Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Getting Redirected Through Google Search Results


  • Please log in to reply
20 replies to this topic

#1 georgom

georgom

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 24 March 2007 - 09:00 AM

Hello, it began 3 or 4 days ago and nothing seems to help. Everytime I klick on a Google result I get redirected through various sites (sometimes and only for a second I see the URL www.mamma.com, but also maxfiles.com and others) to sites such as: www.btcar.com, www.heavy.com, www.adultfinder.com, www.ebay.de, www.mycare.de and so on. I have gone through online-checking, CleanUp, SpyBotS&D, Norton AV (my AV), Adaware. Once I got redirected to a site in the Ukrane (not so sure, but I gave an IP from the HiJackThisLog in Google and read it relates to a Provider in the Ukrane), I saw my IP on the screen and the name of the city I live in. Does this make a sense? :thumbsup:

Here is my HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 14:52:44, on 24.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Apoint2K\Apoint.exe
C:\Programme\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE
C:\Programme\TOSHIBA\TME3\TMEEJME.EXE
C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\Apoint2K\Apntex.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C9763878-801D-4106-957D-F1AFCF0CAE54} - C:\WINDOWS\system32\wshisn32.dll (file missing)
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Programme\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Programme\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Schnellstart.lnk = C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: PC-Bibliothek-Direktsuche.lnk = C:\pc-bib\PCLib.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www16.brinkster.com/puranaanuuru/vi...ar/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160843819781
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FB3F835-C810-4BD1-9308-EDE2A253C392}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD2FE39-CE9B-4730-8D21-F57A484511A3}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FDF7CB2-43D3-4192-AD21-67764809633F}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{96C4B9D8-B118-4C0A-816F-303CED42AC8F}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7510DD8-01FD-41E0-BB75-917EAD339B84}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{E06D2D0E-EC21-43B9-AEB9-EBED412BF017}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FB3F835-C810-4BD1-9308-EDE2A253C392}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Programme\TOSHIBA\TME3\Tmesrv31.exe


Any help will be appreciated, thanks in advance.
Yours,
Georg

BC AdBot (Login to Remove)

 


#2 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:04:38 AM

Posted 24 March 2007 - 10:17 AM

Hello and welcome to BleepingComputer!

I am logreeval and will be helping you clean your computer.

Give me some time to look over your log, I will post back ASAP.

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Posted Image


#3 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:04:38 AM

Posted 25 March 2007 - 10:05 AM

Hey again. :thumbsup:

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log

When done post the Fixwareout log and a fresh HijackThis log.

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Posted Image


#4 georgom

georgom
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 25 March 2007 - 11:57 AM

Hello, Logreeval, and thank you for your prompt response! I read in a German forum that such a problem (in the HijackThis Log you´ll see an entry with this strange IP: NameServer = 85.255.116.35 85.255.112.65) kann only be solved by formatting the HDD and installing everything new. Would you give that a thought or do you think it can be solved through Fixwareout&Co.? Would formatting be an overreaction?

So, first the Fixwareout Report:

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdjjr.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINDOWS\Temp\kdjjr.ren 63885 04.08.2004



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\\WINDOWS\\system32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Apoint"="C:\\Programme\\Apoint2K\\Apoint.exe"
"TouchED"="C:\\Programme\\TOSHIBA\\TouchED\\TouchED.Exe"
"AGRSMMSG"="AGRSMMSG.exe"
"TFNF5"="TFNF5.exe"
"SmoothView"="C:\\Programme\\TOSHIBA\\TOSHIBA Zoom-Dienstprogramm\\SmoothView.exe"
"TPSMain"="TPSMain.exe"
"TPSODDCtl"="TPSODDCtl.exe"
"TMESRV.EXE"="C:\\Programme\\TOSHIBA\\TME3\\TMESRV31.EXE /Logon"
"TMERzCtl.EXE"="C:\\Programme\\TOSHIBA\\TME3\\TMERzCtl.EXE /Service"
"TOSDCR"="TOSDCR.EXE"
"TFncKy"="TFncKy.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"IntelZeroConfig"="C:\\Programme\\Intel\\Wireless\\bin\\ZCfgSvc.exe"
"IntelWireless"="C:\\Programme\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"EOUApp"="C:\\Programme\\Intel\\Wireless\\Bin\\EOUWiz.exe"
"HP Component Manager"="\"C:\\Programme\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Software Update"="C:\\Programme\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="\"C:\\Programme\\Gemeinsame Dateien\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Programme\\Norton Internet Security\\osCheck.exe\""
"CFSServ.exe"="CFSServ.exe -NoClient"
"WinampAgent"="\"C:\\Programme\\Winamp\\Winampa.exe\""
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TOSCDSPD"="C:\\Programme\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"SpybotSD TeaTimer"="C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


And, the HijackThis Log: [u]

Logfile of HijackThis v1.99.1
Scan saved at 18:44:07, on 25.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Apoint2K\Apoint.exe
C:\Programme\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE
C:\Programme\TOSHIBA\TME3\TMEEJME.EXE
C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\Apoint2K\Apntex.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Programme\Norton Internet Security\Norton AntiVirus\NAVW32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C9763878-801D-4106-957D-F1AFCF0CAE54} - C:\WINDOWS\system32\wshisn32.dll (file missing)
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Programme\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Programme\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Schnellstart.lnk = C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: PC-Bibliothek-Direktsuche.lnk = C:\pc-bib\PCLib.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www16.brinkster.com/puranaanuuru/vi...ar/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160843819781
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Programme\TOSHIBA\TME3\Tmesrv31.exe



Awaiting new orders :thumbsup: ! Thank you for your kind help!
G.

#5 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:04:38 AM

Posted 25 March 2007 - 12:15 PM

Don't worry, you don't have to reformat!

So far it is looking good, I will reply later today with instructions :thumbsup:

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Posted Image


#6 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:04:38 AM

Posted 25 March 2007 - 01:01 PM

Hi again :thumbsup:

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {C9763878-801D-4106-957D-F1AFCF0CAE54} - C:\WINDOWS\system32\wshisn32.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
When done post the AVG AntiSpyware log and a fresh HijackThis log. Also, Are you still getting redirected?

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Posted Image


#7 georgom

georgom
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 25 March 2007 - 04:07 PM

Hello, Logreeval! So, I downloaded AVG and ran it in safe mode. "Nothing found" was the result. Is it bad that "resident shield" was inactive in safe mode ? I hope not. I also deleted the two entries in HijackThis. Well, the good news is, I klicked twice on a couple of Google results and didn´t get redirected. The bad news is that this strange Ukrane(not sure :thumbsup: )-Server entry is still there (O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65). Thank you for your patience and help.

Here is the new HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 22:56:52, on 25.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\TOSHIBA\TME3\Tmesrv31.exe
C:\Programme\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Apoint2K\Apoint.exe
C:\Programme\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE
C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Apoint2K\Apntex.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C9763878-801D-4106-957D-F1AFCF0CAE54} - (no file)
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Programme\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Programme\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Schnellstart.lnk = C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: PC-Bibliothek-Direktsuche.lnk = C:\pc-bib\PCLib.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www16.brinkster.com/puranaanuuru/vi...ar/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160843819781
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Programme\TOSHIBA\TME3\Tmesrv31.exe

An addition: I just noticed that these two numbers (:85.255.116.35 85.255.112.65) are given under Internet Protocol / Properties as DNS Adresses. Is this the problem or only the result of the problem? Thank you.

Edited by georgom, 25 March 2007 - 04:50 PM.


#8 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:04:38 AM

Posted 25 March 2007 - 10:28 PM

Hi again :thumbsup:

If the AVG Resident shield is not enabled in Safe mode that is Normal :flowers:

Lets begin..

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

=====

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

=====

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

When done post a fresh HijackThis log and the Blacklight log.

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Posted Image


#9 georgom

georgom
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 26 March 2007 - 04:17 AM

Hello, Logreeval, thank you for your tips. Here the Blacklight Log, it didn´t find anything:

03/26/07 10:55:04 [Info]: BlackLight Engine 1.0.55 initialized
03/26/07 10:55:04 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/26/07 10:55:04 [Note]: 7019 4
03/26/07 10:55:04 [Note]: 7005 0
03/26/07 10:55:22 [Note]: 7006 0
03/26/07 10:55:22 [Note]: 7011 948
03/26/07 10:55:22 [Note]: 7026 0
03/26/07 10:55:22 [Note]: 7026 0
03/26/07 10:55:30 [Note]: FSRAW library version 1.7.1021
03/26/07 11:02:59 [Note]: 7007 0

And here is the HijackThis Log, the Ukrane Servers are not there anymore, and in a previous scan I saw the two ones from my own provider (Arcor.de), but now I couldn´t find them; Spybot Resident didn´t accept the change of "Main Page, blank" into "Google", should I uninstall Spybot?:

Logfile of HijackThis v1.99.1
Scan saved at 11:08:38, on 26.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Apoint2K\Apoint.exe
C:\Programme\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE
C:\Programme\TOSHIBA\TME3\TMEEJME.EXE
C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Apoint2K\Apntex.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C9763878-801D-4106-957D-F1AFCF0CAE54} - (no file)
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Programme\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Programme\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Schnellstart.lnk = C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: PC-Bibliothek-Direktsuche.lnk = C:\pc-bib\PCLib.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www16.brinkster.com/puranaanuuru/vi...ar/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160843819781
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Programme\TOSHIBA\TME3\Tmesrv31.exe

Thank you very much :thumbsup:

#10 georgom

georgom
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 26 March 2007 - 06:42 AM

-

Edited by georgom, 26 March 2007 - 02:42 PM.


#11 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:04:38 AM

Posted 26 March 2007 - 06:50 PM

Hi again :flowers:

Yes, the TeaTimer is spybot's resident shield. :thumbsup:

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean or you can just leave it disabled, its your choice :huh:
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
When TeaTimer is disabled, Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {C9763878-801D-4106-957D-F1AFCF0CAE54} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

==========

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
==========

When done post a fresh HijackThis log.

How are things running?

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Posted Image


#12 georgom

georgom
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 27 March 2007 - 08:56 AM

Hallo, lieber Logreeval! :flowers:
I ran the Kaspersky Scanner, a Trojaner (sorry, this is the German word for this sort of malware) called Win32.DNSChanger.in and a couple of infected objects are the result. I couldn´t find the "infected objects" in the report, but I underlined the "Trojaner". I´m not much of a help.
Here is the report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 27, 2007 3:11:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/03/2007
Kaspersky Anti-Virus database records: 286811
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 46406
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:45:30

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\settings.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\LiveUpdate\2007-03-27_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SRTSP\SrtETmp\2C81F349.TMP Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SRTSP\SrtETmp\4AC86C7A.TMP Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Dokumente und Einstellungen\Georg\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Georg\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Georg\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Georg\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Georg\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Georg\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Georg\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007032720070328\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Georg\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\Georg\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDCON.log Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDFW.log Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Programme\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Programme\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Programme\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Programme\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{40E6197E-3EAE-428C-BC63-F5A876001A17}\RP122\A0012906.exe Infected: Trojan.Win32.DNSChanger.in skipped
C:\System Volume Information\_restore{40E6197E-3EAE-428C-BC63-F5A876001A17}\RP123\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E26E50CE-21DD-45A4-980C-4DB55E400F99}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


And here is the HijackThis Report:

Logfile of HijackThis v1.99.1
Scan saved at 15:39:09, on 27.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Apoint2K\Apoint.exe
C:\Programme\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE
C:\Programme\TOSHIBA\TME3\TMEEJME.EXE
C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Programme\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Programme\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Startup: Microsoft Office OneNote 2003 Schnellstart.lnk = C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: PC-Bibliothek-Direktsuche.lnk = C:\pc-bib\PCLib.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www16.brinkster.com/puranaanuuru/vi...ar/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160843819781
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 195.50.140.252 195.50.140.114
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Programme\TOSHIBA\TME3\Tmesrv31.exe


The good news is, I don´t get redirected. Only once, yesterday I did get redirected to a site with my IP and the name of the city I live in, Munich, and an ad about some Antispyware programms (a trojan that wants to sell me antispyware-programms?! :thumbsup: ), I didn´t really understand what had gone wrong, ´cause this time I had got redirected through another page and not Google) and I closed the Explorer Page without copying the URL of the site, sorry about that, I don´t have the URL so I can´t post it. Since that I didn´t get redirected anymore.
Awaiting new instructions, when you find the time, thanks again! :huh:

Edited by georgom, 27 March 2007 - 09:02 AM.


#13 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:04:38 AM

Posted 27 March 2007 - 02:23 PM

I am sorry, but I am busy today, but I will try to post back by tonight :thumbsup:

Thanks for your patience.

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Posted Image


#14 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:04:38 AM

Posted 27 March 2007 - 06:22 PM

Hey :thumbsup:

That file that was found is located in your System Restore point, what that is is the files that control your system restore, they are locked away and dormant :flowers: the only time this would be a problem is if you used System restore. We will clear out that file at the end :huh:

Have you been redirected at all since last time you said?

I need to see a few logs just to make sure nothing is left. :huh:

Download DSS to your Desktop.


1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open in Notepad - main.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, extra.txt.
6. Please paste the contents of that file into your next post as well.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

==========

Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

{C9763878-801D-4106-957D-F1AFCF0CAE54}

- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply along with the DSS log.

logreeval

Edited by logreeval, 27 March 2007 - 06:25 PM.

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Posted Image


#15 georgom

georgom
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 28 March 2007 - 02:38 AM

Hello, Logreeval.

To your question: no, except for the one time I told you, I didn´t get redirected again.

Now to the Logs, I ran both programms, here are the Logs:

DSS
MAIN.TXT
Deckard's System Scanner v20070318.32
Run by Georg on 2007-03-28 at 09:02:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
56: 2007-03-28 07:02:38 UTC - RP124 - Deckard's System Scanner Restore Point
55: 2007-03-26 21:19:00 UTC - RP123 - Systemprüfpunkt
54: 2007-03-24 19:54:28 UTC - RP122 - Systemprüfpunkt
53: 2007-03-22 18:02:49 UTC - RP121 - Installed Ad-Aware SE Personal
52: 2007-03-21 19:30:44 UTC - RP120 - Systemprüfpunkt


-- First Restore Point --
1: 2007-01-02 19:34:50 UTC - RP69 - Systemprüfpunkt


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Georg.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 09:03:30, on 28.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Apoint2K\Apoint.exe
C:\Programme\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programme\TOSHIBA\TME3\TMEEJME.EXE
C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE
C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\Apoint2K\Apntex.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Dokumente und Einstellungen\Georg\Desktop\dss.exe
C:\PROGRA~2\HIJACK~1\Georg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Programme\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Programme\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Programme\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Startup: Microsoft Office OneNote 2003 Schnellstart.lnk = C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: PC-Bibliothek-Direktsuche.lnk = C:\pc-bib\PCLib.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www16.brinkster.com/puranaanuuru/vi...ar/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160843819781
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 195.50.140.252 195.50.140.114
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Programme\TOSHIBA\TME3\Tmesrv31.exe


-- HijackThis Fixed Entries (C:\PROGRA~2\HIJACK~1\backups\) --------------------

backup-20070324-193813-432 O17 - HKLM\System\CCS\Services\Tcpip\..\{4FDF7CB2-43D3-4192-AD21-67764809633F}: NameServer = 85.255.116.35,85.255.112.65
backup-20070324-193813-464 O17 - HKLM\System\CCS\Services\Tcpip\..\{E06D2D0E-EC21-43B9-AEB9-EBED412BF017}: NameServer = 85.255.116.35,85.255.112.65
backup-20070324-193813-642 O17 - HKLM\System\CCS\Services\Tcpip\..\{A7510DD8-01FD-41E0-BB75-917EAD339B84}: NameServer = 85.255.116.35,85.255.112.65
backup-20070324-193813-653 O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD2FE39-CE9B-4730-8D21-F57A484511A3}: NameServer = 85.255.116.35,85.255.112.65
backup-20070324-193813-731 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
backup-20070324-193813-735 O17 - HKLM\System\CCS\Services\Tcpip\..\{0FB3F835-C810-4BD1-9308-EDE2A253C392}: NameServer = 85.255.116.35,85.255.112.65
backup-20070324-193813-816 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
backup-20070324-193813-828 O17 - HKLM\System\CCS\Services\Tcpip\..\{96C4B9D8-B118-4C0A-816F-303CED42AC8F}: NameServer = 85.255.116.35,85.255.112.65
backup-20070324-193813-930 O17 - HKLM\System\CS1\Services\Tcpip\..\{0FB3F835-C810-4BD1-9308-EDE2A253C392}: NameServer = 85.255.116.35,85.255.112.65
backup-20070325-191350-738 O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65
backup-20070325-211912-353 O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65
backup-20070325-211912-436 O2 - BHO: (no name) - {C9763878-801D-4106-957D-F1AFCF0CAE54} - C:\WINDOWS\system32\wshisn32.dll (file missing)
backup-20070325-230904-735 O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65
backup-20070326-013431-642 O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65
backup-20070326-104707-356 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20070326-104707-439 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
backup-20070326-104707-576 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
backup-20070326-104707-597 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20070326-104731-977 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20070326-211732-131 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20070326-211732-675 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20070327-125605-185 O2 - BHO: (no name) - {C9763878-801D-4106-957D-F1AFCF0CAE54} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys
R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys
R0 TVALZ (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalz.sys
R1 SRTSP - c:\windows\system32\drivers\srtsp.sys
R1 SRTSPX - c:\windows\system32\drivers\srtspx.sys
R1 sscdbhk5 - c:\windows\system32\drivers\sscdbhk5.sys
R1 ssrtln - c:\windows\system32\drivers\ssrtln.sys
R1 TMEI3E - c:\windows\system32\drivers\tmei3e.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys
R2 drvnddm - c:\windows\system32\drivers\drvnddm.sys
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys
R2 s24trans (WLAN-Transport) - c:\windows\system32\drivers\s24trans.sys
R2 tfsnboio - c:\windows\system32\dla\tfsnboio.sys
R2 tfsncofs - c:\windows\system32\dla\tfsncofs.sys
R2 tfsndrct - c:\windows\system32\dla\tfsndrct.sys
R2 tfsndres - c:\windows\system32\dla\tfsndres.sys
R2 tfsnifs - c:\windows\system32\dla\tfsnifs.sys
R2 tfsnopio - c:\windows\system32\dla\tfsnopio.sys
R2 tfsnpool - c:\windows\system32\dla\tfsnpool.sys
R2 tfsnudf - c:\windows\system32\dla\tfsnudf.sys
R2 tfsnudfa - c:\windows\system32\dla\tfsnudfa.sys
R3 AgereSoftModem (TOSHIBA V92 Software Modem) - c:\windows\system32\drivers\agrsm.sys
R3 ApfiltrService (Alps Pointing-device Filter Driver) - c:\windows\system32\drivers\apfiltr.sys
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys
R3 BlueletSCOAudio (Bluetooth SCO Audio Service) - c:\windows\system32\drivers\blueletscoaudio.sys
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys
R3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys
R3 IWCA (Intel Wireless Connection Agent Miniport for Win XP) - c:\windows\system32\drivers\iwca.sys
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys
R3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\windows\system32\drivers\rootmdm.sys
R3 STAC97 (SigmaTel C-Major Audio) - c:\windows\system32\drivers\stac97.sys
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys
R3 w29n51 (Intel® PRO/Wireless 2200BG Netzwerkverbindungstreiber für Windows XP) - c:\windows\system32\drivers\w29n51.sys

S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 SRTSPL - c:\windows\system32\drivers\srtspl.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Automatisches LiveUpdate - Scheduler - "c:\programme\symantec\liveupdate\aluschedulersvc.exe"
R2 BlueSoleil Hid Service - c:\programme\ivt corporation\bluesoleil\btntservice.exe
R2 CFSvcs (ConfigFree Service) - c:\programme\toshiba\configfree\cfsvcs.exe
R2 OwnershipProtocol - c:\programme\intel\wireless\bin\oprotsvc.exe
R2 RegSrvc - c:\programme\intel\wireless\bin\regsrvc.exe
R2 Tmesrv (Tmesrv3) - c:\programme\toshiba\tme3\tmesrv31.exe /service


-- Scheduled Tasks -------------------------------------------------------------

2007-03-28 09:01:00 350 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job<SYMANT~1.JOB>
2007-03-22 18:21:01 276 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2007-03-16 22:44:42 608 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Vollständige Systemprüfung ausführen - Georg.job<NORTON~1.JOB>


-- Files created between 2007-02-28 and 2007-03-28 -----------------------------

2007-03-27 13:13:47 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-03-25 21:23:14 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-23 22:17:12 0 d-------- C:\Programme\RegCleaner<REGCLE~1>
2007-03-22 20:02:50 0 d-------- C:\Programme\Lavasoft
2007-03-22 20:01:58 0 d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard<WISEIN~1>
2007-03-22 19:37:26 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data\PC Tools<PCTOOL~1>
2007-03-22 19:36:57 0 d-------- C:\Programme\Gemeinsame Dateien\PC Tools<PCTOOL~1>
2007-03-22 19:36:03 626688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-03-08 20:09:03 0 d-------- C:\Programme\Gemeinsame Dateien\xing shared<XINGSH~1>
2007-03-04 02:09:40 0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2007-03-28 09:01:35 0 d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared<SYMANT~1>
2007-03-28 08:52:01 0 d-------- C:\Programme\Norton Internet Security<NORTON~1>
2007-03-25 11:27:08 394744 --a------ C:\WINDOWS\system32\perfh007.dat
2007-03-25 11:27:07 64796 --a------ C:\WINDOWS\system32\perfc007.dat
2007-03-22 20:03:17 0 d-------- C:\Dokumente und Einstellungen\Georg\Anwendungsdaten\Lavasoft
2007-03-22 20:01:58 0 d-------- C:\Programme\Gemeinsame Dateien<GEMEIN~1>
2007-03-08 20:11:29 0 d-------- C:\Dokumente und Einstellungen\Georg\Anwendungsdaten\Real
2007-03-08 20:09:00 0 d-------- C:\Programme\Gemeinsame Dateien\Real
2007-03-07 12:10:07 2988 --a------ C:\WINDOWS\desctemp.dat
2007-03-04 02:17:12 0 d-------- C:\Programme\Total Video Converter<TOTALV~1>
2007-02-22 18:29:03 0 d-------- C:\Programme\QuickTime<QUICKT~1>
2007-02-22 18:28:28 0 d-------- C:\Dokumente und Einstellungen\Georg\Anwendungsdaten\Apple Computer<APPLEC~1>
2007-02-22 18:21:47 0 d-------- C:\Programme\Apple Software Update<APPLES~1>
2007-02-16 00:41:33 0 d-------- C:\Programme\Gemeinsame Dateien\Microsoft Shared<MICROS~1>
2007-01-28 19:29:19 0 d-------- C:\Programme\MIKSOFT
2007-01-28 19:14:38 0 d-------- C:\Programme\Gemeinsame Dateien\AVSMedia
2007-01-28 18:56:56 0 d-------- C:\Programme\101 AVI MPEG WMV Converter<101AVI~1>
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-06 01:20:14 2638186 --a------ C:\Programme\mirlight.zip


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TOSCDSPD"="C:\\Programme\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"00THotkey"="C:\\WINDOWS\\system32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Apoint"="C:\\Programme\\Apoint2K\\Apoint.exe"
"TouchED"="C:\\Programme\\TOSHIBA\\TouchED\\TouchED.Exe"
"AGRSMMSG"="AGRSMMSG.exe"
"TFNF5"="TFNF5.exe"
"SmoothView"="C:\\Programme\\TOSHIBA\\TOSHIBA Zoom-Dienstprogramm\\SmoothView.exe"
"TPSMain"="TPSMain.exe"
"TPSODDCtl"="TPSODDCtl.exe"
"TMESRV.EXE"="C:\\Programme\\TOSHIBA\\TME3\\TMESRV31.EXE /Logon"
"TMERzCtl.EXE"="C:\\Programme\\TOSHIBA\\TME3\\TMERzCtl.EXE /Service"
"TOSDCR"="TOSDCR.EXE"
"TFncKy"="TFncKy.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"IntelZeroConfig"="C:\\Programme\\Intel\\Wireless\\bin\\ZCfgSvc.exe"
"IntelWireless"="C:\\Programme\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"EOUApp"="C:\\Programme\\Intel\\Wireless\\Bin\\EOUWiz.exe"
"HP Component Manager"="\"C:\\Programme\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Software Update"="C:\\Programme\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="\"C:\\Programme\\Gemeinsame Dateien\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Programme\\Norton Internet Security\\osCheck.exe\""
"CFSServ.exe"="CFSServ.exe -NoClient"
"WinampAgent"="\"C:\\Programme\\Winamp\\Winampa.exe\""
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"!AVG Anti-Spyware"="\"C:\\Programme\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="kdjjr.exe"



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


-- End of Deckard's System Scanner: finished at 2007-03-28 at 09:04:02 ---------

EXTRA.TXT
Deckard's System Scanner v20070318.32
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: German

CPU 0: Intel® Celeron® M processor 1.50GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 759.23 MiB / 428.99 MiB
Pagefile Memory (total/avail): 1857.65 MiB / 1512.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1994.82 MiB

C: is Fixed (NTFS) - 93.16 GiB total, 82.11 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Dokumente und Einstellungen\All Users
APPDATA=C:\Dokumente und Einstellungen\Georg\Anwendungsdaten
CLIENTNAME=Console
CommonProgramFiles=C:\Programme\Gemeinsame Dateien
COMPUTERNAME=GEORGSPC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Dokumente und Einstellungen\Georg
LOGONSERVER=\\GEORGSPC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Programme\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Programme
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOKUME~1\Georg\LOKALE~1\Temp
TMP=C:\DOKUME~1\Georg\LOKALE~1\Temp
USERDOMAIN=GEORGSPC
USERNAME=Georg
USERPROFILE=C:\Dokumente und Einstellungen\Georg
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Georg (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Programme\Gemeinsame Dateien\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUn0407.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.9 - Deutsch --> MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A70900000002}
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
AVG Anti-Spyware 7.5 --> C:\Programme\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BlueSoleil --> MsiExec.exe /X{57D5CF00-60C0-43AB-80CD-84D0EB1BBE39}
C-Major Audio --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x7 -remove -removeonly
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x7
CleanUp! --> C:\Programme\CleanUp!\uninstall.exe
Corona Visualization Plug-in for WMP --> MsiExec.exe /I{6C3CE73B-E7B8-4979-8740-1476C5CBDEBA}
FastStone Photo Resizer 2.3 --> C:\Programme\FastStone Photo Resizer\uninst.exe
G-Force --> C:\Programme\SoundSpectrum\G-Force\Uninstall.exe
Google Earth --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x7 -removeonly
HijackThis 1.99.1 --> C:\Programme\HijackThis.exe /uninstall
Horoscope Explorer Pro 3.6 --> C:\Programme\PublicSoft\HoroExPro\unins000.exe
Hotfix für Windows XP (KB893357) --> "C:\WINDOWS\$NtUninstallKB893357$\spuninst\spuninst.exe"
Hotfix für Windows XP (KB894871) --> "C:\WINDOWS\$NtUninstallKB894871$\spuninst\spuninst.exe"
Hotfix für Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet 3740 --> msiexec /x{F901CA6D-A074-42D3-A11D-33AAE6FFD0C1}
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD Creator 2 --> "C:\Programme\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD for TOSHIBA --> "C:\Programme\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Programme\Symantec\LiveUpdate\LSETUP.EXE" /U
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
MEL --> C:\WINDOWS\IsUninst.exe -fC:\Programme\Tegopoulos-Fytrakhs\mel\Uninst.isu
mEoU.msi --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10407-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120407-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Multiple Image Resizer .NET --> C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A46CD8B-9BBB-4F2D-810C-5C3DAA0E2B20}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{7CD7A451-7224-49C8-95EF-9A1859C66607}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Programme\Gemeinsame Dateien\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_0_0_86\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
PC-Bibliothek 3.0 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{4CE4B975-A5C1-43C0-A565-C00F0ABFC94C}\setup.exe" -uninst
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Programme\Gemeinsame Dateien\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Sicherheitsupdate für Step by Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Sicherheitsupdate für Step by Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB883939) --> "C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB893066) --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896422) --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB899589) --> "C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB903235) --> "C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB917159) --> "C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB918899) --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy 1.4 --> "C:\Programme\Spybot - Search & Destroy\unins000.exe"
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
TGeb V5.4 --> C:\WINDOWS\st6unst.exe -n "C:\Programme\TGeb\ST6UNST.LOG"
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\Setup.exe" -l0x7
TOSHIBA Benutzerhandbücher --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{3EB6332B-AF02-457C-A31C-835458C5B48B}\setup.exe" -l0x7 -removeonly
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x7 UNINSTALL
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x7 UNINSTALL
TOSHIBA Dienstprogramme --> C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{56190F69-01D3-46CA-9861-43377C5E9B87}
TOSHIBA Hotkey Utility für Anzeigegeräte --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TFNF5Wxp.inf,DefaultUninstall,5
TOSHIBA Mobile Extension3 für Windows XP V3.73.00.XP --> C:\WINDOWS\IsUn0407.exe -fC:\Programme\TOSHIBA\TME3\Uninst.isu -cC:\Programme\TOSHIBA\TME3\uninstx.dll
TOSHIBA Passwort-Utility --> C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{C0FC3B56-E345-40CD-A5CB-7EB791CE3E74}
TOSHIBA PC-Diagnose-Tool --> C:\WINDOWS\IsUn0407.exe -fC:\Programme\TOSHIBA\PCDiag\Uninst.isu
TOSHIBA Power Saver --> C:\WINDOWS\IsUn0407.exe -f"C:\Programme\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\system32\TPSDel.dll"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Touchpad Ein/Aus Utility V2.05.01 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{24300A63-DD78-4AA5-A914-4D582C41D33A}\Setup.exe" -l0x7 -uninst
TOSHIBA Utility zum Bildschirmwechsel --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TDspBtn.inf,DefaultUninstall,5
TOSHIBA Zoom-Dienstprogramm --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\setup.exe"
Update für Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update für Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update für Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update für Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update für Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update für Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update für Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update für Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update für Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update für Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update für Windows XP (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update für Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP-Hotfix - KB873333 --> C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP-Hotfix - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP-Hotfix - KB884018 -->
Windows XP-Hotfix - KB885250 --> C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP-Hotfix - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP-Hotfix - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP-Hotfix - KB885855 --> C:\WINDOWS\$NtUninstallKB885855$\spuninst\spuninst.exe
Windows XP-Hotfix - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP-Hotfix - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP-Hotfix - KB888113 --> C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP-Hotfix - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP-Hotfix - KB889673 --> C:\WINDOWS\$NtUninstallKB889673$\spuninst\spuninst.exe
Windows XP-Hotfix - KB890047 --> C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP-Hotfix - KB890175 --> C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP-Hotfix - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP-Hotfix - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP-Hotfix - KB893056 --> C:\WINDOWS\$NtUninstallKB893056$\spuninst\spuninst.exe
Windows XP-Hotfix - KB893086 --> "C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP-Hotfix - KB895200 --> "C:\WINDOWS\$NtUninstallKB895200$\spuninst\spuninst.exe"
WinZip --> "C:\Programme\WinZip\WINZIP32.EXE" /uninstall


-- End of Deckard's System Scanner: finished at 2007-03-28 at 09:04:02 ---------


REGSEARCH
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 28.03.2007 09:15:10 for strings:
; '{c9763878-801d-4106-957d-f1afcf0cae54}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C9763878-801D-4106-957D-F1AFCF0CAE54}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C9763878-801D-4106-957D-F1AFCF0CAE54}\iexplore]
; End Of The Log...

Thank you for your time. :thumbsup:

P.S.: Somewhere in the reports I saw the name of a file (kddjr.exe), which - as I searched in Google - is a form of this Trojan Win32.DNSchanger.in. But I couldn´t understand whether it has been removed or not. I think that it has been removed by Fixwareout, Spybot refused to accept some changes in Winlogon (I have memorized the procedure, but I haven´t got a clue, what all this jargon means!) made by Fixwareout. Should I ru

Edited by georgom, 28 March 2007 - 02:49 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users