mdelk.exe & wintems.exe, hldrrr.exe??? help me please!

Rorschach112 · Jan 24, 2008

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe

Folder::
C:\WINDOWS\system32\drivers\down

dirlook::
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [mule_st_key] C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Blown · Jan 24, 2008

Hello

Here's the ColboFix & HJT Logs. I ran ComboFix twice because I wasn't sure if the fix was done when I exit the program. The second time the 4 entries weren't anymore, but Spy Doctor still finds hldrrr.

ComboFix 08-01-23.2 - Marina 2008-01-24 15:33:58.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.131 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Marina\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Marina\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
.
---- Previous Run -------
.
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\flec006.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\109056.exe
C:\WINDOWS\system32\drivers\down\112321.exe
C:\WINDOWS\system32\drivers\down\112561.exe
C:\WINDOWS\system32\drivers\down\114484.exe
C:\WINDOWS\system32\drivers\down\115055.exe
C:\WINDOWS\system32\drivers\down\115566.exe
C:\WINDOWS\system32\drivers\down\116727.exe
C:\WINDOWS\system32\drivers\down\117248.exe
C:\WINDOWS\system32\drivers\down\117468.exe
C:\WINDOWS\system32\drivers\down\118640.exe
C:\WINDOWS\system32\drivers\down\118780.exe
C:\WINDOWS\system32\drivers\down\118870.exe
C:\WINDOWS\system32\drivers\down\119031.exe
C:\WINDOWS\system32\drivers\down\160410.exe
C:\WINDOWS\system32\drivers\down\170975.exe
C:\WINDOWS\system32\drivers\down\171226.exe
C:\WINDOWS\system32\drivers\down\177795.exe
C:\WINDOWS\system32\drivers\down\178416.exe
C:\WINDOWS\system32\drivers\down\179478.exe
C:\WINDOWS\system32\drivers\down\181420.exe
C:\WINDOWS\system32\drivers\down\181711.exe
C:\WINDOWS\system32\drivers\down\182302.exe
C:\WINDOWS\system32\drivers\down\182522.exe
C:\WINDOWS\system32\drivers\down\183083.exe
C:\WINDOWS\system32\drivers\down\183353.exe
C:\WINDOWS\system32\drivers\down\183634.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa

-------\LEGACY_SROSA
-------\srosa

-------\LEGACY_SROSA
-------\srosa

((((((((((((((((((((((( Dateien erstellt von 2007-12-24 bis 2008-01-24 ))))))))))))))))))))))))))))))
.

2008-01-24 14:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 22:09 . 2008-01-22 22:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 22:09 . 2008-01-22 22:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-22 12:04 . 2008-01-22 12:04 <DIR> d-------- C:\Programme\Trend Micro
2008-01-19 17:47 . 2008-01-19 17:47 <DIR> d-------- C:\Deckard
2008-01-19 17:27 . 2008-01-19 17:28 <DIR> d-------- C:\totalcmd
2008-01-19 17:27 . 2008-01-19 17:42 725 --a------ C:\WINDOWS\wincmd.ini
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-18 13:52 . 2004-10-29 18:48 3,222,784 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-01-18 13:52 . 2004-10-15 10:20 458,752 --a------ C:\WINDOWS\system32\w29NCPA.dll
2008-01-18 13:42 . 2008-01-18 13:42 17,119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-18 13:41 . 2004-10-15 10:20 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.DLL
2008-01-18 13:41 . 2004-11-09 16:31 13 --a------ C:\WINDOWS\system32\drivers\verfile.tic
2008-01-18 13:38 . 2004-08-04 13:00 5,632 --a--c--- C:\WINDOWS\system32\dllcache\write.exe
2008-01-17 18:28 . 2008-01-17 18:39 <DIR> d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:28 . 2007-12-10 14:53 218,504 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-17 18:27 . 2008-01-24 15:42 <DIR> d-------- C:\Programme\Spyware Doctor
2008-01-17 18:27 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-17 18:27 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-17 18:27 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-17 18:27 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-17 16:09 . 2008-01-17 16:09 126 --a------ C:\WINDOWS\system32\mmc.exe.config
2008-01-15 10:16 . 2008-01-15 10:16 <DIR> d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02 . 2008-01-13 18:07 <DIR> d-------- C:\xaware
2008-01-13 18:02 . 2008-01-13 18:07 <DIR> d--h----- C:\Programme\Zero G Registry
2008-01-13 13:25 . 2008-01-13 13:25 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-01-13 13:25 . 2008-01-13 13:25 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 13:25 . 2008-01-13 13:28 59 --a------ C:\WINDOWS\wpd99.drv
2008-01-13 12:55 . 2008-01-13 12:55 <DIR> d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55 . 2005-01-06 18:33 119,152 --a------ C:\WINDOWS\system32\redmon.hlp
2008-01-13 12:55 . 2005-01-06 18:33 116,224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55 . 2005-01-06 18:33 45,056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:51 . 2008-01-13 12:54 <DIR> d-------- C:\Programme\gs
2008-01-06 19:08 . 2008-01-07 14:39 <DIR> d-------- C:\TreeTagger
2008-01-06 12:37 . 2008-01-06 12:42 <DIR> d-------- C:\Programme\Babylon
2008-01-06 12:15 . 2008-01-06 12:42 <DIR> d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33 . 2008-01-17 18:19 <DIR> d-------- C:\Programme\SnagIt 7
2008-01-05 11:31 . 2008-01-06 18:23 <DIR> d-------- C:\Programme\TreeTagger
2008-01-05 11:31 . 2008-01-05 11:31 115,157 --a------ C:\Programme\tree-tagger-windows-3.1.zip

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 12:09 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-01-18 12:41 --------- d-----w C:\Programme\Intel
2008-01-17 18:10 --------- d-----w C:\Programme\Altova
2008-01-17 18:07 --------- d-----w C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 15:33 --------- d-----w C:\Programme\eMule
2008-01-06 14:15 --------- d-----w C:\Programme\TRADOS
2007-12-01 13:10 --------- d-----w C:\Programme\SSH Communications Security
2006-09-28 18:31 77 ----a-w C:\Programme\Show Desktop.scf
2006-04-25 23:35 9,692,886 ----a-w C:\Programme\vlc-0.8.4a-win32.exe
2006-03-13 03:49 13,417,940 ----a-w C:\Programme\ActivePerl-5.8.7.815-MSWin32-x86-211909.msi
2006-02-03 11:32 7,993,931 ----a-w C:\Programme\vpnclient-win-is-4.7.00.0533-k9-hd.exe
2003-08-11 17:40 1,159,242 ----a-w C:\Programme\saxon.exe
2003-08-11 15:33 12,548 ----a-w C:\Programme\instant.html
2005-01-02 10:31 8 -csh--r C:\WINDOWS\system32\571AC95229.sys
2005-01-02 10:31 4,704 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m ----

2008-01-19 10:52 651264 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\data.oct
2008-01-19 10:52 6400 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\list.oct
2008-01-19 10:52 327 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m\srvlist.oct

((((((((((((((((((((((((((((( snapshot@2008-01-24_12.25.01.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 11:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-01-24\ERDNT.EXE
+ 2008-01-24 11:22:18 7,303,168 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-01-24\Users\00000001\ntuser.dat
+ 2008-01-24 11:22:19 241,664 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-01-24\Users\00000002\UsrClass.dat
- 2008-01-24 11:08:19 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 14:33:10 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 11:08:20 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 14:33:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 11:08:20 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 14:33:10 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 11:08:20 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 14:33:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 11:08:20 7,303,168 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-24 14:33:12 7,303,168 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-24 11:08:20 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 14:33:12 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38 1937408]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2004-01-23 08:03 664545]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [2004-08-06 14:04 32768]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [2004-11-11 15:13 49152]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [2004-07-26 14:52 204800]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [2004-11-23 16:01 73728]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [2004-11-26 18:49 81920]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 88361 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25 98394]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24 688218]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 21:05 344064]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2005-01-11 18:17 118926]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 19:31 180269]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2005-01-02 09:17 98304]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-24 15:38 327720]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 17:06 2997984]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27 312320]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31 356352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

SafeBoot Registrierungsschlüssel muss repariert werden. Dieser PC kann nicht im abgesicherten Modus starten.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 15:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2006-12-24 17:14]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-04-23 10:34]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2007-12-10 14:53]
R2 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2000-05-12 13:48]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []
S3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2004-10-06 14:10]
S3 TNPacket;T-Systems Nova Packet Capture Driver;C:\Programme\T-DSL SpeedManager\TNPACKET.SYS [2002-10-09 11:38]

.
Inhalt des "geplante Tasks" Ordners
"2006-09-17 19:54:51 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
- D:\Poze\Barcelona2005\CIMG0143.AVI
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 15:43:17
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.

Blown · Jan 24, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:22, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif

--
End of file - 12039 bytes

Rorschach112 · Jan 24, 2008

Looking good

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Download and run SafeBootKeyRepair-CF from:

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
or
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

It will take only a moment for it to run.
A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply

Blown · Jan 25, 2008

Kaspersky

Hello,

Kaspersky Scan's been running for 8 hours now, but the progress is only 36%. Is this normal? It found 7 viruses and 118 infected objects. Shall I let it finish?

Thank you

Rorschach112 · Jan 25, 2008

Run this instead then

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

Also do the other step in my previous instructions

Blown · Jan 25, 2008

Kaspersky & Safeboot_Repair Logs

Hello,

Kaspersky eventually finished scanning, so here are the logs:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 26, 2008 12:12:44 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/01/2008
Kaspersky Anti-Virus database records: 532201
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 124803
Number of viruses found: 7
Number of infected objects: 118
Number of suspicious objects: 0
Duration of the scan process: 10:57:05

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Dr Watson\drwtsn32.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\muvee Technologies\030625\0237\0192\values Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon\log_file.txt Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temp\~DF300E.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\3T0YMLGU\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\B7IXU7DM\b64[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\B7IXU7DM\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ULAKYBYB\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008012520080126\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\ntuser.dat Object is locked skipped
C:\Dokumente und Einstellungen\Marina\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\Programme\Save\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\Programme\Save\Save.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\Programme\Save\SaveNowupdate.exe/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\SaveNowupdate.exe/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\SaveNowupdate.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\SaveNowupdate.exe EmbeddedCAB: infected - 3 skipped
C:\Programme\Save\Saveupdate.exe/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\Saveupdate.exe/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\Saveupdate.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped
C:\Programme\Save\Saveupdate.exe EmbeddedCAB: infected - 3 skipped
C:\Programme\Spyware Doctor\NetworkLayer\InterfaceDLL.txt Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\109056.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\112561.exe.vir Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\114484.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\115055.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\160410.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\171226.exe.vir Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\177795.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\178416.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-01-24_150759.29.zip/flec006.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-01-24_150759.29.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\QooBox\Quarantine\catchme2008-01-24_150759.29.zip ZIP: infected - 2 skipped
C:\QooBox\Quarantine\catchme2008-01-24_154249.85.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\QooBox\Quarantine\catchme2008-01-24_154249.85.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\Registry_backups\LEGACY_SROSA.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\QooBox\Quarantine\Registry_backups\services_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP240\A0093705.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP243\A0096035.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP243\A0096036.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096439.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096440.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096447.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096448.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096449.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096465.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096524.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096525.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096634.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096635.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096765.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096766.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096812.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096881.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096882.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096896.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096897.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP247\A0096910.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP248\A0096973.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP248\A0097019.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP248\A0097042.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP248\A0097043.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0097077.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0097078.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0097093.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0098077.exe Infected: Email-Worm.Win32.Bagle.of skipped

Blown · Jan 25, 2008

continued

C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP249\A0098078.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098168.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098169.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098171.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098172.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098173.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098176.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098177.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098179.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098180.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098193.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098195.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098196.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098197.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098198.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098202.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098207.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098209.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098212.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098215.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098229.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098231.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098232.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098236.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098243.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098245.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098246.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098258.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098356.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098358.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098359.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098360.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098369.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098370.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098373.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098374.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098375.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098376.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098377.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0098378.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP250\A0099420.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP251\A0099459.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099504.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099506.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099507.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099508.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099517.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099519.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099520.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP252\A0099521.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\A0099645.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\A0100645.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\A0100646.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\A0100661.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{586CC8E9-3CC5-410D-A14C-81EE23D99D0B}\RP253\change.log Object is locked skipped
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\system32\drivers\down\14599212.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\255457.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\WINDOWS\system32\drivers\down\260644.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\262507.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\spnserv.dat Object is locked skipped
C:\WINDOWS\Temp\spserv.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

-------

Blown · Jan 25, 2008

Safeboot Log

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

Rorschach112 · Jan 25, 2008

Hello

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
```
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Save
C:\WINDOWS\system32\drivers\down
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
```
purity
```
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Also post a new DSS log and tell me how your PC is running

Blown · Jan 25, 2008

OTMoveIt2 Log

Here's the move it result.

As for the ATF Cleaner: it terminates immediately after I run it. It just flashes and disapears.

Also: I'm using Firefox now, but I used Explorer before things went wrong... Can I choose both? and how do I make it run properly?

----------------------

C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe moved successfully.
C:\Programme\Save moved successfully.
C:\WINDOWS\system32\drivers\down moved successfully.
[Custom Input]
< purity >

OTMoveIt2 v1.0.14 log created on 01262008_004215

Rorschach112 · Jan 25, 2008

How is your PC running now

Any problems ?

Blown · Jan 26, 2008

Now ATF Cleaner works, but what do I choose?
will "Main" -> select all -> work for IExplorer?

Spy Doctor's still complaining...

here's the HJT log:

Deckard's System Scanner v20071014.68
Run by Marina on 2008-01-26 01:04:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Marina.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:04, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Marina\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Marina.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif

Blown · Jan 26, 2008

DSS log continued

--
End of file - 12282 bytes

-- Files created between 2007-12-26 and 2008-01-26 -----------------------------

2008-01-24 22:25:35 70660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-24 18:29:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-22 12:04:08 0 d-------- C:\Programme\Trend Micro
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-19 17:27:50 0 d-------- C:\totalcmd
2008-01-18 13:42:52 17119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
2008-01-18 13:41:38 1654784 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data\PC Tools
2008-01-17 18:28:01 0 d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:27:48 0 d-------- C:\Programme\Spyware Doctor
2008-01-15 10:16:13 0 d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02:24 0 d-------- C:\xaware
2008-01-13 18:02:24 0 d--h----- C:\Programme\Zero G Registry
2008-01-13 18:01:26 0 d--h----- C:\Dokumente und Einstellungen\Marina\InstallAnywhere
2008-01-13 13:25:48 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-13 13:25:48 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 12:55:24 45056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:55:24 116224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55:22 0 d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55:22 0 d-------- C:\Dokumente und Einstellungen\All Users\FreePDF
2008-01-13 12:51:46 0 d-------- C:\Programme\gs
2008-01-06 19:08:48 0 d-------- C:\TreeTagger
2008-01-06 12:37:17 0 d-------- C:\Programme\Babylon
2008-01-06 12:15:45 0 d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33:50 0 d-------- C:\Programme\SnagIt 7
2008-01-05 11:31:54 0 d-------- C:\Programme\TreeTagger

-- Find3M Report ---------------------------------------------------------------

2008-01-26 00:39:34 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Skype
2008-01-25 12:38:53 0 d--h----- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m
2008-01-24 14:35:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon
2008-01-24 11:40:55 42766 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\wklnhst.dat
2008-01-20 13:35:28 0 d-------- C:\Programme\Gemeinsame Dateien
2008-01-19 15:03:21 86992 --a----c- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-01-19 13:09:15 0 d--h----- C:\Programme\InstallShield Installation Information
2008-01-18 13:43:28 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Intel
2008-01-18 13:41:32 0 d-------- C:\Programme\Intel
2008-01-18 13:38:43 400786 --a------ C:\WINDOWS\system32\perfh007.dat
2008-01-18 13:38:43 69040 --a------ C:\WINDOWS\system32\perfc007.dat
2008-01-18 13:38:35 0 d-------- C:\Programme\Windows NT
2008-01-17 19:10:37 0 d-------- C:\Programme\Altova
2008-01-17 19:07:02 0 d-------- C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 18:27:48 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\PC Tools
2008-01-17 16:33:39 0 d-------- C:\Programme\eMule
2008-01-13 13:29:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\pdf995
2008-01-06 15:15:34 0 d-------- C:\Programme\TRADOS
2008-01-05 20:56:52 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Trados
2008-01-05 11:31:48 115157 --a------ C:\Programme\tree-tagger-windows-3.1.zip
2007-12-20 18:20:03 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Adobe
2007-12-01 14:10:02 0 d-------- C:\Programme\SSH Communications Security
2007-11-23 15:23:06 86016 --a------ C:\WINDOWS\system32\LinkDropHandler.dll <Not Verified; Altova GmbH; Shortcut Drop Handler Shell Extension>
2007-11-23 15:16:22 491520 -ra------ C:\WINDOWS\system32\XmlSpyLib.dll <Not Verified; ; XmlSpyLib Dynamic Link Library>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [2004-08-06 14:04]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [2004-11-11 15:13]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [2004-07-26 14:52]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [2004-11-23 16:01]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [2003-09-16 14:28]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [2004-11-26 18:49]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 21:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2005-01-11 18:17]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 19:31]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2005-01-02 09:17]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 19:38]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 17:06]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 18:55:44]
Cisco Systems VPN Client.lnk - C:\Programme\Cisco Systems\VPN Client\vpngui.exe [2006-02-24 14:58:47]
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

-- End of Deckard's System Scanner: finished at 2008-01-26 01:05:47 ------------

Rorschach112 · Jan 26, 2008

Ignore Spyware Doctor it is useless

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
```
C:\WINDOWS\system32\mdelk.exe
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
```
purity
```
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

will "Main" -> select all -> work for IExplorer?

Yes

Post a new DSS log after that

Blown · Jan 26, 2008

Done! I think it worked

The useless Doctor didn'z complain either

This feels so goooooood!!!!

What do you think? looks good?

Deckard's System Scanner v20071014.68
Run by Marina on 2008-01-26 01:18:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Marina.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:18, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\System32\svchost.exe
C:\Dokumente und Einstellungen\Marina\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Marina.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif

--
End of file - 12201 bytes

-- Files created between 2007-12-26 and 2008-01-26 -----------------------------

2008-01-24 22:25:35 70660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-24 18:29:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-22 12:04:08 0 d-------- C:\Programme\Trend Micro
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-19 17:27:50 0 d-------- C:\totalcmd
2008-01-18 13:42:52 17119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
2008-01-18 13:41:38 1654784 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data\PC Tools
2008-01-17 18:28:01 0 d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:27:48 0 d-------- C:\Programme\Spyware Doctor
2008-01-15 10:16:13 0 d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02:24 0 d-------- C:\xaware
2008-01-13 18:02:24 0 d--h----- C:\Programme\Zero G Registry
2008-01-13 18:01:26 0 d--h----- C:\Dokumente und Einstellungen\Marina\InstallAnywhere
2008-01-13 13:25:48 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-13 13:25:48 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 12:55:24 45056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:55:24 116224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55:22 0 d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55:22 0 d-------- C:\Dokumente und Einstellungen\All Users\FreePDF
2008-01-13 12:51:46 0 d-------- C:\Programme\gs
2008-01-06 19:08:48 0 d-------- C:\TreeTagger
2008-01-06 12:37:17 0 d-------- C:\Programme\Babylon
2008-01-06 12:15:45 0 d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33:50 0 d-------- C:\Programme\SnagIt 7
2008-01-05 11:31:54 0 d-------- C:\Programme\TreeTagger

-- Find3M Report ---------------------------------------------------------------

2008-01-26 01:15:46 0 d--h----- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m
2008-01-26 00:39:34 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Skype
2008-01-24 14:35:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon
2008-01-24 11:40:55 42766 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\wklnhst.dat
2008-01-20 13:35:28 0 d-------- C:\Programme\Gemeinsame Dateien
2008-01-19 15:03:21 86992 --a----c- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-01-19 13:09:15 0 d--h----- C:\Programme\InstallShield Installation Information
2008-01-18 13:43:28 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Intel
2008-01-18 13:41:32 0 d-------- C:\Programme\Intel
2008-01-18 13:38:43 400786 --a------ C:\WINDOWS\system32\perfh007.dat
2008-01-18 13:38:43 69040 --a------ C:\WINDOWS\system32\perfc007.dat
2008-01-18 13:38:35 0 d-------- C:\Programme\Windows NT
2008-01-17 19:10:37 0 d-------- C:\Programme\Altova
2008-01-17 19:07:02 0 d-------- C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 18:27:48 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\PC Tools
2008-01-17 16:33:39 0 d-------- C:\Programme\eMule
2008-01-13 13:29:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\pdf995
2008-01-06 15:15:34 0 d-------- C:\Programme\TRADOS
2008-01-05 20:56:52 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Trados
2008-01-05 11:31:48 115157 --a------ C:\Programme\tree-tagger-windows-3.1.zip
2007-12-20 18:20:03 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Adobe
2007-12-01 14:10:02 0 d-------- C:\Programme\SSH Communications Security
2007-11-23 15:23:06 86016 --a------ C:\WINDOWS\system32\LinkDropHandler.dll <Not Verified; Altova GmbH; Shortcut Drop Handler Shell Extension>
2007-11-23 15:16:22 491520 -ra------ C:\WINDOWS\system32\XmlSpyLib.dll <Not Verified; ; XmlSpyLib Dynamic Link Library>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

Blown · Jan 26, 2008

DSS log continued

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [2004-08-06 14:04]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [2004-11-11 15:13]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [2004-07-26 14:52]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [2004-11-23 16:01]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [2003-09-16 14:28]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [2004-11-26 18:49]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 21:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2005-01-11 18:17]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 19:31]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2005-01-02 09:17]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 19:38]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 17:06]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 18:55:44]
Cisco Systems VPN Client.lnk - C:\Programme\Cisco Systems\VPN Client\vpngui.exe [2006-02-24 14:58:47]
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

-- End of Deckard's System Scanner: finished at 2008-01-26 01:19:39 ------------

Rorschach112 · Jan 26, 2008

One file is refusing to go

Can you run IceSword.exe again

Click File then navigate and delete the file in bold

C:\WINDOWS\system32\mdelk.exe

Tell me how that goes and send a new DSS log

Blown · Jan 26, 2008

It's gone!!!!!!!!!!????????

Deckard's System Scanner v20071014.68
Run by Marina on 2008-01-26 01:36:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Marina.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:36, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Wistron\AVManager\AVManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Marina\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Marina.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programme\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2007\spy.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: ????????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: ????????? ???????? - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104261081168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://www.trm.md/radiom/antena.gif

--
End of file - 12243 bytes

Blown · Jan 26, 2008

-- Files created between 2007-12-26 and 2008-01-26 -----------------------------

2008-01-24 18:29:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-22 12:04:08 0 d-------- C:\Programme\Trend Micro
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\UC.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-19 17:27:51 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-19 17:27:50 0 d-------- C:\totalcmd
2008-01-18 13:42:52 17119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
2008-01-18 13:41:38 1654784 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data
2008-01-17 18:38:53 0 d-------- C:\Dokumente und Einstellungen\All Users\Application Data\PC Tools
2008-01-17 18:28:01 0 d-------- C:\Programme\Gemeinsame Dateien\PC Tools
2008-01-17 18:27:48 0 d-------- C:\Programme\Spyware Doctor
2008-01-15 10:16:13 0 d-------- C:\Programme\Microsoft.NET
2008-01-13 18:02:24 0 d-------- C:\xaware
2008-01-13 18:02:24 0 d--h----- C:\Programme\Zero G Registry
2008-01-13 18:01:26 0 d--h----- C:\Dokumente und Einstellungen\Marina\InstallAnywhere
2008-01-13 13:25:48 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-13 13:25:48 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-13 12:55:24 45056 --a------ C:\WINDOWS\system32\unredmon.exe
2008-01-13 12:55:24 116224 --a------ C:\WINDOWS\system32\redmonnt.dll
2008-01-13 12:55:22 0 d-------- C:\Programme\FreePDF_XP
2008-01-13 12:55:22 0 d-------- C:\Dokumente und Einstellungen\All Users\FreePDF
2008-01-13 12:51:46 0 d-------- C:\Programme\gs
2008-01-06 19:08:48 0 d-------- C:\TreeTagger
2008-01-06 12:37:17 0 d-------- C:\Programme\Babylon
2008-01-06 12:15:45 0 d-------- C:\Programme\Babylon_didnt_work
2008-01-05 21:33:50 0 d-------- C:\Programme\SnagIt 7
2008-01-05 11:31:54 0 d-------- C:\Programme\TreeTagger

-- Find3M Report ---------------------------------------------------------------

2008-01-26 01:15:46 0 d--h----- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\m
2008-01-26 00:39:34 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Skype
2008-01-24 14:35:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Babylon
2008-01-24 11:40:55 42766 --a------ C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\wklnhst.dat
2008-01-20 13:35:28 0 d-------- C:\Programme\Gemeinsame Dateien
2008-01-19 15:03:21 86992 --a----c- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-01-19 13:09:15 0 d--h----- C:\Programme\InstallShield Installation Information
2008-01-18 13:43:28 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Intel
2008-01-18 13:41:32 0 d-------- C:\Programme\Intel
2008-01-18 13:38:43 400786 --a------ C:\WINDOWS\system32\perfh007.dat
2008-01-18 13:38:43 69040 --a------ C:\WINDOWS\system32\perfc007.dat
2008-01-18 13:38:35 0 d-------- C:\Programme\Windows NT
2008-01-17 19:10:37 0 d-------- C:\Programme\Altova
2008-01-17 19:07:02 0 d-------- C:\Programme\Gemeinsame Dateien\Altova
2008-01-17 18:27:48 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\PC Tools
2008-01-17 16:33:39 0 d-------- C:\Programme\eMule
2008-01-13 13:29:38 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\pdf995
2008-01-06 15:15:34 0 d-------- C:\Programme\TRADOS
2008-01-05 20:56:52 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Trados
2008-01-05 11:31:48 115157 --a------ C:\Programme\tree-tagger-windows-3.1.zip
2007-12-20 18:20:03 0 d-------- C:\Dokumente und Einstellungen\Marina\Anwendungsdaten\Adobe
2007-12-01 14:10:02 0 d-------- C:\Programme\SSH Communications Security
2007-11-23 15:23:06 86016 --a------ C:\WINDOWS\system32\LinkDropHandler.dll <Not Verified; Altova GmbH; Shortcut Drop Handler Shell Extension>
2007-11-23 15:16:22 491520 -ra------ C:\WINDOWS\system32\XmlSpyLib.dll <Not Verified; ; XmlSpyLib Dynamic Link Library>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl]
"LaunchAp"="C:\Programme\Launch Manager\LaunchAp.exe" [2004-08-06 14:04]
"HotkeyApp"="C:\Programme\Launch Manager\HotkeyApp.exe" [2004-11-11 15:13]
"LMgrOSD"="C:\Programme\Launch Manager\OSD.exe" [2004-07-26 14:52]
"Wbutton"="C:\Programme\Launch Manager\Wbutton.exe" [2004-11-23 16:01]
"CtrlVol"="C:\Programme\Launch Manager\CtrlVol.exe" [2003-09-16 14:28]
"AVManager"="C:\Programme\Wistron\AVManager\AVManager.exe" [2004-11-26 18:49]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 21:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"RemoteControl"="C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2005-01-11 18:17]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 19:31]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2005-01-02 09:17]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 19:38]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Babylon Client"="C:\Programme\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 17:06]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27]
"ISTray"="C:\Programme\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

C:\Dokumente und Einstellungen\Marina\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - C:\Programme\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 18:55:44]
Cisco Systems VPN Client.lnk - C:\Programme\Cisco Systems\VPN Client\vpngui.exe [2006-02-24 14:58:47]
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programme\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

-- End of Deckard's System Scanner: finished at 2008-01-26 01:37:28 ------------

mdelk.exe & wintems.exe, hldrrr.exe??? help me please!

Retired Security Volunteer

New member

New member

Retired Security Volunteer

New member

Retired Security Volunteer

New member

New member

New member

Retired Security Volunteer

New member

Retired Security Volunteer

New member

New member

Retired Security Volunteer

New member

New member

Retired Security Volunteer

New member

New member