PDA

View Full Version : Virtumonde dll + prx



hanfman84
2008-10-04, 15:24
Sorry for posting the same thing again but I replied to my last post myself because I wanted to ask an additional question - and now I'm afraid it won't be mentioned anymore because it's marked as answered.... :lip:


Hello, since I downloaded some "strange" software with azureus my spybot shows virtumonde.dll and .prx....

Well, I read some other threads about this topic and installed hijackthis, renamed the exe to hanfman84 and scanned. But I did not have the heart to go further without professional supervision... I appreciate your help very much!


Thats what hijackthis says:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:00 PM, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Nero\QG44\java.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe
C:\Programme\MSD_0.653\MSD 0.653\MSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE
C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
C:\Programme\Trend Micro\HijackThis\hanfman84.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {04DFD3AB-95F9-4F3D-8B3A-5BAE77971F8A} - (no file)
O2 - BHO: (no name) - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: {7ba35278-73f6-2ffa-9fb4-197221f66fd2} - {2df66f12-2791-4bf9-aff2-6f3787253ab7} - C:\WINDOWS\system32\fpwpwj.dll
O2 - BHO: (no name) - {333C4D08-1AD8-4502-B6A4-9434DF2D2A11} - (no file)
O2 - BHO: (no name) - {5063E63B-F225-4660-9093-52F66F0F365B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54A8264B-AFFB-4614-95FE-0234817EA282} - C:\WINDOWS\system32\nnnliijG.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {66F95BAD-EB20-4038-B2C2-613933C8ACF5} - C:\WINDOWS\system32\fccbaXQG.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D85A260B-4A52-4498-85F4-682BACB5EEBB} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Java] "C:\Programme\Nero\QG44\java.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Verknüpfung mit MSD.lnk = C:\Programme\MSD_0.653\MSD 0.653\MSD.exe
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Programme\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Programme\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Programme\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Programme\HiDownload\hidownload.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: aorkki.dll fpwpwj.dll
O20 - Winlogon Notify: nnnliijG - C:\WINDOWS\SYSTEM32\nnnliijG.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 11019 bytes

Blade81
2008-10-05, 14:13
Hi

Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

hanfman84
2008-10-06, 01:09
Here are the new results:

Combofix (really a pleasure to see that freak-dlls die :present:):

ComboFix 08-10-05.03 - Le Chef 2008-10-05 23:40:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.618 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Le Chef\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Startmenü\UUSEE~1.LNK
C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\UUSee ÍøÂçµçÊÓ.lnk
C:\Dokumente und Einstellungen\Le Chef\Cookies\le_chef@komtrack[2].txt
C:\Programme\Hide Real IP
C:\Programme\Hide Real IP\ProxyNew.dll
C:\Programme\uusee
C:\Programme\uusee\AD\1\000\index_new.html
C:\Programme\uusee\AD\1\000\uue_new.jpg
C:\Programme\uusee\AD\1\001\index_new.html
C:\Programme\uusee\AD\1\001\uue_new.jpg
C:\Programme\uusee\AD\1\cy\cy.html
C:\Programme\uusee\AD\1\dm\dm.html
C:\Programme\uusee\AD\1\dsj\dsj.html
C:\Programme\uusee\AD\1\dy\dy.html
C:\Programme\uusee\AD\1\jk\jk.html
C:\Programme\uusee\AD\1\ty\ty.html
C:\Programme\uusee\AD\1\uu\uu.html
C:\Programme\uusee\AD\1\yl\yl.html
C:\Programme\uusee\AD\1\yx\yx.html
C:\Programme\uusee\AD\1\zx\zx.html
C:\Programme\uusee\AD\2\100\index.html
C:\Programme\uusee\AD\2\300\index.html
C:\Programme\uusee\AD\2\400\index.html
C:\Programme\uusee\AD\UUAD_Banner.gif
C:\Programme\uusee\AD\UUAD_Banner.html
C:\Programme\uusee\AD\UUAD_Banner_1.html
C:\Programme\uusee\AD\UUAD_Banner_3.html
C:\Programme\uusee\AD\UUAD_Buffering.html
C:\Programme\uusee\AD\UUAD_Buffering.jpg
C:\Programme\uusee\AD\UUAD_TextLink_0.xml
C:\Programme\uusee\bass-plugins.exe
C:\Programme\uusee\channelid_chatid.txt
C:\Programme\uusee\skins\UUPlayer\About.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_Compact_1.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_Compact_2.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_Compact_3.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_FullScreen_1.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_FullScreen_2.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_FullScreen_3.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_pause_1.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_pause_2.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_pause_3.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_pause_4.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_Recording_1.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_Recording_2.bmp
C:\Programme\uusee\skins\UUPlayer\Control_Button_Recording_3.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_CheckBox_1.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_CheckBox_2.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_CheckBox_3.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_CheckBox_4.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_CheckBox_C1.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_CheckBox_C2.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_CheckBox_C3.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_CheckBox_C4.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_ComboBox_1.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_ComboBox_2.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_ComboBox_3.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_ComboBox_4.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_Edit_1.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_Edit_4.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_PushButton_1.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_PushButton_2.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_PushButton_3.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_PushButton_4.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_RadioButton_1.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_RadioButton_2.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_RadioButton_3.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_RadioButton_4.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_RadioButton_C1.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_RadioButton_C2.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_RadioButton_C3.bmp
C:\Programme\uusee\skins\UUPlayer\Ctrl_RadioButton_C4.bmp
C:\Programme\uusee\skins\UUPlayer\Dlg_Back.bmp
C:\Programme\uusee\skins\UUPlayer\Dlg_Detect.bmp
C:\Programme\uusee\skins\UUPlayer\Dlg_Frame_1.bmp
C:\Programme\uusee\skins\UUPlayer\Dlg_Frame_2.bmp
C:\Programme\uusee\skins\UUPlayer\Dlg_Frame_3.bmp
C:\Programme\uusee\skins\UUPlayer\Dlg_Record_Task_1.bmp
C:\Programme\uusee\skins\UUPlayer\Icon_Information.bmp
C:\Programme\uusee\skins\UUPlayer\Icon_Question.bmp
C:\Programme\uusee\skins\UUPlayer\Icon_Stop.bmp
C:\Programme\uusee\skins\UUPlayer\ListHeader_1.bmp
C:\Programme\uusee\skins\UUPlayer\ListHeader_2.bmp
C:\Programme\uusee\skins\UUPlayer\ListHeader_3.bmp
C:\Programme\uusee\skins\UUPlayer\ListHeader_ArrowD.bmp
C:\Programme\uusee\skins\UUPlayer\ListHeader_ArrowU.bmp
C:\Programme\uusee\skins\UUPlayer\ListHeader_SP.bmp
C:\Programme\uusee\skins\UUPlayer\Play_Window_Rec_icon.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_Block_1.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_Block_2.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_Block_3.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_Block_4.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_BM_0.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_BM_1.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_BM_2.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_BM_3.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_BM_4.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_BM_5.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_BM_6.bmp
C:\Programme\uusee\skins\UUPlayer\Progressbar_BM_7.bmp
C:\Programme\uusee\skins\UUPlayer\Resource.h
C:\Programme\uusee\skins\UUPlayer\Setting_Group_1_1.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_1_2.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_1_3.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_2_1.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_2_2.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_2_3.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_3_1.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_3_2.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_3_3.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_4_1.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_4_2.bmp
C:\Programme\uusee\skins\UUPlayer\Setting_Group_4_3.bmp
C:\Programme\uusee\skins\UUPlayer\Sidebar_Button_1_1.bmp
C:\Programme\uusee\skins\UUPlayer\Sidebar_Button_1_2.bmp
C:\Programme\uusee\skins\UUPlayer\Sidebar_Button_1_3.bmp
C:\Programme\uusee\skins\UUPlayer\Sidebar_Group_1.bmp
C:\Programme\uusee\skins\UUPlayer\Sidebar_Group_2.bmp
C:\Programme\uusee\skins\UUPlayer\Sidebar_Group_3.bmp
C:\Programme\uusee\skins\UUPlayer\Sidebar_Group_x1.bmp
C:\Programme\uusee\skins\UUPlayer\Sidebar_Group_x2.bmp
C:\Programme\uusee\skins\UUPlayer\Sidebar_Group_x3.bmp
C:\Programme\uusee\skins\UUPlayer\Thumbs.db
C:\Programme\uusee\skins\UUPlayer\Titlebar_button_Res_1.bmp
C:\Programme\uusee\skins\UUPlayer\Titlebar_button_Res_2.bmp
C:\Programme\uusee\skins\UUPlayer\Titlebar_button_Res_3.bmp
C:\Programme\uusee\skins\UUPlayer\Toolbar_Button_Compact_1.bmp
C:\Programme\uusee\skins\UUPlayer\Toolbar_Button_Compact_2.bmp
C:\Programme\uusee\skins\UUPlayer\Toolbar_Button_Compact_3.bmp
C:\Programme\uusee\skins\UUPlayer\Toolbar_Button_FullScreen_1.bmp
C:\Programme\uusee\skins\UUPlayer\Toolbar_Button_FullScreen_2.bmp
C:\Programme\uusee\skins\UUPlayer\Toolbar_Button_FullScreen_3.bmp
C:\Programme\uusee\skins\UUPlayer\Toolbar_Button_TopMost_1.bmp
C:\Programme\uusee\skins\UUPlayer\Toolbar_Button_TopMost_2.bmp
C:\Programme\uusee\skins\UUPlayer\Toolbar_Button_TopMost_3.bmp
C:\Programme\uusee\skins\UUPlayer\TopTab_Browse.bmp
C:\Programme\uusee\skins\UUPlayer\TopTab_Browse1.bmp
C:\Programme\uusee\skins\UUPlayer\TopTab_Play.bmp
C:\Programme\uusee\skins\UUPlayer\TopTab_Play1.bmp
C:\Programme\uusee\skins\UUPlayer\TopTab_Record.bmp
C:\Programme\uusee\skins\UUPlayer\TopTab_Record1.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_Arrow.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_Collapse.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_Expand.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_Header.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_ScrollBar_D.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_ScrollBar_H.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_ScrollBar_N.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_ScrollBar_S.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_ScrollBarThumb_D.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_ScrollBarThumb_H.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_ScrollBarThumb_N.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_ScrollBarThumb_S.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_SortIconDown.bmp
C:\Programme\uusee\skins\UUPlayer\Tree_SortIconUp.bmp
C:\Programme\uusee\skins\UUPlayer\UUSEE.ui
C:\Programme\uusee\skins\UUPlayer\Volume_Bar_Block_1.bmp
C:\Programme\uusee\skins\UUPlayer\Volume_Bar_Block_2.bmp
C:\Programme\uusee\skins\UUPlayer\Volume_Bar_Block_3.bmp
C:\Programme\uusee\skins\UUPlayer\Volume_Button_2_1.bmp
C:\Programme\uusee\skins\UUPlayer\Volume_Button_2_2.bmp
C:\Programme\uusee\skins\UUPlayer\Volume_Button_2_3.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Browser_1.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Browser_2.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Browser_3.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_ChannelInfo.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_ChannelInfo_5.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Control_1.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Control_2.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Control_3.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Control_4.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Info.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Main_1.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Main_2.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Main_3.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Main_5.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Play_1.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Play_2.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Play_5.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Record_1.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Record_2.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Record_3.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Record_4.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Setting_1.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Setting_2.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Setting_3.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Side_1.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Side_2.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Side_3.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Toolbar_1.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Toolbar_2.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Toolbar_3.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Toolbar_4.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Top_1.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Top_2.bmp
C:\Programme\uusee\skins\UUPlayer\Wnd_Top_3.bmp
C:\Programme\uusee\uninstuusee.exe
C:\Programme\uusee\UUPlayer.dll
C:\Programme\uusee\UUPlayer_update.ini
C:\Programme\uusee\UUSee.url
C:\Programme\uusee\UUSeePlayer.exe
C:\Programme\uusee\UUTV_Chat.xml
C:\Programme\uusee\UUTV_MY.xml
C:\Programme\uusee\UUTV_UUPlayer.xml
C:\WINDOWS\BM07776110.txt
C:\WINDOWS\BM07776110.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aorkki.dll

.
((((((((((((((((((((((( Dateien erstellt von 2008-09-05 bis 2008-10-05 ))))))))))))))))))))))))))))))
.

2008-10-05 02:55 . 2008-10-05 23:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-05 02:55 . 2008-10-05 23:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-04 17:15 . 2008-10-05 02:08 <DIR> d-------- C:\Programme\Poker Indicator
2008-10-04 04:13 . 2008-10-04 04:13 <DIR> d-------- C:\Programme\Trend Micro
2008-10-04 01:13 . 2008-10-04 01:13 <DIR> d-------- C:\Programme\PostgreSQL
2008-10-03 23:01 . 2008-10-03 23:01 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-10-03 22:16 . 2008-10-05 02:53 540 --a------ C:\WINDOWS\wininit.ini
2008-10-03 19:55 . 2008-10-05 22:59 <DIR> d-------- C:\Programme\Poker Tracker V2
2008-10-03 19:55 . 2003-06-17 14:54 87,280 --a------ C:\WINDOWS\system32\wsatrace.dll
2008-10-03 18:01 . 2003-06-26 14:52 464,128 --a------ C:\WINDOWS\system32\csimxctl.ocx
2008-10-03 00:42 . 2008-10-04 19:11 <DIR> d-------- C:\Dokumente und Einstellungen\postgres
2008-10-02 20:14 . 2008-10-03 18:26 <DIR> d-------- C:\Programme\PokerAce Hud
2008-10-02 18:33 . 2008-10-05 22:37 <DIR> d-------- C:\Programme\Everest Poker
2008-09-30 23:30 . 2008-09-30 23:30 <DIR> d-------- C:\Programme\FLV Player
2008-09-30 19:18 . 2008-09-30 19:51 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-27 15:45 . 2008-09-27 16:27 13 --a------ C:\WINDOWS\msgtn.ini
2008-09-27 15:18 . 2008-09-27 15:47 <DIR> d-------- C:\Programme\Gemeinsame Dateien\uusee
2008-09-27 15:05 . 2008-09-27 15:05 <DIR> d-------- C:\Programme\TVAnts
2008-09-27 15:05 . 2008-09-27 18:12 <DIR> d-------- C:\Programme\PPStream
2008-09-27 15:05 . 2008-09-27 18:12 <DIR> d-------- C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\ppstream
2008-09-23 21:28 . 2008-09-23 21:28 244 --ah----- C:\sqmnoopt01.sqm
2008-09-23 21:28 . 2008-09-23 21:28 232 --ah----- C:\sqmdata01.sqm
2008-09-16 19:47 . 2008-09-16 19:47 <DIR> d-------- C:\Programme\7-Zip
2008-09-10 16:54 . 2008-09-10 16:54 <DIR> d-------- C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\WinAVI
2008-09-10 16:53 . 2008-09-10 17:36 <DIR> d-------- C:\Programme\WinAVI FLV Converter
2008-09-10 16:44 . 2008-09-10 16:44 237,568 --a------ C:\WINDOWS\system32\rmc_rtspdl.dll
2008-09-10 16:44 . 2008-09-10 16:44 156,672 --a------ C:\WINDOWS\system32\rmc_fixasf.exe
2008-09-10 16:41 . 2008-09-10 16:41 323,584 --a------ C:\WINDOWS\system32\AUDIOGENIE2.DLL
2008-09-10 16:40 . 2008-09-10 16:40 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-09-10 16:39 . 2008-09-10 17:05 <DIR> d-------- C:\Programme\Replay Media Catcher
2008-09-09 16:04 . 2008-09-09 16:15 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-09-08 03:42 . 2008-09-10 16:48 <DIR> d-------- C:\Programme\Free FLV Converter
2008-09-08 03:42 . 2008-06-04 18:42 364,544 --a------ C:\WINDOWS\system32\PropertyGrid.ocx
2008-09-08 03:42 . 2008-09-03 01:53 258,048 --a------ C:\WINDOWS\system32\TubeFinder.exe
2008-09-08 03:42 . 2008-06-04 18:42 208,500 --a------ C:\WINDOWS\system32\ReyXpBasics.tlb
2008-09-08 03:42 . 2008-06-04 18:42 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2008-09-08 03:42 . 2008-06-04 18:42 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2008-09-08 03:42 . 2008-06-04 18:42 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-09-08 03:42 . 2008-06-04 18:42 84,512 --a------ C:\WINDOWS\system32\PICCLP32.OCX
2008-09-08 03:42 . 2008-06-04 18:42 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2008-09-08 03:42 . 2008-06-04 18:42 24,576 --a------ C:\WINDOWS\system32\ControlSubX.ocx
2008-09-08 03:42 . 2008-06-04 18:42 9,728 --a------ C:\WINDOWS\system32\PCCLPFR.DLL

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 20:59 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-10-05 17:18 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-10-05 15:01 --------- d-----w C:\Programme\SopCast
2008-10-05 14:30 --------- d-----w C:\Programme\PartyGaming
2008-10-04 20:20 --------- d-----w C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\Azureus
2008-10-04 15:17 --------- d-----w C:\Programme\Full Tilt Poker
2008-10-03 21:01 --------- d-----w C:\Programme\Lavasoft
2008-10-03 19:11 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-10-03 17:54 --------- d-----w C:\Programme\Nero
2008-10-02 16:40 --------- d-----w C:\Programme\ICQ6
2008-09-27 23:02 --------- d-----w C:\Programme\Google
2008-09-27 15:37 --------- d-----w C:\Programme\MSN Messenger
2008-09-26 15:48 --------- d-----w C:\Programme\PokerStars
2008-09-22 19:29 138,912 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-16 23:02 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-09-15 13:05 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help
2008-09-10 19:20 --------- d-----w C:\Programme\HiDownload
2008-09-09 12:31 --------- d-----w C:\Programme\Winamp
2008-08-26 17:25 --------- d-----w C:\Programme\MSD_0.653
2008-08-21 14:16 --------- d-----w C:\Programme\Micronet Wireless Network Utility
2008-08-21 13:59 --------- d-----w C:\Programme\MSBuild
2008-08-21 13:59 --------- d-----w C:\Programme\Microsoft Works
2008-08-21 13:55 --------- d-----w C:\Programme\Microsoft Visual Studio 8
2008-08-21 11:51 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-17 02:26 --------- d-----w C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\vlc
2008-08-16 17:51 --------- d-----w C:\Programme\VideoLAN
2008-08-16 12:48 --------- d-----w C:\Programme\TVUPlayer
2008-08-16 12:48 --------- d-----w C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\TVU Networks
2008-08-16 12:48 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TVU Networks
2008-08-13 13:25 --------- d-----w C:\Programme\PKR
2008-08-12 22:34 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-08-11 12:55 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-08-08 14:33 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ATI
2008-08-08 12:01 --------- d-----w C:\Programme\ATI Technologies
2008-07-09 12:34 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-17 17:28 22,328 ----a-w C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\PnkBstrK.sys
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 405583]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DAEMON Tools"="C:\Programme\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 160768]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-13 C:\WINDOWS\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]
"Spyware Doctor"="C:\Programme\Spyware Doctor\swdoctor.exe" [2005-10-23 2076160]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
IEEE 802.11g Wireless LAN Utility.lnk - C:\Programme\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe [2008-06-23 610304]
Verknpfung mit MSD.lnk - C:\Programme\MSD_0.653\MSD 0.653\MSD.exe [2008-08-26 1656320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=aorkki.dll zbuvab.dll nafhsp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"msacm.dvacm"= C:\PROGRA~1\GEMEIN~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Le Chef^Startmenü^Programme^Autostart^PPS.lnk]
path=C:\Dokumente und Einstellungen\Le Chef\Startmenü\Programme\Autostart\PPS.lnk
backup=C:\WINDOWS\pss\PPS.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-07-21 17:52 266497 C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--------- 2005-09-03 16:18 94208 C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
--a------ 2007-12-23 01:03 916240 C:\Programme\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVEREST AutoStart]
--------- 2006-09-21 19:32 1532928 C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--------- 2005-01-04 13:27 405583 C:\Programme\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Programme\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-01-22 15:15 77824 C:\Programme\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shutdown]
--a------ 2006-07-25 01:36 86016 C:\DOKUME~1\LECHEF~1\Desktop\tools\shutdown.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
--------- 2005-10-23 23:15 2076160 C:\PROGRA~1\SPYWAR~1\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Programme\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-21 13:37 185896 C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
--a------ 2007-11-22 23:49 12889088 C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 2005-01-07 18:07 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2005-06-21 09:09 90112 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"gusvc"=3 (0x3)
"SDhelper"=2 (0x2)
"ICQ Service"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"aawservice"=2 (0x2)
"ATI Smart"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Programme\\Microsoft ActiveSync\\WCESMgr.exe"=
"D:\\Spiele\\Simulationen\\skat\\GutGemischt2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\Azureus\\Azureus.exe"=
"C:\\Programme\\AntiVir PersonalEdition Classic\\avcenter.exe"=
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programme\\MSN Messenger\\livecall.exe"=
"C:\\Programme\\SopCast\\adv\\SopAdver.exe"=
"C:\\Programme\\SopCast\\SopCast.exe"=
"D:\\Spiele\\Shooter\\bf2\\BF2.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Programme\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Programme\\SecondLife\\SLVoice.exe"=
"D:\\Spiele\\Simulationen\\creed\\AssassinsCreed_Dx9.exe"=
"D:\\Spiele\\Simulationen\\creed\\AssassinsCreed_Dx10.exe"=
"D:\\Spiele\\Simulationen\\creed\\AssassinsCreed_Launcher.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\\Programme\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programme\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Spiele\\Simulationen\\skat\\bin\\cards.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"D:\\Spiele\\Shooter\\CoD4\\iw3mp.exe"=
"C:\\Programme\\TVAnts\\Tvants.exe"=
"C:\\Programme\\Nero\\QG44\\java.exe"=
"C:\\Programme\\Nero\\QG44\\RQQ63.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51001:TCP"= 51001:TCP:port 1
"51002:TCP"= 51002:TCP:port 2
"51003:TCP"= 51003:TCP:port 3
"51002:UDP"= 51002:UDP:port2
"51003:UDP"= 51003:UDP:port3
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"88:TCP"= 88:TCP:earth
"88:UDP"= 88:UDP:earth
"123:TCP"= 123:TCP:earth
"123:UDP"= 123:UDP:earth

R0 PDDSLHND;PDDSLHND;C:\WINDOWS\system32\drivers\PDDSLHND.sys [2005-05-05 15187]
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2008-03-14 162432]
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2008-03-14 12032]
R3 Ltn_stk7070P;PCTV based TV tuner device;C:\WINDOWS\system32\DRIVERS\Ltn_stk7070P.sys [2007-06-14 466048]
R3 Ltn_stkrc;PCTV Infrared Receiver;C:\WINDOWS\system32\DRIVERS\Ltn_stkrc.sys [2007-06-13 13440]
R3 PDDSLADP;ProDyne DSL Adapter;C:\WINDOWS\system32\DRIVERS\PDDSLADP.SYS [2005-05-05 15571]
R3 Tetri5;Tetri5 driver;C:\WINDOWS\system32\Drivers\Tetri5.sys [2008-03-14 53088]
R4 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\ZDCNDIS5.sys [2005-11-11 17664]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\EVEREST Ultimate Edition 2006\kerneld.wnt [2006-08-10 11776]
S3 NB760_XP;NB 802.11g XG762 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2005-10-28 402432]
.
Inhalt des "geplante Tasks" Ordners

2008-10-05 C:\WINDOWS\Tasks\ADBDBB6391562BAB.job
- c:\dokume~1\lechef~1\anwend~1\acidby~1\regsexittons.exe []
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

BHO-{04DFD3AB-95F9-4F3D-8B3A-5BAE77971F8A} - (no file)
BHO-{333C4D08-1AD8-4502-B6A4-9434DF2D2A11} - (no file)
BHO-{334528AC-5DE6-440E-A0B6-07CDDD86A971} - C:\WINDOWS\system32\fccbaXQG.dll
BHO-{4507578B-4613-4CC8-BFB5-DF1448EB9D6F} - (no file)
BHO-{5063E63B-F225-4660-9093-52F66F0F365B} - (no file)
BHO-{54A8264B-AFFB-4614-95FE-0234817EA282} - C:\WINDOWS\system32\nnnliijG.dll
BHO-{5AE9DBE7-CC16-43F3-A5A1-E7E84EBC3646} - (no file)
BHO-{66F95BAD-EB20-4038-B2C2-613933C8ACF5} - (no file)
HKLM-Run-BM07776110 - C:\WINDOWS\system32\pqoiplba.dll
ShellExecuteHooks-{54A8264B-AFFB-4614-95FE-0234817EA282} - C:\WINDOWS\system32\nnnliijG.dll
MSConfigStartUp-BM07776110 - C:\WINDOWS\system32\pqoiplba.dll
MSConfigStartUp-Free Download Manager - C:\Programme\Free Download Manager\fdm.exe
MSConfigStartUp-Logdoes - C:\DOKUME~1\LECHEF~1\ANWEND~1\ACIDBY~1\LessFrag.exe
MSConfigStartUp-Mousotron - C:\Programme\Mousotron Pro\Mousotron.exe
MSConfigStartUp-NetPumper - C:\Programme\NetPumper\NetPumperIEProxy.exe
MSConfigStartUp-Once Love Flaw Real - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\manager wma once love\coal mapi.exe
MSConfigStartUp-Red Swoosh - C:\Programme\RSSoft\RedSwoosh.exe
MSConfigStartUp-SweetIM - C:\Programme\Macrogaming\SweetIM\SweetIM.exe
MSConfigStartUp-swg - C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-TotalRecorderScheduler - C:\Programme\HighCriteria\TotalRecorder\TotRecSched.exe
MSConfigStartUp-updateMgr - C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\Mozilla\Firefox\Profiles\tcyzyixb.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.metacrawler.com/
FF -: plugin - C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\Mozilla\Firefox\Profiles\tcyzyixb.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - C:\Programme\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npJoostPlugin.dll
FF -: plugin - C:\Programme\Opera\program\plugins\npdivx32.dll
FF -: plugin - C:\Programme\Opera\program\plugins\npJoostPlugin.dll
FF -: plugin - C:\Programme\Opera\program\plugins\NPOFF12.DLL
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 23:47:34
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\EVEREST Ultimate Edition 2006\kerneld.wnt"
.
------------------------ Weitere laufende Prozesse ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-10-05 23:52:00 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-10-05 21:51:57

Vor Suchlauf: 14 Verzeichnis(se), 10,930,941,952 Bytes frei
Nach Suchlauf: 18 Verzeichnis(se), 11,546,005,504 Bytes frei

508 --- E O F --- 2008-09-10 13:03:34




Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:29 AM, on 10/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe
C:\Programme\MSD_0.653\MSD 0.653\MSD.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\d7ca437757bb79190d8fe0f22734e38b\update\update.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Trend Micro\HijackThis\hanfman84.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {04DFD3AB-95F9-4F3D-8B3A-5BAE77971F8A} - (no file)
O2 - BHO: (no name) - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {333C4D08-1AD8-4502-B6A4-9434DF2D2A11} - (no file)
O2 - BHO: (no name) - {4507578B-4613-4CC8-BFB5-DF1448EB9D6F} - (no file)
O2 - BHO: (no name) - {5063E63B-F225-4660-9093-52F66F0F365B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54A8264B-AFFB-4614-95FE-0234817EA282} - (no file)
O2 - BHO: (no name) - {5AE9DBE7-CC16-43F3-A5A1-E7E84EBC3646} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {66F95BAD-EB20-4038-B2C2-613933C8ACF5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D85A260B-4A52-4498-85F4-682BACB5EEBB} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Verknüpfung mit MSD.lnk = C:\Programme\MSD_0.653\MSD 0.653\MSD.exe
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Programme\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Programme\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Programme\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Programme\HiDownload\hidownload.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: aorkki.dll zbuvab.dll nafhsp.dll
O20 - Winlogon Notify: nnnliijG - C:\WINDOWS\
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 10765 bytes (seems not all freak dlls are dead? :spider:)


Thank u very much for helping! :bigthumb:

Blade81
2008-10-06, 07:44
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus


I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\Azureus
C:\Programme\Azureus

Empty Recycle Bin.

After that:


Disable Spybot's TeaTimer and please keep it disabled until fixing process is finished.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {04DFD3AB-95F9-4F3D-8B3A-5BAE77971F8A} - (no file)
O2 - BHO: (no name) - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {333C4D08-1AD8-4502-B6A4-9434DF2D2A11} - (no file)
O2 - BHO: (no name) - {4507578B-4613-4CC8-BFB5-DF1448EB9D6F} - (no file)
O2 - BHO: (no name) - {5063E63B-F225-4660-9093-52F66F0F365B} - (no file)
O2 - BHO: (no name) - {54A8264B-AFFB-4614-95FE-0234817EA282} - (no file)
O2 - BHO: (no name) - {5AE9DBE7-CC16-43F3-A5A1-E7E84EBC3646} - (no file)
O2 - BHO: (no name) - {66F95BAD-EB20-4038-B2C2-613933C8ACF5} - (no file)
O2 - BHO: (no name) - {D85A260B-4A52-4498-85F4-682BACB5EEBB} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O20 - Winlogon Notify: nnnliijG - C:\WINDOWS\

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\Tasks\ADBDBB6391562BAB.job

Folder::
C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\Azureus
C:\Programme\Azureus
c:\dokume~1\lechef~1\anwend~1\acidby~1

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Azureus\\Azureus.exe"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh hjt log and above meantioned ComboFix resultant log.

hanfman84
2008-10-06, 21:43
Here is the new stuff:

Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39:58, on 06.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Le Chef\Lokale Einstellungen\temp\jkos-Le Chef\binaries\ScanningProcess.exe
C:\Dokumente und Einstellungen\Le Chef\Lokale Einstellungen\temp\jkos-Le Chef\binaries\ScanningProcess.exe
C:\Programme\Winamp\winamp.exe
C:\Programme\Microsoft Office\Office12\WINWORD.EXE
C:\Programme\Trend Micro\HijackThis\hanfman84.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {04DFD3AB-95F9-4F3D-8B3A-5BAE77971F8A} - (no file)
O2 - BHO: (no name) - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {333C4D08-1AD8-4502-B6A4-9434DF2D2A11} - (no file)
O2 - BHO: (no name) - {4507578B-4613-4CC8-BFB5-DF1448EB9D6F} - (no file)
O2 - BHO: (no name) - {5063E63B-F225-4660-9093-52F66F0F365B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54A8264B-AFFB-4614-95FE-0234817EA282} - (no file)
O2 - BHO: (no name) - {5AE9DBE7-CC16-43F3-A5A1-E7E84EBC3646} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {66F95BAD-EB20-4038-B2C2-613933C8ACF5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D85A260B-4A52-4498-85F4-682BACB5EEBB} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Programme\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Programme\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Programme\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Programme\HiDownload\hidownload.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: nnnliijG - C:\WINDOWS\
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 10012 bytes


Combofix:

ComboFix 08-10-05.06 - Le Chef 2008-10-06 12:15:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.630 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Le Chef\Desktop\spywar!\ComboFix.exe
Benutzte Befehlsschalter :: C:\Dokumente und Einstellungen\Le Chef\Desktop\spywar!\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

FILE ::
C:\WINDOWS\Tasks\ADBDBB6391562BAB.job
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokume~1\lechef~1\anwend~1\acidby~1
c:\dokume~1\lechef~1\anwend~1\acidby~1\714FF6F2
C:\WINDOWS\Tasks\ADBDBB6391562BAB.job

.
((((((((((((((((((((((( Dateien erstellt von 2008-09-06 bis 2008-10-06 ))))))))))))))))))))))))))))))
.

2008-10-06 00:41 . 2008-10-06 00:41 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-10-06 00:40 . 2008-03-29 17:36 125,328 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2008-10-06 00:40 . 2008-03-29 17:36 106,768 --a------ C:\WINDOWS\system32\dneinobj.dll
2008-10-06 00:39 . 2008-10-06 00:39 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Deterministic Networks
2008-10-06 00:39 . 2008-10-06 00:39 <DIR> d-------- C:\Programme\Cisco Systems
2008-10-06 00:39 . 2008-10-06 00:41 1,593 --a------ C:\WINDOWS\VPNInstall.MIF
2008-10-05 02:55 . 2008-10-05 23:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-05 02:55 . 2008-10-05 23:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-04 17:15 . 2008-10-05 02:08 <DIR> d-------- C:\Programme\Poker Indicator
2008-10-04 04:13 . 2008-10-04 04:13 <DIR> d-------- C:\Programme\Trend Micro
2008-10-04 01:13 . 2008-10-04 01:13 <DIR> d-------- C:\Programme\PostgreSQL
2008-10-03 23:01 . 2008-10-03 23:01 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-10-03 22:16 . 2008-10-05 02:53 540 --a------ C:\WINDOWS\wininit.ini
2008-10-03 19:55 . 2008-10-05 22:59 <DIR> d-------- C:\Programme\Poker Tracker V2
2008-10-03 19:55 . 2003-06-17 14:54 87,280 --a------ C:\WINDOWS\system32\wsatrace.dll
2008-10-03 18:01 . 2003-06-26 14:52 464,128 --a------ C:\WINDOWS\system32\csimxctl.ocx
2008-10-03 00:42 . 2008-10-04 19:11 <DIR> d-------- C:\Dokumente und Einstellungen\postgres
2008-10-02 20:14 . 2008-10-03 18:26 <DIR> d-------- C:\Programme\PokerAce Hud
2008-10-02 18:33 . 2008-10-05 22:37 <DIR> d-------- C:\Programme\Everest Poker
2008-09-30 23:30 . 2008-09-30 23:30 <DIR> d-------- C:\Programme\FLV Player
2008-09-30 19:18 . 2008-10-06 00:22 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-27 15:45 . 2008-09-27 16:27 13 --a------ C:\WINDOWS\msgtn.ini
2008-09-27 15:18 . 2008-09-27 15:47 <DIR> d-------- C:\Programme\Gemeinsame Dateien\uusee
2008-09-27 15:05 . 2008-09-27 15:05 <DIR> d-------- C:\Programme\TVAnts
2008-09-27 15:05 . 2008-09-27 18:12 <DIR> d-------- C:\Programme\PPStream
2008-09-27 15:05 . 2008-09-27 18:12 <DIR> d-------- C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\ppstream
2008-09-23 21:28 . 2008-09-23 21:28 244 --ah----- C:\sqmnoopt01.sqm
2008-09-23 21:28 . 2008-09-23 21:28 232 --ah----- C:\sqmdata01.sqm
2008-09-16 19:47 . 2008-09-16 19:47 <DIR> d-------- C:\Programme\7-Zip
2008-09-10 16:54 . 2008-09-10 16:54 <DIR> d-------- C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\WinAVI
2008-09-10 16:53 . 2008-09-10 17:36 <DIR> d-------- C:\Programme\WinAVI FLV Converter
2008-09-10 16:44 . 2008-09-10 16:44 237,568 --a------ C:\WINDOWS\system32\rmc_rtspdl.dll
2008-09-10 16:44 . 2008-09-10 16:44 156,672 --a------ C:\WINDOWS\system32\rmc_fixasf.exe
2008-09-10 16:41 . 2008-09-10 16:41 323,584 --a------ C:\WINDOWS\system32\AUDIOGENIE2.DLL
2008-09-10 16:40 . 2008-09-10 16:40 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-09-10 16:39 . 2008-09-10 17:05 <DIR> d-------- C:\Programme\Replay Media Catcher
2008-09-09 16:04 . 2008-09-09 16:15 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-09-08 03:42 . 2008-09-10 16:48 <DIR> d-------- C:\Programme\Free FLV Converter
2008-09-08 03:42 . 2008-06-04 18:42 364,544 --a------ C:\WINDOWS\system32\PropertyGrid.ocx
2008-09-08 03:42 . 2008-09-03 01:53 258,048 --a------ C:\WINDOWS\system32\TubeFinder.exe
2008-09-08 03:42 . 2008-06-04 18:42 208,500 --a------ C:\WINDOWS\system32\ReyXpBasics.tlb
2008-09-08 03:42 . 2008-06-04 18:42 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2008-09-08 03:42 . 2008-06-04 18:42 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2008-09-08 03:42 . 2008-06-04 18:42 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-09-08 03:42 . 2008-06-04 18:42 84,512 --a------ C:\WINDOWS\system32\PICCLP32.OCX
2008-09-08 03:42 . 2008-06-04 18:42 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2008-09-08 03:42 . 2008-06-04 18:42 24,576 --a------ C:\WINDOWS\system32\ControlSubX.ocx
2008-09-08 03:42 . 2008-06-04 18:42 9,728 --a------ C:\WINDOWS\system32\PCCLPFR.DLL

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 20:59 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-10-05 17:18 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-10-05 15:01 --------- d-----w C:\Programme\SopCast
2008-10-05 14:30 --------- d-----w C:\Programme\PartyGaming
2008-10-04 15:17 --------- d-----w C:\Programme\Full Tilt Poker
2008-10-03 21:01 --------- d-----w C:\Programme\Lavasoft
2008-10-03 19:11 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-10-03 17:54 --------- d-----w C:\Programme\Nero
2008-10-02 16:40 --------- d-----w C:\Programme\ICQ6
2008-09-27 23:02 --------- d-----w C:\Programme\Google
2008-09-27 15:37 --------- d-----w C:\Programme\MSN Messenger
2008-09-26 15:48 --------- d-----w C:\Programme\PokerStars
2008-09-25 23:11 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-09-22 19:29 183,256 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-09-22 19:29 138,912 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-16 23:02 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-09-15 13:05 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help
2008-09-10 19:20 --------- d-----w C:\Programme\HiDownload
2008-09-09 12:31 --------- d-----w C:\Programme\Winamp
2008-08-26 17:25 --------- d-----w C:\Programme\MSD_0.653
2008-08-21 14:16 --------- d-----w C:\Programme\Micronet Wireless Network Utility
2008-08-21 13:59 --------- d-----w C:\Programme\MSBuild
2008-08-21 13:59 --------- d-----w C:\Programme\Microsoft Works
2008-08-21 13:55 --------- d-----w C:\Programme\Microsoft Visual Studio 8
2008-08-21 11:51 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-17 02:26 --------- d-----w C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\vlc
2008-08-16 17:51 --------- d-----w C:\Programme\VideoLAN
2008-08-16 12:48 --------- d-----w C:\Programme\TVUPlayer
2008-08-16 12:48 --------- d-----w C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\TVU Networks
2008-08-16 12:48 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TVU Networks
2008-08-13 13:25 --------- d-----w C:\Programme\PKR
2008-08-12 22:34 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-08-11 12:55 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-08-08 14:33 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ATI
2008-08-08 12:01 --------- d-----w C:\Programme\ATI Technologies
2008-08-04 09:46 47,558,401 ----a-w C:\WINDOWS\system32\Astronomy 2005.scr
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-09 12:34 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-01-17 17:28 22,328 ----a-w C:\Dokumente und Einstellungen\Le Chef\Anwendungsdaten\PnkBstrK.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-05_23.51.35.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-05 22:41:33 6,144 ----a-r C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED1.exe
+ 2008-04-17 07:08:44 193,312 ----a-w C:\WINDOWS\system32\CSGina.dll
+ 2007-01-18 15:28:02 5,275 ----a-w C:\WINDOWS\system32\drivers\CVirtA.sys
+ 2008-04-17 07:07:52 306,299 ----a-w C:\WINDOWS\system32\drivers\CVPNDRVA.sys
- 2008-10-05 21:42:03 70,850 ----a-w C:\WINDOWS\system32\perfc007.dat
+ 2008-10-06 09:27:28 70,850 ----a-w C:\WINDOWS\system32\perfc007.dat
- 2008-10-05 21:42:03 58,392 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-06 09:27:28 58,392 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-05 21:42:03 407,386 ----a-w C:\WINDOWS\system32\perfh007.dat
+ 2008-10-06 09:27:28 407,386 ----a-w C:\WINDOWS\system32\perfh007.dat
- 2008-10-05 21:42:03 394,178 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-06 09:27:29 394,178 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2004-08-03 23:58:14 8,192 ------w C:\WINDOWS\system32\spdwnwxp.exe
+ 2008-04-14 02:23:01 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
- 2006-09-25 16:58:48 23,856 ------w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-08-10 18:44:56 26,488 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2008-04-17 07:08:56 197,408 ----a-w C:\WINDOWS\system32\vpnapi.dll
+ 2005-01-26 09:22:16 75,536 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2005-01-26 09:22:20 280,344 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2005-01-26 09:22:28 124,688 ----a-w C:\WINDOWS\system32\vsinit.dll
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 405583]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"EVEREST AutoStart"="C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe" [2006-09-21 1532928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-13 C:\WINDOWS\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]
"Spyware Doctor"="C:\Programme\Spyware Doctor\swdoctor.exe" [2005-10-23 2076160]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
IEEE 802.11g Wireless LAN Utility.lnk - C:\Programme\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe [2008-06-23 610304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"msacm.dvacm"= C:\PROGRA~1\GEMEIN~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Verknüpfung mit MSD.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Verknüpfung mit MSD.lnk
backup=C:\WINDOWS\pss\Verknüpfung mit MSD.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^VPN Client.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Le Chef^Startmenü^Programme^Autostart^PPS.lnk]
path=C:\Dokumente und Einstellungen\Le Chef\Startmenü\Programme\Autostart\PPS.lnk
backup=C:\WINDOWS\pss\PPS.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-07-21 17:52 266497 C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--------- 2005-09-03 16:18 94208 C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 16:57 133016 C:\Programme\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
--a------ 2007-12-23 01:03 916240 C:\Programme\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--------- 2005-01-04 13:27 405583 C:\Programme\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Programme\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-01-22 15:15 77824 C:\Programme\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shutdown]
--a------ 2006-07-25 01:36 86016 C:\DOKUME~1\LECHEF~1\Desktop\tools\shutdown.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
--------- 2005-10-23 23:15 2076160 C:\PROGRA~1\SPYWAR~1\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Programme\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-21 13:37 185896 C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
--a------ 2007-11-22 23:49 12889088 C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 2005-01-07 18:07 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2005-06-21 09:09 90112 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"gusvc"=3 (0x3)
"SDhelper"=2 (0x2)
"ICQ Service"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"aawservice"=2 (0x2)
"ATI Smart"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Programme\\Microsoft ActiveSync\\WCESMgr.exe"=
"D:\\Spiele\\Simulationen\\skat\\GutGemischt2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\AntiVir PersonalEdition Classic\\avcenter.exe"=
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programme\\MSN Messenger\\livecall.exe"=
"C:\\Programme\\SopCast\\adv\\SopAdver.exe"=
"C:\\Programme\\SopCast\\SopCast.exe"=
"D:\\Spiele\\Shooter\\bf2\\BF2.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Programme\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Programme\\SecondLife\\SLVoice.exe"=
"D:\\Spiele\\Simulationen\\creed\\AssassinsCreed_Dx9.exe"=
"D:\\Spiele\\Simulationen\\creed\\AssassinsCreed_Dx10.exe"=
"D:\\Spiele\\Simulationen\\creed\\AssassinsCreed_Launcher.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\\Programme\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programme\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Spiele\\Simulationen\\skat\\bin\\cards.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"D:\\Spiele\\Shooter\\CoD4\\iw3mp.exe"=
"C:\\Programme\\TVAnts\\Tvants.exe"=
"C:\\Programme\\Nero\\QG44\\java.exe"=
"C:\\Programme\\Nero\\QG44\\RQQ63.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51001:TCP"= 51001:TCP:port 1
"51002:TCP"= 51002:TCP:port 2
"51003:TCP"= 51003:TCP:port 3
"51002:UDP"= 51002:UDP:port2
"51003:UDP"= 51003:UDP:port3
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"88:TCP"= 88:TCP:earth
"88:UDP"= 88:UDP:earth
"123:TCP"= 123:TCP:earth
"123:UDP"= 123:UDP:earth

R0 PDDSLHND;PDDSLHND;C:\WINDOWS\system32\drivers\PDDSLHND.sys [2005-05-05 15187]
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2008-03-14 162432]
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2008-03-14 12032]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\EVEREST Ultimate Edition 2006\kerneld.wnt [2006-08-10 11776]
R3 Ltn_stk7070P;PCTV based TV tuner device;C:\WINDOWS\system32\DRIVERS\Ltn_stk7070P.sys [2007-06-14 466048]
R3 Ltn_stkrc;PCTV Infrared Receiver;C:\WINDOWS\system32\DRIVERS\Ltn_stkrc.sys [2007-06-13 13440]
R3 NB760_XP;NB 802.11g XG762 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2005-10-28 402432]
R3 PDDSLADP;ProDyne DSL Adapter;C:\WINDOWS\system32\DRIVERS\PDDSLADP.SYS [2005-05-05 15571]
R3 Tetri5;Tetri5 driver;C:\WINDOWS\system32\Drivers\Tetri5.sys [2008-03-14 53088]
R4 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\ZDCNDIS5.sys [2005-11-11 17664]

*Newly Created Service* - EVERESTDRIVER
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 12:17:34
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\EVEREST Ultimate Edition 2006\kerneld.wnt"
.
Zeit der Fertigstellung: 2008-10-06 12:18:45
ComboFix-quarantined-files.txt 2008-10-06 10:18:42

Vor Suchlauf: 14 Verzeichnis(se), 11,591,720,960 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 11,575,418,880 Bytes frei

292 --- E O F --- 2008-10-05 22:15:47

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, October 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, October 06, 2008 13:05:11
Records in database: 1294374
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 159086
Threat name: 4
Infected objects: 7
Suspicious objects: 1
Duration of the scan: 03:23:13


File name / Threat name / Threats count
C:\Dokumente und Einstellungen\Le Chef\Eigene Dateien\Eigene Musik\My Playlists\stuff\stuffstuff\john-16w.zip Infected: HackTool.Win32.John 3
C:\Dokumente und Einstellungen\Le Chef\Eigene Dateien\Outlook.pst Infected: Trojan-Spy.HTML.Bankfraud.od 3
C:\Dokumente und Einstellungen\Le Chef\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Programme\PKR\pkr.exe Infected: not-a-virus:Monitor.Win32.PKRPoker.e 1

The selected area was scanned.

Blade81
2008-10-06, 22:15
Hi

Delete C:\Dokumente und Einstellungen\Le Chef\Eigene Dateien\Eigene Musik\My Playlists\stuff\stuffstuff\john-16w.zip file. Also, go thru your Outlook inbox & archive box and delete all suspicious email messages.

Did you disable TeaTimer as instructed? Anyway, it seems that TeaTimer is running again. To get those hjt entries permanently fixed you have to disable TeaTimer.

Also, it looks like you installed new Java but didn't uninstall previous versions yet. Please do so now.


Now let's try entry fixing again. Disable TeaTimer and this time please don't re-enable yet :)


Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {04DFD3AB-95F9-4F3D-8B3A-5BAE77971F8A} - (no file)
O2 - BHO: (no name) - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {333C4D08-1AD8-4502-B6A4-9434DF2D2A11} - (no file)
O2 - BHO: (no name) - {4507578B-4613-4CC8-BFB5-DF1448EB9D6F} - (no file)
O2 - BHO: (no name) - {5063E63B-F225-4660-9093-52F66F0F365B} - (no file)
O2 - BHO: (no name) - {54A8264B-AFFB-4614-95FE-0234817EA282} - (no file)
O2 - BHO: (no name) - {5AE9DBE7-CC16-43F3-A5A1-E7E84EBC3646} - (no file)
O2 - BHO: (no name) - {66F95BAD-EB20-4038-B2C2-613933C8ACF5} - (no file)
O2 - BHO: (no name) - {D85A260B-4A52-4498-85F4-682BACB5EEBB} - (no file)
O20 - Winlogon Notify: nnnliijG - C:\WINDOWS\

Close browsers and fix checked.

Reboot and post a fresh hjt log.

hanfman84
2008-10-06, 22:16
Hello Blade,
there have been some problems lately... After the new installation of Java i started kasparski as u told and the complete system froze at some time of the scanning process. - reset -
I tried to start kasparki again and the system froze at the moment the little kasparki-window opened. - reset -
I uninstalled Java and restarted and installed it again as tutored by you. After that kasparski worked until the end.
BUT
After posting the results and surfing around the system froze again... What is it? I can't do anything no task-manager, no alt+tab just the reset button works.
By the way Windows offered me to install SP3 - could it be fixed by installing it? I intended to wait until the system is completely free of malware.... :sad:

Blade81
2008-10-06, 22:22
Hi

Please see my response above. Installing SP3 is recommended after we've got the system clean.

hanfman84
2008-10-06, 22:43
I disabled tea timer - and it is still now
I looked for Java entries and there were Java DB 10.3.1.4, Java (TM) SE Development Kit 6 update 7 and Java (TM) 6 update 7 - i deinstalled everything except the last one... thanks for your patience :red:

new Hijack:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:37:08, on 06.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Winamp\winamp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\HijackThis\hanfman84.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Programme\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Programme\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Programme\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Programme\HiDownload\hidownload.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8785 bytes

hanfman84
2008-10-06, 23:54
I reinstalled Java 6.7, TeaTimer ist still off and the entrys in Hijackthis are fixed.... but its still freezing from time to time :sad:

Blade81
2008-10-07, 08:33
Hi

Looks like all entries didn't go. Let's try to remove those in safe mode (http://www.computerhope.com/issues/chsafe.htm#02).

While in safe mode fix following entries with hjt:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - - (no file)

Reboot back into normal mode.

Post a fresh hjt log. Does the freezing occur after some specific action or randomly? Hard drive defragmentation should be done if not done lately.

hanfman84
2008-10-07, 12:46
I couldn not find any determinants for the freezing - it seems to occur randomly. I'll try defragmentation and report what happens.

but first, the new Hijackthis (i deleted the sweet IM entries too because I deinstalled that program a long time ago):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:33, on 07.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\HijackThis\hanfman84.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Programme\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Programme\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Programme\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Programme\HiDownload\hidownload.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8329 bytes

Blade81
2008-10-07, 13:05
Ok. I'll waiting for your input. After defragging you may want to reset TeaTimer.

Reset Teatimer

* Right-click >here (http://downloads.subratam.org/ResetTeaTimer.bat)< and select "Save as" and save it without changing the name to your desktop
* Double click ResetTeaTimer.bat
* Open Spybot S&D
o Click Mode > check Advanced Mode
o Go to the left Panel and click Tools then, also in left panel, click Resident (OK any firewall prompts)
o Check the box labeled Resident Tea-Timer and OK any prompts
o Use File > Exit to terminate Spybot
* Reboot your machine for the changes to take effect
* You can now delete ResetTeaTimer.bat

hanfman84
2008-10-07, 23:45
After that day witout freezing I installed SP3 - and it happened again. It seems that it just freezes when a browser is opened (but that determinant could also be incidentally).... don't know! Could ComboFix have deleted critical files?
:oops: :fear: :oops::spider:

Blade81
2008-10-08, 07:49
Hi

I don't think ComboFix has anything to do with freezing.

Download MVPS Hosts file (http://www.mvps.org/winhelp2002/hosts.htm) and install it according to the instructions found behind the link. Reboot and post a fresh hjt log. Does the system still freeze?

hanfman84
2008-10-08, 17:45
??????? Those stupid entries are back ??????? :mad:
I reallly had anything turned off while fixing it with hjt!
It seems it reappeared when IE got started. I normally use Firefox but not my girl friend....

I installed the host file. If it still freezes I don't know because I just came back home.

new hjt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:41:16, on 08.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Trend Micro\HijackThis\hanfman84.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {04DFD3AB-95F9-4F3D-8B3A-5BAE77971F8A} - (no file)
O2 - BHO: (no name) - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {333C4D08-1AD8-4502-B6A4-9434DF2D2A11} - (no file)
O2 - BHO: (no name) - {4507578B-4613-4CC8-BFB5-DF1448EB9D6F} - (no file)
O2 - BHO: (no name) - {5063E63B-F225-4660-9093-52F66F0F365B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54A8264B-AFFB-4614-95FE-0234817EA282} - (no file)
O2 - BHO: (no name) - {5AE9DBE7-CC16-43F3-A5A1-E7E84EBC3646} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {66F95BAD-EB20-4038-B2C2-613933C8ACF5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D85A260B-4A52-4498-85F4-682BACB5EEBB} - (no file)
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Programme\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Programme\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Programme\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Programme\HiDownload\hidownload.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: nnnliijG - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 10241 bytes

Blade81
2008-10-08, 18:34
Hi

Looks like TeaTimer reset batch didn't do its job. Let's uninstall Spybot for now. Reinstall it after we've re-cleaned the entries (and I've checked those are gone).

Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {04DFD3AB-95F9-4F3D-8B3A-5BAE77971F8A} - (no file)
O2 - BHO: (no name) - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {333C4D08-1AD8-4502-B6A4-9434DF2D2A11} - (no file)
O2 - BHO: (no name) - {4507578B-4613-4CC8-BFB5-DF1448EB9D6F} - (no file)
O2 - BHO: (no name) - {5063E63B-F225-4660-9093-52F66F0F365B} - (no file)
O2 - BHO: (no name) - {54A8264B-AFFB-4614-95FE-0234817EA282} - (no file)
O2 - BHO: (no name) - {5AE9DBE7-CC16-43F3-A5A1-E7E84EBC3646} - (no file)
O2 - BHO: (no name) - {66F95BAD-EB20-4038-B2C2-613933C8ACF5} - (no file)
O2 - BHO: (no name) - {D85A260B-4A52-4498-85F4-682BACB5EEBB} - (no file)
O20 - Winlogon Notify: nnnliijG - C:\WINDOWS\

Close browsers and fix checked.

Reboot and post a fresh hjt log.

hanfman84
2008-10-08, 18:58
I deinstalled Spybot and deleted the entries. I just wanted to post the results and it froze again...

but first the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:50:14, on 08.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Trend Micro\HijackThis\hanfman84.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\EVEREST Ultimate Edition 2006\everest.exe
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Programme\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Programme\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Programme\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programme\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Programme\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Programme\HiDownload\hidownload.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8908 bytes

hanfman84
2008-10-08, 19:37
I checked it out - it also freezes when no browsers are opened. I just used my some poker-rooms and it freezed.
In my opinion the problems started after deinstalling the old javas and installing the new one.... :spider:

Blade81
2008-10-08, 19:43
Hi

Does the freezing occur only when you use Internet Explorer and after you installed latest Java version? If so, could you try uninstalling it to see if removal has any effect?

The log itself looks clear.

hanfman84
2008-10-08, 19:49
Well, I didn't have any IE-browser-windows opened when it occoured the last time.... it happened the very first time when I tried kasperski - after you instructed me to use combo fix, reinstall java and stuff... I'll try deinstalling IE but I don't expect any change. :banghead: :)

hanfman84
2008-10-08, 19:49
I started kasparski from FireFox....

Blade81
2008-10-08, 19:59
Hi

By uninstalling I meant uninstalling Java, not IE.

hanfman84
2008-10-08, 20:32
Yes, sry I'm a little confused. I uninstalled Java (and IE7 :oops:) but nothing changed - same without Java and with IE6.
I can "let it happen" when i want - i just need to run 3 or 4 of the poker applications and the system freezes (yeeehaaaa there is a constant :bighug:)

Blade81
2008-10-08, 20:40
Hi

One thing you could try is to uninstall all your poker programs. Then install one by one those you necessarily need. Test between installations whether or not freezing occurs.

hanfman84
2008-10-08, 21:27
I did uninstall all applications - it's still happening. This time just while surfing via firefox.... seems i have to "format c:" and reinstall?

hanfman84
2008-10-08, 22:14
Hi Blade, now I really found a pattern! The system freezes or runs instable when any media-playing software is on (Media player, VLC Player, Winamp). If I keep that programs off and run appz or surf nothing happens if I turn it on everything freezes and the sound keeps repeating until restart. So could it be some codecs? I have the directx9.0....

Blade81
2008-10-09, 07:27
Hi

Please check event viewer log in case there's some entries that correspond the timestamp of freezing.

To open Event Viewer, follow these steps:
1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, click Event Viewer.

The Application, Security, and System logs are displayed in the Event Viewer window.

Detailed instructions here (http://support.microsoft.com/kb/308427).

hanfman84
2008-10-11, 19:06
Hi Blade, I think we'd have figured the problem out sometimes but really don't have that much time. I formatted my boot partition and reinstalled a fresh virgin-xp... Sry for that time-waste. I apreciated your help very much!!! :)

Blade81
2008-10-12, 10:31
Ok. Main thing is that problem got sorted out :)

Since this issue appears to be resolved ... this Topic has been closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.