Infected with Win64:Sirefef-A, Win32:Sirefef-PF and Win32:Atraps-PF - Windows XP SP3

Solved
By Korcas
Jul 4, 2012
  1. Hello all,

    Given the symptoms of Sirefef-A, I'm surprised that googling actually brought up this forum, and not a number of junk links.

    I have spent some time reading other topics, both here, and on the avast forums, about the Sirefef Virus variations, and since everyone says not to use the fixes that other users were given, I decided to post my issues too.

    The trouble started when I had my PC running overnight on Sunday, something I rarely do. The next morning when I got back to it, everything was pretty much frozen, so I had to close myself out of every program running. Since then, I have had problems getting my main browser (Opera) to start, as it froze up with every startup.

    I then tried to copy the folder from my H drive, which is rather small with its 30 gig, believing that it was a memory issue, but I got the error E/A 1450, saying there were no system resources available.

    I then just installed a new version of Opera on another drive, and deleted the original installation from H, hoping that fixed it. But being paranoid as I am, I started a virus scan, and got a couple of results.

    Ever since that first virus scan, I have had Avast warn me of threats about every ten to twenty minutes, those threats being Win64:Sirefef-A, Win32:Atraps-PF and Win32:Malware-gen, all of them being triggered by Explorer.exe. According to Avast, these items are stored in my user data, but have immediately been quarantined by Avast.

    I tried removing Sirefef-PF via Avast, but found out that it's linked to my desktop.ini, so I couldn't delete it. Since then, Avast has also found it in system recovery files.

    I'm running Windows XP with Service Pack 3, and I have Avast with a purchased full license as my virus guard. I did not notice any other memory problems, other than the Opera freezing; my Google results have not seemed weird in any way.

    All of the viruses have been moved to quarantine, the quarantined files have not been deleted.

    What can I do, what programs should I use to get rid of it, and what logs need to be posted? I have a 1 gig USB stick at my disposal; will that be enough?

    In terms of logs, all I have is a Hijack This Log, I hope that helps for a first glimpse. I'll post it on the next post.
  2. Korcas


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 07:27:26, on 04.07.2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    H:\WINDOWS\System32\smss.exe
    H:\WINDOWS\system32\csrss.exe
    H:\WINDOWS\system32\winlogon.exe
    H:\WINDOWS\system32\services.exe
    H:\WINDOWS\system32\lsass.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\System32\svchost.exe
    H:\Programme\WTouch\WTouchService.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\system32\svchost.exe
    H:\Programme\Alwil Software\Avast5\afwServ.exe
    H:\Programme\WTouch\WTouchUser.exe
    H:\Programme\Alwil Software\Avast5\AvastSvc.exe
    H:\WINDOWS\system32\spoolsv.exe
    H:\WINDOWS\Explorer.EXE
    H:\WINDOWS\system32\svchost.exe
    H:\Programme\AskBarDis\bar\bin\AskService.exe
    H:\Programme\AskBarDis\bar\bin\ASKUpgrade.exe
    H:\Programme\Java\jre6\bin\jqs.exe
    H:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
    H:\WINDOWS\SOUNDMAN.EXE
    H:\Programme\FreePDF_XP\fpassist.exe
    H:\Programme\BurnAware Professional\nmsaccessu.exe
    H:\WINDOWS\system32\nvsvc32.exe
    H:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe
    H:\Programme\Trojancheck 6\tcguard.exe
    H:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\system32\Pen_Tablet.exe
    H:\WINDOWS\system32\wdfmgr.exe
    H:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
    I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrotray.exe
    H:\Programme\Alwil Software\Avast5\avastUI.exe
    H:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    H:\WINDOWS\system32\RunDLL32.exe
    H:\WINDOWS\system32\ctfmon.exe
    H:\Programme\Internet Explorer\IEXPLORE.EXE
    I:\AdobeCS5.5\Adobe Bridge CS5.1\Bridge.exe
    H:\WINDOWS\System32\alg.exe
    H:\Programme\Internet Explorer\IEXPLORE.EXE
    H:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe
    I:\Opera\opera.exe
    I:\Opera\pluginwrapper\opera_plugin_wrapper.exe
    I:\Opera\pluginwrapper\opera_plugin_wrapper.exe
    I:\Opera\pluginwrapper\opera_plugin_wrapper.exe
    H:\Dokumente und Einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Google Talk Plugin\googletalkplugin.exe
    H:\Dokumente und Einstellungen\Korcas\Desktop\HiJackThis204.exe
    H:\WINDOWS\system32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - H:\Programme\Vuze_Remote\prxtbVuz2.dll
    R3 - URLSearchHook: uTorrentBar_DE Toolbar - {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - H:\Programme\uTorrentBar_DE\prxtbuTor.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - I:\AdobeCS5.5\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - H:\Programme\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Programme\Java\jre6\bin\ssv.dll
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - H:\Programme\Alwil Software\Avast5\aswWebRepIE.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - H:\Programme\Vuze_Remote\prxtbVuz2.dll
    O2 - BHO: uTorrentBar_DE - {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - H:\Programme\uTorrentBar_DE\prxtbuTor.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Programme\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - H:\Programme\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: FreeRIP.com Toolbar - {081230F8-EA50-42A9-983C-D22ABC2EED3B} - H:\Programme\FreeRIP3\toolband.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - I:\AdobeCS5.5\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - H:\Programme\Vuze_Remote\prxtbVuz2.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - H:\Programme\Alwil Software\Avast5\aswWebRepIE.dll
    O3 - Toolbar: uTorrentBar_DE Toolbar - {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - H:\Programme\uTorrentBar_DE\prxtbuTor.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] H:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [FreePDF Assistant] H:\Programme\FreePDF_XP\fpassist.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\reader\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "H:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Trojancheck 6 Guard] H:\Programme\Trojancheck 6\tcguard.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] H:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "H:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "H:\Programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    O4 - HKLM\..\Run: [SwitchBoard] H:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe
    O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "H:\Programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [avast] "H:\Programme\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] H:\Programme\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [mobtus] rundll32.exe "H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\mobtus.dll",BuildNotificationPackage
    O4 - HKLM\..\RunOnce: [aswAhAScr.dll] "H:\Programme\Alwil Software\Avast5\aswRegSvr.exe" "H:\Programme\Alwil Software\Avast5\AhAScr.dll"
    O4 - HKLM\..\RunOnce: [aswasOutExt.dll] "H:\Programme\Alwil Software\Avast5\aswRegSvr.exe" "H:\Programme\Alwil Software\Avast5\asOutExt.dll"
    O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TBPanel] H:\Programme\Vtune\TBPanel.exe /A
    O4 - HKCU\..\Run: [AshSnap] I:\Ashampoo Snap 4\ashsnap.exe
    O4 - HKCU\..\Run: [Google Update] "H:\Dokumente und Einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [EPSON P50 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFFE.EXE /FU "H:\DOKUME~1\Korcas\LOKALE~1\Temp\E_S35EF.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [AdobeBridge] "I:\AdobeCS5.5\Adobe Bridge CS5.1\Bridge.exe" -stealth
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
    O4 - HKUS\S-1-5-21-436374069-1757981266-725345543-1004\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = I:\MS Office\Office\OSA9.EXE
    O8 - Extra context menu item: &FreeRIP Search - res://H:\Programme\FreeRIP3\toolband.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: An vorhandene PDF-Datei anfügen - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: In Adobe PDF konvertieren - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Linkziel an vorhandene PDF-Datei anhängen - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Linkziel in Adobe PDF konvertieren - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - H:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - H:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - H:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: ASKService - Unknown owner - H:\Programme\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - H:\Programme\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: avast! Antivirus - AVAST Software - H:\Programme\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Firewall - AVAST Software - H:\Programme\Alwil Software\Avast5\afwServ.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Programme\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
    O23 - Service: NMSAccessU - Unknown owner - H:\Programme\BurnAware Professional\nmsaccessu.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - H:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    O23 - Service: SwitchBoard - Adobe Systems Incorporated - H:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: TabletServicePen - Wacom Technology, Corp. - H:\WINDOWS\system32\Pen_Tablet.exe
    O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - H:\Programme\WTouch\WTouchService.exe
    --
    End of file - 12238 bytes
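Two of the review heuristics a helper applies when reading a HijackThis log like the one above, written as a small Python triage script. This is an added example, not code from the thread or from HijackThis: it flags O4 autoruns where rundll32 loads a DLL from a user-writable directory (profile, AppData, Temp) and O23 services whose vendor is reported as "Unknown owner". The [mobtus] and ASKService lines in the sample are copied from the posted log; the other sample lines are constructed benign entries of the same shape. Hits are prompts to look closer, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed HijackThis-style sample. The [mobtus] and ASKService entries are
# taken from the log posted above; the rest are constructed benign lines so the
# heuristics have entries to pass over.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast] "H:\Programme\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mobtus] rundll32.exe "H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\mobtus.dll",BuildNotificationPackage
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O23 - Service: ASKService - Unknown owner - H:\Programme\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! Antivirus - AVAST Software - H:\Programme\Alwil Software\Avast5\AvastSvc.exe
"""

# O4 - <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O23 - Service: <name> - <owner> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# rundll32[.exe] <dll>,<Export>  where <dll> is quoted (spaces) or bare
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s]+))', re.IGNORECASE
)

# Directory fragments marking a per-user, user-writable location: German and
# English XP profile layouts plus the Vista+ \Users tree. Compared lowercased.
USER_WRITABLE = (
    "\\dokumente und einstellungen\\",
    "\\documents and settings\\",
    "\\users\\",
    "\\anwendungsdaten\\",
    "\\application data\\",
    "\\appdata\\",
    "\\temp\\",
)


@dataclass
class Finding:
    line: str    # the original log line
    rule: str    # which heuristic fired
    detail: str  # short human-readable summary


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL path a rundll32 command loads, or None if cmd is not rundll32."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def in_user_writable_dir(path: str) -> bool:
    """True if the path sits under a profile/AppData/Temp directory."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis O4/O23 lines and return entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            dll = rundll32_target(m.group("cmd"))
            if dll and in_user_writable_dir(dll):
                detail = f"{m.group('hive')} {m.group('key')} [{m.group('name')}] loads {dll}"
                findings.append(Finding(line, "rundll32-user-dir", detail))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            detail = f"{m.group('name')} -> {m.group('path')}"
            findings.append(Finding(line, "service-unknown-owner", detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```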
  3. Bobbye


    Before we make an assumption that Sirefef has taken over the system, I'd like to point this out:

    You are using several file sharing programs, at least Vuze and uTorrent. And the Ask.com entries are plentiful. So these will all have to be considered.

    HijackThis isn't used to screen for malware, so please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ==================================
    The additional logs will give me more information about what's running on the system.

    Please don't use the file sharing programs while I am helping you and don't use any other cleaning or scanning programs unless I direct you to do so.
  4. Korcas


    Yeah, I had been considering cleaning up the ask.com things recently, actually. Unfortunately, sometimes Vuze and uTorrent become necessary, but they are rarely used. None of the programs will be in use while we work this issue out, I promise that.

    Will I have to turn off any of my virus or trojan protection while running the preliminary steps? I'll be getting home in about two hours, so I'll try to post as much as I can tonight!

    Thank you for taking on my case!
  5. Bobbye


    GMER is the only one of the preliminary scans that instructs you to disable the AV.
  6. Korcas


    Okay, done with scanning, time for the logs:

    Malwarebytes Anti-Malware (Test) 1.61.0.1400
    www.malwarebytes.org

    Datenbank Version: v2012.07.04.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Korcas :: GREYBOX [Administrator]

    Schutz: Aktiviert

    04.07.2012 18:32:59
    mbam-log-2012-07-04 (18-32-59).txt

    Art des Suchlaufs: Quick-Scan
    Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
    Deaktivierte Suchlaufeinstellungen: P2P
    Durchsuchte Objekte: 223719
    Laufzeit: 3 Minute(n), 35 Sekunde(n)

    Infizierte Speicherprozesse: 0
    (Keine bösartigen Objekte gefunden)

    Infizierte Speichermodule: 0
    (Keine bösartigen Objekte gefunden)

    Infizierte Registrierungsschlüssel: 0
    (Keine bösartigen Objekte gefunden)

    Infizierte Registrierungswerte: 0
    (Keine bösartigen Objekte gefunden)

    Infizierte Dateiobjekte der Registrierung: 0
    (Keine bösartigen Objekte gefunden)

    Infizierte Verzeichnisse: 0
    (Keine bösartigen Objekte gefunden)

    Infizierte Dateien: 1
    h:\windows\assembly\gac\desktop.ini (Trojan.0access) -> Erfolgreich gelöscht und in Quarantäne gestellt.

    (Ende)
  7. Korcas


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-07-04 19:00:28
    Windows 5.1.2600 Service Pack 3 Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T0L0-17 WDC_WD20EARS-00MVWB0 rev.51.0AB51
    Running: 0ot1m6o7.exe; Driver: H:\DOKUME~1\Korcas\LOKALE~1\Temp\kwldqpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB02E8162]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB02E7FCD]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB0390744]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
  8. Korcas


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Korcas at 19:04:54 on 2012-07-04
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.3327.2165 [GMT 2:00]
    .
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: avast! Internet Security *Disabled*
    .
    ============== Running Processes ===============
    .
    H:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    H:\WINDOWS\System32\svchost.exe -k netsvcs
    H:\Programme\WTouch\WTouchService.exe
    svchost.exe
    svchost.exe
    H:\Programme\Alwil Software\Avast5\afwServ.exe
    H:\Programme\WTouch\WTouchUser.exe
    H:\Programme\Alwil Software\Avast5\AvastSvc.exe
    H:\WINDOWS\system32\spoolsv.exe
    H:\WINDOWS\Explorer.EXE
    svchost.exe
    H:\Programme\AskBarDis\bar\bin\AskService.exe
    H:\Programme\AskBarDis\bar\bin\ASKUpgrade.exe
    H:\Programme\Java\jre6\bin\jqs.exe
    H:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
    I:\Malwarebytes' Anti-Malware\mbamservice.exe
    H:\Programme\BurnAware Professional\nmsaccessu.exe
    H:\WINDOWS\system32\nvsvc32.exe
    H:\WINDOWS\system32\svchost.exe -k imgsvc
    H:\WINDOWS\system32\Pen_Tablet.exe
    H:\WINDOWS\SOUNDMAN.EXE
    H:\Programme\FreePDF_XP\fpassist.exe
    H:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
    I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrotray.exe
    H:\Programme\Alwil Software\Avast5\avastUI.exe
    H:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    H:\WINDOWS\system32\RunDLL32.exe
    I:\Malwarebytes' Anti-Malware\mbamgui.exe
    H:\WINDOWS\system32\ctfmon.exe
    I:\Opera\opera.exe
    I:\Opera\pluginwrapper\opera_plugin_wrapper.exe
    H:\WINDOWS\system32\wscntfy.exe
    H:\WINDOWS\system32\NOTEPAD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
    uURLSearchHooks: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - I:\adobecs5.5\adobe contribute cs5.1\plugins\ieplugin\contributeieplugin.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - h:\programme\askbardis\bar\bin\askBar.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\programme\java\jre6\bin\ssv.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - h:\programme\alwil software\avast5\aswWebRepIE.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
    BHO: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\programme\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - h:\programme\askbardis\bar\bin\askBar.dll
    TB: FreeRIP.com Toolbar: {081230f8-ea50-42a9-983c-d22abc2eed3b} - h:\programme\freerip3\toolband.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - I:\adobecs5.5\adobe contribute cs5.1\plugins\ieplugin\contributeieplugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - h:\programme\alwil software\avast5\aswWebRepIE.dll
    TB: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
    EB: Ask Toolbar Quick View: {b0de3308-5d5a-470d-81b9-634fc078393b} - h:\windows\system32\shdocvw.dll
    uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
    uRun: [TBPanel] h:\programme\vtune\TBPanel.exe /A
    uRun: [AshSnap] I:\ashampoo snap 4\ashsnap.exe
    uRun: [Google Update] "h:\dokumente und einstellungen\korcas\lokale einstellungen\anwendungsdaten\google\update\GoogleUpdate.exe" /c
    uRun: [EPSON P50 Series] h:\windows\system32\spool\drivers\w32x86\3\e_fatiffe.exe /fu "h:\dokume~1\korcas\lokale~1\temp\E_S35EF.tmp" /EF "HKCU"
    uRun: [AdobeBridge] "I:\adobecs5.5\adobe bridge cs5.1\Bridge.exe" -stealth
    mRun: [IMJPMIG8.1] "h:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] h:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [FreePDF Assistant] h:\programme\freepdf_xp\fpassist.exe
    mRun: [Adobe Reader Speed Launcher] "I:\reader\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "h:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Trojancheck 6 Guard] h:\programme\trojancheck 6\tcguard.exe
    mRun: [ISUSPM Startup] h:\progra~1\gemein~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "h:\programme\gemeinsame dateien\installshield\updateservice\issch.exe" -start
    mRun: [AdobeAAMUpdater-1.0] "h:\programme\gemeinsame dateien\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [SwitchBoard] h:\programme\gemeinsame dateien\adobe\switchboard\SwitchBoard.exe
    mRun: [AdobeCS5.5ServiceManager] "h:\programme\gemeinsame dateien\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
    mRun: [<NO NAME>]
    mRun: [Adobe Acrobat Speed Launcher] "I:\adobecs5.5\acrobat 10.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "I:\adobecs5.5\acrobat 10.0\acrobat\Acrotray.exe"
    mRun: [avast] "h:\programme\alwil software\avast5\avastUI.exe" /nogui
    mRun: [SunJavaUpdateSched] "h:\programme\gemeinsame dateien\java\java update\jusched.exe"
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] h:\programme\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [Malwarebytes' Anti-Malware] "I:\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [CTFMON.EXE] h:\windows\system32\CTFMON.EXE
    StartupFolder: h:\dokume~1\alluse~1\startm~1\progra~1\autost~1\adobeg~1.lnk - h:\programme\gemeinsame dateien\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: h:\dokume~1\alluse~1\startm~1\progra~1\autost~1\micros~1.lnk - I:\ms office\office\OSA9.EXE
    IE: &FreeRIP Search - h:\programme\freerip3\toolband.dll/MENUSEARCH.HTM
    IE: An vorhandene PDF-Datei anfügen - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: In Adobe PDF konvertieren - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: Linkziel an vorhandene PDF-Datei anhängen - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Linkziel in Adobe PDF konvertieren - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\programme\messenger\msmsgs.exe
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: Interfaces\{DD995B81-4F4E-4A09-8784-27B622190A54} : DhcpNameServer = 192.168.178.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\gemein~1\skype\SKYPE4~1.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "h:\programme\gemeinsame dateien\lightscribe\LSRunOnce.exe"
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [2011-11-11 12112]
    R0 aswNdis2;avast! Firewall Core Firewall Service;h:\windows\system32\drivers\aswNdis2.sys [2011-11-11 202928]
    R1 aswFW;avast! TDI Firewall driver;h:\windows\system32\drivers\aswFW.sys [2011-11-11 113776]
    R1 aswKbd;aswKbd;h:\windows\system32\drivers\aswKbd.sys [2012-2-25 18544]
    R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2011-11-11 721000]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [2010-12-28 353688]
    R1 avgio;avgio;I:\avira\antivir desktop\avgio.sys [2009-10-17 11608]
    R1 ISODisk;ISODisk;h:\windows\system32\drivers\ISODisk.sys [2011-6-25 9600]
    R2 ASKService;ASKService;h:\programme\askbardis\bar\bin\AskService.exe [2009-10-18 464264]
    R2 ASKUpgrade;ASKUpgrade;h:\programme\askbardis\bar\bin\ASKUpgrade.exe [2009-10-18 234888]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [2010-12-28 21256]
    R2 avast! Antivirus;avast! Antivirus;h:\programme\alwil software\avast5\AvastSvc.exe [2010-12-28 44808]
    R2 avast! Firewall;avast! Firewall;h:\programme\alwil software\avast5\afwServ.exe [2011-11-11 133912]
    R2 avgntflt;avgntflt;h:\windows\system32\drivers\avgntflt.sys [2009-10-17 56816]
    R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [2012-7-4 654408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\programme\nvidia corporation\nvidia updatus\daemonu.exe [2012-3-6 2214504]
    R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [2009-10-18 4497704]
    R2 WTouchService;WTouch Service;h:\programme\wtouch\WTouchService.exe [2009-10-18 113448]
    R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2012-7-4 22344]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;h:\windows\system32\drivers\viahduaa.sys [2009-12-20 1381632]
    R3 wacmoumonitor;Wacom Mode Helper;h:\windows\system32\drivers\wacmoumonitor.sys [2009-10-18 16168]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;h:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 250056]
    S3 appliandMP;appliandMP;h:\windows\system32\drivers\appliand.sys --> h:\windows\system32\drivers\appliand.sys [?]
    S3 SwitchBoard;SwitchBoard;h:\programme\gemeinsame dateien\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S4 AntiVirSchedulerService;Avira AntiVir Planer;I:\avira\antivir desktop\sched.exe [2009-10-17 108289]
    S4 AntiVirService;Avira AntiVir Guard;I:\avira\antivir desktop\avguard.exe [2009-10-17 185089]
    .
    =============== Created Last 30 ================
    .
    2012-07-04 16:32:16 -------- d-----w- h:\dokumente und einstellungen\korcas\anwendungsdaten\Malwarebytes
    2012-07-04 16:32:06 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
    2012-07-04 16:32:06 -------- d-----w- h:\dokumente und einstellungen\all users\anwendungsdaten\Malwarebytes
    2012-07-03 05:16:29 -------- d-----w- h:\windows\system32\wbem\repository\FS
    2012-07-03 05:16:29 -------- d-----w- h:\windows\system32\wbem\Repository
    2012-06-14 02:47:36 521728 -c----w- h:\windows\system32\dllcache\jsdbgui.dll
    .
    ==================== Find3M ====================
    .
    2012-07-03 16:21:53 721000 ----a-w- h:\windows\system32\drivers\aswSnx.sys
    2012-07-03 16:21:53 202928 ----a-w- h:\windows\system32\drivers\aswNdis2.sys
    2012-07-03 16:21:53 18544 ----a-w- h:\windows\system32\drivers\aswKbd.sys
    2012-07-03 16:21:52 113776 ----a-w- h:\windows\system32\drivers\aswFW.sys
    2012-07-03 16:21:32 41224 ----a-w- h:\windows\avastSS.scr
    2012-07-02 02:27:17 70344 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-02 02:27:17 426184 ----a-w- h:\windows\system32\FlashPlayerApp.exe
    2012-06-02 13:19:38 219160 ----a-w- h:\windows\system32\wuaucpl.cpl
    2012-06-02 13:19:38 18456 ----a-w- h:\windows\system32\wuaueng.dll.mui
    2012-06-02 13:19:38 15896 ----a-w- h:\windows\system32\wuapi.dll.mui
    2012-06-02 13:19:34 15896 ----a-w- h:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 13:19:28 23576 ----a-w- h:\windows\system32\wucltui.dll.mui
    2012-05-31 13:22:01 604160 ----a-w- h:\windows\system32\crypt32.dll
    2012-05-16 15:07:03 916992 ----a-w- h:\windows\system32\wininet.dll
    2012-05-15 13:56:00 1863296 ----a-w- h:\windows\system32\win32k.sys
    2012-05-11 14:40:24 43520 ----a-w- h:\windows\system32\licmgr10.dll
    2012-05-11 14:40:24 1469440 ------w- h:\windows\system32\inetcpl.cpl
    2012-05-11 11:38:02 385024 ----a-w- h:\windows\system32\html.iec
    2012-05-05 03:14:31 2150912 ----a-w- h:\windows\system32\ntoskrnl.exe
    2012-05-05 03:14:31 2029056 ----a-w- h:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46:30 139656 ----a-w- h:\windows\system32\drivers\rdpwd.sys
    2012-04-26 08:31:56 273344 ----a-w- h:\windows\system32\nvdrsdb1.bin
    2012-04-26 08:31:56 1 ----a-w- h:\windows\system32\nvdrssel.bin
    2012-04-26 08:31:55 273344 ----a-w- h:\windows\system32\nvdrsdb0.bin
    .
    ============= FINISH: 19:05:03,43 ===============
  9. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 17.10.2009 16:31:13
    System Uptime: 04.07.2012 18:38:40 (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | M4A785D-M PRO
    Processor: AMD Phenom(tm) II X4 945 Processor | AM2 | 3008/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 1863 GiB total, 23,253 GiB free.
    D: is CDROM (UDF)
    E: is CDROM (UDF)
    G: is FIXED (NTFS) - 932 GiB total, 43,371 GiB free.
    H: is FIXED (NTFS) - 29 GiB total, 12,628 GiB free.
    I: is FIXED (NTFS) - 49 GiB total, 29,807 GiB free.
    J: is FIXED (NTFS) - 853 GiB total, 42,579 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP933: 15.06.2012 19:31:32 - Systemprüfpunkt
    RP934: 17.06.2012 00:31:49 - Systemprüfpunkt
    RP935: 18.06.2012 23:23:22 - Systemprüfpunkt
    RP936: 20.06.2012 06:20:54 - Systemprüfpunkt
    RP937: 22.06.2012 05:49:29 - Systemprüfpunkt
    RP938: 23.06.2012 13:16:41 - Systemprüfpunkt
    RP939: 27.06.2012 23:40:15 - Systemprüfpunkt
    RP940: 30.06.2012 02:38:40 - Systemprüfpunkt
    RP941: 01.07.2012 03:04:48 - Systemprüfpunkt
    RP942: 03.07.2012 07:07:26 - Systemprüfpunkt
    RP943: 03.07.2012 08:19:52 - Wiederherstellungsvorgang
    .
    ==== Installed Programs ======================
    .
    µTorrent
    3D??????
    Adobe Acrobat X Pro - English, Français, Deutsch
    Adobe AIR
    Adobe Community Help
    Adobe Content Viewer
    Adobe Creative Suite 5.5 Master Collection
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Media Player
    Adobe Photoshop 7.0
    Adobe Reader 9.4.0 - Deutsch
    Adobe Widget Browser
    Applian Director
    Ashampoo Snap 4.2.0
    avast! Internet Security
    Avira AntiVir Personal - Free Antivirus
    AVM FRITZ!Box Dokumentation
    Badaboom 1.2.0.87
    Bamboo
    BufferChm
    BurnAware Professional 2.3.1 cracked by minimaL
    CanoScan LiDE 100 Scanner Driver
    CdCoverCreator 2.5.2
    CDisplay 1.8
    Combined Community Codec Pack 2011-07-30
    Destinations
    DeviceFunctionQFolder
    DeviceManagementQFolder
    DreamerRO's 10.11
    EPSON P50 Series Printer Uninstall
    Epson Print CD
    Epson Stylus Photo P50_T50 Handbuch
    eSupportQFolder
    FILEminimizer Pictures
    Foxit Reader 5.0
    Free Windows Registry Cleaner 2.0
    FreePDF (Remove only)
    FreeRIP v3.30
    Google Talk (remove only)
    Google Talk Plugin
    GPL Ghostscript 8.71
    Hotfix für Windows XP (KB2158563)
    Hotfix für Windows XP (KB2443685)
    Hotfix für Windows XP (KB2570791)
    Hotfix für Windows XP (KB2633952)
    Hotfix für Windows XP (KB952287)
    Hotfix für Windows XP (KB961118)
    Hotfix für Windows XP (KB970653-v3)
    Hotfix für Windows XP (KB976098-v2)
    Hotfix für Windows XP (KB979306)
    Hotfix für Windows XP (KB981793)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB976002-v5)
    HP Deskjet 3900 series
    HP Imaging Device Functions 5.0
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.0
    HPDeskjet3900Series
    IPS Wizard
    ips XP 1.11.2600
    ISODisk 1.1
    Java Auto Updater
    Java(TM) 6 Update 30
    JDownloader
    LightScribe Applications
    LightScribe System Software
    Logitech Harmony Remote Software
    Malwarebytes Anti-Malware Version 1.61.0.1400
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2000 Professional
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFCLOC_x86
    mIRC
    MKVtoolnix 4.0.0
    NVIDIA Grafiktreiber 275.33
    NVIDIA Install Application
    NVIDIA nView 135.85
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    NVIDIA Systemsteuerung 275.33
    NVIDIA Update 1.3.5
    NVIDIA Update Components
    Opera 12.00
    PDF Settings CS5
    pdfsam
    PS3 Media Server
    PxMergeModule
    QuickTime
    Realtek AC'97 Audio
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    RedMon - Redirection Port Monitor
    Replay Video Capture
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Sicherheitsupdate für Microsoft Windows (KB2564958)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2183461)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2360131)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2416400)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2482017)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2497640)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2510531)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2530548)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2544521)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2559049)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2586448)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2618444)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2647516)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2675157)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB2699988)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB971961)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB974455)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB976325)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB978207)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB981332)
    Sicherheitsupdate für Windows Internet Explorer 8 (KB982381)
    Sicherheitsupdate für Windows Media Player (KB2378111)
    Sicherheitsupdate für Windows Media Player (KB952069)
    Sicherheitsupdate für Windows Media Player (KB954155)
    Sicherheitsupdate für Windows Media Player (KB968816)
    Sicherheitsupdate für Windows Media Player (KB973540)
    Sicherheitsupdate für Windows Media Player (KB975558)
    Sicherheitsupdate für Windows Media Player (KB978695)
    Sicherheitsupdate für Windows Media Player (KB979402)
    Sicherheitsupdate für Windows XP (KB2079403)
    Sicherheitsupdate für Windows XP (KB2115168)
    Sicherheitsupdate für Windows XP (KB2121546)
    Sicherheitsupdate für Windows XP (KB2160329)
    Sicherheitsupdate für Windows XP (KB2229593)
    Sicherheitsupdate für Windows XP (KB2259922)
    Sicherheitsupdate für Windows XP (KB2279986)
    Sicherheitsupdate für Windows XP (KB2286198)
    Sicherheitsupdate für Windows XP (KB2296011)
    Sicherheitsupdate für Windows XP (KB2296199)
    Sicherheitsupdate für Windows XP (KB2347290)
    Sicherheitsupdate für Windows XP (KB2360937)
    Sicherheitsupdate für Windows XP (KB2387149)
    Sicherheitsupdate für Windows XP (KB2393802)
    Sicherheitsupdate für Windows XP (KB2412687)
    Sicherheitsupdate für Windows XP (KB2419632)
    Sicherheitsupdate für Windows XP (KB2423089)
    Sicherheitsupdate für Windows XP (KB2436673)
    Sicherheitsupdate für Windows XP (KB2440591)
    Sicherheitsupdate für Windows XP (KB2443105)
    Sicherheitsupdate für Windows XP (KB2476490)
    Sicherheitsupdate für Windows XP (KB2476687)
    Sicherheitsupdate für Windows XP (KB2478960)
    Sicherheitsupdate für Windows XP (KB2478971)
    Sicherheitsupdate für Windows XP (KB2479628)
    Sicherheitsupdate für Windows XP (KB2479943)
    Sicherheitsupdate für Windows XP (KB2481109)
    Sicherheitsupdate für Windows XP (KB2483185)
    Sicherheitsupdate für Windows XP (KB2485376)
    Sicherheitsupdate für Windows XP (KB2485663)
    Sicherheitsupdate für Windows XP (KB2503658)
    Sicherheitsupdate für Windows XP (KB2503665)
    Sicherheitsupdate für Windows XP (KB2506212)
    Sicherheitsupdate für Windows XP (KB2506223)
    Sicherheitsupdate für Windows XP (KB2507618)
    Sicherheitsupdate für Windows XP (KB2507938)
    Sicherheitsupdate für Windows XP (KB2508272)
    Sicherheitsupdate für Windows XP (KB2508429)
    Sicherheitsupdate für Windows XP (KB2509553)
    Sicherheitsupdate für Windows XP (KB2511455)
    Sicherheitsupdate für Windows XP (KB2524375)
    Sicherheitsupdate für Windows XP (KB2535512)
    Sicherheitsupdate für Windows XP (KB2536276-v2)
    Sicherheitsupdate für Windows XP (KB2536276)
    Sicherheitsupdate für Windows XP (KB2544893-v2)
    Sicherheitsupdate für Windows XP (KB2544893)
    Sicherheitsupdate für Windows XP (KB2555917)
    Sicherheitsupdate für Windows XP (KB2562937)
    Sicherheitsupdate für Windows XP (KB2566454)
    Sicherheitsupdate für Windows XP (KB2567053)
    Sicherheitsupdate für Windows XP (KB2567680)
    Sicherheitsupdate für Windows XP (KB2570222)
    Sicherheitsupdate für Windows XP (KB2570947)
    Sicherheitsupdate für Windows XP (KB2584146)
    Sicherheitsupdate für Windows XP (KB2585542)
    Sicherheitsupdate für Windows XP (KB2592799)
    Sicherheitsupdate für Windows XP (KB2598479)
    Sicherheitsupdate für Windows XP (KB2603381)
    Sicherheitsupdate für Windows XP (KB2618451)
    Sicherheitsupdate für Windows XP (KB2619339)
    Sicherheitsupdate für Windows XP (KB2620712)
    Sicherheitsupdate für Windows XP (KB2621440)
    Sicherheitsupdate für Windows XP (KB2624667)
    Sicherheitsupdate für Windows XP (KB2631813)
    Sicherheitsupdate für Windows XP (KB2633171)
    Sicherheitsupdate für Windows XP (KB2639417)
    Sicherheitsupdate für Windows XP (KB2641653)
    Sicherheitsupdate für Windows XP (KB2646524)
    Sicherheitsupdate für Windows XP (KB2647518)
    Sicherheitsupdate für Windows XP (KB2653956)
    Sicherheitsupdate für Windows XP (KB2659262)
    Sicherheitsupdate für Windows XP (KB2660465)
    Sicherheitsupdate für Windows XP (KB2661637)
    Sicherheitsupdate für Windows XP (KB2676562)
    Sicherheitsupdate für Windows XP (KB2685939)
    Sicherheitsupdate für Windows XP (KB2686509)
    Sicherheitsupdate für Windows XP (KB2695962)
    Sicherheitsupdate für Windows XP (KB2707511)
    Sicherheitsupdate für Windows XP (KB2709162)
    Sicherheitsupdate für Windows XP (KB923561)
    Sicherheitsupdate für Windows XP (KB941569)
    Sicherheitsupdate für Windows XP (KB946648)
    Sicherheitsupdate für Windows XP (KB950762)
    Sicherheitsupdate für Windows XP (KB950974)
    Sicherheitsupdate für Windows XP (KB951066)
    Sicherheitsupdate für Windows XP (KB951376-v2)
    Sicherheitsupdate für Windows XP (KB951748)
    Sicherheitsupdate für Windows XP (KB952004)
    Sicherheitsupdate für Windows XP (KB952954)
    Sicherheitsupdate für Windows XP (KB954459)
    Sicherheitsupdate für Windows XP (KB955069)
    Sicherheitsupdate für Windows XP (KB956572)
    Sicherheitsupdate für Windows XP (KB956744)
    Sicherheitsupdate für Windows XP (KB956802)
    Sicherheitsupdate für Windows XP (KB956803)
    Sicherheitsupdate für Windows XP (KB956844)
    Sicherheitsupdate für Windows XP (KB957097)
    Sicherheitsupdate für Windows XP (KB958644)
    Sicherheitsupdate für Windows XP (KB958687)
    Sicherheitsupdate für Windows XP (KB958869)
    Sicherheitsupdate für Windows XP (KB959426)
    Sicherheitsupdate für Windows XP (KB960225)
    Sicherheitsupdate für Windows XP (KB960803)
    Sicherheitsupdate für Windows XP (KB960859)
    Sicherheitsupdate für Windows XP (KB961371-v2)
    Sicherheitsupdate für Windows XP (KB961501)
    Sicherheitsupdate für Windows XP (KB968537)
    Sicherheitsupdate für Windows XP (KB969059)
    Sicherheitsupdate für Windows XP (KB969947)
    Sicherheitsupdate für Windows XP (KB970238)
    Sicherheitsupdate für Windows XP (KB970430)
    Sicherheitsupdate für Windows XP (KB971468)
    Sicherheitsupdate für Windows XP (KB971486)
    Sicherheitsupdate für Windows XP (KB971557)
    Sicherheitsupdate für Windows XP (KB971633)
    Sicherheitsupdate für Windows XP (KB971657)
    Sicherheitsupdate für Windows XP (KB971961)
    Sicherheitsupdate für Windows XP (KB972270)
    Sicherheitsupdate für Windows XP (KB973354)
    Sicherheitsupdate für Windows XP (KB973507)
    Sicherheitsupdate für Windows XP (KB973525)
    Sicherheitsupdate für Windows XP (KB973869)
    Sicherheitsupdate für Windows XP (KB973904)
    Sicherheitsupdate für Windows XP (KB974112)
    Sicherheitsupdate für Windows XP (KB974318)
    Sicherheitsupdate für Windows XP (KB974392)
    Sicherheitsupdate für Windows XP (KB974455)
    Sicherheitsupdate für Windows XP (KB974571)
    Sicherheitsupdate für Windows XP (KB975025)
    Sicherheitsupdate für Windows XP (KB975467)
    Sicherheitsupdate für Windows XP (KB975560)
    Sicherheitsupdate für Windows XP (KB975561)
    Sicherheitsupdate für Windows XP (KB975562)
    Sicherheitsupdate für Windows XP (KB975713)
    Sicherheitsupdate für Windows XP (KB977165)
    Sicherheitsupdate für Windows XP (KB977816)
    Sicherheitsupdate für Windows XP (KB977914)
    Sicherheitsupdate für Windows XP (KB978037)
    Sicherheitsupdate für Windows XP (KB978251)
    Sicherheitsupdate für Windows XP (KB978262)
    Sicherheitsupdate für Windows XP (KB978338)
    Sicherheitsupdate für Windows XP (KB978542)
    Sicherheitsupdate für Windows XP (KB978601)
    Sicherheitsupdate für Windows XP (KB978706)
    Sicherheitsupdate für Windows XP (KB979309)
    Sicherheitsupdate für Windows XP (KB979482)
    Sicherheitsupdate für Windows XP (KB979559)
    Sicherheitsupdate für Windows XP (KB979683)
    Sicherheitsupdate für Windows XP (KB979687)
    Sicherheitsupdate für Windows XP (KB980195)
    Sicherheitsupdate für Windows XP (KB980218)
    Sicherheitsupdate für Windows XP (KB980232)
    Sicherheitsupdate für Windows XP (KB980436)
    Sicherheitsupdate für Windows XP (KB981322)
    Sicherheitsupdate für Windows XP (KB981852)
    Sicherheitsupdate für Windows XP (KB981957)
    Sicherheitsupdate für Windows XP (KB981997)
    Sicherheitsupdate für Windows XP (KB982132)
    Sicherheitsupdate für Windows XP (KB982214)
    Sicherheitsupdate für Windows XP (KB982665)
    Sicherheitsupdate für Windows XP (KB982802)
    Skype™ 4.2
    SolutionCenter
    Status
    TrayApp
    Trojancheck 6
    UnderCoverXP 1.23
    Update für Windows Internet Explorer 8 (KB973874)
    Update für Windows Internet Explorer 8 (KB976662)
    Update für Windows Internet Explorer 8 (KB976749)
    Update für Windows Internet Explorer 8 (KB980182)
    Update für Windows XP (KB2141007)
    Update für Windows XP (KB2345886)
    Update für Windows XP (KB2467659)
    Update für Windows XP (KB2541763)
    Update für Windows XP (KB2607712)
    Update für Windows XP (KB2616676)
    Update für Windows XP (KB2641690)
    Update für Windows XP (KB2718704)
    Update für Windows XP (KB951978)
    Update für Windows XP (KB955759)
    Update für Windows XP (KB967715)
    Update für Windows XP (KB968389)
    Update für Windows XP (KB971029)
    Update für Windows XP (KB971737)
    Update für Windows XP (KB973687)
    Update für Windows XP (KB973815)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    uTorrentBar_DE Toolbar
    Video Padlock
    VLC media player 1.1.9
    Vtune 7.5
    Vuze
    Vuze Remote Toolbar
    Vuze Toolbar
    WebFldrs XP
    WebReg
    WebTablet IE Plugin
    WebTablet Netscape Plugin
    Winamp
    Windows Feature Pack für die Speicherung (32-Bit) - IMAPI-Update für Blu-Ray
    Windows Feature Pack für die Speicherung (32-Bit) - Smartcardtreiber
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows XP Service Pack 3
    WinRAR
    XnView 1.97
    .
    ==== Event Viewer Messages From Past Week ========
    .
    04.07.2012 19:01:34, error: Dhcp [1002] - Die IP-Adresslease 192.168.2.104 für die Netzwerkkarte mit der Netzwerkadresse 90E6BA06D472 wurde durch den DHCP-Server 192.168.2.1 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet).
    04.07.2012 18:39:34, error: sr [1] - Beim Verarbeiten der Datei "" auf Volume "HarddiskVolume1" ist im Wiederherstellungsfilter der unerwartete Fehler "0xC0000001" aufgetreten. Die Volumeüberwachung wurde angehalten.
    03.07.2012 08:19:52, error: sr [1] - Beim Verarbeiten der Datei "greybox.err" auf Volume "HarddiskVolume1" ist im Wiederherstellungsfilter der unerwartete Fehler "0xC000009A" aufgetreten. Die Volumeüberwachung wurde angehalten.
    03.07.2012 07:59:02, error: Service Control Manager [7000] - Der Dienst "Windows Installer" wurde aufgrund folgenden Fehlers nicht gestartet: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen.
    03.07.2012 07:09:03, error: SideBySide [59] - Resolve Partial Assembly ist für Microsoft.Windows.Common-Controls fehlgeschlagen. Referenzfehlermeldung: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen. .
    03.07.2012 07:09:03, error: SideBySide [59] - Resolve Partial Assembly ist für Microsoft.Windows.Common-Controls fehlgeschlagen. Referenzfehlermeldung: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen. .
    03.07.2012 07:09:03, error: SideBySide [59] - Resolve Partial Assembly ist für Microsoft.VC90.CRT fehlgeschlagen. Referenzfehlermeldung: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen. .
    03.07.2012 07:09:03, error: SideBySide [59] - Generate Activation Context ist für H:\WINDOWS\system32\TAPI32.dll fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .
    03.07.2012 07:09:03, error: SideBySide [59] - Generate Activation Context ist für H:\WINDOWS\System32\cscui.dll fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .
    03.07.2012 07:09:03, error: SideBySide [59] - Generate Activation Context ist für H:\PROGRA~1\ALWILS~1\Avast5\1031\Base.dll fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .
    03.07.2012 07:08:48, error: SideBySide [59] - Resolve Partial Assembly ist für Microsoft.Windows.Common-Controls fehlgeschlagen. Referenzfehlermeldung: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen. .
    03.07.2012 07:08:48, error: SideBySide [59] - Resolve Partial Assembly ist für Microsoft.VC90.CRT fehlgeschlagen. Referenzfehlermeldung: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen. .
    03.07.2012 07:08:48, error: SideBySide [59] - Generate Activation Context ist für H:\WINDOWS\System32\cscui.dll fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .
    03.07.2012 07:08:48, error: SideBySide [59] - Generate Activation Context ist für H:\PROGRA~1\ALWILS~1\Avast5\1031\Base.dll fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .
    03.07.2012 07:07:26, error: sr [1] - Beim Verarbeiten der Datei "3590660602868218.tmp" auf Volume "HarddiskVolume1" ist im Wiederherstellungsfilter der unerwartete Fehler "0xC000009A" aufgetreten. Die Volumeüberwachung wurde angehalten.
    03.07.2012 06:52:18, error: SideBySide [59] - Resolve Partial Assembly ist für Microsoft.Windows.Common-Controls fehlgeschlagen. Referenzfehlermeldung: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen. .
    03.07.2012 06:52:18, error: SideBySide [59] - Generate Activation Context ist für H:\WINDOWS\system32\shimgvw.dll fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .
    03.07.2012 06:52:00, error: Service Control Manager [7000] - Der Dienst "Windows Installer" wurde aufgrund folgenden Fehlers nicht gestartet: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen.
    03.07.2012 06:52:00, error: DCOM [10005] - Bei DCOM ist der Fehler "%1450" aufgetreten, als der Dienst "MSIServer" mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {000C101C-0000-0000-C000-000000000046}
    03.07.2012 06:51:45, error: SideBySide [59] - Resolve Partial Assembly ist für Microsoft.Windows.Common-Controls fehlgeschlagen. Referenzfehlermeldung: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen. .
    03.07.2012 06:51:45, error: SideBySide [59] - Generate Activation Context ist für H:\WINDOWS\System32\wiadefui.dll fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .
    03.07.2012 06:51:44, error: SideBySide [59] - Resolve Partial Assembly ist für Microsoft.VC90.CRT fehlgeschlagen. Referenzfehlermeldung: Nicht genügend Systemressourcen, um den angeforderten Dienst auszuführen. .
    03.07.2012 06:51:44, error: SideBySide [59] - Generate Activation Context ist für H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .
    .
    ==== End Of File ===========================
  10. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

Sorry for the German in there, unfortunately I'm running the German edition of XP. If you need translations, I'll help you out!
  11. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    After the initial scannings and logs, and Malwarebytes deleting the one infected file, I can say that Avast is no longer detecting any sort of infected files every couple of minutes. I still have a ton of files in quarantine with Avast, but will do nothing with them until further advised.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I think you have misunderstood this:
    You've mixed up hard drive size with RAM> to simplify:
    The hard drive is where the programs, files, folders, drivers, etc. occupy 'space.'
The above shows that Drive H is approximately 29GB. Of this, approximately 126GB or about 43% is free. Ideally, you should work as close as possible to keeping 80% free.

    Going one step further, out of the 3726GB totals for Drives C, G, H, I and J, there is only about 4% of free space!
    --------------------------------
    When you run the program or open the files to use, then you are using 'memory' or RAM. A message telling you there are no resources available means that all the RAM is in use. To find how much RAM is installed:
    Control Panel> System> the General tab of the System Properties will open and the RAM figure will be on lower right.

    But there is X amount of RAM installed. The more processes running, the more RAM in use. If the use is at capacity, there won't be any more resources available.

    To free up the RAM, some processes need to be closed and/or a reboot might help.
    ----------------------------------------------------
    Where the RAM is going> running processes:
    1. Two antivirus programs: Avira/Avast. You should only have one. Multiple AV make the system more vulnerable and slow the system down.
    Please remove one of the AV programs and reboot the computer when finished.

    2. Multiple file sharing Toolbars (TB) and Browser Helper Objects(BHO)
    Vuze Remote Toolbar> TB, BHO
    uTorrentBar_DE Toolbar> TB, BHO

    3. Foistware:
    AskBar> TB, BHO
    Ask Toolbar Quick View
    FreeRIP.com Toolbar

    4. Two PDF Readers:
    FreePDF Assistant
    Adobe Reader

    I know you didn't come here for a lesson on the system, but take what I said as a Warning. If you decide not to have any of the above, I can remove most after you run Combofix.
    ==================================
    I'd like you to run Combofix and the online Eset Virus scan. Please be sure to follow the directions for each so that we get the best results possible.

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------

• Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
  • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install - just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
• When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ======================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
  [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Please leave both logs in your next reply.
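As an added example (not part of this thread, and not code from DDS, ComboFix or ESET), here is a small Python parser for the "Disk Partitions" section of the DDS log posted above, which is the section the free-space discussion in this reply is based on. It handles the German-locale decimal comma the log uses (12,628 GiB free means 12.628 GiB, not 12628), and computes per-drive and overall free-space percentages; the sample input is copied from the log, while the regular expression, function names and the threshold helper are my own assumptions.

```python
import re

# Sample input: the "Disk Partitions" section exactly as it appears in the
# DDS log posted in this thread (German XP, so decimal commas).
DDS_PARTITIONS = """\
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 1863 GiB total, 23,253 GiB free.
D: is CDROM (UDF)
E: is CDROM (UDF)
G: is FIXED (NTFS) - 932 GiB total, 43,371 GiB free.
H: is FIXED (NTFS) - 29 GiB total, 12,628 GiB free.
I: is FIXED (NTFS) - 49 GiB total, 29,807 GiB free.
J: is FIXED (NTFS) - 853 GiB total, 42,579 GiB free.
.
==== Disabled Device Manager Items =============
"""

# One DDS partition line; the size part is optional because CDROM entries
# carry no totals. (Pattern written for this example, not taken from DDS.)
LINE_RE = re.compile(
    r"^(?P<drive>[A-Z]): is (?P<kind>\w+) \((?P<fs>[^)]+)\)"
    r"(?: - (?P<total>[\d.,]+) GiB total, (?P<free>[\d.,]+) GiB free\.)?$"
)


def parse_gib(text):
    """Turn a DDS size field into a float.

    DDS on a German-locale system writes the decimal separator as a comma,
    so '12,628' is 12.628 GiB. Assumption: no thousands separators appear,
    which matches the log above.
    """
    return float(text.replace(",", "."))


def parse_partitions(log):
    """Return one dict per fixed drive with total, free and percent free."""
    drives = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("total") is None:
            continue  # separator lines and CDROM entries have no sizes
        total = parse_gib(m.group("total"))
        free = parse_gib(m.group("free"))
        drives.append({
            "drive": m.group("drive"),
            "fs": m.group("fs"),
            "total_gib": total,
            "free_gib": free,
            "pct_free": round(100.0 * free / total, 1),
        })
    return drives


def summarize(drives):
    """Aggregate totals across all fixed drives."""
    total = sum(d["total_gib"] for d in drives)
    free = sum(d["free_gib"] for d in drives)
    return {
        "total_gib": total,
        "free_gib": round(free, 3),
        "pct_free": round(100.0 * free / total, 1),
    }


def below_threshold(drives, min_pct_free):
    """Drive letters whose free space is under the given percentage."""
    return [d["drive"] for d in drives if d["pct_free"] < min_pct_free]


if __name__ == "__main__":
    drives = parse_partitions(DDS_PARTITIONS)
    for d in drives:
        print(f"{d['drive']}: {d['free_gib']:9.3f} of {d['total_gib']:7.0f} GiB free "
              f"({d['pct_free']}%)")
    s = summarize(drives)
    print(f"All fixed drives: {s['free_gib']} of {s['total_gib']:.0f} GiB free "
          f"({s['pct_free']}%)")
    print("Under 10% free:", ", ".join(below_threshold(drives, 10)))
```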
  13. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    I thank you for your continued assistance. I won't have the time to run the advised programs before I get back from work tonight, but I will post the logs as soon as I have them. I took tomorrow off, so hopefully we'll be able to finish the cleanup by then.

    As for the issues with several virus programs, toolbars and the like, I would love some help with getting rid of these, once we're done cleaning. I actually used to run Avira, instead of Avast, but since Avira failed to protect, hell, even notify me of some issues, I dumped it, and went for Avast, instead. I haven't run Avira in ages, but I guess it still takes up resources. I mainly kept it around for its easy to access boot sector scanning.

Which program would you advise I keep? Or should I go for a new virus protection altogether? So far, I'm really satisfied with Avast.

    I'll keep you posted on the logs, as soon as I can!
     
  14. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    Another thing. I have no idea if I'm handling Avast correctly, right now. As mentioned in my first post, there are several infected items in my Avast container, quarantined away. Should I list all these things, too, or can we consider these blocked/solved? Should I delete the entries from quarantine before I take any new steps?

    Also, sometimes I hear the clicking sound from Windows, something that only appears on my system when Internet Explorer is being used, without IE even being open or running at the moment. Does this have anything to do with a possible infection?
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    No problem. Post the logs when you can.

It's okay to change your antivirus program- but you can't just abandon it! It should be uninstalled. If you want an evaluation between Avira and Avast, I suggest choosing Avast. We stopped recommending Avira when they started bundling junk with the download- did I tell you that?

    Please check with Avira Support for uninstall directions.

    Avast Support says this:
    Their idea of leaving them in the chest is based on the possibility that a file may have been removed erroneously. Once it's deleted, it's gone, but it can be restored from the chest.
    To delete files in the Virus Chest: Open Avast> Maintenance> Virus Chest>
    Right-click on the desired file (or highlighted multiple files) in the contents table on the VIRUS CHEST screen and select 'Delete' from the context menu:
    (Image from Avast Support)
    When asked to confirm> Choose Yes.
    ===================================
    About the 'clicking' sound> usually any 'sound' caused by malware is music in the background. I don't know what a 'clicking' sound is like! But you have all the sounds in the Control Panel> Sounds & Audio> Sounds tab: you can preview the sound by highlighting the sound line, then Preview. If you haven't changed the sounds, you should be able to find what the 'clicking' sound means. Patience on this because you're actually going to be working backwards on the sound!
  16. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    Okay here we go. I uninstalled Avira, as advised, then ran ComboFix, here is the log:

    ComboFix 12-07-05.03 - Korcas 05.07.2012 19:01:55.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.3327.1969 [GMT 2:00]
    Running from: h:\dokumente und einstellungen\Korcas\Desktop\ComboFix.exe
    AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    h:\dokumente und einstellungen\All Users\Anwendungsdaten\F2BDD61C-7F20-44BD-A1DB-F510E492AB22
    h:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
    h:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
    h:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
    h:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\FFSJ
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\FFSJ\FFSJ.cfg
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\1.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\2229.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\2260.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\4489.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\450.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\a.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\b.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\c.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\d.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\e.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\f.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\g.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\h.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\I.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\j.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\k.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\l.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\m.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\mru.xml
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\n.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\o.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\p.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\q.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\r.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\s.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\t.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\u.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\v.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\w.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\wlu.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\x.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\y.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\z.txt
    h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Tempals_inst.exe
    h:\dokumente und einstellungen\Korcas\Recent\Thumbs.db
    h:\dokumente und einstellungen\Korcas\WINDOWS
    h:\windows\system32\dllcache\dlimport.exe
    h:\windows\system32\Thumbs.db
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\Korcas\Anwendungsdaten\Malwarebytes
    2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
    2012-07-04 16:32 . 2012-04-04 13:56 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
    2012-07-03 05:16 . 2012-07-03 05:16 -------- d-----w- h:\windows\system32\wbem\Repository
    2012-06-14 02:47 . 2012-05-11 14:40 521728 -c----w- h:\windows\system32\dllcache\jsdbgui.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-03 16:21 . 2010-12-28 17:32 54232 ----a-w- h:\windows\system32\drivers\aswTdi.sys
    2012-07-03 16:21 . 2012-02-25 08:54 18544 ----a-w- h:\windows\system32\drivers\aswKbd.sys
    2012-07-03 16:21 . 2011-11-11 06:24 721000 ----a-w- h:\windows\system32\drivers\aswSnx.sys
    2012-07-03 16:21 . 2011-11-11 06:24 202928 ----a-w- h:\windows\system32\drivers\aswNdis2.sys
    2012-07-03 16:21 . 2010-12-28 17:32 21256 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
    2012-07-03 16:21 . 2010-12-28 17:32 353688 ----a-w- h:\windows\system32\drivers\aswSP.sys
    2012-07-03 16:21 . 2010-12-28 17:32 35928 ----a-w- h:\windows\system32\drivers\aswRdr.sys
    2012-07-03 16:21 . 2010-12-28 17:32 97608 ----a-w- h:\windows\system32\drivers\aswmon2.sys
    2012-07-03 16:21 . 2010-12-28 17:32 89624 ----a-w- h:\windows\system32\drivers\aswmon.sys
    2012-07-03 16:21 . 2011-11-11 06:24 113776 ----a-w- h:\windows\system32\drivers\aswFW.sys
    2012-07-03 16:21 . 2010-12-28 17:32 25256 ----a-w- h:\windows\system32\drivers\aavmker4.sys
    2012-07-03 16:21 . 2010-12-28 17:32 41224 ----a-w- h:\windows\avastSS.scr
    2012-07-03 16:21 . 2010-12-28 17:32 227648 ----a-w- h:\windows\system32\aswBoot.exe
    2012-07-02 02:27 . 2012-04-01 15:06 426184 ----a-w- h:\windows\system32\FlashPlayerApp.exe
    2012-07-02 02:27 . 2011-07-01 18:33 70344 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 13:19 . 2009-10-17 14:26 329240 ----a-w- h:\windows\system32\wucltui.dll
    2012-06-02 13:19 . 2009-10-17 14:26 210968 ----a-w- h:\windows\system32\wuweb.dll
    2012-06-02 13:19 . 2009-10-17 14:26 219160 ----a-w- h:\windows\system32\wuaucpl.cpl
    2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuapi.dll.mui
    2012-06-02 13:19 . 2008-10-16 12:07 18456 ----a-w- h:\windows\system32\wuaueng.dll.mui
    2012-06-02 13:19 . 2009-10-17 14:26 53784 ----a-w- h:\windows\system32\wuauclt.exe
    2012-06-02 13:19 . 2009-10-17 14:26 35864 ----a-w- h:\windows\system32\wups.dll
    2012-06-02 13:19 . 2008-10-16 12:09 45080 ----a-w- h:\windows\system32\wups2.dll
    2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 13:19 . 2007-07-27 12:00 97304 ----a-w- h:\windows\system32\cdm.dll
    2012-06-02 13:19 . 2008-10-16 12:08 23576 ----a-w- h:\windows\system32\wucltui.dll.mui
    2012-06-02 13:19 . 2009-10-17 14:26 577048 ----a-w- h:\windows\system32\wuapi.dll
    2012-06-02 13:19 . 2009-10-17 14:26 1933848 ----a-w- h:\windows\system32\wuaueng.dll
    2012-05-31 13:22 . 2007-07-27 12:00 604160 ----a-w- h:\windows\system32\crypt32.dll
    2012-05-16 15:07 . 2007-07-27 12:00 916992 ----a-w- h:\windows\system32\wininet.dll
    2012-05-15 13:56 . 2007-07-27 12:00 1863296 ----a-w- h:\windows\system32\win32k.sys
    2012-05-11 14:40 . 2007-07-27 12:00 43520 ----a-w- h:\windows\system32\licmgr10.dll
    2012-05-11 14:40 . 2007-07-27 12:00 1469440 ------w- h:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2007-07-27 12:00 385024 ----a-w- h:\windows\system32\html.iec
    2012-05-05 03:14 . 2007-07-27 12:00 2150912 ----a-w- h:\windows\system32\ntoskrnl.exe
    2012-05-05 03:14 . 2004-08-04 00:50 2029056 ----a-w- h:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2009-10-17 14:24 139656 ----a-w- h:\windows\system32\drivers\rdpwd.sys
    2002-11-19 23:01 . 2006-02-17 15:51 28672 ----a-w- h:\programme\opera\program\plugins\PlugDef.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
    "{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2011-05-09 09:49 176936 ----a-w- h:\programme\Vuze_Remote\prxtbVuz2.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    2011-05-09 08:49 176936 ----a-w- h:\programme\uTorrentBar_DE\prxtbuTor.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
    "{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
    "{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
    "{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 121528 ----a-w- h:\programme\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TBPanel"="h:\programme\Vtune\TBPanel.exe" [2009-05-12 2158592]
    "AshSnap"="I:\ashampoo snap 4\ashsnap.exe" [2011-04-01 1528176]
    "AdobeBridge"="I:\adobecs5.5\Adobe Bridge CS5.1\Bridge.exe" [2011-03-02 12008296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-27 208952]
    "MSPY2002"="h:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-07-27 59392]
    "PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
    "PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "Adobe Reader Speed Launcher"="I:\reader\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="h:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Trojancheck 6 Guard"="h:\programme\Trojancheck 6\tcguard.exe" [2002-11-14 590336]
    "ISUSPM Startup"="h:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "ISUSScheduler"="h:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "AdobeAAMUpdater-1.0"="h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
    "SwitchBoard"="h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="h:\programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "Adobe Acrobat Speed Launcher"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
    "Acrobat Assistant 8.0"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
    "avast"="h:\programme\Alwil Software\Avast5\avastUI.exe" [2012-07-03 4273976]
    "SunJavaUpdateSched"="h:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
    "NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
    "nwiz"="h:\programme\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
    "Malwarebytes' Anti-Malware"="I:\malwarebytes' anti-malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
    Adobe Gamma Loader.lnk - h:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-18 113664]
    Microsoft Office.lnk - I:\ms office\Office\OSA9.EXE [1999-2-17 65588]
    .
    [HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^HP Digital Imaging Monitor.lnk]
    path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\HP Digital Imaging Monitor.lnk
    backup=h:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-04-28 22:15 136176 ----atw- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-11-21 02:10 3293184 ----a-w- h:\programme\Google\Google Talk\googletalk.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2010-11-22 13:20 2736128 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 02:22 1695232 ------w- h:\programme\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 09:17 421888 ----a-w- I:\quicktime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2010-05-13 14:12 26192168 ----a-r- I:\skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AntiVirService"=2 (0x2)
    "AntiVirSchedulerService"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "I:\\mIRC\\mirc.exe"=
    "I:\\DC++\\DCPlusPlus.exe"=
    "I:\\Trillian\\trillian.exe"=
    "I:\\Azureus\\Azureus.exe"=
    "h:\\Programme\\Java\\jre6\\bin\\javaw.exe"=
    "h:\\Programme\\VideoLAN\\VLC\\vlc.exe"=
    "h:\\Dokumente und Einstellungen\\Korcas\\Lokale Einstellungen\\Anwendungsdaten\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "h:\\Programme\\Vuze\\Azureus.exe"=
    "I:\\Skype\\Plugin Manager\\skypePM.exe"=
    "I:\\Skype\\Phone\\Skype.exe"=
    "h:\\Programme\\Opera\\opera.exe"=
    "h:\\Programme\\Google\\Google Talk\\googletalk.exe"=
    "I:\\AdobeCS5.5\\Adobe Flash Builder 4.5\\FlashBuilder.exe"=
    "h:\\Programme\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
    "h:\\Programme\\uTorrent\\uTorrent.exe"=
    "h:\\Programme\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
    "I:\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
    "I:\\Opera\\opera.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7935:TCP"= 7935:TCP:Adobe Flash Builder 4.5
    .
    R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [11.11.2011 08:24 12112]
    R0 aswNdis2;avast! Firewall Core Firewall Service;h:\windows\system32\drivers\aswNdis2.sys [11.11.2011 08:24 202928]
    R1 aswFW;avast! TDI Firewall driver;h:\windows\system32\drivers\aswFW.sys [11.11.2011 08:24 113776]
    R1 aswKbd;aswKbd;h:\windows\system32\drivers\aswKbd.sys [25.02.2012 10:54 18544]
    R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [11.11.2011 08:24 721000]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [28.12.2010 19:32 353688]
    R1 ISODisk;ISODisk;h:\windows\system32\drivers\ISODisk.sys [25.06.2011 09:41 9600]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [28.12.2010 19:32 21256]
    R2 avast! Firewall;avast! Firewall;h:\programme\Alwil Software\Avast5\afwServ.exe [11.11.2011 08:24 133912]
    R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [04.07.2012 18:32 654408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [06.03.2012 23:02 2214504]
    R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [18.10.2009 21:34 4497704]
    R2 WTouchService;WTouch Service;h:\programme\WTouch\WTouchService.exe [18.10.2009 21:35 113448]
    R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [04.07.2012 18:32 22344]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;h:\windows\system32\drivers\viahduaa.sys [20.12.2009 20:00 1381632]
    R3 wacmoumonitor;Wacom Mode Helper;h:\windows\system32\drivers\wacmoumonitor.sys [18.10.2009 21:34 16168]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01.04.2012 17:06 250056]
    S3 appliandMP;appliandMP;h:\windows\system32\DRIVERS\appliand.sys --> h:\windows\system32\DRIVERS\appliand.sys [?]
    S3 SwitchBoard;SwitchBoard;h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe [19.02.2010 13:37 517096]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-11-22 13:18 451872 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-03 h:\windows\Tasks\AdobeAAMUpdater-1.0-GREYBOX-Korcas.job
    - h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-26 06:46]
    .
    2012-07-05 h:\windows\Tasks\avast! Emergency Update.job
    - h:\programme\Alwil Software\Avast5\AvastEmUpdate.exe [2012-06-30 16:21]
    .
    2012-07-01 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003Core.job
    - h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
    .
    2012-07-05 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003UA.job
    - h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: &FreeRIP Search - h:\programme\FreeRIP3\toolband.dll/MENUSEARCH.HTM
    IE: An vorhandene PDF-Datei anfügen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: In Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Linkziel an vorhandene PDF-Datei anhängen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Linkziel in Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-avgnt - I:\avira\AntiVir Desktop\avgnt.exe
    MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - h:\programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
    MSConfigStartUp-HP Software Update - h:\programme\HP\HP Software Update\HPWuSchd2.exe
    MSConfigStartUp-NeroFilterCheck - h:\programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
    AddRemove-AVMFBox - h:\programme\FRITZ!Box\install.exe
    AddRemove-GPL Ghostscript 8.71 - h:\programme\gs\uninstgs.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-05 19:07
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\0b\06\0c\17\03\1e?"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2136)
    h:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    h:\programme\WTouch\WTouchUser.exe
    h:\programme\Alwil Software\Avast5\AvastSvc.exe
    h:\programme\Java\jre6\bin\jqs.exe
    h:\programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
    h:\programme\BurnAware Professional\nmsaccessu.exe
    h:\windows\system32\nvsvc32.exe
    h:\windows\system32\wdfmgr.exe
    h:\windows\SOUNDMAN.EXE
    h:\windows\system32\RunDLL32.exe
    h:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-05 19:10:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-05 17:10
    .
    Pre-Run: 6 Verzeichnis(se), 13.851.844.608 Bytes frei
    Post-Run: 8 Verzeichnis(se), 14.704.447.488 Bytes frei
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - A31F85C7F21765BC37021AC404FC8B31
  17. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    Now the ESET scan has left me a bit worried, since it actually found three more infected files that nothing else seemed to have picked up? Here is the log:

    H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 Java/Exploit.CVE-2012-0507.CM trojan
    H:\System Volume Information\_restore{3B94F78F-1988-441F-AAF2-6781DE5D1F65}\RP943\A0167282.ini Win32/Sirefef.EZ trojan
    H:\System Volume Information\_restore{3B94F78F-1988-441F-AAF2-6781DE5D1F65}\RP943\A0167293.dll a variant of Win32/Medfos.AM trojan

    All three of these still exist, as I unchecked the threat removal as advised.

    I also emptied my Avast Container. So far Avast has not detected any new files trying to invade.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Your heavy use of file sharing programs will assure that you have a constant supply of malware! Consider removing all or most of the following:
    DCPlusPlus
    Trillian
    Azureus/Vuze
    uTorrent
    mIRC
    =============================================
    Toolbars and browser helper objects are being removed:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    DDS::
    uStart Page = about:blank
    uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
    uURLSearchHooks: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - h:\programme\askbardis\bar\bin\askBar.dll
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
    BHO: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - h:\programme\askbardis\bar\bin\askBar.dll
    TB: FreeRIP.com Toolbar: {081230f8-ea50-42a9-983c-d22abc2eed3b} - h:\programme\freerip3\toolband.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
    TB: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
    EB: Ask Toolbar Quick View: {b0de3308-5d5a-470d-81b9-634fc078393b} - h:\windows\system32\shdocvw.dll
    IE: &FreeRIP Search - h:\programme\freerip3\toolband.dll/MENUSEARCH.H
     
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
    "{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"=-
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{081230F8-EA50-42A9-983C-D22ABC2EED3B}"=-
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
    "{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"=-
    [HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{081230F8-EA50-42A9-983C-D22ABC2EED3B}"=-
    "{BA14329E-9550-4989-B3F2-9732E92D17CC}"=-
    "{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2}"=-
    [HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AntiVirService"
    "AntiVirSchedulerService"
     
    Clearjavacache::
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    There is only one new entry in the Eset log. The 2 processes in System Volume are restore points. They are no longer active in the system. I will have you set a new clean restore point and drop the old ones at the end of cleaning.
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ======================================
    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =======================================
    Please leave the new Combofix log (after running the script), OTM log and CK Scan in your next reply.
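    As an added example (not code from this thread, ComboFix or any TechSpot tool), a Python pre-flight check that parses the Reg Loading Points section of a ComboFix log like the one posted above together with the Registry:: section of a CFScript, and reports which of the script's deletions the log actually shows a target for, which it does not, and which lines delete nothing. It assumes Registry:: follows .reg file semantics ('[-key]' deletes a key, '"name"=-' deletes a value); the sample log and script are constructed from entries in this thread.

```python
"""Pre-flight check of a CFScript 'Registry::' section against the 'Reg Loading
Points' section of a ComboFix log. Added example for this thread, not ComboFix's
own code. It assumes Registry:: follows .reg file semantics: '[key]' creates or
touches a key, '[-key]' deletes it, '"name"=-' deletes a value and '"name"=data'
sets one. The sample log and script below are constructed from the thread."""
import re

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')           # [HKEY_...] header lines
LOG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=')    # "name"= data [date size]
SCRIPT_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"(?P<rest>.*)$')


def parse_log_loading_points(log_text):
    """Map each key under 'Reg Loading Points' (lower-cased, since registry paths
    are case-insensitive) to the lower-cased value names listed beneath it."""
    points, current, in_section = {}, None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if 'Reg Loading Points' in line:
            in_section = True
        elif 'Supplementary Scan' in line:  # the section ends here in ComboFix logs
            break
        elif not in_section or line in ('', '.'):
            continue
        elif (m := KEY_RE.match(line)):
            current = m.group('key').lower()
            points.setdefault(current, set())
        elif (m := LOG_VALUE_RE.match(line)) and current is not None:
            points[current].add(m.group('name').lower())
    return points


def parse_script_registry(script_text):
    """Turn the Registry:: section into (kind, key, value_name) directives."""
    directives, current, in_section = [], None, False
    for raw in script_text.splitlines():
        line = raw.strip()
        if line.endswith('::'):             # CFScript section header
            in_section = (line == 'Registry::')
        elif not in_section or not line:
            continue
        elif (m := KEY_RE.match(line)):
            key = m.group('key')
            current = key.lstrip('-')
            kind = 'delete_key' if key.startswith('-') else 'create_key'
            directives.append((kind, current, None))
        elif (m := SCRIPT_VALUE_RE.match(line)) and current is not None:
            rest = m.group('rest').strip()
            if rest == '=-':
                kind = 'delete_value'
            elif rest.startswith('='):
                kind = 'set_value'
            else:                           # a bare '"name"' line does nothing in .reg syntax
                kind = 'malformed'
            directives.append((kind, current, m.group('name')))
    return directives


def check_script(log_text, script_text):
    """Label each directive 'present' or 'absent' by whether the log lists the
    key/value it deletes, or 'n/a' for directives that delete nothing."""
    points = parse_log_loading_points(log_text)
    report = []
    for kind, key, name in parse_script_registry(script_text):
        if kind == 'delete_key':
            status = 'present' if key.lower() in points else 'absent'
        elif kind == 'delete_value':
            status = 'present' if name.lower() in points.get(key.lower(), set()) else 'absent'
        else:
            status = 'n/a'
        report.append((kind, key, name, status))
    return report


# Constructed sample data, trimmed from the thread's ComboFix log and CFScript.
SAMPLE_LOG = r"""
((((((( Reg Loading Points )))))))
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49 176936 ----a-w- h:\programme\Vuze_Remote\prxtbVuz2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
------- Supplementary Scan -------
"""

SAMPLE_SCRIPT = r"""KillAll::
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
"{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"
Clearjavacache::
"""
```

Running `check_script(SAMPLE_LOG, SAMPLE_SCRIPT)` labels the two URLSearchHooks value deletions 'present' and 'absent', the '[-...]' key deletion 'present', and the bare "AntiVirService" line 'malformed', which is what a helper wants to see before a script touches the registry.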
  19. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    Okay, I ran into a few problems, but first on the filesharing programs.

    mIRC and Trillian are only used for chatting, mIRC for IRC, and Trillian for AIM and IRC. Unfortunately these are necessary, since a lot of friends and colleagues use them to stay in touch with me. DCPlusPlus can go, I've only used it once or twice in the past. Same for uTorrent. Vuze, unfortunately, is sometimes a necessity, as I'm in the fansubbing scene, and we sometimes need to swap files for quality checking and the like. But I'm absolutely up for doing a cleanup of non-necessary files, once we've solved the infection issues.

    Now for the issues I ran into:

    ComboFix:

    1st try: Crashed when trying to scan, had to reboot.
    2nd try: It believed avast was still active, even though I closed the real time protection. Did still run without any noticeable problems afterwards.

Here is the log:

    ComboFix 12-07-05.04 - Korcas 06.07.2012 5:41.2.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.3327.2554 [GMT 2:00]
    Running from: h:\dokumente und einstellungen\Korcas\Desktop\ComboFix.exe
    AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-05 17:12 . 2012-07-05 17:12 -------- d-----w- h:\programme\ESET
    2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\Korcas\Anwendungsdaten\Malwarebytes
    2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
    2012-07-04 16:32 . 2012-04-04 13:56 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
    2012-07-03 05:16 . 2012-07-03 05:16 -------- d-----w- h:\windows\system32\wbem\Repository
    2012-06-14 02:47 . 2012-05-11 14:40 521728 -c----w- h:\windows\system32\dllcache\jsdbgui.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-03 16:21 . 2010-12-28 17:32 54232 ----a-w- h:\windows\system32\drivers\aswTdi.sys
    2012-07-03 16:21 . 2012-02-25 08:54 18544 ----a-w- h:\windows\system32\drivers\aswKbd.sys
    2012-07-03 16:21 . 2011-11-11 06:24 721000 ----a-w- h:\windows\system32\drivers\aswSnx.sys
    2012-07-03 16:21 . 2011-11-11 06:24 202928 ----a-w- h:\windows\system32\drivers\aswNdis2.sys
    2012-07-03 16:21 . 2010-12-28 17:32 21256 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
    2012-07-03 16:21 . 2010-12-28 17:32 353688 ----a-w- h:\windows\system32\drivers\aswSP.sys
    2012-07-03 16:21 . 2010-12-28 17:32 35928 ----a-w- h:\windows\system32\drivers\aswRdr.sys
    2012-07-03 16:21 . 2010-12-28 17:32 97608 ----a-w- h:\windows\system32\drivers\aswmon2.sys
    2012-07-03 16:21 . 2010-12-28 17:32 89624 ----a-w- h:\windows\system32\drivers\aswmon.sys
    2012-07-03 16:21 . 2011-11-11 06:24 113776 ----a-w- h:\windows\system32\drivers\aswFW.sys
    2012-07-03 16:21 . 2010-12-28 17:32 25256 ----a-w- h:\windows\system32\drivers\aavmker4.sys
    2012-07-03 16:21 . 2010-12-28 17:32 41224 ----a-w- h:\windows\avastSS.scr
    2012-07-03 16:21 . 2010-12-28 17:32 227648 ----a-w- h:\windows\system32\aswBoot.exe
    2012-07-02 02:27 . 2012-04-01 15:06 426184 ----a-w- h:\windows\system32\FlashPlayerApp.exe
    2012-07-02 02:27 . 2011-07-01 18:33 70344 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 13:19 . 2009-10-17 14:26 329240 ----a-w- h:\windows\system32\wucltui.dll
    2012-06-02 13:19 . 2009-10-17 14:26 210968 ----a-w- h:\windows\system32\wuweb.dll
    2012-06-02 13:19 . 2009-10-17 14:26 219160 ----a-w- h:\windows\system32\wuaucpl.cpl
    2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuapi.dll.mui
    2012-06-02 13:19 . 2008-10-16 12:07 18456 ----a-w- h:\windows\system32\wuaueng.dll.mui
    2012-06-02 13:19 . 2009-10-17 14:26 53784 ----a-w- h:\windows\system32\wuauclt.exe
    2012-06-02 13:19 . 2009-10-17 14:26 35864 ----a-w- h:\windows\system32\wups.dll
    2012-06-02 13:19 . 2008-10-16 12:09 45080 ----a-w- h:\windows\system32\wups2.dll
    2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 13:19 . 2007-07-27 12:00 97304 ----a-w- h:\windows\system32\cdm.dll
    2012-06-02 13:19 . 2008-10-16 12:08 23576 ----a-w- h:\windows\system32\wucltui.dll.mui
    2012-06-02 13:19 . 2009-10-17 14:26 577048 ----a-w- h:\windows\system32\wuapi.dll
    2012-06-02 13:19 . 2009-10-17 14:26 1933848 ----a-w- h:\windows\system32\wuaueng.dll
    2012-05-31 13:22 . 2007-07-27 12:00 604160 ----a-w- h:\windows\system32\crypt32.dll
    2012-05-16 15:07 . 2007-07-27 12:00 916992 ----a-w- h:\windows\system32\wininet.dll
    2012-05-15 13:56 . 2007-07-27 12:00 1863296 ----a-w- h:\windows\system32\win32k.sys
    2012-05-11 14:40 . 2007-07-27 12:00 43520 ----a-w- h:\windows\system32\licmgr10.dll
    2012-05-11 14:40 . 2007-07-27 12:00 1469440 ------w- h:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2007-07-27 12:00 385024 ----a-w- h:\windows\system32\html.iec
    2012-05-05 03:14 . 2007-07-27 12:00 2150912 ----a-w- h:\windows\system32\ntoskrnl.exe
    2012-05-05 03:14 . 2004-08-04 00:50 2029056 ----a-w- h:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2009-10-17 14:24 139656 ----a-w- h:\windows\system32\drivers\rdpwd.sys
    2002-11-19 23:01 . 2006-02-17 15:51 28672 ----a-w- h:\programme\opera\program\plugins\PlugDef.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-05_17.07.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-07-06 03:37 . 2012-07-06 03:37 16384 h:\windows\Temp\Perflib_Perfdata_5ac.dat
    - 2007-07-27 12:00 . 2012-07-05 16:54 67740 h:\windows\system32\perfc009.dat
    + 2007-07-27 12:00 . 2012-07-06 03:42 67740 h:\windows\system32\perfc009.dat
    - 2007-07-27 12:00 . 2012-07-05 16:54 48036 h:\windows\system32\perfc007.dat
    + 2007-07-27 12:00 . 2012-07-06 03:42 48036 h:\windows\system32\perfc007.dat
    + 2007-07-27 12:00 . 2012-07-06 03:42 432784 h:\windows\system32\perfh009.dat
    - 2007-07-27 12:00 . 2012-07-05 16:54 432784 h:\windows\system32\perfh009.dat
    - 2007-07-27 12:00 . 2012-07-05 16:54 316246 h:\windows\system32\perfh007.dat
    + 2007-07-27 12:00 . 2012-07-06 03:42 316246 h:\windows\system32\perfh007.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
    "{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2011-05-09 09:49 176936 ----a-w- h:\programme\Vuze_Remote\prxtbVuz2.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    2011-05-09 08:49 176936 ----a-w- h:\programme\uTorrentBar_DE\prxtbuTor.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
    "{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
    "{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
    "{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
    [HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 121528 ----a-w- h:\programme\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TBPanel"="h:\programme\Vtune\TBPanel.exe" [2009-05-12 2158592]
    "AshSnap"="I:\ashampoo snap 4\ashsnap.exe" [2011-04-01 1528176]
    "AdobeBridge"="I:\adobecs5.5\Adobe Bridge CS5.1\Bridge.exe" [2011-03-02 12008296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-27 208952]
    "MSPY2002"="h:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-07-27 59392]
    "PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
    "PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "Adobe Reader Speed Launcher"="I:\reader\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="h:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Trojancheck 6 Guard"="h:\programme\Trojancheck 6\tcguard.exe" [2002-11-14 590336]
    "ISUSPM Startup"="h:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "ISUSScheduler"="h:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "AdobeAAMUpdater-1.0"="h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
    "SwitchBoard"="h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="h:\programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "Adobe Acrobat Speed Launcher"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
    "Acrobat Assistant 8.0"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
    "avast"="h:\programme\Alwil Software\Avast5\avastUI.exe" [2012-07-03 4273976]
    "SunJavaUpdateSched"="h:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
    "NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
    "nwiz"="h:\programme\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
    "Malwarebytes' Anti-Malware"="I:\malwarebytes' anti-malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
    Adobe Gamma Loader.lnk - h:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-18 113664]
    Microsoft Office.lnk - I:\ms office\Office\OSA9.EXE [1999-2-17 65588]
    .
    [HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^HP Digital Imaging Monitor.lnk]
    path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\HP Digital Imaging Monitor.lnk
    backup=h:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-04-28 22:15 136176 ----atw- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-11-21 02:10 3293184 ----a-w- h:\programme\Google\Google Talk\googletalk.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2010-11-22 13:20 2736128 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 02:22 1695232 ------w- h:\programme\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 09:17 421888 ----a-w- I:\quicktime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2010-05-13 14:12 26192168 ----a-r- I:\skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AntiVirService"=2 (0x2)
    "AntiVirSchedulerService"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "I:\\mIRC\\mirc.exe"=
    "I:\\DC++\\DCPlusPlus.exe"=
    "I:\\Trillian\\trillian.exe"=
    "I:\\Azureus\\Azureus.exe"=
    "h:\\Programme\\Java\\jre6\\bin\\javaw.exe"=
    "h:\\Programme\\VideoLAN\\VLC\\vlc.exe"=
    "h:\\Dokumente und Einstellungen\\Korcas\\Lokale Einstellungen\\Anwendungsdaten\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "h:\\Programme\\Vuze\\Azureus.exe"=
    "I:\\Skype\\Plugin Manager\\skypePM.exe"=
    "I:\\Skype\\Phone\\Skype.exe"=
    "h:\\Programme\\Opera\\opera.exe"=
    "h:\\Programme\\Google\\Google Talk\\googletalk.exe"=
    "I:\\AdobeCS5.5\\Adobe Flash Builder 4.5\\FlashBuilder.exe"=
    "h:\\Programme\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
    "h:\\Programme\\uTorrent\\uTorrent.exe"=
    "h:\\Programme\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
    "I:\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
    "I:\\Opera\\opera.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7935:TCP"= 7935:TCP:Adobe Flash Builder 4.5
    .
    R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [11.11.2011 08:24 12112]
    R0 aswNdis2;avast! Firewall Core Firewall Service;h:\windows\system32\drivers\aswNdis2.sys [11.11.2011 08:24 202928]
    R1 aswFW;avast! TDI Firewall driver;h:\windows\system32\drivers\aswFW.sys [11.11.2011 08:24 113776]
    R1 aswKbd;aswKbd;h:\windows\system32\drivers\aswKbd.sys [25.02.2012 10:54 18544]
    R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [11.11.2011 08:24 721000]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [28.12.2010 19:32 353688]
    R1 ISODisk;ISODisk;h:\windows\system32\drivers\ISODisk.sys [25.06.2011 09:41 9600]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [28.12.2010 19:32 21256]
    R2 avast! Firewall;avast! Firewall;h:\programme\Alwil Software\Avast5\afwServ.exe [11.11.2011 08:24 133912]
    R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [04.07.2012 18:32 654408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [06.03.2012 23:02 2214504]
    R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [18.10.2009 21:34 4497704]
    R2 WTouchService;WTouch Service;h:\programme\WTouch\WTouchService.exe [18.10.2009 21:35 113448]
    R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [04.07.2012 18:32 22344]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;h:\windows\system32\drivers\viahduaa.sys [20.12.2009 20:00 1381632]
    R3 wacmoumonitor;Wacom Mode Helper;h:\windows\system32\drivers\wacmoumonitor.sys [18.10.2009 21:34 16168]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01.04.2012 17:06 250056]
    S3 appliandMP;appliandMP;h:\windows\system32\DRIVERS\appliand.sys --> h:\windows\system32\DRIVERS\appliand.sys [?]
    S3 SwitchBoard;SwitchBoard;h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe [19.02.2010 13:37 517096]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-11-22 13:18 451872 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-06 h:\windows\Tasks\AdobeAAMUpdater-1.0-GREYBOX-Korcas.job
    - h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-26 06:46]
    .
    2012-07-06 h:\windows\Tasks\avast! Emergency Update.job
    - h:\programme\Alwil Software\Avast5\AvastEmUpdate.exe [2012-06-30 16:21]
    .
    2012-07-01 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003Core.job
    - h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
    .
    2012-07-06 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003UA.job
    - h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: &FreeRIP Search - h:\programme\FreeRIP3\toolband.dll/MENUSEARCH.HTM
    IE: An vorhandene PDF-Datei anfügen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: In Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Linkziel an vorhandene PDF-Datei anhängen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Linkziel in Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-06 05:45
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\0b\06\0c\17\03\1e?"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3140)
    h:\windows\system32\webcheck.dll
    .
    Completion time: 2012-07-06 05:46:48
    ComboFix-quarantined-files.txt 2012-07-06 03:46
    ComboFix2.txt 2012-07-05 17:10
    .
    Pre-Run: 7 Verzeichnis(se), 14.700.904.448 Bytes frei
    Post-Run: 8 Verzeichnis(se), 14.683.389.952 Bytes frei
    .
    - - End Of File - - 361D037A7FC2B4BDE323D6525A0BDB78
  20. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    OTL issues:

1st: Crashed the first time and MBAM encountered an error. Closed MBAM protection since. (I probably should uninstall MBAM real time protection, should I not?) Had to reboot the machine.
2nd: Pressed MoveIt! and the desktop disappeared, OTL froze, had to reboot again, as there was no indication of anything currently being in process.
3rd: Took the machine to safe mode and ran the script, everything worked out. Here is the log:

    All processes killed
    ========== FILES ==========
    H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56502 bytes

    User: Korcas
    ->Temp folder emptied: 773388 bytes
    ->Temporary Internet Files folder emptied: 8552582 bytes
    ->Java cache emptied: 353491 bytes
    ->Opera cache emptied: 199118 bytes
    ->Flash cache emptied: 373285 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 131206 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56502 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 10,00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 07062012_060729
  21. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    Absolutely no issues with CKScanner.

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.WPAPLR
    ----- EOF -----
  22. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    A question on the side. Is it safe for me, at this point, to log into my e-mail account from this machine? I changed my password at work and haven't logged into my mail on this computer so far. So I'm wondering if I should hook something else up, or if I can check my mails on here.
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

NOTE: you need to shut down any other running programs while you run the scans. I think either you don't have enough RAM installed or one of the RAM chips is bad. What you are describing for the crashes makes this a strong possibility.
I suspect the problems you're having are due to the state of the system which I outlined previously. You have a great number of processes starting on boot, then running in the background, using system resources. None need to start on boot and can be accessed from the Programs menu when needed. They include:
    NONE of these need to start on boot!

    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes you do not need to start on boot.
      [o] Leave any processes for Avast
      [o] If you are on a laptop and there is a process for the touchpad like 'Appoint', leave that.
      [o] Uncheck everything else
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    =============================
    Is there some reason you did not run the script I gave you for Combofix? The entries are still present. It includes script for removing:
    ============================================
    Please do this and give me the figure:

    To find how much RAM is installed:
    Control Panel> System> the General tab of the System Properties will open and the RAM figure will be on lower right.
    ==============================================
    You can go to Add/Remove Programs and uninstall these:
    AskBar> TB, BHO
    Ask Toolbar Quick View
    FreeRIP.com Toolbar
    Adobe Reader: You have another program for PDF. The Adobe program is bloated with a lot of junk you don't need.

    Then use Windows Explorer to access Computer> Local Drive> Programs> Find the program folder for each uninstall program and do a right click> Delete.

    You may include any of the File Sharing programs in this.
    ==============================================
    Rerun Combofix with the script.
    ==============================================
    Run the CK Scanner as instructed.
    ==============================================
    In next reply:
    1. Tell me how much RAM is installed.
    2. Tell me which programs you have uninstalled so I can remove 'left-over' entry-if any.
    3. Leave the NEW Combofix log from AFTER you run the script.
    4. Leave the CK Scan log.
    ==============================================
    To clarify:
I had you run OTMoveIt. You referred to a different program, one that I have not had you run, twice:

    If you have OTL on your desktop also, please remove it.
    =============================
    Please note: When you leave a log, leave the entire log with the heading. That has information in it that I need. For instance, you have no header on OTM- you start with File.
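The msconfig advice above (leave the Avast entries, uncheck the rest) can be prepared from the Combofix log itself rather than by reading the Startup tab line by line. The following script is an added example for this thread, not part of Combofix, OTM or any tool named here: it parses the `Reg Loading Points` section of a Combofix log, keeps only values under the `...\Run` keys, and lists every entry that does not match a keep-list substring such as `avast`. The `SAMPLE_LOG` text is constructed in the same line format as the log posted earlier in the thread; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample in the layout of a ComboFix "Reg Loading Points" section
# (same line format as the log posted in this thread; not a real capture).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="h:\programme\Vtune\TBPanel.exe" [2009-05-12 2158592]
"AshSnap"="I:\ashampoo snap 4\ashsnap.exe" [2011-04-01 1528176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avast"="h:\programme\Alwil Software\Avast5\avastUI.exe" [2012-07-03 4273976]
"SunJavaUpdateSched"="h:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"I:\\mIRC\\mirc.exe"=
"""

# A section header looks like [HKEY_...\Run]; a value line looks like
# "Name"="command" [yyyy-mm-dd size]  (the trailing bracket is optional).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"'
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$"
)


@dataclass
class RunEntry:
    key: str            # registry key the value lives under
    name: str           # value name, as shown in msconfig's Startup tab
    path: str           # command / executable recorded in the value
    date: Optional[str]
    size: Optional[int]

    @property
    def unqualified(self) -> bool:
        """True when the value names a bare file (e.g. SOUNDMAN.EXE) with no
        directory, so Windows resolves it through the search path at logon."""
        return "\\" not in self.path and "/" not in self.path


def parse_run_entries(text: str) -> List[RunEntry]:
    """Extract values under every *\\Run key of a 'Reg Loading Points' dump."""
    entries: List[RunEntry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        # Only Run keys matter here; firewall lists, BHOs etc. are skipped.
        if current_key is None or not current_key.lower().endswith("\\run"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size = m.group("size")
        entries.append(RunEntry(
            key=current_key,
            name=m.group("name"),
            path=m.group("path"),
            date=m.group("date"),
            size=int(size) if size is not None else None,
        ))
    return entries


def candidates_to_disable(entries: Sequence[RunEntry],
                          keep: Sequence[str] = ("avast",)) -> List[RunEntry]:
    """Entries whose name and path match none of the keep substrings
    (case-insensitive) are candidates to uncheck in msconfig."""
    keep_lc = [k.lower() for k in keep]
    return [
        e for e in entries
        if not any(k in e.name.lower() or k in e.path.lower() for k in keep_lc)
    ]


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_LOG)
    for e in candidates_to_disable(found):
        flag = "  (no directory: resolved via search path)" if e.unqualified else ""
        print(f"{e.name:20} {e.path}{flag}")
```

The `unqualified` flag is worth a look on its own: a Run value that holds only a file name (like `SOUNDMAN.EXE` in the real log) is started through the search path rather than from a fixed location, so confirming which file it actually resolves to is part of reviewing the list. Entries already unchecked in msconfig show up in Combofix under the `msconfig\startupreg` keys instead of `\Run`, so they are not reported by this parser.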
  24. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

    Oh, sorry. I actually meant OTM. I have left the log in the reply, is there still something missing? Because that's all I got. I followed the steps you gave me for Combofix, pulled the script into the program and had it run. However, the first time around it froze up, so I started the program a second time, by double clicking on Combofix, was that wrong?

I removed the unnecessary parts from the autorun, at least as far as I could identify them, and will reboot now, will update you on the next steps once that is done.
  25. Korcas

    Korcas Newcomer, in training Topic Starter Posts: 42

Okay, here we go. I hope Combofix actually worked the way it was intended to this time.
1. According to the System properties, there are 3.25 Gigabytes of RAM installed. Physically I have 4 Gigabytes of RAM, but AFAIK Windows XP can only use 3.25.
2. I removed the following programs from the system, using the Microsoft Software removal: uTorrent, uTorrent Toolbar, Vuze Toolbar. Unfortunately I cannot find entries for the ask toolbar, and DC++.
3. I had to run Combofix twice, it froze on "Scanning for Infected Files" on the normal desktop. Left it running like that for half an hour, but nothing happened. So I created the script again, and copied it into ComboFix in Safe Mode, that apparently worked. Here is the log:
    ComboFix 12-07-06.02 - Korcas 06.07.2012 20:15:22.3.4 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.3327.2890 [GMT 2:00]
    Running from: h:\dokumente und einstellungen\Korcas\Desktop\ComboFix.exe
    Command switches used :: h:\dokumente und einstellungen\Korcas\Desktop\CFScript.txt
    AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\1.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\a.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\b.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\c.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\d.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\e.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\f.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\g.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\h.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\I.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\j.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\k.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\l.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\m.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\mru.xml
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\n.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\o.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\p.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\q.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\r.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\s.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\t.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\u.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\v.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\w.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\wlu.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\x.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\y.txt
    h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\z.txt
    h:\programme\freerip3\toolband.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-06 03:49 . 2012-07-06 03:49 -------- d-----w- H:\_OTM
    2012-07-05 17:12 . 2012-07-05 17:12 -------- d-----w- h:\programme\ESET
    2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\Korcas\Anwendungsdaten\Malwarebytes
    2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
    2012-07-04 16:32 . 2012-04-04 13:56 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
    2012-07-03 05:16 . 2012-07-03 05:16 -------- d-----w- h:\windows\system32\wbem\Repository
    2012-06-14 02:47 . 2012-05-11 14:40 521728 -c----w- h:\windows\system32\dllcache\jsdbgui.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-03 16:21 . 2010-12-28 17:32 54232 ----a-w- h:\windows\system32\drivers\aswTdi.sys
    2012-07-03 16:21 . 2012-02-25 08:54 18544 ----a-w- h:\windows\system32\drivers\aswKbd.sys
    2012-07-03 16:21 . 2011-11-11 06:24 721000 ----a-w- h:\windows\system32\drivers\aswSnx.sys
    2012-07-03 16:21 . 2011-11-11 06:24 202928 ----a-w- h:\windows\system32\drivers\aswNdis2.sys
    2012-07-03 16:21 . 2010-12-28 17:32 21256 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
    2012-07-03 16:21 . 2010-12-28 17:32 353688 ----a-w- h:\windows\system32\drivers\aswSP.sys
    2012-07-03 16:21 . 2010-12-28 17:32 35928 ----a-w- h:\windows\system32\drivers\aswRdr.sys
    2012-07-03 16:21 . 2010-12-28 17:32 97608 ----a-w- h:\windows\system32\drivers\aswmon2.sys
    2012-07-03 16:21 . 2010-12-28 17:32 89624 ----a-w- h:\windows\system32\drivers\aswmon.sys
    2012-07-03 16:21 . 2011-11-11 06:24 113776 ----a-w- h:\windows\system32\drivers\aswFW.sys
    2012-07-03 16:21 . 2010-12-28 17:32 25256 ----a-w- h:\windows\system32\drivers\aavmker4.sys
    2012-07-03 16:21 . 2010-12-28 17:32 41224 ----a-w- h:\windows\avastSS.scr
    2012-07-03 16:21 . 2010-12-28 17:32 227648 ----a-w- h:\windows\system32\aswBoot.exe
    2012-07-02 02:27 . 2012-04-01 15:06 426184 ----a-w- h:\windows\system32\FlashPlayerApp.exe
    2012-07-02 02:27 . 2011-07-01 18:33 70344 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 13:19 . 2009-10-17 14:26 329240 ----a-w- h:\windows\system32\wucltui.dll
    2012-06-02 13:19 . 2009-10-17 14:26 210968 ----a-w- h:\windows\system32\wuweb.dll
    2012-06-02 13:19 . 2009-10-17 14:26 219160 ----a-w- h:\windows\system32\wuaucpl.cpl
    2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuapi.dll.mui
    2012-06-02 13:19 . 2008-10-16 12:07 18456 ----a-w- h:\windows\system32\wuaueng.dll.mui
    2012-06-02 13:19 . 2009-10-17 14:26 53784 ----a-w- h:\windows\system32\wuauclt.exe
    2012-06-02 13:19 . 2009-10-17 14:26 35864 ----a-w- h:\windows\system32\wups.dll
    2012-06-02 13:19 . 2008-10-16 12:09 45080 ----a-w- h:\windows\system32\wups2.dll
    2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 13:19 . 2007-07-27 12:00 97304 ----a-w- h:\windows\system32\cdm.dll
    2012-06-02 13:19 . 2008-10-16 12:08 23576 ----a-w- h:\windows\system32\wucltui.dll.mui
    2012-06-02 13:19 . 2009-10-17 14:26 577048 ----a-w- h:\windows\system32\wuapi.dll
    2012-06-02 13:19 . 2009-10-17 14:26 1933848 ----a-w- h:\windows\system32\wuaueng.dll
    2012-05-31 13:22 . 2007-07-27 12:00 604160 ----a-w- h:\windows\system32\crypt32.dll
    2012-05-16 15:07 . 2007-07-27 12:00 916992 ----a-w- h:\windows\system32\wininet.dll
    2012-05-15 13:56 . 2007-07-27 12:00 1863296 ----a-w- h:\windows\system32\win32k.sys
    2012-05-11 14:40 . 2007-07-27 12:00 43520 ----a-w- h:\windows\system32\licmgr10.dll
    2012-05-11 14:40 . 2007-07-27 12:00 1469440 ------w- h:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2007-07-27 12:00 385024 ----a-w- h:\windows\system32\html.iec
    2012-05-05 03:14 . 2007-07-27 12:00 2150912 ----a-w- h:\windows\system32\ntoskrnl.exe
    2012-05-05 03:14 . 2004-08-04 00:50 2029056 ----a-w- h:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2009-10-17 14:24 139656 ----a-w- h:\windows\system32\drivers\rdpwd.sys
    2002-11-19 23:01 . 2006-02-17 15:51 28672 ----a-w- h:\programme\opera\program\plugins\PlugDef.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-05_17.07.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-07-06 18:21 . 2012-07-06 18:21 16384 h:\windows\temp\Perflib_Perfdata_5f0.dat
    - 2007-07-27 12:00 . 2012-07-05 16:54 67740 h:\windows\system32\perfc009.dat
    + 2007-07-27 12:00 . 2012-07-06 18:22 67740 h:\windows\system32\perfc009.dat
    - 2007-07-27 12:00 . 2012-07-05 16:54 48036 h:\windows\system32\perfc007.dat
    + 2007-07-27 12:00 . 2012-07-06 18:22 48036 h:\windows\system32\perfc007.dat
    + 2007-07-27 12:00 . 2012-07-06 18:22 432784 h:\windows\system32\perfh009.dat
    - 2007-07-27 12:00 . 2012-07-05 16:54 432784 h:\windows\system32\perfh009.dat
    - 2007-07-27 12:00 . 2012-07-05 16:54 316246 h:\windows\system32\perfh007.dat
    + 2007-07-27 12:00 . 2012-07-06 18:22 316246 h:\windows\system32\perfh007.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 121528 ----a-w- h:\programme\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TBPanel"="h:\programme\Vtune\TBPanel.exe" [2009-05-12 2158592]
    "AdobeBridge"="I:\adobecs5.5\Adobe Bridge CS5.1\Bridge.exe" [2011-03-02 12008296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-27 208952]
    "MSPY2002"="h:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-07-27 59392]
    "PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
    "PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "Adobe Reader Speed Launcher"="I:\reader\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="h:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Trojancheck 6 Guard"="h:\programme\Trojancheck 6\tcguard.exe" [2002-11-14 590336]
    "ISUSPM Startup"="h:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "ISUSScheduler"="h:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "AdobeAAMUpdater-1.0"="h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
    "SwitchBoard"="h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="h:\programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "Adobe Acrobat Speed Launcher"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
    "Acrobat Assistant 8.0"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
    "avast"="h:\programme\Alwil Software\Avast5\avastUI.exe" [2012-07-03 4273976]
    "SunJavaUpdateSched"="h:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
    "NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
    "nwiz"="h:\programme\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
    "Malwarebytes' Anti-Malware"="I:\malwarebytes' anti-malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Gamma Loader.lnk]
    path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk
    backup=h:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
    .
    [HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^HP Digital Imaging Monitor.lnk]
    path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\HP Digital Imaging Monitor.lnk
    backup=h:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
    path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
    backup=h:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AshSnap]
    2011-04-01 07:10 1528176 ----a-w- I:\ashampoo snap 4\ashsnap.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-04-28 22:15 136176 ----atw- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-11-21 02:10 3293184 ----a-w- h:\programme\Google\Google Talk\googletalk.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2010-11-22 13:20 2736128 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 02:22 1695232 ------w- h:\programme\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 09:17 421888 ----a-w- I:\quicktime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2010-05-13 14:12 26192168 ----a-r- I:\skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AntiVirService"=2 (0x2)
    "AntiVirSchedulerService"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "I:\\mIRC\\mirc.exe"=
    "I:\\DC++\\DCPlusPlus.exe"=
    "I:\\Trillian\\trillian.exe"=
    "I:\\Azureus\\Azureus.exe"=
    "h:\\Programme\\Java\\jre6\\bin\\javaw.exe"=
    "h:\\Programme\\VideoLAN\\VLC\\vlc.exe"=
    "h:\\Dokumente und Einstellungen\\Korcas\\Lokale Einstellungen\\Anwendungsdaten\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "h:\\Programme\\Vuze\\Azureus.exe"=
    "I:\\Skype\\Plugin Manager\\skypePM.exe"=
    "I:\\Skype\\Phone\\Skype.exe"=
    "h:\\Programme\\Opera\\opera.exe"=
    "h:\\Programme\\Google\\Google Talk\\googletalk.exe"=
    "I:\\AdobeCS5.5\\Adobe Flash Builder 4.5\\FlashBuilder.exe"=
    "h:\\Programme\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
    "h:\\Programme\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
    "I:\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
    "I:\\Opera\\opera.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7935:TCP"= 7935:TCP:Adobe Flash Builder 4.5
    .
    R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [11.11.2011 08:24 12112]
    R0 aswNdis2;avast! Firewall Core Firewall Service;h:\windows\system32\drivers\aswNdis2.sys [11.11.2011 08:24 202928]
    R1 aswFW;avast! TDI Firewall driver;h:\windows\system32\drivers\aswFW.sys [11.11.2011 08:24 113776]
    R1 aswKbd;aswKbd;h:\windows\system32\drivers\aswKbd.sys [25.02.2012 10:54 18544]
    R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [11.11.2011 08:24 721000]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [28.12.2010 19:32 353688]
    R1 ISODisk;ISODisk;h:\windows\system32\drivers\ISODisk.sys [25.06.2011 09:41 9600]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [28.12.2010 19:32 21256]
    R2 avast! Firewall;avast! Firewall;h:\programme\Alwil Software\Avast5\afwServ.exe [11.11.2011 08:24 133912]
    R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [04.07.2012 18:32 654408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [06.03.2012 23:02 2214504]
    R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [18.10.2009 21:34 4497704]
    R2 WTouchService;WTouch Service;h:\programme\WTouch\WTouchService.exe [18.10.2009 21:35 113448]
    R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [04.07.2012 18:32 22344]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;h:\windows\system32\drivers\viahduaa.sys [20.12.2009 20:00 1381632]
    R3 wacmoumonitor;Wacom Mode Helper;h:\windows\system32\drivers\wacmoumonitor.sys [18.10.2009 21:34 16168]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01.04.2012 17:06 250056]
    S3 appliandMP;appliandMP;h:\windows\system32\DRIVERS\appliand.sys --> h:\windows\system32\DRIVERS\appliand.sys [?]
    S3 SwitchBoard;SwitchBoard;h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe [19.02.2010 13:37 517096]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-11-22 13:18 451872 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-06 h:\windows\Tasks\AdobeAAMUpdater-1.0-GREYBOX-Korcas.job
    - h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-26 06:46]
    .
    2012-07-06 h:\windows\Tasks\avast! Emergency Update.job
    - h:\programme\Alwil Software\Avast5\AvastEmUpdate.exe [2012-06-30 16:21]
    .
    2012-07-06 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003Core.job
    - h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
    .
    2012-07-06 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003UA.job
    - h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: An vorhandene PDF-Datei anfügen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: In Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Linkziel an vorhandene PDF-Datei anhängen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Linkziel in Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-06 20:21
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\0b\06\0c\17\03\1e?"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1876)
    h:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    h:\programme\WTouch\WTouchUser.exe
    h:\programme\Alwil Software\Avast5\AvastSvc.exe
    h:\programme\Java\jre6\bin\jqs.exe
    h:\programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
    h:\programme\BurnAware Professional\nmsaccessu.exe
    h:\windows\system32\nvsvc32.exe
    h:\windows\system32\wdfmgr.exe
    h:\windows\SOUNDMAN.EXE
    h:\windows\system32\RunDLL32.exe
    h:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-06 20:24:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-06 18:24
    ComboFix2.txt 2012-07-06 03:46
    ComboFix3.txt 2012-07-05 17:10
    .
    Pre-Run: 8 Verzeichnis(se), 13.641.576.448 Bytes frei
    Post-Run: 9 Verzeichnis(se), 14.554.411.008 Bytes frei
    .
    - - End Of File - - E6E1D65D21DCF2FD1B70F11486A22326
    4. Here is the CK Scan Log:

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11.INAARK
    ----- EOF -----

    I hope I did everything correctly, this time around.