PDA

View Full Version : mdelk.exe & wintems.exe, hldrrr.exe??? help me please!


Blown
2008-01-21, 20:50
Hello,

I think I got sth really bad on my poor pc... I downloaded a program, executed it and then everything went wrong: AVG was disabled, WLAN didn's work, PDF files I save contain nothing... I fixed the WLAN connection, but now it takes ages to acces a site... what do I do?

Thanks
Rorschach112
2008-01-21, 22:07
Hello

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.




Please download and unzip Icesword (http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip)to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Now, click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Now post all of the data collected under the headings for :

Processes
Win32 Services
SSDT
Startup
Blown
2008-01-22, 12:40
MAIN


Deckard's System Scanner v20071014.68
Run by Marina on 2008-01-19 17:48:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
42: 2008-01-19 16:48:54 UTC - RP249 - Deckard's System Scanner Restore Point
41: 2008-01-19 12:08:50 UTC - RP248 - Entfernt LexifacePRO
40: 2008-01-17 19:20:19 UTC - RP247 - Software Distribution Service 3.0
39: 2008-01-17 18:17:39 UTC - RP246 - Microsoft AutoRoute 2005 wird entfernt
38: 2008-01-17 18:14:19 UTC - RP245 - AntiVir PersonalEdition Classic - 17.01.2008 19:14


-- First Restore Point --
1: 2007-12-13 18:26:01 UTC - RP208 - Systemprüfpunkt


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).
Blown
2008-01-22, 12:41
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-19 17:53:55
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.0.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\WButton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Common Files\X10\Common\X10nets.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Intel\Wireless\Bin\iFrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wintems.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wisptis.exe
C:\Dokumente und Einstellungen\Marina\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\GoogleToolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\OPTIONS.HTM
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\OPTIONS.HTM
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104261081168
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\TSMSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\Programme\Common Files\X10\Common\X10nets.exe
O24 - Desktop Component 0: - http://www.trm.md/radiom/antena.gif

--
End of file - 14590 bytes

-- File Associations -----------------------------------------------------------

All associations okay.
Blown
2008-01-22, 12:42
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 avgntmgr - c:\windows\system32\drivers\avgntmgr.sys <Not Verified; AVIRA GmbH; AntiVir®>
R1 Hotkey - c:\windows\system32\drivers\hotkey.sys
R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 Asapi - c:\windows\system32\drivers\asapi.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.700>
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.700>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S1 Wbutton - c:\windows\system32\drivers\wbutton.sys (file missing)
S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>
S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\programme\t-dsl speedmanager\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 TNPacket (T-Systems Nova Packet Capture Driver) - c:\programme\t-dsl speedmanager\tnpacket.sys <Not Verified; T-Systems Nova GmbH; T-DSL SpeedManager>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 X10UIF (%DESCRIPTION%) - c:\windows\system32\drivers\x10uif.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 OwnershipProtocol - c:\programme\intel\wireless\bin\oprotsvc.exe <Not Verified; Intel Corporation; Intel PROSet/Wireless>
R2 RegSrvc - c:\programme\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R3 x10nets (X10 Device Network Service) - c:\progra~1\common~1\x10\common\x10nets.exe <Not Verified; X10; x10 Module>

S3 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\programme\home cinema\powercinema\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
S3 CLSched (CyberLink Task Scheduler (CTS)) - "c:\programme\home cinema\powercinema\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
S3 CyberLink Media Library Service - "c:\programme\cyberlink\shared files\clml_ntservice\clmlserver.exe" <Not Verified; Cyberlink; Cyberlink Media Library Server>
S3 TSMService - "c:\programme\t-dsl speedmanager\tsmsvc.exe" <Not Verified; T-Systems Nova, Berkom; T-DSL SpeedManager>
S4 AntiVirScheduler (AntiVir Scheduler) - c:\programme\antivir personaledition classic\sched.exe <Not Verified; Avira GmbH; Scheduler>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA


-- Scheduled Tasks -------------------------------------------------------------

2006-09-17 20:54:51 222 --a------ C:\WINDOWS\Tasks\Low Battery Alarm Program.job


-- Files created between 2007-12-19 and 2008-01-19 -----------------------------

2008-01-19 17:35:43 2855 --a------ C:\WINDOWS\system32\mdelk.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-19 17:27:50 0 d-------- C:\totalcmd
2008-01-18 13:42:52 17119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
2008-01-18 13:41:38 1654784 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2008-01-18 13:38:32 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data\PC Tools
2008-01-17 18:28:01 0 d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:27:48 0 d-------- C:\Programme\Spyware Doctor
2008-01-17 14:56:01 0 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-17 14:51:48 0 d-------- C:\WINDOWS\system32\drivers\down
2008-01-15 10:16:13 0 d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02:24 0 d-------- C:\xaware
2008-01-13 18:02:24 0 d--h----- C:\Programme\Zero G Registry
2008-01-13 18:01:26 0 d--h----- C:\Dokumente und Einstellungen\Marina\InstallAnywhere
2008-01-13 13:25:48 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-13 13:25:48 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 12:55:24 45056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:55:24 116224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55:22 0 d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55:22 0 d-------- C:\Dokumente und Einstellungen\All Users\FreePDF
2008-01-13 12:51:46 0 d-------- C:\Programme\gs
2008-01-06 19:08:48 0 d-------- C:\TreeTagger
2008-01-06 12:37:17 0 d-------- C:\Programme\Babylon
2008-01-06 12:15:45 0 d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33:50 0 d-------- C:\Programme\SnagIt 7
2008-01-05 11:31:54 0 d-------- C:\Programme\TreeTagger
2007-12-23 17:26:30 1159242 --a------ C:\saxon.exe
2007-12-20 13:45:54 1159242 --a------ C:\Programme\saxon.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-19 15:05:21 42746 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\wklnhst.dat
2008-01-19 15:03:21 86992 --a----c- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-01-19 13:43:40 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Skype
2008-01-19 13:09:15 0 d--h----- C:\Programme\InstallShield Installation Information
2008-01-18 15:52:31 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon
2008-01-18 13:43:28 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Intel
2008-01-18 13:41:32 0 d-------- C:\Programme\Intel
2008-01-18 13:38:43 400786 --a------ C:\WINDOWS\system32\perfh007.dat
2008-01-18 13:38:43 69040 --a------ C:\WINDOWS\system32\perfc007.dat
2008-01-18 13:38:35 0 d-------- C:\Programme\Windows NT
2008-01-18 13:03:18 0 d--h----- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m
2008-01-17 19:10:37 0 d-------- C:\Programme\Altova
2008-01-17 19:07:02 0 d-------- C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 18:27:48 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\PC Tools
2008-01-17 16:33:39 0 d-------- C:\Programme\eMule
2008-01-13 13:29:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\pdf995
2008-01-06 15:15:34 0 d-------- C:\Programme\TRADOS
2008-01-05 20:56:52 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Trados
2008-01-05 11:31:48 115157 --a------ C:\Programme\tree-tagger-windows-3.1.zip
2007-12-20 18:20:03 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Adobe
2007-12-13 12:51:59 0 d-------- C:\Programme\Gemeinsame Dateien
2007-12-01 14:10:02 0 d-------- C:\Programme\SSH Communications Security
2007-11-23 15:23:06 86016 --a------ C:\WINDOWS\system32\LinkDropHandler.dll <Not Verified; Altova GmbH; Shortcut Drop Handler Shell Extension>
2007-11-23 15:16:22 491520 -ra------ C:\WINDOWS\system32\XmlSpyLib.dll <Not Verified; ; XmlSpyLib Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04.08.2004 13:00 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [06.08.2004 14:04]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [11.11.2004 15:13]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [26.07.2004 14:52]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [23.11.2004 16:01]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [16.09.2003 14:28]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [26.11.2004 18:49]
"AGRSMMSG"="AGRSMMSG.exe" [22.07.2004 13:38 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [05.10.2004 16:25]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [05.10.2004 16:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04.08.2004 13:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04.08.2004 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04.08.2004 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04.08.2004 13:00]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [21.12.2004 21:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09.07.2001 10:50]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [02.11.2004 20:24]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [11.01.2005 18:17]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [01.01.2005 19:31]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [02.01.2005 09:17]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [19.01.2008 17:01]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 00:11]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [10.10.2007 17:06]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [26.06.2007 20:27]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [10.12.2007 14:53]
"@"="" []
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [15.10.2004 11:27]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [15.10.2004 11:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [09.12.2004 15:38]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [23.01.2004 08:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 13:00]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe [29.11.2004 18:55:44]
Cisco Systems VPN Client.lnk - C:\Programme\Cisco Systems\VPN Client\vpngui.exe [24.02.2006 14:58:47]
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [13.02.2001 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 15.10.2004 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-01-19 17:55:35 ------------
Blown
2008-01-22, 12:44
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: German

CPU 0: Intel(R) Pentium(R) M processor 1.70GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 510.98 MiB / 153.44 MiB
Pagefile Memory (total/avail): 1249.59 MiB / 547.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.85 MiB

C: is Fixed (NTFS) - 46.29 GiB total, 19.97 GiB free.
D: is Fixed (NTFS) - 36.88 GiB total, 1.91 GiB free.
E: is Fixed (FAT32) - 9.86 GiB total, 0.22 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST9100823A - 93.16 GiB - 4 partitions
\PARTITION0 (bootable) - Installierbares Dateisystem - 46.29 GiB - C:
\PARTITION1 - Erweitert mit Int 13 (erweitert) - 46.75 GiB - D: - E:
\PARTITION2 - Unknown - 94.13 MiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
FirewallOverride is set.

AV: Spyware Doctor with AntiVirus v4.4.2 (PC Tools)
AV: AntiVir PersonalEdition Classic Virenschutz v0.0.0.0 (AntiVir PersonalProducts GmbH)
AV: AntiVir PersonalEdition Classic Virenschutz v0.0.0.0 (AntiVir PersonalProducts GmbH)
AV: AntiVir PersonalEdition Classic Virenschutz v 6.38.1.193
(AntiVir PersonalProducts GmbH) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Enabled:Remoteunterstützung"
"%ProgramFiles%\\Messenger\\msmsgs.exe"="%ProgramFiles%\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%ProgramFiles%\\AOL 9.0\\AOL.exe"="%ProgramFiles%\\AOL 9.0\\AOL.exe:*:enabled:AOL 9.0"
"%ProgramFiles%\\AOL 9.0\\WAOL.exe"="%ProgramFiles%\\AOL 9.0\\WAOL.exe:*:enabled:AOL 9.0"
"%WinDir%\\system32\\fxsclnt.exe"="%WinDir%\\system32\\fxsclnt.exe:*:enabled:Microsoft Fax Console"
"%ProgramFiles%\\CA\\eTrust Antivirus\\InocIT.exe"="%ProgramFiles%\\CA\\eTrust Antivirus\\InocIT.exe:*:enabled:eTrust Antivirus - Local Scanner"
"%ProgramFiles%\\CA\\eTrust Antivirus\\Realmon.exe"="%ProgramFiles%\\CA\\eTrust Antivirus\\Realmon.exe:*:enabled:eTrust Antivirus - Realtime monitor"
"%ProgramFiles%\\CA\\eTrust Antivirus\\InoRpc.exe"="%ProgramFiles%\\CA\\eTrust Antivirus\\InoRpc.exe:*:enabled:eTrust Antivirus - RPC Server"
"%ProgramFiles%\\WIDCOMM\\Bluetooth Software\\BTTray.exe"="%ProgramFiles%\\WIDCOMM\\Bluetooth Software\\BTTray.exe:*:enabled:BTTray"
"C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLDIAL.exe"="C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLDIAL.exe:*:Enabled:AOL"
"C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLACSD.exe"="C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLACSD.exe:*:Enabled:AOL"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programme\\MSN Messenger\\livecall.exe"="C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Enabled:Remoteunterstützung"
"%ProgramFiles%\\AOL 9.0\\AOL.exe"="%ProgramFiles%\\AOL 9.0\\AOL.exe:*:enabled:AOL 9.0"
"%ProgramFiles%\\AOL 9.0\\WAOL.exe"="%ProgramFiles%\\AOL 9.0\\WAOL.exe:*:enabled:AOL 9.0"
"%WinDir%\\system32\\fxsclnt.exe"="%WinDir%\\system32\\fxsclnt.exe:*:enabled:Microsoft Fax Console"
"%ProgramFiles%\\CA\\eTrust Antivirus\\InocIT.exe"="%ProgramFiles%\\CA\\eTrust Antivirus\\InocIT.exe:*:enabled:eTrust Antivirus - Local Scanner"
"%ProgramFiles%\\CA\\eTrust Antivirus\\Realmon.exe"="%ProgramFiles%\\CA\\eTrust Antivirus\\Realmon.exe:*:enabled:eTrust Antivirus - Realtime monitor"
"%ProgramFiles%\\CA\\eTrust Antivirus\\InoRpc.exe"="%ProgramFiles%\\CA\\eTrust Antivirus\\InoRpc.exe:*:enabled:eTrust Antivirus - RPC Server"
"%ProgramFiles%\\WIDCOMM\\Bluetooth Software\\BTTray.exe"="%ProgramFiles%\\WIDCOMM\\Bluetooth Software\\BTTray.exe:*:enabled:BTTray"
"C:\\Programme\\Home Cinema\\PowerCinema\\PowerCinema.exe"="C:\\Programme\\Home Cinema\\PowerCinema\\PowerCinema.exe:*:Enabled:PowerCinema"
"C:\\Programme\\Messenger\\msmsgs.exe"="C:\\Programme\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Python23\\pythonw.exe"="C:\\Python23\\pythonw.exe:*:Enabled:pythonw"
"C:\\Programme\\eMule\\emule.exe"="C:\\Programme\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLDIAL.exe"="C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLDIAL.exe:*:Enabled:AOL"
"C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLACSD.exe"="C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLACSD.exe:*:Enabled:AOL"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programme\\MSN Messenger\\livecall.exe"="C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Programme\\Snowball\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Snowball\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Programme\\Yahoo!\\Messenger\\YServer.exe"="C:\\Programme\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Dokumente und Einstellungen\All Users
APPDATA=C:\Dokumente und Einstellungen\Marina\Anwendungsdaten
CLASSPATH=.;set CLASSPATH=c:\dbs2\sod2.jar;c:\dbs2\sod2tools.jar;c:\xt_win\xt.exe;c:\java\jdk\bin;
CommonProgramFiles=C:\Programme\Gemeinsame Dateien
COMPUTERNAME=NAME-01CFAA9CBF
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Dokumente und Einstellungen\Marina
LOGONSERVER=\\NAME-01CFAA9CBF
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Perl\bin;C:\TreeTagger\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;;C:\PROGRA~1\GEMEIN~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Programme
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOKUME~1\Marina\LOKALE~1\Temp
TMP=C:\DOKUME~1\Marina\LOKALE~1\Temp
UNILEXDIR=C:\Programme\Pons\LexifacePRO\
USERDOMAIN=NAME-01CFAA9CBF
USERNAME=Marina
USERPROFILE=C:\Dokumente und Einstellungen\Marina
windir=C:\WINDOWS
Blown
2008-01-22, 12:46
-- User Profiles ---------------------------------------------------------------

Marina (admin)
Gast (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Programme\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Programme\Gemeinsame Dateien\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUn0407.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ActivePerl 5.8.7 Build 815 --> MsiExec.exe /I{5246151F-717A-4119-A592-85AFC71EB60D}
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 - Deutsch --> MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A00000000001}
Altova XMLSpy 2007 Enterprise Edition --> MsiExec.exe /I{17135707-F9C3-492C-86F3-F8B729B7EF44}
ATI - Dienstprogramm zur Deinstallation der Software --> C:\Programme\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avira AntiVir PersonalEdition Classic --> C:\Programme\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
AviSynth 2.5 --> "C:\Programme\AviSynth 2.5\Uninstall.exe"
AVManager V1.1.1.2 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{52E42344-1C48-453D-B80C-081C431F4E08}\setup.exe" -l0x9
Babylon --> C:\Programme\Babylon\Babylon-Pro\Utils\uninstbb.exe
Broadcom 440x 10/100 Integrated Controller --> C:\Programme\Gemeinsame Dateien\InstallShield\Driver\8\Intel 32\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1031
BSPlayer --> "C:\Programme\BSplayer\uninstall.exe"
Creatix 2.0 AC'97 Modem --> agrsmdel
DVD Shrink 3.1.4 --> "C:\Programme\DVD Shrink\unins000.exe"
eMule --> "C:\Programme\eMule\Uninstall.exe"
eTrust Antivirus Registration --> MsiExec.exe /I{C5223522-2B12-4522-B165-99EE6C88771E}
FreePDF XP (Remove only) --> C:\Programme\FreePDF_XP\fpsetup.exe /r
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\programme\google\googletoolbar4.dll"
GPL Ghostscript 8.61 --> C:\Programme\gs\uninstgs.exe "C:\Programme\gs\gs8.61\uninstal.txt"
GPL Ghostscript Fonts --> C:\Programme\gs\uninstgs.exe "C:\Programme\gs\fonts\uninstal.txt"
GSpot Codec Information Appliance --> C:\Programme\GSpot\Uninstall.exe
HighMAT-Erweiterung für den Microsoft Windows XP-Assistenten zum Schreiben von CDs --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Home Cinema --> C:\Programme\Uninstall_PCM.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Informationen über Ihren PC --> MsiExec.exe /I{3D1A6B70-3E02-49BC-88B0-916C80274632}
Intel(R) PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
J2SE Development Kit 5.0 Update 11 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150110}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java 2 Runtime Environment, SE v1.4.2_06 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Launch Manager V1.2.9 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{D0846526-66DD-4DC9-A02C-98F9A2806812}\Setup.exe" -l0x7
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
MediaShow 3.0 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{D5A9B7C0-8751-11D8-9D75-000129760D75}\setup.exe" -uninstall
mEoU.msi --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Enzyklopädie 2005 --> MsiExec.exe /I{05440044-64A6-4248-A026-9745C1E9E159}
Microsoft Flight Simulator 2004 - Das Jahrhundert der Luftfahrt --> "C:\Programme\Microsoft Games\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
Microsoft Office XP Professional mit FrontPage --> MsiExec.exe /I{90280407-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Foto Premium 10 --> "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows-Journal-Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Word 2002 --> MsiExec.exe /I{911B0407-6000-11D3-8CFE-0050048383C9}
Microsoft Works --> MsiExec.exe /I{B26E3B0D-C2FA-4370-B068-7C476766F029}
Microsoft Works Suite-Add-Ins für Microsoft Word --> MsiExec.exe /I{C6A12D9B-D86A-4ee6-B980-95E4B26A2E13}
MinGW 5.0.0 --> c:\MinGW\uninst.exe
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.11) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
Multimedia-Kurs Tippen --> C:\WINDOWS\unin0407.exe -fC:\KOCH\MMTippen\DeIsL1.isu
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x7 -uninst
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero Suite --> C:\Programme\Gemeinsame Dateien\Ahead\Uninstall\setup.exe /uninstall ExtraUninstallID=""
NetBeans IDE 5.5 --> C:\Programme\netbeans-5.5\_uninst\uninstaller.exe
O&O FormatRecovery --> MsiExec.exe /X{534803A0-780C-4011-AB72-DAAB0CB82FD6}
PhotoNow! 1.0 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{D36DD326-7280-11D8-97C8-000129760CBE}\setup.exe" -uninstall
PowerCinema 4.0 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
PowerDirector --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
PROMT XT Office Giant --> MsiExec.exe /I{B6CD2545-8E53-498F-97FE-54C1572B7F62}
Python 2.3 --> C:\Python23\UNWISE.EXE C:\Python23\INSTALL.LOG
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Programme\Gemeinsame Dateien\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
RedMon - Redirection Port Monitor --> C:\WINDOWS\system32\unredmon.exe
RoDEX v1.1 --> C:\Programme\Sign\RoDEX11\uninstall.exe
Schnell schreiben 2.4 --> "C:\Programme\Schnell schreiben\unins000.exe"
Sentinel Protection Installer 7.0.0 --> MsiExec.exe /I{547D4265-AF45-42E9-A62A-C58182AA35B9}
Setup-Start von Microsoft Works 2005 --> C:\Programme\Microsoft Works Suite 2005\Setup\Launcher.exe /ARP F:\
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Sicherheitsupdate für Step by Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Sicherheitsupdate für Step by Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB883939) --> "C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896422) --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896688) --> "C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB899588) --> "C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB901190) --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB903235) --> "C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB905915) --> "C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB912812) --> "C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB913446) --> "C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB916281) --> "C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB917159) --> "C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB918899) --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB928090) --> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB931768) --> "C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB933566) --> "C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB936021)
Blown
2008-01-22, 12:47
--> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB937143) --> "C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB939653) --> "C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Skype 3.1 --> "C:\Programme\Skype\Phone\unins000.exe"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SnagIt 7 --> C:\Programme\SnagIt 7\SIUNINST.EXE
Spyware Doctor 5.5 --> C:\Programme\Spyware Doctor\unins001.exe /LOG
SSH Secure Shell --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
Sun Download Manager 2.0 (web) --> C:\WINDOWS\system32\javaws.exe -uninstall "http://javadl-esd.sun.com/update/sdm20/sdm20.jnlp"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Programme\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
T-DSL SpeedManager --> C:\PROGRA~1\T-DSLS~1\TSMInst.exe /u
T-Online 5.0 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8283FCCD-AC71-4DC1-A81E-4F244FBBE11D}\setup.exe" CPAS
T-Online Fotoservice --> C:\PROGRA~1\T-ONLI~1\UNWISE.EXE C:\PROGRA~1\T-ONLI~1\INSTALL.LOG
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C9D90376-50C8-4907-AFA2-CA77364A8D51}
Total Commander (Remove or Repair) --> c:\totalcmd\tcuninst.exe
TRADOS 7 Freelance --> MsiExec.exe /I{B18D166F-6E14-45EA-A909-07DBFE15089D}
Update für Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update für Windows XP (KB896727) --> "C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update für Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update für Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update für Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update für Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update für Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update für Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update für Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update für Windows XP (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update für Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update für Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update für Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update für Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update für Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update für Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update für Windows XP (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update für Windows XP (KB946627) --> "C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
VideoLAN VLC media player 0.8.4a --> C:\Programme\VideoLAN\VLC\uninstall.exe
videon --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{261D0486-9127-4071-BA1D-FE784310752E}\Setup.exe" -l0x7
VPN Client --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
WIDCOMM Bluetooth Software --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
Windows-Sicherungsprogramm --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Live Messenger --> MsiExec.exe /I{279DB581-239C-4E13-97F8-0F48E40BE75C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP-Hotfix - KB834707 --> C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP-Hotfix - KB867282 --> C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
Windows XP-Hotfix - KB873333 --> C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP-Hotfix - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP-Hotfix - KB885250 --> C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP-Hotfix - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP-Hotfix - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP-Hotfix - KB885884 --> C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Windows XP-Hotfix - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP-Hotfix - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP-Hotfix - KB887742 --> C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP-Hotfix - KB887797 --> C:\WINDOWS\$NtUninstallKB887797$\spuninst\spuninst.exe
Windows XP-Hotfix - KB888113 --> C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP-Hotfix - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP-Hotfix - KB890047 --> C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP-Hotfix - KB890175 --> C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP-Hotfix - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP-Hotfix - KB890923 --> "C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP-Hotfix - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP-Hotfix - KB893066 --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP-Hotfix - KB893086 --> "C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Programme\WinRAR\uninstall.exe
XAware 5.0 --> "C:\xaware\UninstallerData\Uninstall XA-Suite.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type10731 / Warning
Event Submitted/Written: 01/19/2008 03:34:13 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Erkennung von Produkt "{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" und Funktion "DefaultFeature" fehlgeschlagen beim Anfordern von Komponente "{A4AD656D-72E9-43A7-9DD0-E5F6AF438E72}".

Event Record #/Type10730 / Warning
Event Submitted/Written: 01/19/2008 03:34:13 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Erkennung von Produkt "{43DCF766-6838-4F9A-8C91-D92DA586DFA7}", Funktion "DefaultFeature" und Komponente "{9F47ECA8-A740-EC80-1AE2-C48048D83AA4}" fehlgeschlagen. Die Ressource "HKEY_CURRENT_USER\Software\Microsoft\Journal Viewer\" ist nicht vorhanden.

Event Record #/Type10729 / Warning
Event Submitted/Written: 01/19/2008 03:32:50 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Erkennung von Produkt "{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" und Funktion "DefaultFeature" fehlgeschlagen beim Anfordern von Komponente "{A4AD656D-72E9-43A7-9DD0-E5F6AF438E72}".

Event Record #/Type10728 / Warning
Event Submitted/Written: 01/19/2008 03:32:50 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Erkennung von Produkt "{43DCF766-6838-4F9A-8C91-D92DA586DFA7}", Funktion "DefaultFeature" und Komponente "{9F47ECA8-A740-EC80-1AE2-C48048D83AA4}" fehlgeschlagen. Die Ressource "HKEY_CURRENT_USER\Software\Microsoft\Journal Viewer\" ist nicht vorhanden.

Event Record #/Type10727 / Warning
Event Submitted/Written: 01/19/2008 03:32:49 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Erkennung von Produkt "{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" und Funktion "DefaultFeature" fehlgeschlagen beim Anfordern von Komponente "{A4AD656D-72E9-43A7-9DD0-E5F6AF438E72}".



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type77129 / Error
Event Submitted/Written: 01/19/2008 05:19:10 PM
Event ID/Source: 10010 / DCOM
Event Description:
Der Server "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}" konnte innerhalb des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.

Event Record #/Type77127 / Error
Event Submitted/Written: 01/19/2008 05:18:36 PM
Event ID/Source: 10010 / DCOM
Event Description:
Der Server "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}" konnte innerhalb des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.

Event Record #/Type77126 / Error
Event Submitted/Written: 01/19/2008 05:18:02 PM
Event ID/Source: 10010 / DCOM
Event Description:
Der Server "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}" konnte innerhalb des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.

Event Record #/Type77125 / Error
Event Submitted/Written: 01/19/2008 05:17:29 PM
Event ID/Source: 10010 / DCOM
Event Description:
Der Server "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}" konnte innerhalb des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.

Event Record #/Type77124 / Error
Event Submitted/Written: 01/19/2008 05:16:55 PM
Event ID/Source: 10010 / DCOM
Event Description:
Der Server "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}" konnte innerhalb des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.



-- End of Deckard's System Scanner: finished at 2008-01-19 17:55:35 ------------
Blown
2008-01-22, 12:48
Process:

System Idle Process
System
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Programme\Intel\Wireless\Bin\iFrmewrk.exe
C:\Programme\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\smss.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Dokumente und Einstellungen\Marina\Desktop\IceSword122en\IceSword122en\IceSword.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\WButton.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\alg.exe
Blown
2008-01-22, 12:51
Started Service:

Service Name:ALG Display Name:Gatewaydienst auf Anwendungsebene
Service Name:AudioSrv Display Name:Windows Audio
Service Name:Browser Display Name:Computerbrowser
Service Name:BthServ Display Name:Bluetooth Support Service
Service Name:btwdins Display Name:Bluetooth Service
Service Name:CryptSvc Display Name:Kryptografiedienste
Service Name:CVPND Display Name:Cisco Systems, Inc. VPN Service
Service Name:DcomLaunch Display Name:DCOM-Server-Prozessstart
Service Name:Dhcp Display Name:DHCP-Client
Service Name:Dnscache Display Name:DNS-Client
Service Name:ERSvc Display Name:Fehlerberichterstattungsdienst
Service Name:Eventlog Display Name:Ereignisprotokoll
Service Name:EventSystem Display Name:COM+-Ereignissystem
Service Name:EvtEng Display Name:EvtEng
Service Name:FastUserSwitchingCompatibility Display Name:Kompatibilität für schnelle Benutzerumschaltung
Service Name:helpsvc Display Name:Hilfe und Support
Service Name:HTTPFilter Display Name:HTTP-SSL
Service Name:Irmon Display Name:Infrarotüberwachung
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Arbeitsstationsdienst
Service Name:LmHosts Display Name:TCP/IP-NetBIOS-Hilfsprogramm
Service Name:MDM Display Name:Machine Debug Manager
Service Name:Netman Display Name:Netzwerkverbindungen
Service Name:Nla Display Name:NLA (Network Location Awareness)
Service Name:OwnershipProtocol Display Name:OwnershipProtocol
Service Name:PlugPlay Display Name:Plug & Play
Service Name:PolicyAgent Display Name:IPSEC-Dienste
Service Name:ProtectedStorage Display Name:Geschützter Speicher
Service Name:RasMan Display Name:RAS-Verbindungsverwaltung
Service Name:RegSrvc Display Name:RegSrvc
Service Name:RpcSs Display Name:Remoteprozeduraufruf (RPC)
Service Name:S24EventMonitor Display Name:Spectrum24 Event Monitor
Service Name:Schedule Display Name:Taskplaner
Service Name:sdAuxService Display Name:PC Tools Auxiliary Service
Service Name:sdCoreService Display Name:PC Tools Security Service
Service Name:seclogon Display Name:Sekundäre Anmeldung
Service Name:SENS Display Name:Systemereignisbenachrichtigung
Service Name:SentinelProtectionServer Display Name:SentinelProtectionServer
Service Name:SharedAccess Display Name:Windows-Firewall/Gemeinsame Nutzung der Internetverbindung
Service Name:ShellHWDetection Display Name:Shellhardwareerkennung
Service Name:Spooler Display Name:Druckwarteschlange
Service Name:srservice Display Name:Systemwiederherstellungsdienst
Service Name:SSDPSRV Display Name:SSDP-Suchdienst
Service Name:stisvc Display Name:Windows-Bilderfassung (WIA)
Service Name:TapiSrv Display Name:Telefonie
Service Name:TermService Display Name:Terminaldienste
Service Name:Themes Display Name:Designs
Service Name:TrkWks Display Name:Überwachung verteilter Verknüpfungen (Client)
Service Name:W32Time Display Name:Windows-Zeitgeber
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows-Verwaltungsinstrumentation
Service Name:x10nets Display Name:X10 Device Network Service
---------------------------


Startup
Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BluetoothAuthenticationAgent
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LaunchAp
C:\Programme\Launch Manager\LaunchAp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotkeyApp
C:\Programme\Launch Manager\HotkeyApp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LMgrOSD
C:\Programme\Launch Manager\OSD.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Wbutton
"C:\Programme\Launch Manager\Wbutton.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CtrlVol
C:\Programme\Launch Manager\CtrlVol.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVManager
"C:\Programme\Wistron\AVManager\AVManager.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AGRSMMSG
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPLpr
C:\Programme\Synaptics\SynTP\SynTPLpr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh
C:\Programme\Synaptics\SynTP\SynTPEnh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.1
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSPY2002
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002ASync
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002A
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATIPTA
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck
C:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RemoteControl
"C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PCMService
"C:\Programme\Home Cinema\PowerCinema\PCMService.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe
"C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Programme\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avgnt
"C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Babylon Client
C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FreePDF Assistant
C:\Programme\FreePDF_XP\fpassist.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISTray
"C:\Programme\Spyware Doctor\pctsTray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelWireless
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EOUApp
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NBJ
"C:\Programme\Ahead\Nero BackItUp\NBJ.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
BTTray.lnk
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Remark£ºVerknüpfung zur Anwendung Widcomm BTTray in der Task-Leiste)

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
Cisco Systems VPN Client.lnk
C:\Programme\Cisco Systems\VPN Client\vpngui.exe (Remark£º)

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
desktop.ini


C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
Microsoft Office.lnk
C:\Programme\Microsoft Office\Office10\OSA.EXE (Remark£ºMicrosoft Office Autostart)

C:\Dokumente und Einstellungen\Marina\Startmenü\Programme\Autostart
desktop.ini

------------------
SSDT

red KModule
\SystemRoot\system32\drivers\iksysflt.sys


---------------
Thank you!
Rorschach112
2008-01-22, 15:45
Hello

Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe




Now for the fix. Close all windows and run IceSword.exe. Do not restart your until the very end to ensure the fix works

Step 1 : Click the Processes tab and right-click on the following red colored processes one by one and choose "Terminate Process". This will kill the rooted processes.

C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\hldrrr.exe


Step 2 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them if present.

C:\WINDOWS\system32\mdelk.PIF
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\down << folder
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
c:\windows\system32\drivers\srosa.sys
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe


Step 3 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys and delete the registry values in bold

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe



Then delete these registry keys in bold if present

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\srosa

Then reboot your PC and run IceSword again. Save new logs from the "Processes", "Win32 Services", and "Startup" tabs, taking note of any red entries from them and from the SSDT tab.


Also post a new DSS log
Blown
2008-01-22, 21:12
I run IceSword and following happened:
When killing processes:
not present: C:\WINDOWS\system32\wintems.exe - same when deleting the rooted files -

also: couldn't find "flec006.exe" under C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\

After rebooting & running IceSword:

Under Processes I found flec006.exe and
C:\WINDOWS\system32\drivers\hldrrr.exe is there again... hm:(

here's the dss main log

Deckard's System Scanner v20071014.68
Run by Marina on 2008-01-22 21:01:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Marina.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:28, on 22.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Dokumente und Einstellungen\Marina\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Marina.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif

--
End of file - 12575 bytes
------
Blown
2008-01-22, 21:15
-- Files created between 2007-12-22 and 2008-01-22 -----------------------------

2008-01-22 20:42:21 0 d-------- C:\WINDOWS\system32\drivers\down
2008-01-22 12:04:08 0 d-------- C:\Programme\Trend Micro
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-19 17:27:50 0 d-------- C:\totalcmd
2008-01-18 13:42:52 17119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
2008-01-18 13:41:38 1654784 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data\PC Tools
2008-01-17 18:28:01 0 d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:27:48 0 d-------- C:\Programme\Spyware Doctor
2008-01-15 10:16:13 0 d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02:24 0 d-------- C:\xaware
2008-01-13 18:02:24 0 d--h----- C:\Programme\Zero G Registry
2008-01-13 18:01:26 0 d--h----- C:\Dokumente und Einstellungen\Marina\InstallAnywhere
2008-01-13 13:25:48 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-13 13:25:48 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 12:55:24 45056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:55:24 116224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55:22 0 d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55:22 0 d-------- C:\Dokumente und Einstellungen\All Users\FreePDF
2008-01-13 12:51:46 0 d-------- C:\Programme\gs
2008-01-06 19:08:48 0 d-------- C:\TreeTagger
2008-01-06 12:37:17 0 d-------- C:\Programme\Babylon
2008-01-06 12:15:45 0 d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33:50 0 d-------- C:\Programme\SnagIt 7
2008-01-05 11:31:54 0 d-------- C:\Programme\TreeTagger
2007-12-23 17:26:30 1159242 --a------ C:\saxon.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-22 20:42:44 0 d--h----- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m
2008-01-22 15:38:38 42766 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\wklnhst.dat
2008-01-20 13:35:28 0 d-------- C:\Programme\Gemeinsame Dateien
2008-01-19 15:03:21 86992 --a----c- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-01-19 13:43:40 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Skype
2008-01-19 13:09:15 0 d--h----- C:\Programme\InstallShield Installation Information
2008-01-18 15:52:31 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon
2008-01-18 13:43:28 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Intel
2008-01-18 13:41:32 0 d-------- C:\Programme\Intel
2008-01-18 13:38:43 400786 --a------ C:\WINDOWS\system32\perfh007.dat
2008-01-18 13:38:43 69040 --a------ C:\WINDOWS\system32\perfc007.dat
2008-01-18 13:38:35 0 d-------- C:\Programme\Windows NT
2008-01-17 19:10:37 0 d-------- C:\Programme\Altova
2008-01-17 19:07:02 0 d-------- C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 18:27:48 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\PC Tools
2008-01-17 16:33:39 0 d-------- C:\Programme\eMule
2008-01-13 13:29:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\pdf995
2008-01-06 15:15:34 0 d-------- C:\Programme\TRADOS
2008-01-05 20:56:52 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Trados
2008-01-05 11:31:48 115157 --a------ C:\Programme\tree-tagger-windows-3.1.zip
2007-12-20 18:20:03 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Adobe
2007-12-01 14:10:02 0 d-------- C:\Programme\SSH Communications Security
2007-11-23 15:23:06 86016 --a------ C:\WINDOWS\system32\LinkDropHandler.dll <Not Verified; Altova GmbH; Shortcut Drop Handler Shell Extension>
2007-11-23 15:16:22 491520 -ra------ C:\WINDOWS\system32\XmlSpyLib.dll <Not Verified; ; XmlSpyLib Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04.08.2004 13:00 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [06.08.2004 14:04]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [11.11.2004 15:13]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [26.07.2004 14:52]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [23.11.2004 16:01]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [16.09.2003 14:28]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [26.11.2004 18:49]
"AGRSMMSG"="AGRSMMSG.exe" [22.07.2004 13:38 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [05.10.2004 16:25]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [05.10.2004 16:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04.08.2004 13:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04.08.2004 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04.08.2004 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04.08.2004 13:00]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [21.12.2004 21:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09.07.2001 10:50]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [02.11.2004 20:24]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [11.01.2005 18:17]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [01.01.2005 19:31]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [02.01.2005 09:17]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [21.01.2008 22:00]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 00:11]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [10.10.2007 17:06]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [26.06.2007 20:27]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [10.12.2007 14:53]
"@"="" []
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [15.10.2004 11:27]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [15.10.2004 11:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [09.12.2004 15:38]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [23.01.2004 08:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 13:00]

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [20.10.2005 12:04:08]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe [29.11.2004 18:55:44]
Cisco Systems VPN Client.lnk - C:\Programme\Cisco Systems\VPN Client\vpngui.exe [24.02.2006 14:58:47]
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [13.02.2001 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 15.10.2004 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-01-22 21:02:27 ------------
Blown
2008-01-22, 21:19
Processes log
Process:

System Idle Process
System
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\explorer.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\smss.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Intel\Wireless\Bin\iFrmewrk.exe
C:\Programme\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\WButton.exe
C:\Dokumente und Einstellungen\Marina\Desktop\IceSword122en\IceSword122en\IceSword.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe


Serveces log
Started Service:

Service Name:AudioSrv Display Name:Windows Audio
Service Name:Browser Display Name:Computerbrowser
Service Name:BthServ Display Name:Bluetooth Support Service
Service Name:btwdins Display Name:Bluetooth Service
Service Name:CryptSvc Display Name:Kryptografiedienste
Service Name:CVPND Display Name:Cisco Systems, Inc. VPN Service
Service Name:DcomLaunch Display Name:DCOM-Server-Prozessstart
Service Name:Dhcp Display Name:DHCP-Client
Service Name:Dnscache Display Name:DNS-Client
Service Name:ERSvc Display Name:Fehlerberichterstattungsdienst
Service Name:Eventlog Display Name:Ereignisprotokoll
Service Name:EventSystem Display Name:COM+-Ereignissystem
Service Name:EvtEng Display Name:EvtEng
Service Name:FastUserSwitchingCompatibility Display Name:Kompatibilität für schnelle Benutzerumschaltung
Service Name:helpsvc Display Name:Hilfe und Support
Service Name:Irmon Display Name:Infrarotüberwachung
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Arbeitsstationsdienst
Service Name:LmHosts Display Name:TCP/IP-NetBIOS-Hilfsprogramm
Service Name:MDM Display Name:Machine Debug Manager
Service Name:Netman Display Name:Netzwerkverbindungen
Service Name:Nla Display Name:NLA (Network Location Awareness)
Service Name:OwnershipProtocol Display Name:OwnershipProtocol
Service Name:PlugPlay Display Name:Plug & Play
Service Name:PolicyAgent Display Name:IPSEC-Dienste
Service Name:ProtectedStorage Display Name:Geschützter Speicher
Service Name:RasMan Display Name:RAS-Verbindungsverwaltung
Service Name:RegSrvc Display Name:RegSrvc
Service Name:RpcSs Display Name:Remoteprozeduraufruf (RPC)
Service Name:S24EventMonitor Display Name:Spectrum24 Event Monitor
Service Name:Schedule Display Name:Taskplaner
Service Name:sdAuxService Display Name:PC Tools Auxiliary Service
Service Name:sdCoreService Display Name:PC Tools Security Service
Service Name:seclogon Display Name:Sekundäre Anmeldung
Service Name:SENS Display Name:Systemereignisbenachrichtigung
Service Name:SentinelProtectionServer Display Name:SentinelProtectionServer
Service Name:ShellHWDetection Display Name:Shellhardwareerkennung
Service Name:Spooler Display Name:Druckwarteschlange
Service Name:srservice Display Name:Systemwiederherstellungsdienst
Service Name:SSDPSRV Display Name:SSDP-Suchdienst
Service Name:stisvc Display Name:Windows-Bilderfassung (WIA)
Service Name:TapiSrv Display Name:Telefonie
Service Name:TermService Display Name:Terminaldienste
Service Name:Themes Display Name:Designs
Service Name:TrkWks Display Name:Überwachung verteilter Verknüpfungen (Client)
Service Name:W32Time Display Name:Windows-Zeitgeber
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows-Verwaltungsinstrumentation
Service Name:WZCSVC Display Name:Konfigurationsfreie drahtlose Verbindung
Service Name:x10nets Display Name:X10 Device Network Service

Startup
Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BluetoothAuthenticationAgent
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LaunchAp
C:\Programme\Launch Manager\LaunchAp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotkeyApp
C:\Programme\Launch Manager\HotkeyApp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LMgrOSD
C:\Programme\Launch Manager\OSD.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Wbutton
"C:\Programme\Launch Manager\Wbutton.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CtrlVol
C:\Programme\Launch Manager\CtrlVol.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVManager
"C:\Programme\Wistron\AVManager\AVManager.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AGRSMMSG
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPLpr
C:\Programme\Synaptics\SynTP\SynTPLpr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh
C:\Programme\Synaptics\SynTP\SynTPEnh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.1
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSPY2002
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002ASync
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002A
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATIPTA
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck
C:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RemoteControl
"C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PCMService
"C:\Programme\Home Cinema\PowerCinema\PCMService.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe
"C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Programme\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avgnt
"C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Babylon Client
C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FreePDF Assistant
C:\Programme\FreePDF_XP\fpassist.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISTray
"C:\Programme\Spyware Doctor\pctsTray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelWireless
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EOUApp
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NBJ
"C:\Programme\Ahead\Nero BackItUp\NBJ.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
BTTray.lnk
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Remark£ºVerknüpfung zur Anwendung Widcomm BTTray in der Task-Leiste)

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
Cisco Systems VPN Client.lnk
C:\Programme\Cisco Systems\VPN Client\vpngui.exe (Remark£º)

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
desktop.ini


C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
Microsoft Office.lnk
C:\Programme\Microsoft Office\Office10\OSA.EXE (Remark£ºMicrosoft Office Autostart)

C:\Dokumente und Einstellungen\Marina\Startmenü\Programme\Autostart
desktop.ini


C:\Dokumente und Einstellungen\Marina\Startmenü\Programme\Autostart
ERUNT AutoBackup.lnk
C:\Programme\ERUNT\AUTOBACK.EXE (Remark£º)

SSDT
red KModule
\SystemRoot\system32\drivers\iksysflt.sys (9 times)

---------------

thank you!
Rorschach112
2008-01-23, 01:31
Hello

Lets try this once more


Now for the fix. Close all windows and run IceSword.exe. Do not restart your until the very end to ensure the fix works

Step 1 : Click the Processes tab and right-click on the following red colored processes one by one and choose "Terminate Process". This will kill the rooted processes.

C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe


Step 2 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them if present.

C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe


Step 3 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them if present.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\srosa

Then navigate to these registry keys and delete the values in bold

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe


Then reboot your PC and run IceSword again. Save new logs from the "Processes", "Win32 Services", and "Startup" tabs, taking note of any red entries from them and from the SSDT tab.
Blown
2008-01-24, 00:16
hello,

I've deleted everything now a couple of times, but after rebooting everything is back:(
is the way I reboot relevant? clicking File->Reboot and Monitor from IceSword or closing IceWord and usual reboot through Start -> Reboot

here the logs:

Process:

System Idle Process
System
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\Dokumente und Einstellungen\Marina\Desktop\IceSword122en\IceSword122en\IceSword.exe
C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\iFrmewrk.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\WButton.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe

Services:
Started Service:

Service Name:AudioSrv Display Name:Windows Audio
Service Name:BthServ Display Name:Bluetooth Support Service
Service Name:btwdins Display Name:Bluetooth Service
Service Name:CryptSvc Display Name:Kryptografiedienste
Service Name:CVPND Display Name:Cisco Systems, Inc. VPN Service
Service Name:DcomLaunch Display Name:DCOM-Server-Prozessstart
Service Name:Dhcp Display Name:DHCP-Client
Service Name:Dnscache Display Name:DNS-Client
Service Name:ERSvc Display Name:Fehlerberichterstattungsdienst
Service Name:Eventlog Display Name:Ereignisprotokoll
Service Name:EventSystem Display Name:COM+-Ereignissystem
Service Name:EvtEng Display Name:EvtEng
Service Name:FastUserSwitchingCompatibility Display Name:Kompatibilität für schnelle Benutzerumschaltung
Service Name:helpsvc Display Name:Hilfe und Support
Service Name:HTTPFilter Display Name:HTTP-SSL
Service Name:Irmon Display Name:Infrarotüberwachung
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Arbeitsstationsdienst
Service Name:LmHosts Display Name:TCP/IP-NetBIOS-Hilfsprogramm
Service Name:MDM Display Name:Machine Debug Manager
Service Name:Netman Display Name:Netzwerkverbindungen
Service Name:Nla Display Name:NLA (Network Location Awareness)
Service Name:OwnershipProtocol Display Name:OwnershipProtocol
Service Name:PlugPlay Display Name:Plug & Play
Service Name:PolicyAgent Display Name:IPSEC-Dienste
Service Name:ProtectedStorage Display Name:Geschützter Speicher
Service Name:RasMan Display Name:RAS-Verbindungsverwaltung
Service Name:RegSrvc Display Name:RegSrvc
Service Name:RpcSs Display Name:Remoteprozeduraufruf (RPC)
Service Name:S24EventMonitor Display Name:Spectrum24 Event Monitor
Service Name:Schedule Display Name:Taskplaner
Service Name:sdAuxService Display Name:PC Tools Auxiliary Service
Service Name:sdCoreService Display Name:PC Tools Security Service
Service Name:seclogon Display Name:Sekundäre Anmeldung
Service Name:SENS Display Name:Systemereignisbenachrichtigung
Service Name:SentinelProtectionServer Display Name:SentinelProtectionServer
Service Name:ShellHWDetection Display Name:Shellhardwareerkennung
Service Name:Spooler Display Name:Druckwarteschlange
Service Name:srservice Display Name:Systemwiederherstellungsdienst
Service Name:SSDPSRV Display Name:SSDP-Suchdienst
Service Name:stisvc Display Name:Windows-Bilderfassung (WIA)
Service Name:TapiSrv Display Name:Telefonie
Service Name:TermService Display Name:Terminaldienste
Service Name:Themes Display Name:Designs
Service Name:TrkWks Display Name:Überwachung verteilter Verknüpfungen (Client)
Service Name:W32Time Display Name:Windows-Zeitgeber
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows-Verwaltungsinstrumentation
Service Name:x10nets Display Name:X10 Device Network Service

Start up:
Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BluetoothAuthenticationAgent
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LaunchAp
C:\Programme\Launch Manager\LaunchAp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotkeyApp
C:\Programme\Launch Manager\HotkeyApp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LMgrOSD
C:\Programme\Launch Manager\OSD.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Wbutton
"C:\Programme\Launch Manager\Wbutton.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CtrlVol
C:\Programme\Launch Manager\CtrlVol.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVManager
"C:\Programme\Wistron\AVManager\AVManager.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AGRSMMSG
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPLpr
C:\Programme\Synaptics\SynTP\SynTPLpr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh
C:\Programme\Synaptics\SynTP\SynTPEnh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.1
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSPY2002
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002ASync
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002A
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATIPTA
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck
C:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RemoteControl
"C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PCMService
"C:\Programme\Home Cinema\PowerCinema\PCMService.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe
"C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Programme\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avgnt
"C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Babylon Client
C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FreePDF Assistant
C:\Programme\FreePDF_XP\fpassist.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISTray
"C:\Programme\Spyware Doctor\pctsTray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelWireless
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EOUApp
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NBJ
"C:\Programme\Ahead\Nero BackItUp\NBJ.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
BTTray.lnk
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Remark£ºVerknüpfung zur Anwendung Widcomm BTTray in der Task-Leiste)

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
Cisco Systems VPN Client.lnk
C:\Programme\Cisco Systems\VPN Client\vpngui.exe (Remark£º)

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
desktop.ini


C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
Microsoft Office.lnk
C:\Programme\Microsoft Office\Office10\OSA.EXE (Remark£ºMicrosoft Office Autostart)

C:\Dokumente und Einstellungen\Marina\Startmenü\Programme\Autostart
desktop.ini


C:\Dokumente und Einstellungen\Marina\Startmenü\Programme\Autostart
ERUNT AutoBackup.lnk
C:\Programme\ERUNT\AUTOBACK.EXE (Remark£º)

----------
Rorschach112
2008-01-24, 00:19
Do this instead

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 3 (http://www.forospyware.com/sUBs/ComboFix.exe) Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Blown
2008-01-24, 12:30
Hello,

I ran Combofix, but where do I find the log? I was'n watching it when it finished (in case it promts where the log is).

Thank you.
Blown
2008-01-24, 12:37
Hello again,

here's the Combofix log:
ComboFix 08-01-23.2 - Marina 2008-01-24 12:09:26.1 - NTFSx86
ausgeführt von:: C:\Dokumente und Einstellungen\Marina\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\srosa.sys
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa


((((((((((((((((((((((( Dateien erstellt von 2007-12-24 bis 2008-01-24 ))))))))))))))))))))))))))))))
.

2008-01-24 12:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 23:19 . 2008-01-24 09:47 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-23 23:19 . 2004-01-23 08:03 664,545 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
2008-01-22 22:09 . 2008-01-22 22:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 22:09 . 2008-01-22 22:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-22 12:04 . 2008-01-22 12:04 <DIR> d-------- C:\Programme\Trend Micro
2008-01-19 17:47 . 2008-01-19 17:47 <DIR> d-------- C:\Deckard
2008-01-19 17:27 . 2008-01-19 17:28 <DIR> d-------- C:\totalcmd
2008-01-19 17:27 . 2008-01-19 17:42 725 --a------ C:\WINDOWS\wincmd.ini
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-18 13:52 . 2004-10-29 18:48 3,222,784 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-01-18 13:52 . 2004-10-15 10:20 458,752 --a------ C:\WINDOWS\system32\w29NCPA.dll
2008-01-18 13:42 . 2008-01-18 13:42 17,119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-18 13:41 . 2004-10-15 10:20 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.DLL
2008-01-18 13:41 . 2004-11-09 16:31 13 --a------ C:\WINDOWS\system32\drivers\verfile.tic
2008-01-18 13:38 . 2004-08-04 13:00 5,632 --a--c--- C:\WINDOWS\system32\dllcache\write.exe
2008-01-17 18:28 . 2008-01-17 18:39 <DIR> d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:28 . 2007-12-10 14:53 218,504 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-17 18:27 . 2008-01-23 23:19 <DIR> d-------- C:\Programme\Spyware Doctor
2008-01-17 18:27 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-17 18:27 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-17 18:27 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-17 18:27 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-17 16:09 . 2008-01-17 16:09 126 --a------ C:\WINDOWS\system32\mmc.exe.config
2008-01-15 10:16 . 2008-01-15 10:16 <DIR> d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02 . 2008-01-13 18:07 <DIR> d-------- C:\xaware
2008-01-13 18:02 . 2008-01-13 18:07 <DIR> d--h----- C:\Programme\Zero G Registry
2008-01-13 13:25 . 2008-01-13 13:25 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-01-13 13:25 . 2008-01-13 13:25 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 13:25 . 2008-01-13 13:28 59 --a------ C:\WINDOWS\wpd99.drv
2008-01-13 12:55 . 2008-01-13 12:55 <DIR> d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55 . 2005-01-06 18:33 119,152 --a------ C:\WINDOWS\system32\redmon.hlp
2008-01-13 12:55 . 2005-01-06 18:33 116,224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55 . 2005-01-06 18:33 45,056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:51 . 2008-01-13 12:54 <DIR> d-------- C:\Programme\gs
2008-01-06 19:08 . 2008-01-07 14:39 <DIR> d-------- C:\TreeTagger
2008-01-06 12:37 . 2008-01-06 12:42 <DIR> d-------- C:\Programme\Babylon
2008-01-06 12:15 . 2008-01-06 12:42 <DIR> d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33 . 2008-01-17 18:19 <DIR> d-------- C:\Programme\SnagIt 7
2008-01-05 11:31 . 2008-01-06 18:23 <DIR> d-------- C:\Programme\TreeTagger
2008-01-05 11:31 . 2008-01-05 11:31 115,157 --a------ C:\Programme\tree-tagger-windows-3.1.zip

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 12:09 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-01-18 12:41 --------- d-----w C:\Programme\Intel
2008-01-17 18:10 --------- d-----w C:\Programme\Altova
2008-01-17 18:07 --------- d-----w C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 15:33 --------- d-----w C:\Programme\eMule
2008-01-06 14:15 --------- d-----w C:\Programme\TRADOS
2007-12-01 13:10 --------- d-----w C:\Programme\SSH Communications Security
2006-09-28 18:31 77 ----a-w C:\Programme\Show Desktop.scf
2006-04-25 23:35 9,692,886 ----a-w C:\Programme\vlc-0.8.4a-win32.exe
2006-03-13 03:49 13,417,940 ----a-w C:\Programme\ActivePerl-5.8.7.815-MSWin32-x86-211909.msi
2006-02-03 11:32 7,993,931 ----a-w C:\Programme\vpnclient-win-is-4.7.00.0533-k9-hd.exe
2003-08-11 17:40 1,159,242 ----a-w C:\Programme\saxon.exe
2003-08-11 15:33 12,548 ----a-w C:\Programme\instant.html
2005-01-02 10:31 8 -csh--r C:\WINDOWS\system32\571AC95229.sys
2005-01-02 10:31 4,704 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38 1937408]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2004-01-23 08:03 664545]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"mule_st_key"="C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe" [2008-01-24 09:47 96772]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [2004-08-06 14:04 32768]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [2004-11-11 15:13 49152]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [2004-07-26 14:52 204800]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [2004-11-23 16:01 73728]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [2004-11-26 18:49 81920]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 88361 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25 98394]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24 688218]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 21:05 344064]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2005-01-11 18:17 118926]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 19:31 180269]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2005-01-02 09:17 98304]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-24 12:14 327720]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 17:06 2997984]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27 312320]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31 356352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

SafeBoot Registrierungsschlüssel muss repariert werden. Dieser PC kann nicht im abgesicherten Modus starten.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 15:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2006-12-24 17:14]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-04-23 10:34]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2007-12-10 14:53]
R2 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2000-05-12 13:48]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []
S3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2004-10-06 14:10]
S3 TNPacket;T-Systems Nova Packet Capture Driver;C:\Programme\T-DSL SpeedManager\TNPACKET.SYS [2002-10-09 11:38]

.
Inhalt des "geplante Tasks" Ordners
"2006-09-17 19:54:51 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
- D:\Poze\Barcelona2005\CIMG0143.AVI
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 12:20:38
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Blown
2008-01-24, 12:41
and the HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif

--
End of file - 12546 bytes

Thank you
Rorschach112
2008-01-24, 14:18
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe

Folder::
C:\WINDOWS\system32\drivers\down

dirlook::
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m

Save this as CFScript.txt, in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [mule_st_key] C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Blown
2008-01-24, 15:57
Hello

Here's the ColboFix & HJT Logs. I ran ComboFix twice because I wasn't sure if the fix was done when I exit the program. The second time the 4 entries weren't anymore, but Spy Doctor still finds hldrrr.

ComboFix 08-01-23.2 - Marina 2008-01-24 15:33:58.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.131 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Marina\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Marina\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
.
---- Previous Run -------
.
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\109056.exe
C:\WINDOWS\system32\drivers\down\112321.exe
C:\WINDOWS\system32\drivers\down\112561.exe
C:\WINDOWS\system32\drivers\down\114484.exe
C:\WINDOWS\system32\drivers\down\115055.exe
C:\WINDOWS\system32\drivers\down\115566.exe
C:\WINDOWS\system32\drivers\down\116727.exe
C:\WINDOWS\system32\drivers\down\117248.exe
C:\WINDOWS\system32\drivers\down\117468.exe
C:\WINDOWS\system32\drivers\down\118640.exe
C:\WINDOWS\system32\drivers\down\118780.exe
C:\WINDOWS\system32\drivers\down\118870.exe
C:\WINDOWS\system32\drivers\down\119031.exe
C:\WINDOWS\system32\drivers\down\160410.exe
C:\WINDOWS\system32\drivers\down\170975.exe
C:\WINDOWS\system32\drivers\down\171226.exe
C:\WINDOWS\system32\drivers\down\177795.exe
C:\WINDOWS\system32\drivers\down\178416.exe
C:\WINDOWS\system32\drivers\down\179478.exe
C:\WINDOWS\system32\drivers\down\181420.exe
C:\WINDOWS\system32\drivers\down\181711.exe
C:\WINDOWS\system32\drivers\down\182302.exe
C:\WINDOWS\system32\drivers\down\182522.exe
C:\WINDOWS\system32\drivers\down\183083.exe
C:\WINDOWS\system32\drivers\down\183353.exe
C:\WINDOWS\system32\drivers\down\183634.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa


-------\LEGACY_SROSA
-------\srosa


-------\LEGACY_SROSA
-------\srosa


((((((((((((((((((((((( Dateien erstellt von 2007-12-24 bis 2008-01-24 ))))))))))))))))))))))))))))))
.

2008-01-24 14:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 22:09 . 2008-01-22 22:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 22:09 . 2008-01-22 22:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-22 12:04 . 2008-01-22 12:04 <DIR> d-------- C:\Programme\Trend Micro
2008-01-19 17:47 . 2008-01-19 17:47 <DIR> d-------- C:\Deckard
2008-01-19 17:27 . 2008-01-19 17:28 <DIR> d-------- C:\totalcmd
2008-01-19 17:27 . 2008-01-19 17:42 725 --a------ C:\WINDOWS\wincmd.ini
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-18 13:52 . 2004-10-29 18:48 3,222,784 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-01-18 13:52 . 2004-10-15 10:20 458,752 --a------ C:\WINDOWS\system32\w29NCPA.dll
2008-01-18 13:42 . 2008-01-18 13:42 17,119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-18 13:41 . 2004-10-15 10:20 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.DLL
2008-01-18 13:41 . 2004-11-09 16:31 13 --a------ C:\WINDOWS\system32\drivers\verfile.tic
2008-01-18 13:38 . 2004-08-04 13:00 5,632 --a--c--- C:\WINDOWS\system32\dllcache\write.exe
2008-01-17 18:28 . 2008-01-17 18:39 <DIR> d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:28 . 2007-12-10 14:53 218,504 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-17 18:27 . 2008-01-24 15:42 <DIR> d-------- C:\Programme\Spyware Doctor
2008-01-17 18:27 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-17 18:27 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-17 18:27 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-17 18:27 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-17 16:09 . 2008-01-17 16:09 126 --a------ C:\WINDOWS\system32\mmc.exe.config
2008-01-15 10:16 . 2008-01-15 10:16 <DIR> d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02 . 2008-01-13 18:07 <DIR> d-------- C:\xaware
2008-01-13 18:02 . 2008-01-13 18:07 <DIR> d--h----- C:\Programme\Zero G Registry
2008-01-13 13:25 . 2008-01-13 13:25 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-01-13 13:25 . 2008-01-13 13:25 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 13:25 . 2008-01-13 13:28 59 --a------ C:\WINDOWS\wpd99.drv
2008-01-13 12:55 . 2008-01-13 12:55 <DIR> d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55 . 2005-01-06 18:33 119,152 --a------ C:\WINDOWS\system32\redmon.hlp
2008-01-13 12:55 . 2005-01-06 18:33 116,224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55 . 2005-01-06 18:33 45,056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:51 . 2008-01-13 12:54 <DIR> d-------- C:\Programme\gs
2008-01-06 19:08 . 2008-01-07 14:39 <DIR> d-------- C:\TreeTagger
2008-01-06 12:37 . 2008-01-06 12:42 <DIR> d-------- C:\Programme\Babylon
2008-01-06 12:15 . 2008-01-06 12:42 <DIR> d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33 . 2008-01-17 18:19 <DIR> d-------- C:\Programme\SnagIt 7
2008-01-05 11:31 . 2008-01-06 18:23 <DIR> d-------- C:\Programme\TreeTagger
2008-01-05 11:31 . 2008-01-05 11:31 115,157 --a------ C:\Programme\tree-tagger-windows-3.1.zip

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 12:09 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-01-18 12:41 --------- d-----w C:\Programme\Intel
2008-01-17 18:10 --------- d-----w C:\Programme\Altova
2008-01-17 18:07 --------- d-----w C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 15:33 --------- d-----w C:\Programme\eMule
2008-01-06 14:15 --------- d-----w C:\Programme\TRADOS
2007-12-01 13:10 --------- d-----w C:\Programme\SSH Communications Security
2006-09-28 18:31 77 ----a-w C:\Programme\Show Desktop.scf
2006-04-25 23:35 9,692,886 ----a-w C:\Programme\vlc-0.8.4a-win32.exe
2006-03-13 03:49 13,417,940 ----a-w C:\Programme\ActivePerl-5.8.7.815-MSWin32-x86-211909.msi
2006-02-03 11:32 7,993,931 ----a-w C:\Programme\vpnclient-win-is-4.7.00.0533-k9-hd.exe
2003-08-11 17:40 1,159,242 ----a-w C:\Programme\saxon.exe
2003-08-11 15:33 12,548 ----a-w C:\Programme\instant.html
2005-01-02 10:31 8 -csh--r C:\WINDOWS\system32\571AC95229.sys
2005-01-02 10:31 4,704 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m ----

2008-01-19 10:52 651264 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\data.oct
2008-01-19 10:52 6400 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\list.oct
2008-01-19 10:52 327 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\srvlist.oct


((((((((((((((((((((((((((((( snapshot@2008-01-24_12.25.01.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 11:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-01-24\ERDNT.EXE
+ 2008-01-24 11:22:18 7,303,168 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-01-24\Users\00000001\ntuser.dat
+ 2008-01-24 11:22:19 241,664 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-01-24\Users\00000002\UsrClass.dat
- 2008-01-24 11:08:19 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 14:33:10 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 11:08:20 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 14:33:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 11:08:20 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 14:33:10 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 11:08:20 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 14:33:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 11:08:20 7,303,168 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-24 14:33:12 7,303,168 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-24 11:08:20 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 14:33:12 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38 1937408]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2004-01-23 08:03 664545]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [2004-08-06 14:04 32768]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [2004-11-11 15:13 49152]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [2004-07-26 14:52 204800]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [2004-11-23 16:01 73728]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [2004-11-26 18:49 81920]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 88361 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25 98394]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24 688218]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 21:05 344064]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2005-01-11 18:17 118926]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 19:31 180269]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2005-01-02 09:17 98304]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-24 15:38 327720]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 17:06 2997984]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27 312320]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31 356352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

SafeBoot Registrierungsschlüssel muss repariert werden. Dieser PC kann nicht im abgesicherten Modus starten.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 15:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2006-12-24 17:14]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-04-23 10:34]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2007-12-10 14:53]
R2 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2000-05-12 13:48]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []
S3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2004-10-06 14:10]
S3 TNPacket;T-Systems Nova Packet Capture Driver;C:\Programme\T-DSL SpeedManager\TNPACKET.SYS [2002-10-09 11:38]

.
Inhalt des "geplante Tasks" Ordners
"2006-09-17 19:54:51 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
- D:\Poze\Barcelona2005\CIMG0143.AVI
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 15:43:17
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Blown
2008-01-24, 15:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:22, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif

--
End of file - 12039 bytes
Rorschach112
2008-01-24, 17:29
Looking good

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.




Download and run SafeBootKeyRepair-CF from:

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
or
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

It will take only a moment for it to run.
A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply
Blown
2008-01-25, 21:23
Hello,

Kaspersky Scan's been running for 8 hours now, but the progress is only 36%. Is this normal? It found 7 viruses and 118 infected objects. Shall I let it finish?

Thank you
Rorschach112
2008-01-25, 21:49
Run this instead then

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.



Also do the other step in my previous instructions
Blown
2008-01-26, 00:26
Hello,

Kaspersky eventually finished scanning, so here are the logs:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 26, 2008 12:12:44 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/01/2008
Kaspersky Anti-Virus database records: 532201
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 124803
Number of viruses found: 7
Number of infected objects: 118
Number of suspicious objects: 0
Duration of the scan process: 10:57:05

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Dr Watson\drwtsn32.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\muvee Technologies\030625\0237\0192\values Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon\log_file.txt Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temp\~DF300E.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\3T0YMLGU\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\B7IXU7DM\b64[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\B7IXU7DM\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ULAKYBYB\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008012520080126\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\ntuser.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\Programme\Save\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\Programme\Save\Save.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\Programme\Save\SaveNowupdate.exe/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\SaveNowupdate.exe/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\SaveNowupdate.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\SaveNowupdate.exe EmbeddedCAB: infected - 3 skipped
C:\Programme\Save\Saveupdate.exe/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\Saveupdate.exe/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\Saveupdate.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\Saveupdate.exe EmbeddedCAB: infected - 3 skipped
C:\Programme\Spyware Doctor\NetworkLayer\InterfaceDLL.txt Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\109056.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\112561.exe.vir Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\114484.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\115055.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\160410.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\171226.exe.vir Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\177795.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\178416.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-01-24_150759.29.zip/flec006.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-01-24_150759.29.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\QooBox\Quarantine\catchme2008-01-24_150759.29.zip ZIP: infected - 2 skipped
C:\QooBox\Quarantine\catchme2008-01-24_154249.85.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\QooBox\Quarantine\catchme2008-01-24_154249.85.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\Registry_backups\LEGACY_SROSA.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\QooBox\Quarantine\Registry_backups\services_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP240\A0093705.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP243\A0096035.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP243\A0096036.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096439.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096440.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096447.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096448.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096449.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096465.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096524.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096525.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096634.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096635.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096765.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096766.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096812.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096881.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096882.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096896.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096897.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096910.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP248\A0096973.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP248\A0097019.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP248\A0097042.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP248\A0097043.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0097077.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0097078.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0097093.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0098077.exe Infected: Email-Worm.Win32.Bagle.of skipped
Blown
2008-01-26, 00:28
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0098078.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098168.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098169.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098171.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098172.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098173.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098176.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098177.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098179.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098180.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098193.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098195.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098196.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098197.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098198.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098202.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098207.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098209.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098212.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098215.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098229.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098231.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098232.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098236.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098243.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098245.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098246.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098258.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098356.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098358.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098359.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098360.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098369.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098370.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098373.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098374.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098375.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098376.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098377.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098378.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0099420.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP251\A0099459.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099504.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099506.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099507.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099508.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099517.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099519.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099520.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099521.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\A0099645.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\A0100645.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\A0100646.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\A0100661.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\change.log Object is locked skipped
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\system32\drivers\down\14599212.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\255457.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\WINDOWS\system32\drivers\down\260644.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\262507.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\spnserv.dat Object is locked skipped
C:\WINDOWS\Temp\spserv.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

-------
Blown
2008-01-26, 00:29
Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice
Rorschach112
2008-01-26, 00:33
Hello

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Save
C:\WINDOWS\system32\drivers\down


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



purity


Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Also post a new DSS log and tell me how your PC is running
Blown
2008-01-26, 00:51
Here's the move it result.

As for the ATF Cleaner: it terminates immediately after I run it. It just flashes and disapears.

Also: I'm using Firefox now, but I used Explorer before things went wrong... Can I choose both? and how do I make it run properly?

----------------------

C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe moved successfully.
C:\Programme\Save moved successfully.
C:\WINDOWS\system32\drivers\down moved successfully.
[Custom Input]
< purity >

OTMoveIt2 v1.0.14 log created on 01262008_004215
Rorschach112
2008-01-26, 00:52
How is your PC running now

Any problems ?
Blown
2008-01-26, 01:04
Now ATF Cleaner works, but what do I choose?
will "Main" -> select all -> work for IExplorer?

Spy Doctor's still complaining...

here's the HJT log:


Deckard's System Scanner v20071014.68
Run by Marina on 2008-01-26 01:04:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Marina.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:04, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Marina\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Marina.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif
Blown
2008-01-26, 01:05
--
End of file - 12282 bytes

-- Files created between 2007-12-26 and 2008-01-26 -----------------------------

2008-01-24 22:25:35 70660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-24 18:29:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-22 12:04:08 0 d-------- C:\Programme\Trend Micro
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-19 17:27:50 0 d-------- C:\totalcmd
2008-01-18 13:42:52 17119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
2008-01-18 13:41:38 1654784 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data\PC Tools
2008-01-17 18:28:01 0 d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:27:48 0 d-------- C:\Programme\Spyware Doctor
2008-01-15 10:16:13 0 d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02:24 0 d-------- C:\xaware
2008-01-13 18:02:24 0 d--h----- C:\Programme\Zero G Registry
2008-01-13 18:01:26 0 d--h----- C:\Dokumente und Einstellungen\Marina\InstallAnywhere
2008-01-13 13:25:48 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-13 13:25:48 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 12:55:24 45056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:55:24 116224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55:22 0 d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55:22 0 d-------- C:\Dokumente und Einstellungen\All Users\FreePDF
2008-01-13 12:51:46 0 d-------- C:\Programme\gs
2008-01-06 19:08:48 0 d-------- C:\TreeTagger
2008-01-06 12:37:17 0 d-------- C:\Programme\Babylon
2008-01-06 12:15:45 0 d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33:50 0 d-------- C:\Programme\SnagIt 7
2008-01-05 11:31:54 0 d-------- C:\Programme\TreeTagger


-- Find3M Report ---------------------------------------------------------------

2008-01-26 00:39:34 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Skype
2008-01-25 12:38:53 0 d--h----- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m
2008-01-24 14:35:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon
2008-01-24 11:40:55 42766 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\wklnhst.dat
2008-01-20 13:35:28 0 d-------- C:\Programme\Gemeinsame Dateien
2008-01-19 15:03:21 86992 --a----c- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-01-19 13:09:15 0 d--h----- C:\Programme\InstallShield Installation Information
2008-01-18 13:43:28 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Intel
2008-01-18 13:41:32 0 d-------- C:\Programme\Intel
2008-01-18 13:38:43 400786 --a------ C:\WINDOWS\system32\perfh007.dat
2008-01-18 13:38:43 69040 --a------ C:\WINDOWS\system32\perfc007.dat
2008-01-18 13:38:35 0 d-------- C:\Programme\Windows NT
2008-01-17 19:10:37 0 d-------- C:\Programme\Altova
2008-01-17 19:07:02 0 d-------- C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 18:27:48 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\PC Tools
2008-01-17 16:33:39 0 d-------- C:\Programme\eMule
2008-01-13 13:29:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\pdf995
2008-01-06 15:15:34 0 d-------- C:\Programme\TRADOS
2008-01-05 20:56:52 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Trados
2008-01-05 11:31:48 115157 --a------ C:\Programme\tree-tagger-windows-3.1.zip
2007-12-20 18:20:03 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Adobe
2007-12-01 14:10:02 0 d-------- C:\Programme\SSH Communications Security
2007-11-23 15:23:06 86016 --a------ C:\WINDOWS\system32\LinkDropHandler.dll <Not Verified; Altova GmbH; Shortcut Drop Handler Shell Extension>
2007-11-23 15:16:22 491520 -ra------ C:\WINDOWS\system32\XmlSpyLib.dll <Not Verified; ; XmlSpyLib Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [2004-08-06 14:04]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [2004-11-11 15:13]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [2004-07-26 14:52]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [2004-11-23 16:01]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [2003-09-16 14:28]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [2004-11-26 18:49]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 21:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2005-01-11 18:17]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 19:31]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2005-01-02 09:17]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 19:38]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 17:06]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 18:55:44]
Cisco Systems VPN Client.lnk - C:\Programme\Cisco Systems\VPN Client\vpngui.exe [2006-02-24 14:58:47]
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-01-26 01:05:47 ------------
Rorschach112
2008-01-26, 01:07
Ignore Spyware Doctor it is useless


Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\WINDOWS\system32\mdelk.exe


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



purity


Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




will "Main" -> select all -> work for IExplorer?
Yes


Post a new DSS log after that
Blown
2008-01-26, 01:26
Done! I think it worked :):):)
The useless Doctor didn'z complain either:)
This feels so goooooood!!!!

What do you think? looks good?

Deckard's System Scanner v20071014.68
Run by Marina on 2008-01-26 01:18:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Marina.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:18, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\System32\svchost.exe
C:\Dokumente und Einstellungen\Marina\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Marina.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif

--
End of file - 12201 bytes

-- Files created between 2007-12-26 and 2008-01-26 -----------------------------

2008-01-24 22:25:35 70660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-24 18:29:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-22 12:04:08 0 d-------- C:\Programme\Trend Micro
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-19 17:27:50 0 d-------- C:\totalcmd
2008-01-18 13:42:52 17119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
2008-01-18 13:41:38 1654784 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data\PC Tools
2008-01-17 18:28:01 0 d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:27:48 0 d-------- C:\Programme\Spyware Doctor
2008-01-15 10:16:13 0 d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02:24 0 d-------- C:\xaware
2008-01-13 18:02:24 0 d--h----- C:\Programme\Zero G Registry
2008-01-13 18:01:26 0 d--h----- C:\Dokumente und Einstellungen\Marina\InstallAnywhere
2008-01-13 13:25:48 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-13 13:25:48 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 12:55:24 45056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:55:24 116224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55:22 0 d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55:22 0 d-------- C:\Dokumente und Einstellungen\All Users\FreePDF
2008-01-13 12:51:46 0 d-------- C:\Programme\gs
2008-01-06 19:08:48 0 d-------- C:\TreeTagger
2008-01-06 12:37:17 0 d-------- C:\Programme\Babylon
2008-01-06 12:15:45 0 d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33:50 0 d-------- C:\Programme\SnagIt 7
2008-01-05 11:31:54 0 d-------- C:\Programme\TreeTagger


-- Find3M Report ---------------------------------------------------------------

2008-01-26 01:15:46 0 d--h----- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m
2008-01-26 00:39:34 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Skype
2008-01-24 14:35:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon
2008-01-24 11:40:55 42766 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\wklnhst.dat
2008-01-20 13:35:28 0 d-------- C:\Programme\Gemeinsame Dateien
2008-01-19 15:03:21 86992 --a----c- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-01-19 13:09:15 0 d--h----- C:\Programme\InstallShield Installation Information
2008-01-18 13:43:28 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Intel
2008-01-18 13:41:32 0 d-------- C:\Programme\Intel
2008-01-18 13:38:43 400786 --a------ C:\WINDOWS\system32\perfh007.dat
2008-01-18 13:38:43 69040 --a------ C:\WINDOWS\system32\perfc007.dat
2008-01-18 13:38:35 0 d-------- C:\Programme\Windows NT
2008-01-17 19:10:37 0 d-------- C:\Programme\Altova
2008-01-17 19:07:02 0 d-------- C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 18:27:48 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\PC Tools
2008-01-17 16:33:39 0 d-------- C:\Programme\eMule
2008-01-13 13:29:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\pdf995
2008-01-06 15:15:34 0 d-------- C:\Programme\TRADOS
2008-01-05 20:56:52 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Trados
2008-01-05 11:31:48 115157 --a------ C:\Programme\tree-tagger-windows-3.1.zip
2007-12-20 18:20:03 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Adobe
2007-12-01 14:10:02 0 d-------- C:\Programme\SSH Communications Security
2007-11-23 15:23:06 86016 --a------ C:\WINDOWS\system32\LinkDropHandler.dll <Not Verified; Altova GmbH; Shortcut Drop Handler Shell Extension>
2007-11-23 15:16:22 491520 -ra------ C:\WINDOWS\system32\XmlSpyLib.dll <Not Verified; ; XmlSpyLib Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown
Blown
2008-01-26, 01:26
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [2004-08-06 14:04]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [2004-11-11 15:13]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [2004-07-26 14:52]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [2004-11-23 16:01]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [2003-09-16 14:28]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [2004-11-26 18:49]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 21:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2005-01-11 18:17]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 19:31]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2005-01-02 09:17]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 19:38]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 17:06]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 18:55:44]
Cisco Systems VPN Client.lnk - C:\Programme\Cisco Systems\VPN Client\vpngui.exe [2006-02-24 14:58:47]
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-01-26 01:19:39 ------------
Rorschach112
2008-01-26, 01:27
One file is refusing to go

Can you run IceSword.exe again

Click File then navigate and delete the file in bold

C:\WINDOWS\system32\mdelk.exe


Tell me how that goes and send a new DSS log
Blown
2008-01-26, 01:39
It's gone!!!!!!!!!!????????

Deckard's System Scanner v20071014.68
Run by Marina on 2008-01-26 01:36:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Marina.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:36, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Marina\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Marina.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif

--
End of file - 12243 bytes
Blown
2008-01-26, 01:40
-- Files created between 2007-12-26 and 2008-01-26 -----------------------------

2008-01-24 18:29:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-22 12:04:08 0 d-------- C:\Programme\Trend Micro
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-19 17:27:50 0 d-------- C:\totalcmd
2008-01-18 13:42:52 17119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
2008-01-18 13:41:38 1654784 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data\PC Tools
2008-01-17 18:28:01 0 d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:27:48 0 d-------- C:\Programme\Spyware Doctor
2008-01-15 10:16:13 0 d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02:24 0 d-------- C:\xaware
2008-01-13 18:02:24 0 d--h----- C:\Programme\Zero G Registry
2008-01-13 18:01:26 0 d--h----- C:\Dokumente und Einstellungen\Marina\InstallAnywhere
2008-01-13 13:25:48 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-13 13:25:48 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 12:55:24 45056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:55:24 116224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55:22 0 d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55:22 0 d-------- C:\Dokumente und Einstellungen\All Users\FreePDF
2008-01-13 12:51:46 0 d-------- C:\Programme\gs
2008-01-06 19:08:48 0 d-------- C:\TreeTagger
2008-01-06 12:37:17 0 d-------- C:\Programme\Babylon
2008-01-06 12:15:45 0 d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33:50 0 d-------- C:\Programme\SnagIt 7
2008-01-05 11:31:54 0 d-------- C:\Programme\TreeTagger


-- Find3M Report ---------------------------------------------------------------

2008-01-26 01:15:46 0 d--h----- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m
2008-01-26 00:39:34 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Skype
2008-01-24 14:35:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon
2008-01-24 11:40:55 42766 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\wklnhst.dat
2008-01-20 13:35:28 0 d-------- C:\Programme\Gemeinsame Dateien
2008-01-19 15:03:21 86992 --a----c- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-01-19 13:09:15 0 d--h----- C:\Programme\InstallShield Installation Information
2008-01-18 13:43:28 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Intel
2008-01-18 13:41:32 0 d-------- C:\Programme\Intel
2008-01-18 13:38:43 400786 --a------ C:\WINDOWS\system32\perfh007.dat
2008-01-18 13:38:43 69040 --a------ C:\WINDOWS\system32\perfc007.dat
2008-01-18 13:38:35 0 d-------- C:\Programme\Windows NT
2008-01-17 19:10:37 0 d-------- C:\Programme\Altova
2008-01-17 19:07:02 0 d-------- C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 18:27:48 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\PC Tools
2008-01-17 16:33:39 0 d-------- C:\Programme\eMule
2008-01-13 13:29:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\pdf995
2008-01-06 15:15:34 0 d-------- C:\Programme\TRADOS
2008-01-05 20:56:52 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Trados
2008-01-05 11:31:48 115157 --a------ C:\Programme\tree-tagger-windows-3.1.zip
2007-12-20 18:20:03 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Adobe
2007-12-01 14:10:02 0 d-------- C:\Programme\SSH Communications Security
2007-11-23 15:23:06 86016 --a------ C:\WINDOWS\system32\LinkDropHandler.dll <Not Verified; Altova GmbH; Shortcut Drop Handler Shell Extension>
2007-11-23 15:16:22 491520 -ra------ C:\WINDOWS\system32\XmlSpyLib.dll <Not Verified; ; XmlSpyLib Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [2004-08-06 14:04]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [2004-11-11 15:13]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [2004-07-26 14:52]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [2004-11-23 16:01]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [2003-09-16 14:28]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [2004-11-26 18:49]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 21:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2005-01-11 18:17]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 19:31]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2005-01-02 09:17]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 19:38]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 17:06]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 18:55:44]
Cisco Systems VPN Client.lnk - C:\Programme\Cisco Systems\VPN Client\vpngui.exe [2006-02-24 14:58:47]
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-01-26 01:37:28 ------------
Rorschach112
2008-01-26, 01:41
Finally, your logs are clean


Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.




Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.
Blown
2008-01-26, 02:17
When removing Java, should these be removes too:

Sun Download Manager
J2SE Development Kit Update
J2SE Runtime Environment Update?

Also: I remember I installed Erunt and made a registry back up, but never used it later. Is there anything I need to do? I don't need to restore anything, do I? Can I delete then Erunt and that registry backup?
Blown
2008-01-26, 10:58
I'm sorry to bother you again... There's some clouds on my sky:(

I tried installing AntiVir, but after installing it I can't run it and get promted that this is "a not allowed Win32 Application".

Then I tried AVG. Error message:
Error: Action failed for file avgamsvr.exe: starting service....Der Dienst antwortete nicht rechtzeitig auf die Start- oder Steuerungsanforderung. (1053) (~The service is not responding in time to the start or control request).

You think there's something wrong?

Windows Updates don't work either. Error message says something about "missing cryptographic services".

I also get a Dial-up error 623, but I assume this a minor problem?

Thank you
Rorschach112
2008-01-26, 13:44
Hello


When removing Java, should these be removes too:

Sun Download Manager
J2SE Development Kit Update
J2SE Runtime Environment Update?
Only remove the Runtime Environment Updates


Also: I remember I installed Erunt and made a registry back up, but never used it later. Is there anything I need to do? I don't need to restore anything, do I? Can I delete then Erunt and that registry backup?
Yes you can go ahead and delete it



You think there's something wrong?

Windows Updates don't work either. Error message says something about "missing cryptographic services".

I also get a Dial-up error 623, but I assume this a minor problem?
Not sure what is causing this, it is not malware related anyway.


Any more questions ?
Blown
2008-01-26, 14:28
Just one:

I tried installing AntiVir, but after installing it I can't run it and get promted that this is "a not allowed Win32 Application".

Then I tried AVG. Error message:
Error: Action failed for file avgamsvr.exe: starting service....Der Dienst antwortete nicht rechtzeitig auf die Start- oder Steuerungsanforderung. (1053) (~The service is not responding in time to the start or control request).

What should I do about this? If it's not malware connected, then I will not bother you anymore;)

BIG THANK YOU for all your help!!!!!!!!!!!!!!!!! :bow:

It's been already said, but you guys do make the world better!!!

Cheers,
M.
Rorschach112
2008-01-26, 14:30
I really don't know why you are getting that error message

If you make a topic here

http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html

And tell them your problem they should be able to fix you up. Just make sure to mention that I sent you over.


Anything else or shall we close the topic?
Blown
2008-01-26, 17:13
Hey, thanks again. My pc is so much quicker now. I even didn't realize before how slow it was.

And for Antivirus I've posted where you told me.

Cheers
Rorschach112
2008-01-26, 17:16
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.