Solved Infected with Win64:Sirefef-A, Win32:Sirefef-PF and Win32:Atraps-PF - Windows XP SP3


Korcas

Hello all,

given the symptoms of Sirefef-A, I'm surprised that googling actually brought up this Forum, and not a number of junk-links.

I have spent some time reading other topics, both here, and on the avast forums, about the Sirefef Virus variations, and since everyone says not to use the fixes that other users were given, I decided to post my issues too.

The trouble started when I had my PC running overnight on Sunday, something I rarely do. The next morning when I got back to it, everything was pretty much frozen, so I had to close myself out of every program running. Since then, I have had problems getting my main browser (Opera) to start, as it froze up with every startup.

I then tried to copy the folder from my H drive, which is rather small with its 30 gig, believing that it was a memory issue, but I got the error E/A 1450, saying there were no system resources available.

I then just installed a new version of Opera on another drive, and deleted the original installation from H, hoping that fixed it. But being paranoid as I am, I started a virus scan, and got a couple of results.

Ever since that first virus scan, I have had Avast warn me of threats about every ten to twenty minutes, those threats being Win64:Sirefef-A, Win32:Atraps-PF and Win32:Malware-gen, all of them being triggered by the Explorer.exe. According to Avast, these items are stored in my user data, but have immediately been quarantined by Avast.

I tried removing Sirefef-PF via Avast, but found out that it's linked to my desktop.ini, so I couldn't delete it. Since then, Avast has also found it in system recovery files.

I'm running Windows XP with Service Pack 3, I have Avast with a purchased full license as my virus guard. I did not notice any other memory problems, other than the Opera freezing, my Google results have not seemed in any way weird.

All of the viruses have been moved to quarantine, the quarantined files have not been deleted.

What can I do, what programs should I use to get rid of it, what logs need to be posted? I have a 1 gig USB stick at my disposal, will that be enough?

In terms of logs, all I have is a Hijack This Log, I hope that helps for a first glimpse. I'll post it on the next post.
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 07:27:26, on 04.07.2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Programme\WTouch\WTouchService.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Programme\Alwil Software\Avast5\afwServ.exe
H:\Programme\WTouch\WTouchUser.exe
H:\Programme\Alwil Software\Avast5\AvastSvc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\svchost.exe
H:\Programme\AskBarDis\bar\bin\AskService.exe
H:\Programme\AskBarDis\bar\bin\ASKUpgrade.exe
H:\Programme\Java\jre6\bin\jqs.exe
H:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Programme\FreePDF_XP\fpassist.exe
H:\Programme\BurnAware Professional\nmsaccessu.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe
H:\Programme\Trojancheck 6\tcguard.exe
H:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\Pen_Tablet.exe
H:\WINDOWS\system32\wdfmgr.exe
H:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrotray.exe
H:\Programme\Alwil Software\Avast5\avastUI.exe
H:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
H:\WINDOWS\system32\RunDLL32.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Programme\Internet Explorer\IEXPLORE.EXE
I:\AdobeCS5.5\Adobe Bridge CS5.1\Bridge.exe
H:\WINDOWS\System32\alg.exe
H:\Programme\Internet Explorer\IEXPLORE.EXE
H:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe
I:\Opera\opera.exe
I:\Opera\pluginwrapper\opera_plugin_wrapper.exe
I:\Opera\pluginwrapper\opera_plugin_wrapper.exe
I:\Opera\pluginwrapper\opera_plugin_wrapper.exe
H:\Dokumente und Einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Google Talk Plugin\googletalkplugin.exe
H:\Dokumente und Einstellungen\Korcas\Desktop\HiJackThis204.exe
H:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - H:\Programme\Vuze_Remote\prxtbVuz2.dll
R3 - URLSearchHook: uTorrentBar_DE Toolbar - {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - H:\Programme\uTorrentBar_DE\prxtbuTor.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - I:\AdobeCS5.5\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - H:\Programme\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - H:\Programme\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - H:\Programme\Vuze_Remote\prxtbVuz2.dll
O2 - BHO: uTorrentBar_DE - {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - H:\Programme\uTorrentBar_DE\prxtbuTor.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - H:\Programme\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: FreeRIP.com Toolbar - {081230F8-EA50-42A9-983C-D22ABC2EED3B} - H:\Programme\FreeRIP3\toolband.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - I:\AdobeCS5.5\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - H:\Programme\Vuze_Remote\prxtbVuz2.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - H:\Programme\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: uTorrentBar_DE Toolbar - {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - H:\Programme\uTorrentBar_DE\prxtbuTor.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] H:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FreePDF Assistant] H:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "H:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Trojancheck 6 Guard] H:\Programme\Trojancheck 6\tcguard.exe
O4 - HKLM\..\Run: [ISUSPM Startup] H:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "H:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "H:\Programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] H:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "H:\Programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [avast] "H:\Programme\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] H:\Programme\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [mobtus] rundll32.exe "H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\mobtus.dll",BuildNotificationPackage
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] "H:\Programme\Alwil Software\Avast5\aswRegSvr.exe" "H:\Programme\Alwil Software\Avast5\AhAScr.dll"
O4 - HKLM\..\RunOnce: [aswasOutExt.dll] "H:\Programme\Alwil Software\Avast5\aswRegSvr.exe" "H:\Programme\Alwil Software\Avast5\asOutExt.dll"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TBPanel] H:\Programme\Vtune\TBPanel.exe /A
O4 - HKCU\..\Run: [AshSnap] I:\Ashampoo Snap 4\ashsnap.exe
O4 - HKCU\..\Run: [Google Update] "H:\Dokumente und Einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EPSON P50 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFFE.EXE /FU "H:\DOKUME~1\Korcas\LOKALE~1\Temp\E_S35EF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [AdobeBridge] "I:\AdobeCS5.5\Adobe Bridge CS5.1\Bridge.exe" -stealth
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-436374069-1757981266-725345543-1004\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = I:\MS Office\Office\OSA9.EXE
O8 - Extra context menu item: &FreeRIP Search - res://H:\Programme\FreeRIP3\toolband.dll/MENUSEARCH.HTM
O8 - Extra context menu item: An vorhandene PDF-Datei anfügen - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Linkziel an vorhandene PDF-Datei anhängen - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Linkziel in Adobe PDF konvertieren - res://H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - H:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - H:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - H:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: ASKService - Unknown owner - H:\Programme\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - H:\Programme\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: avast! Antivirus - AVAST Software - H:\Programme\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Firewall - AVAST Software - H:\Programme\Alwil Software\Avast5\afwServ.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: NMSAccessU - Unknown owner - H:\Programme\BurnAware Professional\nmsaccessu.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - H:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - H:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - H:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - H:\Programme\WTouch\WTouchService.exe
--
End of file - 12238 bytes
 
Before we make an assumption that Sirefef has taken over the system, I'd like to point this out:

You are using several file sharing programs, at least Vuze and uTorrent. And the Ask.com entries are plentiful. So these will all have to be considered.

HijackThis isn't used to screen for malware, so please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
==================================
The additional logs will give me more information about what's running on the system.

Please don't use the file sharing programs while I am helping you and don't use any other cleaning or scanning programs unless I direct you to do so.
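The helper's triage above is done by eye: reading the HijackThis O2/O3/O4/R3 lines for bundled toolbars and for anything odd in the Run keys (the `[mobtus]` entry that loads a DLL out of the user's Anwendungsdaten folder through rundll32 is the one a reviewer would look at first). The following parser is an added example written for this page; it is not part of HijackThis, TechSpot or the helper's procedure. It parses the line formats visible in the log, flags the toolbar vendors the helper named, and generalizes the second observation into a rule that catches any Run entry launching a DLL from a user-profile directory via rundll32. The sample lines are constructed from the log format above, and the rule names, `Entry` type and regexes are the editor's assumptions, not anything the thread defines.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the same format as the log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - H:\Programme\Vuze_Remote\prxtbVuz2.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - H:\Programme\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: uTorrentBar_DE Toolbar - {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - H:\Programme\uTorrentBar_DE\prxtbuTor.dll
O4 - HKLM\..\Run: [avast] "H:\Programme\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mobtus] rundll32.exe "H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\mobtus.dll",BuildNotificationPackage
"""


@dataclass
class Entry:
    section: str  # "O2", "O3", "O4", "R3"
    kind: str     # "BHO", "Toolbar", "URLSearchHook", "HKLM\..\Run", ...
    name: str     # display name, or the [value name] of a Run entry
    command: str  # DLL path for O2/O3/R3, full command line for O4


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
RUN_BODY_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Heuristic 1 (helper's observation): toolbars/BHOs bundled with P2P clients and Ask.
BUNDLED_VENDOR_RE = re.compile(r"\b(vuze|utorrent|ask)\w*", re.I)
# Heuristic 2 (generalized from the [mobtus] entry): rundll32 loading a DLL that
# lives under a user profile directory. German and English profile roots are
# listed; extend as needed.  Assumed rule, not a HijackThis feature.
RUNDLL_RE = re.compile(r'^"?rundll32(\.exe)?"?\s', re.I)
PROFILE_DIR_RE = re.compile(
    r"\\(dokumente und einstellungen|documents and settings|users)\\", re.I
)


def parse_line(line: str):
    """Return an Entry for a supported HijackThis line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    kind, _, body = rest.partition(": ")
    if section == "O4":
        rm = RUN_BODY_RE.match(body)
        return Entry(section, kind, rm.group("name"), rm.group("cmd")) if rm else None
    parts = body.split(" - ")          # name - {CLSID} - path
    if len(parts) >= 3:
        return Entry(section, kind, parts[0], parts[-1])
    return None


def flag(entry: Entry):
    """Return the list of rule names an entry trips (empty list = nothing noted)."""
    reasons = []
    haystack = f"{entry.name} {entry.command}"
    if entry.section in ("O2", "O3", "R3") and BUNDLED_VENDOR_RE.search(haystack):
        reasons.append("bundled-toolbar")
    if entry.section == "O4" and RUNDLL_RE.match(entry.command) \
            and PROFILE_DIR_RE.search(entry.command):
        reasons.append("rundll32-dll-from-user-profile")
    return reasons


def triage(log_text: str):
    """Map entry name -> rule names for every line that trips at least one rule."""
    flagged = {}
    for raw in log_text.strip().splitlines():
        entry = parse_line(raw.strip())
        if entry is not None:
            reasons = flag(entry)
            if reasons:
                flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

The flags are triage hints in the sense the helper uses them: a bundled toolbar is unwanted but not the infection, and a rundll32 loader in a profile directory is a reason to pull the DLL for inspection, not a verdict. Note that the legitimate `NvCplDaemon` entry also uses rundll32 but is left alone because its DLL sits under `system32`; the profile-directory condition is what does the work.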
 
Yeah, I had been considering cleaning up the ask.com things recently, actually. Unfortunately sometimes Vuze and uTorrent become necessary, but they are rarely used. None of the programs will be in use while we work this issue out, I promise that.

Will I have to turn off any of my virus or trojan protection, while running the preliminary steps? Will be getting home in about two hours, so I'll try to post as much as I can tonight!

Thank you for taking on my case!
 
Will I have to turn off any of my virus or trojan protection, while running the preliminary
GMER is the only one of the preliminary scans that instructs you to disable the AV.
 
Okay, done with scanning, time for the logs:

Malwarebytes Anti-Malware (Test) 1.61.0.1400
www.malwarebytes.org

Datenbank Version: v2012.07.04.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Korcas :: GREYBOX [Administrator]

Schutz: Aktiviert

04.07.2012 18:32:59
mbam-log-2012-07-04 (18-32-59).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 223719
Laufzeit: 3 Minute(n), 35 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
h:\windows\assembly\gac\desktop.ini (Trojan.0access) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-07-04 19:00:28
Windows 5.1.2600 Service Pack 3 Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T0L0-17 WDC_WD20EARS-00MVWB0 rev.51.0AB51
Running: 0ot1m6o7.exe; Driver: H:\DOKUME~1\Korcas\LOKALE~1\Temp\kwldqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB02E8162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB02E7FCD]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB0390744]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Korcas at 19:04:54 on 2012-07-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.3327.2165 [GMT 2:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled*
.
============== Running Processes ===============
.
H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
H:\Programme\WTouch\WTouchService.exe
svchost.exe
svchost.exe
H:\Programme\Alwil Software\Avast5\afwServ.exe
H:\Programme\WTouch\WTouchUser.exe
H:\Programme\Alwil Software\Avast5\AvastSvc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
svchost.exe
H:\Programme\AskBarDis\bar\bin\AskService.exe
H:\Programme\AskBarDis\bar\bin\ASKUpgrade.exe
H:\Programme\Java\jre6\bin\jqs.exe
H:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
I:\Malwarebytes' Anti-Malware\mbamservice.exe
H:\Programme\BurnAware Professional\nmsaccessu.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\WINDOWS\system32\Pen_Tablet.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Programme\FreePDF_XP\fpassist.exe
H:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
I:\AdobeCS5.5\Acrobat 10.0\Acrobat\Acrotray.exe
H:\Programme\Alwil Software\Avast5\avastUI.exe
H:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
H:\WINDOWS\system32\RunDLL32.exe
I:\Malwarebytes' Anti-Malware\mbamgui.exe
H:\WINDOWS\system32\ctfmon.exe
I:\Opera\opera.exe
I:\Opera\pluginwrapper\opera_plugin_wrapper.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
uURLSearchHooks: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - I:\adobecs5.5\adobe contribute cs5.1\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - h:\programme\askbardis\bar\bin\askBar.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\programme\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - h:\programme\alwil software\avast5\aswWebRepIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
BHO: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - h:\programme\askbardis\bar\bin\askBar.dll
TB: FreeRIP.com Toolbar: {081230f8-ea50-42a9-983c-d22abc2eed3b} - h:\programme\freerip3\toolband.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - I:\adobecs5.5\adobe contribute cs5.1\plugins\ieplugin\contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - h:\programme\alwil software\avast5\aswWebRepIE.dll
TB: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
EB: Ask Toolbar Quick View: {b0de3308-5d5a-470d-81b9-634fc078393b} - h:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [TBPanel] h:\programme\vtune\TBPanel.exe /A
uRun: [AshSnap] I:\ashampoo snap 4\ashsnap.exe
uRun: [Google Update] "h:\dokumente und einstellungen\korcas\lokale einstellungen\anwendungsdaten\google\update\GoogleUpdate.exe" /c
uRun: [EPSON P50 Series] h:\windows\system32\spool\drivers\w32x86\3\e_fatiffe.exe /fu "h:\dokume~1\korcas\lokale~1\temp\E_S35EF.tmp" /EF "HKCU"
uRun: [AdobeBridge] "I:\adobecs5.5\adobe bridge cs5.1\Bridge.exe" -stealth
mRun: [IMJPMIG8.1] "h:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] h:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [FreePDF Assistant] h:\programme\freepdf_xp\fpassist.exe
mRun: [Adobe Reader Speed Launcher] "I:\reader\reader\Reader_sl.exe"
mRun: [Adobe ARM] "h:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe"
mRun: [Trojancheck 6 Guard] h:\programme\trojancheck 6\tcguard.exe
mRun: [ISUSPM Startup] h:\progra~1\gemein~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "h:\programme\gemeinsame dateien\installshield\updateservice\issch.exe" -start
mRun: [AdobeAAMUpdater-1.0] "h:\programme\gemeinsame dateien\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] h:\programme\gemeinsame dateien\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "h:\programme\gemeinsame dateien\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "I:\adobecs5.5\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "I:\adobecs5.5\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [avast] "h:\programme\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "h:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] h:\programme\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Malwarebytes' Anti-Malware] "I:\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] h:\windows\system32\CTFMON.EXE
StartupFolder: h:\dokume~1\alluse~1\startm~1\progra~1\autost~1\adobeg~1.lnk - h:\programme\gemeinsame dateien\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: h:\dokume~1\alluse~1\startm~1\progra~1\autost~1\micros~1.lnk - I:\ms office\office\OSA9.EXE
IE: &FreeRIP Search - h:\programme\freerip3\toolband.dll/MENUSEARCH.HTM
IE: An vorhandene PDF-Datei anfügen - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - h:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\programme\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: Interfaces\{DD995B81-4F4E-4A09-8784-27B622190A54} : DhcpNameServer = 192.168.178.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\gemein~1\skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "h:\programme\gemeinsame dateien\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [2011-11-11 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;h:\windows\system32\drivers\aswNdis2.sys [2011-11-11 202928]
R1 aswFW;avast! TDI Firewall driver;h:\windows\system32\drivers\aswFW.sys [2011-11-11 113776]
R1 aswKbd;aswKbd;h:\windows\system32\drivers\aswKbd.sys [2012-2-25 18544]
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2011-11-11 721000]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [2010-12-28 353688]
R1 avgio;avgio;I:\avira\antivir desktop\avgio.sys [2009-10-17 11608]
R1 ISODisk;ISODisk;h:\windows\system32\drivers\ISODisk.sys [2011-6-25 9600]
R2 ASKService;ASKService;h:\programme\askbardis\bar\bin\AskService.exe [2009-10-18 464264]
R2 ASKUpgrade;ASKUpgrade;h:\programme\askbardis\bar\bin\ASKUpgrade.exe [2009-10-18 234888]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [2010-12-28 21256]
R2 avast! Antivirus;avast! Antivirus;h:\programme\alwil software\avast5\AvastSvc.exe [2010-12-28 44808]
R2 avast! Firewall;avast! Firewall;h:\programme\alwil software\avast5\afwServ.exe [2011-11-11 133912]
R2 avgntflt;avgntflt;h:\windows\system32\drivers\avgntflt.sys [2009-10-17 56816]
R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [2012-7-4 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\programme\nvidia corporation\nvidia updatus\daemonu.exe [2012-3-6 2214504]
R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [2009-10-18 4497704]
R2 WTouchService;WTouch Service;h:\programme\wtouch\WTouchService.exe [2009-10-18 113448]
R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2012-7-4 22344]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;h:\windows\system32\drivers\viahduaa.sys [2009-12-20 1381632]
R3 wacmoumonitor;Wacom Mode Helper;h:\windows\system32\drivers\wacmoumonitor.sys [2009-10-18 16168]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;h:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 250056]
S3 appliandMP;appliandMP;h:\windows\system32\drivers\appliand.sys --> h:\windows\system32\drivers\appliand.sys [?]
S3 SwitchBoard;SwitchBoard;h:\programme\gemeinsame dateien\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S4 AntiVirSchedulerService;Avira AntiVir Planer;I:\avira\antivir desktop\sched.exe [2009-10-17 108289]
S4 AntiVirService;Avira AntiVir Guard;I:\avira\antivir desktop\avguard.exe [2009-10-17 185089]
.
=============== Created Last 30 ================
.
2012-07-04 16:32:16 -------- d-----w- h:\dokumente und einstellungen\korcas\anwendungsdaten\Malwarebytes
2012-07-04 16:32:06 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
2012-07-04 16:32:06 -------- d-----w- h:\dokumente und einstellungen\all users\anwendungsdaten\Malwarebytes
2012-07-03 05:16:29 -------- d-----w- h:\windows\system32\wbem\repository\FS
2012-07-03 05:16:29 -------- d-----w- h:\windows\system32\wbem\Repository
2012-06-14 02:47:36 521728 -c----w- h:\windows\system32\dllcache\jsdbgui.dll
.
==================== Find3M ====================
.
2012-07-03 16:21:53 721000 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21:53 202928 ----a-w- h:\windows\system32\drivers\aswNdis2.sys
2012-07-03 16:21:53 18544 ----a-w- h:\windows\system32\drivers\aswKbd.sys
2012-07-03 16:21:52 113776 ----a-w- h:\windows\system32\drivers\aswFW.sys
2012-07-03 16:21:32 41224 ----a-w- h:\windows\avastSS.scr
2012-07-02 02:27:17 70344 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-02 02:27:17 426184 ----a-w- h:\windows\system32\FlashPlayerApp.exe
2012-06-02 13:19:38 219160 ----a-w- h:\windows\system32\wuaucpl.cpl
2012-06-02 13:19:38 18456 ----a-w- h:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19:38 15896 ----a-w- h:\windows\system32\wuapi.dll.mui
2012-06-02 13:19:34 15896 ----a-w- h:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19:28 23576 ----a-w- h:\windows\system32\wucltui.dll.mui
2012-05-31 13:22:01 604160 ----a-w- h:\windows\system32\crypt32.dll
2012-05-16 15:07:03 916992 ----a-w- h:\windows\system32\wininet.dll
2012-05-15 13:56:00 1863296 ----a-w- h:\windows\system32\win32k.sys
2012-05-11 14:40:24 43520 ----a-w- h:\windows\system32\licmgr10.dll
2012-05-11 14:40:24 1469440 ------w- h:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- h:\windows\system32\html.iec
2012-05-05 03:14:31 2150912 ----a-w- h:\windows\system32\ntoskrnl.exe
2012-05-05 03:14:31 2029056 ----a-w- h:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:30 139656 ----a-w- h:\windows\system32\drivers\rdpwd.sys
2012-04-26 08:31:56 273344 ----a-w- h:\windows\system32\nvdrsdb1.bin
2012-04-26 08:31:56 1 ----a-w- h:\windows\system32\nvdrssel.bin
2012-04-26 08:31:55 273344 ----a-w- h:\windows\system32\nvdrsdb0.bin
.
============= FINISH: 19:05:03,43 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 17.10.2009 16:31:13
System Uptime: 04.07.2012 18:38:40 (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M4A785D-M PRO
Processor: AMD Phenom(tm) II X4 945 Processor | AM2 | 3008/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 1863 GiB total, 23,253 GiB free.
D: is CDROM (UDF)
E: is CDROM (UDF)
G: is FIXED (NTFS) - 932 GiB total, 43,371 GiB free.
H: is FIXED (NTFS) - 29 GiB total, 12,628 GiB free.
I: is FIXED (NTFS) - 49 GiB total, 29,807 GiB free.
J: is FIXED (NTFS) - 853 GiB total, 42,579 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP933: 15.06.2012 19:31:32 - System Checkpoint
RP934: 17.06.2012 00:31:49 - System Checkpoint
RP935: 18.06.2012 23:23:22 - System Checkpoint
RP936: 20.06.2012 06:20:54 - System Checkpoint
RP937: 22.06.2012 05:49:29 - System Checkpoint
RP938: 23.06.2012 13:16:41 - System Checkpoint
RP939: 27.06.2012 23:40:15 - System Checkpoint
RP940: 30.06.2012 02:38:40 - System Checkpoint
RP941: 01.07.2012 03:04:48 - System Checkpoint
RP942: 03.07.2012 07:07:26 - System Checkpoint
RP943: 03.07.2012 08:19:52 - Restore Operation
.
==== Installed Programs ======================
.
µTorrent
3D??????
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe AIR
Adobe Community Help
Adobe Content Viewer
Adobe Creative Suite 5.5 Master Collection
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Media Player
Adobe Photoshop 7.0
Adobe Reader 9.4.0 - Deutsch
Adobe Widget Browser
Applian Director
Ashampoo Snap 4.2.0
avast! Internet Security
Avira AntiVir Personal - Free Antivirus
AVM FRITZ!Box Dokumentation
Badaboom 1.2.0.87
Bamboo
BufferChm
BurnAware Professional 2.3.1 cracked by minimaL
CanoScan LiDE 100 Scanner Driver
CdCoverCreator 2.5.2
CDisplay 1.8
Combined Community Codec Pack 2011-07-30
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DreamerRO's 10.11
EPSON P50 Series Printer Uninstall
Epson Print CD
Epson Stylus Photo P50_T50 Handbuch
eSupportQFolder
FILEminimizer Pictures
Foxit Reader 5.0
Free Windows Registry Cleaner 2.0
FreePDF (Remove only)
FreeRIP v3.30
Google Talk (remove only)
Google Talk Plugin
GPL Ghostscript 8.71
Hotfix für Windows XP (KB2158563)
Hotfix für Windows XP (KB2443685)
Hotfix für Windows XP (KB2570791)
Hotfix für Windows XP (KB2633952)
Hotfix für Windows XP (KB952287)
Hotfix für Windows XP (KB961118)
Hotfix für Windows XP (KB970653-v3)
Hotfix für Windows XP (KB976098-v2)
Hotfix für Windows XP (KB979306)
Hotfix für Windows XP (KB981793)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
HP Deskjet 3900 series
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
HPDeskjet3900Series
IPS Wizard
ips XP 1.11.2600
ISODisk 1.1
Java Auto Updater
Java(TM) 6 Update 30
JDownloader
LightScribe Applications
LightScribe System Software
Logitech Harmony Remote Software
Malwarebytes Anti-Malware Version 1.61.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
mIRC
MKVtoolnix 4.0.0
NVIDIA Grafiktreiber 275.33
NVIDIA Install Application
NVIDIA nView 135.85
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA Systemsteuerung 275.33
NVIDIA Update 1.3.5
NVIDIA Update Components
Opera 12.00
PDF Settings CS5
pdfsam
PS3 Media Server
PxMergeModule
QuickTime
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI-E NIC Driver
RedMon - Redirection Port Monitor
Replay Video Capture
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Sicherheitsupdate für Microsoft Windows (KB2564958)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2183461)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2360131)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2416400)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2482017)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2497640)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2510531)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2530548)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2544521)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2559049)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2586448)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2618444)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2647516)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2675157)
Sicherheitsupdate für Windows Internet Explorer 8 (KB2699988)
Sicherheitsupdate für Windows Internet Explorer 8 (KB971961)
Sicherheitsupdate für Windows Internet Explorer 8 (KB974455)
Sicherheitsupdate für Windows Internet Explorer 8 (KB976325)
Sicherheitsupdate für Windows Internet Explorer 8 (KB978207)
Sicherheitsupdate für Windows Internet Explorer 8 (KB981332)
Sicherheitsupdate für Windows Internet Explorer 8 (KB982381)
Sicherheitsupdate für Windows Media Player (KB2378111)
Sicherheitsupdate für Windows Media Player (KB952069)
Sicherheitsupdate für Windows Media Player (KB954155)
Sicherheitsupdate für Windows Media Player (KB968816)
Sicherheitsupdate für Windows Media Player (KB973540)
Sicherheitsupdate für Windows Media Player (KB975558)
Sicherheitsupdate für Windows Media Player (KB978695)
Sicherheitsupdate für Windows Media Player (KB979402)
Sicherheitsupdate für Windows XP (KB2079403)
Sicherheitsupdate für Windows XP (KB2115168)
Sicherheitsupdate für Windows XP (KB2121546)
Sicherheitsupdate für Windows XP (KB2160329)
Sicherheitsupdate für Windows XP (KB2229593)
Sicherheitsupdate für Windows XP (KB2259922)
Sicherheitsupdate für Windows XP (KB2279986)
Sicherheitsupdate für Windows XP (KB2286198)
Sicherheitsupdate für Windows XP (KB2296011)
Sicherheitsupdate für Windows XP (KB2296199)
Sicherheitsupdate für Windows XP (KB2347290)
Sicherheitsupdate für Windows XP (KB2360937)
Sicherheitsupdate für Windows XP (KB2387149)
Sicherheitsupdate für Windows XP (KB2393802)
Sicherheitsupdate für Windows XP (KB2412687)
Sicherheitsupdate für Windows XP (KB2419632)
Sicherheitsupdate für Windows XP (KB2423089)
Sicherheitsupdate für Windows XP (KB2436673)
Sicherheitsupdate für Windows XP (KB2440591)
Sicherheitsupdate für Windows XP (KB2443105)
Sicherheitsupdate für Windows XP (KB2476490)
Sicherheitsupdate für Windows XP (KB2476687)
Sicherheitsupdate für Windows XP (KB2478960)
Sicherheitsupdate für Windows XP (KB2478971)
Sicherheitsupdate für Windows XP (KB2479628)
Sicherheitsupdate für Windows XP (KB2479943)
Sicherheitsupdate für Windows XP (KB2481109)
Sicherheitsupdate für Windows XP (KB2483185)
Sicherheitsupdate für Windows XP (KB2485376)
Sicherheitsupdate für Windows XP (KB2485663)
Sicherheitsupdate für Windows XP (KB2503658)
Sicherheitsupdate für Windows XP (KB2503665)
Sicherheitsupdate für Windows XP (KB2506212)
Sicherheitsupdate für Windows XP (KB2506223)
Sicherheitsupdate für Windows XP (KB2507618)
Sicherheitsupdate für Windows XP (KB2507938)
Sicherheitsupdate für Windows XP (KB2508272)
Sicherheitsupdate für Windows XP (KB2508429)
Sicherheitsupdate für Windows XP (KB2509553)
Sicherheitsupdate für Windows XP (KB2511455)
Sicherheitsupdate für Windows XP (KB2524375)
Sicherheitsupdate für Windows XP (KB2535512)
Sicherheitsupdate für Windows XP (KB2536276-v2)
Sicherheitsupdate für Windows XP (KB2536276)
Sicherheitsupdate für Windows XP (KB2544893-v2)
Sicherheitsupdate für Windows XP (KB2544893)
Sicherheitsupdate für Windows XP (KB2555917)
Sicherheitsupdate für Windows XP (KB2562937)
Sicherheitsupdate für Windows XP (KB2566454)
Sicherheitsupdate für Windows XP (KB2567053)
Sicherheitsupdate für Windows XP (KB2567680)
Sicherheitsupdate für Windows XP (KB2570222)
Sicherheitsupdate für Windows XP (KB2570947)
Sicherheitsupdate für Windows XP (KB2584146)
Sicherheitsupdate für Windows XP (KB2585542)
Sicherheitsupdate für Windows XP (KB2592799)
Sicherheitsupdate für Windows XP (KB2598479)
Sicherheitsupdate für Windows XP (KB2603381)
Sicherheitsupdate für Windows XP (KB2618451)
Sicherheitsupdate für Windows XP (KB2619339)
Sicherheitsupdate für Windows XP (KB2620712)
Sicherheitsupdate für Windows XP (KB2621440)
Sicherheitsupdate für Windows XP (KB2624667)
Sicherheitsupdate für Windows XP (KB2631813)
Sicherheitsupdate für Windows XP (KB2633171)
Sicherheitsupdate für Windows XP (KB2639417)
Sicherheitsupdate für Windows XP (KB2641653)
Sicherheitsupdate für Windows XP (KB2646524)
Sicherheitsupdate für Windows XP (KB2647518)
Sicherheitsupdate für Windows XP (KB2653956)
Sicherheitsupdate für Windows XP (KB2659262)
Sicherheitsupdate für Windows XP (KB2660465)
Sicherheitsupdate für Windows XP (KB2661637)
Sicherheitsupdate für Windows XP (KB2676562)
Sicherheitsupdate für Windows XP (KB2685939)
Sicherheitsupdate für Windows XP (KB2686509)
Sicherheitsupdate für Windows XP (KB2695962)
Sicherheitsupdate für Windows XP (KB2707511)
Sicherheitsupdate für Windows XP (KB2709162)
Sicherheitsupdate für Windows XP (KB923561)
Sicherheitsupdate für Windows XP (KB941569)
Sicherheitsupdate für Windows XP (KB946648)
Sicherheitsupdate für Windows XP (KB950762)
Sicherheitsupdate für Windows XP (KB950974)
Sicherheitsupdate für Windows XP (KB951066)
Sicherheitsupdate für Windows XP (KB951376-v2)
Sicherheitsupdate für Windows XP (KB951748)
Sicherheitsupdate für Windows XP (KB952004)
Sicherheitsupdate für Windows XP (KB952954)
Sicherheitsupdate für Windows XP (KB954459)
Sicherheitsupdate für Windows XP (KB955069)
Sicherheitsupdate für Windows XP (KB956572)
Sicherheitsupdate für Windows XP (KB956744)
Sicherheitsupdate für Windows XP (KB956802)
Sicherheitsupdate für Windows XP (KB956803)
Sicherheitsupdate für Windows XP (KB956844)
Sicherheitsupdate für Windows XP (KB957097)
Sicherheitsupdate für Windows XP (KB958644)
Sicherheitsupdate für Windows XP (KB958687)
Sicherheitsupdate für Windows XP (KB958869)
Sicherheitsupdate für Windows XP (KB959426)
Sicherheitsupdate für Windows XP (KB960225)
Sicherheitsupdate für Windows XP (KB960803)
Sicherheitsupdate für Windows XP (KB960859)
Sicherheitsupdate für Windows XP (KB961371-v2)
Sicherheitsupdate für Windows XP (KB961501)
Sicherheitsupdate für Windows XP (KB968537)
Sicherheitsupdate für Windows XP (KB969059)
Sicherheitsupdate für Windows XP (KB969947)
Sicherheitsupdate für Windows XP (KB970238)
Sicherheitsupdate für Windows XP (KB970430)
Sicherheitsupdate für Windows XP (KB971468)
Sicherheitsupdate für Windows XP (KB971486)
Sicherheitsupdate für Windows XP (KB971557)
Sicherheitsupdate für Windows XP (KB971633)
Sicherheitsupdate für Windows XP (KB971657)
Sicherheitsupdate für Windows XP (KB971961)
Sicherheitsupdate für Windows XP (KB972270)
Sicherheitsupdate für Windows XP (KB973354)
Sicherheitsupdate für Windows XP (KB973507)
Sicherheitsupdate für Windows XP (KB973525)
Sicherheitsupdate für Windows XP (KB973869)
Sicherheitsupdate für Windows XP (KB973904)
Sicherheitsupdate für Windows XP (KB974112)
Sicherheitsupdate für Windows XP (KB974318)
Sicherheitsupdate für Windows XP (KB974392)
Sicherheitsupdate für Windows XP (KB974455)
Sicherheitsupdate für Windows XP (KB974571)
Sicherheitsupdate für Windows XP (KB975025)
Sicherheitsupdate für Windows XP (KB975467)
Sicherheitsupdate für Windows XP (KB975560)
Sicherheitsupdate für Windows XP (KB975561)
Sicherheitsupdate für Windows XP (KB975562)
Sicherheitsupdate für Windows XP (KB975713)
Sicherheitsupdate für Windows XP (KB977165)
Sicherheitsupdate für Windows XP (KB977816)
Sicherheitsupdate für Windows XP (KB977914)
Sicherheitsupdate für Windows XP (KB978037)
Sicherheitsupdate für Windows XP (KB978251)
Sicherheitsupdate für Windows XP (KB978262)
Sicherheitsupdate für Windows XP (KB978338)
Sicherheitsupdate für Windows XP (KB978542)
Sicherheitsupdate für Windows XP (KB978601)
Sicherheitsupdate für Windows XP (KB978706)
Sicherheitsupdate für Windows XP (KB979309)
Sicherheitsupdate für Windows XP (KB979482)
Sicherheitsupdate für Windows XP (KB979559)
Sicherheitsupdate für Windows XP (KB979683)
Sicherheitsupdate für Windows XP (KB979687)
Sicherheitsupdate für Windows XP (KB980195)
Sicherheitsupdate für Windows XP (KB980218)
Sicherheitsupdate für Windows XP (KB980232)
Sicherheitsupdate für Windows XP (KB980436)
Sicherheitsupdate für Windows XP (KB981322)
Sicherheitsupdate für Windows XP (KB981852)
Sicherheitsupdate für Windows XP (KB981957)
Sicherheitsupdate für Windows XP (KB981997)
Sicherheitsupdate für Windows XP (KB982132)
Sicherheitsupdate für Windows XP (KB982214)
Sicherheitsupdate für Windows XP (KB982665)
Sicherheitsupdate für Windows XP (KB982802)
Skype™ 4.2
SolutionCenter
Status
TrayApp
Trojancheck 6
UnderCoverXP 1.23
Update für Windows Internet Explorer 8 (KB973874)
Update für Windows Internet Explorer 8 (KB976662)
Update für Windows Internet Explorer 8 (KB976749)
Update für Windows Internet Explorer 8 (KB980182)
Update für Windows XP (KB2141007)
Update für Windows XP (KB2345886)
Update für Windows XP (KB2467659)
Update für Windows XP (KB2541763)
Update für Windows XP (KB2607712)
Update für Windows XP (KB2616676)
Update für Windows XP (KB2641690)
Update für Windows XP (KB2718704)
Update für Windows XP (KB951978)
Update für Windows XP (KB955759)
Update für Windows XP (KB967715)
Update für Windows XP (KB968389)
Update für Windows XP (KB971029)
Update für Windows XP (KB971737)
Update für Windows XP (KB973687)
Update für Windows XP (KB973815)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
uTorrentBar_DE Toolbar
Video Padlock
VLC media player 1.1.9
Vtune 7.5
Vuze
Vuze Remote Toolbar
Vuze Toolbar
WebFldrs XP
WebReg
WebTablet IE Plugin
WebTablet Netscape Plugin
Winamp
Windows Feature Pack für die Speicherung (32-Bit) - IMAPI-Update für Blu-Ray
Windows Feature Pack für die Speicherung (32-Bit) - Smartcardtreiber
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR
XnView 1.97
.
==== Event Viewer Messages From Past Week ========
.
04.07.2012 19:01:34, error: Dhcp [1002] - The IP address lease 192.168.2.104 for the network card with network address 90E6BA06D472 has been denied by the DHCP server 192.168.2.1 (the DHCP server sent a DHCPNACK message).
04.07.2012 18:39:34, error: sr [1] - The System Restore filter encountered the unexpected error "0xC0000001" while processing the file "" on the volume "HarddiskVolume1". It has stopped monitoring the volume.
03.07.2012 08:19:52, error: sr [1] - The System Restore filter encountered the unexpected error "0xC000009A" while processing the file "greybox.err" on the volume "HarddiskVolume1". It has stopped monitoring the volume.
03.07.2012 07:59:02, error: Service Control Manager [7000] - The "Windows Installer" service failed to start due to the following error: Insufficient system resources exist to complete the requested service.
03.07.2012 07:09:03, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Insufficient system resources exist to complete the requested service. .
03.07.2012 07:09:03, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Insufficient system resources exist to complete the requested service. .
03.07.2012 07:09:03, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: Insufficient system resources exist to complete the requested service. .
03.07.2012 07:09:03, error: SideBySide [59] - Generate Activation Context failed for H:\WINDOWS\system32\TAPI32.dll. Reference error message: The operation completed successfully. .
03.07.2012 07:09:03, error: SideBySide [59] - Generate Activation Context failed for H:\WINDOWS\System32\cscui.dll. Reference error message: The operation completed successfully. .
03.07.2012 07:09:03, error: SideBySide [59] - Generate Activation Context failed for H:\PROGRA~1\ALWILS~1\Avast5\1031\Base.dll. Reference error message: The operation completed successfully. .
03.07.2012 07:08:48, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Insufficient system resources exist to complete the requested service. .
03.07.2012 07:08:48, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: Insufficient system resources exist to complete the requested service. .
03.07.2012 07:08:48, error: SideBySide [59] - Generate Activation Context failed for H:\WINDOWS\System32\cscui.dll. Reference error message: The operation completed successfully. .
03.07.2012 07:08:48, error: SideBySide [59] - Generate Activation Context failed for H:\PROGRA~1\ALWILS~1\Avast5\1031\Base.dll. Reference error message: The operation completed successfully. .
03.07.2012 07:07:26, error: sr [1] - The System Restore filter encountered the unexpected error "0xC000009A" while processing the file "3590660602868218.tmp" on the volume "HarddiskVolume1". It has stopped monitoring the volume.
03.07.2012 06:52:18, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Insufficient system resources exist to complete the requested service. .
03.07.2012 06:52:18, error: SideBySide [59] - Generate Activation Context failed for H:\WINDOWS\system32\shimgvw.dll. Reference error message: The operation completed successfully. .
03.07.2012 06:52:00, error: Service Control Manager [7000] - The "Windows Installer" service failed to start due to the following error: Insufficient system resources exist to complete the requested service.
03.07.2012 06:52:00, error: DCOM [10005] - DCOM got error "%1450" attempting to start the service "MSIServer" with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
03.07.2012 06:51:45, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Insufficient system resources exist to complete the requested service. .
03.07.2012 06:51:45, error: SideBySide [59] - Generate Activation Context failed for H:\WINDOWS\System32\wiadefui.dll. Reference error message: The operation completed successfully. .
03.07.2012 06:51:44, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: Insufficient system resources exist to complete the requested service. .
03.07.2012 06:51:44, error: SideBySide [59] - Generate Activation Context failed for H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll. Reference error message: The operation completed successfully. .
.
==== End Of File ===========================
 
Sorry for the German in there; unfortunately I'm running the German edition of XP. If you need translations, I'll help you out!
 
After the initial scannings and logs, and Malwarebytes deleting the one infected file, I can say that Avast is no longer detecting any sort of infected files every couple of minutes. I still have a ton of files in quarantine with Avast, but will do nothing with them until further advised.
 
I think you have misunderstood this:
H drive, which is rather small with its 30 gig, believing that it was a memory issue, but I got the error E/A 1450, saying there were no system resources available.
You've mixed up hard drive size with RAM> to simplify:
The hard drive is where the programs, files, folders, drivers, etc. occupy 'space.'
H: is FIXED (NTFS) - 29 GiB total, 12,628 GiB free.
The above shows that Drive H is approximately 29GB. Of this, approximately 126GB or about 43% is free. Ideally, you should work as close as possible to keeping 80% free.

Going one step further, out of the 3726GB total for Drives C, G, H, I and J, there is only about 4% free space!
--------------------------------
When you run a program or open files, you are using 'memory' or RAM. A message telling you there are no resources available means that all the RAM is in use. To find how much RAM is installed:
Control Panel> System> the General tab of the System Properties will open and the RAM figure will be on lower right.

Random Access Memory or RAM is a form of data storage that can be accessed randomly at any time, in any order and from any physical location.
But there is X amount of RAM installed. The more processes running, the more RAM in use. If the use is at capacity, there won't be any more resources available.

To free up the RAM, some processes need to be closed and/or a reboot might help.
----------------------------------------------------
Where the RAM is going> running processes:
1. Two antivirus programs: Avira/Avast. You should only have one. Multiple AV programs make the system more vulnerable and slow the system down.
Please remove one of the AV programs and reboot the computer when finished.

2. Multiple file sharing Toolbars (TB) and Browser Helper Objects (BHO)
Vuze Remote Toolbar> TB, BHO
uTorrentBar_DE Toolbar> TB, BHO

3. Foistware:
AskBar> TB, BHO
Ask Toolbar Quick View
FreeRIP.com Toolbar

4. Two PDF Readers:
FreePDF Assistant
Adobe Reader

I know you didn't come here for a lesson on the system, but take what I said as a Warning. If you decide not to have any of the above, I can remove most after you run Combofix.
==================================
I'd like you to run Combofix and the online Eset Virus scan. Please be sure to follow the directions for each so that we get the best results possible.

Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------

  • Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
======================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    (Screenshot: ESET Online Scanner settings)
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Please leave both logs in your next reply.
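The DDS report posted above was produced on a German-locale system, so the sizes in its "Disk Partitions" block use a decimal comma ("12,628 GiB free" is 12.628 GiB), and its Event Viewer entries are dominated by one condition, Win32 error 1450 (ERROR_NO_SYSTEM_RESOURCES), which shows up spelled out, as the raw "%1450" placeholder in the DCOM event, and as its NTSTATUS counterpart 0xC000009A in the System Restore filter events. As an added example that is not part of this thread or of the DDS tool, the script below parses those two sections of a report: it computes the free-space percentage per drive and overall (the figures discussed in the reply above), with a sanity check that trips if the decimal separator is misread as a thousands separator, and it groups the Event Viewer errors by source and event ID and pulls out the ones that carry the resource-exhaustion condition in any of its three spellings. The sample log embedded in the script is constructed: the partition lines are copied from the report above, and the event lines are English translations of a few of its entries.

```python
"""Triage helper for a DDS attach.txt report (added example, not the thread's
or the DDS tool's own code). Parses the 'Disk Partitions' and 'Event Viewer
Messages' sections of the kind of report posted above."""
import re
from collections import Counter

# Constructed sample: partition lines copied from the report above, event
# lines are English translations of a few of its German-locale entries.
SAMPLE_LOG = r"""
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 1863 GiB total, 23,253 GiB free.
D: is CDROM (UDF)
E: is CDROM (UDF)
G: is FIXED (NTFS) - 932 GiB total, 43,371 GiB free.
H: is FIXED (NTFS) - 29 GiB total, 12,628 GiB free.
I: is FIXED (NTFS) - 49 GiB total, 29,807 GiB free.
J: is FIXED (NTFS) - 853 GiB total, 42,579 GiB free.
.
==== Disabled Device Manager Items =============
.
==== Event Viewer Messages From Past Week ========
.
04.07.2012 19:01:34, error: Dhcp [1002] - The IP address lease 192.168.2.104 for the network card with network address 90E6BA06D472 has been denied by the DHCP server 192.168.2.1 (the DHCP server sent a DHCPNACK message).
03.07.2012 08:19:52, error: sr [1] - The System Restore filter encountered the unexpected error "0xC000009A" while processing the file "greybox.err" on the volume "HarddiskVolume1". It has stopped monitoring the volume.
03.07.2012 07:59:02, error: Service Control Manager [7000] - The "Windows Installer" service failed to start due to the following error: Insufficient system resources exist to complete the requested service.
03.07.2012 07:09:03, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Insufficient system resources exist to complete the requested service. .
03.07.2012 07:09:03, error: SideBySide [59] - Generate Activation Context failed for H:\WINDOWS\system32\TAPI32.dll. Reference error message: The operation completed successfully. .
03.07.2012 06:52:00, error: DCOM [10005] - DCOM got error "%1450" attempting to start the service "MSIServer" with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
.
==== End Of File ===========================
"""

PARTITION_RE = re.compile(
    r"^(?P<drive>[A-Z]): is (?P<kind>\w+) \((?P<fs>\w+)\)"
    r"(?: - (?P<total>[\d.,]+) GiB total, (?P<free>[\d.,]+) GiB free\.)?$")
EVENT_RE = re.compile(
    r"^(?P<ts>\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$")

# Three spellings of one condition: Win32 ERROR_NO_SYSTEM_RESOURCES (1450), its
# NTSTATUS counterpart STATUS_INSUFFICIENT_RESOURCES (0xC000009A), and the raw
# "%1450" placeholder DCOM logs when it cannot format the message text.
RESOURCE_MARKERS = ("Insufficient system resources", "0xC000009A", '"%1450"')


def section(lines, title):
    """Yield the non-empty lines of the '==== <title> ====' section of a report."""
    inside = False
    for line in lines:
        if line.startswith("===="):
            inside = title in line        # any header opens or closes a section
            continue
        if inside and line.strip() not in ("", "."):
            yield line.rstrip()


def parse_size(text):
    """DDS prints sizes with the locale's decimal separator and no thousands
    separator, so a comma here is a decimal point (German locale)."""
    return float(text.replace(",", "."))


def parse_partitions(log):
    """Return (drive, total_gib, free_gib, percent_free) for each fixed disk."""
    rows = []
    for line in section(log.splitlines(), "Disk Partitions"):
        m = PARTITION_RE.match(line)
        if not m or m["total"] is None:    # optical drives carry no size
            continue
        total, free = parse_size(m["total"]), parse_size(m["free"])
        if free > total:                   # a separator misread as thousands lands here
            raise ValueError(f"free exceeds total in {line!r}")
        rows.append((m["drive"], total, free, round(100 * free / total, 1)))
    return rows


def overall_percent_free(log):
    """Free space across all fixed disks as a percentage of their combined size."""
    rows = parse_partitions(log)
    return round(100 * sum(r[2] for r in rows) / sum(r[1] for r in rows), 1)


def parse_events(log):
    """Event Viewer lines as dicts with ts, level, source, id and msg."""
    matches = map(EVENT_RE.match, section(log.splitlines(), "Event Viewer Messages"))
    return [m.groupdict() for m in matches if m]


def event_counts(log):
    """How often each (source, event id) pair fired; the noisy repeaters stand out."""
    return Counter((e["source"], e["id"]) for e in parse_events(log))


def resource_exhaustion_events(log):
    """Events reporting the 'no system resources' condition in any spelling."""
    return [e for e in parse_events(log)
            if any(mark in e["msg"] for mark in RESOURCE_MARKERS)]


if __name__ == "__main__":
    for drive, total, free, pct in parse_partitions(SAMPLE_LOG):
        print(f"{drive}: {free:8.3f} of {total:5.0f} GiB free ({pct}%)")
    print(f"overall: {overall_percent_free(SAMPLE_LOG)}% free")
    for (source, eid), n in event_counts(SAMPLE_LOG).most_common():
        print(f"{n}x {source} [{eid}]")
    for e in resource_exhaustion_events(SAMPLE_LOG):
        print("resource exhaustion:", e["ts"], e["source"], e["id"])
```

Run it against a real attach.txt by reading the file into a string and passing that instead of `SAMPLE_LOG`; the `free > total` check is the only guard against a locale misread, so if it fires on a report from a comma-decimal system, the size parsing rather than the disk is the problem.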
 
I thank you for your continued assistance. I won't have the time to run the advised programs before I get back from work tonight, but I will post the logs as soon as I have them. I took tomorrow off, so hopefully we'll be able to finish the cleanup by then.

As for the issues with several virus programs, toolbars and the like, I would love some help with getting rid of these, once we're done cleaning. I actually used to run Avira, instead of Avast, but since Avira failed to protect, hell, even notify me of some issues, I dumped it, and went for Avast, instead. I haven't run Avira in ages, but I guess it still takes up resources. I mainly kept it around for its easy to access boot sector scanning.

Which program would you advise I keep? Or should I go for a new virus protection altogether? So far, I'm really satisfied with Avast.

I'll keep you posted on the logs, as soon as I can!
 
Another thing. I have no idea if I'm handling Avast correctly, right now. As mentioned in my first post, there are several infected items in my Avast container, quarantined away. Should I list all these things, too, or can we consider these blocked/solved? Should I delete the entries from quarantine before I take any new steps?

Also, sometimes I hear the clicking sound from Windows, something that only appears on my system when Internet Explorer is being used, without IE even being open or running at the moment. Does this have anything to do with a possible infection?
 
No problem. Post the logs when you can.

It's okay to change your antivirus program- but you can't just abandon it! It should be uninstalled. If you want an evaluation between Avira and Avast, I suggest choosing Avast. We stopped recommending Avira when they started bundling junk with the download- did I tell you that?

Please check with Avira Support for uninstall directions.

Avast Support says this:
The avast! Virus Chest is a safe and completely isolated place, or a 'quarantine' area in other words, for storing potentially harmful files away from the rest of the operating system.
Their idea of leaving them in the chest is based on the possibility that a file may have been removed erroneously. Once it's deleted, it's gone, but it can be restored from the chest.
To delete files in the Virus Chest: Open Avast> Maintenance> Virus Chest>
Right-click on the desired file (or highlighted multiple files) in the contents table on the VIRUS CHEST screen and select 'Delete' from the context menu:
(Screenshot from Avast Support: the Virus Chest 'Delete' context menu)
When asked to confirm> Choose Yes.
===================================
About the 'clicking' sound> usually any 'sound' caused by malware is music in the background. I don't know what a 'clicking' sound is like! But you have all the sounds in the Control Panel> Sounds & Audio> Sounds tab: you can preview the sound by highlighting the sound line, then Preview. If you haven't changed the sounds, you should be able to find what the 'clicking' sound means. Patience on this because you're actually going to be working backwards on the sound!
 
Okay here we go. I uninstalled Avira, as advised, then ran ComboFix, here is the log:

ComboFix 12-07-05.03 - Korcas 05.07.2012 19:01:55.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.3327.1969 [GMT 2:00]
Running from: h:\dokumente und einstellungen\Korcas\Desktop\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\dokumente und einstellungen\All Users\Anwendungsdaten\F2BDD61C-7F20-44BD-A1DB-F510E492AB22
h:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
h:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
h:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
h:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\FFSJ
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\FFSJ\FFSJ.cfg
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\1.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\2229.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\2260.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\4489.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\450.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\a.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\b.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\c.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\d.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\e.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\f.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\g.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\h.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\I.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\j.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\k.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\l.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\m.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\mru.xml
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\n.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\o.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\p.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\q.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\r.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\s.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\t.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\u.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\v.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\w.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\wlu.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\x.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\y.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\z.txt
h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Tempals_inst.exe
h:\dokumente und einstellungen\Korcas\Recent\Thumbs.db
h:\dokumente und einstellungen\Korcas\WINDOWS
h:\windows\system32\dllcache\dlimport.exe
h:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))
.
.
2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\Korcas\Anwendungsdaten\Malwarebytes
2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2012-07-04 16:32 . 2012-04-04 13:56 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
2012-07-03 05:16 . 2012-07-03 05:16 -------- d-----w- h:\windows\system32\wbem\Repository
2012-06-14 02:47 . 2012-05-11 14:40 521728 -c----w- h:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2010-12-28 17:32 54232 ----a-w- h:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-02-25 08:54 18544 ----a-w- h:\windows\system32\drivers\aswKbd.sys
2012-07-03 16:21 . 2011-11-11 06:24 721000 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2011-11-11 06:24 202928 ----a-w- h:\windows\system32\drivers\aswNdis2.sys
2012-07-03 16:21 . 2010-12-28 17:32 21256 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2010-12-28 17:32 353688 ----a-w- h:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2010-12-28 17:32 35928 ----a-w- h:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2010-12-28 17:32 97608 ----a-w- h:\windows\system32\drivers\aswmon2.sys
2012-07-03 16:21 . 2010-12-28 17:32 89624 ----a-w- h:\windows\system32\drivers\aswmon.sys
2012-07-03 16:21 . 2011-11-11 06:24 113776 ----a-w- h:\windows\system32\drivers\aswFW.sys
2012-07-03 16:21 . 2010-12-28 17:32 25256 ----a-w- h:\windows\system32\drivers\aavmker4.sys
2012-07-03 16:21 . 2010-12-28 17:32 41224 ----a-w- h:\windows\avastSS.scr
2012-07-03 16:21 . 2010-12-28 17:32 227648 ----a-w- h:\windows\system32\aswBoot.exe
2012-07-02 02:27 . 2012-04-01 15:06 426184 ----a-w- h:\windows\system32\FlashPlayerApp.exe
2012-07-02 02:27 . 2011-07-01 18:33 70344 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 13:19 . 2009-10-17 14:26 329240 ----a-w- h:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2009-10-17 14:26 210968 ----a-w- h:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2009-10-17 14:26 219160 ----a-w- h:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2008-10-16 12:07 18456 ----a-w- h:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19 . 2009-10-17 14:26 53784 ----a-w- h:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2009-10-17 14:26 35864 ----a-w- h:\windows\system32\wups.dll
2012-06-02 13:19 . 2008-10-16 12:09 45080 ----a-w- h:\windows\system32\wups2.dll
2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2007-07-27 12:00 97304 ----a-w- h:\windows\system32\cdm.dll
2012-06-02 13:19 . 2008-10-16 12:08 23576 ----a-w- h:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2009-10-17 14:26 577048 ----a-w- h:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2009-10-17 14:26 1933848 ----a-w- h:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2007-07-27 12:00 604160 ----a-w- h:\windows\system32\crypt32.dll
2012-05-16 15:07 . 2007-07-27 12:00 916992 ----a-w- h:\windows\system32\wininet.dll
2012-05-15 13:56 . 2007-07-27 12:00 1863296 ----a-w- h:\windows\system32\win32k.sys
2012-05-11 14:40 . 2007-07-27 12:00 43520 ----a-w- h:\windows\system32\licmgr10.dll
2012-05-11 14:40 . 2007-07-27 12:00 1469440 ------w- h:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2007-07-27 12:00 385024 ----a-w- h:\windows\system32\html.iec
2012-05-05 03:14 . 2007-07-27 12:00 2150912 ----a-w- h:\windows\system32\ntoskrnl.exe
2012-05-05 03:14 . 2004-08-04 00:50 2029056 ----a-w- h:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-10-17 14:24 139656 ----a-w- h:\windows\system32\drivers\rdpwd.sys
2002-11-19 23:01 . 2006-02-17 15:51 28672 ----a-w- h:\programme\opera\program\plugins\PlugDef.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
"{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49 176936 ----a-w- h:\programme\Vuze_Remote\prxtbVuz2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
2011-05-09 08:49 176936 ----a-w- h:\programme\uTorrentBar_DE\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
"{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
"{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- h:\programme\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="h:\programme\Vtune\TBPanel.exe" [2009-05-12 2158592]
"AshSnap"="I:\ashampoo snap 4\ashsnap.exe" [2011-04-01 1528176]
"AdobeBridge"="I:\adobecs5.5\Adobe Bridge CS5.1\Bridge.exe" [2011-03-02 12008296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-27 208952]
"MSPY2002"="h:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-07-27 59392]
"PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Adobe Reader Speed Launcher"="I:\reader\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="h:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Trojancheck 6 Guard"="h:\programme\Trojancheck 6\tcguard.exe" [2002-11-14 590336]
"ISUSPM Startup"="h:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="h:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"AdobeAAMUpdater-1.0"="h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"SwitchBoard"="h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="h:\programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Acrobat Speed Launcher"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"Acrobat Assistant 8.0"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
"avast"="h:\programme\Alwil Software\Avast5\avastUI.exe" [2012-07-03 4273976]
"SunJavaUpdateSched"="h:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"nwiz"="h:\programme\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"Malwarebytes' Anti-Malware"="I:\malwarebytes' anti-malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Adobe Gamma Loader.lnk - h:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-18 113664]
Microsoft Office.lnk - I:\ms office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^HP Digital Imaging Monitor.lnk]
path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\HP Digital Imaging Monitor.lnk
backup=h:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-28 22:15 136176 ----atw- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-11-21 02:10 3293184 ----a-w- h:\programme\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2010-11-22 13:20 2736128 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:22 1695232 ------w- h:\programme\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 09:17 421888 ----a-w- I:\quicktime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 14:12 26192168 ----a-r- I:\skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\mIRC\\mirc.exe"=
"I:\\DC++\\DCPlusPlus.exe"=
"I:\\Trillian\\trillian.exe"=
"I:\\Azureus\\Azureus.exe"=
"h:\\Programme\\Java\\jre6\\bin\\javaw.exe"=
"h:\\Programme\\VideoLAN\\VLC\\vlc.exe"=
"h:\\Dokumente und Einstellungen\\Korcas\\Lokale Einstellungen\\Anwendungsdaten\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"h:\\Programme\\Vuze\\Azureus.exe"=
"I:\\Skype\\Plugin Manager\\skypePM.exe"=
"I:\\Skype\\Phone\\Skype.exe"=
"h:\\Programme\\Opera\\opera.exe"=
"h:\\Programme\\Google\\Google Talk\\googletalk.exe"=
"I:\\AdobeCS5.5\\Adobe Flash Builder 4.5\\FlashBuilder.exe"=
"h:\\Programme\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"h:\\Programme\\uTorrent\\uTorrent.exe"=
"h:\\Programme\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"I:\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"I:\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7935:TCP"= 7935:TCP:Adobe Flash Builder 4.5
.
R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [11.11.2011 08:24 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;h:\windows\system32\drivers\aswNdis2.sys [11.11.2011 08:24 202928]
R1 aswFW;avast! TDI Firewall driver;h:\windows\system32\drivers\aswFW.sys [11.11.2011 08:24 113776]
R1 aswKbd;aswKbd;h:\windows\system32\drivers\aswKbd.sys [25.02.2012 10:54 18544]
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [11.11.2011 08:24 721000]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [28.12.2010 19:32 353688]
R1 ISODisk;ISODisk;h:\windows\system32\drivers\ISODisk.sys [25.06.2011 09:41 9600]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [28.12.2010 19:32 21256]
R2 avast! Firewall;avast! Firewall;h:\programme\Alwil Software\Avast5\afwServ.exe [11.11.2011 08:24 133912]
R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [04.07.2012 18:32 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [06.03.2012 23:02 2214504]
R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [18.10.2009 21:34 4497704]
R2 WTouchService;WTouch Service;h:\programme\WTouch\WTouchService.exe [18.10.2009 21:35 113448]
R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [04.07.2012 18:32 22344]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;h:\windows\system32\drivers\viahduaa.sys [20.12.2009 20:00 1381632]
R3 wacmoumonitor;Wacom Mode Helper;h:\windows\system32\drivers\wacmoumonitor.sys [18.10.2009 21:34 16168]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01.04.2012 17:06 250056]
S3 appliandMP;appliandMP;h:\windows\system32\DRIVERS\appliand.sys --> h:\windows\system32\DRIVERS\appliand.sys [?]
S3 SwitchBoard;SwitchBoard;h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe [19.02.2010 13:37 517096]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 13:18 451872 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-03 h:\windows\Tasks\AdobeAAMUpdater-1.0-GREYBOX-Korcas.job
- h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-26 06:46]
.
2012-07-05 h:\windows\Tasks\avast! Emergency Update.job
- h:\programme\Alwil Software\Avast5\AvastEmUpdate.exe [2012-06-30 16:21]
.
2012-07-01 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003Core.job
- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
.
2012-07-05 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003UA.job
- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &FreeRIP Search - h:\programme\FreeRIP3\toolband.dll/MENUSEARCH.HTM
IE: An vorhandene PDF-Datei anfügen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-avgnt - I:\avira\AntiVir Desktop\avgnt.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - h:\programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-HP Software Update - h:\programme\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-NeroFilterCheck - h:\programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
AddRemove-AVMFBox - h:\programme\FRITZ!Box\install.exe
AddRemove-GPL Ghostscript 8.71 - h:\programme\gs\uninstgs.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-05 19:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0b\06\0c\17\03\1e?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2136)
h:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
h:\programme\WTouch\WTouchUser.exe
h:\programme\Alwil Software\Avast5\AvastSvc.exe
h:\programme\Java\jre6\bin\jqs.exe
h:\programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
h:\programme\BurnAware Professional\nmsaccessu.exe
h:\windows\system32\nvsvc32.exe
h:\windows\system32\wdfmgr.exe
h:\windows\SOUNDMAN.EXE
h:\windows\system32\RunDLL32.exe
h:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-07-05 19:10:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-05 17:10
.
Pre-Run: 6 Verzeichnis(se), 13.851.844.608 Bytes frei
Post-Run: 8 Verzeichnis(se), 14.704.447.488 Bytes frei
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A31F85C7F21765BC37021AC404FC8B31
 
Now the ESET scan has left me a bit worried, since it actually found three more infected files that nothing else seemed to have picked up. Here is the log:

H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 Java/Exploit.CVE-2012-0507.CM trojan
H:\System Volume Information\_restore{3B94F78F-1988-441F-AAF2-6781DE5D1F65}\RP943\A0167282.ini Win32/Sirefef.EZ trojan
H:\System Volume Information\_restore{3B94F78F-1988-441F-AAF2-6781DE5D1F65}\RP943\A0167293.dll a variant of Win32/Medfos.AM trojan

All three of these still exist, as I unchecked the threat removal as advised.

I also emptied my Avast Container. So far Avast has not detected any new files trying to invade.
 
Your heavy use of file-sharing programs will ensure that you have a constant supply of malware! Consider removing all or most of the following:
DCPlusPlus
Trillian
Azureus/Vuze
uTorrent
mIRC
=============================================
Toolbars and browser helper objects are being removed:
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
Code:
KillAll::
File::
DDS::
uStart Page = about:blank
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
uURLSearchHooks: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - h:\programme\askbardis\bar\bin\askBar.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
BHO: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - h:\programme\askbardis\bar\bin\askBar.dll
TB: FreeRIP.com Toolbar: {081230f8-ea50-42a9-983c-d22abc2eed3b} - h:\programme\freerip3\toolband.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\programme\vuze_remote\prxtbVuz2.dll
TB: uTorrentBar_DE Toolbar: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - h:\programme\utorrentbar_de\prxtbuTor.dll
EB: Ask Toolbar Quick View: {b0de3308-5d5a-470d-81b9-634fc078393b} - h:\windows\system32\shdocvw.dll
IE: &FreeRIP Search - h:\programme\freerip3\toolband.dll/MENUSEARCH.H
 
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
"{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"=-
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
[HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"=-
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
"{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"=-
[HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
[HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"=-
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"=-
"{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2}"=-
[HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
[HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"
"AntiVirSchedulerService"
 
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
There is only one new entry in the ESET log. The 2 processes in System Volume are restore points. They are no longer active in the system. I will have you set a new clean restore point and drop the old ones at the end of cleaning.
Please download OTMoveIt by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================================
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=======================================
Please leave the new Combofix log (after running the script), OTM log and CK Scan in your next reply.
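The Registry:: block in the CFScript above was assembled by hand from the "Reg Loading Points" section of the ComboFix log: every IE load point (URLSearchHooks, Browser Helper Objects, Toolbar, Toolbar\Webbrowser) whose DLL belongs to one of the unwanted toolbars is listed, with `"name"=-` (regedit syntax for deleting a value) for each value and a bare key line for each key, exactly as the helper's script does. The following Python script is an added example, not part of this thread and not ComboFix's own tooling: it parses that log section and generates the same kind of Registry:: block mechanically, so the entries can be checked against the log instead of retyped. The log excerpt embedded in it is a constructed sample modelled on the log in this thread, the list of folder names to treat as unwanted is an assumption you supply, and the output is meant to be reviewed by whoever runs ComboFix before it is saved as a CFScript, since ComboFix applies it without asking.

```python
"""Build a ComboFix-style 'Registry::' block from the 'Reg Loading Points'
section of a ComboFix log (added example; not ComboFix's own tooling)."""
import re

# Constructed sample modelled on the log in this thread (not a real capture).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
"{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49 176936 ----a-w- h:\programme\Vuze_Remote\prxtbVuz2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
"""

# Line shapes used in the ComboFix "Reg Loading Points" section.
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')                      # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*"([^"]+)"')                 # "name"= "path" [date size]
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$')  # date time size attrs path
GUID_RE = re.compile(r'\{[0-9a-fA-F-]{36}\}')

# Key-name fragments that identify the IE load points this thread removes.
IE_LOAD_POINTS = ("URLSearchHooks", "Browser Helper Objects", r"Internet Explorer\Toolbar")


def parse_loading_points(log):
    """Return (key, value_name_or_None, dll_path_or_None) triples in log order."""
    entries, key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.append((key, None, None))
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group(1), m.group(2)))
            continue
        m = FILE_RE.match(line)       # file listed directly under a CLSID-named key (BHOs)
        if m:
            entries.append((key, None, m.group(1)))
    return entries


def unwanted_entries(entries, path_markers):
    """Keep IE load-point entries whose DLL path contains one of path_markers
    (case-insensitive; e.g. the toolbar's install folder name). The markers are
    an assumption supplied by the person doing the cleanup."""
    markers = [m.lower() for m in path_markers]
    hits = []
    for key, name, path in entries:
        if not any(lp.lower() in key.lower() for lp in IE_LOAD_POINTS):
            continue
        if path and any(m in path.lower() for m in markers):
            hits.append((key, name, path))
    return hits


def build_registry_script(hits):
    """Emit the Registry:: block in the shape used by the script in this thread:
    a [key] line per affected key, "name"=- per value (regedit delete syntax),
    then the HKEY_CLASSES_ROOT\\clsid\\{guid} key for every CLSID involved."""
    lines, current, clsids = ["Registry::"], None, []
    for key, name, _path in hits:
        if key != current:
            lines.append(f"[{key}]")
            current = key
        if name:
            lines.append(f'"{name}"=-')
        for guid in GUID_RE.findall(key + (name or "")):
            if guid.lower() not in clsids:
                clsids.append(guid.lower())
    lines.extend(f"[HKEY_CLASSES_ROOT\\clsid\\{g}]" for g in clsids)
    return "\n".join(lines)


def dll_paths(hits):
    """Unique DLL paths behind the selected entries, for review before running."""
    return sorted({path for _k, _n, path in hits})


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    selected = unwanted_entries(found, ["Vuze_Remote", "uTorrentBar_DE", "FreeRIP3"])
    print(build_registry_script(selected))
    print("\nDLLs involved:", *dll_paths(selected), sep="\n  ")
```

The shell icon overlay entry for avast in the sample is deliberately left alone: it is not an IE load point, so the filter never selects it, which is the check that keeps a legitimate entry out of the generated script.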
 
Okay, I ran into a few problems, but first on the file-sharing programs.

mIRC and Trillian are only used for chatting, mIRC for IRC, and Trillian for AIM and IRC. Unfortunately these are necessary, since a lot of friends and colleagues use them to stay in touch with me. DCPlusPlus can go, I've only used it once or twice in the past. Same for uTorrent. Vuze, unfortunately, is sometimes a necessity, as I'm in the fansubbing scene, and we sometimes need to swap files for quality checking and the like. But I'm absolutely up for doing a cleanup of non-necessary files, once we've solved the infection issues.

Now for the issues I ran into:

ComboFix:

1st try: Crashed when trying to scan, had to reboot.
2nd try: It believed avast was still active, even though I closed the real time protection. Did still run without any noticeable problems afterwards.

Here is the log:

ComboFix 12-07-05.04 - Korcas 06.07.2012 5:41.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.3327.2554 [GMT 2:00]
Running from: h:\dokumente und einstellungen\Korcas\Desktop\ComboFix.exe
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
.
.
2012-07-05 17:12 . 2012-07-05 17:12 -------- d-----w- h:\programme\ESET
2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\Korcas\Anwendungsdaten\Malwarebytes
2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2012-07-04 16:32 . 2012-04-04 13:56 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
2012-07-03 05:16 . 2012-07-03 05:16 -------- d-----w- h:\windows\system32\wbem\Repository
2012-06-14 02:47 . 2012-05-11 14:40 521728 -c----w- h:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2010-12-28 17:32 54232 ----a-w- h:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-02-25 08:54 18544 ----a-w- h:\windows\system32\drivers\aswKbd.sys
2012-07-03 16:21 . 2011-11-11 06:24 721000 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2011-11-11 06:24 202928 ----a-w- h:\windows\system32\drivers\aswNdis2.sys
2012-07-03 16:21 . 2010-12-28 17:32 21256 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2010-12-28 17:32 353688 ----a-w- h:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2010-12-28 17:32 35928 ----a-w- h:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2010-12-28 17:32 97608 ----a-w- h:\windows\system32\drivers\aswmon2.sys
2012-07-03 16:21 . 2010-12-28 17:32 89624 ----a-w- h:\windows\system32\drivers\aswmon.sys
2012-07-03 16:21 . 2011-11-11 06:24 113776 ----a-w- h:\windows\system32\drivers\aswFW.sys
2012-07-03 16:21 . 2010-12-28 17:32 25256 ----a-w- h:\windows\system32\drivers\aavmker4.sys
2012-07-03 16:21 . 2010-12-28 17:32 41224 ----a-w- h:\windows\avastSS.scr
2012-07-03 16:21 . 2010-12-28 17:32 227648 ----a-w- h:\windows\system32\aswBoot.exe
2012-07-02 02:27 . 2012-04-01 15:06 426184 ----a-w- h:\windows\system32\FlashPlayerApp.exe
2012-07-02 02:27 . 2011-07-01 18:33 70344 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 13:19 . 2009-10-17 14:26 329240 ----a-w- h:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2009-10-17 14:26 210968 ----a-w- h:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2009-10-17 14:26 219160 ----a-w- h:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2008-10-16 12:07 18456 ----a-w- h:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19 . 2009-10-17 14:26 53784 ----a-w- h:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2009-10-17 14:26 35864 ----a-w- h:\windows\system32\wups.dll
2012-06-02 13:19 . 2008-10-16 12:09 45080 ----a-w- h:\windows\system32\wups2.dll
2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2007-07-27 12:00 97304 ----a-w- h:\windows\system32\cdm.dll
2012-06-02 13:19 . 2008-10-16 12:08 23576 ----a-w- h:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2009-10-17 14:26 577048 ----a-w- h:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2009-10-17 14:26 1933848 ----a-w- h:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2007-07-27 12:00 604160 ----a-w- h:\windows\system32\crypt32.dll
2012-05-16 15:07 . 2007-07-27 12:00 916992 ----a-w- h:\windows\system32\wininet.dll
2012-05-15 13:56 . 2007-07-27 12:00 1863296 ----a-w- h:\windows\system32\win32k.sys
2012-05-11 14:40 . 2007-07-27 12:00 43520 ----a-w- h:\windows\system32\licmgr10.dll
2012-05-11 14:40 . 2007-07-27 12:00 1469440 ------w- h:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2007-07-27 12:00 385024 ----a-w- h:\windows\system32\html.iec
2012-05-05 03:14 . 2007-07-27 12:00 2150912 ----a-w- h:\windows\system32\ntoskrnl.exe
2012-05-05 03:14 . 2004-08-04 00:50 2029056 ----a-w- h:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-10-17 14:24 139656 ----a-w- h:\windows\system32\drivers\rdpwd.sys
2002-11-19 23:01 . 2006-02-17 15:51 28672 ----a-w- h:\programme\opera\program\plugins\PlugDef.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-05_17.07.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-06 03:37 . 2012-07-06 03:37 16384 h:\windows\Temp\Perflib_Perfdata_5ac.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 67740 h:\windows\system32\perfc009.dat
+ 2007-07-27 12:00 . 2012-07-06 03:42 67740 h:\windows\system32\perfc009.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 48036 h:\windows\system32\perfc007.dat
+ 2007-07-27 12:00 . 2012-07-06 03:42 48036 h:\windows\system32\perfc007.dat
+ 2007-07-27 12:00 . 2012-07-06 03:42 432784 h:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 432784 h:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 316246 h:\windows\system32\perfh007.dat
+ 2007-07-27 12:00 . 2012-07-06 03:42 316246 h:\windows\system32\perfh007.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
"{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49 176936 ----a-w- h:\programme\Vuze_Remote\prxtbVuz2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
2011-05-09 08:49 176936 ----a-w- h:\programme\uTorrentBar_DE\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
"{c840e246-6b95-475e-9bd7-caa1c7eca9f2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
"{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2}"= "h:\programme\uTorrentBar_DE\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- h:\programme\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="h:\programme\Vtune\TBPanel.exe" [2009-05-12 2158592]
"AshSnap"="I:\ashampoo snap 4\ashsnap.exe" [2011-04-01 1528176]
"AdobeBridge"="I:\adobecs5.5\Adobe Bridge CS5.1\Bridge.exe" [2011-03-02 12008296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-27 208952]
"MSPY2002"="h:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-07-27 59392]
"PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Adobe Reader Speed Launcher"="I:\reader\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="h:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Trojancheck 6 Guard"="h:\programme\Trojancheck 6\tcguard.exe" [2002-11-14 590336]
"ISUSPM Startup"="h:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="h:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"AdobeAAMUpdater-1.0"="h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"SwitchBoard"="h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="h:\programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Acrobat Speed Launcher"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"Acrobat Assistant 8.0"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
"avast"="h:\programme\Alwil Software\Avast5\avastUI.exe" [2012-07-03 4273976]
"SunJavaUpdateSched"="h:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"nwiz"="h:\programme\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"Malwarebytes' Anti-Malware"="I:\malwarebytes' anti-malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Adobe Gamma Loader.lnk - h:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-18 113664]
Microsoft Office.lnk - I:\ms office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^HP Digital Imaging Monitor.lnk]
path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\HP Digital Imaging Monitor.lnk
backup=h:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-28 22:15 136176 ----atw- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-11-21 02:10 3293184 ----a-w- h:\programme\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2010-11-22 13:20 2736128 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:22 1695232 ------w- h:\programme\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 09:17 421888 ----a-w- I:\quicktime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 14:12 26192168 ----a-r- I:\skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\mIRC\\mirc.exe"=
"I:\\DC++\\DCPlusPlus.exe"=
"I:\\Trillian\\trillian.exe"=
"I:\\Azureus\\Azureus.exe"=
"h:\\Programme\\Java\\jre6\\bin\\javaw.exe"=
"h:\\Programme\\VideoLAN\\VLC\\vlc.exe"=
"h:\\Dokumente und Einstellungen\\Korcas\\Lokale Einstellungen\\Anwendungsdaten\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"h:\\Programme\\Vuze\\Azureus.exe"=
"I:\\Skype\\Plugin Manager\\skypePM.exe"=
"I:\\Skype\\Phone\\Skype.exe"=
"h:\\Programme\\Opera\\opera.exe"=
"h:\\Programme\\Google\\Google Talk\\googletalk.exe"=
"I:\\AdobeCS5.5\\Adobe Flash Builder 4.5\\FlashBuilder.exe"=
"h:\\Programme\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"h:\\Programme\\uTorrent\\uTorrent.exe"=
"h:\\Programme\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"I:\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"I:\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7935:TCP"= 7935:TCP:Adobe Flash Builder 4.5
.
R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [11.11.2011 08:24 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;h:\windows\system32\drivers\aswNdis2.sys [11.11.2011 08:24 202928]
R1 aswFW;avast! TDI Firewall driver;h:\windows\system32\drivers\aswFW.sys [11.11.2011 08:24 113776]
R1 aswKbd;aswKbd;h:\windows\system32\drivers\aswKbd.sys [25.02.2012 10:54 18544]
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [11.11.2011 08:24 721000]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [28.12.2010 19:32 353688]
R1 ISODisk;ISODisk;h:\windows\system32\drivers\ISODisk.sys [25.06.2011 09:41 9600]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [28.12.2010 19:32 21256]
R2 avast! Firewall;avast! Firewall;h:\programme\Alwil Software\Avast5\afwServ.exe [11.11.2011 08:24 133912]
R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [04.07.2012 18:32 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [06.03.2012 23:02 2214504]
R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [18.10.2009 21:34 4497704]
R2 WTouchService;WTouch Service;h:\programme\WTouch\WTouchService.exe [18.10.2009 21:35 113448]
R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [04.07.2012 18:32 22344]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;h:\windows\system32\drivers\viahduaa.sys [20.12.2009 20:00 1381632]
R3 wacmoumonitor;Wacom Mode Helper;h:\windows\system32\drivers\wacmoumonitor.sys [18.10.2009 21:34 16168]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01.04.2012 17:06 250056]
S3 appliandMP;appliandMP;h:\windows\system32\DRIVERS\appliand.sys --> h:\windows\system32\DRIVERS\appliand.sys [?]
S3 SwitchBoard;SwitchBoard;h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe [19.02.2010 13:37 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 13:18 451872 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-06 h:\windows\Tasks\AdobeAAMUpdater-1.0-GREYBOX-Korcas.job
- h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-26 06:46]
.
2012-07-06 h:\windows\Tasks\avast! Emergency Update.job
- h:\programme\Alwil Software\Avast5\AvastEmUpdate.exe [2012-06-30 16:21]
.
2012-07-01 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003Core.job
- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
.
2012-07-06 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003UA.job
- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &FreeRIP Search - h:\programme\FreeRIP3\toolband.dll/MENUSEARCH.HTM
IE: An vorhandene PDF-Datei anfügen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-06 05:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0b\06\0c\17\03\1e?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3140)
h:\windows\system32\webcheck.dll
.
Completion time: 2012-07-06 05:46:48
ComboFix-quarantined-files.txt 2012-07-06 03:46
ComboFix2.txt 2012-07-05 17:10
.
Pre-Run: 7 Verzeichnis(se), 14.700.904.448 Bytes frei
Post-Run: 8 Verzeichnis(se), 14.683.389.952 Bytes frei
.
- - End Of File - - 361D037A7FC2B4BDE323D6525A0BDB78
 
OTL issues:

1st: Crashed the first time and MBAM encountered an error. Closed MBAM protection since. (I probably should uninstall MBAM real-time protection, should I not?) Had to reboot the machine.
2nd: Pressed MoveIt! and the desktop disappeared, OTL froze, had to reboot again, as there was no indication of anything currently being in process
3rd: Took the machine to Safe Mode and ran the script, everything worked out. Here is the log:

All processes killed
========== FILES ==========
H:\Dokumente und Einstellungen\Korcas\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\58ad53fc-4f1e2865 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56502 bytes

User: Korcas
->Temp folder emptied: 773388 bytes
->Temporary Internet Files folder emptied: 8552582 bytes
->Java cache emptied: 353491 bytes
->Opera cache emptied: 199118 bytes
->Flash cache emptied: 373285 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 131206 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56502 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10,00 mb


OTM by OldTimer - Version 3.1.21.0 log created on 07062012_060729
 
Absolutely no issues with CKScanner.

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.WPAPLR
----- EOF -----
 
A question on the side. Is it safe for me, at this point, to log into my e-mail account from this machine? I changed my password at work and haven't logged into my mail on this computer so far. So I'm wondering if I should hook something else up, or if I can check my mails on here.
 
NOTE: you need to shut down any other running programs while you run the scans. I think either you don't have enough RAM installed or one of the RAM chips is bad. What you are describing for the crashes makes this a strong possibility.
I suspect the problems you're having are due to the state of the system which I outlined previously. You have a great number of processes starting on boot, then running in the background, using system resources. None need to start on boot and can be accessed from the Programs menu when needed. They include:
Adobe Gamma Loader
Microsoft Office
Digital Imaging Monitor
Google Talk
MSN Messenger
QuickTime Task
NONE of these need to start on boot!

To remove entries from the Startup Menu using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:

    All images courtesy NetSquirrel
  • To expand the Command column (this shows what the process 'belongs' to), hold the left mouse button down on the dividing line in the frame above Location and move it to the right to expand.
  • Uncheck any processes you do not need to start on boot.
    [o] Leave any processes for Avast
    [o] If you are on a laptop and there is a process for the touchpad like 'Appoint', leave that.
    [o] Uncheck everything else
  • Click on Apply> OK when finished.
NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
=============================
Is there some reason you did not run the script I gave you for Combofix? The entries are still present. It includes script for removing:
Vuze Remote Toolbar:
uTorrentBar_DE Toolbar:
Ask Toolbar:
FreeRIP.com Toolbar:
============================================
Please do this and give me the figure:

To find how much RAM is installed:
Control Panel> System> the General tab of the System Properties will open and the RAM figure will be on lower right.
==============================================
You can go to Add/Remove Programs and uninstall these:
AskBar> TB, BHO
Ask Toolbar Quick View
FreeRIP.com Toolbar
Adobe Reader: You have another program for PDF. The Adobe program is bloated with a lot of junk you don't need.

Then use Windows Explorer to access Computer> Local Drive> Programs> Find the program folder for each uninstall program and do a right click> Delete.

You may include any of the File Sharing programs in this.
==============================================
Rerun Combofix with the script.
==============================================
Run the CK Scanner as instructed.
==============================================
In next reply:
1. Tell me how much RAM is installed.
2. Tell me which programs you have uninstalled so I can remove 'left-over' entry-if any.
3. Leave the NEW Combofix log from AFTER you run the script.
4. Leave the CK Scan log.
==============================================
To clarify:
I had you run OTMovIt. You referred to a different program, one that I have not had you run, twice:

OTL issues:
2nd: Pressed MoveIt! and the desktop disappeared, OTL froze,

If you have OTL on your desktop also, please remove it.
=============================
Please note: When you leave a log, leave the entire log with the heading. That has information in it that I need. For instance, you have no header on OTM- you start with File.
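The helper's review above boils down to reading the "Reg Loading Points" block of a ComboFix log and sorting its entries into three bins: things that start on boot (the Run keys and startup folder), browser add-ons (URLSearchHooks, Browser Helper Objects, IE Toolbar), and entries msconfig has already unchecked (those under `shared tools\msconfig\startupreg`). The script below is an added example written for this page; it is not part of ComboFix, OTM or any tool in the thread. It parses a constructed excerpt in ComboFix's layout (trimmed copies of lines from the log above) and flags the add-ons the helper asked to have removed. The marker list `UNWANTED_MARKERS` and the function names are this example's own choices, not anything ComboFix provides.

```python
import re
from collections import Counter

# Constructed sample in ComboFix's "Reg Loading Points" layout, trimmed from
# the log posted above. It is test input for this example, not a new log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\programme\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}]
2011-05-09 08:49 176936 ----a-w- h:\programme\uTorrentBar_DE\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "h:\programme\FreeRIP3\toolband.dll" [2009-10-16 282624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avast"="h:\programme\Alwil Software\Avast5\avastUI.exe" [2012-07-03 4273976]
"Adobe Reader Speed Launcher"="I:\reader\Reader\Reader_sl.exe" [2010-09-23 35760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 09:17 421888 ----a-w- I:\quicktime\QTTask.exe
.
"""

# A registry key header, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# A "name"="path" [date size] value line under a Run/Toolbar/URLSearchHooks key
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
# A "date time size attrs path" file line under a BHO or msconfig\startupreg key
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?P<size>\d+) \S+ (?P<path>.+)$")

# Folder-name fragments of the add-ons the helper listed for removal
# (Vuze Remote, uTorrentBar_DE, FreeRIP, Ask). This list is the example's own.
UNWANTED_MARKERS = ("vuze_remote", "utorrentbar", "freerip", "askbar")


def classify(key):
    """Sort a registry key into the bins the helper reviews by hand."""
    k = key.lower()
    if r"\msconfig\startupreg" in k:
        # msconfig moves entries it has unchecked here; they no longer run on boot
        return "disabled-by-msconfig"
    if r"\currentversion\run" in k or "startupfolder" in k:
        return "boot-autostart"
    if any(s in k for s in ("urlsearchhooks", "browser helper objects", r"internet explorer\toolbar")):
        return "browser-addon"
    return "other"


def parse_loading_points(text):
    """Return one dict per autostart/add-on entry found in a Reg Loading Points block."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                      # ComboFix separates keys with a lone "."
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue                      # stray line before the first key
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": key, "name": m.group("name"),
                            "path": m.group("path"), "kind": classify(key)})
            continue
        m = FILE_RE.match(line)
        if m:
            # BHO and startupreg keys carry the name in the key itself
            entries.append({"key": key, "name": key.rsplit("\\", 1)[-1],
                            "path": m.group("path"), "kind": classify(key)})
    return entries


def flag_unwanted(entries, markers=UNWANTED_MARKERS):
    """Entries whose on-disk path points into a known unwanted add-on folder."""
    return [e for e in entries if any(mk in e["path"].lower() for mk in markers)]


def summarize(entries):
    """Count entries per bin, the figure the helper quotes as 'processes starting on boot'."""
    return dict(Counter(e["kind"] for e in entries))


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    print(summarize(found))
    for e in flag_unwanted(found):
        print("remove:", e["name"], "->", e["path"])
```

Run against the excerpt it reports three boot autostarts, three browser add-ons and one entry already disabled by msconfig, and flags the Vuze, uTorrentBar and FreeRIP DLLs. The same parser runs unchanged over a full ComboFix log, since only the three line shapes above occur in that block; anything it does not recognise (such as the `@="{CLSID}"` default-value lines) is skipped rather than guessed at.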
 
Oh, sorry. I actually meant OTM. I have left the log in the reply, is there still something missing? Because that's all I got. I followed the steps you gave me for Combofix, pulled the script into the program and had it run. However, the first time around it froze up, so I started the program a second time, by double clicking on Combofix, was that wrong?

I removed the unnecessary parts from the autorun, at least as far as I could identify them, and will reboot now; will update you on the next steps once that is done.
 
Okay, here we go. I hope Combofix actually worked the way it was intended to this time..
1. According to the System properties, there are 3.25 Gigabytes of RAM installed. Physically I have 4 Gigabytes of RAM, but AFAIK Windows XP can only use 3.25.
2. I removed the following programs from the system, using the Microsoft software removal: uTorrent, uTorrent Toolbar, Vuze Toolbar. Unfortunately I cannot find entries for the Ask toolbar and DC++.
3. I had to run Combofix twice; it froze on "Scanning for Infected Files" on the normal desktop. Left it running like that for half an hour, but nothing happened. So I created the script again, and copied it into ComboFix in Safe Mode, which apparently worked. Here is the log:
ComboFix 12-07-06.02 - Korcas 06.07.2012 20:15:22.3.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.3327.2890 [GMT 2:00]
Running from: h:\dokumente und einstellungen\Korcas\Desktop\ComboFix.exe
Command switches used :: h:\dokumente und einstellungen\Korcas\Desktop\CFScript.txt
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\1.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\a.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\b.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\c.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\d.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\e.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\f.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\g.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\h.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\I.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\j.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\k.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\l.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\m.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\mru.xml
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\n.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\o.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\p.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\q.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\r.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\s.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\t.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\u.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\v.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\w.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\wlu.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\x.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\y.txt
h:\dokumente und einstellungen\Korcas\Anwendungsdaten\PriceGong\Data\z.txt
h:\programme\freerip3\toolband.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
.
.
2012-07-06 03:49 . 2012-07-06 03:49 -------- d-----w- H:\_OTM
2012-07-05 17:12 . 2012-07-05 17:12 -------- d-----w- h:\programme\ESET
2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\Korcas\Anwendungsdaten\Malwarebytes
2012-07-04 16:32 . 2012-07-04 16:32 -------- d-----w- h:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2012-07-04 16:32 . 2012-04-04 13:56 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
2012-07-03 05:16 . 2012-07-03 05:16 -------- d-----w- h:\windows\system32\wbem\Repository
2012-06-14 02:47 . 2012-05-11 14:40 521728 -c----w- h:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2010-12-28 17:32 54232 ----a-w- h:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-02-25 08:54 18544 ----a-w- h:\windows\system32\drivers\aswKbd.sys
2012-07-03 16:21 . 2011-11-11 06:24 721000 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2011-11-11 06:24 202928 ----a-w- h:\windows\system32\drivers\aswNdis2.sys
2012-07-03 16:21 . 2010-12-28 17:32 21256 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2010-12-28 17:32 353688 ----a-w- h:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2010-12-28 17:32 35928 ----a-w- h:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2010-12-28 17:32 97608 ----a-w- h:\windows\system32\drivers\aswmon2.sys
2012-07-03 16:21 . 2010-12-28 17:32 89624 ----a-w- h:\windows\system32\drivers\aswmon.sys
2012-07-03 16:21 . 2011-11-11 06:24 113776 ----a-w- h:\windows\system32\drivers\aswFW.sys
2012-07-03 16:21 . 2010-12-28 17:32 25256 ----a-w- h:\windows\system32\drivers\aavmker4.sys
2012-07-03 16:21 . 2010-12-28 17:32 41224 ----a-w- h:\windows\avastSS.scr
2012-07-03 16:21 . 2010-12-28 17:32 227648 ----a-w- h:\windows\system32\aswBoot.exe
2012-07-02 02:27 . 2012-04-01 15:06 426184 ----a-w- h:\windows\system32\FlashPlayerApp.exe
2012-07-02 02:27 . 2011-07-01 18:33 70344 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 13:19 . 2009-10-17 14:26 329240 ----a-w- h:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2009-10-17 14:26 210968 ----a-w- h:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2009-10-17 14:26 219160 ----a-w- h:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2008-10-16 12:07 18456 ----a-w- h:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19 . 2009-10-17 14:26 53784 ----a-w- h:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2009-10-17 14:26 35864 ----a-w- h:\windows\system32\wups.dll
2012-06-02 13:19 . 2008-10-16 12:09 45080 ----a-w- h:\windows\system32\wups2.dll
2012-06-02 13:19 . 2008-10-16 12:08 15896 ----a-w- h:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2007-07-27 12:00 97304 ----a-w- h:\windows\system32\cdm.dll
2012-06-02 13:19 . 2008-10-16 12:08 23576 ----a-w- h:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2009-10-17 14:26 577048 ----a-w- h:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2009-10-17 14:26 1933848 ----a-w- h:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2007-07-27 12:00 604160 ----a-w- h:\windows\system32\crypt32.dll
2012-05-16 15:07 . 2007-07-27 12:00 916992 ----a-w- h:\windows\system32\wininet.dll
2012-05-15 13:56 . 2007-07-27 12:00 1863296 ----a-w- h:\windows\system32\win32k.sys
2012-05-11 14:40 . 2007-07-27 12:00 43520 ----a-w- h:\windows\system32\licmgr10.dll
2012-05-11 14:40 . 2007-07-27 12:00 1469440 ------w- h:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2007-07-27 12:00 385024 ----a-w- h:\windows\system32\html.iec
2012-05-05 03:14 . 2007-07-27 12:00 2150912 ----a-w- h:\windows\system32\ntoskrnl.exe
2012-05-05 03:14 . 2004-08-04 00:50 2029056 ----a-w- h:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-10-17 14:24 139656 ----a-w- h:\windows\system32\drivers\rdpwd.sys
2002-11-19 23:01 . 2006-02-17 15:51 28672 ----a-w- h:\programme\opera\program\plugins\PlugDef.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-05_17.07.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-06 18:21 . 2012-07-06 18:21 16384 h:\windows\temp\Perflib_Perfdata_5f0.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 67740 h:\windows\system32\perfc009.dat
+ 2007-07-27 12:00 . 2012-07-06 18:22 67740 h:\windows\system32\perfc009.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 48036 h:\windows\system32\perfc007.dat
+ 2007-07-27 12:00 . 2012-07-06 18:22 48036 h:\windows\system32\perfc007.dat
+ 2007-07-27 12:00 . 2012-07-06 18:22 432784 h:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 432784 h:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2012-07-05 16:54 316246 h:\windows\system32\perfh007.dat
+ 2007-07-27 12:00 . 2012-07-06 18:22 316246 h:\windows\system32\perfh007.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- h:\programme\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="h:\programme\Vtune\TBPanel.exe" [2009-05-12 2158592]
"AdobeBridge"="I:\adobecs5.5\Adobe Bridge CS5.1\Bridge.exe" [2011-03-02 12008296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-27 208952]
"MSPY2002"="h:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-07-27 59392]
"PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Adobe Reader Speed Launcher"="I:\reader\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="h:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Trojancheck 6 Guard"="h:\programme\Trojancheck 6\tcguard.exe" [2002-11-14 590336]
"ISUSPM Startup"="h:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="h:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"AdobeAAMUpdater-1.0"="h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"SwitchBoard"="h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="h:\programme\Gemeinsame Dateien\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Acrobat Speed Launcher"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"Acrobat Assistant 8.0"="I:\adobecs5.5\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
"avast"="h:\programme\Alwil Software\Avast5\avastUI.exe" [2012-07-03 4273976]
"SunJavaUpdateSched"="h:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"nwiz"="h:\programme\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"Malwarebytes' Anti-Malware"="I:\malwarebytes' anti-malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Gamma Loader.lnk]
path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk
backup=h:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^HP Digital Imaging Monitor.lnk]
path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\HP Digital Imaging Monitor.lnk
backup=h:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\H:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=h:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=h:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AshSnap]
2011-04-01 07:10 1528176 ----a-w- I:\ashampoo snap 4\ashsnap.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-28 22:15 136176 ----atw- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-11-21 02:10 3293184 ----a-w- h:\programme\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2010-11-22 13:20 2736128 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:22 1695232 ------w- h:\programme\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 09:17 421888 ----a-w- I:\quicktime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 14:12 26192168 ----a-r- I:\skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\mIRC\\mirc.exe"=
"I:\\DC++\\DCPlusPlus.exe"=
"I:\\Trillian\\trillian.exe"=
"I:\\Azureus\\Azureus.exe"=
"h:\\Programme\\Java\\jre6\\bin\\javaw.exe"=
"h:\\Programme\\VideoLAN\\VLC\\vlc.exe"=
"h:\\Dokumente und Einstellungen\\Korcas\\Lokale Einstellungen\\Anwendungsdaten\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"h:\\Programme\\Vuze\\Azureus.exe"=
"I:\\Skype\\Plugin Manager\\skypePM.exe"=
"I:\\Skype\\Phone\\Skype.exe"=
"h:\\Programme\\Opera\\opera.exe"=
"h:\\Programme\\Google\\Google Talk\\googletalk.exe"=
"I:\\AdobeCS5.5\\Adobe Flash Builder 4.5\\FlashBuilder.exe"=
"h:\\Programme\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"h:\\Programme\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"I:\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"I:\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7935:TCP"= 7935:TCP:Adobe Flash Builder 4.5
.
R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [11.11.2011 08:24 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;h:\windows\system32\drivers\aswNdis2.sys [11.11.2011 08:24 202928]
R1 aswFW;avast! TDI Firewall driver;h:\windows\system32\drivers\aswFW.sys [11.11.2011 08:24 113776]
R1 aswKbd;aswKbd;h:\windows\system32\drivers\aswKbd.sys [25.02.2012 10:54 18544]
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [11.11.2011 08:24 721000]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [28.12.2010 19:32 353688]
R1 ISODisk;ISODisk;h:\windows\system32\drivers\ISODisk.sys [25.06.2011 09:41 9600]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [28.12.2010 19:32 21256]
R2 avast! Firewall;avast! Firewall;h:\programme\Alwil Software\Avast5\afwServ.exe [11.11.2011 08:24 133912]
R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [04.07.2012 18:32 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [06.03.2012 23:02 2214504]
R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [18.10.2009 21:34 4497704]
R2 WTouchService;WTouch Service;h:\programme\WTouch\WTouchService.exe [18.10.2009 21:35 113448]
R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [04.07.2012 18:32 22344]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;h:\windows\system32\drivers\viahduaa.sys [20.12.2009 20:00 1381632]
R3 wacmoumonitor;Wacom Mode Helper;h:\windows\system32\drivers\wacmoumonitor.sys [18.10.2009 21:34 16168]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01.04.2012 17:06 250056]
S3 appliandMP;appliandMP;h:\windows\system32\DRIVERS\appliand.sys --> h:\windows\system32\DRIVERS\appliand.sys [?]
S3 SwitchBoard;SwitchBoard;h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe [19.02.2010 13:37 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 13:18 451872 ----a-w- h:\programme\Gemeinsame Dateien\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-06 h:\windows\Tasks\AdobeAAMUpdater-1.0-GREYBOX-Korcas.job
- h:\programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-26 06:46]
.
2012-07-06 h:\windows\Tasks\avast! Emergency Update.job
- h:\programme\Alwil Software\Avast5\AvastEmUpdate.exe [2012-06-30 16:21]
.
2012-07-06 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003Core.job
- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
.
2012-07-06 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1757981266-725345543-1003UA.job
- h:\dokumente und einstellungen\Korcas\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-04-28 22:15]
.
.
------- Supplementary Scan -------
.
IE: An vorhandene PDF-Datei anfügen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - h:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-06 20:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0b\06\0c\17\03\1e?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1876)
h:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
h:\programme\WTouch\WTouchUser.exe
h:\programme\Alwil Software\Avast5\AvastSvc.exe
h:\programme\Java\jre6\bin\jqs.exe
h:\programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
h:\programme\BurnAware Professional\nmsaccessu.exe
h:\windows\system32\nvsvc32.exe
h:\windows\system32\wdfmgr.exe
h:\windows\SOUNDMAN.EXE
h:\windows\system32\RunDLL32.exe
h:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-07-06 20:24:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-06 18:24
ComboFix2.txt 2012-07-06 03:46
ComboFix3.txt 2012-07-05 17:10
.
Pre-Run: 8 directory(ies), 13.641.576.448 bytes free
Post-Run: 9 directory(ies), 14.554.411.008 bytes free
.
- - End Of File - - E6E1D65D21DCF2FD1B70F11486A22326
4. Here is the CK Scan Log:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.INAARK
----- EOF -----

I hope I did everything correctly this time around.
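Added example (not part of the original post, and not ComboFix's own code): a small Python parser for the `R*`/`S*` service and driver lines in the log above, with a triage pass that flags the entries a responder would look at first. The letter is the run state (R running, S stopped) and the digit the Windows start type (0 boot, 1 system, 2 auto, 3 demand). My reading of the `path --> path [?]` form on the `appliandMP` line is that ComboFix could not find the registered binary on disk; that interpretation, the sample lines (copied from the log) and the directory heuristics are assumptions of this example, and a flag only marks something to inspect, not a verdict.

```python
"""Parse the service/driver section of a ComboFix log and flag entries worth a closer look."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: five service/driver lines copied from the ComboFix log above.
SAMPLE_LINES = r"""
R0 aswNdis;avast! Firewall NDIS Filter Service;h:\windows\system32\drivers\aswNdis.sys [11.11.2011 08:24 12112]
R2 MBAMService;MBAMService;I:\malwarebytes' anti-malware\mbamservice.exe [04.07.2012 18:32 654408]
R2 TabletServicePen;TabletServicePen;h:\windows\system32\Pen_Tablet.exe [18.10.2009 21:34 4497704]
S3 appliandMP;appliandMP;h:\windows\system32\DRIVERS\appliand.sys --> h:\windows\system32\DRIVERS\appliand.sys [?]
S3 SwitchBoard;SwitchBoard;h:\programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe [19.02.2010 13:37 517096]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"          # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"       # service name; display name
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"  # image path, then [date time size] or [?]
)

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Locations where a service or driver binary is unusual enough to warrant a look (heuristic).
SUSPECT_DIRS = ("\\temp\\", "\\dokumente und einstellungen\\", "\\users\\",
                "\\recycler\\", "\\$recycle.bin\\")


@dataclass
class ServiceEntry:
    name: str
    display: str
    state: str
    start_type: int
    image_path: str
    file_missing: bool
    size: Optional[int]
    timestamp: Optional[str]


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one R*/S* line, or None if the line is not one."""
    m = SERVICE_RE.match(line.rstrip())
    if not m:
        return None
    path = m.group("path")
    # Assumption about the format: "X --> Y [?]" means ComboFix could not find the
    # binary on disk; the part after "-->" is the path registered for the service.
    if " --> " in path:
        path = path.split(" --> ")[-1]
    meta = m.group("meta").strip()
    size: Optional[int] = None
    stamp: Optional[str] = None
    if meta != "?":
        parts = meta.split()
        if parts and parts[-1].isdigit():
            size = int(parts[-1])
            stamp = " ".join(parts[:-1])
        else:
            stamp = meta
    return ServiceEntry(
        name=m.group("name"),
        display=m.group("display"),
        state="running" if m.group("state") == "R" else "stopped",
        start_type=int(m.group("start")),
        image_path=path,
        file_missing=(meta == "?"),
        size=size,
        timestamp=stamp,
    )


def parse_log(text: str) -> List[ServiceEntry]:
    """Extract every service/driver entry from a ComboFix log (other lines are ignored)."""
    entries = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Map service name -> list of reasons it deserves inspection; clean entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        p = e.image_path.lower()
        reasons = []
        if e.file_missing:
            reasons.append("missing_file")            # registered service, binary not on disk
        if p.endswith(".sys") and "\\drivers\\" not in p:
            reasons.append("driver_outside_drivers_dir")
        if any(d in p for d in SUSPECT_DIRS):
            reasons.append("binary_in_user_or_temp_dir")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_log(SAMPLE_LINES)).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample, only `appliandMP` is reported (`missing_file`); the avast, Malwarebytes, Wacom and Adobe entries pass all three checks. On a real log, feed the whole file to `parse_log` and cross-check each flagged entry against what is actually installed before touching it.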
 