1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Active VISTA / Got some trojans

Discussion in 'Malware and Virus Removal Archive' started by Eledris, 2009/08/05.

  1. 2009/08/05
    Eledris

    Eledris Inactive Thread Starter

    Joined:
    2008/07/12
    Messages:
    15
    Likes Received:
    0
    [Active] VISTA / Got some trojans

    Hey folks,

    I have a notebook here from a friend of mine and it seems she has caught some trojans.

    I already ran "Malwarebytes Anti Malware" and afterwards Kaspersky and Panda Active Scan. Both of the online scanners had detections so I'm pretty sure that the infection is not totally cleaned yet.

    Also her Antivirus ( free avivas antivir ) is not able to start up. The system tray icon shows but the umbrella does not "open up "


    I'll attach DDS Logs, Malware's and Pandas Log.
    Sorry for the updating processes shown in the DDS Attach logfile - but Vista just proposed that there are updates available :)
    Sorry again for the malware log in German. I can do a new one with language english if neccessary.

    Thanks for all your help in advance,

    Eledris

    DDS

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by silke at 19:19:05,46 on 05.08.2009
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.49.1031.18.764.110 [GMT 2:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\System32\svchost.exe -k Cognizance
    C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    C:\windows\system32\svchost.exe -k rpcss
    C:\windows\System32\svchost.exe -k secsvcs
    C:\windows\system32\Ati2evxx.exe
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k GPSvcGroup
    C:\windows\system32\SLsvc.exe
    C:\windows\servicing\TrustedInstaller.exe
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\Hpservice.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\WLANExt.exe
    C:\windows\system32\taskeng.exe
    C:\windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    C:\windows\system32\AEADISRV.EXE
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\windows\system32\svchost.exe -k bthsvcs
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\Windows Live\Family Safety\fsssvc.exe
    c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\windows\System32\svchost.exe -k HPZ12
    C:\windows\System32\svchost.exe -k HPZ12
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\windows\System32\svchost.exe -k WerSvcGroup
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\windows\system32\taskeng.exe
    c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Windows Live\Family Safety\fsui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\Avira\AntiVir Desktop\update.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
    C:\windows\system32\SearchProtocolHost.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\Users\silke\Desktop\dds.scr
    C:\windows\system32\conime.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/webhp?hl=de
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: BHO_Startup Class: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
    BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    BHO: Windows Live Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [COMPEACH] "c:\programdata\Ford Lite Lite.v3kgv5 "
    uRun: [Start hide inside slow] "c:\programdata\Draw Aim Bib.yfs2xu8 "
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe "
    mRun: [<NO NAME>]
    mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe "
    mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
    mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe "
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\soundmax.exe /tray
    mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Bild an &Bluetooth-Gerät senden... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Seite an &Bluetooth-Gerät senden... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUpldde-de.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    AppInit_DLLs: APSHook.dll
    LSA: Notification Packages = scecli ASWLNPkg

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-8-3 28544]
    R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2008-5-30 51376]
    R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-5-30 12928]
    R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-5-30 12496]
    R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-16 182576]
    R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\avira\antivir desktop\sched.exe [2009-7-4 108289]
    R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-1-21 21504]
    R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-1-21 21504]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-2-21 55280]
    R2 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
    R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2008-6-2 18944]
    R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2008-5-30 256512]
    R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2008-7-23 77824]
    R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-4-7 24936]
    R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-7-23 193840]
    S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe --> c:\windows\system32\rpcnetp.exe [?]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-21 179712]

    =============== Created Last 30 ================

    2009-08-03 20:04 28,544 a------- c:\windows\system32\drivers\pavboot.sys
    2009-08-03 20:04 <DIR> --d----- c:\program files\Panda Security
    2009-08-03 19:40 <DIR> --d----- c:\users\silke\appdata\roaming\Malwarebytes
    2009-08-03 19:40 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 19:40 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-08-03 19:40 <DIR> --d----- c:\programdata\Malwarebytes
    2009-08-03 19:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-08-03 19:40 <DIR> --d----- c:\progra~2\Malwarebytes
    2009-08-03 19:37 1,383,424 a------- c:\windows\system32\mshtml.tlb
    2009-07-15 08:59 289,792 a------- c:\windows\system32\atmfd.dll
    2009-07-15 08:59 156,672 a------- c:\windows\system32\t2embed.dll
    2009-07-15 08:59 72,704 a------- c:\windows\system32\fontsub.dll
    2009-07-15 08:59 10,240 a------- c:\windows\system32\dciman32.dll

    ==================== Find3M ====================

    2009-08-03 19:57 17,408 a------- c:\windows\system32\rpcnetp.dll
    2009-07-18 18:06 827,904 a------- c:\windows\system32\wininet.dll
    2009-07-18 18:01 78,336 a------- c:\windows\system32\ieencode.dll
    2009-07-18 11:46 26,624 a------- c:\windows\system32\ieUnatt.exe
    2009-07-04 16:18 664,606 a------- c:\windows\system32\perfh007.dat
    2009-07-04 16:18 142,962 a------- c:\windows\system32\perfc007.dat
    2009-06-30 15:36 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryReplaceNew.exe
    2009-06-30 15:10 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryNoTravel.exe
    2009-06-30 15:03 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryAccessories.exe
    2009-06-30 12:44 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryWeakNew.exe
    2009-06-26 18:36 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryUpgrade.exe
    2009-05-12 18:45 51,200 a------- c:\windows\inf\infpub.dat
    2009-05-12 18:45 143,360 a------- c:\windows\inf\infstrng.dat
    2009-05-12 18:45 86,016 a------- c:\windows\inf\infstor.dat
    2009-05-11 19:51 44,544 a------- c:\windows\system32\agremove.exe
    2009-02-03 17:51 665,600 a------- c:\windows\inf\drvindex.dat
    2008-04-16 16:58 36,916 a------- c:\windows\inf\perflib\0407\perfd.dat
    2008-04-16 16:58 36,916 a------- c:\windows\inf\perflib\0407\perfc.dat
    2008-04-16 16:58 290,748 a------- c:\windows\inf\perflib\0407\perfi.dat
    2008-04-16 16:58 290,748 a------- c:\windows\inf\perflib\0407\perfh.dat
    2008-01-21 04:57 174 a--sh--- c:\program files\desktop.ini
    2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 19:20:53,30 ===============


    DDS attach

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume1
    Install Date: 31.12.2008 12:11:22
    System Uptime: 08.05.2009 19:09:47 (2136 hours ago)

    Motherboard: Hewlett-Packard | | 30E4
    Processor: AMD Athlon(tm)X2 DualCore QL-60 | Unknown | 1000/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 223 GiB total, 197,806 GiB free.
    D: is FIXED (NTFS) - 9 GiB total, 1,889 GiB free.
    E: is CDROM ()
    F: is FIXED (FAT32) - 1 GiB total, 0,995 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================


    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office system
    32 Bit HP CIO Components Installer
    ActivClient 6.1 x86
    ActiveCheck component for HP Active Support Library
    Adobe Flash Player ActiveX
    Agere Systems HDA Modem
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Install Manager
    Avira AntiVir Personal - Free Antivirus
    BIOS Configuration for HP ProtectTools
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Choice Guard
    Credential Manager for HP ProtectTools
    Drive Encryption for HP ProtectTools
    ESU for Microsoft Vista SP1
    Favorit
    File Sanitizer For HP ProtectTools
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP 3D DriveGuard
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP Easy Setup - Frontend
    HP Integrated Module with Bluetooth wireless technology 6.0.1.6202
    HP JavaCard for HP ProtectTools
    HP ProtectTools Security Manager
    HP ProtectTools Security Manager Suite
    HP Quick Launch Buttons 6.40 E1
    HP Software Setup 5.00.A.7
    HP Update
    HP User Guides 0108
    HP Wallpaper
    HP Webcam
    HP Webcam Application
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    InterVideo DVD Check
    InterVideo Register Manager
    InterVideo WinDVD
    Java(TM) 6 Update 6
    Junk Mail filter update
    LightScribe System Software 1.12.37.1
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB929729)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Office Access MUI (Dutch) 2007
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access MUI (French) 2007
    Microsoft Office Access MUI (German) 2007
    Microsoft Office Access MUI (Italian) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel 2007 Help - Aggiornamento (KB963678)
    Microsoft Office Excel MUI (Dutch) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (French) 2007
    Microsoft Office Excel MUI (German) 2007
    Microsoft Office Excel MUI (Italian) 2007
    Microsoft Office Language Pack 2007 Service Pack 1 (SP1)
    Microsoft Office Live Add-in 1.3
    Microsoft Office Outlook 2007 Help - Aggiornamento (KB963677)
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (Dutch) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Outlook MUI (French) 2007
    Microsoft Office Outlook MUI (German) 2007
    Microsoft Office Outlook MUI (Italian) 2007
    Microsoft Office Powerpoint 2007 Help - Aggiornamento (KB963669)
    Microsoft Office PowerPoint MUI (Dutch) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (French) 2007
    Microsoft Office PowerPoint MUI (German) 2007
    Microsoft Office PowerPoint MUI (Italian) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (Arabic) 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Italian) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (Dutch) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (French) 2007
    Microsoft Office Proofing (German) 2007
    Microsoft Office Proofing (Italian) 2007
    Microsoft Office Publisher MUI (Dutch) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Publisher MUI (French) 2007
    Microsoft Office Publisher MUI (German) 2007
    Microsoft Office Publisher MUI (Italian) 2007
    Microsoft Office Shared MUI (Dutch) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (French) 2007
    Microsoft Office Shared MUI (German) 2007
    Microsoft Office Shared MUI (Italian) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word 2007 Help - Aggiornamento (KB963665)
    Microsoft Office Word MUI (Dutch) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (French) 2007
    Microsoft Office Word MUI (German) 2007
    Microsoft Office Word MUI (Italian) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mise à jour Microsoft Office Excel 2007 Help (KB963678)
    Mise à jour Microsoft Office Outlook 2007 Help (KB963677)
    Mise à jour Microsoft Office Powerpoint 2007 Help (KB963669)
    Mise à jour Microsoft Office Word 2007 Help (KB963665)
    MSVCRT
    Panda ActiveScan 2.0
    Picasa 3
    QuickTime
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB969679)
    Security Update for Microsoft Office Excel 2007 (KB969682)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Skins
    SoundMAX
    Synaptics Pointing Device Driver
    Update für Microsoft Office Excel 2007 Help (KB963678)
    Update für Microsoft Office Outlook 2007 Help (KB963677)
    Update für Microsoft Office Powerpoint 2007 Help (KB963669)
    Update für Microsoft Office Word 2007 Help (KB963665)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB969907)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb971933)
    Update voor Microsoft Office Excel 2007 Help (KB963678)
    Update voor Microsoft Office Powerpoint 2007 Help (KB963669)
    Update voor Microsoft Office Word 2007 Help (KB963665)
    Vista Default Settings
    Windows Live-Uploadtool
    Windows Live Anmelde-Assistent
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Fotogalerie
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sync
    Windows Live Writer

    ==== End Of File ===========================
    [/CODE]

    Malwares
    Code:
    Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2551
Windows 6.0.6001 Service Pack 1

03.08.2009 19:53:15
mbam-log-2009-08-03 (19-53-15).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 89514
Laufzeit: 9 minute(s), 30 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qimgkuy (Trojan.Agent.H) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\Users\silke\AppData\Local\qimgkuy.exe (Trojan.Agent.H) -> Delete on reboot.


[B]Panda[/B]
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-03 22:15:03
PROTECTIONS: 1
MALWARE: 10
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;===================================================================================================================================================================================
Windows Defender                             1.1.1505.0                    No        Yes
;===================================================================================================================================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===================================================================================================================================================================================
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Local\Temp\Low\Cookies\silke@doubleclick[1].txt
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@doubleclick[1].txt
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\silke@atdmt[2].txt
00145393  Cookie/Tradedoubler                TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@tradedoubler[2].txt
00145393  Cookie/Tradedoubler                TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Local\Temp\Low\Cookies\silke@tradedoubler[1].txt
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@tribalfusion[1].txt
00145738  Cookie/Mediaplex                   TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@mediaplex[2].txt
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@ad.yieldmanager[1].txt
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@apmebf[1].txt
00168109  Cookie/Adtech                      TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Local\Temp\Low\Cookies\silke@adtech[1].txt
00170304  Cookie/WebtrendsLive               TrackingCookie      No        0         Yes            No           C:\Users\silke\AppData\Local\Temp\Low\Cookies\silke@statse.webtrendslive[2].txt
03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           C:\Users\silke\AppData\Local\gocic.exe
;===================================================================================================================================================================================
SUSPECTS
Sent      Location                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ����8�9
;===================================================================================================================================================================================
No        C:\Users\silke\AppData\Local\cmmoe.exe                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ����8�9
No        C:\Windows\System32\autochk.exe                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       ����8�9
No        C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id        Severity   Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ����8�9
;===================================================================================================================================================================================
;===================================================================================================================================================================================
     
    Eledris,
    #1
  2. 2009/08/05
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    No need for CODE tags - they make the logs very difficult to read.
     
    PeteC,
    #2


  3. to hide this advert.

  4. 2009/08/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
    broni,
    #3
  5. 2009/08/06
    Eledris

    Eledris Inactive Thread Starter

    Joined:
    2008/07/12
    Messages:
    15
    Likes Received:
    0
    Hi Broni,

    thanks for your quick reply. Enclosed please find the two log files.

    Should I uninstall and reinstall avivas antivir, as it is not able to activate ?

    Greetz,

    Eledris

    Hijackthis
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:04:42, on 06.08.2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Normal

    Running processes:
    C:\windows\system32\taskeng.exe
    C:\windows\system32\Dwm.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Windows Live\Family Safety\fsui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\windows\system32\conime.exe
    C:\windows\system32\wuauclt.exe
    C:\windows\Explorer.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\windows\system32\SearchFilterHost.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll
    O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe "
    O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe "
    O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [COMPEACH] "C:\ProgramData\Ford Lite Lite.v3kgv5 "
    O4 - HKCU\..\Run: [Start hide inside slow] "C:\ProgramData\Draw Aim Bib.yfs2xu8 "
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O13 - Gopher Prefix:
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUpldde-de.cab
    O20 - AppInit_DLLs: C:\Windows\System32\APSHook.dll
    O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
    O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\windows\system32\Hpservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 10155 bytes
    ComboFix
    ComboFix 09-08-04.04 - silke 06.08.2009 20:45.1.2 - NTFSx86
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.49.1031.18.764.189 [GMT 2:00]
    ausgeführt von:: c:\users\silke\Desktop\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-2559858821-157603045-3620735659-500
    c:\$recycle.bin\S-1-5-21-70900338-3400025044-3150093166-500
    c:\users\silke\AppData\Local\eeiac.dat
    c:\users\silke\AppData\Local\eeiac_nav.dat
    c:\users\silke\AppData\Local\eeiac_navps.dat
    c:\users\silke\AppData\Local\iuyeagg.dat
    c:\users\silke\AppData\Local\iuyeagg_nav.dat
    c:\users\silke\AppData\Local\iuyeagg_navps.dat
    c:\users\silke\AppData\Local\qimgkuy.dat
    c:\users\silke\AppData\Local\qimgkuy_navps.dat
    c:\windows\Installer\53523050.msi


    .
    ((((((((((((((((((((((( Dateien erstellt von 2009-07-06 bis 2009-08-06 ))))))))))))))))))))))))))))))
    .

    2009-08-06 18:56 . 2009-08-06 18:57 -------- d-----w- c:\users\silke\AppData\Local\temp
    2009-08-06 18:56 . 2009-08-06 18:56 -------- d-----w- c:\users\Default\AppData\Local\temp
    2009-08-05 17:43 . 2009-08-05 17:43 17408 ----a-w- c:\windows\system32\rpcnetp.exe
    2009-08-03 20:17 . 2009-08-03 20:17 -------- d-----w- c:\windows\Sun
    2009-08-03 18:04 . 2008-06-19 15:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-08-03 18:04 . 2009-08-03 18:04 -------- d-----w- c:\program files\Panda Security
    2009-08-03 17:40 . 2009-08-03 17:40 -------- d-----w- c:\users\silke\AppData\Roaming\Malwarebytes
    2009-08-03 17:40 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 17:40 . 2009-08-03 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-03 17:40 . 2009-08-03 17:40 -------- d-----w- c:\programdata\Malwarebytes
    2009-08-03 17:40 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-23 15:10 . 2009-08-03 17:30 90 ----a-w- c:\users\silke\AppData\Local\kesyu.bat
    2009-07-15 06:59 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
    2009-07-15 06:59 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
    2009-07-15 06:59 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
    2009-07-15 06:59 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
    2009-07-08 06:52 . 2009-07-08 06:52 552 ----a-w- c:\users\silke\AppData\Local\d3d8caps.dat

    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-05 17:44 . 2008-07-23 12:49 -------- d-----w- c:\programdata\hpqLog
    2009-08-05 17:44 . 2009-05-12 17:18 17408 ----a-w- c:\windows\system32\rpcnetp.dll
    2009-08-05 17:42 . 2008-12-31 11:10 12 ----a-w- c:\windows\bthservsdp.dat
    2009-08-05 17:29 . 2009-07-03 22:04 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-08-05 17:10 . 2009-02-02 18:24 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-18 16:06 . 2009-08-03 17:38 827904 ----a-w- c:\windows\system32\wininet.dll
    2009-07-18 16:01 . 2009-08-03 17:38 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-07-18 09:46 . 2009-08-03 17:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-07-16 07:20 . 2009-05-15 06:03 88 ----a-w- c:\users\silke\AppData\Local\miisumi.bat
    2009-07-16 00:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2009-07-16 00:08 . 2008-07-23 13:16 -------- d-----w- c:\programdata\Microsoft Help
    2009-07-04 14:23 . 2009-07-04 14:23 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2009-07-04 14:21 . 2009-07-04 14:21 -------- d-----w- c:\program files\Google
    2009-07-04 14:18 . 2008-04-16 15:03 664606 ----a-w- c:\windows\system32\perfh007.dat
    2009-07-04 14:18 . 2008-04-16 15:03 142962 ----a-w- c:\windows\system32\perfc007.dat
    2009-07-04 06:06 . 2009-06-16 17:58 -------- d-----w- c:\programdata\Shim pile start hide
    2009-07-04 06:03 . 2009-06-16 17:57 -------- d-----w- c:\programdata\nountitlesixth
    2009-07-03 22:53 . 2009-07-03 22:53 -------- d-----w- c:\programdata\Avira
    2009-07-03 22:04 . 2009-07-03 22:04 -------- d-----w- c:\program files\Avira
    2009-07-03 21:50 . 2008-07-23 13:05 -------- d-----w- c:\programdata\AOL
    2009-07-03 21:44 . 2009-02-02 18:16 -------- d-----w- c:\program files\Windows Live
    2009-06-30 13:36 . 2009-07-14 15:58 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryReplaceNew.exe
    2009-06-30 13:10 . 2009-07-14 15:58 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryNoTravel.exe
    2009-06-30 13:03 . 2009-07-14 15:58 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryAccessories.exe
    2009-06-30 10:44 . 2009-07-14 15:58 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryWeakNew.exe
    2009-06-26 16:36 . 2009-07-14 15:58 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryUpgrade.exe
    2009-06-20 12:30 . 2009-06-20 12:30 270848 ----a-w- c:\users\silke\AppData\Local\gocic.exe
    2009-06-05 10:38 . 2009-06-05 10:38 303104 ----a-w- c:\users\silke\AppData\Local\cmmoe.exe
    2009-05-14 15:51 . 2009-05-14 02:14 90 ----a-w- c:\users\silke\AppData\Local\waoom.bat
    2009-05-14 00:04 . 2009-04-02 13:31 88 ----a-w- c:\users\silke\AppData\Local\eomgk.bat
    2009-05-11 17:51 . 2009-05-02 07:41 44544 ----a-w- c:\windows\system32\agremove.exe
    2008-07-23 13:00 . 2008-07-23 13:00 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMPEACH "= "c:\programdata\Ford Lite Lite.v3kgv5" [X]
    "Start hide inside slow "= "c:\programdata\Draw Aim Bib.yfs2xu8" [X]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "LightScribe Control Panel "= "c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-18 2289664]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "StartCCC "= "c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "accrdsub "= "c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
    "PTHOSTTR "= "c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-06-02 238984]
    "CognizanceTS "= "c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-05-21 24848]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
    "hpWirelessAssistant "= "c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "HP Health Check Scheduler "= "c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
    "File Sanitizer "= "c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2008-05-14 10244096]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
    "QlbCtrl.exe "= "c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-14 177456]
    "WatchDog "= "c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-24 197904]
    "HP Software Update "= "c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "SoundMAXPnP "= "c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1314816]
    "fssui "= "c:\program files\Windows Live\Family Safety\fsui.exe" [2009-02-06 454000]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-13 727592]
    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-7-23 197904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=c:\windows\System32\APSHook.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer2 "=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ASWLNPkg

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{44511208-0329-4EC5-B367-5574C3138068} "= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "TCP Query User{17ACEB68-8251-4A04-A798-C1AA9BAEFE01}c:\\program files\\emule\\emule.exe "= UDP:c:\program files\emule\emule.exe:eMule
    "UDP Query User{5453AEFD-CC93-43D7-A6FC-3ECC867666CA}c:\\program files\\emule\\emule.exe "= TCP:c:\program files\emule\emule.exe:eMule
    "{459EF186-3E85-440E-9DDE-48F97C7910E2} "= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
    "{7AE5C918-BB17-4C8E-92A8-55077C24BF68} "= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{E5B5ED91-AFD3-45CF-A50D-7A78380F4AB7} "= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

    R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [03.08.2009 20:04 28544]
    R0 SbAlg;SbAlg;c:\windows\System32\drivers\SbAlg.sys [30.05.2008 18:37 51376]
    R0 SbFsLock;SbFsLock;c:\windows\System32\drivers\SbFsLock.sys [30.05.2008 18:37 12928]
    R1 RsvLock;RsvLock;c:\windows\System32\drivers\rsvlock.sys [30.05.2008 18:37 12496]
    R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [16.05.2007 01:08 182576]
    R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [04.07.2009 00:53 108289]
    R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [21.01.2008 04:33 21504]
    R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [21.01.2008 04:33 21504]
    R2 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [21.02.2009 10:59 55280]
    R2 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06.02.2009 19:08 533360]
    R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [02.06.2008 19:32 18944]
    R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [30.05.2008 18:36 256512]
    R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [23.07.2008 15:55 77824]
    R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [07.04.2008 20:13 24936]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [23.07.2008 15:57 193840]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21.01.2008 04:32 179712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    Cognizance REG_MULTI_SZ ASBroker ASChannel
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    bthsvcs REG_MULTI_SZ BthServ

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe "
    .
    Inhalt des "geplante Tasks" Ordners

    2009-08-06 c:\windows\Tasks\User_Feed_Synchronization-{4515785A-33AA-4710-96FD-A19294CBE7A0}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-21 02:34]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    uStart Page = hxxp://www.google.com/webhp?hl=de
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-06 20:57
    Windows 6.0.6001 Service Pack 1 NTFS

    Scanne versteckte Prozesse...

    Scanne versteckte Autostarteinträge...

    Scanne versteckte Dateien...


    c:\users\silke\AppData\Local\Temp\catchme.dll 53248 bytes executable

    Scan erfolgreich abgeschlossen
    versteckte Dateien: 1

    **************************************************************************
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    "MSCurrentCountry "=dword:000000b5
    .
    --------------------- Durch laufende Prozesse gestartete DLLs ---------------------

    - - - - - - - > 'winlogon.exe'(780)
    c:\windows\system32\APSHook.dll

    - - - - - - - > 'lsass.exe'(688)
    c:\windows\system32\APSHook.dll
    c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
    c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
    .
    Zeit der Fertigstellung: 2009-08-06 21:02
    ComboFix-quarantined-files.txt 2009-08-06 19:02

    Vor Suchlauf: 6 Verzeichnis(se), 212.285.456.384 Bytes frei
    Nach Suchlauf: 6 Verzeichnis(se), 213.367.611.392 Bytes frei

    198 --- E O F --- 2009-08-06 01:02
     
    Eledris,
    #4
  6. 2009/08/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yeah, definitely worth a try now. If it won't work after this step, try it after each step, which follow from now on.


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
c:\windows\system32\rpcnetp.exe
c:\users\silke\AppData\Local\kesyu.bat
c:\windows\system32\rpcnetp.dll
c:\users\silke\AppData\Local\miisumi.bat
c:\users\silke\AppData\Local\gocic.exe
c:\users\silke\AppData\Local\cmmoe.exe
c:\users\silke\AppData\Local\waoom.bat
c:\users\silke\AppData\Local\eomgk.bat


Folder::

Driver::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "COMPEACH "=-
 "Start hide inside slow "=-

RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
    broni,
    #5
  7. 2009/08/07
    Eledris

    Eledris Inactive Thread Starter

    Joined:
    2008/07/12
    Messages:
    15
    Likes Received:
    0
    Hi Broni,

    I first uninstalled and reinstalled Aviras AntiVir. Worked good. Now the umbrella opens up.

    After that I followed your instructions and ran the ComboFix. After Combofix was finished ( and this time uploaded something .. ) there was no notification to reboot. So I tried to run Hijack this but I received an error message telling me something about a reg.key that was deleted. I tried to open IE to post it here but received the same error msg. So I rebooted and after that everything worked out fine.
    Please find enclosed both logfiles.

    Thanks for your help,

    ComboFix

    ComboFix 09-08-04.04 - silke 07.08.2009 17:45.2.2 - NTFSx86
    Microsoft® Windows Vistaâ„¢ Home Basic 6.0.6001.1.1252.49.1031.18.764.157 [GMT 2:00]
    ausgeführt von:: c:\users\silke\Desktop\ComboFix.exe
    Benutzte Befehlsschalter :: c:\users\silke\Desktop\CFScript.txt
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "c:\users\silke\AppData\Local\cmmoe.exe "
    "c:\users\silke\AppData\Local\eomgk.bat "
    "c:\users\silke\AppData\Local\gocic.exe "
    "c:\users\silke\AppData\Local\kesyu.bat "
    "c:\users\silke\AppData\Local\miisumi.bat "
    "c:\users\silke\AppData\Local\waoom.bat "
    "c:\windows\system32\rpcnetp.dll "
    "c:\windows\system32\rpcnetp.exe "
    .

    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\silke\AppData\Local\cmmoe.exe
    c:\users\silke\AppData\Local\eomgk.bat
    c:\users\silke\AppData\Local\gocic.exe
    c:\users\silke\AppData\Local\kesyu.bat
    c:\users\silke\AppData\Local\miisumi.bat
    c:\users\silke\AppData\Local\waoom.bat
    c:\windows\system32\rpcnetp.dll


    .
    ((((((((((((((((((((((( Dateien erstellt von 2009-07-07 bis 2009-08-07 ))))))))))))))))))))))))))))))
    .

    2009-08-03 20:17 . 2009-08-03 20:17 -------- d-----w- c:\windows\Sun
    2009-08-03 18:04 . 2008-06-19 15:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-08-03 18:04 . 2009-08-03 18:04 -------- d-----w- c:\program files\Panda Security
    2009-08-03 17:40 . 2009-08-03 17:40 -------- d-----w- c:\users\silke\AppData\Roaming\Malwarebytes
    2009-08-03 17:40 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 17:40 . 2009-08-03 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-03 17:40 . 2009-08-03 17:40 -------- d-----w- c:\programdata\Malwarebytes
    2009-08-03 17:40 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-15 06:59 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
    2009-07-15 06:59 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
    2009-07-15 06:59 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
    2009-07-15 06:59 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll

    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-07 15:38 . 2009-08-07 15:38 -------- d-----w- c:\programdata\Avira
    2009-08-07 15:38 . 2009-08-07 15:38 -------- d-----w- c:\program files\Avira
    2009-08-07 15:28 . 2008-07-23 12:49 -------- d-----w- c:\programdata\hpqLog
    2009-08-07 15:27 . 2008-12-31 11:10 12 ----a-w- c:\windows\bthservsdp.dat
    2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\program files\Trend Micro
    2009-08-05 17:10 . 2009-02-02 18:24 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-18 16:06 . 2009-08-03 17:38 827904 ----a-w- c:\windows\system32\wininet.dll
    2009-07-18 16:01 . 2009-08-03 17:38 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-07-18 09:46 . 2009-08-03 17:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-07-16 00:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2009-07-16 00:08 . 2008-07-23 13:16 -------- d-----w- c:\programdata\Microsoft Help
    2009-07-08 06:52 . 2009-07-08 06:52 552 ----a-w- c:\users\silke\AppData\Local\d3d8caps.dat
    2009-07-04 14:23 . 2009-07-04 14:23 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2009-07-04 14:21 . 2009-07-04 14:21 -------- d-----w- c:\program files\Google
    2009-07-04 14:18 . 2008-04-16 15:03 664606 ----a-w- c:\windows\system32\perfh007.dat
    2009-07-04 14:18 . 2008-04-16 15:03 142962 ----a-w- c:\windows\system32\perfc007.dat
    2009-07-04 06:06 . 2009-06-16 17:58 -------- d-----w- c:\programdata\Shim pile start hide
    2009-07-04 06:03 . 2009-06-16 17:57 -------- d-----w- c:\programdata\nountitlesixth
    2009-07-03 21:50 . 2008-07-23 13:05 -------- d-----w- c:\programdata\AOL
    2009-07-03 21:44 . 2009-02-02 18:16 -------- d-----w- c:\program files\Windows Live
    2009-06-30 13:36 . 2009-07-14 15:58 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryReplaceNew.exe
    2009-06-30 13:10 . 2009-07-14 15:58 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryNoTravel.exe
    2009-06-30 13:03 . 2009-07-14 15:58 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryAccessories.exe
    2009-06-30 10:44 . 2009-07-14 15:58 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryWeakNew.exe
    2009-06-26 16:36 . 2009-07-14 15:58 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryUpgrade.exe
    2009-05-11 17:51 . 2009-05-02 07:41 44544 ----a-w- c:\windows\system32\agremove.exe
    2008-07-23 13:00 . 2008-07-23 13:00 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-06_18.57.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-11-02 13:02 . 2009-08-07 15:30 92228 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2009-07-03 22:53 . 2009-05-11 08:12 28520 c:\windows\System32\drivers\ssmdrv.sys
    + 2009-08-07 15:38 . 2009-05-11 08:12 28520 c:\windows\System32\drivers\ssmdrv.sys
    - 2009-07-03 22:53 . 2009-03-30 08:33 96104 c:\windows\System32\drivers\avipbb.sys
    + 2009-08-07 15:38 . 2009-03-30 08:33 96104 c:\windows\System32\drivers\avipbb.sys
    + 2009-08-07 15:38 . 2009-03-24 14:08 55640 c:\windows\System32\drivers\avgntflt.sys
    - 2008-04-17 16:30 . 2009-08-06 18:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-04-17 16:30 . 2009-08-07 15:40 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-04-17 16:30 . 2009-08-07 15:40 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-04-17 16:30 . 2009-08-06 18:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-17 16:30 . 2009-08-07 15:40 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-04-17 16:30 . 2009-08-06 18:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-01-01 13:13 . 2009-08-07 15:30 9274 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3011125254-4045064411-2310107302-1004_UserData.bin
    - 2009-01-01 13:13 . 2009-08-05 17:51 9274 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3011125254-4045064411-2310107302-1004_UserData.bin
    - 2009-08-05 17:44 . 2009-08-05 17:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2009-08-07 15:28 . 2009-08-07 15:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2009-08-07 15:28 . 2009-08-07 15:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-08-05 17:44 . 2009-08-05 17:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-01-15 08:20 . 2009-08-07 15:20 283340 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
    - 2009-01-15 08:20 . 2009-08-03 17:25 283340 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
    - 2006-11-02 10:22 . 2009-08-06 01:02 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
    + 2006-11-02 10:22 . 2009-08-07 15:27 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "LightScribe Control Panel "= "c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-18 2289664]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "StartCCC "= "c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "accrdsub "= "c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
    "PTHOSTTR "= "c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-06-02 238984]
    "CognizanceTS "= "c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-05-21 24848]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
    "hpWirelessAssistant "= "c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "HP Health Check Scheduler "= "c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
    "File Sanitizer "= "c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2008-05-14 10244096]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
    "QlbCtrl.exe "= "c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-14 177456]
    "WatchDog "= "c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-24 197904]
    "HP Software Update "= "c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "SoundMAXPnP "= "c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1314816]
    "fssui "= "c:\program files\Windows Live\Family Safety\fsui.exe" [2009-02-06 454000]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-13 727592]
    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-7-23 197904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=c:\windows\System32\APSHook.dll c:\windows\System32\APSHook.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer2 "=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ASWLNPkg

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{44511208-0329-4EC5-B367-5574C3138068} "= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "TCP Query User{17ACEB68-8251-4A04-A798-C1AA9BAEFE01}c:\\program files\\emule\\emule.exe "= UDP:c:\program files\emule\emule.exe:eMule
    "UDP Query User{5453AEFD-CC93-43D7-A6FC-3ECC867666CA}c:\\program files\\emule\\emule.exe "= TCP:c:\program files\emule\emule.exe:eMule
    "{459EF186-3E85-440E-9DDE-48F97C7910E2} "= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
    "{7AE5C918-BB17-4C8E-92A8-55077C24BF68} "= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{E5B5ED91-AFD3-45CF-A50D-7A78380F4AB7} "= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

    R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [03.08.2009 20:04 28544]
    R0 SbAlg;SbAlg;c:\windows\System32\drivers\SbAlg.sys [30.05.2008 18:37 51376]
    R0 SbFsLock;SbFsLock;c:\windows\System32\drivers\SbFsLock.sys [30.05.2008 18:37 12928]
    R1 RsvLock;RsvLock;c:\windows\System32\drivers\rsvlock.sys [30.05.2008 18:37 12496]
    R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [16.05.2007 01:08 182576]
    R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [07.08.2009 17:38 108289]
    R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [21.01.2008 04:33 21504]
    R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [21.01.2008 04:33 21504]
    R2 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [21.02.2009 10:59 55280]
    R2 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06.02.2009 19:08 533360]
    R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [02.06.2008 19:32 18944]
    R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [30.05.2008 18:36 256512]
    R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [23.07.2008 15:55 77824]
    R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [07.04.2008 20:13 24936]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [23.07.2008 15:57 193840]
    S2 rpcnetp;rpcnetp;c:\windows\System32\rpcnetp.exe --> c:\windows\System32\rpcnetp.exe [?]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21.01.2008 04:32 179712]

    --- Andere Dienste/Treiber im Speicher ---

    *NewlyCreated* - AVGIO
    *NewlyCreated* - AVIPBB

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    Cognizance REG_MULTI_SZ ASBroker ASChannel
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    bthsvcs REG_MULTI_SZ BthServ

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe "
    .
    Inhalt des "geplante Tasks" Ordners

    2009-08-06 c:\windows\Tasks\User_Feed_Synchronization-{4515785A-33AA-4710-96FD-A19294CBE7A0}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-21 02:34]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    uStart Page = hxxp://www.google.com/webhp?hl=de
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-07 17:57
    Windows 6.0.6001 Service Pack 1 NTFS

    Scanne versteckte Prozesse...

    Scanne versteckte Autostarteinträge...

    Scanne versteckte Dateien...

    Scan erfolgreich abgeschlossen
    versteckte Dateien: 0

    **************************************************************************
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    "MSCurrentCountry "=dword:000000b5
    .
    --------------------- Durch laufende Prozesse gestartete DLLs ---------------------

    - - - - - - - > 'lsass.exe'(668)
    c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
    c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
    .
    Zeit der Fertigstellung: 2009-08-07 18:02
    ComboFix-quarantined-files.txt 2009-08-07 16:02
    ComboFix2.txt 2009-08-06 19:02

    Vor Suchlauf: 6 Verzeichnis(se), 213.810.647.040 Bytes frei
    Nach Suchlauf: 6 Verzeichnis(se), 213.169.430.528 Bytes frei

    218 --- E O F --- 2009-08-07 15:25


    hijack
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:16:39, on 07.08.2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Normal

    Running processes:
    C:\windows\system32\taskeng.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Windows Live\Family Safety\fsui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\windows\system32\wuauclt.exe
    C:\windows\system32\Taskmgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll
    O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe "
    O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe "
    O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O13 - Gopher Prefix:
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUpldde-de.cab
    O20 - AppInit_DLLs: C:\Windows\System32\APSHook.dll C:\Windows\System32\APSHook.dll APSHook.dll
    O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
    O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\windows\system32\Hpservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 10064 bytes
     
    Eledris,
    #6
  8. 2009/08/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u "
    Restart computer.

    ================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes ". If not, update the definitions before scanning by selecting "Check for Updates ". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.
    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!


    STEP 3.
    Post fresh HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #7
  9. 2009/08/08
    Eledris

    Eledris Inactive Thread Starter

    Joined:
    2008/07/12
    Messages:
    15
    Likes Received:
    0
    here are the fresh logs :

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/08/2009 at 09:38 AM

    Application Version : 4.27.1002

    Core Rules Database Version : 4045
    Trace Rules Database Version: 1985

    Scan type : Complete Scan
    Total Scan Time : 00:28:20

    Memory items scanned : 262
    Memory threats detected : 0
    Registry items scanned : 6307
    Registry threats detected : 0
    File items scanned : 24921
    File threats detected : 24

    Adware.Tracking Cookie
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\silke@atdmt[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\silke@kaspersky.122.2o7[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@tto2.traffictrack[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@kaspersky.122.2o7[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@ad.yieldmanager[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@zanox-affiliate[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@ad.zanox[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@apmebf[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@statse.webtrendslive[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@mediaplex[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@specificclick[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@richmedia.yahoo[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@webmasterplan[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@tradedoubler[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@www.zanox-affiliate[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@serving-sys[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@traffictrack[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@bs.serving-sys[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@zanox[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@adtech[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@adviva[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@ads.infinisource[1].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@tribalfusion[2].txt
    C:\Users\silke\AppData\Roaming\Microsoft\Windows\Cookies\Low\silke@doubleclick[1].txt


    Malwarebytes' Anti-Malware 1.40
    Datenbank Version: 2577
    Windows 6.0.6001 Service Pack 1

    08.08.2009 11:37:19
    mbam-log-2009-08-08 (11-37-19).txt

    Scan-Methode: Vollständiger Scan (C:\|D:\|F:\|)
    Durchsuchte Objekte: 213280
    Laufzeit: 1 hour(s), 8 minute(s), 0 second(s)

    Infizierte Speicherprozesse: 0
    Infizierte Speichermodule: 0
    Infizierte Registrierungsschlüssel: 0
    Infizierte Registrierungswerte: 0
    Infizierte Dateiobjekte der Registrierung: 0
    Infizierte Verzeichnisse: 0
    Infizierte Dateien: 0

    Infizierte Speicherprozesse:
    (Keine bösartigen Objekte gefunden)

    Infizierte Speichermodule:
    (Keine bösartigen Objekte gefunden)

    Infizierte Registrierungsschlüssel:
    (Keine bösartigen Objekte gefunden)

    Infizierte Registrierungswerte:
    (Keine bösartigen Objekte gefunden)

    Infizierte Dateiobjekte der Registrierung:
    (Keine bösartigen Objekte gefunden)

    Infizierte Verzeichnisse:
    (Keine bösartigen Objekte gefunden)

    Infizierte Dateien:
    (Keine bösartigen Objekte gefunden)


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:56:35, on 08.08.2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Normal

    Running processes:
    C:\windows\system32\taskeng.exe
    c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Windows Live\Family Safety\fsui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\windows\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll
    O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe "
    O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe "
    O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O13 - Gopher Prefix:
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUpldde-de.cab
    O20 - AppInit_DLLs: C:\Windows\System32\APSHook.dll C:\Windows\System32\APSHook.dll APSHook.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
    O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\windows\system32\Hpservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: rpcnetp - Unknown owner - C:\windows\System32\rpcnetp.exe (file missing)

    --
    End of file - 10355 bytes
     
    Eledris,
    #8
  10. 2009/08/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Are you still using Computrace program by Absolute Software (http://www.absolute.com)

    ================================================================

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ================================================================

    Disable Windows Defender, as it'll interfere with cleaning process:
    - Open Windows Defender by clicking the Start, clicking All Programs, and then clicking Windows Defender.
    - Click Tools
    then...

    ++ Windows XP:
    - Click General Settings
    - Scroll down to Real Time Protection Options
    - Uncheck Turn on Real Time Protection
    - After you uncheck this, click on the Save button
    - Close Windows Defender

    ++ Windows Vista:
    - Click Options
    - Under Administrator options, clear the Use Windows Defender check box, and then click Save.

    Enable Windows Defender, when all cleaning is done.

    ================================================================

    Print this post out, since you won't have an access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    - O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    - O4 - Global Startup: BTTray.lnk = ?


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe "
    - O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    - O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    - O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    - O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (leave this one alone, if you have paid version)
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (leave this one alone, if you have paid version)


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
    broni,
    #9
  11. 2009/08/09
    Eledris

    Eledris Inactive Thread Starter

    Joined:
    2008/07/12
    Messages:
    15
    Likes Received:
    0
    Hi Broni,

    I'm unable to answer this one.. but she's not aware of tracing software.. so I would guess we can remove it.

    Downloaded JRE 6 Update 15 from the Website. Hope this was the right one ?

    Sorry - I did not totally understand this one. Is this something that I should do or something that you advise me to do optional ? I did not follow this step.


    Maybe stupid question from my side - but isn't this the Bluetooth tray service ?


    Unless the questions above I was able to follow all of your steps. I have now re-enabled the Defender. I'll post Hijack log on the end of my post.
    One additional question : Vista proposed me several updates ( e.g. IE 8 ! ), should I update ? Attached a .jpg with the avaiable updates.

    Image - Link

    Thanks for your great support Broni !

    Eledris

    HiJackthis
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:14:47, on 09.08.2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Normal

    Running processes:
    C:\windows\system32\taskeng.exe
    C:\windows\system32\Dwm.exe
    c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    C:\windows\Explorer.EXE
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Windows Live\Family Safety\fsui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\windows\system32\wuauclt.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll
    O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe "
    O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O13 - Gopher Prefix:
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUpldde-de.cab
    O20 - AppInit_DLLs: C:\Windows\System32\APSHook.dll C:\Windows\System32\APSHook.dll APSHook.dll
    O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
    O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\windows\system32\Hpservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 8871 bytes
     
    Eledris,
    #10
  12. 2009/08/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well...

    Go Start>Run (Vista users - "Start search "), type in:
    cmd
    Click OK (Vista users - hold CTRL, and SHIFT keys, press Enter).

    Command Prompt window will open.
    Type in:
    sc stop rpcnetp
    Press Enter.
    Wait for the service to be stopped.

    Type in:
    sc delete rpcnetp
    Press Enter.
    Wait for confirmation.

    Restart computer.

    Yes.

    Don't worry about this one.

    As far, as I can tell, it's dead entry (question mark at the end).

    When we're done with cleaning (one more step), please, feel free to do so.

    When done with the above, post fresh HJT log.
     
    broni,
    #11
  13. 2009/08/09
    Eledris

    Eledris Inactive Thread Starter

    Joined:
    2008/07/12
    Messages:
    15
    Likes Received:
    0
    When I tried stopping the rpcnetp it said that it was not running, but deleting it was successful.

    I'll wait with IE 8 till you'll advise me.

    Heres the new HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:00:36, on 09.08.2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Normal

    Running processes:
    C:\windows\system32\taskeng.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Windows Live\Family Safety\fsui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=83&bd=all&pf=cmnb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll
    O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe "
    O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O13 - Gopher Prefix:
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUpldde-de.cab
    O20 - AppInit_DLLs: C:\Windows\System32\APSHook.dll C:\Windows\System32\APSHook.dll APSHook.dll
    O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
    O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\windows\system32\Hpservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 8796 bytes
     
    Eledris,
    #12
  14. 2009/08/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Alrighty...


    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure, Windows Updates are current.

    [SIZE= "4"]6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please, let me know, how is your computer doing.
     
    broni,
    #13

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...