arminsch

Members
  • Content Count

    20
  • Joined

  • Last visited

Community Reputation

0 Neutral

About arminsch

  • Rank
    Member
  1. Hi miekiemoes It tends to be slightly better now. I can cope with it for a while and buy a new PC next year. Again, thanks a lot for your patient help!
  2. Deckard's System Scanner v20071014.68 Run by Armin on 2007-10-25 22:15:39 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 3 Restore Point(s) -- 3: 2007-10-25 20:15:52 UTC - RP309 - Deckard's System Scanner Restore Point 2: 2007-10-23 12:31:13 UTC - RP308 - Removed Tiny Firewall Pro 6.0 1: 2007-10-12 04:42:42 UTC - RP307 - ComboFix created restore point Backed up registry hives. Performed disk cleanup. Total Physical Memory: 256 MiB (512 MiB recommended). System Drive C: has 1.41 GiB (less than 15%) free. -- HijackThis (run as Armin.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 22:16:50, on 25.10.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe D:\progr\a-squared Free\a2service.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\FRITZ!DSL\IGDCTRL.EXE C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Comodo\Firewall\cmdagent.exe C:\WINDOWS\system32\slserv.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\VM_STI.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Comodo\Firewall\CPF.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Ditto\Ditto.exe C:\Program Files\PC-TV\WinManager\WinManager.exe C:\Program Files\FRITZ!DSL\FwebProt.exe C:\Program Files\FRITZ!DSL\StCenter.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Armin\My Documents\dss.exe D:\progr\Trend Micro\HijackThis\Armin.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing) O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe -- End of file - 8571 bytes -- HijackThis Fixed Entries (D:\progr\Trend Micro\HijackThis\backups\) --------- backup-20071008-104214-654 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, backup-20071009-093940-368 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, backup-20071009-172040-751 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, backup-20071009-172129-903 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, backup-20071013-185924-949 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, backup-20071020-185918-567 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe backup-20071020-185935-992 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe backup-20071020-190009-967 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe backup-20071020-220011-925 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe backup-20071020-220025-143 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 RecAgent - c:\windows\system32\drivers\recagent.sys <Not Verified; ; Modem> R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System> R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System> R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System> R0 sr (System Restore Filter Driver) - c:\windows\\systemroot\system32\drivers\sr.sys (file missing) R1 moufiltr (Mouse Filter Driver) - c:\windows\system32\drivers\moufiltr.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver> R1 uigxrdr - c:\windows\system32\drivers\uigxrdr.sys <Not Verified; GMX GmbH; GMX Upload-Manager> R1 UsbFltr (WayTechUSBFilterDriver) - c:\windows\system32\drivers\usbfltr.sys <Not Verified; Waytech Development, Inc.; Keyboard> R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 10> R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9> R3 Mtlmnt5 - c:\windows\system32\drivers\mtlmnt5.sys <Not Verified; ; Modem> R3 Slntamr (NetoDragon AMR_PCI Driver) - c:\windows\system32\drivers\slntamr.sys <Not Verified; ; Modem> R3 SlWdmSup - c:\windows\system32\drivers\slwdmsup.sys <Not Verified; ; Modem> R3 UDTTUSB (USBDTT - USB DVB-T adapter Driver) - c:\windows\system32\drivers\udttcap.sys <Not Verified; TwinHan Technology; TwinHan VP7041> R3 ZSMC301b (VIMICRO USB PC Camera) - c:\windows\system32\drivers\usbvm31b.sys <Not Verified; VM; > S3 catchme - c:\docume~1\armin\locals~1\temp\catchme.sys (file missing) S3 Mtlstrm - c:\windows\system32\drivers\mtlstrm.sys <Not Verified; ; Modem> S3 NtMtlFax - c:\windows\system32\drivers\ntmtlfax.sys <Not Verified; ; Modem> S3 SlNtHal - c:\windows\system32\drivers\slnthal.sys <Not Verified; ; Modem> S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys (file missing) S3 UDTTLOAD - c:\windows\system32\drivers\udttload.sys <Not Verified; TwinHan Technology; TwinHan VP7041> S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 AntiVirScheduler (AntiVir PersonalEdition Classic Planer) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler> R2 AVM IGD CTRL Service - c:\program files\fritz!dsl\igdctrl.exe <Not Verified; AVM Berlin; AVM IGD Service> R2 PDSched (PDScheduler) - "c:\program files\raxco\perfectdisk\pdsched.exe" <Not Verified; Raxco Software, Inc.; PDSched Module> R2 SLService (SmartLinkService) - slserv.exe <Not Verified; ; Modem> S3 de_serv (AVM FRITZ!web Routing Service) - c:\program files\common files\avm\de_serv.exe <Not Verified; AVM Berlin; AVM Rocky> -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. -- Files created between 2007-09-25 and 2007-10-25 ----------------------------- 2007-10-23 14:49:15 0 d-------- C:\Documents and Settings\Armin\Application Data\Comodo 2007-10-23 14:48:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo 2007-10-23 14:44:10 0 d-------- C:\Program Files\Comodo 2007-10-18 14:34:26 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-10-09 10:58:29 0 d-------- C:\Program Files\Java 2007-10-09 10:58:26 0 d-------- C:\Program Files\Common Files\Java 2007-10-08 13:33:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-10-08 13:32:25 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-10-07 22:13:36 0 d-------- C:\Program Files\Avira 2007-10-07 22:13:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira 2007-10-05 07:56:49 0 d-------- C:\Documents and Settings\Armin\Application Data\SiteAdvisor 2007-10-05 07:56:49 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2007-10-05 07:56:49 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee 2007-09-29 10:26:25 0 d-------- C:\Documents and Settings\Armin\.imgseek -- Find3M Report --------------------------------------------------------------- 2007-10-25 22:11:16 0 d-------- C:\Documents and Settings\Armin\Application Data\Ditto 2007-10-25 18:14:25 0 d-------- C:\Documents and Settings\Armin\Application Data\FRITZ! 2007-10-23 14:31:37 0 d-------- C:\Program Files\Tiny Firewall Pro 2007-10-21 15:18:56 0 d-------- C:\Documents and Settings\Armin\Application Data\OpenOffice.org2 2007-10-09 10:58:26 0 d-------- C:\Program Files\Common Files 2007-10-08 12:44:03 0 d-a------ C:\Program Files\OfficeScan NT 2007-09-29 15:29:30 0 d-------- C:\Program Files\Common Files\Buhl Data Service 2007-09-22 12:12:24 0 d-------- C:\Documents and Settings\Armin\Application Data\Mp3tag 2007-09-21 18:30:35 0 d-------- C:\Program Files\Mozilla Thunderbird 2007-09-20 23:30:04 0 d-------- C:\Documents and Settings\Armin\Application Data\Desktop Sidebar 2007-09-19 12:38:20 0 d-------- C:\Program Files\PC Inspector File Recovery 2007-09-19 12:38:17 0 d--h----- C:\Program Files\InstallShield Installation Information -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Cmaudio"="cmicnfg.cpl" [] "BluetoothAuthenticationAgent"="bthprops.cpl" [04.08.2004 00:56 C:\WINDOWS\system32\bthprops.cpl] "BigDogPath"="C:\WINDOWS\VM_STI.exe" [01.07.2005 19:52] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [10.10.2007 19:33] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 01:11] "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [23.10.2007 14:44] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 00:56] C:\Documents and Settings\Armin\Start Menu\Programs\Startup\ FRITZ!DSL Protect.lnk - C:\Program Files\FRITZ!DSL\FwebProt.exe [03.03.2006 13:14:48] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "SynchronousMachineGroupPolicy"=0 (0x0) "SynchronousUserGroupPolicy"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoStrCmpLogical"=1 (0x1) "LinkResolveIgnoreLinkInfo"=0 (0x0) "NoResolveSearch"=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMBalloonTip"=0 (0x0) "NoRecentDocsHistory"=1 (0x1) "NoLowDiskSpaceChecks"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs BthServ [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0adf85e6-b261-11da-b62f-000b6a7c7073}] AutoRun\command- F:\preinst.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afab3585-bb1c-11da-b64c-000b6a7c7073}] AutoRun\command- F:\preinst.exe -- End of Deckard's System Scanner: finished at 2007-10-25 22:17:29 ------------
  3. Good to know that the problems are probably not caused by malware. I have removed Yahoo, MSM, ditto and PC-tv from the startup programs. But I don’t understand about a-sqared. I don’t see it in the startup section with Ccleaner, and I was never aware it is a startup program. And don’t I need Fritz!DSL for giong online? By the way, my PC is 2 years old with 256 Mb RAM. Since the scan hidden files are shown. I have set it back. Comodo always displays frightening messages that I don’t understand, like Winamp.exe is loading browseui.dll which can be used by keyloggers or that FF is trying to use winword.exe to OLE automation, that can be used for hijaking. Shall I always allow everything? Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: AMD Sempron 2400+ Percentage of Memory in Use: 69% Physical Memory (total/avail): 255.48 MiB / 78.83 MiB Pagefile Memory (total/avail): 618.71 MiB / 319.36 MiB Virtual Memory (total/avail): 2047.88 MiB / 1936.64 MiB C: is Fixed (NTFS) - 14.65 GiB total, 1.41 GiB free. D: is Fixed (NTFS) - 61.67 GiB total, 36.93 GiB free. E: is CDROM (No Media) \\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 76.33 GiB - 2 partitions \PARTITION0 (bootable) - Installable File System - 14.65 GiB - C: \PARTITION1 - Extended w/Extended Int 13 - 61.67 GiB - D: -- Security Center ------------------------------------------------------------- AUOptions is set to notify before download. Windows Internal Firewall is disabled. FirstRunDisabled is set. FW: COMODO Firewall Pro v2.3.035 (COMODO) AV: Avira AntiVir PersonalEdition v 7.0.0.114 (Avira GmbH) [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\\Program Files\\Ditto\\Ditto.exe"="C:\\Program Files\\Ditto\\Ditto.exe:*:Disabled:Ditto" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Armin\Application Data CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=ARMIN-PC ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Armin LOGONSERVER=\\ARMIN-PC NUMBER_OF_PROCESSORS=1 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD PROCESSOR_LEVEL=6 PROCESSOR_REVISION=0801 ProgramFiles=C:\Program Files PROMPT=$P$G SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Armin\LOCALS~1\Temp TMP=C:\DOCUME~1\Armin\LOCALS~1\Temp USERDOMAIN=ARMIN-PC USERNAME=Armin USERPROFILE=C:\Documents and Settings\Armin windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Armin (admin) Guy (admin) Administrator (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.exe" -l0x9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83021AC3-086F-4B77-ACCD-1BD7C9AB211E}\setup.exe" -l0x9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf 2 Find MP3 --> "C:\Program Files\2 Find MP3\unins000.exe" 5star GameTuner --> MsiExec.exe /X{4D5D8C8A-9D4F-40AB-0001-D315B54D68CA} a-squared Free 3.0 --> "D:\progr\a-squared Free\unins000.exe" Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Reader 8.1.0 - Deutsch --> MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A81000000003} Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log AOpen Digital TV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C19DBE5E-712E-4F02-8380-ECEDD951B374}\setup.exe" -l0x9 ArtRage 2.2 Free --> "D:\progr\ArtRage 2 Free\unins000.exe" Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe" AusLogics Disk Defrag --> "C:\Program Files\AusLogics Disk Defrag\unins000.exe" Avalanche --> MsiExec.exe /X{680FF5A3-524F-11D8-9E00-0004769EEFEB} Avira AntiVir PersonalEdition Classic --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE AVM FRITZ!DSL --> C:\WINDOWS\IsUn0407.exe -f"C:\Program Files\FRITZ!DSL\WebUnins.isu" -c"C:\Program Files\FRITZ!DSL\Webunins.dll" C-Media 3D Audio --> C:\WINDOWS\CMIUnInstall.exe CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe" COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln D-SAT5 5.0 --> C:\Program Files\D\D-Sat5\SETUP.EXE PWSIREMOVE DasTelefonbuch. Alles in einem. Berlin 2005/2006 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBD18519-8A81-4019-A7DD-CC8F5DD0A4F6}\setup.exe" Digimax Master --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}\Setup.exe" -l0x9 -removeonly Ditto 2.6.5.0 --> "C:\Program Files\Ditto\unins000.exe" EPSON-Drucker-Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R EPSON CardMonitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\SETUP.EXE" -l0x7 uninst EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\Setup.exe" -l0x9 -UnInstall EPSON PhotoQuicker3.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65F5B7AF-3363-11D7-BB6B-00018021113F}\SETUP.EXE" -l0x7 uninst EPSON PhotoStarter3.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C48817E7-AA05-4151-A99D-1E1E550CE801}\SETUP.EXE" -l0x7 uninst EPSON PRINT Image Framer Tool2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23B59ED4-C360-11D7-875B-0090CC005647}\SETUP.EXE" -l0x7 anything EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r EPSON Smart Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\SETUP.EXE" -l0x7 Uninstall EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x7 -anything ESCX3600 Referenzhandbuch --> C:\Program Files\EPSON\TPMANUAL\ESCX3600\REF_G\DOCUNINS.EXE ESCX3600 Softwarehandbuch --> C:\Program Files\EPSON\TPMANUAL\ESCX3600\PQU_G\DOCUNINS.EXE FaxTalk Communicator 4.5 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FaxTalk Communicator\Uninst.isu" -c"C:\Program Files\FaxTalk Communicator\FTUnInUt.dll" Foto-Mosaik 4.1.0 --> d:\Progr\Foto-Mosaik\unins000.exe FRITZ!Box --> C:\Program Files\FRITZ!Box\install.exe -d GelbeSeiten Für Berlin 2005/2006 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4245A9F8-1907-4223-9343-64E5CA02E0C0}\setup.exe" GMX Upload-Manager --> C:\Program Files\GMX\GMX Upload-Manager\uninst.exe Goldgräber --> C:\Program Files\Goldgräber\dhuninstall.exe Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\101\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly HijackThis 2.0.2 --> "d:\Progr\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Incomedia WebSite X5 Evolution --> C:\WINDOWS\system32\iwpsetup.exe Uninst /Evolution /DE /D:\progr\WebsiteEvolution IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe Java 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030} JuicedDemo --> MsiExec.exe /X{D6E74815-64BA-4C3B-BCE0-B9CAC80BFBDF} Jä[email protected] Version 1.02.8 --> "C:\Program Files\phonostar\unins000.exe" Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe Labtec Mouse Software 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77E6239B-BF3B-496B-9634-2AC9589B61BB}\Setup.exe" -l0x0009 Last.fm 1.1.3.0 --> "C:\Program Files\Last.fm\unins000.exe" Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe MAGIX Filme für unterwegs e-version (D) --> D:\progr\Magix\instslct.exe MAGIX Online Druck Service (D) --> D:\progr\Online_Druck_Service\instslct.exe Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7} Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Mozilla Firefox (2.0.0.8) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe Mozilla Thunderbird (1.0.6) --> C:\WINDOWS\UninstallThunderbird.exe /ua "1.0.6 (de)" mp3Tag 5.7 --> "d:\Progr\mp3Tag 5\unins000.exe" Mp3tag v2.39 --> d:\Progr\Mp3tag\Mp3tagUninstall.EXE MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL NeroVision Express 2 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL NetoDragon 56K Voice Modem --> C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove OpenOffice.org 2.0 --> MsiExec.exe /I{33D6723B-DE6B-4E86-A6BC-CD1F3E42DD26} Optical Mousemate V1.0 --> C:\PROGRA~1\OPTICA~1\UNINSTAL.EXE Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan PC Inspector File Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9 PerfectDisk --> MsiExec.exe /I{C190CB55-817E-4713-84F4-0BBB8961CED9} Picasa 2 --> "D:\progr\Picasa2\Uninstall.exe" PIF DESIGNER2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7BD0A2D8-4EA0-43C6-BDF8-DDA87B8031C6}\SETUP.EXE" -l0x7 anything QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 S500/S600 USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{514DF7BB-D192-417C-BB60-58BF1FD34253}\Setup.exe" anything Samsung PC Studio PIM & File Manager 2.0 --> MsiExec.exe /I{489C0D77-F99B-4975-92C1-0ED07F5EB979} ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\SETUP.EXE" ADDREMOVEDLG Sphairon USB Wireless LAN Card --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1692C91-2400-4223-BD5E-69AB99C84C64}\setup.exe" -l0x7 -removeonly Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe" SpywareBlaster v3.5.1 --> "d:\Progr\SpywareBlaster\unins000.exe" Tux Paint (remove only) --> "C:\Program Files\TuxPaint\uninstall.exe" TV-Browser 2.5 --> C:\Program Files\TV-Browser\Uninstall.exe TweakNow RegCleaner --> "C:\Program Files\TweakNow RegCleaner\unins000.exe" Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u Virtual Earth 3D (Beta) --> MsiExec.exe /X{619B8475-0F48-41B7-A370-5147F7092989} Visualizer Photo Resize --> MsiExec.exe /I{838F0053-8744-4B63-8819-CC44C06308AC} VP-Hotline --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Citron\VP-Hotline\Uninst.isu" WebEye --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03B20126-F3C2-11D5-A6D2-00C026001DCA}\Setup.exe" -l0x9 WIDCOMM Bluetooth Software --> MsiExec.exe /X{FE90E9E7-A158-4687-8853-DF677A939A61} Winamp (remove only) --> "D:\progr\Winamp\UninstWA.exe" Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe" Windows Live Messenger --> MsiExec.exe /I{279DB581-239C-4E13-97F8-0F48E40BE75C} Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7} Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\Yinsthelper.dll Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG -- Application Event Log ------------------------------------------------------- Event Record #/Type167424 / Success Event Submitted/Written: 10/25/2007 04:22:46 PM Event ID/Source: 12001 / usnjsvc Event Description: The Messenger Sharing USN Journal Reader service started successfully. Event Record #/Type167406 / Success Event Submitted/Written: 10/24/2007 05:12:56 PM Event ID/Source: 12001 / usnjsvc Event Description: The Messenger Sharing USN Journal Reader service started successfully. Event Record #/Type167391 / Success Event Submitted/Written: 10/24/2007 00:38:02 PM Event ID/Source: 12001 / usnjsvc Event Description: The Messenger Sharing USN Journal Reader service started successfully. Event Record #/Type167373 / Warning Event Submitted/Written: 10/23/2007 05:06:33 PM Event ID/Source: 1524 / Userenv Event Description: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use. Event Record #/Type167370 / Success Event Submitted/Written: 10/23/2007 03:07:18 PM Event ID/Source: 12001 / usnjsvc Event Description: The Messenger Sharing USN Journal Reader service started successfully. -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type77478 / Warning Event Submitted/Written: 10/25/2007 10:11:41 PM Event ID/Source: 18 / avgntflt Event Description: TIMEOUT<System> C:\...ion Data\Ditto\DittoDB.mdb Event Record #/Type77477 / Warning Event Submitted/Written: 10/25/2007 10:10:54 PM Event ID/Source: 18 / avgntflt Event Description: TIMEOUT<Ditto.exe> C:\... Data\Ditto\DittoDB.mdb Event Record #/Type77474 / Warning Event Submitted/Written: 10/25/2007 08:47:57 PM Event ID/Source: 1003 / Dhcp Event Description: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000B6A7C7073. The following error occurred: %%1223. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server. Event Record #/Type77472 / Warning Event Submitted/Written: 10/25/2007 08:47:41 PM Event ID/Source: 1003 / Dhcp Event Description: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000B6A7C7073. The following error occurred: %%1223. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server. Event Record #/Type77469 / Warning Event Submitted/Written: 10/25/2007 08:27:18 PM / 10/25/2007 08:27:19 PM Event ID/Source: 240 / Win32k Event Description: A request to suspend power was denied by Aopen Digital T. -- End of Deckard's System Scanner: finished at 2007-10-25 22:17:29 ------------
  4. It appears that my performance problems are related with being online, but I don’t usually boot the PC, and then work on it for hours without at least sometimes going online. But to check it, I have done it once, and there were no problems. But the problems are not restricted to online work or to the browser. For example, I am online for a while, go offline, then work with a word document, and notice that sometimes it takes 30 seconds to respond. Or when I want to open or close another program, it responds slowly or not at all. I have also checked the CPU usage during the “waiting timeâ€: it is not high. And it is not browser-specific, I tried FF and IE. I have installed Comodo, but same problem. By the way, Comodo asks me all the time if I want to allow this or that program. I always click “yesâ€, is that right? Do you have any other idea? If yes, it’s great, if not, I buy another computer next year.
  5. thanks for addressing my performance problem again. Perhaps it is even a little more than just a bad performance. Let me give you a bit more info first: before the trojan occurred a few weeks ago, everything was fine, so I assume th problem may be related to the trojan or with anything I have done since. After booting, the PC starts fine, but after a while, be it 1 or 3 hours, it tends to get slow. Switching tabs or windows can take up to 30 seconds. Not every time I switch windows, but more and more often it takes so long. At some point I just have to reboot. It really looks like something is going on in the background, just like with the trojan problem before. By the way, I use Firefox, hardly ever IE. Basically, I have done the things you advised on your web site. I have removed winpatrol, but HJT cannot fix google updater. A few days ago, I have done a system scan with Avira. Nothing was found. Yesterday I did it again, and it found 2 issues: C:\Documents and Settings\Armin\Local Settings\Temporary Internet Files\Content.IE5\U2K4R6LX\SecIEZone[1].hta [FUND] Enthält Erkennungsmuster des HTML-Scriptvirus HTML/Zones.Gen C:\WINDOWS\system32\ActiveScan\pskavs.dll [FUND] Enthält Erkennungsmuster des Windows-Virus W95/Blumblebee.1738
  6. Hi miekiemoes After some days of surfing I can say that trojan problem is probably fixed, but it is still not like before. The performance is really bad since this incident, switching between tabs and windows can take very long. But don’t worry, as long as there is no security issue, it is not such a big problem. I really appreciate your help to fix the trojan. Also thank you for giving me the links for safety and other tips. Perhaps that can help me to improve the performance. Just one question: the trojan is still in Antivir’s quarantine. Shall I leave it there?
  7. Hi I have done the things you asked me to do, but I didn’t clear the passwords in Firefox, if that is ok (I find it convenient for less important passwords, though I don’t save banking passwords). It is a bit like last time: The first session after the fix was fine, the second session was slow. But nothing found with Antivir (except avenger). Here is the HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:49:13, on 15.10.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\PFShared\UmxCfg.exe C:\Program Files\Common Files\PFShared\UmxPol.exe C:\Program Files\Tiny Firewall Pro\UmxAgent.exe C:\Program Files\Tiny Firewall Pro\UmxTray.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe D:\progr\a-squared Free\a2service.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\FRITZ!DSL\IGDCTRL.EXE C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\slserv.exe C:\Program Files\Common Files\PFShared\umxlu.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\VM_STI.EXE C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Ditto\Ditto.exe C:\Program Files\PC-TV\WinManager\WinManager.exe C:\Program Files\FRITZ!DSL\FwebProt.exe C:\Program Files\FRITZ!DSL\StCenter.EXE D:\progr\TV\Aopen Digital TV.exe D:\progr\TV\CaptureData.exe D:\progr\TV\PlayProgram.exe D:\progr\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing) O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe -- End of file - 9404 bytes
  8. Yesterday I thought it was successful, but today my PC was messed up again. I did a manual system scan with Antivir. It found Avenger\backup (I chose: ignore) and TR/Spy.Agent.42496 (I chose: quarantaine). I noticed that name and location of this Trojan is different from the previous one. Was it a mistake not to disable AV for Avenger? Should I run it again after disabling AV? I also did an Adaware scan. It found again BackdoorAgent and TrojanDownloader. Here are the logs: Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\uscgksla ******************* Script file located at: \??\C:\Program Files\iuyypfji.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\ntos.exe deleted successfully. File C:\windows\system32\wsnpoem\audio.dll deleted successfully. File C:\windows\system32\wsnpoem\video.dll deleted successfully. Folder C:\WINDOWS\system32\wsnpoem deleted successfully. Completed script processing. ******************* Finished! Terminate. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:00:11, on 13.10.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\PFShared\UmxCfg.exe C:\Program Files\Common Files\PFShared\UmxPol.exe C:\Program Files\Tiny Firewall Pro\UmxAgent.exe C:\Program Files\Tiny Firewall Pro\UmxTray.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE D:\progr\a-squared Free\a2service.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\FRITZ!DSL\IGDCTRL.EXE C:\WINDOWS\system32\rundll32.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\VM_STI.EXE C:\WINDOWS\system32\slserv.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\Common Files\PFShared\umxlu.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Ditto\Ditto.exe C:\Program Files\PC-TV\WinManager\WinManager.exe C:\Program Files\FRITZ!DSL\FwebProt.exe C:\Program Files\FRITZ!DSL\StCenter.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\WINDOWS\system32\svchost.exe D:\progr\TV\Aopen Digital TV.exe D:\progr\TV\CaptureData.exe D:\progr\TV\PlayProgram.exe C:\Program Files\Common Files\PFShared\SyncEvnt.exe D:\progr\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing) O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe -- End of file - 9577 bytes
  9. Sorry about the misunderstanding about Combofix and AntiVir. There was no alert while I ran AnitVir. I only noticed this later when I did a manual system scan with AntiVir. Unfortunataly I cannot boot in safe mode. It starts booting in safe mode, but then it continues booting in normal mode. I tried it several times (safe mode and safe mode with prompt), it is always the same. The boot process switched into normal mode after the user had to be chosen, but I didn’t click anything, the boot process just swiched automatically. I have run Combofix anyway, after disabling AntiVir, but I still have problems with slow or non responding programs. Here are the Hijackthis and Combofix logs: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:05:29, on 12.10.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\PFShared\UmxCfg.exe C:\Program Files\Common Files\PFShared\UmxPol.exe C:\Program Files\Tiny Firewall Pro\UmxAgent.exe C:\Program Files\Tiny Firewall Pro\UmxTray.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe D:\progr\a-squared Free\a2service.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\Explorer.EXE C:\Program Files\FRITZ!DSL\IGDCTRL.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\slserv.exe C:\Program Files\Common Files\PFShared\umxlu.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\VM_STI.EXE C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\alg.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Ditto\Ditto.exe C:\Program Files\PC-TV\WinManager\WinManager.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\Program Files\GMX\GMX Upload-Manager\DAVSRV.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\MSN Messenger\usnsvc.exe D:\progr\Winamp\winamp.exe D:\progr\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing) O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe -- End of file - 9865 bytes ComboFix 07-10-12.1 - Armin 2007-10-12 6:44:06.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT 2:00] Running from: C:\Documents and Settings\Armin\My Documents\ComboFix.exe Command switches used :: C:\Documents and Settings\Armin\Desktop\[email protected][email protected][email protected] * Created a new restore point FILE:: C:\WINDOWS\system32\ntos.exe . ((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 ))))))))))))))))))))))))))))))) . 2007-10-12 06:37 298,420 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat 2007-10-09 10:58 <DIR> d-------- C:\Program Files\Java 2007-10-09 10:58 <DIR> d-------- C:\Program Files\Common Files\Java 2007-10-08 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-10-08 13:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-10-07 22:13 <DIR> d-------- C:\Program Files\Avira 2007-10-07 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira 2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\SiteAdvisor 2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee 2007-10-03 20:46 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-29 10:26 <DIR> d-------- C:\Documents and Settings\Armin\.imgseek 2007-09-24 08:28 335,872 --a------ C:\WINDOWS\system32\m4atag.dll 2007-09-22 18:18 <DIR> d-------- C:\Documents and Settings\Armin\.thumbnails 2007-09-22 10:38 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Mp3tag 2007-09-20 20:01 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Desktop Sidebar 2007-09-19 12:38 <DIR> d-------- C:\Program Files\PC Inspector File Recovery . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-12 04:40 --------- d-----w C:\Documents and Settings\Armin\Application Data\Ditto 2007-10-12 04:34 18,910 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k 2007-10-12 04:34 --------- d-----w C:\Documents and Settings\Armin\Application Data\FRITZ! 2007-10-08 10:44 --------- d---a-w C:\Program Files\OfficeScan NT 2007-09-29 13:29 --------- d-----w C:\Program Files\Common Files\Buhl Data Service 2007-09-21 16:30 --------- d-----w C:\Program Files\Mozilla Thunderbird 2007-09-19 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-09-05 17:52 --------- d-----w C:\Documents and Settings\Armin\Application Data\OpenOffice.org2 2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll 2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll 2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll 2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2005-02-03 12:16 1,312,768 ----a-w C:\Program Files\no23_Recorder.exe 2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL . ((((((((((((((((((((((((((((( [email protected]_19.48.31,56 ))))))))))))))))))))))))))))))))))))))))) . + 2007-08-20 10:02:09 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\advpack.dll + 2007-08-20 10:02:11 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\dxtrans.dll + 2007-08-20 10:02:09 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\extmgr.dll + 2007-08-20 10:02:09 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\icardie.dll + 2007-08-17 10:12:34 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ie4uinit.exe + 2007-08-20 10:02:09 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieakeng.dll + 2007-08-20 10:02:09 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieaksie.dll + 2007-08-17 07:29:55 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieakui.dll + 2007-04-17 09:28:12 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieapfltr.dat + 2007-08-20 10:02:09 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieapfltr.dll + 2007-08-20 10:02:09 387,584 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iedkcs32.dll + 2007-08-20 10:02:10 6,066,176 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieframe.dll + 2007-08-20 10:02:10 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iernonce.dll + 2007-08-20 10:02:10 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iertutil.dll + 2007-08-17 10:12:35 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieudinit.exe + 2007-08-17 10:12:49 625,152 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe + 2007-08-20 10:02:10 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\jsproxy.dll + 2007-08-20 10:02:10 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\msfeeds.dll + 2007-08-20 10:02:10 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\msfeedsbs.dll + 2007-08-20 10:02:11 3,592,192 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\mshtml.dll + 2007-08-20 10:02:11 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\mshtmled.dll + 2007-08-20 10:02:11 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\msrating.dll + 2007-08-20 10:02:11 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\mstime.dll + 2007-08-20 10:02:11 102,400 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\occache.dll + 2007-08-20 10:02:11 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\url.dll + 2007-08-20 10:02:11 1,161,728 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\urlmon.dll + 2007-08-20 10:02:11 232,960 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\webcheck.dll + 2007-08-20 10:02:11 825,344 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\spmsg.dll + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\spuninst.exe + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\update\spcustom.dll + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\update\updspapi.dll + 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\$hf_mig$\KB941202\SP2QFE\inetcomm.dll + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spmsg.dll + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spuninst.exe + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\spcustom.dll + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\update.exe + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\updspapi.dll + 2004-08-03 22:56:46 581,120 -c----w C:\WINDOWS\$NtUninstallKB933729$\rpcrt4.dll + 2005-10-12 23:12:26 213,216 -c----w C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe + 2005-10-12 23:12:33 371,424 -c----w C:\WINDOWS\$NtUninstallKB933729$\spuninst\updspapi.dll + 2007-03-09 11:28:00 248,320 -c----w C:\WINDOWS\$NtUninstallKB933729$\xpsp3res.dll + 2007-05-16 15:12:02 683,520 -c----w C:\WINDOWS\$NtUninstallKB941202$\inetcomm.dll + 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB941202$\spuninst\updspapi.dll + 2007-06-27 14:34:51 124,928 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\advpack.dll + 2006-10-17 10:57:50 214,528 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\dxtrans.dll + 2007-06-27 14:34:51 132,608 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\extmgr.dll + 2006-10-17 10:58:20 61,952 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\icardie.dll + 2007-06-27 08:27:04 63,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ie4uinit.exe + 2007-06-27 14:34:51 153,088 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakeng.dll + 2007-06-27 14:34:51 230,400 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieaksie.dll + 2007-06-27 07:00:33 161,792 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakui.dll + 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieapfltr.dll + 2007-06-27 14:34:51 384,512 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iedkcs32.dll + 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieframe.dll + 2007-06-27 14:34:55 44,544 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iernonce.dll + 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iertutil.dll + 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieudinit.exe + 2007-06-27 08:27:30 625,152 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iexplore.exe + 2007-06-27 14:34:56 27,648 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\jsproxy.dll + 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msfeeds.dll + 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msfeedsbs.dll + 2007-07-19 06:59:59 3,583,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mshtml.dll + 2007-06-27 14:34:57 477,696 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mshtmled.dll + 2007-06-27 14:34:58 193,024 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msrating.dll + 2007-06-27 14:34:58 671,232 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mstime.dll + 2007-06-27 14:34:58 102,400 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\occache.dll + 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\updspapi.dll + 2007-06-27 14:34:58 105,984 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\url.dll + 2007-06-27 14:34:58 1,152,000 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\urlmon.dll + 2007-06-27 14:34:59 232,960 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\webcheck.dll + 2007-06-27 14:34:59 823,808 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll + 2007-07-09 13:09:42 584,192 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\rpcrt4.dll + 2007-06-13 06:53:14 115,712 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\xpsp3res.dll + 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\rpcrt4.dll + 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\xpsp3res.dll + 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spmsg.dll + 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spuninst.exe + 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\spcustom.dll + 2005-10-12 23:12:28 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\update.exe + 2005-10-12 23:12:33 371,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\updspapi.dll + 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\advpack.dll + 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\dxtrans.dll + 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\extmgr.dll + 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\icardie.dll + 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ie4uinit.exe + 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieakeng.dll + 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieaksie.dll + 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieakui.dll + 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieapfltr.dll + 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\iedkcs32.dll + 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieframe.dll + 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\iernonce.dll + 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\iertutil.dll + 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieudinit.exe + 2007-08-17 10:21:21 625,152 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\iexplore.exe + 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\jsproxy.dll + 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\msfeeds.dll + 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\msfeedsbs.dll + 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\mshtml.dll + 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\mshtmled.dll + 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\msrating.dll + 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\mstime.dll + 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\occache.dll + 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\url.dll + 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\urlmon.dll + 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\webcheck.dll + 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\wininet.dll + 2007-08-20 10:02:09 124,928 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\advpack.dll + 2007-08-20 10:02:11 214,528 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\dxtrans.dll + 2007-08-20 10:02:09 132,608 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\extmgr.dll + 2007-08-20 10:02:09 63,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\icardie.dll + 2007-08-17 10:12:34 70,656 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ie4uinit.exe + 2007-08-20 10:02:09 153,088 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieakeng.dll + 2007-08-20 10:02:09 230,400 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieaksie.dll + 2007-08-17 07:29:55 161,792 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieakui.dll + 2007-04-17 09:28:12 2,455,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieapfltr.dat + 2007-08-20 10:02:09 383,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieapfltr.dll + 2007-08-20 10:02:09 387,584 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\iedkcs32.dll + 2007-08-20 10:02:10 6,066,176 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieframe.dll + 2007-08-20 10:02:10 44,544 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\iernonce.dll + 2007-08-20 10:02:10 267,776 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\iertutil.dll + 2007-08-17 10:12:35 13,824 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieudinit.exe + 2007-08-17 10:12:49 625,152 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\iexplore.exe + 2007-08-20 10:02:10 27,648 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\jsproxy.dll + 2007-08-20 10:02:10 459,264 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\msfeeds.dll + 2007-08-20 10:02:10 52,224 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\msfeedsbs.dll + 2007-08-20 10:02:11 3,592,192 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\mshtml.dll + 2007-08-20 10:02:11 478,208 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\mshtmled.dll + 2007-08-20 10:02:11 193,024 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\msrating.dll + 2007-08-20 10:02:11 671,232 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\mstime.dll + 2007-08-20 10:02:11 102,400 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\occache.dll + 2007-08-20 10:02:11 105,984 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\url.dll + 2007-08-20 10:02:11 1,161,728 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\urlmon.dll + 2007-08-20 10:02:11 232,960 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\webcheck.dll + 2007-08-20 10:02:11 825,344 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\wininet.dll + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\spmsg.dll + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\spuninst.exe + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\update\spcustom.dll + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\update\update.exe + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\update\updspapi.dll + 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2gdr\inetcomm.dll + 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2qfe\inetcomm.dll + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spmsg.dll + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spuninst.exe + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\spcustom.dll + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\update.exe + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\updspapi.dll - 2007-06-27 14:34:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll + 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll - 2007-10-09 15:38:29 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat + 2007-10-12 04:38:04 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat - 2007-10-09 15:38:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2007-10-12 04:38:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2007-10-09 15:38:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2007-10-12 04:38:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat - 2007-06-27 14:34:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll + 2007-08-20 10:04:34 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll - 2006-10-17 10:57:50 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll + 2007-08-20 10:04:34 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll - 2007-06-27 14:34:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll + 2007-08-20 10:04:34 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll + 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll - 2007-06-27 08:27:04 63,488 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe + 2007-08-17 10:20:54 63,488 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe - 2007-06-27 14:34:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll + 2007-08-20 10:04:34 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll - 2007-06-27 14:34:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll + 2007-08-20 10:04:35 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll - 2007-06-27 07:00:33 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll + 2007-08-17 07:34:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll - 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll + 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll - 2007-06-27 14:34:51 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll + 2007-08-20 10:04:35 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll - 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll + 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll - 2007-06-27 14:34:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll + 2007-08-20 10:04:38 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll - 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll + 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll - 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe + 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe - 2007-06-27 08:27:30 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe + 2007-08-17 10:21:21 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe - 2007-05-16 15:12:02 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll + 2007-08-21 06:15:44 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll - 2007-06-27 14:34:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll + 2007-08-20 10:04:39 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll - 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll + 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll - 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll + 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll - 2007-07-19 06:59:59 3,583,488 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll + 2007-08-20 10:04:41 3,584,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll - 2007-06-27 14:34:57 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll + 2007-08-20 10:04:41 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll - 2007-06-27 14:34:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll + 2007-08-20 10:04:41 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll - 2007-06-27 14:34:58 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll + 2007-08-20 10:04:42 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll - 2007-06-27 14:34:58 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll + 2007-08-20 10:04:42 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll - 2004-08-03 22:56:46 581,120 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll + 2007-07-09 13:16:16 582,656 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll - 2007-06-27 14:34:58 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll + 2007-08-20 10:04:42 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll - 2007-06-27 14:34:58 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll + 2007-08-20 10:04:42 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll - 2007-06-27 14:34:59 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll + 2007-08-20 10:04:42 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll - 2007-06-27 14:34:59 823,808 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll + 2007-08-20 10:04:43 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll - 2007-09-07 10:05:12 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys + 2007-10-10 17:33:46 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys - 2006-10-17 10:57:50 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll + 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll - 2007-06-27 14:34:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll + 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll - 2006-10-17 10:58:20 61,952 ------w C:\WINDOWS\system32\icardie.dll + 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll - 2007-06-27 08:27:04 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe + 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe - 2007-06-27 14:34:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll + 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll - 2007-06-27 14:34:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll + 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll - 2007-06-27 07:00:33 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll + 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll - 2007-06-27 14:34:51 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll + 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll - 2007-06-27 14:34:51 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll + 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll - 2007-06-27 14:34:55 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll + 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll - 2007-06-27 14:34:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll + 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll - 2007-06-27 14:34:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll + 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll - 2007-06-27 08:27:05 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe + 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe - 2007-06-27 14:34:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll + 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll - 2007-09-05 17:50:44 17,474,680 ----a-w C:\WINDOWS\system32\MRT.exe + 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe - 2007-06-27 14:34:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll + 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll - 2007-06-27 14:34:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll + 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll - 2007-07-19 06:59:59 3,583,488 ----a-w C:\WINDOWS\system32\mshtml.dll + 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll - 2007-06-27 14:34:57 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll + 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll - 2007-06-27 14:34:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll + 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\system32\msrating.dll - 2007-06-27 14:34:58 671,232 ----a-w C:\WINDOWS\system32\mstime.dll + 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\system32\mstime.dll - 2007-06-27 14:34:58 102,400 ----a-w C:\WINDOWS\system32\occache.dll + 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\system32\occache.dll - 2004-08-03 22:56:46 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll + 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll - 2007-06-27 14:34:58 105,984 ----a-w C:\WINDOWS\system32\url.dll + 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll - 2007-06-27 14:34:58 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll + 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll - 2007-06-27 14:34:59 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll + 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll - 2007-06-27 14:34:59 823,808 ----a-w C:\WINDOWS\system32\wininet.dll + 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll - 2007-03-09 11:28:00 248,320 ----a-w C:\WINDOWS\system32\xpsp3res.dll + 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Cmaudio"="cmicnfg.cpl" [] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl] "BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-07-01 19:52] "WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2006-08-15 14:01] "Adobe Reader Speed Launcher"="D:\progr\Reader\Reader_sl.exe" [2007-05-11 03:06] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 19:33] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55] "Ditto"="C:\Program Files\Ditto\Ditto.exe" [2005-11-01 22:06] C:\Documents and Settings\Armin\Start Menu\Programs\Startup\ FRITZ!DSL Protect.lnk - C:\Program Files\FRITZ!DSL\FwebProt.exe [2006-03-03 13:14:48] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "SynchronousMachineGroupPolicy"=0 (0x0) "SynchronousUserGroupPolicy"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoStrCmpLogical"=1 (0x1) "NoResolveSearch"=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMBalloonTip"=0 (0x0) "NoRecentDocsHistory"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe," [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW] UmxWnp.Dll 2004-07-20 13:44 73793 C:\WINDOWS\system32\UmxWNP.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=UmxSbxExw.dll R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys R1 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\drivers\moufiltr.sys R1 uigxrdr;uigxrdr;C:\WINDOWS\system32\DRIVERS\uigxrdr.sys R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys R2 UmxCfg;FW Configuration Interpreter;"C:\Program Files\Common Files\PFShared\UmxCfg.exe" R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys R3 UDTTUSB;USBDTT - USB DVB-T adapter Driver;C:\WINDOWS\system32\Drivers\UDTTcap.sys S2 PDSched;PDScheduler;"C:\Program Files\Raxco\PerfectDisk\PDSched.exe" S2 UmxAgent;FW Event Manager;"C:\Program Files\Tiny Firewall Pro\UmxAgent.exe" S2 UmxLU;FW Live Update;"C:\Program Files\Common Files\PFShared\umxlu.exe" S2 UmxPol;FW Policy Manager;"C:\Program Files\Common Files\PFShared\UmxPol.exe" S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys S3 UDTTLOAD;UDTTLOAD;C:\WINDOWS\system32\DRIVERS\UDTTload.sys S3 UmxUTA;FW User to IP Address Translation;"C:\Program Files\Tiny Firewall Pro\umxuta.exe" S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0adf85e6-b261-11da-b62f-000b6a7c7073}] AutoRun\command - F:\preinst.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afab3585-bb1c-11da-b64c-000b6a7c7073}] AutoRun\command - F:\preinst.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-12 06:48:20 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\ntos.exe C:\WINDOWS\system32\wsnpoem IPC error: 2 The system cannot find the file specified. scan completed successfully hidden files: 2 ************************************************************************** . Completion time: 2007-10-12 6:50:05 C:\ComboFix-quarantined-files.txt ... 2007-10-05 19:06 C:\ComboFix2.txt ... 2007-10-10 13:13 C:\ComboFix3.txt ... 2007-10-09 19:58 . --- E O F ---
  10. Hi Unforunately the Trojan is still there. AntiVir also found 2 heuristic malwares: C:\Documents and Settings\Armin\My Documents\ComboFix.exe C:\ComboFix\setpath.cfexe I sent the 3 into quarantine. Is there anything else I can do? Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 08:06, on 2007-10-11 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\PFShared\UmxCfg.exe C:\Program Files\Common Files\PFShared\UmxPol.exe C:\Program Files\Tiny Firewall Pro\UmxAgent.exe C:\Program Files\Tiny Firewall Pro\UmxTray.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe D:\progr\a-squared Free\a2service.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\FRITZ!DSL\IGDCTRL.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\slserv.exe C:\Program Files\Common Files\PFShared\umxlu.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\VM_STI.EXE C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Ditto\Ditto.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\PC-TV\WinManager\WinManager.exe C:\Program Files\FRITZ!DSL\FwebProt.exe C:\Program Files\FRITZ!DSL\StCenter.EXE C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe D:\progr\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing) O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe -- End of file - 9857 bytes
  11. Hi Here is the Combofix log ComboFix 07-10-09.3 - Armin 2007-10-09 19:09:47.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.90 [GMT 2:00] Running from: C:\Documents and Settings\Armin\My Documents\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 ))))))))))))))))))))))))))))))) . 2007-10-09 17:37 298,420 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat 2007-10-08 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-10-08 13:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-10-07 22:13 <DIR> d-------- C:\Program Files\Avira 2007-10-07 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira 2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\SiteAdvisor 2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee 2007-10-03 20:46 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-29 10:26 <DIR> d-------- C:\Documents and Settings\Armin\.imgseek 2007-09-24 08:28 335,872 --a------ C:\WINDOWS\system32\m4atag.dll 2007-09-22 18:18 <DIR> d-------- C:\Documents and Settings\Armin\.thumbnails 2007-09-22 10:38 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Mp3tag 2007-09-20 20:01 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Desktop Sidebar 2007-09-19 12:38 <DIR> d-------- C:\Program Files\PC Inspector File Recovery . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-09 17:02 --------- d-----w C:\Documents and Settings\Armin\Application Data\Ditto 2007-10-09 15:36 18,910 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k 2007-10-09 13:50 --------- d-----w C:\Documents and Settings\Armin\Application Data\FRITZ! 2007-10-08 10:44 --------- d---a-w C:\Program Files\OfficeScan NT 2007-09-29 13:29 --------- d-----w C:\Program Files\Common Files\Buhl Data Service 2007-09-21 16:30 --------- d-----w C:\Program Files\Mozilla Thunderbird 2007-09-19 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-09-05 17:52 --------- d-----w C:\Documents and Settings\Armin\Application Data\OpenOffice.org2 2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll 2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll 2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll 2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2005-02-03 12:16 1,312,768 ----a-w C:\Program Files\no23_Recorder.exe 2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Cmaudio"="cmicnfg.cpl" [] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl] "BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-07-01 19:52] "WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2006-08-15 14:01] "Adobe Reader Speed Launcher"="D:\progr\Reader\Reader_sl.exe" [2007-05-11 03:06] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55] "Ditto"="C:\Program Files\Ditto\Ditto.exe" [2005-11-01 22:06] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "SynchronousMachineGroupPolicy"=0 (0x0) "SynchronousUserGroupPolicy"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoStrCmpLogical"=1 (0x1) "NoResolveSearch"=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMBalloonTip"=0 (0x0) "NoRecentDocsHistory"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe," [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW] UmxWnp.Dll 2004-07-20 13:44 73793 C:\WINDOWS\system32\UmxWNP.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=UmxSbxExw.dll R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys R1 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\drivers\moufiltr.sys R1 uigxrdr;uigxrdr;C:\WINDOWS\system32\DRIVERS\uigxrdr.sys R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys R2 PDSched;PDScheduler;"C:\Program Files\Raxco\PerfectDisk\PDSched.exe" R2 UmxAgent;FW Event Manager;"C:\Program Files\Tiny Firewall Pro\UmxAgent.exe" R2 UmxCfg;FW Configuration Interpreter;"C:\Program Files\Common Files\PFShared\UmxCfg.exe" R2 UmxLU;FW Live Update;"C:\Program Files\Common Files\PFShared\umxlu.exe" R2 UmxPol;FW Policy Manager;"C:\Program Files\Common Files\PFShared\UmxPol.exe" R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys R3 UDTTUSB;USBDTT - USB DVB-T adapter Driver;C:\WINDOWS\system32\Drivers\UDTTcap.sys S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys S3 UDTTLOAD;UDTTLOAD;C:\WINDOWS\system32\DRIVERS\UDTTload.sys S3 UmxUTA;FW User to IP Address Translation;"C:\Program Files\Tiny Firewall Pro\umxuta.exe" S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0adf85e6-b261-11da-b62f-000b6a7c7073}] AutoRun\command - F:\preinst.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afab3585-bb1c-11da-b64c-000b6a7c7073}] AutoRun\command - F:\preinst.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-09 19:43:29 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\wsnpoem scan completed successfully hidden files: 1 ************************************************************************** . Completion time: 2007-10-09 19:56:57 C:\ComboFix-quarantined-files.txt ... 2007-10-05 19:06 C:\ComboFix2.txt ... 2007-10-05 19:07 C:\ComboFix3.txt ... 2007-10-03 21:00 . --- E O F ---
  12. Hi Unfortunately the trojan reappeared. And my PC is not very stable (sometimes veryslow, so there must be going on something in the background, and sometimes non-responding programs) Yes I did reboot, as you told me. F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe doesn’t go away from Hijackthis, even though I don’t see it in Windows Explorer.
  13. Hi Thanks a lot for your help. There is no more AntiVir alert. Here are the logs you asked me for: File/Folder not found. File/Folder C:\WINDOWS\system32\ntos.exe not found. Folder move failed. C:\windows\system32\wsnpoem scheduled to be moved on reboot. Created on 10.09.2007 09:24:34 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:46:13, on 09.10.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\PFShared\UmxCfg.exe C:\Program Files\Common Files\PFShared\UmxPol.exe C:\Program Files\Tiny Firewall Pro\UmxAgent.exe C:\Program Files\Tiny Firewall Pro\UmxTray.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE D:\progr\a-squared Free\a2service.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\FRITZ!DSL\IGDCTRL.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\slserv.exe C:\Program Files\Common Files\PFShared\umxlu.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\VM_STI.EXE C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Ditto\Ditto.exe C:\WINDOWS\System32\alg.exe C:\Program Files\PC-TV\WinManager\WinManager.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\FRITZ!DSL\FwebProt.exe C:\Program Files\FRITZ!DSL\StCenter.EXE D:\progr\Winamp\winamp.exe C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\svchost.exe D:\progr\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing) O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe -- End of file - 9910 bytes
  14. Hi AntiVir has found the Trojan TR/Spy.Zbot.R on C:\windows\system32\ntos.exe I have checked “deny accessâ€, but the message popped up again several times. Should I delete it next time? I have fixed F2, but it still appears in Hijackthis. Here is the Kaperski log, below the Hijackthis log: ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Monday, October 08, 2007 7:45:20 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.1 Kaspersky Anti-Virus database last update: 8/10/2007 Kaspersky Anti-Virus database records: 429223 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 64159 Number of viruses found: 0 Number of infected objects: 0 Number of suspicious objects: 0 Duration of the scan process: 02:08:53 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\LOGFILES\Upd-2007-10-08-17-16-19.log Object is locked skipped C:\Documents and Settings\Armin\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\cert8.db Object is locked skipped C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\history.dat Object is locked skipped C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\key3.db Object is locked skipped C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\parent.lock Object is locked skipped C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\search.sqlite Object is locked skipped C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\Armin\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\Armin\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Armin\Local Settings\History\History.IE5\MSHist012007100820071009\index.dat Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~DF1D4E.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~DF83E9.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~DF8C40.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~DF9BF4.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~DFB0F9.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~DFB287.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~DFBDC7.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~DFD8CC.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~WRF0000.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temp\~WRS0005.tmp Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Armin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Armin\My Documents\gra.doc Object is locked skipped C:\Documents and Settings\Armin\My Documents\My x\Finanz\Konto\DAB\DAB Argy.doc Object is locked skipped C:\Documents and Settings\Armin\My Documents\My x\Finanz\Konto\US_ImmoBubbleExpress[1].pdf Object is locked skipped C:\Documents and Settings\Armin\My Documents\neu.doc Object is locked skipped C:\Documents and Settings\Armin\My Documents\neu3.doc Object is locked skipped C:\Documents and Settings\Armin\My Documents\~$neu3a.doc Object is locked skipped C:\Documents and Settings\Armin\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Armin\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\FRITZ!DSL\access\access.lock Object is locked skipped C:\Program Files\Tiny Firewall Pro\Log71008_001.xml Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{9318B114-C941-45FF-A468-28D8D29F0A9F}\RP293\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{1409F9D2-56C0-4AC5-B6E8-2C0F9349F360}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume Information\_restore{9318B114-C941-45FF-A468-28D8D29F0A9F}\RP293\change.log Object is locked skipped Scan process completed. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:32:03, on 08.10.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\PFShared\UmxCfg.exe C:\Program Files\Common Files\PFShared\UmxPol.exe C:\Program Files\Tiny Firewall Pro\UmxAgent.exe C:\Program Files\Tiny Firewall Pro\UmxTray.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe D:\progr\a-squared Free\a2service.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\FRITZ!DSL\IGDCTRL.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\slserv.exe C:\Program Files\Common Files\PFShared\umxlu.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\VM_STI.EXE C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Ditto\Ditto.exe C:\Program Files\PC-TV\WinManager\WinManager.exe C:\Program Files\FRITZ!DSL\FwebProt.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\FRITZ!DSL\StCenter.EXE C:\Program Files\Microsoft Office\Office\WINWORD.EXE D:\progr\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing) O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe -- End of file - 9738 bytes
  15. Hi Nothing happens when I try to open C:\Program Files\OfficeScan NT\OfcPfwSvc.exe I update OfficeScan every week from the icon in the tray bar, but it might be just the AV program, I don’t know. Perhaps it is better to uninstall OfficeScan, enable Tiny firewall and install, perhaps, AntiVir. What do you think? I didn’t use ClipInc for ages, but I would like to use it in the future again. But if it is a buggy program I can uninstall it. Should I? By the way, after rebooting, Microsoft firewall went into action and tried to block a startup program. Here are the log files: ComboFix 07-10-03.7 - Armin 2007-10-05 18:47:17.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.31 [GMT 2:00] Script execution time was exceeded on script "C:\ComboFix\osid.vbs". Script execution was terminated. Running from: C:\Documents and Settings\Armin\My Documents\ComboFix.exe Command switches used :: C:\Documents and Settings\Armin\My Documents\CFScript.txt * Created a new restore point FILE:: C:\WINDOWS\system32\ntos.exe . ((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 ))))))))))))))))))))))))))))))) . 2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\SiteAdvisor 2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee 2007-10-05 07:28 298,420 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat 2007-10-03 20:46 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-29 10:26 <DIR> d-------- C:\Documents and Settings\Armin\.imgseek 2007-09-24 08:28 335,872 --a------ C:\WINDOWS\system32\m4atag.dll 2007-09-22 18:18 <DIR> d-------- C:\Documents and Settings\Armin\.thumbnails 2007-09-22 10:38 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Mp3tag 2007-09-20 20:01 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Desktop Sidebar 2007-09-19 12:38 <DIR> d-------- C:\Program Files\PC Inspector File Recovery . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-05 18:37 --------- d-------- C:\Documents and Settings\Armin\Application Data\Ditto 2007-10-05 14:44 --------- d-------- C:\Program Files\OfficeScan NT 2007-10-04 21:52 18910 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k 2007-10-03 21:12 --------- d-------- C:\Documents and Settings\Armin\Application Data\FRITZ! 2007-09-29 15:29 --------- d-------- C:\Program Files\Common Files\Buhl Data Service 2007-09-21 18:30 --------- d-------- C:\Program Files\Mozilla Thunderbird 2007-09-19 12:38 --------- d--h----- C:\Program Files\InstallShield Installation Information 2007-09-05 19:52 --------- d-------- C:\Documents and Settings\Armin\Application Data\OpenOffice.org2 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2005-02-03 14:16 1312768 --a------ C:\Program Files\no23_Recorder.exe 2001-11-23 06:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL . ((((((((((((((((((((((((((((( [email protected]_20.59.09,81 ))))))))))))))))))))))))))))))))))))))))) . ----a-w 16,384 2007-10-05 05:29:35 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ----a-w 32,768 2007-10-05 05:29:35 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ----a-w 32,768 2007-10-05 05:29:35 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat . ----a-w 16,384 2007-10-03 05:05:49 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ----a-w 32,768 2007-10-03 05:05:49 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ----a-w 32,768 2007-10-03 05:05:49 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Cmaudio"="cmicnfg.cpl" [] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 20:26] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl] "BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-07-01 19:52] "OfficeScanNT Monitor"="C:\Program Files\OfficeScan NT\pccntmon.exe" [2005-08-31 15:21] "WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2006-08-15 14:01] "Adobe Reader Speed Launcher"="D:\progr\Reader\Reader_sl.exe" [2007-05-11 03:06] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55] "Ditto"="C:\Program Files\Ditto\Ditto.exe" [2005-11-01 22:06] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16] C:\Documents and Settings\Armin\Start Menu\Programs\Startup\ FRITZ!DSL Protect.lnk - C:\Program Files\FRITZ!DSL\FwebProt.exe [2006-03-03 13:14:48] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "SynchronousMachineGroupPolicy"=0 (0x0) "SynchronousUserGroupPolicy"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoStrCmpLogical"=1 (0x1) "NoResolveSearch"=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMBalloonTip"=0 (0x0) "NoRecentDocsHistory"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe," [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW] UmxWnp.Dll 2004-07-20 13:44 73793 C:\WINDOWS\system32\UmxWNP.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=UmxSbxExw.dll R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys R1 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\drivers\moufiltr.sys R1 uigxrdr;uigxrdr;C:\WINDOWS\system32\DRIVERS\uigxrdr.sys R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys R2 ClipInc001;ClipInc 001;d:\Progr\ClipInc\Server\ClipInc-Server.exe 001 R2 ClipInc002;ClipInc 002;d:\Progr\ClipInc\Server\ClipInc-Server.exe 002 R2 ClipInc003;ClipInc 003;d:\Progr\ClipInc\Server\ClipInc-Server.exe 003 R2 ClipInc004;ClipInc 004;d:\Progr\ClipInc\Server\ClipInc-Server.exe 004 R2 ClipInc005;ClipInc 005;d:\Progr\ClipInc\Server\ClipInc-Server.exe 005 R2 ClipInc006;ClipInc 006;d:\Progr\ClipInc\Server\ClipInc-Server.exe 006 R2 ClipInc007;ClipInc 007;d:\Progr\ClipInc\Server\ClipInc-Server.exe 007 R2 ClipInc008;ClipInc 008;d:\Progr\ClipInc\Server\ClipInc-Server.exe 008 R2 ClipInc009;ClipInc 009;d:\Progr\ClipInc\Server\ClipInc-Server.exe 009 R2 ClipInc010;ClipInc 010;d:\Progr\ClipInc\Server\ClipInc-Server.exe 010 R2 ClipInc011;ClipInc 011;d:\Progr\ClipInc\Server\ClipInc-Server.exe 011 R2 ClipInc012;ClipInc 012;d:\Progr\ClipInc\Server\ClipInc-Server.exe 012 R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\OfficeScan NT\TmPreFlt.sys R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys R3 UDTTUSB;USBDTT - USB DVB-T adapter Driver;C:\WINDOWS\system32\Drivers\UDTTcap.sys S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys S3 UDTTLOAD;UDTTLOAD;C:\WINDOWS\system32\DRIVERS\UDTTload.sys S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0adf85e6-b261-11da-b62f-000b6a7c7073}] AutoRun\command- F:\preinst.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afab3585-bb1c-11da-b64c-000b6a7c7073}] AutoRun\command- F:\preinst.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-05 19:00:41 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-10-05 19:07:13 C:\ComboFix-quarantined-files.txt ... 2007-10-05 19:06 C:\ComboFix2.txt ... 2007-10-03 21:00 . --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:12:25, on 05.10.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\PFShared\UmxCfg.exe C:\Program Files\Common Files\PFShared\UmxPol.exe C:\Program Files\Tiny Firewall Pro\UmxAgent.exe C:\Program Files\Tiny Firewall Pro\UmxTray.exe D:\progr\a-squared Free\a2service.exe C:\Program Files\FRITZ!DSL\IGDCTRL.EXE C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe d:\Progr\ClipInc\Server\ClipInc-Server.exe C:\Program Files\OfficeScan NT\ntrtscan.exe C:\Program Files\OfficeScan NT\tmlisten.exe C:\Program Files\Common Files\PFShared\umxlu.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\Program Files\OfficeScan NT\OfcPfwSvc.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\VM_STI.EXE C:\Program Files\OfficeScan NT\pccntmon.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Ditto\Ditto.exe C:\Program Files\PC-TV\WinManager\WinManager.exe C:\Program Files\FRITZ!DSL\FwebProt.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\FRITZ!DSL\StCenter.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\TEMP\UZ5E2A.EXE D:\progr\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing) O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 002 (ClipInc002) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 003 (ClipInc003) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 004 (ClipInc004) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 005 (ClipInc005) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 006 (ClipInc006) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 007 (ClipInc007) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 008 (ClipInc008) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 009 (ClipInc009) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 010 (ClipInc010) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 011 (ClipInc011) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: ClipInc 012 (ClipInc012) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe -- End of file - 11233 bytes