Solved System Check on Vista SP2


steinson

Hi!

I got the system check malware on a Laptop from a friend of mine with Win Vista.
It appears that all files were marked as "hidden" and that the trojan appears in the auto boot. Hence, at every start of Windows a lot of fake messages appeared.

Thus, I deactivated the (random) .exe in the auto boot which came from the trojan and restarted (otherwise the scan would not work, since the laptop is relatively old...). Then I followed your instructions. Enclosed you find the log files.

Thanks in advance for helping me!

steinson

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.30.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19170
- :: MOBILE [administrator]

Protection: Enabled

31.01.2012 09:45:43
mbam-log-2012-01-31 (09-45-43).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 407221
Time elapsed: 2 hour(s), 36 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\tdx (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 8
C:\WINDOWS\System32\drivers\tdx.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\sfiGOoTHfvbW.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\-\AppData\Local\Temp\oleda0.99876541177765.exe (Trojan.Downloader.lb) -> Quarantined and deleted successfully.
C:\Users\-\AppData\Local\Temp\C60D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\-\AppData\Local\Temp\ZFGDGu3qodcrKe.exe.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\-\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\29e36f06-3b3105bf (Trojan.Downloader.lb) -> Quarantined and deleted successfully.
C:\Users\-\AppData\Roaming\ScanDisc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-01 10:54:11
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 FUJITSU_MHW2120BH rev.8918
Running: uw3b8evb.exe; Driver: C:\Users\-\AppData\Local\Temp\pxldypod.sys


---- System - GMER 1.0.15 ----

SSDT 88C86BFE ZwCreateSection
SSDT 88C86C08 ZwRequestWaitReplyPort
SSDT 88C86C03 ZwSetContextThread
SSDT 88C86C0D ZwSetSecurityObject
SSDT 88C86C12 ZwSystemDebugControl
SSDT 88C86B9F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 215 824C4998 4 Bytes [FE, 6B, C8, 88]
.text ntkrnlpa.exe!KeSetEvent + 539 824C4CBC 4 Bytes [08, 6C, C8, 88] {OR [EAX+ECX*8-0x78], CH}
.text ntkrnlpa.exe!KeSetEvent + 56D 824C4CF0 4 Bytes [03, 6C, C8, 88] {ADD EBP, [EAX+ECX*8-0x78]}
.text ntkrnlpa.exe!KeSetEvent + 5D1 824C4D54 4 Bytes [0D, 6C, C8, 88]
.text ntkrnlpa.exe!KeSetEvent + 619 824C4D9C 4 Bytes [12, 6C, C8, 88] {ADC CH, [EAX+ECX*8-0x78]}
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746C7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7471A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [746CBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [746BF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746C75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746BE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [746F8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [746CDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746BFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746BFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746B71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7474CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [746EC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [746BD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [746B6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746B687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [746C2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4768
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b004c1b
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b2da1b3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b2da1b3@001a1651965f 0x92 0xC0 0x6B 0xB2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b004c1b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b2da1b3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b2da1b3@001a1651965f 0x92 0xC0 0x6B 0xB2 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB315$\3117660392 0 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\bckfg.tmp 854 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\cfg.ini 335 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\L 0 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\L\vhtmwbun 72192 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\U 0 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB315$\3117660392\version 858 bytes
File C:\WINDOWS\$NtUninstallKB315$\473084469 0 bytes

---- EOF - GMER 1.0.15 ----



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170 BrowserJavaVersion: 1.6.0_29
Run by - at 10:55:17 on 2012-02-01
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1033.18.1015.197 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\Dwm.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHosttr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\MsOffice12\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\E_FATICCE.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://de.yahoo.com
mSearch Page =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\msoffice12\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: SciFinder Scholar Bar: {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uRun: [EPSON Stylus D120 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticce.exe /fu "c:\users\-\appdata\local\temp\E_S79B1.tmp" /EF "HKCU"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\msoffice12\office12\GrooveMonitor.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\-\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\msoffice12\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\newsho~1.lnk - c:\program files\usb_video_device\utility\remotetool\BDARemote.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{08b785c1-3893-4154-b53b-f5d341d0aaaa}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Nach Microsoft E&xel exportieren - c:\progra~1\msoffi~1\office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\icq7.5\ICQ.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\msoffi~1\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\msoffi~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUpldde-de.cab
DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} - hxxp://esupport.epson-europe.com/selftest/de/Prg/ESTPTest.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 172.17.7.254
TCP: Interfaces\{120F3131-73C0-4BED-89D1-6E0AFF34328A} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B6983C64-5A7E-48E1-B4E6-3E9C40E82CFE} : DhcpNameServer = 172.17.7.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\msoffice12\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\msoffice12\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli ASWLNPkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\-\appdata\roaming\mozilla\firefox\profiles\1xunj3qq.default\
FF - prefs.js: browser.startup.homepage - www.studivz.net
FF - component: c:\program files\common files\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chem3d\npChem3DPlugin.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chemdraw\NPCDP32.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npSfAppM.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\-\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\-\appdata\roaming\move networks\plugins\071803000001\npqmp071803000001.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-26 36000]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-12-30 32000]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-25 74640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-30 20464]
.
=============== Created Last 30 ================
.
2012-01-30 09:25:49 -------- d-----w- c:\users\-\appdata\roaming\Malwarebytes
2012-01-30 09:25:38 -------- d-----w- c:\programdata\Malwarebytes
2012-01-30 09:25:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-30 09:25:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-27 17:34:23 288 ---ha-w- c:\users\-\appdata\roaming\372DCE54.reg
2012-01-27 17:06:52 -------- d-----w- c:\program files\iPod
2012-01-27 17:06:25 -------- d-----w- c:\program files\iTunes
2012-01-27 16:45:20 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b1c66e8a-c36b-4d77-8a3a-0be53e12c76f}\mpengine.dll
2012-01-19 16:47:12 -------- d--h--w- c:\users\-\appdata\local\{84DF0906-C790-4768-9C2B-2BED302D4F67}
2012-01-19 16:47:07 -------- d--h--w- c:\users\-\appdata\local\{361F1858-AF1A-4389-9AA7-6633F1CB56A4}
2012-01-18 17:26:51 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 17:26:51 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 17:26:50 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 17:26:50 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-18 17:26:50 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 17:26:49 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-17 19:44:29 -------- d--h--w- c:\users\-\appdata\local\{354A4C23-3911-4371-899D-DE20D2574000}
2012-01-17 19:44:18 -------- d--h--w- c:\users\-\appdata\local\{08678E77-2B6F-4744-85AA-FFF13E9EAB17}
2012-01-13 17:24:21 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-13 17:24:20 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-13 17:23:52 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-13 17:23:35 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-13 17:23:13 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-13 17:22:58 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-01-13 17:22:44 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-13 17:22:43 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-10 19:54:47 -------- d--h--w- c:\users\-\appdata\local\{99D2A15E-52AC-4F9B-BAE0-F98EC96D9B58}
2012-01-10 19:54:43 -------- d--h--w- c:\users\-\appdata\local\{934F61CF-849D-44F0-B4CF-7B4C97320B57}
2012-01-07 09:46:03 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-07 09:46:03 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-07 09:46:03 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-07 09:46:02 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
.
==================== Find3M ====================
.
2012-01-27 17:33:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-07 09:08:58 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
.
============= FINISH: 10:57:54,73 ===============




.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume1
Install Date: 22.05.2007 01:13:50
System Uptime: 01.02.2012 09:38:03 (1 hours ago)
.
Motherboard: Hewlett-Packard | | 30A2
Processor: Intel(R) Celeron(R) M CPU 440 @ 1.86GHz | U10 | 1862/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 60 GiB total, 7,207 GiB free.
D: is FIXED (NTFS) - 40 GiB total, 26,693 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 11 GiB total, 4,872 GiB free.
G: is FIXED (NTFS) - 2 GiB total, 1,29 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP962: 30.01.2012 14:29:38 - Scheduled Checkpoint
RP963: 31.01.2012 13:04:56 - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.3
Agere Systems HDA Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Application Installer 4.00.B10
ArcSoft ShowBiz DVD 2
ASL_HS_Installer32
Avira Free Antivirus
Bing Bar
Bonjour
CambridgeSoft Activation Client
CambridgeSoft BioAssay 12.0
CambridgeSoft ChemBioOffice Ultra 2010
CambridgeSoft ChemScript 12.0
CambridgeSoft Desktop Inventory 12.0
CambridgeSoft ENotebook 12.0.1
Camera RAW Plug-In for EPSON Creativity Suite
Cisco Systems VPN Client 5.0.06.0110
CorelDRAW Essential Edition 3
D3DX10
DE
DivX Plus Web Player
Dropbox
EPSON-Drucker-Software
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan Assistant
EPSON Stylus C110_D120 Handbuch
EPSON Stylus C90_91_D92 Handbuch
Essential System Updates for Microsoft Windows Vista
Express Burn
Express Rip
Facebook Plug-In
Force 2.0
Free YouTube to Mp3 Converter version 3.2
GIMP 2.4.1
Google Gears
Google SketchUp 6
Google Toolbar for Internet Explorer
Google Update Helper
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Backup and Recovery Manager Installer
HP BIOS Configuration for ProtectTools
HP Credential Manager for ProtectTools
HP Customer Experience Enhancements
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Integrated Module with Bluetooth wireless technology 6.0.1.3100
HP MULTIPLE MODEM INSTALLER for VISTA
HP Notebook Accessories Product Tour
HP ProtectTools Security Manager 2.00 E4
HP Quick Launch Buttons 6.10 C1
HP Update
HP User Guide 0045
HP Wireless Assistant
iCloud
ICQ Toolbar
ICQ7.5
iDump (Freeware) Build:29
Intel(R) Graphics Media Accelerator Driver
InterVideo DVD Check
InterVideo WinDVD
iPod2PC 3.9.2
iTunes
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 29
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Junk Mail filter update
LightScribe 1.4.124.1
Malwarebytes Anti-Malware version 1.60.0.1800
MathType 6
MestReNova LITE 5.2.5-4731
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (German) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (German) 2007
Microsoft Office InfoPath MUI (German) 2007
Microsoft Office OneNote MUI (German) 2007
Microsoft Office Outlook MUI (German) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Word MUI (German) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 (CSSQL05)
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
MobileMe Control Panel
Move Media Player
Mozilla Firefox 9.0.1 (x86 de)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nur Deinstallierung der CopyTrans Suite möglich.
OpenOffice.org 3.0
Origin85
OriginPro 8.5G
Picasa 3
PLT for Windows V7.1
Python 2.5
QuickTime
Recordpad
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Safari
SciFinder Scholar 2007
SciFinder Scholar Toolbar
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
Skype Click to Call
Skype™ 5.5
Sonic Activation Module
SoundMAX
SoundTap
Spelling Dictionaries Support For Adobe Reader 8
STARWARS: The Battle of Endor version 2.1
STATISTICA 8.0.725.0 CS
STATISTICA CambridgeSoft Integration
STATNOVAPDF (novaPDF Professional Server 5.4 printer)
Switch Uninstall
Synaptics Pointing Device Driver
TeamViewer 5
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Uninstall 1.0.0.1
Update für Microsoft Office Excel 2007 Help (KB963678)
Update für Microsoft Office Outlook 2007 Help (KB963677)
Update für Microsoft Office Powerpoint 2007 Help (KB963669)
Update für Microsoft Office Word 2007 Help (KB963665)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update Manager
USB Audio/Video Driver
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6c
Vista Default Settings
WavePad Uninstall
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
WinRAR
WinZip 12.1
.
==== Event Viewer Messages From Past Week ========
.
30.01.2012 15:44:12, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
30.01.2012 15:44:07, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr CSC DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr ssmdrv tdx Wanarpv6
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
30.01.2012 15:44:07, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
30.01.2012 15:44:05, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
30.01.2012 15:43:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
30.01.2012 15:43:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
30.01.2012 15:43:18, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
30.01.2012 15:43:12, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
30.01.2012 15:13:48, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
30.01.2012 10:25:58, Error: netbt [4307] - Initialization failed because the transport refused to open initial addresses.
30.01.2012 09:31:01, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
27.01.2012 19:07:01, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
27.01.2012 18:46:06, Error: Service Control Manager [7000] - The iPod-Dienst service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27.01.2012 18:46:00, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod-Dienst service to connect.
27.01.2012 18:46:00, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
01.02.2012 10:10:28, Error: Service Control Manager [7003] - The DHCP Client service depends the following service: Tdx. This service might not be installed.
01.02.2012 10:10:28, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
01.02.2012 09:41:14, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
01.02.2012 09:41:14, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
01.02.2012 09:41:14, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
01.02.2012 09:41:14, Error: Service Control Manager [7003] - The DNS Client service depends the following service: Tdx. This service might not be installed.
01.02.2012 09:41:14, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll be glad to help with the malware.

You do have a rogue security malware, but I believe it comes from a different rogue due to your description of the .exe files. So let's do the following:

1. If the programs, icons, desktop, etc. appear to be 'missing', please run the following:
Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
Note 1: This does not remove the malware- only the attribute causing the 'missing' problem. So it is important for you to continue.
=========================================
2. This changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.
To fix you start here: Download a Registry file that will fix these changes.

Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
  • Insert the removable device into the infected computer and open the folder for the drive letter associated with it. (Usually C)
  • Double click the FixNCR.reg file
  • You should now be able to run the .exe files.

3. To end the processes that belong to the rogue program:
Please click on RKill
  • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
  • Double click on the iExplore.exe icon
  • Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
Note: If you get a message that RKill is malware, ignore it; it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
========================================
4. Update and rescan with Malwarebytes:
  • Select Perform Full Scan on the Scanner tab
  • Click on the Scan button.
  • When the scan has finished, you will see this image: [scan-finished.jpg]
  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
==============================
5. Now run Combofix- we will let this program remove some of the entries for us:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job; this is normal.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe [cf-icon.jpg] & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=============================================
Note: If you have any problem with these scans, stop and let me know. Do not attempt a workaround.
Please leave logs for Mbam Full Scan, Combofix
===================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.

If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
Threads are closed after 5 days if there is no reply.
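Added example, not part of the original posts and not the code of Unhide.exe, FixNCR.reg or exeHelper: a PowerShell audit of what steps 1 and 2 above repair. The rogue rewrites the .exe/.com "open" command so every launched program starts the malware, and sets the Hidden attribute on the user's files; exeHelper (used later in this thread) additionally resets the Winlogon Shell and Userinit values. The script reports every deviation from the stock values and, only with -Repair, resets them and clears the Hidden bit on user data. Assumptions for this example: PowerShell 2.0 or later on Vista/7, an elevated prompt, the stock Windows defaults as baseline, and the three user folders listed in the parameter block as the places the rogue hides files.

```powershell
# Added example for this thread (not from the original posts, not the code of
# Unhide.exe, FixNCR.reg or exeHelper). Audits the registry values a ".exe
# hijack" rogue rewrites and the user files it hides. Read-only unless -Repair.
# Assumes PowerShell 2.0+ on Vista/7, an elevated prompt, and the stock Windows
# defaults below as the baseline (an assumption for this example).
param(
    [switch]$Repair,
    [string[]]$UserFolders = @(
        "$env:USERPROFILE\Desktop",
        "$env:USERPROFILE\Documents",
        "$env:APPDATA\Microsoft\Windows\Start Menu"
    )
)

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Machine-wide association chain (what FixNCR.reg restores) and the two
# Winlogon values exeHelper resets. A changed Shell/Userinit relaunches the
# rogue at every logon even after the .exe association is fixed.
$baseline = @(
    @{ Key = 'HKLM:\SOFTWARE\Classes\.exe';                        Name = '(default)'; Value = 'exefile' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\.com';                        Name = '(default)'; Value = 'comfile' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Value = 'explorer.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Value = "$env:SystemRoot\system32\userinit.exe," }
)

$findings = @()
foreach ($b in $baseline) {
    $actual = Get-RegValue $b.Key $b.Name
    if ($actual -ne $b.Value) {
        $findings += "MODIFIED   $($b.Key) [$($b.Name)] = '$actual' (expected '$($b.Value)')"
        if ($Repair) {
            if (-not (Test-Path $b.Key)) { New-Item -Path $b.Key -Force | Out-Null }
            Set-ItemProperty -Path $b.Key -Name $b.Name -Value $b.Value
        }
    }
}

# A per-user class under HKCU shadows the HKLM association without admin
# rights; that is how a rogue running as a standard user hijacks .exe.
# Neither key exists on a clean install, so presence alone is a finding.
foreach ($k in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\.com') {
    if (Test-Path $k) {
        $cmd = Get-RegValue "$k\shell\open\command" '(default)'
        $findings += "PER-USER   $k  open command = '$cmd'"
        if ($Repair) { Remove-Item -Path $k -Recurse -Force }
    }
}

# The "everything is missing" symptom: +H set on user files. Anything that is
# also marked System (desktop.ini, NTUSER.DAT, profile junctions) is hidden by
# Windows itself and is skipped. Unhide.exe strips +H from every file on every
# drive; this check deliberately stays inside the user's data folders.
$hidden = @(Get-ChildItem -Path $UserFolders -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
    })
if ($Repair) {
    # Both operands are FileAttributes, so -bxor clears the bit we know is set.
    foreach ($f in $hidden) { $f.Attributes = $f.Attributes -bxor [IO.FileAttributes]::Hidden }
}

if ($findings.Count -eq 0) { Write-Output 'Association and logon values match the defaults.' }
foreach ($f in $findings) { Write-Output $f }
Write-Output ("{0} hidden user file(s)/folder(s){1}" -f $hidden.Count, $(if ($Repair) { ': Hidden attribute cleared' } else { '' }))
```

Run it once without -Repair and read the findings first: a modified "open" command tells you the path of the rogue executable, which is worth noting before anything deletes it. Because the script is itself a .exe-launched interpreter, on a machine where the association is already hijacked you start it the same way the post starts FixNCR.reg, from removable media after RKill has stopped the rogue's processes, or from Safe Mode.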
 
Hi Bobbye!

Thanks for the help!
I managed to unhide all files with the proposed tool. Furthermore the step with the new registry entries and rkill worked fine. The log of the subsequent mbam check led to no alerts, but see for yourself:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.30.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19170
- :: MOBILE [administrator]

Protection: Enabled

01.02.2012 18:43:57
mbam-log-2012-02-01 (18-43-57).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 407227
Time elapsed: 2 hour(s), 47 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Unfortunately the ComboFix scan is not working for me. Although I deactivated Avira as well as the MBAM, the tool reminded me that Avira was still running. Nevertheless I started the scan, as you proposed. The tool succeeded in generating a new restore point, but the scan would last forever. So I interrupted the scan after approx. 24 hours. Any tips how to deal with it?

Thanks in advance!

steinson
 
Okay, give this a try for Combofix: If #1 works, you don't need to continue with #2.

NOTE: If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode. If it won't run, go on to #2.

2. Delete Combofix file, download fresh one, but rename combofix.exe to friday.exe BEFORE saving it to your desktop.
Do NOT run it yet.

3. See which one of the following runs. You do not need to download all three versions:
This is a slight variation on the RKill:
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, add the following:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
(Directions courtesy bleeping computer)

4. With both RKill and exehelper on board:
Go right to the renamed (Combofix) and double click on friday.exe to run
If it won't run in Normal Mode, run BOTH tools from safe mode, then try the double click on friday.exe to run.

If successful, please leave RKill, Exehelper and Combofix logs.
If not successful, we will leave this for now and run a different scan.
 
Adding: whether or not you are able to run Combofix, you have 6 outdated versions of Java on the system that need to be removed. These are all vulnerabilities and will cause malware in the Java cache. Normally this would be done later, but I don't see any reason to allow more malware in. Please run the following:

You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
===========================================
To clear the Java Plug-in cache:

  [1]. Click Start > Control Panel.
  [2]. Double-click the Java icon in the control panel. [java.png] The Java Control Panel appears. [plugin_cache1.jpg]
  [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears. [plugin_cache2.jpg]
  [4]. Click Delete Files. The Delete Temporary Files dialog box appears. [plugin_cache3.jpg]
  [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  [6]. Click Apply > OK on Temporary Files Settings window.
Images courtesy java.com
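Added example, not part of the original post and not JavaRa's code: a read-only PowerShell check for the two things the post above deals with, the stack of old Java Runtime installs and the Java deployment cache. It walks the Windows Uninstall registry keys, sorts the Java entries by version so only the newest is marked CURRENT, and reports how much is sitting in the per-user deployment cache that the Java Control Panel steps clear. Assumptions for this example: PowerShell 2.0 or later, the DisplayName pattern used by Sun/Oracle installers of that era ("Java(TM) 6 Update 29", "Java 7 Update 2", "J2SE Runtime Environment 5.0 Update 22"), and the Vista/7 cache location under AppData\LocalLow; the Wow6432Node path only exists on 64-bit Windows and is skipped on the x86 system in this thread.

```powershell
# Added example for this thread (not from the original post, not JavaRa's
# code). Lists every Java Runtime registered in the Uninstall keys, flags all
# but the newest as OUTDATED, and sizes the Java deployment cache. Read-only.
# Assumes PowerShell 2.0+; the DisplayName pattern and cache path below are
# assumptions based on Sun/Oracle installers and Vista/7 profile layout.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 64-bit Windows only
)

function ConvertTo-VersionSafe([string]$Text) {
    # DisplayVersion strings vary ("6.0.290", "1.6.0.29"); unparsable ones sort last.
    try { return [version]$Text } catch { return [version]'0.0' }
}

function Get-InstalledJava {
    $found = @()
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            # Matches "Java(TM) 6 Update 29", "Java 7 Update 2", "J2SE Runtime
            # Environment 5.0 ..." but not "Java Auto Updater", "Java DB" or "JavaFX".
            if ($p.DisplayName -match '^(Java\(TM\)|Java|J2SE Runtime Environment) \d') {
                $found += New-Object PSObject -Property @{
                    Name      = $p.DisplayName
                    Version   = ConvertTo-VersionSafe $p.DisplayVersion
                    Location  = $p.InstallLocation
                    Uninstall = $p.UninstallString
                }
            }
        }
    }
    return @($found | Sort-Object Version -Descending)
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    Write-Output 'No Java Runtime is registered in the Uninstall keys.'
} else {
    # Only the newest entry is CURRENT. Every other entry is an unpatched
    # runtime that is still installed and still loadable, which is the point
    # of the post: remove them rather than leave them beside the new one.
    for ($i = 0; $i -lt $java.Count; $i++) {
        $tag = if ($i -eq 0) { 'CURRENT ' } else { 'OUTDATED' }
        Write-Output ('{0}  {1}  {2}  {3}' -f $tag, $java[$i].Version, $java[$i].Name, $java[$i].Location)
    }
}

# The deployment cache the Java Control Panel steps clear. Vista/7 keep it
# under LocalLow for the current user (assumption; XP used %APPDATA%\Sun\Java).
$cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
if (Test-Path $cache) {
    $files = @(Get-ChildItem -Path $cache -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    Write-Output ('Java cache: {0} file(s), {1:N1} MB in {2}' -f $files.Count, ($bytes / 1MB), $cache)
} else {
    Write-Output "Java cache not present at $cache"
}
```

Run it as the user whose profile was infected, since the cache is per-user. The OUTDATED lines are the entries JavaRa's "Remove Older Versions" is expected to take out; running the script again afterwards is a quick way to confirm that exactly one CURRENT entry remains and that the cache count has dropped to zero after the Control Panel steps.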
 
Hi Bobbye!

Unfortunately I had no success. The rkill and exehelper tool ran successfully, however the Combofix tool (even after doing all suggestions you have given) won't really work. The scan is running already for 12 hours again...
[Edit]
Good news. In the safe mode (after approx. 14 hours...) ComboFix finished and told me that it found rootkit activity in "C:\Documents and Settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe" and said it must now reboot. Which is already done. However, should I start the scan again?
[/Edit]

However I could get rid of the old Java files.

Any hints how to continue?

Thanks in advance!

steinson
 
Hey!

The problem was (of course...) sitting in front of the screen ;-)
Due to the safe mode, the restart "killed" combofix. Hence I started the scan anew from "normal mode". Now the scan ended successfully!

Here are the desired logs:

RKILL:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 06.02.2012 at 12:52:00.
Operating System: Windows Vista (TM) Business


Processes terminated by Rkill or while it was running:

C:\Windows\system32\WUDFHost.exe
C:\Users\-\Desktop\rkill.com


Rkill completed on 06.02.2012 at 12:52:12.

exehelper:

exeHelper by Raktor
Build 20100414
Run at 12:53:53 on 02/06/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

and ComboFix:

ComboFix 12-02-06.01 - - 07.02.2012 14:18:44.1.1 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1033.18.1015.410 [GMT 1:00]
run by:: c:\users\-\Desktop\friday.exe.exe
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\64dlls.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\Kernel32.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\localsys64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra73.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\swin32.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
c:\program files\Common Files\Uninstall
c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\windows\system\GRID32.OCX
c:\windows\system\olepro32.dll
c:\windows\system\Stdole2.tlb
F:\Autorun.inf
.
c:\windows\system32\drivers\tdx.sys . . . is missing!!
.
.
((((((((((((((((((((((( Files Created from 2012-01-07 to 2012-02-07 ))))))))))))))))))))))))))))))
.
.
2012-02-07 13:45 . 2012-02-07 13:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-07 13:45 . 2012-02-07 13:45 -------- d-----w- c:\users\Claudio\AppData\Local\temp
2012-02-07 13:05 . 2012-02-07 13:06 -------- d-----w- C:\ComboFix
2012-02-03 15:59 . 2008-01-19 05:55 71680 ----a-w- c:\windows\system32\tdx.sys
2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\users\-\AppData\Roaming\Malwarebytes
2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-30 09:25 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-27 17:34 . 2012-01-27 17:34 288 ----a-w- c:\users\-\AppData\Roaming\372DCE54.reg
2012-01-27 17:06 . 2012-01-27 17:06 -------- d-----w- c:\program files\iPod
2012-01-27 17:06 . 2012-01-27 17:09 -------- d-----w- c:\program files\iTunes
2012-01-18 17:26 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 17:26 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 17:26 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-18 17:26 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 17:26 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 17:26 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-13 17:24 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-13 17:24 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-13 17:23 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-13 17:23 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-13 17:23 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-13 17:22 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-13 17:22 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-13 17:22 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-06 11:47 . 2010-04-28 16:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-27 17:33 . 2011-05-25 13:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-06 04:19 . 2012-01-27 16:45 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B1C66E8A-C36B-4D77-8A3A-0BE53E12C76F}\mpengine.dll ERROR(0x00000005)
2012-01-06 04:19 . 2007-10-08 18:23 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
2011-12-09 07:35 . 2011-11-26 17:46 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-07 09:08 . 2009-10-03 11:27 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-23 13:37 . 2011-12-15 14:48 2043904 ----a-w- c:\windows\system32\win32k.sys
2012-01-07 09:46 . 2011-05-10 15:48 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-18 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-18 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-18 81920]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-11-14 139264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-23 17920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
"GrooveMonitor"="c:\program files\MsOffice12\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\MsOffice12\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
NewShortcut1.lnk - c:\program files\USB_video_device\Utility\RemoteTool\BDARemote.exe [N/A]
VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-2-20 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2012-02-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
.
2012-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
.
.
------- Zusätzlicher Suchlauf -------
.
mStart Page = hxxp://de.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MSOFFI~1\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
TCP: DhcpNameServer = 172.17.7.254
FF - ProfilePath -
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-HP Software Update - c:\program files\Hp\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-sfiGOoTHfvbW - c:\programdata\sfiGOoTHfvbW.exe
AddRemove-STARWARS: The Battle of Endor v2.1_is1 - c:\program files\STARWARS_TheBattleOfEndor_v21\unins000.exe
AddRemove-_{ADDBE07D-95B8-4789-9C76-187FFF9624B4} - c:\program files\Corel\CorelDRAW Essential Edition 3\Programs\MSILauncher {ADDBE07D-95B8-4789-9C76-187FFF9624B4}
AddRemove-{E8A602BF-C276-4DB2-A9FF-B4C30EA1CB7C}_is1 - c:\program files\iDump (Freeware)\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-07 14:56
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
.
c:\users\-\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$CSSQL05]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:CSSQL05"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'Explorer.exe'(3692)
c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Adobe\Reader 8.0\Reader\viewerps.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conime.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-02-07 15:06:42 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-02-07 14:06
.
Vor Suchlauf: 8.030.580.736 bytes free
Nach Suchlauf: 9.844.678.656 bytes free
.
- - End Of File - - 873143EE87BF1C21EC4FE89761498FFC


Thanks for your patience! What are the next steps?

Bye,

steinson
 
Please note: I will be offline on Wednesday, 2/8 and Thursday, 2/9. When I return on Friday, 2/10, I will pick up the oldest threads first.
 
Thank you for your patience.
Translation from German shows me a driver file is missing, so we need to see if it's somewhere else on the system. Am I correct? "fehlt" means missing?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    tdx.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
======================================
You may have a flash drive infection. (Drive F) These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
DDS::
IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double-click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result. Save and post log.
  • A reboot is required after disinfection.
==============================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
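The SystemLook step above exists to find out whether a copy of the missing driver survives elsewhere on the disk. The following checker for SystemLook :filefind output is an added example (not the helper's tool, nor code from this thread): it parses the result lines, reports whether the driver sits in the path the loader expects, picks the newest winsxs component-store copy as the restore source, and flags any copy outside the expected location whose MD5 matches no store copy. The sample log is constructed in SystemLook's format with placeholder hashes.

```python
import re

# One SystemLook ":filefind" result line looks like (constructed illustration):
#   C:\WINDOWS\System32\tdx.sys --a---- 71680 bytes [15:59 03/02/2012] [05:55 19/01/2008] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?)\s+(?P<attrs>[-A-Za-z]+)\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# The version embedded in a winsxs component directory name, e.g. _6.0.6001.18000_
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")

# Constructed sample log in SystemLook's format; the MD5 values are placeholders.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 23:21 on 10/02/2012 by -
Administrator - Elevation successful

========== filefind ==========

Searching for "tdx.*"
C:\WINDOWS\System32\tdx.sys --a---- 71680 bytes [15:59 03/02/2012] [05:55 19/01/2008] 0123456789ABCDEF0123456789ABCDEF
C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys --a---- 68096 bytes [08:57 02/11/2006] [08:57 02/11/2006] FEDCBA9876543210FEDCBA9876543210
C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [20:29 06/06/2008] [05:55 19/01/2008] 0123456789ABCDEF0123456789ABCDEF

-= EOF =-
"""


def parse_filefind(text):
    """Return one dict per result line of a SystemLook :filefind log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, 'Searching for', EOF marker, blank lines
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["winsxs_version"] = None
        if "\\winsxs\\" in e["path"].lower():
            v = VERSION_RE.search(e["path"])
            if v:
                e["winsxs_version"] = tuple(int(x) for x in v.group(1).split("."))
        entries.append(e)
    return entries


def assess_driver(entries, filename, expected_dir=r"C:\WINDOWS\System32\drivers"):
    """Decide whether `filename` is where the loader expects it and which
    component-store copy could restore it if it is not.

    Returns a dict with:
      present          - a copy exists at expected_dir\filename
      live_hash_known  - that copy's MD5 equals some winsxs copy's MD5
      winsxs_copies    - number of copies in the component store
      restore_source   - path of the newest winsxs copy (by embedded version)
      unknown_strays   - copies elsewhere whose MD5 matches no store copy
    """
    wanted = filename.lower()
    same_name = [e for e in entries if e["path"].lower().rsplit("\\", 1)[-1] == wanted]
    expected_path = expected_dir.rstrip("\\").lower() + "\\" + wanted
    live = next((e for e in same_name if e["path"].lower() == expected_path), None)
    winsxs = [e for e in same_name if e["winsxs_version"] is not None]
    known = {e["md5"] for e in winsxs}
    # A copy outside both the expected location and the store is only
    # reassuring if it is byte-identical to a store copy; otherwise treat it
    # as unknown and have it looked at rather than copied into place.
    strays = [e for e in same_name if e is not live and e["winsxs_version"] is None]
    newest = max(winsxs, key=lambda e: e["winsxs_version"], default=None)
    return {
        "present": live is not None,
        "live_hash_known": live is not None and live["md5"] in known,
        "winsxs_copies": len(winsxs),
        "restore_source": newest["path"] if newest else None,
        "unknown_strays": [e["path"] for e in strays if e["md5"] not in known],
    }


if __name__ == "__main__":
    result = assess_driver(parse_filefind(SAMPLE_LOG), "tdx.sys")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it on a real SystemLook.txt is a matter of reading the file and passing its text to parse_filefind; the drivers directory default mirrors the path ComboFix reports as missing.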
 
Hey, welcome back!

Yes, you translated completely right. "fehlt" is missing in English.
The missing file of course leads to trouble, since the file is important for the TCP/IP protocol I think - hence I cannot connect to the internet.

Regarding Flash_Disinfector:
The drive F: is not a flash drive! It is the recovery partition of the laptop...

SystemLook found the missing .tdx file - I just cannot post the log since I already ran the ComboFix script, which again takes hours. I will come back on Sunday. Then hopefully the scan is done and I can give you the SystemLook log as well as the ComboFix log.

As already mentioned, I cannot connect to the internet. Hence, the ESET online scanner is not a possibility in this case... Any hints?

bye,

steinson
 
Hey!

This time ComboFix was faster than before, so here are the logs already:

SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 23:21 on 10/02/2012 by -
Administrator - Elevation successful

========== filefind ==========

Searching for "tdx.*"
C:\WINDOWS\System32\tdx.sys --a---- 71680 bytes [15:59 03/02/2012] [05:55 19/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys --a---- 68096 bytes [08:57 02/11/2006] [08:57 02/11/2006] AB4FDE8AF4A0270A46A001C08CBCE1C2
C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [20:29 06/06/2008] [05:55 19/01/2008] D09276B1FAB033CE1D40DCBDF303D10F

-= EOF =-


ComboFix:

ComboFix 12-02-06.01 - - 10.02.2012 23:49:07.2.1 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1033.18.1015.422 [GMT 1:00]
ausgeführt von:: c:\users\-\Desktop\friday.exe.exe
Benutzte Befehlsschalter :: c:\users\-\Desktop\CFscript.txt
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\64dlls.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\Kernel32.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\localsys64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra73.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\swin32.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
C:\friday.exe
c:\friday.exe\PEV.exe
c:\friday.exe\snapshot.00.dat
.
c:\windows\system32\drivers\tdx.sys . . . fehlt!!
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-01-10 bis 2012-02-10 ))))))))))))))))))))))))))))))
.
.
2012-02-10 23:15 . 2012-02-10 23:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-10 23:15 . 2012-02-10 23:15 -------- d-----w- c:\users\Claudio\AppData\Local\temp
2012-02-07 13:05 . 2012-02-07 13:06 -------- d-----w- C:\ComboFix
2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\users\-\AppData\Roaming\Malwarebytes
2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-30 09:25 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-27 17:34 . 2012-01-27 17:34 288 ----a-w- c:\users\-\AppData\Roaming\372DCE54.reg
2012-01-27 17:06 . 2012-01-27 17:06 -------- d-----w- c:\program files\iPod
2012-01-27 17:06 . 2012-01-27 17:09 -------- d-----w- c:\program files\iTunes
2012-01-18 17:26 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 17:26 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 17:26 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-13 17:24 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-13 17:23 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-13 17:23 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-13 17:22 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-06 11:47 . 2010-04-28 16:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-27 17:33 . 2011-05-25 13:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-06 04:19 . 2012-01-27 16:45 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B1C66E8A-C36B-4D77-8A3A-0BE53E12C76F}\mpengine.dll ERROR(0x00000005)
2012-01-06 04:19 . 2007-10-08 18:23 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
2011-12-09 07:35 . 2011-11-26 17:46 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-07 09:08 . 2009-10-03 11:27 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-25 15:59 . 2012-01-13 17:23 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37 . 2011-12-15 14:48 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-16 16:23 . 2012-01-18 17:26 377344 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 16:23 . 2012-01-18 17:26 72704 ----a-w- c:\windows\system32\secur32.dll
2011-11-16 16:23 . 2012-01-18 17:26 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-07 09:46 . 2011-05-10 15:48 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-18 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-18 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-18 81920]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-11-14 139264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-23 17920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
"GrooveMonitor"="c:\program files\MsOffice12\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\MsOffice12\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
NewShortcut1.lnk - c:\program files\USB_video_device\Utility\RemoteTool\BDARemote.exe [N/A]
VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-2-20 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
.
.
------- Zusätzlicher Suchlauf -------
.
mStart Page = hxxp://de.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MSOFFI~1\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
TCP: DhcpNameServer = 172.17.7.254
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-11 00:22
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$CSSQL05]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:CSSQL05"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'Explorer.exe'(4028)
c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Adobe\Reader 8.0\Reader\viewerps.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conime.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\RacAgent.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-02-11 00:33:57 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-02-10 23:33
ComboFix2.txt 2012-02-07 14:06
.
Vor Suchlauf: 9.680.973.824 bytes free
Nach Suchlauf: 9.558.519.808 bytes free
.
- - End Of File - - BE2A2A2272AFE55CDAA448EAA96C375C
 
and finally TDSSKiller:

00:51:56.0264 1840 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
00:51:57.0871 1840 ============================================================
00:51:57.0871 1840 Current date / time: 2012/02/11 00:51:57.0871
00:51:57.0871 1840 SystemInfo:
00:51:57.0871 1840
00:51:57.0871 1840 OS Version: 6.0.6002 ServicePack: 2.0
00:51:57.0871 1840 Product type: Workstation
00:51:57.0871 1840 ComputerName: MOBILE
00:51:57.0871 1840 UserName: -
00:51:57.0871 1840 Windows directory: C:\Windows
00:51:57.0871 1840 System windows directory: C:\Windows
00:51:57.0871 1840 Processor architecture: Intel x86
00:51:57.0871 1840 Number of processors: 1
00:51:57.0871 1840 Page size: 0x1000
00:51:57.0871 1840 Boot type: Normal boot
00:51:57.0871 1840 ============================================================
00:52:02.0364 1840 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3C91, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
00:52:02.0410 1840 \Device\Harddisk0\DR0:
00:52:02.0426 1840 MBR used
00:52:02.0426 1840 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x77587C1
00:52:02.0426 1840 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xC76B800, BlocksNum 0x150C000
00:52:02.0457 1840 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x7759000, BlocksNum 0x5012800
00:52:02.0457 1840 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0xDC79800, BlocksNum 0x31A800
00:52:02.0878 1840 Initialize success
00:52:02.0878 1840 ============================================================
00:52:19.0352 1724 ============================================================
00:52:19.0352 1724 Scan started
00:52:19.0352 1724 Mode: Manual;
00:52:19.0352 1724 ============================================================
00:52:26.0606 1724 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
00:52:26.0793 1724 ACPI - ok
00:52:27.0417 1724 ADIHdAudAddService (89216a0586b840693c06b13dd9f220b7) C:\Windows\system32\drivers\ADIHdAud.sys
00:52:27.0589 1724 ADIHdAudAddService - ok
00:52:28.0197 1724 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
00:52:28.0353 1724 adp94xx - ok
00:52:29.0539 1724 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
00:52:30.0225 1724 adpahci - ok
00:52:30.0834 1724 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
00:52:31.0005 1724 adpu160m - ok
00:52:31.0489 1724 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
00:52:31.0645 1724 adpu320 - ok
00:52:32.0191 1724 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\Windows\system32\drivers\Afc.sys
00:52:32.0331 1724 Afc - ok
00:52:32.0846 1724 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
00:52:33.0049 1724 AFD - ok
00:52:33.0844 1724 AgereSoftModem (2e3abaacbf547abbb5e73a504a56d05a) C:\Windows\system32\DRIVERS\AGRSM.sys
00:52:34.0734 1724 AgereSoftModem - ok
00:52:35.0295 1724 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
00:52:35.0436 1724 agp440 - ok
00:52:35.0919 1724 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
00:52:36.0013 1724 aic78xx - ok
00:52:36.0387 1724 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
00:52:36.0559 1724 aliide - ok
00:52:37.0120 1724 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
00:52:37.0230 1724 amdagp - ok
00:52:37.0542 1724 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
00:52:37.0682 1724 amdide - ok
00:52:38.0010 1724 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
00:52:38.0041 1724 AmdK7 - ok
00:52:38.0072 1724 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\DRIVERS\amdk8.sys
00:52:38.0197 1724 AmdK8 - ok
00:52:39.0008 1724 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
00:52:39.0086 1724 arc - ok
00:52:39.0336 1724 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
00:52:39.0382 1724 arcsas - ok
00:52:39.0882 1724 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
00:52:39.0928 1724 AsyncMac - ok
00:52:40.0178 1724 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
00:52:40.0194 1724 atapi - ok
00:52:40.0459 1724 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\Windows\system32\DRIVERS\avgntflt.sys
00:52:40.0552 1724 avgntflt - ok
00:52:40.0942 1724 avipbb (475fbb85956534720858ae72010c0a43) C:\Windows\system32\DRIVERS\avipbb.sys
00:52:40.0974 1724 avipbb - ok
00:52:41.0052 1724 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\Windows\system32\DRIVERS\avkmgr.sys
00:52:41.0083 1724 avkmgr - ok
00:52:41.0613 1724 BCM43XV (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
00:52:41.0832 1724 BCM43XV - ok
00:52:41.0878 1724 BCM43XX (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
00:52:41.0878 1724 BCM43XX - ok
00:52:42.0144 1724 bcm4sbxp (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
00:52:42.0206 1724 bcm4sbxp - ok
00:52:42.0362 1724 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
00:52:42.0393 1724 Beep - ok
00:52:42.0736 1724 blbdrive - ok
00:52:43.0017 1724 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
00:52:43.0048 1724 bowser - ok
00:52:43.0376 1724 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
00:52:43.0454 1724 BrFiltLo - ok
00:52:43.0750 1724 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
00:52:43.0750 1724 BrFiltUp - ok
00:52:43.0891 1724 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
00:52:43.0922 1724 Brserid - ok
00:52:44.0203 1724 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
00:52:44.0234 1724 BrSerWdm - ok
00:52:44.0328 1724 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
00:52:44.0390 1724 BrUsbMdm - ok
00:52:44.0686 1724 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
00:52:44.0733 1724 BrUsbSer - ok
00:52:44.0905 1724 BthEnum (6d39c954799b63ba866910234cf7d726) C:\Windows\system32\DRIVERS\BthEnum.sys
00:52:44.0936 1724 BthEnum - ok
00:52:45.0170 1724 BTHMODEM (9a966a8e86d1771911ae34a20d11bff3) C:\Windows\system32\DRIVERS\bthmodem.sys
00:52:45.0217 1724 BTHMODEM - ok
00:52:45.0529 1724 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
00:52:45.0607 1724 BthPan - ok
00:52:45.0934 1724 BTHPORT (611ff3f2f095c8d4a6d4cfd9dcc09793) C:\Windows\system32\Drivers\BTHport.sys
00:52:46.0012 1724 BTHPORT - ok
00:52:46.0184 1724 BTHUSB (d330803eab2a15caec7f011f1d4cb30e) C:\Windows\system32\Drivers\BTHUSB.sys
00:52:46.0215 1724 BTHUSB - ok
00:52:46.0590 1724 btwaudio (4a28e7bd365377d0512b7ef8c7596d2c) C:\Windows\system32\drivers\btwaudio.sys
00:52:46.0636 1724 btwaudio - ok
00:52:47.0136 1724 btwavdt (5ffde57253d665067b0886612817eb11) C:\Windows\system32\drivers\btwavdt.sys
00:52:47.0214 1724 btwavdt - ok
00:52:47.0323 1724 btwrchid (ab07dc8b05c31a4f95fc73019be9db15) C:\Windows\system32\DRIVERS\btwrchid.sys
00:52:47.0370 1724 btwrchid - ok
00:52:47.0510 1724 catchme - ok
00:52:47.0760 1724 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
00:52:47.0838 1724 cdfs - ok
00:52:48.0072 1724 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
00:52:48.0150 1724 cdrom - ok
00:52:48.0696 1724 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
00:52:48.0758 1724 circlass - ok
00:52:49.0086 1724 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
00:52:49.0164 1724 CLFS - ok
00:52:49.0569 1724 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
00:52:49.0600 1724 CmBatt - ok
00:52:49.0881 1724 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
00:52:49.0928 1724 cmdide - ok
00:52:50.0162 1724 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
00:52:50.0240 1724 Compbatt - ok
00:52:50.0490 1724 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
00:52:50.0536 1724 crcdisk - ok
00:52:50.0739 1724 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
00:52:50.0817 1724 Crusoe - ok
00:52:51.0160 1724 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
00:52:51.0379 1724 CSC - ok
00:52:51.0722 1724 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
00:52:51.0816 1724 CVirtA - ok
00:52:52.0299 1724 CVPNDRVA (34c345aaf390c12ae6e51b75198e8564) C:\Windows\system32\Drivers\CVPNDRVA.sys
00:52:52.0377 1724 CVPNDRVA - ok
00:52:52.0814 1724 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
00:52:52.0908 1724 DfsC - ok
00:52:53.0266 1724 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
00:52:53.0344 1724 disk - ok
00:52:53.0625 1724 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\Windows\system32\DRIVERS\dne2000.sys
00:52:53.0625 1724 DNE - ok
00:52:53.0906 1724 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
00:52:53.0937 1724 drmkaud - ok
00:52:54.0374 1724 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
00:52:54.0436 1724 DXGKrnl - ok
00:52:54.0733 1724 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
00:52:54.0780 1724 E1G60 - ok
00:52:55.0107 1724 eabfiltr (e88b0cfcecf745211bba87f44f85d0dd) C:\Windows\system32\DRIVERS\eabfiltr.sys
00:52:55.0138 1724 eabfiltr - ok
00:52:55.0497 1724 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
00:52:55.0591 1724 Ecache - ok
00:52:55.0981 1724 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
00:52:56.0043 1724 elxstor - ok
00:52:56.0527 1724 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
00:52:56.0589 1724 exfat - ok
00:52:56.0823 1724 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
00:52:56.0964 1724 fastfat - ok
00:52:57.0276 1724 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
00:52:57.0307 1724 fdc - ok
00:52:57.0447 1724 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
00:52:57.0572 1724 FileInfo - ok
00:52:57.0837 1724 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
00:52:57.0884 1724 Filetrace - ok
00:52:58.0071 1724 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
00:52:58.0165 1724 flpydisk - ok
00:52:58.0446 1724 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
00:52:58.0508 1724 FltMgr - ok
00:52:58.0836 1724 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
00:52:58.0898 1724 Fs_Rec - ok
00:52:59.0070 1724 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
00:52:59.0132 1724 gagp30kx - ok
00:52:59.0491 1724 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
00:52:59.0553 1724 GEARAspiWDM - ok
00:53:00.0006 1724 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
00:53:00.0021 1724 HBtnKey - ok
00:53:00.0349 1724 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
00:53:00.0411 1724 HdAudAddService - ok
00:53:01.0285 1724 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
00:53:01.0425 1724 HDAudBus - ok
00:53:01.0706 1724 HidBth (fcb3f4be408f72c1bd81bcaba87fc22f) C:\Windows\system32\DRIVERS\hidbth.sys
00:53:01.0737 1724 HidBth - ok
00:53:01.0800 1724 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
00:53:01.0831 1724 HidIr - ok
00:53:02.0158 1724 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
00:53:02.0205 1724 HidUsb - ok
00:53:02.0985 1724 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
00:53:03.0157 1724 HpCISSs - ok
00:53:03.0874 1724 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
00:53:03.0999 1724 HSFHWAZL - ok
00:53:04.0701 1724 HSF_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
00:53:04.0795 1724 HSF_DPV - ok
00:53:05.0044 1724 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
00:53:05.0138 1724 HTTP - ok
00:53:05.0512 1724 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
00:53:05.0575 1724 i2omp - ok
00:53:05.0902 1724 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
00:53:05.0980 1724 i8042prt - ok
00:53:06.0386 1724 ialm (a4fba5b34e69e46315a7c5223a470a17) C:\Windows\system32\DRIVERS\igdkmd32.sys
00:53:06.0542 1724 ialm - ok
00:53:06.0854 1724 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
00:53:06.0979 1724 iaStorV - ok
00:53:07.0790 1724 igfx (a4fba5b34e69e46315a7c5223a470a17) C:\Windows\system32\DRIVERS\igdkmd32.sys
00:53:07.0806 1724 igfx - ok
00:53:08.0695 1724 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
00:53:08.0773 1724 iirsp - ok
00:53:09.0178 1724 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
00:53:09.0210 1724 intelide - ok
00:53:09.0272 1724 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
00:53:09.0272 1724 intelppm - ok
00:53:09.0678 1724 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
00:53:09.0724 1724 IpFilterDriver - ok
00:53:09.0880 1724 IpInIp - ok
00:53:10.0192 1724 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
00:53:10.0348 1724 IPMIDRV - ok
00:53:10.0848 1724 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
00:53:10.0926 1724 IPNAT - ok
00:53:11.0440 1724 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
00:53:11.0503 1724 IRENUM - ok
00:53:11.0955 1724 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
00:53:12.0033 1724 isapnp - ok
00:53:12.0236 1724 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
00:53:12.0252 1724 iScsiPrt - ok
00:53:12.0454 1724 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
00:53:12.0532 1724 iteatapi - ok
00:53:12.0782 1724 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
00:53:12.0829 1724 iteraid - ok
00:53:13.0032 1724 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
00:53:13.0063 1724 kbdclass - ok
00:53:13.0281 1724 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
00:53:13.0312 1724 kbdhid - ok
00:53:13.0671 1724 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
00:53:13.0734 1724 KSecDD - ok
00:53:14.0092 1724 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
00:53:14.0139 1724 lltdio - ok
00:53:14.0326 1724 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
00:53:14.0404 1724 LSI_FC - ok
00:53:14.0607 1724 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
00:53:14.0623 1724 LSI_SAS - ok
00:53:14.0826 1724 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
00:53:14.0888 1724 LSI_SCSI - ok
00:53:15.0153 1724 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
00:53:15.0216 1724 luafv - ok
00:53:15.0528 1724 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\Windows\system32\drivers\mbam.sys
00:53:15.0543 1724 MBAMProtector - ok
00:53:15.0808 1724 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
00:53:15.0840 1724 megasas - ok
00:53:16.0417 1724 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
00:53:16.0448 1724 Modem - ok
00:53:16.0900 1724 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
00:53:16.0916 1724 monitor - ok
00:53:17.0212 1724 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
00:53:17.0322 1724 mouclass - ok
00:53:17.0696 1724 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
00:53:17.0790 1724 mouhid - ok
00:53:18.0148 1724 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
00:53:18.0226 1724 MountMgr - ok
00:53:18.0601 1724 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
00:53:18.0632 1724 mpio - ok
00:53:18.0960 1724 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
00:53:19.0038 1724 mpsdrv - ok
00:53:19.0303 1724 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
00:53:19.0396 1724 Mraid35x - ok
00:53:19.0646 1724 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
00:53:19.0708 1724 MRxDAV - ok
00:53:20.0067 1724 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
00:53:20.0176 1724 mrxsmb - ok
00:53:20.0426 1724 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
00:53:20.0488 1724 mrxsmb10 - ok
00:53:20.0863 1724 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
00:53:20.0894 1724 mrxsmb20 - ok
00:53:21.0346 1724 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
00:53:21.0409 1724 msahci - ok
00:53:21.0768 1724 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
00:53:21.0846 1724 msdsm - ok
00:53:22.0204 1724 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
00:53:22.0251 1724 Msfs - ok
00:53:22.0610 1724 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
00:53:22.0657 1724 msisadrv - ok
00:53:22.0860 1724 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
00:53:22.0922 1724 MSKSSRV - ok
00:53:23.0296 1724 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
00:53:23.0312 1724 MSPCLOCK - ok
00:53:23.0655 1724 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
00:53:23.0686 1724 MSPQM - ok
00:53:23.0998 1724 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
00:53:24.0123 1724 MsRPC - ok
00:53:24.0529 1724 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
00:53:24.0560 1724 mssmbios - ok
00:53:24.0888 1724 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
00:53:24.0903 1724 MSTEE - ok
00:53:25.0278 1724 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
00:53:25.0356 1724 Mup - ok
00:53:25.0808 1724 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
00:53:25.0839 1724 NativeWifiP - ok
00:53:26.0307 1724 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
00:53:26.0354 1724 NDIS - ok
00:53:26.0775 1724 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
00:53:26.0822 1724 NdisTapi - ok
00:53:27.0228 1724 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
00:53:27.0290 1724 Ndisuio - ok
00:53:27.0649 1724 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
00:53:27.0680 1724 NdisWan - ok
00:53:27.0976 1724 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
00:53:28.0070 1724 NDProxy - ok
00:53:28.0444 1724 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
00:53:28.0507 1724 NetBIOS - ok
00:53:28.0944 1724 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
00:53:29.0037 1724 netbt - ok
00:53:29.0739 1724 NETw3v32 (acc6170d80c69e50145b370023b64ed3) C:\Windows\system32\DRIVERS\NETw3v32.sys
00:53:30.0348 1724 NETw3v32 - ok
00:53:32.0032 1724 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
00:53:32.0719 1724 nfrd960 - ok
00:53:34.0310 1724 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
00:53:34.0638 1724 Npfs - ok
00:53:35.0137 1724 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
00:53:35.0293 1724 nsiproxy - ok
00:53:36.0291 1724 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
00:53:36.0931 1724 Ntfs - ok
00:53:37.0586 1724 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
00:53:37.0680 1724 ntrigdigi - ok
00:53:38.0038 1724 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
00:53:38.0085 1724 Null - ok
00:53:38.0678 1724 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
00:53:38.0740 1724 nvraid - ok
00:53:39.0084 1724 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
00:53:39.0177 1724 nvstor - ok
00:53:39.0614 1724 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
00:53:39.0770 1724 nv_agp - ok
00:53:40.0300 1724 NwlnkFlt - ok
00:53:40.0893 1724 NwlnkFwd - ok
00:53:41.0829 1724 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
00:53:41.0845 1724 ohci1394 - ok
00:53:42.0984 1724 OVT511Plus (c5739be3a8eecdf951955a38e1741f45) C:\Windows\system32\Drivers\omcamvid.sys
00:53:43.0046 1724 OVT511Plus - ok
00:53:44.0871 1724 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
00:53:44.0965 1724 Parport - ok
00:53:45.0620 1724 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
00:53:45.0698 1724 partmgr - ok
00:53:46.0228 1724 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
00:53:46.0400 1724 Parvdm - ok
00:53:48.0163 1724 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
00:53:48.0459 1724 pci - ok
00:53:49.0255 1724 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
00:53:49.0941 1724 pciide - ok
00:53:50.0752 1724 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
00:53:51.0080 1724 pcmcia - ok
00:53:51.0876 1724 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
00:53:52.0172 1724 PEAUTH - ok
00:53:52.0671 1724 PersonalSecureDrive (e5de9f28c583c93339dd628447693468) C:\Windows\System32\drivers\psd.sys
00:53:52.0718 1724 PersonalSecureDrive - ok
00:53:53.0202 1724 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
00:53:53.0233 1724 PptpMiniport - ok
00:53:53.0326 1724 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
00:53:53.0389 1724 Processor - ok
00:53:53.0623 1724 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
00:53:53.0638 1724 PSched - ok
00:53:54.0091 1724 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
00:53:54.0200 1724 PxHelp20 - ok
00:53:54.0715 1724 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
00:53:54.0824 1724 ql2300 - ok
00:53:55.0136 1724 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
00:53:55.0183 1724 ql40xx - ok
00:53:55.0479 1724 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
00:53:55.0526 1724 QWAVEdrv - ok
00:53:56.0025 1724 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
00:53:56.0384 1724 R300 - ok
00:53:56.0649 1724 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
00:53:56.0680 1724 RasAcd - ok
00:53:56.0930 1724 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
00:53:56.0992 1724 Rasl2tp - ok
00:53:57.0445 1724 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
00:53:57.0554 1724 RasPppoe - ok
00:53:57.0975 1724 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
00:53:58.0053 1724 RasSstp - ok
00:53:58.0396 1724 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
00:53:58.0584 1724 rdbss - ok
00:53:58.0911 1724 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
00:53:58.0958 1724 RDPCDD - ok
00:53:59.0036 1724 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
00:53:59.0114 1724 rdpdr - ok
00:53:59.0395 1724 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
00:53:59.0426 1724 RDPENCDD - ok
00:53:59.0691 1724 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
00:53:59.0769 1724 RDPWD - ok
00:54:00.0066 1724 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
00:54:00.0253 1724 RFCOMM - ok
00:54:00.0627 1724 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
00:54:00.0690 1724 rspndr - ok
00:54:01.0033 1724 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
00:54:01.0126 1724 sbp2port - ok
00:54:01.0594 1724 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
00:54:01.0641 1724 secdrv - ok
00:54:01.0984 1724 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
00:54:02.0031 1724 Serenum - ok
00:54:02.0515 1724 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
00:54:02.0577 1724 Serial - ok
00:54:03.0014 1724 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
00:54:03.0061 1724 sermouse - ok
00:54:03.0357 1724 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
00:54:03.0404 1724 sffdisk - ok
00:54:03.0669 1724 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
00:54:03.0700 1724 sffp_mmc - ok
00:54:03.0794 1724 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
00:54:03.0810 1724 sffp_sd - ok
00:54:04.0262 1724 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
00:54:04.0293 1724 sfloppy - ok
00:54:04.0839 1724 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
00:54:04.0980 1724 sisagp - ok
00:54:05.0385 1724 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
00:54:05.0463 1724 SiSRaid2 - ok
00:54:05.0962 1724 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
00:54:06.0056 1724 SiSRaid4 - ok
00:54:06.0306 1724 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
00:54:06.0368 1724 Smb - ok
00:54:06.0508 1724 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
00:54:06.0586 1724 spldr - ok
00:54:06.0914 1724 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
00:54:06.0976 1724 srv - ok
00:54:07.0366 1724 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
00:54:07.0444 1724 srv2 - ok
00:54:07.0647 1724 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
00:54:07.0694 1724 srvnet - ok
00:54:07.0928 1724 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
00:54:07.0975 1724 ssmdrv - ok
00:54:08.0146 1724 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
00:54:08.0193 1724 swenum - ok
00:54:08.0365 1724 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
00:54:08.0412 1724 Symc8xx - ok
00:54:08.0817 1724 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
00:54:08.0942 1724 Sym_hi - ok
00:54:09.0394 1724 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
00:54:09.0426 1724 Sym_u3 - ok
00:54:10.0112 1724 SynTP (81cf7aa63bb3cca31e1d1944c0a45fc7) C:\Windows\system32\DRIVERS\SynTP.sys
00:54:10.0143 1724 SynTP - ok
00:54:10.0674 1724 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
00:54:10.0923 1724 Tcpip - ok
00:54:11.0422 1724 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
00:54:11.0438 1724 Tcpip6 - ok
00:54:11.0828 1724 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
00:54:11.0922 1724 tcpipreg - ok
00:54:12.0249 1724 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
00:54:12.0280 1724 TDPIPE - ok
00:54:12.0655 1724 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
00:54:12.0702 1724 TDTCP - ok
00:54:13.0045 1724 tdx - ok
00:54:13.0170 1724 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
00:54:13.0185 1724 TermDD - ok
00:54:13.0341 1724 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
00:54:13.0357 1724 tssecsrv - ok
00:54:13.0731 1724 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
00:54:13.0747 1724 tunmp - ok
00:54:14.0012 1724 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
00:54:14.0028 1724 tunnel - ok
00:54:14.0137 1724 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
00:54:14.0184 1724 uagp35 - ok
00:54:14.0496 1724 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
00:54:14.0558 1724 udfs - ok
00:54:14.0792 1724 UIUSys - ok
00:54:15.0104 1724 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
00:54:15.0229 1724 uliagpkx - ok
00:54:15.0759 1724 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
00:54:15.0978 1724 uliahci - ok
00:54:16.0446 1724 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
00:54:16.0602 1724 UlSata - ok
00:54:16.0804 1724 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
00:54:16.0851 1724 ulsata2 - ok
00:54:16.0914 1724 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
00:54:16.0945 1724 umbus - ok
00:54:17.0257 1724 USB28xxBGA (4c3180982abbc7cfa14dd21c0cbb1c22) C:\Windows\system32\DRIVERS\emBDA.sys
00:54:17.0319 1724 USB28xxBGA - ok
00:54:17.0428 1724 USB28xxOEM (49b03351781de98981df0814a15dc992) C:\Windows\system32\DRIVERS\emOEM.sys
00:54:17.0460 1724 USB28xxOEM - ok
00:54:17.0865 1724 usbccgp (8bd3ae150d97ba4e633c6c5c51b41ae1) C:\Windows\system32\drivers\usbccgp.sys
00:54:17.0928 1724 usbccgp - ok
00:54:18.0193 1724 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
00:54:18.0224 1724 usbcir - ok
00:54:18.0427 1724 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
00:54:18.0536 1724 usbehci - ok
00:54:18.0957 1724 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
00:54:18.0988 1724 usbhub - ok
00:54:19.0222 1724 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\DRIVERS\usbohci.sys
00:54:19.0254 1724 usbohci - ok
00:54:19.0363 1724 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
00:54:19.0394 1724 usbprint - ok
00:54:19.0612 1724 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
00:54:19.0644 1724 USBSTOR - ok
00:54:19.0800 1724 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
00:54:19.0831 1724 usbuhci - ok
00:54:20.0065 1724 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
00:54:20.0112 1724 vga - ok
00:54:20.0517 1724 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
00:54:20.0533 1724 VgaSave - ok
00:54:20.0829 1724 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
00:54:20.0860 1724 viaagp - ok
00:54:29.0862 1724 ============================================================
00:54:29.0862 1724 Scan finished
00:54:29.0862 1724 ============================================================
00:54:29.0940 3944 Detected object count: 0
00:54:29.0940 3944 Actual detected object count: 0




As mentioned in my last post, now I think we should first fix the internet connection.
Am I right?

bye,

steinson
 
Okay, we're getting there. Please disable the security when you run the following. It was not disabled when you ran the scan(s):
Avira Desktop *Enabled
SP: Avira Desktop *Enabled
========================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\users\-\AppData\Roaming\372DCE54.reg
Folder::
FileLook::
c:\program files\USB_video_device\Utility\RemoteTool\BDARemote.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
Clearjavacache::

FCopy::
C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys | C:\WINDOWS\System32\tdx.sys
Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Delightful! Translation of 'Restore Point was created' from German to English:
"New point of re-establishment was provided." :)
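An added verification step, not part of the thread or of ComboFix: after the FCopy:: line above runs, this script confirms that the driver in System32\drivers matches the WinSxS component-store copy named in the CFScript, and reports whether the driver's service entry is present. The two paths come from the CFScript; the SHA-256 helper and the service-key check are assumptions of this example.

```powershell
# Added example (not from the thread or ComboFix): verify the tdx.sys restore.
# Paths are the ones used in the CFScript above.
$Restored = 'C:\Windows\System32\drivers\tdx.sys'
$Source   = 'C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys'

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash needs PowerShell 4; Vista ships an older version, so hash via .NET.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$missing = $false
foreach ($p in $Restored, $Source) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "missing: $p"; $missing = $true }
}

if (-not $missing) {
    $a = Get-Sha256Hex $Restored
    $b = Get-Sha256Hex $Source
    "{0}`n  size {1} bytes  sha256 {2}" -f $Restored, (Get-Item -LiteralPath $Restored).Length, $a
    "{0}`n  size {1} bytes  sha256 {2}" -f $Source,   (Get-Item -LiteralPath $Source).Length,   $b
    if ($a -eq $b) { 'OK: restored tdx.sys is identical to the component-store copy' }
    else { 'MISMATCH: restored tdx.sys differs from the component-store copy; check it before trusting it' }
}

# A driver file alone is not enough to load; the kernel also needs its service
# entry. Report what is there rather than assuming it.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\tdx'
if (Test-Path $svc) { Get-ItemProperty -Path $svc | Select-Object ImagePath, Start, Type }
else { Write-Warning "service key $svc is not present" }
```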
 
Hi Bobbye!

I am confused about the status of the virus scanner, since I deactivated it (exactly in the way which is described here: http://www.bleepingcomputer.com/forums/topic114351.html).
I even tried to stop the corresponding processes via the taskmanager. But even this didn't work out... Although I am not exactly sure if I ran the taskmanager with administrative rights...

Any guess how I could really deactivate AVIRA? Or should I perform the scan in the safe mode of windows?

Thanks in advance!

bye,

steinson
 
Hi Bobbye!

Although I did the fix in safe mode (with networking), Avira was running anyway... (see log). Nevertheless, networking is working again, since the missing tdx.sys file was re-established.

Here's the log of Combofix:

ComboFix 12-02-06.01 - - 13.02.2012 13:25:20.3.1 - x86 NETWORK
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1033.18.1015.405 [GMT 1:00]
ausgeführt von:: c:\users\-\Desktop\friday.exe.exe
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
- REDUZIERTER FUNKTIONALITÄTSMODUS -
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\tdx.sys fehlte
Kopie von - c:\windows\System32\tdx.sys wurde wiederhergestellt
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-01-13 bis 2012-02-13 ))))))))))))))))))))))))))))))
.
.
2012-02-13 12:28 . 2012-02-13 12:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-13 12:28 . 2012-02-13 12:28 -------- d-----w- c:\users\Claudio\AppData\Local\temp
2012-02-13 12:28 . 2008-01-19 05:55 71680 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\users\-\AppData\Roaming\Malwarebytes
2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-30 09:25 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-27 17:06 . 2012-01-27 17:06 -------- d-----w- c:\program files\iPod
2012-01-27 17:06 . 2012-01-27 17:09 -------- d-----w- c:\program files\iTunes
2012-01-18 17:26 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 17:26 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 17:26 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 17:26 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 17:26 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-06 11:47 . 2010-04-28 16:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-27 17:33 . 2011-05-25 13:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-06 04:19 . 2012-01-27 16:45 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B1C66E8A-C36B-4D77-8A3A-0BE53E12C76F}\mpengine.dll ERROR(0x00000005)
2012-01-06 04:19 . 2007-10-08 18:23 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
2011-12-09 07:35 . 2011-11-26 17:46 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-07 09:08 . 2009-10-03 11:27 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-25 15:59 . 2012-01-13 17:23 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37 . 2011-12-15 14:48 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 20:23 . 2012-01-13 17:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47 . 2012-01-13 17:23 66560 ----a-w- c:\windows\system32\packager.dll
2011-11-16 16:23 . 2012-01-18 17:26 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-07 09:46 . 2011-05-10 15:48 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-18 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-18 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-18 81920]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-11-14 139264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-23 17920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
"GrooveMonitor"="c:\program files\MsOffice12\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\MsOffice12\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
NewShortcut1.lnk - c:\program files\USB_video_device\Utility\RemoteTool\BDARemote.exe [N/A]
VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-2-20 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
.
.
------- Zusätzlicher Suchlauf -------
.
mStart Page = hxxp://de.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MSOFFI~1\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
TCP: DhcpNameServer = 172.17.7.254
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-13 13:31
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$CSSQL05]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:CSSQL05"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'Explorer.exe'(2952)
c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conime.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\HEWLET~1\Shared\HPQTOA~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\system32\DllHost.exe
c:\program files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-02-13 13:42:21 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-02-13 12:41
ComboFix2.txt 2012-02-13 12:02
ComboFix3.txt 2012-02-10 23:33
ComboFix4.txt 2012-02-07 14:06
.
Vor Suchlauf: 10.577.760.256 bytes free
Nach Suchlauf: 9.456.726.016 bytes free
.
- - End Of File - - 914AF0218224B621D5FA81D7C551E51A


This seems to be good progress. What next?

bye,

steinson
 
About this Running: c:\windows\system32\RacAgent.exe

Here is some information about RacAgent.exe:
  • It is a hidden scheduled task
  • RACAgent runs when you start the computer. This scheduled task also runs every hour after you start the computer.
  • This task is a Microsoft Reliability Analysis task that processes events that impact system reliability data.
  • It calculates the Stability Index shown in the System Stability Chart over the lifetime of the system.
  • Reference for info to read: http://technet.microsoft.com/en-us/library/cc766393(WS.10).aspx

Note: I skipped using Vista and was not familiar with this process. I could not find information about whether it needs to run and/or whether the information is of any use, or if it's being collected by Microsoft.
=======================================
Regarding Avira: I think what is causing the scans to say it's running is because there is a Scheduled Task running. I can stop that if needed.
=======================================
Since the internet connection has been restored, please go ahead and run the Eset scan.

The system is looking good. Are there any remaining problems that we haven't resolved?
 
I skipped using Vista too, but as I told you, it is the laptop of a friend of mine... So I have to deal with it.
According to this link here: http://social.technet.microsoft.com.../thread/6208301e-6017-4025-9236-31537b8dd657/
RacAgent.exe is a Reliability Monitor of Microsoft. Hence, it is ok that it runs, I think. In fact it would be really easy to stop it...
The AVIRA task does not bother me either...

Up to now the ESET Scan is running, but not yet finished.
However in the meantime I would like to discuss another issue. All Files on all drives are marked as "read-only". I already tried to reset that (by hand as well as by a short script), but up to now without success. Any suggestions?

Thanks in advance!

bye,

steinson
 
The Read Only attribute may have been caused by the malware. There are ways to change that, but there is some risk. There is also a difference in Read Only for a File and R/O for a Folder. Let's wait until we know the system is clean- then we can address the issue.

Please post Eset log when ready.
 
Hey!

Good news. The scan just finished and reported that no threats were found!

So let us switch to the Read-only problem!

Thanks in advance!

steinson
 
All Files on all drives are marked as "read-only"

This is a very broad statement:
1. Is it really all of the files you try to open?
2. Could it be .exe files only?
3. Are any folders marked 'read only'?
4. When did the 'read only' attribute begin?
5. Please give me a couple of examples of the 'files marked 'read only'.
 
Hi!

Sorry for the long response time... But I had to go on a rapid business trip.
I carefully checked the laptop again, regarding the "read-only issue":

1. /3. All folders on all drives are marked as "read-only". As far as I know this is common for folders in Windows Vista. Files on the drives D:\, F:\ and G:\ are fine, they can be accessed. But all files on the drive C:\ are marked as "read-only". Of course I didn't look at all files but I did several spot tests.
2. The "read-only" tag for the files on C:\ is not only persistent for .exe files or restricted to a specific sort of files. It is just there for all files and folders on C:\
4. I am not exactly sure when it started, but I think it was already there as we started with the disinfection.
5. Examples are very easy in this case...
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\-\Music\Lifehouse\No Name Face\07 Simon.wma
C:\Intel\Logs\IntelGFX.log
C:\WINDOWS\zip.exe

(I could give you many more of course...)

bye,

steinson
 
All Files on all drives are marked as "read-only". I already tried to reset that (by hand as well as by a short script), but up to now without success.

All folders on all drives are marked as "read-only". As far as I know this is common for folders in Windows Vista. Files on the drives D:\, F:\ and G:\ are fine, they can be accessed. But all files on the drive C:\ are marked as "read-only". Of course I didn't look at all files but I did several spot tests.

Sorry, but I need to pin you down on this. You have mentioned the 'read only' attribute for both files and for folders. There is a difference. For instance, 2 of the examples you gave me are files:
These are the executable for the process.

This file is the executable for the Firefox browser: C:\Program Files\Mozilla Firefox\firefox.exe. The folder for it would be Mozilla Firefox if you looked in your list of programs using Windows Explorer. If you clicked on the Mozilla Firefox folder, the contents would then show. In this case, firefox.exe would be the process you would click on to launch it.

It looks like Firefox is running- how do you launch it?
-----------------------------------------------------
Questions:
  • Are you logged in to administrator account? You may not have the privileges if you are logged onto the administrator's account
  • Did you make any changes on the computer? (other than what malware caused)
  • Did you create the Read-only file?
  • What message are you getting while changing the Read-only attribute?
  • Were you able to change the attributes earlier in your computer?

According to Microsoft:
This is perfectly normal. The Read Only attribute normally only applies to files not folders. Windows normally ignores this attribute for folders.

http://support.microsoft.com/kb/326549/
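The files-versus-folders distinction above, and the question of which account is logged in, can be checked rather than guessed. This is an added example, not something posted in the thread: it reports, per path, whether the ReadOnly attribute is actually set and whether the current account can open the file for writing, so an attribute problem and an NTFS-permission problem show up as different verdicts. The sample paths are the ones steinson listed; the helper function and its verdict strings are this example's own.

```powershell
# Added example (not from the thread): tell the ReadOnly attribute apart from a
# missing NTFS write permission. Explorer shows both as "read-only".
$Paths = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Intel\Logs\IntelGFX.log',
    'C:\WINDOWS\zip.exe'
)

# Which account is this, and is it an elevated administrator?
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object System.Security.Principal.WindowsPrincipal($id)).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($id.Name); elevated administrator: $isAdmin"

function Get-ReadOnlyDiagnosis {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $attrSet = ($item.Attributes -band [System.IO.FileAttributes]::ReadOnly) -ne 0

    # Folders: Windows ignores the ReadOnly bit (the KB article above), so only report it.
    if ($item.PSIsContainer) {
        return New-Object PSObject -Property @{
            Path = $Path; Type = 'Folder'; ReadOnlyAttr = $attrSet
            WriteAllowed = 'n/a'; Verdict = 'folder ReadOnly bit is cosmetic' }
    }

    # Try to open the file for write without modifying it. A file with the
    # ReadOnly bit set fails the same way as an ACL denial, so the attribute
    # is checked first when forming the verdict.
    $writeOk = $true; $note = ''
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite')
        $fs.Close()
    } catch [System.UnauthorizedAccessException] {
        $writeOk = $false
    } catch [System.IO.IOException] {
        $writeOk = $false; $note = ' (sharing violation: file in use)'
    }

    $verdict = if ($writeOk) { 'writable' }
               elseif ($note) { "could not test$note" }
               elseif ($attrSet) { 'ReadOnly attribute set; attrib -r clears it' }
               else { 'NTFS permissions deny write to this account' }
    New-Object PSObject -Property @{
        Path = $Path; Type = 'File'; ReadOnlyAttr = $attrSet
        WriteAllowed = $writeOk; Verdict = $verdict }
}

$Paths | ForEach-Object { Get-ReadOnlyDiagnosis $_ } |
    Format-Table Path, Type, ReadOnlyAttr, WriteAllowed, Verdict -AutoSize
```

Run it once from the account that shows the problem and once from the "normal" account; a verdict of "NTFS permissions deny write" with ReadOnlyAttr False points at the account, not the files.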
 
Hey Bobbye!

Sometimes the solution is really easy... Sorry for bothering with this stuff.
I was just logged in to the wrong account. With the "normal" account everything is fine! No problems with accessing files etc.

Hence I think everything is fine now. The laptop is behaving very well and I updated already all the software.

Thanks for your patience and help!

bye,
steinson
 