Infected with Antimalware Doctor virus


51 replies to this topic

#1 klingsor2010

klingsor2010

  • Members
  • 31 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 26 August 2010 - 12:45 PM

Hello Friends,

My laptop has been infected by the Antimalware Doctor virus. Yesterday I was fooled into clicking and installing the virus when it came up with an official-looking, Windows-like dialogue box. My computer has McAfee on it. It came up with a warning immediately before the malware dialogue box came up; however, I foolishly mistook the Antimalware Doctor notice to be related to the McAfee warning.

Once I determined that I had installed the virus on my computer, I followed the procedures outlined on this website relating specifically to removing the antimalware doctor virus. The Malwarebytes program detected around 10 infected items, but when I tried to remove them, I got a message that not all infected items could be removed. (I am attaching the logfile to this post.)

On the reboot immediately following this, I got an error message that indicated: "Error in RUNDLL: C:\windows\mephas.dll was not found".

Then I followed the procedures of running the malware removal tools before requesting help posted on the website. When I got to the step of doing the GMER scan, I encountered a problem. I left the computer while it was going through the scan, but when I came back, it had rebooted. So I ran the iExplore kill and tried running GMER once again, with the same result of a system reboot in the middle of the scan. Finally, I went through the process while observing the scan myself and discovered it was getting bogged down. System manager showed the CPU running at 100%. Thus, I started to manually end the user processes that were hogging the CPU: mcxsmon.exe, CCC.exe, Mpfsrv.exe, mcagent.exe. This got the CPU down to between 50% and 65%. However, periodically during the scan, the CPU would go up to nearly 100% again. I would go back to the list of user processes and once again end processes like mpfsrv and mcagent. That would return the CPU to the previous levels, and I was able to complete the GMER scan.

It seems that the rkill (I also tried using the iExplore) is not entirely eliminating all the virus processes running on the machine. This is further indicated by the fact that when I use Netscape after running it, I still get occasional redirects that spawn new windows and go to undirected sites.

One more observation:

Another change in my system I have noticed is that my external USB keyboard is no longer recognized. Also, the audio headphone jack no longer works. When it is plugged in, the audio still plays through the laptop speakers, and I do not get the typical message on the bottom right of the screen that recognizes an audio device when I plug in the headphones.

A final note: my computer is German, running German XP pro (Acer Travelmate 7530).
Thanks very much in advance. This virus infection has been a nightmare, but the fact that there are volunteers out there willing to help is a great comfort.

DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 10:14:10,40 on 26.08.2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2526.1863 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Programme\Acer\Acer Bio Protection\BASVC.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Acer\Acer Bio Protection\PdtWzd.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
C:\Programme\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\Windows Desktop Search\WindowsSearch.exe
c:\PROGRA~1\GEMEIN~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\GEMEIN~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Programme\McAfee\MPF\MPFSrv.exe
C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Mozilla Firefox\plugin-container.exe
C:\Dokumente und Einstellungen\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.purdue.edu/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/forgotPassword.asp?affid=550-22&langid=1&close=true&RW=1
uInternet Settings,ProxyServer = http=127.0.0.1:6522
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\programme\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID-Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programme\gemeinsame dateien\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\programme\messenger\msmsgs.exe" /background
uRun: [pemywvla] c:\dokumente und einstellungen\user\lokale einstellungen\anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\programme\realtek\audio\installshield\AzMixerSel.exe
mRun: [ZPdtWzdVitaKey MC3000] "c:\programme\acer\acer bio protection\PdtWzd.exe" show
mRun: [FreePDF Assistant] c:\programme\freepdf_xp\fpassist.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\programme\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [BackupNowEZtray] "c:\programme\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k
mRun: [mcagent_exe] "c:\programme\mcafee.com\agent\mcagent.exe" /runkey
mRun: [pemywvla] c:\dokumente und einstellungen\user\lokale einstellungen\anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\bttray.lnk - c:\programme\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\window~1.lnk - c:\programme\windows desktop search\WindowsSearch.exe
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Senden an &Bluetooth-Gerät... - c:\programme\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\programme\acer\acer bio protection\PwdBank.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\programme\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: netlibrary.com\www
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250353295218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AWinNotifyVitaKey MC3000 - c:\programme\acer\acer bio protection\WinNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\programme\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\programme\acer\acer bio protection\PwdFilter

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\user\anwend~1\mozilla\firefox\profiles\fjn0fk2u.default\
FF - prefs.js: browser.startup.homepage - google.de
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\programme\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programme\microsoft\office live\npOLW.dll
FF - plugin: c:\programme\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\programme\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programme\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\programme\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\programme\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programme\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\programme\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programme\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programme\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [2009-7-3 43184]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R2 IGBASVC;iGroupTec Service;c:\programme\acer\acer bio protection\BASVC.exe [2009-7-3 3481088]
R2 McProxy;McAfee Proxy Service;c:\progra~1\gemein~1\mcafee\mcproxy\mcproxy.exe [2010-6-21 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-6-21 144704]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\programme\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-9-19 45312]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-7-3 96856]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-6-21 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-21 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-21 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-6-21 40552]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys --> c:\windows\system32\drivers\bdfm.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-6-21 34248]

=============== Created Last 30 ================

2010-08-26 14:13:23 0 ----a-w- c:\dokumente und einstellungen\user\defogger_reenable
2010-08-26 13:16:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 01:51:00 0 d-----w- c:\dokume~1\user\anwend~1\Malwarebytes
2010-08-26 01:50:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-26 01:50:48 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2010-08-26 01:50:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-26 01:50:47 0 d-----w- c:\programme\Malwarebytes' Anti-Malware
2010-08-25 20:25:40 2843 ----a-w- c:\windows\isosucej.dll
2010-08-25 20:18:54 2843 ----a-w- c:\windows\arekezako.dll
2010-08-25 20:11:27 0 d-----w- c:\dokume~1\user\anwend~1\C6E031F47CFCBECAF13BED1327434290
2010-08-21 14:37:51 0 d-----w- C:\Greg_C

==================== Find3M ====================

2010-08-26 13:16:07 90436 ----a-w- c:\windows\system32\perfc007.dat
2010-08-26 13:16:07 474460 ----a-w- c:\windows\system32\perfh007.dat
2010-07-15 19:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-30 12:28:51 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 09:02:00 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 23:45:21 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:35 1172480 ----a-w- c:\windows\system32\msxml3.dll
2004-02-20 11:31:02 69632 ----a-w- c:\programme\uninstgs.exe

============= FINISH: 10:16:20,43 ===============
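As an added triage example (written for this page, not part of the thread and not a DDS feature): a short Python script that reads the "Pseudo HJT Report" lines from the log above and flags the two findings a helper would look at first: the `pemywvla` Run entries launching a randomly named executable from the user's local application-data folder, and the Internet Settings proxy pointed at 127.0.0.1:6522, a localhost proxy of the kind rogue security software installs to intercept browser traffic, which fits the redirects the poster describes. The sample lines are copied from the report; the folder markers, the name heuristic and the scoring thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: autorun and proxy lines copied from the DDS report
# above, with a few benign entries from the same report for contrast.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [pemywvla] c:\dokumente und einstellungen\user\lokale einstellungen\anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe
mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [pemywvla] c:\dokumente und einstellungen\user\lokale einstellungen\anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

# DDS prefixes: uRun = HKCU Run, mRun = HKLM Run, dRun = default-user Run.
RUN_LINE = re.compile(r"^([umd]Run): \[([^\]]+)\]\s*(.*)$")
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")

# Per-user application-data folders (German XP names as in the log, plus the
# English XP and Vista+ names). Assumed markers for this example: a Run entry
# that launches from here is a strong indicator, since installed software
# normally runs from Program Files or the Windows directory.
USER_APPDATA_MARKERS = (
    r"lokale einstellungen\anwendungsdaten",
    r"local settings\application data",
    r"\appdata\local",
    r"\appdata\roaming",
)


def executable_path(command: str) -> str:
    """Extract the program path from a Run value, whether quoted or bare.

    DDS prints quoted values as "path" args and unquoted ones verbatim, so an
    unquoted path containing spaces is cut at the first executable extension.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|scr|com|dll|bat|cmd|pif))(?:\s|$)", command, re.I)
    return m.group(1) if m else command


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names: letters only, 7+ characters and a
    run of five or more consonants (y counted as a consonant). This is only a
    supporting signal, because legitimate names such as SynTPEnh also trip it."""
    return (re.fullmatch(r"[A-Za-z]{7,}", name) is not None
            and re.search(r"[b-df-hj-np-tv-z]{5}", name.lower()) is not None)


def triage(report: str):
    """Score each Run entry and return (flagged entries, localhost proxies).

    Assumed scoring for this example: launched from a per-user application-data
    folder +2; random-looking entry name or file name +1; the same entry name
    registered in more than one Run hive (uRun and mRun above, i.e. HKCU and
    HKLM) +1. Entries scoring 2 or more are flagged.
    """
    entries, proxies = [], []
    hives_by_name = defaultdict(set)
    for line in report.splitlines():
        m = PROXY_LINE.match(line)
        if m:
            proxies.append(m.group(1))
            continue
        m = RUN_LINE.match(line)
        if not m:
            continue
        hive, name, value = m.groups()
        hives_by_name[name.lower()].add(hive)
        entries.append((hive, name, executable_path(value)))

    flagged = []
    for hive, name, path in entries:
        low = path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        score, reasons = 0, []
        if any(marker in low for marker in USER_APPDATA_MARKERS):
            score += 2
            reasons.append("runs from per-user application data")
        if looks_random(name) or looks_random(stem):
            score += 1
            reasons.append("random-looking entry or file name")
        if len(hives_by_name[name.lower()]) > 1:
            score += 1
            reasons.append("registered in several Run hives")
        if score >= 2:
            flagged.append({"hive": hive, "name": name, "path": path,
                            "score": score, "reasons": reasons})

    # A proxy on the loopback address means a local process sits between the
    # browser and the network; there is no legitimate reason for that on a
    # home machine unless the user installed such a tool deliberately.
    local_proxies = [p for p in proxies
                     if re.search(r"\b(127\.\d+\.\d+\.\d+|localhost)\b", p)]
    return flagged, local_proxies


if __name__ == "__main__":
    flagged, proxies = triage(SAMPLE_REPORT)
    for f in flagged:
        print(f"{f['hive']} [{f['name']}] {f['path']}  score={f['score']}  "
              f"({'; '.join(f['reasons'])})")
    for p in proxies:
        print("localhost proxy configured:", p)
```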


#2 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:02:43 PM

Posted 31 August 2010 - 12:00 PM

Hi klingsor2010,

Welcome to Bleeping Computer!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to give a few guidelines so that we can fix your problem as quickly and efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

STEP 1 - MBAM

Note: In the event that you already have MBAM installed, you do not need to reinstall it. Simply Updating it and doing a Quickscan is sufficient.

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 2 - GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

STEP 3 - OTL

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • In the Custom Scans box, copy and paste the following:
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.
STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • GMER Log
  • OTL Log

Edited by mpascal, 31 August 2010 - 12:00 PM.


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#3 klingsor2010

klingsor2010
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 01 September 2010 - 03:06 PM

Hi mpascal,

Thanks very much for helping me out. Here are the logs you requested. My computer repeatedly crashed when running GMER, sometimes rebooting by itself and other times just freezing up. Thus, I had to run it in Windows safe mode. The list was much longer when I ran the program normally, but I could only get a successful, complete scan in safe mode.

One more thing to note: I forgot to tell you in my original post that I had installed Defogger, because I have the Nero Burning ROM program on my machine.
Finally, an observation while scanning: I noticed the program FreePDF_XP as the scanner was going through the computer. This struck me as suspicious because I don't recall ever installing something under this name on the computer. Also, when I started to have problems with the malware Doctor virus a couple of weeks ago, an error message came up for this program (even though I don't run it).

Thanks again for your efforts! It is greatly appreciated.

klingsor


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4521

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

01.09.2010 09:56:30
mbam-log-2010-09-01 (09-56-30).txt

Scan type: Quick scan
Objects scanned: 131544
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-01 15:15:53
Windows 5.1.2600 Service Pack 3
Running: og3ieyvj.exe; Driver: C:\DOKUME~1\user\LOKALE~1\Temp\uxtdapow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1048] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B4874A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

OTL logfile created on: 01.09.2010 15:28:31 - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Dokumente und Einstellungen\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 77,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 86,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 298,08 Gb Total Space | 278,33 Gb Free Space | 93,37% Space Free | Partition Type: NTFS
Drive D: | 298,09 Gb Total Space | 54,70 Gb Free Space | 18,35% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAPTOP1
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Dokumente und Einstellungen\user\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Programme\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Programme\McAfee\MSC\mcupdmgr.exe (McAfee, Inc.)
PRC - C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Programme\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Programme\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Programme\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe (NewTech Infosystems, Inc.)
PRC - C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe (NewTech Infosystems, Inc.)
PRC - c:\Programme\Gemeinsame Dateien\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Programme\Gemeinsame Dateien\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Programme\Acer\Acer Bio Protection\BASVC.exe ()
PRC - C:\Programme\Acer\Acer Bio Protection\PdtWzd.exe (Arachnoid Biometrics Identification Group Corp.)
PRC - C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.)
PRC - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
PRC - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVCM.EXE (Microsoft Corporation)
PRC - C:\Programme\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)


========== Modules (SafeList) ==========

MOD - C:\Dokumente und Einstellungen\user\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Programme\NewTech Infosystems\Backup Now EZ\Pehook.dll (NewTech Infosystems, Inc.)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\BtMmHook.dll (Broadcom Corporation.)


========== Win32 Services (SafeList) ==========

SRV - (SPService) -- c:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe\sp.DLL ()
SRV - (mcmscsvc) -- C:\Programme\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Programme\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Programme\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Programme\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Programme\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
SRV - (NTI BackupNowEZSvr) -- C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe (NewTech Infosystems, Inc.)
SRV - (McProxy) -- c:\Programme\Gemeinsame Dateien\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Programme\Gemeinsame Dateien\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (IGBASVC) -- C:\Programme\Acer\Acer Bio Protection\BASVC.exe ()
SRV - (wlidsvc) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (odserv) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (bdfm) -- C:\WINDOWS\System32\drivers\bdfm.sys File not found
DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (PnkBstrK) -- C:\WINDOWS\system32\drivers\PnkBstrK.sys ()
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (AR5416) -- C:\WINDOWS\system32\drivers\athw.sys (Atheros Communications, Inc.)
DRV - (AlfaFF) -- C:\WINDOWS\system32\Drivers\AlfaFF.sys (Alfa Corporation)
DRV - (NTIDrvr) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (UBHelper) -- C:\WINDOWS\system32\drivers\UBHelper.sys (NewTech Infosystems Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (JMCR) -- C:\WINDOWS\system32\drivers\jmcr.sys (JMicron Technology Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor) -- C:\WINDOWS\system32\drivers\atswpdrv.sys (AuthenTec, Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (RTHDMIAzAudService) -- C:\WINDOWS\system32\drivers\RtHDMI.sys (Realtek Semiconductor Corp.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (btwhid) -- C:\WINDOWS\system32\drivers\btwhid.sys (Broadcom Corporation.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys (Broadcom Corporation.)
DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.)
DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)
DRV - (Int15) -- C:\WINDOWS\system32\drivers\int15.sys ()
DRV - (imagesrv) -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys (Ahead Software AG)
DRV - (imagedrv) -- C:\WINDOWS\System32\Drivers\imagedrv.sys (Ahead Software AG)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.purdue.edu/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.de"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.24 23:51:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.08.26 09:16:50 | 000,000,000 | ---D | M]

[2009.07.03 11:45:21 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Extensions
[2010.08.26 09:18:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions
[2009.07.19 06:46:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.08.18 02:06:44 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010.09.01 09:57:18 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.08.26 09:16:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2009.11.27 01:44:29 | 000,065,536 | ---- | M] () -- C:\Programme\Mozilla Firefox\components\FFComm.dll
[2008.08.16 11:42:02 | 000,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\CgpCore.dll
[2008.08.16 11:42:12 | 000,091,448 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\confmgr.dll
[2008.08.16 11:42:08 | 000,020,800 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\ctxlogging.dll
[2008.05.21 02:41:08 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\msvcm80.dll
[2008.05.21 02:41:08 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\msvcp80.dll
[2008.05.21 02:41:08 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\msvcr80.dll
[2010.07.17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2008.08.16 11:44:46 | 000,427,312 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\npicaN.dll
[2008.08.16 11:42:04 | 000,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\TcpPServ.dll
[2010.03.12 21:52:22 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.03.12 21:52:22 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.03.12 21:52:23 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.03.12 21:52:23 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.03.12 21:52:23 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2008.04.14 08:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live ID-Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AzMixerSel] C:\Programme\Realtek\Audio\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BackupNowEZtray] C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [mcagent_exe] C:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [pemywvla] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe File not found
O4 - HKLM..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [ZPdtWzdVitaKey MC3000] C:\Programme\Acer\Acer Bio Protection\PdtWzd.exe (Arachnoid Biometrics Identification Group Corp.)
O4 - HKCU..\Run: [pemywvla] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe File not found
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\BTTray.lnk = C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Programme\Acer\Acer Bio Protection\PwdBank.exe ()
O9 - Extra 'Tools' menuitem : Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Programme\Acer\Acer Bio Protection\PwdBank.exe ()
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O15 - HKCU\..Trusted Domains: netlibrary.com ([www] http in Vertrauenswürdige Sites)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1250353295218 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\AWinNotifyVitaKey MC3000: DllName - C:\Programme\Acer\Acer Bio Protection\WinNotify.dll - C:\Programme\Acer\Acer Bio Protection\WinNotify.dll (Arachnoid Biometrics Identification Group Corp.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Programme\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.07.02 14:47:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2232501f-67e1-11de-b2f8-d09e070d5a96}\Shell\AutoRun\command - "" = F:\y.cmd -- File not found
O33 - MountPoints2\{74a50ff1-0c5a-11df-b6e3-001e68ec4f7e}\Shell\AutoRun\command - "" = F:\restore\restorestarter.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010.09.01 09:20:55 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.09.01 09:20:53 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.09.01 09:20:52 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.08.31 19:49:24 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\user\Desktop\OTL.exe
[2010.08.31 19:46:19 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\user\Desktop\mbam-setup.exe
[2010.08.26 09:17:15 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sun
[2010.08.26 09:16:50 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010.08.26 09:16:49 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.08.26 09:16:49 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.08.26 09:16:49 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.08.25 21:54:51 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Macromedia
[2010.08.25 21:54:49 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Adobe
[2010.08.25 21:51:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Malwarebytes
[2010.08.25 21:50:48 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.08.25 16:11:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\Windows Server
[2010.08.25 16:11:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\C6E031F47CFCBECAF13BED1327434290
[2010.08.21 10:37:51 | 000,000,000 | ---D | C] -- C:\Greg_C
[2010.08.08 12:59:13 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Ahead
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.09.01 15:23:10 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.09.01 15:22:54 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.09.01 15:22:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.09.01 15:21:18 | 003,184,656 | -H-- | M] () -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\IconCache.db
[2010.09.01 15:18:27 | 009,699,328 | -H-- | M] () -- C:\Dokumente und Einstellungen\user\NTUSER.DAT
[2010.09.01 13:36:14 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\user\ntuser.ini
[2010.09.01 13:17:15 | 000,010,691 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010.09.01 13:14:11 | 001,079,610 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.09.01 13:14:11 | 000,474,460 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.09.01 13:14:11 | 000,433,196 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.09.01 13:14:11 | 000,090,436 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.09.01 13:14:11 | 000,067,960 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.09.01 09:20:58 | 000,000,676 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.08.31 19:46:22 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\user\Desktop\mbam-setup.exe
[2010.08.31 19:28:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\user\Desktop\OTL.exe
[2010.08.31 19:28:16 | 000,293,376 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\og3ieyvj.exe
[2010.08.26 17:04:28 | 000,363,520 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\rkill.com
[2010.08.26 10:13:23 | 000,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\user\defogger_reenable
[2010.08.26 10:12:27 | 000,050,477 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\Defogger.exe
[2010.08.26 09:39:53 | 000,525,824 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\dds.scr
[2010.08.25 16:25:40 | 000,002,843 | ---- | M] () -- C:\WINDOWS\isosucej.dll
[2010.08.25 16:18:55 | 000,002,843 | ---- | M] () -- C:\WINDOWS\arekezako.dll
[2010.08.22 20:04:10 | 000,154,624 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.08.21 03:16:46 | 000,002,243 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Skype.lnk
[2010.08.17 06:43:07 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.08.15 06:41:40 | 000,173,080 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.08.15 06:39:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010.08.15 01:29:19 | 000,000,338 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.09.01 09:20:58 | 000,000,676 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.08.31 19:49:21 | 000,293,376 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\og3ieyvj.exe
[2010.08.26 17:09:11 | 000,363,520 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\rkill.com
[2010.08.26 10:13:23 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\user\defogger_reenable
[2010.08.26 10:12:32 | 000,050,477 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\Defogger.exe
[2010.08.26 09:40:20 | 000,525,824 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\dds.scr
[2010.08.25 16:25:40 | 000,002,843 | ---- | C] () -- C:\WINDOWS\isosucej.dll
[2010.08.25 16:18:54 | 000,002,843 | ---- | C] () -- C:\WINDOWS\arekezako.dll
[2010.05.08 17:04:29 | 000,001,671 | ---- | C] () -- C:\WINDOWS\FOLIOHLP.INI
[2010.05.08 17:04:28 | 000,000,077 | ---- | C] () -- C:\WINDOWS\LNAME.INI
[2009.08.18 18:37:14 | 000,022,328 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\PnkBstrK.sys
[2009.08.15 18:56:18 | 000,138,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009.08.03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009.07.28 17:40:35 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009.07.18 13:38:41 | 000,154,624 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.07.05 10:31:38 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\Hooks.dll
[2009.07.03 11:41:24 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2009.07.03 11:41:21 | 000,069,632 | ---- | C] () -- C:\Programme\uninstgs.exe
[2009.07.03 11:35:17 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\VMC3KAPI.dll
[2009.07.03 08:00:41 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2009.07.03 06:22:08 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008.10.09 09:31:54 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll
[2008.08.19 02:58:32 | 000,000,616 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008.05.26 16:23:36 | 000,016,834 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2008.05.26 16:23:34 | 000,024,188 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2008.05.26 16:23:32 | 000,016,568 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2008.04.14 08:00:00 | 000,266,240 | ---- | C] () -- C:\WINDOWS\ozuzegosu.dll
[2007.04.01 03:00:28 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007.04.01 02:41:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2007.01.26 02:32:18 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\int15.sys
[2005.02.17 06:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005.02.17 06:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001.11.14 07:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009.07.02 14:47:56 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010.06.21 19:45:09 | 000,003,398 | ---- | M] () -- C:\bdlog.txt
[2009.07.02 14:42:08 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008.04.14 08:00:00 | 000,004,952 | RHS- | M] () -- C:\bootfont.bin
[2009.07.02 14:47:56 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009.11.06 18:14:12 | 000,000,000 | ---- | M] () -- C:\ctapi_out_gr.txt
[2009.07.02 14:47:56 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009.07.02 14:47:56 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008.04.14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008.04.14 08:00:00 | 000,251,712 | RHS- | M] () -- C:\ntldr
[2010.09.01 15:22:38 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010.08.26 17:51:11 | 000,000,362 | ---- | M] () -- C:\rkill.log

< %systemroot%\Fonts\*.com >
[2006.04.18 09:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006.06.29 08:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006.04.18 09:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006.06.29 08:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009.07.02 14:47:31 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008.07.06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006.10.26 13:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008.07.06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %sys

Edited by klingsor2010, 01 September 2010 - 03:35 PM.


#4 klingsor2010

  • Topic Starter
  • Members
  • 31 posts

Posted 01 September 2010 - 03:43 PM

There was a problem in my post of the OTL logs. I tried to do a manual edit, but it didn't correct the problem and include the full log texts. Thus I am posting the OTL logs here in full now. Sorry for the mess.

OTL logfile created on: 01.09.2010 15:28:31 - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Dokumente und Einstellungen\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 77,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 86,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 298,08 Gb Total Space | 278,33 Gb Free Space | 93,37% Space Free | Partition Type: NTFS
Drive D: | 298,09 Gb Total Space | 54,70 Gb Free Space | 18,35% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAPTOP1
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Dokumente und Einstellungen\user\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Programme\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Programme\McAfee\MSC\mcupdmgr.exe (McAfee, Inc.)
PRC - C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Programme\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Programme\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Programme\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe (NewTech Infosystems, Inc.)
PRC - C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe (NewTech Infosystems, Inc.)
PRC - c:\Programme\Gemeinsame Dateien\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Programme\Gemeinsame Dateien\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Programme\Acer\Acer Bio Protection\BASVC.exe ()
PRC - C:\Programme\Acer\Acer Bio Protection\PdtWzd.exe (Arachnoid Biometrics Identification Group Corp.)
PRC - C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.)
PRC - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
PRC - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVCM.EXE (Microsoft Corporation)
PRC - C:\Programme\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)


========== Modules (SafeList) ==========

MOD - C:\Dokumente und Einstellungen\user\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Programme\NewTech Infosystems\Backup Now EZ\Pehook.dll (NewTech Infosystems, Inc.)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\BtMmHook.dll (Broadcom Corporation.)


========== Win32 Services (SafeList) ==========

SRV - (SPService) -- c:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe\sp.DLL ()
SRV - (mcmscsvc) -- C:\Programme\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Programme\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Programme\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Programme\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Programme\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
SRV - (NTI BackupNowEZSvr) -- C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe (NewTech Infosystems, Inc.)
SRV - (McProxy) -- c:\Programme\Gemeinsame Dateien\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Programme\Gemeinsame Dateien\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (IGBASVC) -- C:\Programme\Acer\Acer Bio Protection\BASVC.exe ()
SRV - (wlidsvc) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (odserv) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (bdfm) -- C:\WINDOWS\System32\drivers\bdfm.sys File not found
DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (PnkBstrK) -- C:\WINDOWS\system32\drivers\PnkBstrK.sys ()
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (AR5416) -- C:\WINDOWS\system32\drivers\athw.sys (Atheros Communications, Inc.)
DRV - (AlfaFF) -- C:\WINDOWS\system32\Drivers\AlfaFF.sys (Alfa Corporation)
DRV - (NTIDrvr) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (UBHelper) -- C:\WINDOWS\system32\drivers\UBHelper.sys (NewTech Infosystems Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (JMCR) -- C:\WINDOWS\system32\drivers\jmcr.sys (JMicron Technology Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor) -- C:\WINDOWS\system32\drivers\atswpdrv.sys (AuthenTec, Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (RTHDMIAzAudService) -- C:\WINDOWS\system32\drivers\RtHDMI.sys (Realtek Semiconductor Corp.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (btwhid) -- C:\WINDOWS\system32\drivers\btwhid.sys (Broadcom Corporation.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys (Broadcom Corporation.)
DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.)
DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)
DRV - (Int15) -- C:\WINDOWS\system32\drivers\int15.sys ()
DRV - (imagesrv) -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys (Ahead Software AG)
DRV - (imagedrv) -- C:\WINDOWS\System32\Drivers\imagedrv.sys (Ahead Software AG)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.purdue.edu/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.de"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.24 23:51:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.08.26 09:16:50 | 000,000,000 | ---D | M]

[2009.07.03 11:45:21 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Extensions
[2010.08.26 09:18:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions
[2009.07.19 06:46:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.08.18 02:06:44 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010.09.01 09:57:18 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.08.26 09:16:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2009.11.27 01:44:29 | 000,065,536 | ---- | M] () -- C:\Programme\Mozilla Firefox\components\FFComm.dll
[2008.08.16 11:42:02 | 000,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\CgpCore.dll
[2008.08.16 11:42:12 | 000,091,448 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\confmgr.dll
[2008.08.16 11:42:08 | 000,020,800 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\ctxlogging.dll
[2008.05.21 02:41:08 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\msvcm80.dll
[2008.05.21 02:41:08 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\msvcp80.dll
[2008.05.21 02:41:08 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\msvcr80.dll
[2010.07.17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2008.08.16 11:44:46 | 000,427,312 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\npicaN.dll
[2008.08.16 11:42:04 | 000,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\TcpPServ.dll
[2010.03.12 21:52:22 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.03.12 21:52:22 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.03.12 21:52:23 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.03.12 21:52:23 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.03.12 21:52:23 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2008.04.14 08:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live ID-Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AzMixerSel] C:\Programme\Realtek\Audio\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BackupNowEZtray] C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [mcagent_exe] C:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [pemywvla] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe File not found
O4 - HKLM..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [ZPdtWzdVitaKey MC3000] C:\Programme\Acer\Acer Bio Protection\PdtWzd.exe (Arachnoid Biometrics Identification Group Corp.)
O4 - HKCU..\Run: [pemywvla] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe File not found
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\BTTray.lnk = C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Programme\Acer\Acer Bio Protection\PwdBank.exe ()
O9 - Extra 'Tools' menuitem : Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Programme\Acer\Acer Bio Protection\PwdBank.exe ()
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O15 - HKCU\..Trusted Domains: netlibrary.com ([www] http in Vertrauenswürdige Sites)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1250353295218 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\AWinNotifyVitaKey MC3000: DllName - C:\Programme\Acer\Acer Bio Protection\WinNotify.dll - C:\Programme\Acer\Acer Bio Protection\WinNotify.dll (Arachnoid Biometrics Identification Group Corp.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Programme\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.07.02 14:47:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2232501f-67e1-11de-b2f8-d09e070d5a96}\Shell\AutoRun\command - "" = F:\y.cmd -- File not found
O33 - MountPoints2\{74a50ff1-0c5a-11df-b6e3-001e68ec4f7e}\Shell\AutoRun\command - "" = F:\restore\restorestarter.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010.09.01 09:20:55 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.09.01 09:20:53 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.09.01 09:20:52 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.08.31 19:49:24 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\user\Desktop\OTL.exe
[2010.08.31 19:46:19 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\user\Desktop\mbam-setup.exe
[2010.08.26 09:17:15 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sun
[2010.08.26 09:16:50 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010.08.26 09:16:49 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.08.26 09:16:49 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.08.26 09:16:49 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.08.25 21:54:51 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Macromedia
[2010.08.25 21:54:49 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Adobe
[2010.08.25 21:51:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Malwarebytes
[2010.08.25 21:50:48 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.08.25 16:11:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\Windows Server
[2010.08.25 16:11:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\C6E031F47CFCBECAF13BED1327434290
[2010.08.21 10:37:51 | 000,000,000 | ---D | C] -- C:\Greg_C
[2010.08.08 12:59:13 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Ahead
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.09.01 15:23:10 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.09.01 15:22:54 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.09.01 15:22:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.09.01 15:21:18 | 003,184,656 | -H-- | M] () -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\IconCache.db
[2010.09.01 15:18:27 | 009,699,328 | -H-- | M] () -- C:\Dokumente und Einstellungen\user\NTUSER.DAT
[2010.09.01 13:36:14 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\user\ntuser.ini
[2010.09.01 13:17:15 | 000,010,691 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010.09.01 13:14:11 | 001,079,610 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.09.01 13:14:11 | 000,474,460 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.09.01 13:14:11 | 000,433,196 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.09.01 13:14:11 | 000,090,436 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.09.01 13:14:11 | 000,067,960 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.09.01 09:20:58 | 000,000,676 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.08.31 19:46:22 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\user\Desktop\mbam-setup.exe
[2010.08.31 19:28:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\user\Desktop\OTL.exe
[2010.08.31 19:28:16 | 000,293,376 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\og3ieyvj.exe
[2010.08.26 17:04:28 | 000,363,520 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\rkill.com
[2010.08.26 10:13:23 | 000,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\user\defogger_reenable
[2010.08.26 10:12:27 | 000,050,477 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\Defogger.exe
[2010.08.26 09:39:53 | 000,525,824 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\dds.scr
[2010.08.25 16:25:40 | 000,002,843 | ---- | M] () -- C:\WINDOWS\isosucej.dll
[2010.08.25 16:18:55 | 000,002,843 | ---- | M] () -- C:\WINDOWS\arekezako.dll
[2010.08.22 20:04:10 | 000,154,624 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.08.21 03:16:46 | 000,002,243 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Skype.lnk
[2010.08.17 06:43:07 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.08.15 06:41:40 | 000,173,080 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.08.15 06:39:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010.08.15 01:29:19 | 000,000,338 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.09.01 09:20:58 | 000,000,676 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.08.31 19:49:21 | 000,293,376 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\og3ieyvj.exe
[2010.08.26 17:09:11 | 000,363,520 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\rkill.com
[2010.08.26 10:13:23 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\user\defogger_reenable
[2010.08.26 10:12:32 | 000,050,477 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\Defogger.exe
[2010.08.26 09:40:20 | 000,525,824 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\dds.scr
[2010.08.25 16:25:40 | 000,002,843 | ---- | C] () -- C:\WINDOWS\isosucej.dll
[2010.08.25 16:18:54 | 000,002,843 | ---- | C] () -- C:\WINDOWS\arekezako.dll
[2010.05.08 17:04:29 | 000,001,671 | ---- | C] () -- C:\WINDOWS\FOLIOHLP.INI
[2010.05.08 17:04:28 | 000,000,077 | ---- | C] () -- C:\WINDOWS\LNAME.INI
[2009.08.18 18:37:14 | 000,022,328 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\PnkBstrK.sys
[2009.08.15 18:56:18 | 000,138,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009.08.03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009.07.28 17:40:35 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009.07.18 13:38:41 | 000,154,624 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.07.05 10:31:38 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\Hooks.dll
[2009.07.03 11:41:24 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2009.07.03 11:41:21 | 000,069,632 | ---- | C] () -- C:\Programme\uninstgs.exe
[2009.07.03 11:35:17 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\VMC3KAPI.dll
[2009.07.03 08:00:41 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2009.07.03 06:22:08 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008.10.09 09:31:54 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll
[2008.08.19 02:58:32 | 000,000,616 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008.05.26 16:23:36 | 000,016,834 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2008.05.26 16:23:34 | 000,024,188 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2008.05.26 16:23:32 | 000,016,568 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2008.04.14 08:00:00 | 000,266,240 | ---- | C] () -- C:\WINDOWS\ozuzegosu.dll
[2007.04.01 03:00:28 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007.04.01 02:41:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2007.01.26 02:32:18 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\int15.sys
[2005.02.17 06:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005.02.17 06:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001.11.14 07:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009.07.02 14:47:56 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010.06.21 19:45:09 | 000,003,398 | ---- | M] () -- C:\bdlog.txt
[2009.07.02 14:42:08 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008.04.14 08:00:00 | 000,004,952 | RHS- | M] () -- C:\bootfont.bin
[2009.07.02 14:47:56 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009.11.06 18:14:12 | 000,000,000 | ---- | M] () -- C:\ctapi_out_gr.txt
[2009.07.02 14:47:56 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009.07.02 14:47:56 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008.04.14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008.04.14 08:00:00 | 000,251,712 | RHS- | M] () -- C:\ntldr
[2010.09.01 15:22:38 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010.08.26 17:51:11 | 000,000,362 | ---- | M] () -- C:\rkill.log

< %systemroot%\Fonts\*.com >
[2006.04.18 09:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006.06.29 08:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006.04.18 09:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006.06.29 08:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009.07.02 14:47:31 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %syst

#5 klingsor2010

klingsor2010
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 01 September 2010 - 03:48 PM

It is still not posting my complete logs, so I am attaching them instead.

Attached Files



#6 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:02:43 PM

Posted 01 September 2010 - 05:17 PM

Hi there,

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    CODE
    :OTL
    PRC - C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
    O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
    O4 - HKLM..\Run: [pemywvla] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe File not found
    O4 - HKCU..\Run: [pemywvla] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe File not found
    [7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2010.08.25 16:25:40 | 000,002,843 | ---- | M] () -- C:\WINDOWS\isosucej.dll
    [2010.08.25 16:18:55 | 000,002,843 | ---- | M] () -- C:\WINDOWS\arekezako.dll

    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Open up OTL and push the Quickscan button. Post the resulting log here in your next reply.


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.
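A small triage pass over OTL output, as an added example (it is not code from this thread, from mpascal, or from the OTL tool): it scans a few log lines copied from the logs above, embedded here as constructed sample input, and flags the same kinds of entries the fix script targets: Run entries whose target file is missing, DLLs sitting directly in the Windows directory with no company name, and an Internet Settings proxy pointing at the local machine. The rule names, the `Finding` type and the helper functions are my own, not OTL's.

```python
"""Triage helper for OTL-style log lines (added example, not OTL code)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the OTL logs posted in this thread.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
O4 - HKLM..\Run: [mcagent_exe] C:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [pemywvla] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe File not found
O4 - HKCU..\Run: [pemywvla] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\guwgmwdsa\lfvnsbishdw.exe File not found
[2010.08.25 16:25:40 | 000,002,843 | ---- | M] () -- C:\WINDOWS\isosucej.dll
[2010.08.25 16:18:55 | 000,002,843 | ---- | M] () -- C:\WINDOWS\arekezako.dll
[2010.09.01 09:20:55 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009.07.02 14:47:31 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini
"""

# OTL file entry: [timestamp | size | attrs | M/C] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>\S{4}) \| (?P<flag>[MC])\] \((?P<company>.*?)\) -- (?P<path>.+)$"
)
# O4 Run entry; OTL appends "File not found" when the target is missing.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<target>.+?)(?P<missing> File not found)?$"
)
# IE proxy setting, e.g. "ProxyServer" = http=127.0.0.1:6522
PROXY_RE = re.compile(r'"ProxyServer" = (?P<value>\S+)$')


@dataclass
class Finding:
    rule: str   # hypothetical rule name, chosen for this example
    line: str   # the raw log line that triggered it


def is_loose_windows_dll(path: str) -> bool:
    """True for a .dll placed directly in C:\\WINDOWS (no subfolder)."""
    low = path.lower()
    prefix = "c:\\windows\\"
    if not low.startswith(prefix) or not low.endswith(".dll"):
        return False
    return "\\" not in low[len(prefix):]


def triage(log_text: str) -> list[Finding]:
    """Apply the three review rules to every line of an OTL log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding("autorun-target-missing", line))
            continue
        m = FILE_RE.match(line)
        if m:
            # OTL's company field comes from version info; an empty field plus a
            # random-looking DLL in the Windows root is a review candidate only.
            if not m.group("company") and is_loose_windows_dll(m.group("path")):
                findings.append(Finding("no-company-dll-in-windows-root", line))
            continue
        m = PROXY_RE.search(line)
        if m:
            # value may look like "http=127.0.0.1:6522" or "127.0.0.1:8080"
            host = m.group("value").split("=")[-1].split(":")[0]
            if host in ("127.0.0.1", "localhost"):
                findings.append(Finding("local-proxy", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview before reading lines."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.rule}] {f.line}")
    print(summarize(results))
```

The proxy rule fires even though the sample shows `ProxyEnable = 0`, because a stale proxy value aimed at the local machine is worth recording regardless of whether it is currently switched on. The DLL rule mirrors OTL's own "Files Created - No Company Name" section rather than checking a signature, so its hits are candidates for a helper to judge, not verdicts.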


#7 klingsor2010

klingsor2010
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 01 September 2010 - 07:04 PM

Hi,

Here is the quickscan OTL Log. Also, I am attaching the OTL text that came up after reboot following the custom fix.

Thanks!

OTL logfile created on: 01.09.2010 19:44:32 - Run 2
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Dokumente und Einstellungen\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 69,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 298,08 Gb Total Space | 281,29 Gb Free Space | 94,37% Space Free | Partition Type: NTFS
Drive D: | 298,09 Gb Total Space | 54,70 Gb Free Space | 18,35% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAPTOP1
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.)
PRC - C:\Dokumente und Einstellungen\user\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Programme\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Programme\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Programme\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe (NewTech Infosystems, Inc.)
PRC - C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe (NewTech Infosystems, Inc.)
PRC - c:\Programme\Gemeinsame Dateien\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Programme\Gemeinsame Dateien\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Programme\Acer\Acer Bio Protection\BASVC.exe ()
PRC - C:\Programme\Acer\Acer Bio Protection\PdtWzd.exe (Arachnoid Biometrics Identification Group Corp.)
PRC - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
PRC - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVCM.EXE (Microsoft Corporation)
PRC - C:\Programme\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)


========== Modules (SafeList) ==========

MOD - C:\Dokumente und Einstellungen\user\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Programme\NewTech Infosystems\Backup Now EZ\Pehook.dll (NewTech Infosystems, Inc.)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\BtMmHook.dll (Broadcom Corporation.)


========== Win32 Services (SafeList) ==========

SRV - (SPService) -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe\sp.DLL ()
SRV - (mcmscsvc) -- C:\Programme\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Programme\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Programme\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Programme\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Programme\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
SRV - (NTI BackupNowEZSvr) -- C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe (NewTech Infosystems, Inc.)
SRV - (McProxy) -- c:\Programme\Gemeinsame Dateien\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Programme\Gemeinsame Dateien\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (IGBASVC) -- C:\Programme\Acer\Acer Bio Protection\BASVC.exe ()
SRV - (wlidsvc) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (odserv) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (bdfm) -- C:\WINDOWS\System32\drivers\bdfm.sys File not found
DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (PnkBstrK) -- C:\WINDOWS\system32\drivers\PnkBstrK.sys ()
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (AR5416) -- C:\WINDOWS\system32\drivers\athw.sys (Atheros Communications, Inc.)
DRV - (AlfaFF) -- C:\WINDOWS\system32\Drivers\AlfaFF.sys (Alfa Corporation)
DRV - (NTIDrvr) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (UBHelper) -- C:\WINDOWS\system32\drivers\UBHelper.sys (NewTech Infosystems Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (JMCR) -- C:\WINDOWS\system32\drivers\jmcr.sys (JMicron Technology Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor) -- C:\WINDOWS\system32\drivers\atswpdrv.sys (AuthenTec, Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (RTHDMIAzAudService) -- C:\WINDOWS\system32\drivers\RtHDMI.sys (Realtek Semiconductor Corp.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (btwhid) -- C:\WINDOWS\system32\drivers\btwhid.sys (Broadcom Corporation.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys (Broadcom Corporation.)
DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.)
DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)
DRV - (Int15) -- C:\WINDOWS\system32\drivers\int15.sys ()
DRV - (imagesrv) -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys (Ahead Software AG)
DRV - (imagedrv) -- C:\WINDOWS\System32\Drivers\imagedrv.sys (Ahead Software AG)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.purdue.edu/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.de"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.24 23:51:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.08.26 09:16:50 | 000,000,000 | ---D | M]

[2009.07.03 11:45:21 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Extensions
[2010.09.01 16:12:21 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions
[2009.07.19 06:46:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.08.18 02:06:44 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010.09.01 19:33:03 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.08.26 09:16:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2009.11.27 01:44:29 | 000,065,536 | ---- | M] () -- C:\Programme\Mozilla Firefox\components\FFComm.dll
[2008.08.16 11:42:02 | 000,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\CgpCore.dll
[2008.08.16 11:42:12 | 000,091,448 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\confmgr.dll
[2008.08.16 11:42:08 | 000,020,800 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\ctxlogging.dll
[2008.05.21 02:41:08 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\msvcm80.dll
[2008.05.21 02:41:08 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\msvcp80.dll
[2008.05.21 02:41:08 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\msvcr80.dll
[2010.07.17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2008.08.16 11:44:46 | 000,427,312 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\npicaN.dll
[2008.08.16 11:42:04 | 000,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\TcpPServ.dll
[2010.03.12 21:52:22 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.03.12 21:52:22 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.03.12 21:52:23 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.03.12 21:52:23 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.03.12 21:52:23 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2008.04.14 08:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live ID-Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AzMixerSel] C:\Programme\Realtek\Audio\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BackupNowEZtray] C:\Programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [ZPdtWzdVitaKey MC3000] C:\Programme\Acer\Acer Bio Protection\PdtWzd.exe (Arachnoid Biometrics Identification Group Corp.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\BTTray.lnk = C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Programme\Acer\Acer Bio Protection\PwdBank.exe ()
O9 - Extra 'Tools' menuitem : Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Programme\Acer\Acer Bio Protection\PwdBank.exe ()
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O15 - HKCU\..Trusted Domains: netlibrary.com ([www] http in Vertrauenswürdige Sites)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1250353295218 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\AWinNotifyVitaKey MC3000: DllName - C:\Programme\Acer\Acer Bio Protection\WinNotify.dll - C:\Programme\Acer\Acer Bio Protection\WinNotify.dll (Arachnoid Biometrics Identification Group Corp.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Programme\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.07.02 14:47:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2232501f-67e1-11de-b2f8-d09e070d5a96}\Shell\AutoRun\command - "" = F:\y.cmd -- File not found
O33 - MountPoints2\{74a50ff1-0c5a-11df-b6e3-001e68ec4f7e}\Shell\AutoRun\command - "" = F:\restore\restorestarter.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010.09.01 19:36:02 | 000,000,000 | ---D | C] -- C:\_OTL
[2010.09.01 09:20:55 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.09.01 09:20:53 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.09.01 09:20:52 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.08.31 19:49:24 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\user\Desktop\OTL.exe
[2010.08.31 19:46:19 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\user\Desktop\mbam-setup.exe
[2010.08.26 09:17:15 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sun
[2010.08.25 21:54:51 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Macromedia
[2010.08.25 21:54:49 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Adobe
[2010.08.25 21:51:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Malwarebytes
[2010.08.25 21:50:48 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.08.25 16:11:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\Windows Server
[2010.08.25 16:11:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\C6E031F47CFCBECAF13BED1327434290
[2010.08.21 10:37:51 | 000,000,000 | ---D | C] -- C:\Greg_C
[2010.08.08 12:59:13 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Ahead
[2010.07.06 02:44:52 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010.06.27 22:55:59 | 000,364,544 | ---- | C] (Matthew T. Ashland) -- C:\WINDOWS\System32\MACDll.dll
[2010.06.27 22:55:58 | 000,000,000 | ---D | C] -- C:\Programme\Monkey's Audio
[2010.06.27 22:48:07 | 000,000,000 | ---D | C] -- C:\Programme\Exact Audio Copy
[2010.06.21 19:59:40 | 000,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2010.06.21 19:59:40 | 000,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010.06.21 19:59:39 | 000,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010.06.21 19:59:30 | 000,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2010.06.21 19:58:19 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\McAfee
[2010.06.21 19:58:14 | 000,000,000 | ---D | C] -- C:\Programme\McAfee.com
[2010.06.21 19:58:04 | 000,000,000 | ---D | C] -- C:\Programme\McAfee
[2010.06.21 19:56:46 | 000,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2010.06.16 12:59:30 | 000,000,000 | ---D | C] -- C:\Programme\Lame for Audacity
[2010.06.16 11:13:38 | 000,000,000 | ---D | C] -- C:\Programme\Audacity

========== Files - Modified Within 90 Days ==========

[2010.09.01 19:42:57 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.09.01 19:42:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.09.01 19:42:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.09.01 19:41:31 | 000,010,691 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010.09.01 19:41:28 | 009,699,328 | -H-- | M] () -- C:\Dokumente und Einstellungen\user\NTUSER.DAT
[2010.09.01 19:41:28 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\user\ntuser.ini
[2010.09.01 19:36:04 | 001,079,610 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.09.01 19:36:04 | 000,474,460 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.09.01 19:36:04 | 000,433,196 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.09.01 19:36:04 | 000,090,436 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.09.01 19:36:04 | 000,067,960 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.09.01 18:14:14 | 002,546,006 | -H-- | M] () -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\IconCache.db
[2010.09.01 09:20:58 | 000,000,676 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.08.31 19:46:22 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\user\Desktop\mbam-setup.exe
[2010.08.31 19:28:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\user\Desktop\OTL.exe
[2010.08.31 19:28:16 | 000,293,376 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\og3ieyvj.exe
[2010.08.26 17:04:28 | 000,363,520 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\rkill.com
[2010.08.26 10:13:23 | 000,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\user\defogger_reenable
[2010.08.26 10:12:27 | 000,050,477 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\Defogger.exe
[2010.08.26 09:39:53 | 000,525,824 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\dds.scr
[2010.08.22 20:04:10 | 000,154,624 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.08.21 03:16:46 | 000,002,243 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Skype.lnk
[2010.08.17 06:43:07 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.08.15 06:41:40 | 000,173,080 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.08.15 06:39:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010.08.15 01:29:19 | 000,000,338 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010.07.15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2010.06.27 22:48:10 | 000,000,679 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\Exact Audio Copy.lnk
[2010.06.21 20:04:05 | 000,000,651 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\McAfee Security Center.lnk
[2010.06.21 20:03:48 | 000,000,539 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.06.21 19:58:50 | 000,000,330 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010.06.21 19:45:21 | 000,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin
[2010.06.21 03:35:17 | 000,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI
[2010.06.20 18:39:55 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\BDUpdateV1.xml
[2010.06.16 11:13:45 | 000,000,610 | ---- | M] () -- C:\Dokumente und Einstellungen\user\Desktop\Audacity.lnk

========== Files Created - No Company Name ==========

[2010.09.01 09:20:58 | 000,000,676 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.08.31 19:49:21 | 000,293,376 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\og3ieyvj.exe
[2010.08.26 17:09:11 | 000,363,520 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\rkill.com
[2010.08.26 10:13:23 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\user\defogger_reenable
[2010.08.26 10:12:32 | 000,050,477 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\Defogger.exe
[2010.08.26 09:40:20 | 000,525,824 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\dds.scr
[2010.06.27 22:48:10 | 000,000,679 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\Exact Audio Copy.lnk
[2010.06.21 20:04:14 | 000,010,691 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2010.06.21 20:04:05 | 000,000,651 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\McAfee Security Center.lnk
[2010.06.21 19:58:51 | 000,000,338 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010.06.21 19:58:50 | 000,000,330 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2010.06.16 11:13:45 | 000,000,610 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Desktop\Audacity.lnk
[2010.05.08 17:04:29 | 000,001,671 | ---- | C] () -- C:\WINDOWS\FOLIOHLP.INI
[2010.05.08 17:04:28 | 000,000,077 | ---- | C] () -- C:\WINDOWS\LNAME.INI
[2009.08.18 18:37:14 | 000,022,328 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\PnkBstrK.sys
[2009.08.15 18:56:18 | 000,138,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009.08.03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009.07.28 17:40:35 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009.07.18 13:38:41 | 000,154,624 | ---- | C] () -- C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.07.05 10:31:38 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\Hooks.dll
[2009.07.03 11:41:24 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2009.07.03 11:41:21 | 000,069,632 | ---- | C] () -- C:\Programme\uninstgs.exe
[2009.07.03 11:35:17 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\VMC3KAPI.dll
[2009.07.03 08:00:41 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2009.07.03 06:22:08 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008.10.09 09:31:54 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll
[2008.08.19 02:58:32 | 000,000,616 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008.05.26 16:23:36 | 000,016,834 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2008.05.26 16:23:34 | 000,024,188 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2008.05.26 16:23:32 | 000,016,568 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2008.04.14 08:00:00 | 000,266,240 | ---- | C] () -- C:\WINDOWS\ozuzegosu.dll
[2007.04.01 03:00:28 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007.04.01 02:41:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2007.01.26 02:32:18 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\int15.sys
[2005.02.17 06:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005.02.17 06:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001.11.14 07:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009.07.05 10:43:20 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LKG
[2010.02.01 16:49:32 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NTIReg
[2010.08.25 16:11:27 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\C6E031F47CFCBECAF13BED1327434290
[2009.07.10 09:52:19 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\ICAClient
[2009.07.03 04:59:05 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\OpenOffice.org
[2009.07.18 11:35:58 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Windows Desktop Search
[2009.09.17 10:41:42 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Windows Search
[2010.08.15 01:29:19 | 000,000,338 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2010.06.21 19:58:50 | 000,000,330 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

========== Purity Check ==========


< End of report >
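The OTL log above is the sort of thing a helper reads by eye, picking out a loopback ProxyServer value, a service binary with no version information under a profile directory, driver and service entries whose file is missing, a MountPoints2 autorun command from a removable drive, an extension folder with no name, and a binary with no company name dropped straight into C:\WINDOWS. The following added example applies those same checks mechanically to a few constructed lines modelled on this log; it is my code, not part of this thread or of the OTL tool, and the rule names and the sample lines are my own.

```python
"""Mechanical triage of OTL-style log lines.

Added example; not part of the BleepingComputer thread and not code from
the OTL tool. The rule names and the sample lines below are my own.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Constructed sample, modelled on the entry types seen in the log above.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
SRV - (SPService) -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe\sp.DLL ()
SRV - (McShield) -- C:\Programme\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
DRV - (bdfm) -- C:\WINDOWS\System32\drivers\bdfm.sys File not found
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O33 - MountPoints2\{2232501f-67e1-11de-b2f8-d09e070d5a96}\Shell\AutoRun\command - "" = F:\y.cmd -- File not found
[2009.08.18 02:06:44 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2008.04.14 08:00:00 | 000,266,240 | ---- | C] () -- C:\WINDOWS\ozuzegosu.dll
"""

# Trailing "C:\path (Company)" on SRV/O4 lines; an empty "()" means no version info.
PATH_COMPANY = re.compile(r'(?P<path>[A-Za-z]:\\[^()]*?)\s*\((?P<company>[^()]*)\)\s*$')
# File-list entries: "[stamp | size | attrs | C/M] (Company) -- path"
FILE_ENTRY = re.compile(
    r'^\[[\d.]+ [\d:]+ \| [\d,]+ \| [-A-Z]+ \| [CM]\] \((?P<company>[^()]*)\) -- (?P<path>.*)$')
LOOPBACK_PROXY = re.compile(r'"ProxyServer"\s*=\s*\S*?(127\.0\.0\.1|localhost)', re.I)
DANGLING_ENTRY = re.compile(r'^(DRV|SRV) - .*\bFile not found\s*$')
USB_AUTORUN = re.compile(r'^O33 - MountPoints2\\.*\\Shell\\AutoRun\\command\b', re.I)
PROFILE_DIR = re.compile(
    r'\\(Anwendungsdaten|Application Data|Lokale Einstellungen|Local Settings|Temp|Desktop)\\', re.I)
WINDIR_BINARY = re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+\.(dll|exe|sys)$', re.I)


def classify(line: str) -> list[Finding]:
    """Return the findings for one log line; an unremarkable line yields []."""
    line = line.rstrip()
    found: list[Finding] = []

    # A proxy on 127.0.0.1 is how rogue AV and hijackers sit between the browser
    # and the network; a leftover value is worth noting even with ProxyEnable = 0.
    if LOOPBACK_PROXY.search(line):
        found.append(Finding("loopback_proxy", line.split("=", 1)[1].strip()))

    # A service or driver whose binary is gone: a half-removed infection or a
    # dead entry that keeps producing errors until the key is deleted.
    if DANGLING_ENTRY.match(line):
        m = re.search(r'-- (?P<path>[A-Za-z]:\\.*?) File not found', line)
        found.append(Finding("dangling_entry", m.group("path") if m else line))

    # MountPoints2 autorun commands are left behind by autorun worms on USB sticks.
    if USB_AUTORUN.match(line):
        m = re.search(r'=\s*(?P<path>[A-Za-z]:\\\S*)', line)
        found.append(Finding("removable_autorun", m.group("path") if m else line))

    fe = FILE_ENTRY.match(line)
    if fe:
        company, path = fe.group("company"), fe.group("path")
        # A DLL/EXE/SYS with no version info dropped straight into %WINDIR%.
        if company == "" and WINDIR_BINARY.match(path):
            found.append(Finding("unsigned_windir_binary", path))
        if company == "No name found" and "\\extensions\\" in path:
            found.append(Finding("nameless_extension", path))
        return found

    pc = PATH_COMPANY.search(line)
    if pc and line.startswith(("SRV - ", "O4 - ")):
        company, path = pc.group("company"), pc.group("path")
        # Autostart or service binaries without version info under a
        # user-writable profile directory are the classic rogue-AV footprint.
        if company == "" and PROFILE_DIR.search(path):
            found.append(Finding("unsigned_autostart_in_profile", path))
    return found


def triage(log_text: str) -> list[Finding]:
    """Run classify() over every line of a log and collect the findings."""
    return [f for line in log_text.splitlines() for f in classify(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview before reading details."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.detail}")
```

Run against a saved OTL.txt by passing its contents to triage(); a hit is a lead to verify, not a verdict, since legitimate but unversioned vendor files (several appear in the log above) trip the same rules.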

#8 mpascal (Math Nerd, Members, 1,653 posts, Canada)

Posted 01 September 2010 - 08:43 PM

Hi there,

I got rid of that FreePDF XP file last time; there might be some of it left, though, so you can probably get rid of it in Add/Remove Programs, or just delete it.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#9 klingsor2010 (Topic Starter, Members, 31 posts)

Posted 01 September 2010 - 09:55 PM

Hi-

I think I messed up by having my computer not connected to the internet when I ran ComboFix. Let me know if I should run it again with the internet connection active this time. Thanks much!


ComboFix 10-09-01.02 - user 01.09.2010 22:28:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2526.1979 [GMT -4:00]
Running from:: c:\dokumente und einstellungen\user\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

Warning - The Recovery Console is not installed on this PC !!
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\All Users\Anwendungsdaten\Adobe\sp.DLL
c:\dokumente und einstellungen\user\Lokale Einstellungen\Anwendungsdaten\Windows Server
c:\dokumente und einstellungen\user\Lokale Einstellungen\Anwendungsdaten\Windows Server\admin.txt
c:\dokumente und einstellungen\user\Lokale Einstellungen\Anwendungsdaten\Windows Server\flags.ini
c:\dokumente und einstellungen\user\Lokale Einstellungen\Anwendungsdaten\Windows Server\server.dat
c:\dokumente und einstellungen\user\Lokale Einstellungen\Anwendungsdaten\Windows Server\uses32.dat

Infected copy of c:\windows\system32\drivers\kbdhid.sys was found and disinfected
Copy of - Kitty had a snack :p was restored
c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SPService


((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 ))))))))))))))))))))))))))))))
.

2010-09-01 23:36 . 2010-09-01 23:36 -------- d-----w- C:\_OTL
2010-09-01 17:04 . 2010-09-01 17:04 -------- d-----r- c:\dokumente und einstellungen\Administrator\Eigene Dateien
2010-09-01 17:03 . 2010-09-01 17:03 -------- d-sh--w- c:\dokumente und einstellungen\Administrator\IETldCache
2010-09-01 13:20 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 13:20 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-01 13:20 . 2010-09-01 13:21 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2010-08-26 13:17 . 2010-08-26 13:17 61440 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ca5b7fe-n\decora-sse.dll
2010-08-26 13:17 . 2010-08-26 13:17 503808 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a9e3f6f-n\msvcp71.dll
2010-08-26 13:17 . 2010-08-26 13:17 499712 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a9e3f6f-n\jmc.dll
2010-08-26 13:17 . 2010-08-26 13:17 348160 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a9e3f6f-n\msvcr71.dll
2010-08-26 13:17 . 2010-08-26 13:17 12800 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ca5b7fe-n\decora-d3d.dll
2010-08-26 13:16 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 03:28 . 2010-08-26 03:28 -------- d-----r- c:\dokumente und einstellungen\NetworkService\Favoriten
2010-08-26 01:51 . 2010-08-26 01:51 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\Malwarebytes
2010-08-26 01:50 . 2010-08-26 01:50 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-08-25 20:11 . 2010-08-25 20:11 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\C6E031F47CFCBECAF13BED1327434290
2010-08-21 14:37 . 2010-08-22 14:22 -------- d-----w- C:\Greg_C
2010-08-08 16:59 . 2010-08-08 16:59 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\Ahead

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-01 23:36 . 2009-07-03 15:41 -------- d-----w- c:\programme\FreePDF_XP
2010-09-01 23:36 . 2008-04-14 12:00 90436 ----a-w- c:\windows\system32\perfc007.dat
2010-09-01 23:36 . 2008-04-14 12:00 474460 ----a-w- c:\windows\system32\perfh007.dat
2010-08-26 13:17 . 2009-07-03 08:57 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
2010-08-26 13:16 . 2009-07-03 08:57 -------- d-----w- c:\programme\Java
2010-08-21 07:37 . 2009-08-18 18:29 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\Skype
2010-08-21 07:17 . 2009-08-18 18:31 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\skypePM
2010-08-15 10:29 . 2009-07-30 18:00 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2010-07-29 23:34 . 2009-07-03 08:59 1 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-24 01:29 . 2010-06-21 23:58 -------- d-----w- c:\programme\McAfee
2010-07-15 19:18 . 2010-06-21 23:59 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-30 12:28 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 09:02 . 2008-04-14 12:00 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 23:45 . 2009-07-03 11:32 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-21 15:27 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-07-02 18:45 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2004-02-20 11:31 . 2009-07-03 15:41 69632 ----a-w- c:\programme\uninstgs.exe
2009-11-27 05:44 . 2008-10-30 15:34 65536 ----a-w- c:\programme\mozilla firefox\components\FFComm.dll
2008-08-16 15:42 . 2008-08-16 15:42 13112 ----a-w- c:\programme\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 15:42 . 2008-08-16 15:42 70456 ----a-w- c:\programme\mozilla firefox\plugins\CgpCore.dll
2008-08-16 15:42 . 2008-08-16 15:42 91448 ----a-w- c:\programme\mozilla firefox\plugins\confmgr.dll
2008-08-16 15:42 . 2008-08-16 15:42 20800 ----a-w- c:\programme\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 15:43 . 2008-08-16 15:43 206136 ----a-w- c:\programme\mozilla firefox\plugins\ctxmui.dll
2008-08-16 15:42 . 2008-08-16 15:42 31032 ----a-w- c:\programme\mozilla firefox\plugins\icafile.dll
2008-08-16 15:42 . 2008-08-16 15:42 40248 ----a-w- c:\programme\mozilla firefox\plugins\icalogon.dll
2008-05-21 06:41 . 2008-05-21 06:41 479232 ----a-w- c:\programme\mozilla firefox\plugins\msvcm80.dll
2008-05-21 06:41 . 2008-05-21 06:41 548864 ----a-w- c:\programme\mozilla firefox\plugins\msvcp80.dll
2008-05-21 06:41 . 2008-05-21 06:41 626688 ----a-w- c:\programme\mozilla firefox\plugins\msvcr80.dll
2008-06-05 11:58 . 2008-06-05 11:58 648504 ----a-w- c:\programme\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 15:42 . 2008-08-16 15:42 23864 ----a-w- c:\programme\mozilla firefox\plugins\TcpPServ.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 59AC2CEA6FA728A48A2FBD568C696C72 . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 3D48E32B692D6EAA8029D4941B3AF1BB . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-26 16862720]
"AzMixerSel"="c:\programme\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"ZPdtWzdVitaKey MC3000"="c:\programme\Acer\Acer Bio Protection\PdtWzd.exe" [2009-07-03 3686400]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StartCCC"="c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2008-02-12 1028096]
"BackupNowEZtray"="c:\programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-09-19 562944]
"mcagent_exe"="c:\programme\McAfee.com\Agent\mcagent.exe" [2010-06-10 1218008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - c:\programme\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
Windows Search.lnk - c:\programme\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programme\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2009-07-03 15:35 3077120 ----a-w- c:\programme\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Gemeinsame Dateien\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19422:TCP"= 19422:TCP:spport
"14101:TCP"= 14101:TCP:spport
"26737:TCP"= 26737:TCP:spport
"13877:TCP"= 13877:TCP:spport
"23415:TCP"= 23415:TCP:spport
"16803:TCP"= 16803:TCP:spport
"14213:TCP"= 14213:TCP:spport
"14179:TCP"= 14179:TCP:spport
"21250:TCP"= 21250:TCP:spport
"19451:TCP"= 19451:TCP:spport
"29493:TCP"= 29493:TCP:spport
"11720:TCP"= 11720:TCP:spport
"13183:TCP"= 13183:TCP:spport
"19528:TCP"= 19528:TCP:spport
"16396:TCP"= 16396:TCP:spport
"28978:TCP"= 28978:TCP:spport
"12721:TCP"= 12721:TCP:spport
"13569:TCP"= 13569:TCP:spport
"27451:TCP"= 27451:TCP:spport
"13955:TCP"= 13955:TCP:spport
"29044:TCP"= 29044:TCP:spport
"22680:TCP"= 22680:TCP:spport
"18062:TCP"= 18062:TCP:spport

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [03.07.2009 11:35 43184]
R2 IGBASVC;iGroupTec Service;c:\programme\Acer\Acer Bio Protection\BASVC.exe [03.07.2009 11:35 3481088]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [19.09.2009 08:04 45312]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [03.07.2009 11:32 96856]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys --> c:\windows\system32\drivers\bdfm.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Inhalt des "geplante Tasks" Ordners

2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-21 16:22]

2010-06-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-21 16:22]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.purdue.edu/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/forgotPassword.asp?affid=550-22&langid=1&close=true&RW=1
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Senden an &Bluetooth-Gerät... - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: netlibrary.com\www
FF - ProfilePath - c:\dokumente und einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\
FF - prefs.js: browser.startup.homepage - google.de
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\programme\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programme\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-01 22:38
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
c:\programme\Acer\Acer Bio Protection\WinNotify.dll
c:\programme\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\ATSC70.DLL
c:\windows\system32\ATSC70PBA.dll

- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\btmmhook.dll
c:\programme\Windows Desktop Search\deskbar.dll
c:\programme\Windows Desktop Search\de-de\dbres.dll.mui
c:\programme\Windows Desktop Search\dbres.dll
c:\programme\Windows Desktop Search\wordwheel.dll
c:\programme\Windows Desktop Search\de-de\msnlExtRes.dll.mui
c:\programme\Windows Desktop Search\msnlExtRes.dll
c:\programme\NewTech Infosystems\Backup Now EZ\Pehook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\Ati2evxx.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\GEMEIN~1\mcafee\mna\mcnasvc.exe
c:\progra~1\GEMEIN~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\programme\McAfee\MPF\MPFSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTHDCPL.EXE
c:\programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\dokume~1\user\LOKALE~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-09-01 22:43:31 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-09-02 02:43

Vor Suchlauf: 10 Verzeichnis(se), 301.845.299.200 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 301.776.252.928 Bytes frei

- - End Of File - - 35EEA69C927717E1D5DCB62E6ACD890A


#10 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada
  • Local time:02:43 PM

Posted 01 September 2010 - 11:16 PM

Hi there,

Close any open browsers, and close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the codebox below into it:

CODE
Folder::
c:\programme\FreePDF_XP

  • Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#11 klingsor2010

klingsor2010
  • Topic Starter

  • Members
  • 31 posts
  • Local time:03:43 PM

Posted 02 September 2010 - 12:15 AM

ComboFix 10-09-01.02 - user 02.09.2010 1:02.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2526.2003 [GMT -4:00]
ausgeführt von:: c:\dokumente und einstellungen\user\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\user\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programme\FreePDF_XP
c:\programme\FreePDF_XP\fpsetup.exe

c:\windows\system32\winlogon.exe . . . ist infiziert!!

c:\windows\explorer.exe . . . ist infiziert!!

.
((((((((((((((((((((((( Dateien erstellt von 2010-08-02 bis 2010-09-02 ))))))))))))))))))))))))))))))
.

2010-09-01 23:36 . 2010-09-01 23:36 -------- d-----w- C:\_OTL
2010-09-01 17:04 . 2010-09-01 17:04 -------- d-----r- c:\dokumente und einstellungen\Administrator\Eigene Dateien
2010-09-01 17:03 . 2010-09-01 17:03 -------- d-sh--w- c:\dokumente und einstellungen\Administrator\IETldCache
2010-08-26 13:17 . 2010-08-26 13:17 61440 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ca5b7fe-n\decora-sse.dll
2010-08-26 13:17 . 2010-08-26 13:17 503808 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a9e3f6f-n\msvcp71.dll
2010-08-26 13:17 . 2010-08-26 13:17 499712 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a9e3f6f-n\jmc.dll
2010-08-26 13:17 . 2010-08-26 13:17 348160 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a9e3f6f-n\msvcr71.dll
2010-08-26 13:17 . 2010-08-26 13:17 12800 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ca5b7fe-n\decora-d3d.dll
2010-08-26 13:16 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 03:28 . 2010-08-26 03:28 -------- d-----r- c:\dokumente und einstellungen\NetworkService\Favoriten
2010-08-26 01:51 . 2010-08-26 01:51 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\Malwarebytes
2010-08-26 01:50 . 2010-08-26 01:50 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-08-25 20:11 . 2010-08-25 20:11 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\C6E031F47CFCBECAF13BED1327434290
2010-08-21 14:37 . 2010-08-22 14:22 -------- d-----w- C:\Greg_C
2010-08-08 16:59 . 2010-08-08 16:59 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\Ahead

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-01 23:36 . 2008-04-14 12:00 90436 ----a-w- c:\windows\system32\perfc007.dat
2010-09-01 23:36 . 2008-04-14 12:00 474460 ----a-w- c:\windows\system32\perfh007.dat
2010-08-26 13:17 . 2009-07-03 08:57 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
2010-08-26 13:16 . 2009-07-03 08:57 -------- d-----w- c:\programme\Java
2010-08-21 07:37 . 2009-08-18 18:29 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\Skype
2010-08-21 07:17 . 2009-08-18 18:31 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\skypePM
2010-08-15 10:29 . 2009-07-30 18:00 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2010-07-29 23:34 . 2009-07-03 08:59 1 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-24 01:29 . 2010-06-21 23:58 -------- d-----w- c:\programme\McAfee
2010-07-15 19:18 . 2010-06-21 23:59 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-30 12:28 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 09:02 . 2008-04-14 12:00 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 23:45 . 2009-07-03 11:32 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-21 15:27 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-07-02 18:45 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2004-02-20 11:31 . 2009-07-03 15:41 69632 ----a-w- c:\programme\uninstgs.exe
2009-11-27 05:44 . 2008-10-30 15:34 65536 ----a-w- c:\programme\mozilla firefox\components\FFComm.dll
2008-08-16 15:42 . 2008-08-16 15:42 13112 ----a-w- c:\programme\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 15:42 . 2008-08-16 15:42 70456 ----a-w- c:\programme\mozilla firefox\plugins\CgpCore.dll
2008-08-16 15:42 . 2008-08-16 15:42 91448 ----a-w- c:\programme\mozilla firefox\plugins\confmgr.dll
2008-08-16 15:42 . 2008-08-16 15:42 20800 ----a-w- c:\programme\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 15:43 . 2008-08-16 15:43 206136 ----a-w- c:\programme\mozilla firefox\plugins\ctxmui.dll
2008-08-16 15:42 . 2008-08-16 15:42 31032 ----a-w- c:\programme\mozilla firefox\plugins\icafile.dll
2008-08-16 15:42 . 2008-08-16 15:42 40248 ----a-w- c:\programme\mozilla firefox\plugins\icalogon.dll
2008-05-21 06:41 . 2008-05-21 06:41 479232 ----a-w- c:\programme\mozilla firefox\plugins\msvcm80.dll
2008-05-21 06:41 . 2008-05-21 06:41 548864 ----a-w- c:\programme\mozilla firefox\plugins\msvcp80.dll
2008-05-21 06:41 . 2008-05-21 06:41 626688 ----a-w- c:\programme\mozilla firefox\plugins\msvcr80.dll
2008-06-05 11:58 . 2008-06-05 11:58 648504 ----a-w- c:\programme\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 15:42 . 2008-08-16 15:42 23864 ----a-w- c:\programme\mozilla firefox\plugins\TcpPServ.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 59AC2CEA6FA728A48A2FBD568C696C72 . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 3D48E32B692D6EAA8029D4941B3AF1BB . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-09-02_02.38.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-02 04:38 . 2010-09-02 04:38 16384 c:\windows\Temp\Perflib_Perfdata_20c.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-26 16862720]
"AzMixerSel"="c:\programme\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"ZPdtWzdVitaKey MC3000"="c:\programme\Acer\Acer Bio Protection\PdtWzd.exe" [2009-07-03 3686400]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StartCCC"="c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2008-02-12 1028096]
"BackupNowEZtray"="c:\programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-09-19 562944]
"mcagent_exe"="c:\programme\McAfee.com\Agent\mcagent.exe" [2010-06-10 1218008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - c:\programme\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
Windows Search.lnk - c:\programme\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programme\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2009-07-03 15:35 3077120 ----a-w- c:\programme\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Gemeinsame Dateien\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19422:TCP"= 19422:TCP:spport
"14101:TCP"= 14101:TCP:spport
"26737:TCP"= 26737:TCP:spport
"13877:TCP"= 13877:TCP:spport
"23415:TCP"= 23415:TCP:spport
"16803:TCP"= 16803:TCP:spport
"14213:TCP"= 14213:TCP:spport
"14179:TCP"= 14179:TCP:spport
"21250:TCP"= 21250:TCP:spport
"19451:TCP"= 19451:TCP:spport
"29493:TCP"= 29493:TCP:spport
"11720:TCP"= 11720:TCP:spport
"13183:TCP"= 13183:TCP:spport
"19528:TCP"= 19528:TCP:spport
"16396:TCP"= 16396:TCP:spport
"28978:TCP"= 28978:TCP:spport
"12721:TCP"= 12721:TCP:spport
"13569:TCP"= 13569:TCP:spport
"27451:TCP"= 27451:TCP:spport
"13955:TCP"= 13955:TCP:spport
"29044:TCP"= 29044:TCP:spport
"22680:TCP"= 22680:TCP:spport
"18062:TCP"= 18062:TCP:spport

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [03.07.2009 11:35 43184]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [19.09.2009 08:04 45312]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [03.07.2009 11:32 96856]
S2 IGBASVC;iGroupTec Service;c:\programme\Acer\Acer Bio Protection\BASVC.exe [03.07.2009 11:35 3481088]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys --> c:\windows\system32\drivers\bdfm.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Inhalt des "geplante Tasks" Ordners

2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-21 16:22]

2010-06-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-21 16:22]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.purdue.edu/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/forgotPassword.asp?affid=550-22&langid=1&close=true&RW=1
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Senden an &Bluetooth-Gerät... - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: netlibrary.com\www
FF - ProfilePath - c:\dokumente und einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\
FF - prefs.js: browser.startup.homepage - google.de
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\programme\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programme\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien:

**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
c:\programme\Acer\Acer Bio Protection\WinNotify.dll
c:\programme\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\ATSC70.DLL
c:\windows\system32\ATSC70PBA.dll
.
Zeit der Fertigstellung: 2010-09-02 01:09:58
ComboFix-quarantined-files.txt 2010-09-02 05:09
ComboFix2.txt 2010-09-02 04:59
ComboFix3.txt 2010-09-02 02:43

Vor Suchlauf: 11 Verzeichnis(se), 301.739.102.208 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 301.721.300.992 Bytes frei

- - End Of File - - 0089D5F21D0DFC7E76B6BEE79E519EB7


#12 klingsor2010

klingsor2010
  • Topic Starter

  • Members
  • 31 posts
  • Local time:03:43 PM

Posted 02 September 2010 - 04:05 AM

Hi,

I wasn't sure if I should disable the firewall as well when using ComboFix, so I did it a second time with it disabled.



ComboFix 10-09-01.02 - user 02.09.2010 4:41.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2526.1953 [GMT -4:00]
ausgeführt von:: c:\dokumente und einstellungen\user\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\user\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . ist infiziert!!

c:\windows\explorer.exe . . . ist infiziert!!

.
((((((((((((((((((((((( Dateien erstellt von 2010-08-02 bis 2010-09-02 ))))))))))))))))))))))))))))))
.

2010-09-01 23:36 . 2010-09-01 23:36 -------- d-----w- C:\_OTL
2010-09-01 17:04 . 2010-09-01 17:04 -------- d-----r- c:\dokumente und einstellungen\Administrator\Eigene Dateien
2010-09-01 17:03 . 2010-09-01 17:03 -------- d-sh--w- c:\dokumente und einstellungen\Administrator\IETldCache
2010-08-26 13:17 . 2010-08-26 13:17 61440 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ca5b7fe-n\decora-sse.dll
2010-08-26 13:17 . 2010-08-26 13:17 503808 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a9e3f6f-n\msvcp71.dll
2010-08-26 13:17 . 2010-08-26 13:17 499712 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a9e3f6f-n\jmc.dll
2010-08-26 13:17 . 2010-08-26 13:17 348160 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a9e3f6f-n\msvcr71.dll
2010-08-26 13:17 . 2010-08-26 13:17 12800 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ca5b7fe-n\decora-d3d.dll
2010-08-26 13:16 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 03:28 . 2010-08-26 03:28 -------- d-----r- c:\dokumente und einstellungen\NetworkService\Favoriten
2010-08-26 01:51 . 2010-08-26 01:51 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\Malwarebytes
2010-08-26 01:50 . 2010-08-26 01:50 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-08-25 20:11 . 2010-08-25 20:11 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\C6E031F47CFCBECAF13BED1327434290
2010-08-21 14:37 . 2010-08-22 14:22 -------- d-----w- C:\Greg_C
2010-08-08 16:59 . 2010-08-08 16:59 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\Ahead

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-01 23:36 . 2008-04-14 12:00 90436 ----a-w- c:\windows\system32\perfc007.dat
2010-09-01 23:36 . 2008-04-14 12:00 474460 ----a-w- c:\windows\system32\perfh007.dat
2010-08-26 13:17 . 2009-07-03 08:57 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
2010-08-26 13:16 . 2009-07-03 08:57 -------- d-----w- c:\programme\Java
2010-08-21 07:37 . 2009-08-18 18:29 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\Skype
2010-08-21 07:17 . 2009-08-18 18:31 -------- d-----w- c:\dokumente und einstellungen\user\Anwendungsdaten\skypePM
2010-08-15 10:29 . 2009-07-30 18:00 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2010-07-29 23:34 . 2009-07-03 08:59 1 ----a-w- c:\dokumente und einstellungen\user\Anwendungsdaten\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-24 01:29 . 2010-06-21 23:58 -------- d-----w- c:\programme\McAfee
2010-07-15 19:18 . 2010-06-21 23:59 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-30 12:28 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 09:02 . 2008-04-14 12:00 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 23:45 . 2009-07-03 11:32 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-21 15:27 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-07-02 18:45 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2004-02-20 11:31 . 2009-07-03 15:41 69632 ----a-w- c:\programme\uninstgs.exe
2009-11-27 05:44 . 2008-10-30 15:34 65536 ----a-w- c:\programme\mozilla firefox\components\FFComm.dll
2008-08-16 15:42 . 2008-08-16 15:42 13112 ----a-w- c:\programme\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 15:42 . 2008-08-16 15:42 70456 ----a-w- c:\programme\mozilla firefox\plugins\CgpCore.dll
2008-08-16 15:42 . 2008-08-16 15:42 91448 ----a-w- c:\programme\mozilla firefox\plugins\confmgr.dll
2008-08-16 15:42 . 2008-08-16 15:42 20800 ----a-w- c:\programme\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 15:43 . 2008-08-16 15:43 206136 ----a-w- c:\programme\mozilla firefox\plugins\ctxmui.dll
2008-08-16 15:42 . 2008-08-16 15:42 31032 ----a-w- c:\programme\mozilla firefox\plugins\icafile.dll
2008-08-16 15:42 . 2008-08-16 15:42 40248 ----a-w- c:\programme\mozilla firefox\plugins\icalogon.dll
2008-05-21 06:41 . 2008-05-21 06:41 479232 ----a-w- c:\programme\mozilla firefox\plugins\msvcm80.dll
2008-05-21 06:41 . 2008-05-21 06:41 548864 ----a-w- c:\programme\mozilla firefox\plugins\msvcp80.dll
2008-05-21 06:41 . 2008-05-21 06:41 626688 ----a-w- c:\programme\mozilla firefox\plugins\msvcr80.dll
2008-06-05 11:58 . 2008-06-05 11:58 648504 ----a-w- c:\programme\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 15:42 . 2008-08-16 15:42 23864 ----a-w- c:\programme\mozilla firefox\plugins\TcpPServ.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 59AC2CEA6FA728A48A2FBD568C696C72 . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 3D48E32B692D6EAA8029D4941B3AF1BB . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-09-02_02.38.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-02 08:31 . 2010-09-02 08:31 16384 c:\windows\Temp\Perflib_Perfdata_5a8.dat
- 2009-07-02 18:51 . 2010-08-26 17:27 32768 c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2009-07-02 18:51 . 2010-09-02 05:11 32768 c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2009-07-02 18:51 . 2010-09-02 05:11 32768 c:\windows\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-02 18:51 . 2010-08-26 17:27 32768 c:\windows\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2010-09-02 05:11 . 2010-09-02 05:11 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-07-02 18:51 . 2010-08-26 17:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-26 16862720]
"AzMixerSel"="c:\programme\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"ZPdtWzdVitaKey MC3000"="c:\programme\Acer\Acer Bio Protection\PdtWzd.exe" [2009-07-03 3686400]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StartCCC"="c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2008-02-12 1028096]
"BackupNowEZtray"="c:\programme\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-09-19 562944]
"mcagent_exe"="c:\programme\McAfee.com\Agent\mcagent.exe" [2010-06-10 1218008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - c:\programme\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
Windows Search.lnk - c:\programme\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programme\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2009-07-03 15:35 3077120 ----a-w- c:\programme\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Gemeinsame Dateien\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19422:TCP"= 19422:TCP:spport
"14101:TCP"= 14101:TCP:spport
"26737:TCP"= 26737:TCP:spport
"13877:TCP"= 13877:TCP:spport
"23415:TCP"= 23415:TCP:spport
"16803:TCP"= 16803:TCP:spport
"14213:TCP"= 14213:TCP:spport
"14179:TCP"= 14179:TCP:spport
"21250:TCP"= 21250:TCP:spport
"19451:TCP"= 19451:TCP:spport
"29493:TCP"= 29493:TCP:spport
"11720:TCP"= 11720:TCP:spport
"13183:TCP"= 13183:TCP:spport
"19528:TCP"= 19528:TCP:spport
"16396:TCP"= 16396:TCP:spport
"28978:TCP"= 28978:TCP:spport
"12721:TCP"= 12721:TCP:spport
"13569:TCP"= 13569:TCP:spport
"27451:TCP"= 27451:TCP:spport
"13955:TCP"= 13955:TCP:spport
"29044:TCP"= 29044:TCP:spport
"22680:TCP"= 22680:TCP:spport
"18062:TCP"= 18062:TCP:spport

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [03.07.2009 11:35 43184]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\programme\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [19.09.2009 08:04 45312]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [03.07.2009 11:32 96856]
S2 IGBASVC;iGroupTec Service;c:\programme\Acer\Acer Bio Protection\BASVC.exe [03.07.2009 11:35 3481088]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys --> c:\windows\system32\drivers\bdfm.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Inhalt des "geplante Tasks" Ordners

2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-21 16:22]

2010-06-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-21 16:22]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.purdue.edu/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/forgotPassword.asp?affid=550-22&langid=1&close=true&RW=1
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Senden an &Bluetooth-Gerät... - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: netlibrary.com\www
FF - ProfilePath - c:\dokumente und einstellungen\user\Anwendungsdaten\Mozilla\Firefox\Profiles\fjn0fk2u.default\
FF - prefs.js: browser.startup.homepage - google.de
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\programme\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programme\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-02 04:50
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
c:\programme\Acer\Acer Bio Protection\WinNotify.dll
c:\programme\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\ATSC70.DLL
c:\windows\system32\ATSC70PBA.dll
.
Zeit der Fertigstellung: 2010-09-02 04:53:20
ComboFix-quarantined-files.txt 2010-09-02 08:53
ComboFix2.txt 2010-09-02 05:09
ComboFix3.txt 2010-09-02 04:59
ComboFix4.txt 2010-09-02 02:43

Vor Suchlauf: 11 Verzeichnis(se), 301.725.016.064 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 301.709.213.696 Bytes frei

- - End Of File - - D411D4353C034F5C3C13BE9FCBB80ED1
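Three things in the ComboFix log above are worth pulling out mechanically: the two system binaries listed under Sigcheck with their MD5s, the long run of high TCP ports opened in the firewall policy under the single name spport, and a user proxy pointing at 127.0.0.1:6522; the SystemLook output posted later in the thread reports the same two files and hashes. The following Python is an added example written for this thread; it is not part of ComboFix, SystemLook or the original posts. It parses those log lines, cross-checks the hashes the two tools report for the same path, and lists the items a helper would ask about. The regular expressions are my reading of the two output formats, the "three or more ports under one name" threshold is an assumed heuristic, and both sample texts are constructed from lines quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the ComboFix log quoted in this thread.
SAMPLE_COMBOFIX = r"""
------- Sigcheck -------

[-] 2008-04-14 . 59AC2CEA6FA728A48A2FBD568C696C72 . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 3D48E32B692D6EAA8029D4941B3AF1BB . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19422:TCP"= 19422:TCP:spport
"14101:TCP"= 14101:TCP:spport
"26737:TCP"= 26737:TCP:spport

uStart Page = hxxp://www.purdue.edu/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
"""

# Constructed sample: the SystemLook :filefind output posted later in the thread.
SAMPLE_SYSTEMLOOK = r"""
Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a--- 1036800 bytes [12:00 14/04/2008] [12:00 14/04/2008] 3D48E32B692D6EAA8029D4941B3AF1BB

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a--- 513024 bytes [12:00 14/04/2008] [12:00 14/04/2008] 59AC2CEA6FA728A48A2FBD568C696C72
"""

# Line patterns below are my reading of the two log formats (assumption, not an official grammar).
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]])\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$",
    re.MULTILINE,
)
OPENPORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>\S+)\s*$',
    re.MULTILINE,
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S+)\s*$", re.MULTILINE)
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[[^\]]*\]\s+\[[^\]]*\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$",
    re.MULTILINE,
)


def parse_sigcheck(text):
    """Return {lowercased path: (flag, MD5, size)} for each ComboFix Sigcheck line."""
    return {m["path"].lower(): (m["flag"], m["md5"].upper(), int(m["size"]))
            for m in SIGCHECK_RE.finditer(text)}


def parse_systemlook(text):
    """Return {lowercased path: (MD5, size)} for each SystemLook :filefind hit."""
    return {m["path"].lower(): (m["md5"].upper(), int(m["size"]))
            for m in SYSTEMLOOK_RE.finditer(text)}


def cross_check(sigcheck, systemlook):
    """Paths that both tools report but with a differing MD5 or size."""
    return [path for path, (_flag, md5, size) in sigcheck.items()
            if path in systemlook and systemlook[path] != (md5, size)]


def parse_open_ports(text):
    """(port, protocol, rule name) for every GloballyOpenPorts entry."""
    return [(int(m["port"]), m["proto"], m["name"]) for m in OPENPORT_RE.finditer(text)]


def parse_proxy(text):
    m = PROXY_RE.search(text)
    return m["value"] if m else None


def proxy_is_loopback(value):
    """True if any entry of a ProxyServer value ('host:port' or 'scheme=host:port;...') is this machine."""
    for entry in value.split(";"):
        hostport = entry.split("=", 1)[-1]
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host in ("localhost", "::1") or host.startswith("127."):
            return True
    return False


def find_indicators(combofix_text, port_group_threshold=3):
    """List the items in a ComboFix log that a helper would ask the poster to explain."""
    findings = []
    for path, (flag, md5, _size) in parse_sigcheck(combofix_text).items():
        findings.append(f"sigcheck [{flag}]: {path} md5={md5}; compare with a known-good copy")
    names = Counter(name for _port, _proto, name in parse_open_ports(combofix_text))
    for name, count in names.items():
        if count >= port_group_threshold:  # many unrelated ports under one rule name is unusual
            findings.append(f"firewall: {count} ports globally opened under the single name {name!r}")
    proxy = parse_proxy(combofix_text)
    if proxy and proxy_is_loopback(proxy):  # a local process sits between the browser and the network
        findings.append(f"proxy: browser traffic routed through a local process ({proxy})")
    return findings


if __name__ == "__main__":
    for line in find_indicators(SAMPLE_COMBOFIX):
        print(line)
    mismatches = cross_check(parse_sigcheck(SAMPLE_COMBOFIX), parse_systemlook(SAMPLE_SYSTEMLOOK))
    print("hash mismatches between the two tools:", mismatches)
```

On the thread's own data the two tools agree on both hashes, so the cross-check returns nothing; what the script cannot do is say whether those hashes are the known-good ones, because no reference value is given on the page. The loopback proxy and the spport port group are reported regardless of whether the user set them, which is the point: they are settings the poster should be able to account for.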


#13 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:02:43 PM

Posted 02 September 2010 - 10:19 AM

Hi there,

Please download SystemLook from one of the links below and save it to your Desktop.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following code box into the main text field:

    :filefind
    explorer.exe
    winlogon.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#14 klingsor2010

klingsor2010
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 02 September 2010 - 10:34 AM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:29 on 02/09/2010 by user (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a--- 1036800 bytes [12:00 14/04/2008] [12:00 14/04/2008] 3D48E32B692D6EAA8029D4941B3AF1BB

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a--- 513024 bytes [12:00 14/04/2008] [12:00 14/04/2008] 59AC2CEA6FA728A48A2FBD568C696C72

-=End Of File=-

#15 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:02:43 PM

Posted 02 September 2010 - 10:41 AM

Do you have a Windows disc?





