# Need some help - HJT log included



## js19

I did a routine scan this morning but pretty soon found that there are too many trojans on my laptop for me to deal with...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:49, on 29.07.2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\P1370Mon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\Janine\AppData\Local\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
D:\Opera\opera.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.91.52.155:80
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [P1370Mon.exe] C:\Windows\P1370Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "D:\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: YouTube Uploader.lnk = C:\Users\Janine\AppData\Local\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Suchleiste - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix: 
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/aberdeenuniv/support/plugins/ebraryRdr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-IN/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10442 bytes
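A triage pass over the HijackThis log format, as an added example (not HijackThis or ComboFix code): it parses the R/O entries and flags the ones a helper would look at first, using lines copied from the log above as sample input. The allow-list of expected search hosts and the user-writable-folder pattern are assumptions to adjust per case; a flag is a review cue, not a verdict (the Google Update entry shows a legitimate program tripping the same rule).

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log above; this is not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.91.52.155:80
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [Google Update] "C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
"""

# Assumed allow-list of hosts expected in IE start/search settings (adjust per case).
EXPECTED_SEARCH_HOSTS = {"go.microsoft.com", "www.google.com", "www.samsungcomputer.com"}
SEARCH_KEYS = {"SearchAssistant", "Search Bar", "Search Page", "Start Page",
               "Default_Page_URL", "Default_Search_URL", "CustomizeSearch"}
# Assumed pattern for folders a standard user can write to (autostarts there deserve a look).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. R1, O2, O4
    reason: str  # why a helper would look at this entry
    line: str    # the original log line


def _check_r(body):
    """R0/R1 entries: 'hive\\key,value = data'. Flags proxies and redirected search pages."""
    key, sep, data = body.partition(" =")
    if not sep:
        return None
    value = key.rsplit(",", 1)[-1]
    data = data.strip()
    if not data:
        return None  # empty setting, nothing to review
    if value == "ProxyServer":
        # Single "host:port" form only; per-protocol lists (http=...;https=...) are not parsed.
        host = data.rsplit(":", 1)[0]
        try:
            addr = ip_address(host)
        except ValueError:
            return f"proxy set to host {host}; confirm which installed software owns it"
        if addr.is_global:
            return f"proxy routes all IE traffic through public address {addr}"
        return None
    if value in SEARCH_KEYS:
        host = urlparse(data).hostname
        if host and host not in EXPECTED_SEARCH_HOSTS:
            return f"search/start page redirected to {host}"
    return None


def _check_o2(body):
    """O2 BHO entries: 'BHO: name - {CLSID} - path'. Flags registrations with no DLL on disk."""
    if body.endswith("(no file)"):
        return "BHO registered but no DLL on disk (orphan registration)"
    return None


def _check_o4(body):
    """O4 autostart entries: 'hive\\..\\Run: [name] command'."""
    if USER_WRITABLE.search(body):
        return "autostart launched from a user-writable folder; verify the publisher"
    return None


def _check_o23(body):
    """O23 service entries: 'Service: name - publisher - path'."""
    if " - Unknown owner - " in body:
        return "service with no publisher recorded; verify the binary"
    return None


CHECKS = {"R0": _check_r, "R1": _check_r, "O2": _check_o2, "O4": _check_o4, "O23": _check_o23}


def triage(log_text):
    """Return the entries in a HijackThis log a helper would review first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank or separator line
        code, body = m.groups()
        check = CHECKS.get(code)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(code, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```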


----------



## cohen

Hello,

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your reply:

Post the combo fix log
Post a Fresh Hijackthis log

Thank you


----------



## js19

ComboFix 08-07-28.5 - Janine 2008-07-29 11:52:14.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1031.18.767 [GMT 1:00]
ausgeführt von:: C:\Users\Janine\Documents\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((   Dateien erstellt von 2008-06-28 bis 2008-07-29  ))))))))))))))))))))))))))))))
.

Keine neuen Dateien erstellt in diesem Zeitraum

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 07:16	---------	d---a-w	C:\ProgramData\TEMP
2008-07-28 20:57	---------	d-----w	C:\Program Files\Google
2008-07-23 10:39	---------	d-----w	C:\Program Files\Common Files\xing shared
2008-07-23 10:39	---------	d-----w	C:\Program Files\Common Files\Real
2008-07-23 10:38	---------	d-----w	C:\Program Files\Real
2008-07-20 20:29	---------	d-----w	C:\Users\Janine\AppData\Roaming\uTorrent
2008-07-19 09:40	---------	d-----w	C:\ProgramData\Microsoft Help
2008-06-21 17:59	---------	d-----w	C:\ProgramData\Creative
2008-06-12 20:39	---------	d-----w	C:\Users\Janine\AppData\Roaming\LimeWire
2008-06-10 09:59	---------	d-----w	C:\Users\Janine\AppData\Roaming\DivX
2008-06-10 09:58	---------	d-----w	C:\Users\Janine\AppData\Roaming\CyberLink
2008-06-02 12:30	---------	d-----w	C:\Program Files\ICQ6
2008-06-02 12:28	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-06-02 12:28	---------	d-----w	C:\Users\Janine\AppData\Roaming\ICQ
2008-05-31 09:42	---------	d-----w	C:\Program Files\CCleaner
2008-05-29 14:28	---------	d-----w	C:\Program Files\Panda Security
2008-05-27 12:22	189,753	----a-w	C:\Windows\System32\subipvoc32.dll
2008-03-31 18:42	726	----a-w	C:\Program Files\INSTALL.LOG
2007-11-28 23:49	32	----a-w	C:\Users\All Users\ezsid.dat
2007-11-28 23:49	32	----a-w	C:\ProgramData\ezsid.dat
2007-08-30 14:14	174	--sha-w	C:\Program Files\desktop.ini
2007-05-28 21:05	10,226,490	----a-w	C:\Program Files\Winamp Pro v5.35.1305.exe
1999-06-25 09:55	149,504	----a-w	C:\Program Files\UNWISE.EXE
2008-03-18 08:42	16,384	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-18 08:42	32,768	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-18 08:42	16,384	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-12-02 19:24	16,384	--sha-w	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-02 19:24	32,768	--sha-w	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-02 19:24	16,384	--sha-w	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 11:25 1232896]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-27 15:19 4670704]
"Creative Live! Cam Manager"="D:\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-05-31 17:00 143360]
"Google Update"="C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-07-15 18:58 119280]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 07:40 857648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 14:26 68640]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 14:17 52256]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 04:35 90112]
"GrooveMonitor"="C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"P1370Mon.exe"="C:\Windows\P1370Mon.exe" [2006-06-19 18:00 36864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 00:19 79224]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 21:16 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-23 11:38 185896]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-13 05:11 4489216 C:\Windows\RtHDVCpl.exe]

C:\Users\Janine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Users\Janine\AppData\Local\YouTube\Uploader\youtubeuploader.exe [2007-11-09 14:33:08 71152]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-15 01:23:39 110592]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-24 10:50:32 723760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoHotStart"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P1370Cfg.exe]
--a------ 2007-03-31 00:02 28672 C:\Windows\P1370Cfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BDEAFD20-7009-4918-A21B-E72F13CE4DF4}"= C:\Program Files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"TCP Query User{F28856A2-B7B7-4B48-B529-FBAAD70CBC45}C:\\program files\\windows sidebar\\sidebar.exe"= UDP:C:\program files\windows sidebar\sidebar.exe:Windows-Sidebar
"UDP Query User{041C3553-67F9-4FF1-BD64-0FEA5DFDD94A}C:\\program files\\windows sidebar\\sidebar.exe"= TCP:C:\program files\windows sidebar\sidebar.exe:Windows-Sidebar
"{EA1093B3-961B-4633-82C3-6D0417F0D2DF}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{6CCAD485-2F13-4D67-A37D-C0E996786691}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{F149A584-BDFB-43D8-8877-0DD2B1CCCD16}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{43DD65FD-41E9-4267-B330-1F7C0D05062C}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C112F8E3-0AC3-4E3A-9F16-725DCB462050}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CFB1D712-DAF5-4016-8921-EEBC55977856}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{057B4668-1F7D-47A4-9755-DD631824FFD1}"= TCP:6004|C:\Programme\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{AA7B1AE0-4644-4EE7-AB90-950B7A6338DE}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{39462FF4-DE31-4CF0-A059-A9EE1E211708}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2F19CD61-8DA9-4D76-AD7B-2A9D73074F0E}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DC0E8F1F-566C-4A01-A687-77E487913B18}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1BD3A435-7835-448A-9468-284141DA80BF}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{A18C0580-EFA9-4FCA-AB0D-2DD05D7D327F}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{58915573-FA78-48AA-A1D2-E88E509A9875}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{980ACDA2-703E-4C2F-98CB-7C6F01639E46}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E614D1BE-A9BD-4BD5-9106-B2B713D09D4A}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2007-04-26 02:15]
R0 keriddlg;keriddlg;C:\Windows\system32\DRIVERS\keriddlg.sys [2006-11-02 10:46]
R0 zipecups;zipecups;C:\Windows\system32\DRIVERS\zipecups.sys [2006-11-02 10:46]
R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-05-16 00:20]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-05-16 00:16]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-05-16 00:18]
R2 BcmSqlStartupSvc;SQL Server-Startdienst für Business Contact Manager;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-16 10:51]
R2 HDDlife HDD Access service;HDDlife HDD Access service;C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe [2007-08-09 13:23]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;C:\Windows\system32\DRIVERS\kmdfmemio.sys [2007-07-10 23:37]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 22:38]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-06-13 16:21]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\Windows\system32\drivers\ScreamingBAudio.sys [2007-08-24 16:44]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-05-03 02:14]
S3 btwaudio;Bluetooth-Audiogerät;C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 19:46]
S3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-02-27 06:20]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-27 06:20]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 08:30]
S3 P1370Afx;PD1370 Audio Effects Filter Driver;C:\Windows\system32\Drivers\P1370Afx.sys [2007-04-02 00:01]
S3 P1370Aud;Creative WebCam Audio Control;C:\Windows\system32\Drivers\P1370Aud.sys [2005-12-05 01:29]
S3 P1370Aul;PD1370 Lower Filter Driver;C:\Windows\system32\Drivers\P1370Aul.sys [2005-12-06 01:58]
S3 P1370Vfx;P1370Vfx;C:\Windows\system32\DRIVERS\P1370Vfx.sys [2007-03-05 17:45]
S3 P1370VID;Live! Cam Voice;C:\Windows\system32\DRIVERS\P1370Vid.sys [2007-03-28 09:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
rsmsvcs	REG_MULTI_SZ   	ntmssvc

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners

2008-07-29 C:\Windows\Tasks\User_Feed_Synchronization-{878A2A3D-7BC9-4D81-AE12-7DF80745E33C}.job
- C:\Windows\system32\msfeedssync.exe [2006-11-02 10:45]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

MSConfigStartUp-svchost - C:\Windows\svchost.exe


.
------- Zusätzlicher Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyServer = 217.91.52.155:80
O8 -: Nach Microsoft E&xel exportieren - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 12:14:13
Windows 6.0.6000  NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...


C:\Windows\system32\appotchm.dll 364544 bytes executable
C:\Windows\system32\bmpidcmd
C:\Windows\system32\cpyedmon.dll 217088 bytes executable
C:\Windows\system32\dskunhex.dll 108 bytes
C:\Windows\system32\manafdll.dll 1832 bytes
C:\Windows\system32\nicundde.exe 6320128 bytes executable

Scan erfolgreich abgeschlossen
versteckte Dateien: 6

**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

Prozess: C:\Windows\Explorer.exe
-> C:\Windows\system32\modivmak.dll
-> C:\Windows\system32\movixocx.dll
.
Zeit der Fertigstellung: 2008-07-29 12:20:08
ComboFix-quarantined-files.txt  2008-07-29 11:18:34

Pre-Run: Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
Post-Run: 22 Verzeichnis(se), 27,442,180,096 Bytes frei

177	--- E O F ---	2008-07-29 07:22:08
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10442 bytes


----------



## cohen

hhmmm... no difference

OK, let's see this then:

Please do a scan with Kaspersky Online Scanner

Click on the *Accept* button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the *Scan* section select *My Computer*.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on *View scan report*
Now, click on the *Save Report as* button.
In the drop down box labeled *Files of type* change the type to *Text file*.
Save the file to your desktop.
Copy and paste that information in your next post.


----------



## js19

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Tuesday, July 29, 2008
 Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Tuesday, July 29, 2008 13:11:46
 Records in database: 1022167
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	C:\
	D:\

Scan statistics:
	Files scanned: 125637
	Threat name: 1
	Infected objects: 1
	Suspicious objects: 0
	Duration of the scan: 02:12:39


File name / Threat name / Threats count
D:\mirc631.exe	Infected: not-a-virus:Client-IRC.Win32.mIRC.631	1

The selected area was scanned.

If this is the only result, then maybe my antivirus programme did a better job than I expected.


----------



## js19

Anyone?


----------



## cohen

I'll leave this one to the pros, to finish off.... sorry


----------



## ceewi1

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

*C:\Windows\System32\subipvoc32.dll*

Then click Send File.  Allow the file to be scanned, and then please copy and paste the results here for me to see.

Please repeat that process for the following files:
*C:\Windows\system32\DRIVERS\keriddlg.sys
C:\Windows\system32\DRIVERS\zipecups.sys*

If that scanner is busy, please use this one: http://virusscan.jotti.org


----------



## js19

Ah, thank you.

Do you need the whole list of results, or is the top bit enough?


File subipvoc32.dll received on 07.31.2008 13:16:16 (CET)
Current status: finished  
Result: 0/35 (0%)


File keriddlg.sys received on 07.31.2008 13:19:45 (CET)
Current status: finished  
Result: 0/35 (0%)


File zipecups.sys received on 07.31.2008 13:21:07 (CET)
Current status: finished  
Result: 0/35 (0%)


----------



## cohen

Best to post all of it.


----------



## js19

File subipvoc32.dll received on 07.31.2008 13:16:16 (CET)
Current status: finished
Result: 0/35 (0.00%)
Antivirus 	Version 	Last Update 	Result
AhnLab-V3 	2008.7.29.1 	2008.07.31 	-
AntiVir 	7.8.1.12 	2008.07.31 	-
Authentium 	5.1.0.4 	2008.07.31 	-
Avast 	4.8.1195.0 	2008.07.30 	-
AVG 	8.0.0.156 	2008.07.31 	-
BitDefender 	7.2 	2008.07.31 	-
CAT-QuickHeal 	9.50 	2008.07.30 	-
ClamAV 	0.93.1 	2008.07.31 	-
DrWeb 	4.44.0.09170 	2008.07.31 	-
eSafe 	7.0.17.0 	2008.07.29 	-
eTrust-Vet 	31.6.5997 	2008.07.31 	-
Ewido 	4.0 	2008.07.31 	-
F-Prot 	4.4.4.56 	2008.07.30 	-
F-Secure 	7.60.13501.0 	2008.07.31 	-
Fortinet 	3.14.0.0 	2008.07.31 	-
GData 	2.0.7306.1023 	2008.07.31 	-
Ikarus 	T3.1.1.34.0 	2008.07.31 	-
Kaspersky 	7.0.0.125 	2008.07.31 	-
McAfee 	5350 	2008.07.30 	-
Microsoft 	1.3704 	2008.07.28 	-
NOD32v2 	3313 	2008.07.31 	-
Norman 	5.80.02 	2008.07.30 	-
Panda 	9.0.0.4 	2008.07.31 	-
PCTools 	4.4.2.0 	2008.07.30 	-
Prevx1 	V2 	2008.07.31 	-
Rising 	20.55.32.00 	2008.07.31 	-
Sophos 	4.31.0 	2008.07.31 	-
Sunbelt 	3.1.1537.1 	2008.07.29 	-
Symantec 	10 	2008.07.31 	-
TheHacker 	6.2.96.389 	2008.07.25 	-
TrendMicro 	8.700.0.1004 	2008.07.31 	-
VBA32 	3.12.8.1 	2008.07.29 	-
ViRobot 	2008.7.31.1319 	2008.07.31 	-
VirusBuster 	4.5.11.0 	2008.07.30 	-
Webwasher-Gateway 	6.6.2 	2008.07.31 	-
Additional information
File size: 189753 bytes
MD5...: c26c014124268e2488c64eecfc35a9a6
SHA1..: 59b1a72b7b20a974850be01e9b1109720371d986
SHA256: f0a909d280b087ccc69a7e28d6c232d0a416faa8422d53c687835ff52736c2bf
SHA512: c0812b225844bba32c33d78c1ab6f5b9d2b6da90f2e99a9e8adaa4b1887b2ff7
363cd567a90bfb6eb9c2e1ee4cd23fa72f46d68322637424d7301121492ef834
PEiD..: -
PEInfo: -


File keriddlg.sys received on 07.31.2008 13:19:45 (CET)
Current status: finished
Result: 0/35 (0.00%)
Antivirus 	Version 	Last Update 	Result
AhnLab-V3 	2008.7.29.1 	2008.07.31 	-
AntiVir 	7.8.1.12 	2008.07.31 	-
Authentium 	5.1.0.4 	2008.07.31 	-
Avast 	4.8.1195.0 	2008.07.30 	-
AVG 	8.0.0.156 	2008.07.31 	-
BitDefender 	7.2 	2008.07.31 	-
CAT-QuickHeal 	9.50 	2008.07.30 	-
ClamAV 	0.93.1 	2008.07.31 	-
DrWeb 	4.44.0.09170 	2008.07.31 	-
eSafe 	7.0.17.0 	2008.07.29 	-
eTrust-Vet 	31.6.5997 	2008.07.31 	-
Ewido 	4.0 	2008.07.31 	-
F-Prot 	4.4.4.56 	2008.07.30 	-
F-Secure 	7.60.13501.0 	2008.07.31 	-
Fortinet 	3.14.0.0 	2008.07.31 	-
GData 	2.0.7306.1023 	2008.07.31 	-
Ikarus 	T3.1.1.34.0 	2008.07.31 	-
Kaspersky 	7.0.0.125 	2008.07.31 	-
McAfee 	5350 	2008.07.30 	-
Microsoft 	1.3704 	2008.07.28 	-
NOD32v2 	3313 	2008.07.31 	-
Norman 	5.80.02 	2008.07.30 	-
Panda 	9.0.0.4 	2008.07.31 	-
PCTools 	4.4.2.0 	2008.07.30 	-
Prevx1 	V2 	2008.07.31 	-
Rising 	20.55.32.00 	2008.07.31 	-
Sophos 	4.31.0 	2008.07.31 	-
Sunbelt 	3.1.1537.1 	2008.07.29 	-
Symantec 	10 	2008.07.31 	-
TheHacker 	6.2.96.389 	2008.07.25 	-
TrendMicro 	8.700.0.1004 	2008.07.31 	-
VBA32 	3.12.8.1 	2008.07.29 	-
ViRobot 	2008.7.31.1319 	2008.07.31 	-
VirusBuster 	4.5.11.0 	2008.07.30 	-
Webwasher-Gateway 	6.6.2 	2008.07.31 	-
Additional information
File size: 38528 bytes
MD5...: 674c269fad54e5fd5623b16f6fd018df
SHA1..: efcf8fd8a3a63f1a8b2378e9f2255ab5ea499d9c
SHA256: 1b2237cacc0bf48acc3bc942c237a8801302e8b45e1fdb01c4bdbf2db7cc1445
SHA512: cd4a50a8d5993d6c1e90dc03a7e57e753b33b682e097a25d566c21300965e4ce
2d42db32ef53a2020cf98e1de7861d8237b68b2d23c4a18efdacf4966d08b9e8
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x17ea9
timedatestamp.....: 0x469815d3 (Sat Jul 14 00:16:19 2007)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0x3090 0x3100 6.41 12242ace82594fc6385e473d052e0599
.rdata 0x3580 0x13a4 0x1400 5.04 e4df9b13cad6a5028b2600e3dac526c9
.data 0x4980 0x544 0x580 1.25 c3444de4ef510e31a37b8099e1323173
PAGE 0x4f00 0x29c8 0x2a00 6.33 4ecaea06860c1f6e748501a72e71b9db
INIT 0x7900 0x1228 0x1280 5.84 4514c775a86a99744e1f1b9e9b1fc67e
.rsrc 0x8b80 0x310 0x380 2.86 b763dfe2579525db58b4102ada3e74b1
.reloc 0x8f00 0x720 0x780 5.77 e3024ef9dc55782e17a11e8b83c2dfa9

( 2 imports )
> ntoskrnl.exe: ExQueueWorkItem, IoAttachDeviceToDeviceStack, KeDelayExecutionThread, ObfDereferenceObject, ObfReferenceObject, ZwClose, ZwQueryValueKey, ZwOpenKey, _wcsicmp, _wcslwr, _except_handler3, KeWaitForSingleObject, ExAllocatePoolWithTag, ExFreePoolWithTag, _local_unwind2, strchr, ZwReadFile, ZwQueryInformationFile, ZwCreateFile, RtlFreeUnicodeString, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlAddAccessAllowedAce, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ExAllocatePool, RtlLengthSid, KeSetEvent, ExFreePool, KeInsertQueueApc, KeInitializeApc, KeGetCurrentThread, PsGetCurrentProcessId, strncmp, PsLookupProcessByProcessId, IofCompleteRequest, IoDeleteDevice, IoDetachDevice, IoCreateDevice, RtlCompareUnicodeString, IoGetDeviceObjectPointer, IoRegisterFsRegistrationChange, _stricmp, KeTickCount, DbgPrint, PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, ExInitializePagedLookasideList, IoCreateSymbolicLink, InitSafeBootMode, ZwQuerySystemInformation, RtlInitString, ZwAllocateVirtualMemory, KeBugCheckEx, IofCallDriver, PsGetVersion, RtlInitUnicodeString, MmGetSystemRoutineAddress, KeInitializeEvent, IoFreeIrp, RtlVolumeDeviceToDosName, RtlCopyUnicodeString, ObQueryNameString, ExAllocateFromPagedLookasideList, ExFreeToPagedLookasideList, IoAllocateIrp, RtlAppendUnicodeStringToString, IoGetTopLevelIrp, RtlAppendUnicodeToString, RtlAnsiCharToUnicodeChar, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, wcschr, RtlAbsoluteToSelfRelativeSD, ZwCreateKey, ZwSetValueKey
> HAL.dll: KfReleaseSpinLock, ExAcquireFastMutex, ExReleaseFastMutex, KeGetCurrentIrql, KfAcquireSpinLock

( 0 exports ) 

File zipecups.sys received on 07.31.2008 13:21:07 (CET)
Current status: finished
Result: 0/35 (0.00%)
Antivirus 	Version 	Last Update 	Result
AhnLab-V3 	2008.7.29.1 	2008.07.31 	-
AntiVir 	7.8.1.12 	2008.07.31 	-
Authentium 	5.1.0.4 	2008.07.31 	-
Avast 	4.8.1195.0 	2008.07.30 	-
AVG 	8.0.0.156 	2008.07.31 	-
BitDefender 	7.2 	2008.07.31 	-
CAT-QuickHeal 	9.50 	2008.07.30 	-
ClamAV 	0.93.1 	2008.07.31 	-
DrWeb 	4.44.0.09170 	2008.07.31 	-
eSafe 	7.0.17.0 	2008.07.29 	-
eTrust-Vet 	31.6.5997 	2008.07.31 	-
Ewido 	4.0 	2008.07.31 	-
F-Prot 	4.4.4.56 	2008.07.30 	-
F-Secure 	7.60.13501.0 	2008.07.31 	-
Fortinet 	3.14.0.0 	2008.07.31 	-
GData 	2.0.7306.1023 	2008.07.31 	-
Ikarus 	T3.1.1.34.0 	2008.07.31 	-
Kaspersky 	7.0.0.125 	2008.07.31 	-
McAfee 	5350 	2008.07.30 	-
Microsoft 	1.3704 	2008.07.28 	-
NOD32v2 	3313 	2008.07.31 	-
Norman 	5.80.02 	2008.07.30 	-
Panda 	9.0.0.4 	2008.07.31 	-
PCTools 	4.4.2.0 	2008.07.30 	-
Prevx1 	V2 	2008.07.31 	-
Rising 	20.55.32.00 	2008.07.31 	-
Sophos 	4.31.0 	2008.07.31 	-
Sunbelt 	3.1.1537.1 	2008.07.29 	-
Symantec 	10 	2008.07.31 	-
TheHacker 	6.2.96.389 	2008.07.25 	-
TrendMicro 	8.700.0.1004 	2008.07.31 	-
VBA32 	3.12.8.1 	2008.07.29 	-
ViRobot 	2008.7.31.1319 	2008.07.31 	-
VirusBuster 	4.5.11.0 	2008.07.30 	-
Webwasher-Gateway 	6.6.2 	2008.07.31 	-
Additional information
File size: 39424 bytes
MD5...: 5769096163f397d00b98ac54541ff589
SHA1..: 1846756b38a0ae8324a414f1b5b7421048d1b925
SHA256: 499c02e115f67e74e869efa605117b5df24f996d40b28b1834bb8ca7517e4c71
SHA512: 675b37196e9c1426bebf143f69328bd0d766d7e36fcaca4d4505b9daaa8bc474
91245d713b28260440afed164e970d2ae9ebb27cb76a69f065405500c18e0a5b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x18229
timedatestamp.....: 0x45c7ccac (Tue Feb 06 00:32:44 2007)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0x3103 0x3180 6.41 0c8ec24dbd8aec4c38372970e8da8d00
.rdata 0x3600 0x13a4 0x1400 5.06 ed6fce6cefe2942f444a70a1c1a6c882
.data 0x4a00 0x8a4 0x900 0.81 13b33c22ec984ca9e6657b8ac6fd83cb
PAGE 0x5300 0x297e 0x2980 6.33 7b77d387b8ecb11c6ce0e102eddb897f
INIT 0x7c80 0x1254 0x1280 5.87 e06f388c6a91fae5bd2e36ec43126e5a
.rsrc 0x8f00 0x310 0x380 2.86 60f12f19ced945fee82a2e74a1d45e39
.reloc 0x9280 0x738 0x780 5.85 c9fccb43ce82259bde49376e934a440b

( 2 imports )
> ntoskrnl.exe: ExQueueWorkItem, IoAttachDeviceToDeviceStack, KeDelayExecutionThread, ObfDereferenceObject, ObfReferenceObject, ZwClose, ZwQueryValueKey, ZwOpenKey, _wcsicmp, _wcslwr, _except_handler3, KeWaitForSingleObject, ExAllocatePoolWithTag, ExFreePoolWithTag, _local_unwind2, strchr, ZwReadFile, ZwQueryInformationFile, ZwCreateFile, RtlFreeUnicodeString, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlAddAccessAllowedAce, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ExAllocatePool, RtlLengthSid, KeSetEvent, MmMapLockedPages, MmBuildMdlForNonPagedPool, ExFreePool, KeInsertQueueApc, KeInitializeApc, KeGetCurrentThread, PsGetCurrentProcessId, strncmp, PsLookupProcessByProcessId, IofCompleteRequest, IoDeleteDevice, IoDetachDevice, IoCreateDevice, RtlCompareUnicodeString, IoGetDeviceObjectPointer, IoRegisterFsRegistrationChange, _stricmp, KeTickCount, DbgPrint, PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, ExInitializePagedLookasideList, IoCreateSymbolicLink, InitSafeBootMode, ZwQuerySystemInformation, RtlInitString, MmCreateMdl, KeBugCheckEx, IofCallDriver, PsGetVersion, RtlInitUnicodeString, MmGetSystemRoutineAddress, KeInitializeEvent, IoFreeIrp, RtlVolumeDeviceToDosName, RtlCopyUnicodeString, ObQueryNameString, ExAllocateFromPagedLookasideList, ExFreeToPagedLookasideList, IoAllocateIrp, RtlAppendUnicodeStringToString, IoGetTopLevelIrp, RtlAppendUnicodeToString, RtlAnsiCharToUnicodeChar, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, wcschr, RtlAbsoluteToSelfRelativeSD, ZwCreateKey, ZwSetValueKey
> HAL.dll: KfReleaseSpinLock, ExAcquireFastMutex, ExReleaseFastMutex, KeGetCurrentIrql, KfAcquireSpinLock

( 0 exports )


----------



## ceewi1

Please download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the *Rootkit* tab.
Make sure all the boxes on the right of the screen are checked, *EXCEPT* for ‘Show All’.
Click on *Scan*.
When the scan has run click *Copy* and paste the results (if any) into this thread.

Please download *Deckard's System Scanner (DSS)* and save it to your Desktop.
Close all other windows before proceeding.
Double-click on *dss.exe* and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads *main.txt* and *extra.txt* -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of *main.txt* and *extra.txt* in your next reply.

Please post the gmer results and the DSS logs.


----------



## js19

Deckard's System Scanner v20071014.68
Run by Janine on 2008-08-01 12:39:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
5: 2008-08-01 08:53:54 UTC - RP406 - Windows Update
4: 2008-07-31 08:21:48 UTC - RP405 - Windows Update
3: 2008-07-30 07:52:40 UTC - RP404 - Windows Update
2: 2008-07-29 10:50:44 UTC - RP403 - ComboFix created restore point
1: 2008-07-29 07:20:15 UTC - RP402 - Windows Update


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Janine.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:54, on 01.08.2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\P1370Mon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\Janine\AppData\Local\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Janine\Documents\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Janine.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.91.52.155:80
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [P1370Mon.exe] C:\Windows\P1370Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "D:\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: YouTube Uploader.lnk = C:\Users\Janine\AppData\Local\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Suchleiste - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix: 
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/aberdeenuniv/support/plugins/ebraryRdr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-IN/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9637 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.js - JSFile - DefaultIcon - C:\Aptana\Aptana Studio\Icons\standard\aptana_file_js.ico
.js - JSFile - shell\open\command - "C:\Aptana\Aptana Studio\AptanaStudio.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 keriddlg - c:\windows\system32\drivers\keriddlg.sys
R0 zipecups - c:\windows\system32\drivers\zipecups.sys
R1 SASDIFSV - \??\c:\program files\superantispyware\sasdifsv.sys

S3 SASENUM - \??\c:\program files\superantispyware\sasenum.sys
S3 Xponaut_WBD (Xponaut WaveBridge Device (WDM)) - c:\windows\system32\drivers\xpntwbd.sys <Not Verified; Xponaut; Xponaut WaveBridge>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 Samsung Update Plus - "c:\program files\samsung\samsung update plus\slubackgroundservice.exe"


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft-6zu4-Adapter
Device ID: ROOT\*6TO4MP\0004
Manufacturer: Microsoft
Name: Microsoft-6zu4-Adapter #5
PNP Device ID: ROOT\*6TO4MP\0004
Service: tunnel


-- Scheduled Tasks -------------------------------------------------------------

2008-08-01 12:41:39       420 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{878A2A3D-7BC9-4D81-AE12-7DF80745E33C}.job


-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-07-29 11:49:47     68096 --a------ C:\Windows\zip.exe
2008-07-29 11:49:47    161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-29 11:49:47     98816 --a------ C:\Windows\sed.exe
2008-07-29 11:49:47     80412 --a------ C:\Windows\grep.exe
2008-07-29 11:49:47     89504 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-29 11:49:46     49152 --a------ C:\Windows\VFind.exe
2008-07-29 11:49:46    212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-29 11:49:46    136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-29 11:49:01         0 d-------- C:\327882R2FWJFW
2008-07-23 11:39:05         0 d-------- C:\Program Files\Common Files\xing shared
2008-07-23 11:38:45         0 d-------- C:\Program Files\Real
2008-07-23 11:38:42         0 d-------- C:\Program Files\Common Files\Real


-- Find3M Report ---------------------------------------------------------------

2008-07-31 21:45:51        12 --a------ C:\Windows\bthservsdp.dat
2008-07-29 19:23:02    644854 --a------ C:\Windows\system32\perfh007.dat
2008-07-29 19:23:02    117716 --a------ C:\Windows\system32\perfc007.dat
2008-07-29 12:10:48         0 d-------- C:\Program Files\Common Files
2008-07-28 21:57:06         0 d-------- C:\Program Files\Google
2008-07-23 11:41:25         0 d-------- C:\Users\Janine\AppData\Roaming\Real
2008-07-20 21:29:16         0 d-------- C:\Users\Janine\AppData\Roaming\uTorrent
2008-07-20 15:53:54         0 d-------- C:\Users\Janine\AppData\Roaming\Adobe
2008-06-17 22:48:15         0 d-------- C:\Users\Janine\AppData\Roaming\Mozilla
2008-06-12 21:39:07         0 d-------- C:\Users\Janine\AppData\Roaming\LimeWire
2008-06-10 10:59:21         0 d-------- C:\Users\Janine\AppData\Roaming\DivX
2008-06-10 10:58:56         0 d-------- C:\Users\Janine\AppData\Roaming\CyberLink
2008-06-02 13:30:09         0 d-------- C:\Program Files\ICQ6
2008-06-02 13:28:57         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-02 13:28:01         0 d-------- C:\Users\Janine\AppData\Roaming\ICQ
2008-05-27 13:22:42    189753 --a------ C:\Windows\system32\subipvoc32.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [13.06.2007 05:11 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [23.03.2007 07:40]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [08.01.2007 14:26]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [08.01.2007 14:17]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10.11.2006 04:35]
"GrooveMonitor"="C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" [26.10.2006 23:47]
"P1370Mon.exe"="C:\Windows\P1370Mon.exe" [19.06.2006 18:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 02:11]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19.07.2008 15:38]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [19.10.2007 21:16]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [23.07.2008 11:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [10.01.2008 11:25]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18.10.2007 12:34]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [27.08.2007 15:19]
"Creative Live! Cam Manager"="D:\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [31.05.2006 17:00]
"Google Update"="C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe" [15.07.2008 18:58]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02.11.2006 13:35]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02.11.2006 13:36]

C:\Users\Janine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Users\Janine\AppData\Local\YouTube\Uploader\youtubeuploader.exe [09.11.2007 14:33:08]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [15.09.2007 01:23:39]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [24.04.2007 10:50:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"NoHotStart"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20.12.2006 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P1370Cfg.exe]
P1370Cfg.exe /d:2

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted	hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs	BthServ
rsmsvcs	ntmssvc

*Newly Created Service* - GMER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-01 12:49:19 ------------


----------



## js19

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium  (build 6000)
Architecture: X86; Language: German

CPU 0: Intel(R) Core(TM)2 Duo CPU     T5250  @ 1.50GHz
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 1789.56 MiB / 1040.84 MiB
Pagefile Memory (total/avail): 3799.34 MiB / 2855.41 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.63 MiB

C: is Fixed (NTFS) - 69.05 GiB total, 25.37 GiB free. 
D: is Fixed (NTFS) - 70 GiB total, 49.5 GiB free. 

\\.\PHYSICALDRIVE0 - FUJITSU MHW2160BH PL ATA Device - 149.05 GiB - 3 partitions
  \PARTITION0 - Unknown - 10 GiB
  \PARTITION1 (bootable) - Installierbares Dateisystem - 69.05 GiB - C:
  \PARTITION2 - Installierbares Dateisystem - 70 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AV: avast! antivirus 4.8.1229 [VPS 080731-0] v4.8.1229 (ALWIL Software)
AS: Spyware Doctor v5.1.0.273 (PC Tools) Disabled
AS: Windows-Defender v1.1.1505.0 (Microsoft Corporation) Disabled Outdated
AS: SUPERAntiSpyware v4, 0, 0, 1154 (SUPERAntiSpyware.com) Disabled
AS: avast! antivirus 4.8.1229 [VPS 080731-0] v4.8.1229 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Janine\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JANINE-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Janine
LOCALAPPDATA=C:\Users\Janine\AppData\Local
LOGONSERVER=\\JANINE-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem;C:\PROGRA~1\DISKEE~1\DISKEE~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Janine\AppData\Local\Temp
TMP=C:\Users\Janine\AppData\Local\Temp
USERDOMAIN=Janine-PC
USERNAME=Janine
USERPROFILE=C:\Users\Janine
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Janine
Michael _(new local, net ready)_


-- Add/Remove Programs ---------------------------------------------------------

 --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
 --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
 --> MsiExec.exe /I{0F122737-72B2-4095-8B3E-7AAE753DFD3D}
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C81600D-D6C7-4687-9362-DD4A78B3483E}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9 
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUN0407.EXE -f"C:\Anwendungen\Photoshop 7.0\Uninst.isu" -c"C:\Anwendungen\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.8 - Deutsch --> MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A70800000002}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Agere Systems HDA Modem --> agrsmdel
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Aptana Studio --> C:\Aptana\Aptana Studio\uninstall.exe
Atheros WLAN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04983D37-2202-4295-94A2-8B547C66133F}\setup.exe" -l0x9 
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AV Voice Changer Software DIAMOND 6.0 --> C:\PROGRA~1\AVVCS6~1.0DI\UNWISE.EXE C:\PROGRA~1\AVVCS6~1.0DI\INSTALL.LOG
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVStation Now --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{FD53302C-8E7B-4730-8AD8-86A889BDBFAB} /l1031 
Before You Know It 3.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{232ACD98-F9FB-49FD-AFC6-F5C4BB6C8E59}\Setup.exe" -l0x9 
BitZipper 5.0.2 --> "C:\Program Files\BitZipper\unins000.exe"
Business Contact Manager für Outlook 2007 SP1 --> "C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {4cb9f93c-9edc-4be9-ae61-af128ddbecfa}
Business Contact Manager für Outlook 2007 SP1 --> MsiExec.exe /X{4CB9F93C-9EDC-4BE9-AE61-AF128DDBECFA}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Creative Live! Cam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9  /remove
Creative Live! Cam Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9  /remove
Creative Live! Cam Voice Driver (1.03.02.0328) --> C:\Windows\CtDrvIns.exe -uninstall -script PD1370.uns -unsext NT -plugin P1370Pin.dll -pluginres CtCamPin.crl
Creative Photo Calendar --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C81600D-D6C7-4687-9362-DD4A78B3483E}\setup.exe" -l0x9  /remove
Creative Photo Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9  /remove
Diskeeper 2008 Home --> MsiExec.exe /X{457792AF-42A0-48CE-8220-EB381187AD09}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe"  -uninstall
Easy Battery Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F730513-8688-4C3C-90A3-6B9792CE2EF3}\setup.exe" -l0x9 Remove
Easy Display Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17283B95-21A8-4996-97DA-547A48DB266F}\setup.exe" -l0x9  -removeonly
Easy Network Manager 3.0 --> C:\Program Files\InstallShield Installation Information\{4EA8EA5D-8E46-4698-9BF7-2F2AD8E1C185}\setup.exe -runfromtemp -l0x0407
Easy SpeedUp Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF367AA4-070B-493C-9575-85BE59D789C9}\Setup.exe" -l0x9 Remove
FLV Player 2.0, build 23 --> C:\Program Files\FLV Player\uninst.exe
Free YouTube Download 1.3 --> "C:\Program Files\DVDVideoSoft\Free YouTube Download\unins000.exe"
Free YouTube to Mp3 Converter version 2.4 --> "D:\vixy\Free YouTube to Mp3 Converter\unins000.exe"
Google Earth --> MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
HDDlife 3.0 Vista Gadget --> MsiExec.exe /I{05AAED02-5599-4D6E-A348-9D954678C6C9}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ICQ6 --> "C:\Program Files\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
imagine digital freedom - Samsung --> MsiExec.exe /X{00AF10C1-44BD-4862-9D7F-24E6BA3E87FD}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Encarta 2007 – Lernen und Wissen --> MsiExec.exe /I{07101881-E9B4-4DF6-A845-CAAFD093E477}
Microsoft Mathe --> MsiExec.exe /I{07103840-959A-4B0D-8825-2C533F0DDB19}
Microsoft Office Access MUI (German) 2007 --> MsiExec.exe /X{90120000-0015-0407-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (German) 2007 --> MsiExec.exe /X{90120000-0016-0407-0000-0000000FF1CE}
Microsoft Office Groove MUI (German) 2007 --> MsiExec.exe /X{90120000-00BA-0407-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (German) 2007 --> MsiExec.exe /X{90120000-0044-0407-0000-0000000FF1CE}
Microsoft Office OneNote MUI (German) 2007 --> MsiExec.exe /X{90120000-00A1-0407-0000-0000000FF1CE}
Microsoft Office Outlook MUI (German) 2007 --> MsiExec.exe /X{90120000-001A-0407-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (German) 2007 --> MsiExec.exe /X{90120000-0018-0407-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007 --> MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Italian) 2007 --> MsiExec.exe /X{90120000-001F-0410-0000-0000000FF1CE}
Microsoft Office Proofing (German) 2007 --> MsiExec.exe /X{90120000-002C-0407-0000-0000000FF1CE}
Microsoft Office Publisher MUI (German) 2007 --> MsiExec.exe /X{90120000-0019-0407-0000-0000000FF1CE}
Microsoft Office Shared MUI (German) 2007 --> MsiExec.exe /X{90120000-006E-0407-0000-0000000FF1CE}
Microsoft Office Word MUI (German) 2007 --> MsiExec.exe /X{90120000-001B-0407-0000-0000000FF1CE}
Microsoft SOAP Toolkit 2.0 SP2 --> MsiExec.exe /I{36BEAD11-8577-49AD-9250-E06A50AE87B0}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Miranda IM 0.7.3 --> C:\Program Files\Miranda IM\uninstall.exe
MorphVOX Junior --> MsiExec.exe /I{095AD113-0EA3-40FC-906E-18AC2F9D4B28}
MorphVOX Pro --> MsiExec.exe /I{DC50944B-78E2-474D-8ADE-6118E655FAD4}
Mozilla Firefox (2.0.0.15) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Opera 9.51 --> MsiExec.exe /X{1219497F-FA96-4D8E-9571-9C27A2A66B38}
OshoWorld Font Installer --> C:\PROGRA~1\UNWISE.EXE C:\PROGRA~1\INSTALL.LOG
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Play AVStation --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{955597D8-E5E1-474D-B647-60AC44566D24} /l1031 
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe"  -uninstall
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x7  -removeonly
Samsung Magic Doctor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32D6A58F-9659-446C-BBFC-E6F2B41F24DC}\Setup.exe" -l0x9 Remove
Samsung Recovery Solution II --> C:\Program Files\InstallShield Installation Information\{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}\setup.exe -runfromtemp -l0x0007 -removeonly
Samsung Update Plus --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{685707A4-911C-468D-BFC4-64A50E5E3A0C} /l1031 
SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P="SecondLife"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB934062) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Security Update for Visio 2007 (KB947590) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Sephonics --> C:\PROGRA~1\SEPHON~1\UNWISE.EXE C:\PROGRA~1\SEPHON~1\INSTALL.LOG
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The Sims 2 --> D:\Sims\EAUninstall.exe
The Sims 2 HomeCrafter Plus --> C:\Program Files\EA GAMES\The Sims 2 HomeCrafter Plus\EAUninstall.exe
The Sims™ 2 FreeTime --> C:\Program Files\EA GAMES\The Sims 2 FreeTime\EAUninstall.exe
The Sims™ 2 Seasons --> C:\Program Files\EA GAMES\The Sims 2 Seasons\EAUninstall.exe
TopStyle Lite (Version 3.0) --> C:\Windows\unlite3.exe "C:\Program Files\Bradbury\TopStyle3"
TreeSize Free V2.1 --> "C:\Program Files\JAM Software\TreeSize Free\unins000.exe"
Turtle's English-Hindi Dictionary (Release 1) --> "C:\Program Files\PublicSoft\EngHinDict\unins000.exe"
Uninstall 1.0.0.0 --> "C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Update for Microsoft Office Outlook 2007 (KB952142) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB932080) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb953463) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {1B78D541-9FF1-4330-ADD8-CED14F0C1E8E}
User Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}\setup.exe" -l0x9 Remove
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Werkzeuge und Vorlagen für Microsoft Office --> MsiExec.exe /X{B348E585-E872-41DF-8234-E2D49917CFBB}
WIDCOMM Bluetooth Software 6.0.1.5000 --> MsiExec.exe /X{03D1988F-469F-4843-8E6E-E5FE9D17889D}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Movie Maker 2.6 --> MsiExec.exe /X{B3DAF54F-DB25-4586-9EF1-96D24BB14088}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
YouTube Uploader --> MsiExec.exe /X{171818BA-E0AD-313D-B45A-1BC9D77ADA86}


-- Application Event Log -------------------------------------------------------

Event Record #/Type27226 / Error
Event Submitted/Written: 08/01/2008 00:18:55 PM
Event ID/Source: 1010 / Perflib
Event Description:
EmdCacheC:\Windows\system32\emdmgmt.dll4

Event Record #/Type27225 / Error
Event Submitted/Written: 08/01/2008 00:18:55 PM
Event ID/Source: 1008 / Perflib
Event Description:
DFSRC:\Windows\System32\DfsrPerf.dll4

Event Record #/Type27219 / Success
Event Submitted/Written: 08/01/2008 11:31:47 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type27209 / Error
Event Submitted/Written: 08/01/2008 09:54:22 AM
Event ID/Source: 5007 / WerSvc
Event Description:
Die Zieldatei für die Windows-Feedbackplattform (eine DLL-Datei, die eine Liste der auf diesem Computer aufgetretenen Probleme enthält, für deren Diagnose das Sammeln zusätzlicher Daten erforderlich ist) konnte nicht analysiert werden. Fehlercode 8014FFF9.

Event Record #/Type27202 / Success
Event Submitted/Written: 08/01/2008 09:50:06 AM
Event ID/Source: 5617 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type179966 / Error
Event Submitted/Written: 08/01/2008 10:05:10 AM
Event ID/Source: 20 / Microsoft-Windows-WindowsUpdateClient
Event Description:
0x8007000bUpdate für Windows Vista (KB950124){A980D794-9CCF-45D3-A897-3A5C8AE9A145}100

Event Record #/Type179964 / Error
Event Submitted/Written: 08/01/2008 10:05:10 AM
Event ID/Source: 20 / Microsoft-Windows-WindowsUpdateClient
Event Description:
0x8007000bUpdate für Windows Vista (KB950125){1F14AC0B-0F38-4E4A-A606-B3A2EBD72244}100

Event Record #/Type179962 / Error
Event Submitted/Written: 08/01/2008 10:05:10 AM
Event ID/Source: 20 / Microsoft-Windows-WindowsUpdateClient
Event Description:
0x8007000bKumulatives Sicherheitsupdate für ActiveX Killbits für Windows Vista (KB950760){F2A52805-1F01-4BB5-806E-FC613EB11E2C}106

Event Record #/Type179960 / Error
Event Submitted/Written: 08/01/2008 10:04:28 AM
Event ID/Source: 4375 / Microsoft-Windows-Servicing
Event Description:
Windows-Wartung konnte das Paket KB950582 (Security Update) nicht in den Status Aufgelöst(Resolved) setzen.

Event Record #/Type179959 / Error
Event Submitted/Written: 08/01/2008 10:04:28 AM
Event ID/Source: 4375 / Microsoft-Windows-Servicing
Event Description:
Windows-Wartung konnte das Paket KB950582 (Security Update) nicht in den Status Aufgelöst(Resolved) setzen.



-- End of Deckard's System Scanner: finished at 2008-08-01 12:49:19 ------------


----------



## js19

I can't post the gmer log because it's 369795 characters, too big for an attachment too... anywhere I could upload it?


----------



## ceewi1

Yes, please go to http://savefile.com and upload the file there. There is no need to register, just click the *UPLOAD MY FILE* button. After you upload the file, please post the link to the file.


----------



## js19

Okay. Here it is:

http://www.savefile.com/files/1701822


----------



## ceewi1

Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



Code:

File::
C:\Windows\system32\modivmak.dll
C:\Windows\system32\movixocx.dll

Driver::
keriddlg
zipecups

Rootkit::
C:\Windows\system32\appotchm.dll
C:\Windows\system32\bmpidcmd
C:\Windows\system32\cpyedmon.dll
C:\Windows\system32\dskunhex.dll
C:\Windows\system32\manafdll.dll
C:\Windows\system32\nicundde.exe


Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

[screenshot: dragging CFScript.txt onto ComboFix.exe]

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.  *How is your system running now?*
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.


----------



## js19

It doesn't seem to scan anything... the programme opens, backs up the registry, then something called Windows Command Processor crashes and Combofix disappears altogether.


----------



## ceewi1

Please reboot into Safe Mode (tap F8 on Windows startup and select Safe Mode from the list) and try the script there.


----------



## js19

It doesn't work there either.


----------



## ceewi1

OK, we'll do this another way.

Download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your Desktop.
Run *avenger.exe* by double-clicking on it.
Do not change any check box options!!
Copy everything in the Code box below, and paste it into the *Input script here:* part of the window.  Please do not include the word Code:



Code:

Files to delete:
C:\Windows\system32\modivmak.dll
C:\Windows\system32\movixocx.dll
C:\Windows\system32\appotchm.dll
C:\Windows\system32\cpyedmon.dll
C:\Windows\system32\dskunhex.dll
C:\Windows\system32\manafdll.dll
C:\Windows\system32\nicundde.exe
c:\windows\system32\drivers\keriddlg.sys
c:\windows\system32\drivers\zipecups.sys

Folders to delete:
C:\Windows\system32\bmpidcmd

Drivers to delete:
keriddlg
zipecups


Now click the *Execute* button.
Click Yes to the prompt to confirm you want to execute.
Click Yes to the Reboot now? question that will appear when Avenger finishes running.
Your PC should reboot, if not, reboot it yourself.
A log file from Avenger will be produced at *C:\avenger.txt* and it will popup for you to view when you login after reboot.
Please post the content of the logfile.

Please also run ComboFix again by double clicking on it and post the log it generates.


----------



## js19

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Windows\system32\modivmak.dll" deleted successfully.
File "C:\Windows\system32\movixocx.dll" deleted successfully.
File "C:\Windows\system32\appotchm.dll" deleted successfully.
File "C:\Windows\system32\cpyedmon.dll" deleted successfully.
File "C:\Windows\system32\dskunhex.dll" deleted successfully.
File "C:\Windows\system32\manafdll.dll" deleted successfully.
File "C:\Windows\system32\nicundde.exe" deleted successfully.
File "c:\windows\system32\drivers\keriddlg.sys" deleted successfully.
File "c:\windows\system32\drivers\zipecups.sys" deleted successfully.
Folder "C:\Windows\system32\bmpidcmd" deleted successfully.
Driver "keriddlg" deleted successfully.
Driver "zipecups" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.




The same thing happened with ComboFix again.
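Added example, not code from the thread or from Avenger's author: a small Python checker that does by code what the helper does by eye with the log above. It parses a script in the Files/Folders/Drivers format and the log's `Kind "name" outcome.` result lines, then reports any requested deletion the log never confirmed; the sample script and log are shortened copies of the ones posted above, and any Avenger messages other than those result lines are not assumed.

```python
"""Reconcile an Avenger script against the log Avenger wrote (added example,
not from the thread; the script sections and the Kind "name" outcome. result
line shape come from the posted script and log, other messages are not assumed)."""
import re
from dataclasses import dataclass, field

# Script section header (lower-cased) -> the word Avenger uses in result lines.
SECTION_TO_KIND = {"files to delete:": "File",
                   "folders to delete:": "Folder",
                   "drivers to delete:": "Driver"}
# Result lines look like:  File "C:\Windows\system32\x.dll" deleted successfully.
RESULT_RE = re.compile(r'^(File|Folder|Driver) "(.+)" (.+?)\.?$')


def parse_script(text):
    """Return {kind: [requested name, ...]} for an Avenger script."""
    requested = {kind: [] for kind in SECTION_TO_KIND.values()}
    kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SECTION_TO_KIND:
            kind = SECTION_TO_KIND[line.lower()]
        elif kind is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            requested[kind].append(line)
    return requested


def parse_log(text):
    """Return {(kind, name lower-cased): outcome} for every result line."""
    results = {}
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if m:
            kind, name, outcome = m.groups()
            results[(kind, name.lower())] = outcome  # Windows paths: case-insensitive
    return results


@dataclass
class Reconciliation:
    confirmed: list = field(default_factory=list)   # "deleted successfully"
    failed: list = field(default_factory=list)      # logged with another outcome
    unreported: list = field(default_factory=list)  # requested, no result line
    unexpected: list = field(default_factory=list)  # logged but never requested

    @property
    def all_confirmed(self):
        return not (self.failed or self.unreported or self.unexpected)


def reconcile(script_text, log_text):
    """Match every requested deletion with its result line and classify it."""
    requested, results = parse_script(script_text), parse_log(log_text)
    rec, seen = Reconciliation(), set()
    for kind, names in requested.items():
        for name in names:
            key = (kind, name.lower())
            seen.add(key)
            outcome, label = results.get(key), f'{kind} "{name}"'
            if outcome is None:
                rec.unreported.append(label)
            elif outcome == "deleted successfully":
                rec.confirmed.append(label)
            else:
                rec.failed.append(f"{label}: {outcome}")
    rec.unexpected = [f'{k} "{n}": {o}' for (k, n), o in results.items()
                      if (k, n) not in seen]
    return rec


# Constructed sample input: shortened copies of the script and log posted above.
SAMPLE_SCRIPT = r"""
Files to delete:
C:\Windows\system32\modivmak.dll
c:\windows\system32\drivers\keriddlg.sys

Folders to delete:
C:\Windows\system32\bmpidcmd

Drivers to delete:
keriddlg
zipecups
"""
SAMPLE_LOG = r"""
Script file read successfully.
No rootkits found!
File "C:\Windows\system32\modivmak.dll" deleted successfully.
File "c:\windows\system32\drivers\keriddlg.sys" deleted successfully.
Folder "C:\Windows\system32\bmpidcmd" deleted successfully.
Driver "keriddlg" deleted successfully.
Driver "zipecups" deleted successfully.
Completed script processing.
"""
# The same log with two result lines missing, the case a reader must not overlook.
SAMPLE_LOG_PARTIAL = "\n".join(l for l in SAMPLE_LOG.splitlines()
                               if "bmpidcmd" not in l and "zipecups" not in l)
```

Run `reconcile(SAMPLE_SCRIPT, SAMPLE_LOG_PARTIAL).unreported` to see the folder and the driver whose deletion the shortened log never confirmed.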


----------



## ceewi1

OK, it looks like Avenger has done its job anyway.  Try deleting your copy of ComboFix and downloading an updated one from http://download.bleepingcomputer.com/sUBs/ComboFix.exe.

If that still doesn't work, post new logs with Deckard's System Scanner and gmer instead.


----------



## js19

Deckard's System Scanner v20071014.68
Run by Janine on 2008-08-05 10:29:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Janine.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29, on 2008-08-05
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\P1370Mon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\Janine\AppData\Local\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Opera\opera.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\cmd.exe
C:\Windows\system32\conime.exe
C:\Users\Janine\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Janine.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.91.52.155:80
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [P1370Mon.exe] C:\Windows\P1370Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "D:\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: YouTube Uploader.lnk = C:\Users\Janine\AppData\Local\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Suchleiste - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix: 
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/aberdeenuniv/support/plugins/ebraryRdr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-IN/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9808 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-03 15:58:10         0 d-------- C:\327882R2FWJFW
2008-08-01 19:12:21         0 d-------- C:\Users\All Users\Last.fm
2008-08-01 19:11:47         0 d-------- C:\Program Files\Last.fm
2008-07-29 11:49:47     68096 --a------ C:\Windows\zip.exe
2008-07-29 11:49:47    161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-29 11:49:47     98816 --a------ C:\Windows\sed.exe
2008-07-29 11:49:47     80412 --a------ C:\Windows\grep.exe
2008-07-29 11:49:47     89504 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-29 11:49:46     49152 --a------ C:\Windows\VFind.exe
2008-07-29 11:49:46    212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-29 11:49:46    136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-23 11:39:05         0 d-------- C:\Program Files\Common Files\xing shared
2008-07-23 11:38:45         0 d-------- C:\Program Files\Real
2008-07-23 11:38:42         0 d-------- C:\Program Files\Common Files\Real


-- Find3M Report ---------------------------------------------------------------

2008-08-04 22:12:44        12 --a------ C:\Windows\bthservsdp.dat
2008-08-02 00:33:31         0 d-------- C:\Users\Janine\AppData\Roaming\uTorrent
2008-07-29 19:23:02    644854 --a------ C:\Windows\system32\perfh007.dat
2008-07-29 19:23:02    117716 --a------ C:\Windows\system32\perfc007.dat
2008-07-29 12:10:48         0 d-------- C:\Program Files\Common Files
2008-07-28 21:57:06         0 d-------- C:\Program Files\Google
2008-07-23 11:41:25         0 d-------- C:\Users\Janine\AppData\Roaming\Real
2008-07-20 15:53:54         0 d-------- C:\Users\Janine\AppData\Roaming\Adobe
2008-06-17 22:48:15         0 d-------- C:\Users\Janine\AppData\Roaming\Mozilla
2008-06-12 21:39:07         0 d-------- C:\Users\Janine\AppData\Roaming\LimeWire
2008-06-10 10:59:21         0 d-------- C:\Users\Janine\AppData\Roaming\DivX
2008-06-10 10:58:56         0 d-------- C:\Users\Janine\AppData\Roaming\CyberLink
2008-05-27 13:22:42    189753 --a------ C:\Windows\system32\subipvoc32.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-13 05:11 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 07:40]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 14:26]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 14:17]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 04:35]
"GrooveMonitor"="C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"P1370Mon.exe"="C:\Windows\P1370Mon.exe" [2006-06-19 18:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 15:38]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 21:16]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-23 11:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 11:25]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-27 15:19]
"Creative Live! Cam Manager"="D:\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-05-31 17:00]
"Google Update"="C:\Users\Janine\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-07-15 18:58]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36]

C:\Users\Janine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Users\Janine\AppData\Local\YouTube\Uploader\youtubeuploader.exe [2007-11-09 14:33:08]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-15 01:23:39]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-24 10:50:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"NoHotStart"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P1370Cfg.exe]
P1370Cfg.exe /d:2

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted	hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs	BthServ
rsmsvcs	ntmssvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-05 10:29:47 ------------



It didn't produce an extra.txt

Gmer: http://www.savefile.com/files/1709225


----------



## ceewi1

Great!  That's taken care of the main infection.  A few last things:

Your logfiles show signs of *Viewpoint Media Player:*
Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. It is known to be intrusive, but there is some possibility that it is now being used by those companies to give them info about your habits. It is not considered spyware since this is not clear, but I would not tolerate it on my machine if I didn't install it.

I suggest you remove it.  To do so, click on *Start* -> *Control Panel* -> *Add or Remove Programs*. Click on *Viewpoint Media Player* and click Remove.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries:
- O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

If you chose to remove Viewpoint Media Player, please also check the following entry (if still present):

*O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe*

Please close all open windows except for HijackThis and choose *Fix checked*.

*Your Java Runtime Environment is out of date*. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update:
*Updating Java:*

Go to *Start* > *Control Panel* and double-click on the *Software* icon > Add or Remove Programs.
Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
It should have the Java icon next to it.
Select it and click Remove.
Then download and install the newest version from here:

http://www.java.com/en/download/manual.jsp


How is your system running now?


----------



## js19

Okay, I uninstalled the Viewpoint Manager and updated my Java, but for some reason HijackThis won't fix those entries...nothing happens.


----------



## ceewi1

OK, those two are only leftovers anyway, but this should take care of them:

Please run Notepad and paste the contents of the codebox into a new file.  Please do not include the word Code:


Code:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]


Save the file to the desktop as *fix.reg* and make sure the *Save as Type* field says *All Files*.  Then please go to the desktop and double-click on *fix.reg*, and click *Yes* to merge it with the registry.

Please post a new HijackThis log once done.  How is your system running now?

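The `.reg` fix above is derived by hand from the two `O2 - BHO: ... - (no file)` lines in the HijackThis log. As an added example (not code from the thread or from HijackThis), the script below parses the O2 lines from the log posted earlier, flags the BHO registrations that point at no file, and generates the same REGEDIT4 removal script that ceewi1 wrote; the sample log excerpt is copied from the thread, and the key path and `REGEDIT4` header follow the fix ceewi1 posted.

```python
"""Flag orphaned BHO entries in a HijackThis log and build the matching REGEDIT4 fix."""
import re

# HijackThis O2 line format: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Registry key under which Internet Explorer registers Browser Helper Objects.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# Sample input: O2 lines copied from the HijackThis log in this thread,
# plus two unrelated lines to show that other sections are ignored.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
""".strip().splitlines()


def parse_o2(lines):
    """Return (name, clsid, path) for every O2 line; all other lines are skipped."""
    entries = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["clsid"], m["path"]))
    return entries


def orphaned_bhos(lines):
    """CLSIDs of BHO registrations whose DLL is gone ('(no file)' in HijackThis).

    Such entries are leftovers of a removed component: nothing loads, but the
    registration still exists and is what HijackThis offers to fix.
    """
    return [clsid for _, clsid, path in parse_o2(lines) if path == "(no file)"]


def removal_reg(clsids):
    """Build a REGEDIT4 script deleting the BHO key for each CLSID.

    A leading '-' inside the brackets tells regedit to delete that key when
    the file is merged, which is the form used in the fix posted above.
    """
    body = "\n".join(f"[-{BHO_KEY}\\{clsid}]" for clsid in clsids)
    return f"REGEDIT4\n\n{body}\n"


if __name__ == "__main__":
    print(removal_reg(orphaned_bhos(SAMPLE_LOG)))
```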

----------

