = ccc-utility
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{8B43AE66-21A4-1534-3804-E2E5B0B1B74B}" = Catalyst Control Center Localization Italian
"{8C640345-AF96-4ABA-A697-97D2A0B8C6DB}" = Adobe Flash CS3
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{901F0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Proofing Tools
"{98927BFC-813F-3A04-A75C-6E131E31F34D}" = CCC Help English
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE22123-D4EE-4D3A-BE87-B5B2622537EF}" = Catalyst Control Center - Branding
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4C6B25C-F9C5-3AD8-AF30-260DF75C23D3}" = CCC Help Turkish
"{A8747D14-8760-1A5B-70C9-D30C3DC2E5C8}" = Catalyst Control Center Localization Thai
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.2
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B582A79C-312D-3673-5A6C-54F3EE7CDDDA}" = Catalyst Control Center Localization Polish
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BCEDD813-269C-4D8F-A4BA-01FDC66254D3}" = Adobe Flash Video Encoder
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{BE88C27E-9418-D76D-BA11-D127932DD6A8}" = Catalyst Control Center Localization Russian
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C1CA7048-1331-D216-8648-DE0AD1C2D2D2}" = Catalyst Control Center Localization Turkish
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C3020228-A899-0F93-1168-E9D8AFDB3755}" = Catalyst Control Center Localization Chinese Standard
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C67E3460-4EA6-C3B0-DA09-D2613FE52083}" = Catalyst Control Center Localization Swedish
"{C8D7A672-F697-4572-AC62-C856053A8DBC}" = Adobe Illustrator CS3
"{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}" = AVIVO Codecs
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEFB064E-A177-1354-ECBE-2F752819F4F3}" = Catalyst Control Center Localization Hungarian
"{CEFFFB30-308B-B39C-E9D5-C804BB35F76D}" = CCC Help Russian
"{CFAF67D2-FD21-D3DE-E095-1CB4AF3D8DE4}" = ccc-core-static
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D3BE386D-4A1F-D06B-51F3-B9C010FB60B7}" = Catalyst Control Center Localization Portuguese
"{D3C605D8-3A5E-4BAD-965D-2C61441BF2AC}" = Adobe Photoshop CS3
"{D810B249-16C2-78C4-BC52-04333C4EEED4}" = CCC Help Greek
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DAF37B83-F3A5-626F-B9E2-9B931B37C653}" = CCC Help Czech
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E13CDA67-9248-54B4-127A-C1BE8FCF54AA}" = CCC Help Portuguese
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E6EA750D-733D-5CFB-FE09-FE9D2965870A}" = Catalyst Control Center Localization Finnish
"{E8A6BB83-F875-53E1-6BC4-EDD490B68988}" = CCC Help Chinese Traditional
"{E9D314E9-A0BE-3B0F-7301-86928C6CF336}" = CCC Help Hungarian
"{EA684ACD-4EE8-3ACE-9D2A-19B86C156DC0}" = Catalyst Control Center Localization Korean
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F166954A-2FBD-B21E-D823-C9072424B1B3}" = CCC Help Thai
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F465A8CB-63C4-56FD-EE07-D176CEB333DA}" = CCC Help Danish
"{F54AD6C3-0E7D-8706-AACE-D42F889FC7FF}" = Catalyst Control Center Localization French
"{F706E9C5-7543-FE75-2B75-B46E56EEF062}" = CCC Help Italian
"{FF29A7E2-FF40-4D07-B7E4-2093DE59E10A}" = Adobe Color NA Extra Settings
"001FFFFFFF11FF00FF0701F02F02F000-R1" = ArchiCAD 11 INT
"ABBYY FineReader 4.0 Sprint" = ABBYY FineReader 4.0 Sprint
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.0 Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Adobe_061850775b1c6d22bf2a145678e05e0" = Adobe Creative Suite 3 Design Premium hinzufügen oder entfernen
"After Dark" = After Dark
"All ATI Software" = ATI - Dienstprogramm zur Deinstallation der Software
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner (remove only)
"Darkstar One_is1" = Darkstar One
"Die Gilde 2 - Gold Edition" = Die Gilde 2 - Gold Edition
"Drakensang_is1" = Drakensang
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"IrfanView" = IrfanView (remove only)
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.7.0 (Standard)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"Mustek 1200 UB Plus v1.3" = Mustek 1200 UB Plus v1.3
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Pen Tablet Driver" = Bamboo
"Pidgin" = Pidgin
"Rainlendar2" = Rainlendar2 (remove only)
"RealPlayer 6.0" = RealPlayer
"VLC media player" = VLC media player 1.0.3
"WIC" = Windows Imaging Component
"WinRAR archiver" = WinRAR archiver
"XiphQT" = Xiph QuickTime Components

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 15.01.2010 19:46:11 | Computer Name = YOUR-B7958E5825 | Source = Adobe Version Cue CS3 | ID = 3
Description =

Error - 17.01.2010 08:47:22 | Computer Name = YOUR-B7958E5825 | Source = Adobe Version Cue CS3 | ID = 3
Description =

Error - 18.01.2010 21:18:22 | Computer Name = YOUR-B7958E5825 | Source = Application Error | ID = 1000
Description = Faulting application avguard.exe, version 9.0.1.32, faulting module
aevdf.dll, version 8.1.1.2, fault address 0x0000911c.

Error - 20.01.2010 09:55:17 | Computer Name = YOUR-B7958E5825 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x0250f7a0.

Error - 22.01.2010 19:13:58 | Computer Name = YOUR-B7958E5825 | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x0250f7a0.

Error - 22.01.2010 19:18:56 | Computer Name = YOUR-B7958E5825 | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0005c887.

Error - 23.01.2010 10:04:46 | Computer Name = YOUR-B7958E5825 | Source = Application Error | ID = 1000
Description = Faulting application avguard.exe, version 9.0.1.32, faulting module
aevdf.dll, version 8.1.1.2, fault address 0x00001213.

Error - 24.01.2010 16:38:56 | Computer Name = YOUR-B7958E5825 | Source = Application Error | ID = 1000
Description = Faulting application pidgin.exe, version 2.5.5.0, faulting module
unknown, version 0.0.0.0, fault address 0x019c438e.

Error - 25.01.2010 14:49:51 | Computer Name = YOUR-B7958E5825 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x0257f7a0.

Error - 25.01.2010 14:58:08 | Computer Name = YOUR-B7958E5825 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x0250f7a0.

[ System Events ]
Error - 25.01.2010 14:52:05 | Computer Name = YOUR-B7958E5825 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 25.01.2010 14:52:12 | Computer Name = YOUR-B7958E5825 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
sptd

Error - 25.01.2010 14:58:09 | Computer Name = YOUR-B7958E5825 | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 25.01.2010 14:58:09 | Computer Name = YOUR-B7958E5825 | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 25.01.2010 15:00:21 | Computer Name = YOUR-B7958E5825 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 25.01.2010 15:00:21 | Computer Name = YOUR-B7958E5825 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 25.01.2010 15:00:29 | Computer Name = YOUR-B7958E5825 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
sptd

Error - 25.01.2010 15:11:31 | Computer Name = YOUR-B7958E5825 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
sptd

Error - 25.01.2010 15:28:23 | Computer Name = YOUR-B7958E5825 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
sptd

Error - 26.01.2010 16:35:22 | Computer Name = YOUR-B7958E5825 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
sptd


< End of report >



#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:28 AM

Posted 26 January 2010 - 04:57 PM

Hi,


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 18...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.




I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

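The point of the Java steps above is that installing a new JRE does not uninstall the earlier ones, so every stale runtime stays on the machine as an exploitable target until it is removed by hand. As an added illustration (not code from this thread or from the OTL tool), here is a small Python script that reads an OTL "Installed Programs" listing like the one posted above and flags every Java/J2SE runtime older than the JRE 6 Update 18 the reply refers to. The sample lines are copied from the log above; the line format assumed by the regular expressions, and the function names, are my own assumptions.

```python
"""Flag stale Java Runtime Environments in an OTL "Installed Programs" listing."""
from __future__ import annotations

import re
from typing import NamedTuple

# OTL prints each Add/Remove Programs entry as:  "<uninstall key>" = <display name>
ENTRY_RE = re.compile(r'^\s*"(?P<key>[^"]+)"\s*=\s*(?P<name>.+?)\s*$')

# Matches "Java™ 6 Update 14" and "J2SE Runtime Environment 5.0 Update 6":
# the major version is the first number after Java/J2SE, the update number
# follows the word "Update". The \b after Java keeps "JavaScript ..." out.
JAVA_RE = re.compile(r'\b(?:Java|J2SE)\b[^\d]*?(\d+)(?:\.\d+)?\s+Update\s+(\d+)')

# JRE 6 Update 18 is the current release named in the reply above.
LATEST_JRE = (6, 18)

# Constructed sample: five entry lines copied from the OTL log posted in this thread.
SAMPLE_LINES = """
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{21199F32-B676-4FE2-A443-EF7DB6B8FD4F}" = Opera 10.10
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"""


class JavaEntry(NamedTuple):
    key: str                   # uninstall registry key (GUID or product name)
    name: str                  # display name as shown in Add/Remove Programs
    version: tuple[int, int]   # (major, update), e.g. (6, 14)


def parse_installed_programs(text: str) -> list[tuple[str, str]]:
    """Return (uninstall key, display name) pairs for every entry line in the listing."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pairs.append((m.group("key"), m.group("name")))
    return pairs


def find_java_entries(text: str) -> list[JavaEntry]:
    """Pick out every Java/J2SE runtime entry and parse its (major, update) version."""
    entries = []
    for key, name in parse_installed_programs(text):
        m = JAVA_RE.search(name)
        if m:
            entries.append(JavaEntry(key, name, (int(m.group(1)), int(m.group(2)))))
    return sorted(entries, key=lambda e: e.version)   # oldest first


def outdated_java(text: str, latest: tuple[int, int] = LATEST_JRE) -> list[str]:
    """Display names of installed Java runtimes older than `latest`, oldest first.

    Anything returned here should be removed via Add/Remove Programs before
    (or after) installing the current release; the installer will not do it.
    """
    return [e.name for e in find_java_entries(text) if e.version < latest]


if __name__ == "__main__":
    for name in outdated_java(SAMPLE_LINES):
        print("stale Java runtime:", name)
```

Run it against the full "Installed Programs" block of an OTL log instead of `SAMPLE_LINES` and the three runtimes from this machine (J2SE 5.0 Update 6, Java 6 Update 3 and Java 6 Update 14) come back as stale; adjust `LATEST_JRE` as new updates ship.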
#14 mardek

mardek
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:28 AM

Posted 26 January 2010 - 07:43 PM

Hello again, Schrauber, and thanks for the tip. I thought Java uninstalled old versions when it updated!

I've gotten rid of those now, and run the ESET scan.

It's found something at C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.SJ virus

Is that a combofix folder? (I didn't use ESET to delete it, wasn't sure whether I should...)

Edited by mardek, 26 January 2010 - 09:41 PM.


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:28 AM

Posted 27 January 2010 - 12:44 PM

This one is already in quarantine.

How is it running?

Please post back with a fresh OTL logfile.
regards,
schrauber




