Well it seems as we have an epidemic scope of virtumundo. I've got one too. Unfortunately my former Antivirus-programm was a bad mal-/adware detector and did not find several other virus. When I got suspicious two days ago I got a new antivirus-program which detected several virus. To clean the system completly I also looked around for a new Mal-/Adware removal tool so I came to Spybot S&D. Spybot found a lot of entries which could be removed except the virtumundo-thing no matter how many times I scan and clean it keeps reapearing.
As I read "Before you post" I already uninstalled emule (and will never use it again - I that's where I got the infection from). An I want to thank all the helpers in advance who spend their time helping others with their problems! THANK YOU.

My HJT-File:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09:35, on 13.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Avast4\aswUpdSv.exe
C:\Programme\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\VPN Service\cvpnd.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programme\OpenAFS\Server\usr\afs\bin\bosctlsvc.exe
C:\PROGRA~1\OpenAFS\Server\usr\afs\bin\bosserver.exe
C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\Programme\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Avast4\ashMaiSv.exe
C:\Programme\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lenovo\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Logitech\QuickCam\Quickcam.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\oodtray.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\ThinkPad\Bluetooth Software\BTTray.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Windows Desktop Search\WindowsSearch.exe
C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Dokumente und Einstellungen\stef\Desktop\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [547ab152] rundll32.exe "C:\WINDOWS\system32\fpnptjym.dll",b
O4 - HKLM\..\Run: [BM574982ce] Rundll32.exe "C:\WINDOWS\system32\gjgesnti.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services2] cleanmgrs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Senden an Bluetooth - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: An Mindjet MindManager senden - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .csm: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Programme\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.neptun.ethz.ch
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206132832718
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\Software\..\Telephony: DomainName = ethz.ch
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ethz.ch
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ethz.ch
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ethz.ch
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ethz.ch
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Avast4\ashWebSv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\VPN Service\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: OpenAFS Client (TransarcAFSDaemon) - OpenAFS Project - C:\Programme\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: OpenAFS Server (TransarcAFSServer) - OpenAFS Project - C:\Programme\OpenAFS\Server\usr\afs\bin\bosctlsvc.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 17067 bytes

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Since directions were not followed, HJT is located unsafely. Follow my directions to correct this.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

1) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log. <<< follow the directions in #2 to post that HJT log.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

2) Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks

Hi pskelley

You were right I just saw, that i used a wrong HJT the first time. But I did not use combofix so far, since there was a warnig in "read before post". For your additional information: Since my first post I did not use the computer again and I have it disconnected from the internet. I have an "emergency" laptop on which I'm working till the other is fixed again.

If you need any translation just ask.



ComboFix 08-08-14.05 - stef 2008-08-16 11:41:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.1333 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\stef\Desktop\ComboFix.exe

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM574982ce.txt
C:\WINDOWS\BM574982ce.xml
C:\WINDOWS\system32\aGOWGjlm.ini
C:\WINDOWS\system32\aGOWGjlm.ini2
C:\WINDOWS\system32\cxagylvv.exe
C:\WINDOWS\system32\dgbken.dll
C:\WINDOWS\system32\emcowcdx.dll
C:\WINDOWS\system32\eohxbmkp.exe
C:\WINDOWS\system32\fpnptjym.dll
C:\WINDOWS\system32\isgvxtws.dll
C:\WINDOWS\system32\iwpbydru.ini
C:\WINDOWS\system32\mlJYqQGw.dll
C:\WINDOWS\system32\myjtpnpf.ini
C:\WINDOWS\system32\olqrxhgf.dll
C:\WINDOWS\system32\opnopNEX.dll
C:\WINDOWS\system32\prsgrc.dll
C:\WINDOWS\system32\qgmrmidy.ini
C:\WINDOWS\system32\qqqehdtn.ini
C:\WINDOWS\system32\qvswcesw.exe
C:\WINDOWS\system32\rqivmqyf.dll
C:\WINDOWS\system32\rqtrie.dll
C:\WINDOWS\system32\urdybpwi.dll
C:\WINDOWS\system32\XENponpo.ini
C:\WINDOWS\system32\XENponpo.ini2
C:\WINDOWS\system32\ygjklbwo.exe

.
((((((((((((((((((((((( Dateien erstellt von 2008-07-16 bis 2008-08-16 ))))))))))))))))))))))))))))))
.

2009-07-09 10:56 . 2009-07-09 10:56 0 --a------ C:\WINDOWS\OODCNT.INI
2009-07-09 10:53 . 2008-08-09 22:43 185 --a------ C:\WINDOWS\system32\Monitored3.dat
2008-08-13 11:39 . 2008-08-13 11:39 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-08-13 11:39 . 2008-08-13 14:58 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-08-13 00:42 . 2008-08-13 15:20 <DIR> d-------- C:\Programme\Avast4
2008-08-12 23:57 . 2008-08-12 23:55 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-12 23:55 . 2008-08-13 00:05 <DIR> d-------- C:\Dokumente und Einstellungen\stef\.housecall6.6
2008-08-10 13:16 . 2008-08-10 13:16 <DIR> d-------- C:\Dokumente und Einstellungen\stef\Anwendungsdaten\XnView
2008-08-09 22:44 . 2008-08-13 13:03 97 --a------ C:\WINDOWS\system32\Monitored2.dat
2008-08-09 22:43 . 2008-08-09 22:43 367,104 --a------ C:\WINDOWS\system32\cliconfgs.exe
2008-08-09 22:43 . 2008-08-09 22:43 52,224 --a------ C:\WINDOWS\system32\cleanmgrs.exe
2008-08-07 08:28 . 2008-08-07 08:28 <DIR> d-------- C:\Dokumente und Einstellungen\stef\Anwendungsdaten\DivX
2008-08-06 19:39 . 2008-08-06 19:39 <DIR> d-------- C:\Programme\DivX
2008-08-05 17:27 . 2008-08-05 17:27 <DIR> d-------- C:\Dokumente und Einstellungen\stef\Anwendungsdaten\Sony
2008-08-05 17:27 . 2008-08-05 17:27 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony
2008-08-05 17:23 . 2008-08-05 17:23 <DIR> d-------- C:\Programme\Sony Setup
2008-08-05 17:23 . 2008-08-05 17:23 <DIR> d-------- C:\Programme\Sony
2008-08-05 17:23 . 2008-08-05 17:23 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Sony Shared
2008-08-05 17:13 . 2008-08-05 17:13 <DIR> d-------- C:\Dokumente und Einstellungen\stef\Anwendungsdaten\Windows Search
2008-08-05 16:39 . 2008-08-05 16:39 <DIR> d-------- C:\Programme\Apple Software Update
2008-08-05 16:17 . 2008-08-05 16:17 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2008-08-05 07:22 . 2008-08-05 07:22 21,672 --a------ C:\WINDOWS\system32\drivers\ggsemc.sys
2008-08-05 07:22 . 2008-08-05 07:22 13,352 --a------ C:\WINDOWS\system32\drivers\ggflt.sys
2008-08-04 20:40 . 2008-08-04 20:40 <DIR> d-------- C:\Programme\Avanquest update
2008-08-04 20:40 . 2008-08-04 20:40 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\BVRP Software
2008-08-04 20:39 . 2008-08-05 07:21 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony Ericsson
2008-08-04 20:25 . 2008-08-04 20:25 <DIR> d-------- C:\Programme\iPod
2008-08-04 20:01 . 2008-08-04 20:01 <DIR> d-------- C:\Dokumente und Einstellungen\stef\Anwendungsdaten\Windows Desktop Search
2008-08-04 19:59 . 2008-03-07 19:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-04 19:59 . 2008-03-07 19:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-04 19:59 . 2008-03-07 19:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-04 19:15 . 2008-08-04 19:15 <DIR> d-------- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Avaya
2008-07-25 10:36 . 2008-07-25 10:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 10:36 . 2008-07-25 10:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-23 18:50 . 2008-07-23 18:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 18:50 . 2008-07-23 18:50 10,152 --a------ C:\WINDOWS\system32\dsm_de.qm
2008-07-23 18:48 . 2008-07-23 18:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 18:48 . 2008-07-23 18:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 18:47 . 2008-07-23 18:47 634,880 --a------ C:\WINDOWS\system32\divxdec.ax
2008-07-23 18:47 . 2008-07-23 18:47 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-07-23 18:47 . 2008-07-23 18:47 8,523 --a------ C:\WINDOWS\system32\dpude.qm
2008-07-23 18:47 . 2008-07-23 18:47 3,051 --a------ C:\WINDOWS\system32\dtu_de.qm
2008-07-23 18:47 . 2008-07-23 18:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 18:47 . 2008-07-23 18:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 18:46 . 2008-07-23 18:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 13:01 --------- d-----w C:\Programme\eMule
2008-08-13 04:57 --------- d-----w C:\Programme\DAEMON Tools Lite
2008-08-12 09:50 --------- d-----w C:\Dokumente und Einstellungen\stef\Anwendungsdaten\gtk-2.0
2008-08-11 18:49 --------- d-----w C:\Programme\Unlocker
2008-08-10 11:16 --------- d-----w C:\Programme\XnView
2008-08-08 20:56 --------- d-----w C:\Programme\DOSBox-0.72
2008-08-08 13:34 --------- d-----w C:\Programme\Zattoo
2008-08-08 04:55 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-08-05 15:23 --------- d-----w C:\Programme\Sony Ericsson
2008-08-05 15:05 --------- d-----w C:\Dokumente und Einstellungen\stef\Anwendungsdaten\CmapTools
2008-08-05 04:10 --------- d-----w C:\Programme\Windows Desktop Search
2008-08-04 18:40 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-08-04 18:37 --------- d-----w C:\Programme\Gemeinsame Dateien\Teleca Shared
2008-08-04 18:37 --------- d-----w C:\Dokumente und Einstellungen\stef\Anwendungsdaten\Teleca
2008-08-04 18:26 --------- d-----w C:\Programme\iTunes
2008-08-04 16:41 --------- d-----w C:\Programme\Lenovo
2008-08-04 16:40 --------- d-----w C:\Programme\Gemeinsame Dateien\Lenovo
2008-08-04 16:39 30,144 ----a-w C:\WINDOWS\system32\drivers\psadd.sys
2008-08-04 16:02 --------- d-----w C:\Programme\VPN Service
2008-08-04 11:07 --------- d-----w C:\Dokumente und Einstellungen\stef\Anwendungsdaten\U3
2008-08-04 09:04 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help
2008-07-17 08:23 --------- d-----w C:\Dokumente und Einstellungen\stef\Anwendungsdaten\LimeWire
2008-07-14 05:24 --------- d-----w C:\Programme\QuickTime
2008-07-09 09:14 --------- d-----w C:\Programme\Zak2
2008-07-09 09:14 --------- d-----w C:\Programme\OO Software
2008-07-09 09:13 --------- d-----w C:\Programme\Wolfram Research
2008-07-09 06:24 --------- d-----w C:\Programme\Directories CD
2008-07-07 15:54 89,567 ----a-w C:\Programme\messages.log
2008-07-05 10:27 --------- d-----w C:\Dokumente und Einstellungen\sandy\Anwendungsdaten\Lenovo
2008-07-02 14:36 --------- d-----w C:\Programme\MSBuild

2008-07-02 14:36 --------- d-----w C:\Programme\Microsoft Works
2008-07-02 14:33 --------- d-----w C:\Programme\Microsoft.NET
2008-07-02 14:30 --------- d-----w C:\Programme\Microsoft Visual Studio 8
2008-07-01 22:22 4,224 ----a-w C:\WINDOWS\system32\drivers\IBMBLDID.sys
2008-07-01 22:22 11,520 ----a-w C:\WINDOWS\system32\drivers\ANC.sys
2008-07-01 19:36 --------- d-----w C:\Programme\Xvid
2008-07-01 15:29 --------- d-----w C:\Programme\KompoZer
2008-07-01 10:32 --------- d-----w C:\Dokumente und Einstellungen\stef\Anwendungsdaten\Tinn-R
2008-06-30 17:07 --------- d-----w C:\Programme\WinHex
2008-06-30 12:59 --------- d-----w C:\Programme\Gemeinsame Dateien\Logishrd
2008-06-30 12:04 --------- d-----w C:\Dokumente und Einstellungen\stef\Anwendungsdaten\Lenovo
2008-06-30 12:04 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lenovo
2008-06-27 15:23 --------- d-----w C:\Programme\FSCapture53
2008-06-24 19:43 --------- d-----w C:\Programme\Games
2008-06-22 11:46 --------- d-----w C:\Programme\EasyTax
2008-06-22 11:02 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CanonIJPLM
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-09 23:40 16,384 ------w C:\WINDOWS\PWMBTHLP.EXE
2008-04-02 05:49 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2007-07-26 15:01 114,688 ----a-w C:\Programme\internet explorer\plugins\ChimeShim.dll
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:22 15360]
"Sony Ericsson PC Suite"="C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 17:19 360448]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKBDLED"="C:\WINDOWS\system32\TpScrLk.exe" [2002-10-08 21:28 40960]
"TPHOTKEY"="C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 10:15 68464]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-06-10 01:40 311296]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-06-10 01:40 208896]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-01-11 03:21 144728]
"TPKMAPHELPER"="C:\Programme\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 20:04 864256]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 02:36 242976]
"ACTray"="C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe" [2008-07-05 01:00 425984]
"ACWLIcon"="C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-07-05 00:56 143360]
"LogitechQuickCamRibbon"="C:\Programme\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2007-12-05 17:14 122880]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2007-12-05 17:14 524288]
"SoundMAXPnP"="C:\Programme\Analog Devices\Core\smax4pnp.exe" [2005-05-20 10:11 925696]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 06:20 122940]
"TPFNF7"="C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-06-09 04:00 60192]
"TVT Scheduler Proxy"="C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 11:34 487424]
"LogitechCommunicationsManager"="C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"AppleSyncNotifier"="C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"TP4EX"="tp4ex.exe" [2005-10-17 02:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"TpShocks"="TpShocks.exe" [2008-06-06 18:21 181536 C:\WINDOWS\system32\TpShocks.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 03:17 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:22 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NT Printing Services2"="cleanmgrs.exe" [2008-08-09 22:43 52224 C:\WINDOWS\system32\cleanmgrs.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AfsLogon]
2007-02-13 14:20 87640 C:\WINDOWS\system32\afslogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-06-19 01:06 49152 C:\Programme\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\KFWLogon]
2007-02-13 14:20 87640 C:\WINDOWS\system32\afslogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 13:30 72208 c:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 16:54 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 C:\Programme\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 16:02 34080 C:\Programme\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-07-05 00:57 32768 C:\Programme\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AFS Credentials.lnk]
backup=C:\WINDOWS\pss\AFS Credentials.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Dataviz Messenger.lnk]
backup=C:\WINDOWS\pss\Dataviz Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^ETH Zürich VPN Service.lnk]
backup=C:\WINDOWS\pss\ETH Zürich VPN Service.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^HOTSYNCSHORTCUTNAME.lnk]
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Windows-Desktopsuche.lnk]
backup=C:\WINDOWS\pss\Windows-Desktopsuche.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^stef^Startmenü^Programme^Autostart^Microsoft Office Groove.lnk]
path=C:\Dokumente und Einstellungen\stef\Startmenü\Programme\Autostart\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^stef^Startmenü^Programme^Autostart^palmOne Registration.lnk]
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^stef^Startmenü^Programme^Autostart^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
--a------ 2005-11-14 15:23 487424 C:\Programme\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
--a------ 2006-11-07 20:51 91688 C:\Programme\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-03 18:50 1603152 C:\Programme\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-05-14 18:01 644696 C:\Programme\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMMUNICATOR]
--a------ 2007-07-23 10:33 5803368 C:\Programme\Microsoft Office\Communicator\communicator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
--a------ 2008-06-13 20:08 3073336 C:\Programme\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 17:15 81920 C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-10-25 17:33 563984 C:\Programme\Gemeinsame Dateien\Logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
--------- 2008-01-11 03:21 124248 C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMReminderService]
--a------ 2008-01-14 19:40 37144 C:\Programme\Mindjet\MindManager 7\MmReminderService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Programme\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 13:02 79400 C:\Programme\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 10:03 210472 C:\Programme\Gemeinsame Dateien\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 05:25 144784 C:\Programme\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-23 10:28 151597 C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--a------ 2008-03-04 11:34 487424 C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-12-05 16:51 1885464 C:\Programme\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Programme\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\SmartFTP Client\\SmartFTP.exe"=

"C:\\Programme\\CIV IV\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Programme\\CIV IV\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Programme\\SPSS16DE\\SPSSWinWrapIDE.exe"=
"C:\\Programme\\SPSS16DE\\spss.exe"=
"C:\\Programme\\SPSS16DE\\spss.com"=
"C:\\Programme\\Maple 10\\jre\\bin\\maple.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Programme\\eclipse\\eclipse.exe"=
"C:\\Programme\\Maple 10\\jre\\bin\\java.exe"=
"C:\\Programme\\IHMC CmapTools\\jre\\bin\\javaw.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
"C:\\Programme\\Zattoo\\zattood.exe"=
"C:\\Programme\\Zattoo\\Zattoo.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programme\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programme\\Microsoft Office\\Communicator\\communicator.exe"=
"C:\\Programme\\Wolfram Research\\Mathematica\\6.0\\Mathematica.exe"=
"C:\\Programme\\Wolfram Research\\Mathematica\\6.0\\MathKernel.exe"=
"C:\\Programme\\Wolfram Research\\Mathematica\\6.0\\math.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=
"C:\\Programme\\Sony Ericsson\\Update Service\\Update Service.exe"=
"C:\\Programme\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7001:UDP"= 7001:UDP:AFS CacheManager Callback (UDP)

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2008-05-14 16:21]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2008-05-14 16:21]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2008-07-02 00:22]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2008-07-02 00:22]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2008-06-10 01:40]
R1 tvtumon;tvtumon;C:\WINDOWS\system32\DRIVERS\tvtumon.sys [2007-12-05 17:42]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 NMSAccessU;NMSAccessU;C:\Programme\CDBurnerXP\NMSAccessU.exe [2007-05-04 10:27]
R2 Power Manager DBC Service;Power Manager DBC Service;C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe [2008-06-10 01:40]
R2 smihlp2;SMI Helper Driver (smihlp2);C:\Programme\Gemeinsame Dateien\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 16:46]
R2 TransarcAFSServer;OpenAFS Server;C:\Programme\OpenAFS\Server\usr\afs\bin\bosctlsvc.exe [2007-02-13 14:21]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe [2007-12-05 18:17]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;C:\Programme\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2007-12-05 17:42]
R3 msloop;Microsoft Loopbackadaptertreiber;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2008-02-22 15:54]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-07-03 19:46]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-08-05 07:22]
S3 IJPLMSVC;PIXMA Extended Survey Program;C:\Programme\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 09:20]
S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 21:07]
S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 21:07]
S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 21:07]
S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se59mgmt.sys [2006-09-05 21:08]
S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINDOWS\system32\DRIVERS\se59nd5.sys [2006-09-05 21:06]
S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 21:09]
S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINDOWS\system32\DRIVERS\se59unic.sys [2006-09-05 21:06]
.
Inhalt des "geplante Tasks" Ordners

2008-08-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-12 C:\WINDOWS\Tasks\itunessicherung.job
- C:\WINDOWS\system32\ntbackup.exe [2008-04-14 04:22]

2008-08-12 C:\WINDOWS\Tasks\outlook backup.job
- C:\WINDOWS\system32\ntbackup.exe [2008-04-14 04:22]

2008-08-16 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-06-10 01:40]
.
- - - - Entfernte verwaiste Registrierungseintr„ge - - - -

BHO-{04944EC5-8075-4D6C-9E19-560F7DECAF10} - C:\Dokumente und Einstellungen\stef\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8Y6ZF33V\3077htsbdjyf[1].dll
BHO-{3C54CB45-52F3-422D-8E07-544853234C02} - C:\WINDOWS\system32\mljGWOGa.dll
HKLM-Run-547ab152 - C:\WINDOWS\system32\fpnptjym.dll
HKLM-Run-BM574982ce - C:\WINDOWS\system32\gjgesnti.dll
Notify-rqRIcdDu - rqRIcdDu.dll
Notify-rqRifEUL - rqRifEUL.dll
MSConfigStartUp-Comrade - (no file)


.
------- Zus„tzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\stef\Anwendungsdaten\Mozilla\Firefox\Profiles\qpeimpbr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ch/
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Programme\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Programme\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - C:\Programme\Real\RealOne Player\Netscape6\nprpjplug.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 12:29:13
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere, laufende Prozesse ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Programme\Avast4\aswUpdSv.exe
C:\Programme\Avast4\ashServ.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\VPN Service\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe
C:\PROGRA~1\OpenAFS\Server\usr\afs\bin\bosserver.exe
C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\Lenovo\System Update\SUService.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Logger\logmon.exe
C:\Programme\Avast4\ashMaiSv.exe
C:\Programme\Avast4\ashWebSv.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lenovo\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\ZOOM\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\ThinkPad\Bluetooth Software\BTTray.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Windows Desktop Search\WindowsSearch.exe
C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-08-16 12:37:57 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-08-16 10:37:51

Pre-Run: 8,486,490,112 Bytes frei
Post-Run: 8,357,610,496 Bytes frei

409 --- E O F --- 2008-08-04 09:04:17


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:37, on 16.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Programme\Avast4\aswUpdSv.exe
C:\Programme\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\VPN Service\cvpnd.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programme\OpenAFS\Server\usr\afs\bin\bosctlsvc.exe
C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
C:\PROGRA~1\OpenAFS\Server\usr\afs\bin\bosserver.exe
C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\Programme\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Logger\logmon.exe
C:\Programme\Avast4\ashMaiSv.exe
C:\Programme\Avast4\ashWebSv.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Programme\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Logitech\QuickCam\Quickcam.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\oodtray.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\ThinkPad\Bluetooth Software\BTTray.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Windows Desktop Search\WindowsSearch.exe
C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services2] cleanmgrs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Senden an Bluetooth - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: An Mindjet MindManager senden - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .csm: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Programme\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.neptun.ethz.ch
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206132832718
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\Software\..\Telephony: DomainName = ethz.ch
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ethz.ch
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ethz.ch
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ethz.ch
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ethz.ch
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AfsLogon - C:\WINDOWS\system32\afslogon.dll
O20 - Winlogon Notify: AwayNotify - C:\Programme\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: KFWLogon - C:\WINDOWS\system32\afslogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Avast4\ashWebSv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\VPN Service\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: OpenAFS Client (TransarcAFSDaemon) - OpenAFS Project - C:\Programme\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: OpenAFS Server (TransarcAFSServer) - OpenAFS Project - C:\Programme\OpenAFS\Server\usr\afs\bin\bosctlsvc.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 17326 bytes

Thanks for returning your information and the offer to help translate. If I need it, I will surely ask, I have problems with English, can you help with those (lol)

If it helps, you are aware we have this: GERMAN/DUTCH FORUM
http://forums.spybot.info/forumdisplay.php?f=15

Though I do not see this running in the HJT log:
C:\Dokumente und Einstellungen\stef\Anwendungsdaten\LimeWire
I need to remind you of the policy here at Safer Networking:
http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

Could you tell me you know what this is: O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services2] cleanmgrs.exe
http://spyware-free.us/tutorials/cleanmgr/ <<< I know what cleanmgr is but have not seen it running like this and hackers call their junk what they wish.

combofix removed a lot of junk, let's clean and do a doublecheck with MBAM.

Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file .

Please tell me how the computer is running, any malware issues.

Thanks...Phil

Hi Phil

The answers to your questions:
- I did not know that there is a German forum, but I don't care about the language. I speak english fluently. I happened to me too late, that you might not be able to read it. But since you are working with those log files often (I suppose) I thought you know where what is wirtten. But still ask if there are questions.
- I used LimeWire some time ago, but uninstalled it. Obviously the uninstall-program did not work properly. I guarantee that there is no P2P-program on my pc anymore.
- I have no idea where the cleanmgr-entry came from. I did not run any program while scanning with HJT.
--> Now, I have a question regarding the programs I just had to use. Are MBAM and ATF-Cleaner meant for daily use or are they as well to use under supervision?

Mbam found quite a lot, though some files which were in the quarantine folder of avast. I did the cleaning and was asked to reboot the computer, so did I. Do I have to rescan? On statup, the computer was telling me that now some *.dll are missing which belong to ThinkPad-Services. Checking the functionalities I could not find any different behaviour than normal.

thanks
stefan

Enclosed the asked Log file.

Malwarebytes' Anti-Malware 1.24
Datenbank Version: 1058
Windows 5.1.2600 Service Pack 3

19:17:20 16.08.2008
mbam-log-8-16-2008 (19-17-20).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 385206
Laufzeit: 1 hour(s), 20 minute(s), 22 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 2
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 35

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
C:\WINDOWS\system32\pmnoLeDS.dll (Trojan.Vundo) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\CLSID\{474c31c5-578b-4192-8562-2e474578dc27} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnoleds (Trojan.Vundo) -> Delete on reboot.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{474c31c5-578b-4192-8562-2e474578dc27} (Trojan.Vundo) -> Delete on reboot.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Dokumente und Einstellungen\stef\Lokale Einstellungen\Temporary Internet Files\Content.IE5\LZQN6TGN\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Programme\Wolfram Research\Mathematica\6.0\SystemFiles\Links\NETLink\Examples\Part1\Calling DLLs\libbz2-1.0.0.DLL (Rogue.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cxagylvv.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dgbken.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\emcowcdx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\eohxbmkp.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fpnptjym.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\isgvxtws.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mlJYqQGw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\olqrxhgf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\opnopNEX.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qvswcesw.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rqivmqyf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rqtrie.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\urdybpwi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ygjklbwo.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000007.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000008.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000009.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000010.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000011.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000012.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000013.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000015.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000016.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000018.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000020.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A39EFAA0-FACC-4BD0-BE6F-0F69E5A248E6}\RP1\A0000019.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMdcbAQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnoLeDS.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\urqPHWoN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Hi stefan, unfortunately, way back in grade school I was smitten with my English teacher and never heard a word she said for a few years

I have no idea where the cleanmgr-entry came from.
We will remove that item before we finish, don't allow me to forget.

Mbam found quite a lot, though some files which were in the quarantine folder of avast.
I suggest you clean the Avast quarantine, no need to scan again with MBAM unless you wish.

On statup, the computer was telling me that now some *.dll are missing which belong to ThinkPad-Services.
We can see exactly what MBAM quarantined, and the rest of the Vundo files are in the combofix "quarantine" folder (having been renamed by Avast4)
Look at the files that were removed, we can restore any file in combofix (C:\QooBox\Quarantine\)
I see most of those files had already been renamed by the antivirus program.
The rest of those are infected System Restore files: C:\System Volume Information\_restore{
which need to be cleaned before we finish.

Can you mention the files that belong to ThinkPad-Services, if I know the names of the .dll files, I can look to see if I see them in the items removed.

Are MBAM and ATF-Cleaner meant for daily use or are they as well to use under supervision?
Both are freeware that you can keep or disgard as you wish. I personally use MBAM as a backup scan once every couple of months or so. ATF-Cleaner...you will not find a better, free, small, program anywhere. I run it about once a month to clean stuff I forget in normal operation. I rarely clean Prefetch with ATF-Cleaner, I just open the folder once a month or so and delete the files manually if it appears necessary.

Let me know about ThinkPad-Services, I do not want to proceed until that issue is resolved.

We do have this issue to resolve before combofix can be uninstalled.

I am sure you saw this:
Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks...Phil

Hi Phil

Thanks for the hints using those cute :flame: little tools.


unfortunately, way back in grade school I was smitten with my English teacher and never heard a word she said for a few years
:oops: I hope you got over it!!!


We will remove that item before we finish, don't allow me to forget.
I will not.


I suggest you clean the Avast quarantine...
Done


Let me know about ThinkPad-Services, I do not want to proceed until that issue is resolved.
The error-messages did not appear again this time... Is this a good or a bad sign. Neither did I note the names the first time since I thought they'll come up again anyway nor did I find any dll's in the QooBox-Quarantine which reminded me of the missing (or maybe not missing anymore) ones.


If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
I followed you advice.


If you install RC, post the C:\*CF-RC.txt*.
Here you go:

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

thanks
stefan

Looks good with the RC installation, here is some information:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654

Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.

Remove combofix from your computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services2] cleanmgrs.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

cleanmgrs.exe <<< delete that file, be sure of the spelling, must be spelled cleanmgrs
You may have to search for it and it is probably in the C:\Windows\System32\ folder
I checked in my C:\Windows\System32\ folder and the valid file is spelled cleanmgr with no S do not delete the wrong file.

Run a new MBAM scan, no need to post a clean scan result, just report on the performance of your computer.

Thanks...Phil

Hi Phil

There were no more issues found to report. My computer starts up a lot faster... I did not have problems with the performance while I was running applications before the cleaning. Can I consider my computer cured?

I yet have some questions regarding other programms I used to detect such infections. Obviously they did not help.
- So far I used adaware by lavasoft - and it only detected virtumonde, but not the other stuff which was yet on the machine. I thought this is a good programm too - but malwarebytes detected far more infections... Why are there such huge diffrences and would you consider Malwarebytes the best?
- Sophos Antivirus reported only one trojan-infected dll by the time. While I was checking the internet I learnd that avast should detect everything - and it almost did. Obviously there are huge diffrences in quality of the programm. Which would you consider the best?
- Whats the difference between ATF-Cleander and CCleaner which I was using so far?

How much time did it take you to solve my issues?

thanks a lot
stefan

Hello Stefan, the questions you ask are hard to answer. Since kids being bad gave way to organized crime on the internet, malware has become very hard to remove. Vundo is one of the most difficult. I used only a few programs, but have many I could have tried were they needed. Often it depend on how well the user keeps the programs up to date and run. MBAM is new and the malware fighters who maintain it do their best to keep it up to date, but malware changes quickly. Let there be no doubt, it is all about removing your money from you in one way or another. These are criminals and I suggest a firing squad, they would just as quickly kick down your door and walk over you to get to your resources.
Much information is available, here are just a few links to show you what I mean.
http://news.cnet.com/8301-1009_3-9992897-83.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://en.wikipedia.org/wiki/Russian_Business_Network
http://rbnexploit.blogspot.com/
http://www.google.com/search?hl=en&q=infected+websites&btnG=Google+Search

Trying to compare ATF-Cleaner and CCleaner is hard also. Atribune created a basic, simple freeware tool to clean the stuff most of us should be cleaning on a regular basis anyway. CCleaner is a tool that does a much deeper cleaning, it cleans the registry leftovers safely if directions are followed. I personally maintain both tools and use them when I need to. It is also hard to estimate the time involved, it does vary and I am helping upwards of 50 or so folks at the same time. If all is well with your computer, I will leave this information to help you keep it that way.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

Hey Phil

I can't believe it. After my donation for spybot I thought - for the fun of it, run another scan with spybot today and this f... virtumonde is still/again on my computer. Avast moreover is reporting a Win32:Adware-gen [adw] in location C:\windows\System32.
The only things I downloaded in the meanwhile was Comodo FW, Spywareguard and spywareblaster. And I was watching the olympic games as a live-stream on our national TV broadcasters page.
Today I was watching a movie I downloaded months ago (it was way before you cleaned my computer). Is it possible, that such a movie can contain viruses, even if scanned? While I was watching it, I saw a DivX codec icon in the bar on the lower right hand side...
What is happening here? I deleted all movies I downloaded. There might be the divx players which cause the problems... I'm not sure if I shall uninstall those - I tried but comodo defense reported awkward access-requests. I blocked all and killed the unistall-process.

Could you help me once again?
thanks
stefan

You have viewed this information pinned to the top of the forum, have you not?
http://forums.spybot.info/showthread.php?t=7344
It only takes one wrong click at an infected website and if you have exploitable programs onboard all you have to do is pass your mouse over a banner at an infected website, called a drive-by shooting. I will need a new HJT log to begin looking for the problem.

Thanks

Yes, I've read this threat. But I didn't think, that programs installed and scanned can still cause such a behavior. And till now I'm now curious how I can uninstall those DivX-codecs without making the whole thing worse. Shall I just proceed uninstalling and grant the access requested by the uninstall exe-file (it's called au.exe).

Thanks
stefan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:04:21, on 19.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\COMODO\Firewall\cmdagent.exe
C:\Programme\VPN Service\cvpnd.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programme\OpenAFS\Server\usr\afs\bin\bosctlsvc.exe
C:\PROGRA~1\OpenAFS\Server\usr\afs\bin\bosserver.exe
C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\Programme\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Logger\logmon.exe
C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpScrLk.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Lenovo\HOTKEY\TPONSCR.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Lenovo\Zoom\TpScrex.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\oodtray.exe
C:\Programme\Windows Defender\MSASCui.exe
C:\Programme\COMODO\Firewall\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\ThinkPad\Bluetooth Software\BTTray.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\SpywareGuard\sgmain.exe
C:\Programme\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programme\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Senden an Bluetooth - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: An Mindjet MindManager senden - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .csm: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Programme\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.neptun.ethz.ch
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206132832718
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\Software\..\Telephony: DomainName = ethz.ch
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ethz.ch
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ethz.ch
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ethz.ch
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ethz.ch
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ethz.ch
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AfsLogon - C:\WINDOWS\system32\afslogon.dll
O20 - Winlogon Notify: AwayNotify - C:\Programme\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: KFWLogon - C:\WINDOWS\system32\afslogon.dll
O20 - Winlogon Notify: pmnoLeDS - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Programme\COMODO\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\VPN Service\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: OpenAFS Client (TransarcAFSDaemon) - OpenAFS Project - C:\Programme\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: OpenAFS Server (TransarcAFSServer) - OpenAFS Project - C:\Programme\OpenAFS\Server\usr\afs\bin\bosctlsvc.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 17642 bytes

Stefan, some codecs are safe. If you have any doubts about files, download them to the desktop and scan them with your antivirus program prior to installing them.

au.exe <<<< a google on that shows this:
http://www.google.com/search?hl=en&q=au.exe&btnG=Google+Search
Where are you seeing this?

if you are ever in doubt about a file, use these free scans to find out what it is:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

C:\WINDOWS\system32\afslogon.dll <<< scan that file and post the results, I do not think it is malware.

O20 - Winlogon Notify: pmnoLeDS - C:\WINDOWS\ <<< this is a dead item, use HJT to remove it, there is no file.

I need more information, just exactly what is Avast4 showing you. I need to see the item and location of the item.

Avast moreover is reporting a Win32:Adware-gen [adw] in location C:\windows\System32\(file?) <<< what is the item.

Let's run a Kaspersky online scan to see ehat it show, it will not remove anything but it should show it to us if it is there.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Hi Phil

Well I let Kapersky run over night, the scan of the whole system took 5 and a half ours. Nothing was found. The removal of the found files with the engines which found them might have worked...
___________________________________
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 19, 2008 19:57:43
Records in database: 1111076
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
N:\
O:\
P:\
Scan statistics
Files scanned 411856
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 05:37:18

No malware has been detected. The scan area is clean.
The selected area was scanned.
______________________________________


C:\WINDOWS\system32\afslogon.dll <<< scan that file and post the results, I do not think it is malware.
No its not - no scanner has found anything. Which log do you want to have posted? AFS is a service that allows me to connect with the servers at my university.


O20 - Winlogon Notify: pmnoLeDS - C:\WINDOWS\ <<< this is a dead item, use HJT to remove it, there is no file.
done


Avast moreover is reporting a Win32:Adware-gen [adw] in location C:\windows\System32\(file?) <<< what is the item.
The item is called cliconfgs.exe

The item found by spybot yesterday is:
Virtumonde: [SBI $E7C36CB1] Ausführbare Datei (Datei, nothing done)
C:\Dokumente und Einstellungen\stef\Lokale Einstellungen\temp\removalfile.bat

What do you think?
Thanks
stefan

What do you think?
1) I see TeaTimer running, if it gets in your way, disable it until we finish.

2) I see System Configuration Utility (MSConfig) running in Selective Startup mode. I have no way of knowing what I can not see?

3) I think it is very unusual for Kaspersky Online Scan (KOS) not to find something if it is there.

4) cliconfgs.exe <<< here is the Google:
http://www.google.com/search?hl=en&q=cliconfgs.exe&btnG=Google+Search
If you want to be 100% positive, scan it here: http://virusscan.jotti.org/
and delete that file if it scans bad.

5) C:\Dokumente und Einstellungen\stef\Lokale Einstellungen\temp\removalfile.bat <<< that file
http://spywaredlls.prevx.com/RRCJHJ589259/REMOVALFILE.BAT.html <<< Prevx says it's malware.
Delete the total contents of that temp folder. There may be a few old files placed by Windows that will not delete, just delete the rest and make sure that file is gone.

Let me know if that takes care of your issues.

Thanks

Hi Phil

I just deleted those files and did another scan this afternoon - without result. I think the problem is solved. But there is one question remaining. Is Au_.exe safe to remove the DivX package? The scanners cannot find anything, report it as clean. I may sound paranoid - sorry - but is it safe, since there are several reportings on the net that say its mal- and Spyware.

thanks
stefan

I'll have to let you call that one. Were it my machine I would delete/uninstall anything questionable.

Thanks