arminsch

Issues C:\windows\system32\wsnpoem\audio.dll


Ad-Aware SE found

Win32.Backdoor.Agent
Win32.TrojanDownloader.Agent

and showed the message that

C:\windows\system32\wsnpoem\audio.dll
C:\windows\system32\wsnpoem\video.dll

could not be removed.

What can I do? Any help would be appreciated.

This is the logfile:

 

Ad-Aware SE Build 1.06r1

Logfile Created on: Friday, 28 September 2007 18:38:17

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R193 24.09.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):26 total references

Win32.Backdoor.Agent(TAC index:10):4 total references

Win32.TrojanDownloader.Agent(TAC index:10):5 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

28.09.2007 18:38:22 - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Armin\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Armin\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\mediaplayer\medialibraryui

Description : last selected node in the microsoft windows media player media library

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\mediaplayer\player\recentfilelist

Description : list of recently used files in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\mediaplayer\player\settings

Description : last open directory used in jasc paint shop pro

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\mediaplayer\preferences

Description : last cd record path used in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\microsoft management console\recent file list

Description : list of recent snap-ins used in the microsoft management console

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru

Description : list of recent documents opened by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru

Description : list of recent documents saved by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\windows\currentversion\applets\wordpad\recent file list

Description : list of recent files opened using wordpad

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\realnetworks\realplayer\6.0\preferences

Description : list of recent skins in realplayer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\realnetworks\realplayer\6.0\preferences

Description : list of recent clips in realplayer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\realnetworks\realplayer\6.0\preferences

Description : last login time in realplayer

 

 

MRU List Object Recognized!

Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1214440339-179605362-1801674531-1003\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 616

ThreadCreationTime : 28.09.2007 14:48:24

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 672

ThreadCreationTime : 28.09.2007 14:48:30

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 696

ThreadCreationTime : 28.09.2007 14:48:32

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 744

ThreadCreationTime : 28.09.2007 14:48:35

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 756

ThreadCreationTime : 28.09.2007 14:48:35

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 996

ThreadCreationTime : 28.09.2007 14:48:39

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1064

ThreadCreationTime : 28.09.2007 14:48:40

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1108

ThreadCreationTime : 28.09.2007 14:48:41

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1212

ThreadCreationTime : 28.09.2007 14:48:41

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1264

ThreadCreationTime : 28.09.2007 14:48:41

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1344

ThreadCreationTime : 28.09.2007 14:48:44

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:12 [umxcfg.exe]

FilePath : C:\Program Files\Common Files\PFShared\

ProcessID : 1400

ThreadCreationTime : 28.09.2007 14:48:44

BasePriority : Normal

FileVersion : 6.0.0.28

ProductVersion : 6.0

ProductName : Tiny Firewall

CompanyName : Tiny Software, Inc.

FileDescription : Tiny Configuration Engine

InternalName : UmxCfg.exe

LegalCopyright : Copyright © Tiny Software, Inc.

OriginalFilename : UmxCfg.exe

 

#:13 [umxpol.exe]

FilePath : C:\Program Files\Common Files\PFShared\

ProcessID : 1424

ThreadCreationTime : 28.09.2007 14:48:45

BasePriority : Normal

FileVersion : 6, 0, 0, 1

ProductVersion : 6, 0, 0, 0

ProductName : Tiny Firewall

CompanyName : Tiny Software Inc.

FileDescription : TF Policy Manager Service

InternalName : UmxPol

LegalCopyright : Copyright © 2002-2004 Tiny Software Inc.

OriginalFilename : UmxPol.EXE

 

#:14 [umxagent.exe]

FilePath : C:\Program Files\Tiny Firewall Pro\

ProcessID : 1460

ThreadCreationTime : 28.09.2007 14:48:47

BasePriority : Normal

FileVersion : 6.0.0.44

ProductVersion : 6.0

ProductName : Tiny Firewall

CompanyName : Tiny Software, Inc.

FileDescription : Tiny Event Manager

InternalName : UmxAgent

LegalCopyright : Copyright © Tiny Software, Inc.

OriginalFilename : UmxAgent.EXE

 

#:15 [umxtray.exe]

FilePath : C:\Program Files\Tiny Firewall Pro\

ProcessID : 1480

ThreadCreationTime : 28.09.2007 14:48:47

BasePriority : Normal

FileVersion : 6.0.0.34

ProductVersion : 6.0

ProductName : Tiny Firewall

CompanyName : Tiny Software, Inc.

FileDescription : Tiny Tray Icon

InternalName : UmxTray

LegalCopyright : Copyright © Tiny Software, Inc.

OriginalFilename : UmxTray.exe

 

#:16 [a2service.exe]

FilePath : D:\progr\a-squared Free\

ProcessID : 1564

ThreadCreationTime : 28.09.2007 14:48:48

BasePriority : Normal

FileVersion : 3.0.0.345

ProductVersion : 3.0.0.0

ProductName : a-squared

CompanyName : Emsi Software GmbH

FileDescription : a-squared Service

InternalName : a2service

LegalCopyright : © 2003-2007 Emsi Software GmbH

OriginalFilename : a2service.exe

 

#:17 [igdctrl.exe]

FilePath : C:\Program Files\FRITZ!DSL\

ProcessID : 1600

ThreadCreationTime : 28.09.2007 14:48:48

BasePriority : Normal

FileVersion : 1.00.01.2004

ProductVersion : 1.00.01.2004

ProductName : AVM IGD Service

CompanyName : AVM Berlin

FileDescription : AVM IGD Service

InternalName : igdctrl

LegalCopyright : © AVM Berlin 2004-2005

OriginalFilename : igdctrl.exe

 

#:18 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1616

ThreadCreationTime : 28.09.2007 14:48:48

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:19 [btwdins.exe]

FilePath : C:\Program Files\WIDCOMM\Bluetooth Software\bin\

ProcessID : 1652

ThreadCreationTime : 28.09.2007 14:48:48

BasePriority : Normal

FileVersion : 1.4.2 Build 10

ProductVersion : 1.4.2 Build 10

ProductName : Bluetooth Software 1.4.2 Build 10

CompanyName : WIDCOMM, Inc.

FileDescription : Bluetooth Support Server

InternalName : BTWDIns

LegalCopyright : Copyright WIDCOMM, Inc. 2000-2003.

OriginalFilename : BTWDIns.EXE

 

#:20 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 1672

ThreadCreationTime : 28.09.2007 14:48:48

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:21 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 1776

ThreadCreationTime : 28.09.2007 14:48:49

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:22 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 1800

ThreadCreationTime : 28.09.2007 14:48:49

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:23 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 1824

ThreadCreationTime : 28.09.2007 14:48:49

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:24 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 1848

ThreadCreationTime : 28.09.2007 14:48:50

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:25 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 1872

ThreadCreationTime : 28.09.2007 14:48:50

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:26 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 1896

ThreadCreationTime : 28.09.2007 14:48:50

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:27 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 1920

ThreadCreationTime : 28.09.2007 14:48:50

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:28 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 2032

ThreadCreationTime : 28.09.2007 14:48:50

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:29 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 192

ThreadCreationTime : 28.09.2007 14:48:50

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:30 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 240

ThreadCreationTime : 28.09.2007 14:48:50

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:31 [clipinc-server.exe]

FilePath : d:\Progr\ClipInc\Server\

ProcessID : 296

ThreadCreationTime : 28.09.2007 14:48:50

BasePriority : Normal

FileVersion : 3.00a (243)

ProductVersion : 3.00a (243)

ProductName : ClipInc. Server

FileDescription : ClipInc. Server

InternalName : ClipInc

LegalCopyright : Copyright © 2003, 2007 Tobit Software

OriginalFilename : clipinc-server.exe

 

#:32 [ntrtscan.exe]

FilePath : C:\Program Files\OfficeScan NT\

ProcessID : 408

ThreadCreationTime : 28.09.2007 14:48:51

BasePriority : Normal

FileVersion : 7.0.0.1160

ProductVersion : 7.0

ProductName : Trend Micro OfficeScan

CompanyName : Trend Micro Inc.

FileDescription : Ntrtscan.exe

LegalCopyright : Copyright © 1999-2005 Trend Micro Incorporated. All rights reserved.

LegalTrademarks : Copyright © Trend Micro Inc.

 

#:33 [slserv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 496

ThreadCreationTime : 28.09.2007 14:48:54

BasePriority : Normal

FileVersion : 2.80.00(24Apr2000)

ProductVersion : 2.80.00

ProductName : Modem

FileDescription : User-Level Modem Service

InternalName : slserv

LegalCopyright : Copyright © 1999-2000

OriginalFilename : slserv.exe

 

#:34 [tmlisten.exe]

FilePath : C:\Program Files\OfficeScan NT\

ProcessID : 552

ThreadCreationTime : 28.09.2007 14:48:54

BasePriority : Normal

FileVersion : 7.0.0.1160

ProductVersion : 7.0

ProductName : Trend Micro OfficeScan

CompanyName : Trend Micro Inc.

LegalCopyright : Copyright © 1999-2005 Trend Micro Incorporated. All rights reserved.

LegalTrademarks : Copyright © Trend Micro Inc.

 

#:35 [umxlu.exe]

FilePath : C:\Program Files\Common Files\PFShared\

ProcessID : 600

ThreadCreationTime : 28.09.2007 14:48:55

BasePriority : Normal

FileVersion : 6.0.0.13

ProductVersion : 6.0

ProductName : Tiny Firewall

CompanyName : Tiny Software, Inc.

FileDescription : Live Update Monitor

InternalName : umxlu.exe

LegalCopyright : Copyright © Tiny Software, Inc.

OriginalFilename : umxlu.exe

 

#:36 [pdsched.exe]

FilePath : C:\Program Files\Raxco\PerfectDisk\

ProcessID : 372

ThreadCreationTime : 28.09.2007 14:48:56

BasePriority : Normal

FileVersion : 7, 0, 0, 35

ProductVersion : 7, 0, 0, 35

ProductName : PDSched Module

CompanyName : Raxco Software, Inc.

FileDescription : PDSched Module

InternalName : PDSched

LegalCopyright : Copyright © 2004

OriginalFilename : PDSched.exe

 

#:37 [ofcpfwsvc.exe]

FilePath : C:\Program Files\OfficeScan NT\

ProcessID : 1164

ThreadCreationTime : 28.09.2007 14:48:57

BasePriority : Normal

FileVersion : 7.0.0.1160

ProductVersion : 7.0

ProductName : Trend Micro OfficeScan

CompanyName : Trend Micro Inc.

FileDescription : OfcPfwSvc

InternalName : OfcPfwSvc

LegalCopyright : Copyright © 1999-2005 Trend Micro Incorporated. All rights reserved.

LegalTrademarks : Copyright © Trend Micro Inc.

OriginalFilename : OfcPfwSvc.exe

Comments : OFC PFW Service

 

#:38 [htfd19.exe]

FilePath : C:\WINDOWS\TEMP\

ProcessID : 2088

ThreadCreationTime : 28.09.2007 14:49:10

BasePriority : Normal

 

 

#:39 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 2192

ThreadCreationTime : 28.09.2007 14:49:22

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:40 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 2736

ThreadCreationTime : 28.09.2007 14:50:09

BasePriority : Normal

FileVersion : 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)

ProductVersion : 6.00.2900.3156

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:41 [jusched.exe]

FilePath : C:\Program Files\Java\j2re1.4.2_06\bin\

ProcessID : 3244

ThreadCreationTime : 28.09.2007 14:51:15

BasePriority : Normal

 

 

#:42 [rundll32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3252

ThreadCreationTime : 28.09.2007 14:51:15

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Run a DLL as an App

InternalName : rundll

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : RUNDLL.EXE

 

#:43 [vm_sti.exe]

FilePath : C:\WINDOWS\

ProcessID : 3380

ThreadCreationTime : 28.09.2007 14:51:21

BasePriority : Normal

FileVersion : 4, 2, 610, 4

ProductVersion : 4, 2, 610, 4

ProductName : BIGDOG

CompanyName : BIGDOG

FileDescription : BIGDOG

InternalName : BIGDOG

LegalCopyright : Copyright 2002

LegalTrademarks : BIGDOG

OriginalFilename : BigDog.exe

Comments : For Windows XP only

 

#:44 [pccntmon.exe]

FilePath : C:\Program Files\OfficeScan NT\

ProcessID : 3456

ThreadCreationTime : 28.09.2007 14:51:23

BasePriority : Normal

FileVersion : 7.0.0.1160

ProductVersion : 7.0

ProductName : Trend Micro OfficeScan

CompanyName : Trend Micro Inc.

FileDescription : I/O Monitor

InternalName : PCCNTMON

LegalCopyright : Copyright © 1999-2005 Trend Micro Incorporated. All rights reserved.

LegalTrademarks : Copyright © Trend Micro Inc.

OriginalFilename : PCCNTMON.EXE

 

#:45 [winpatrol.exe]

FilePath : C:\PROGRA~1\BILLPS~1\WINPAT~1\

ProcessID : 3512

ThreadCreationTime : 28.09.2007 14:51:26

BasePriority : Normal

FileVersion : 10, 0, 3, 0

ProductVersion : 10.0.3.0

ProductName : WinPatrol Monitor

CompanyName : BillP Studios

FileDescription : WinPatrol System Monitor

InternalName : WinPatrol Monitor

LegalCopyright : Copyright © 1997- 2006 BillP Studios

OriginalFilename : Scotty

Comments : Let Scotty the Windows Watchdog patrol your system.

 

#:46 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3540

ThreadCreationTime : 28.09.2007 14:51:27

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

 

#:47 [msnmsgr.exe]

FilePath : C:\Program Files\MSN Messenger\

ProcessID : 3728

ThreadCreationTime : 28.09.2007 14:51:40

BasePriority : Normal

FileVersion : 8.1.0178.00

ProductVersion : 8.1.0178

ProductName : Messenger

CompanyName : Microsoft Corporation

FileDescription : Messenger

InternalName : msnmsgr.exe

LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.

OriginalFilename : msnmsgr.exe

 

#:48 [ditto.exe]

FilePath : C:\Program Files\Ditto\

ProcessID : 3740

ThreadCreationTime : 28.09.2007 14:51:41

BasePriority : Normal

FileVersion : 2, 6, 5, 0

ProductVersion : 2, 6, 5, 0

ProductName : Ditto

FileDescription : Ditto

InternalName : CP_Main

LegalCopyright : Copyright © 2003

OriginalFilename : Ditto

 

#:49 [winmanager.exe]

FilePath : C:\Program Files\PC-TV\WinManager\

ProcessID : 3752

ThreadCreationTime : 28.09.2007 14:51:45

BasePriority : Normal

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

ProductName : WinManager Application

FileDescription : WinManager MFC Application

InternalName : WinManager

LegalCopyright : Copyright © 2002

OriginalFilename : WinManager.EXE

 

#:50 [fwebprot.exe]

FilePath : C:\Program Files\FRITZ!DSL\

ProcessID : 3892

ThreadCreationTime : 28.09.2007 14:51:52

BasePriority : Normal

 

 

#:51 [ymsgr_tray.exe]

FilePath : C:\PROGRA~1\Yahoo!\MESSEN~1\

ProcessID : 3908

ThreadCreationTime : 28.09.2007 14:51:52

BasePriority : Normal

FileVersion : 8,1,0,0

ProductVersion : 8,1,0,0

ProductName : Yahoo! Messenger

CompanyName : Yahoo! Inc.

FileDescription : Yahoo! Messenger Tray

LegalCopyright : © 1998-2006 Yahoo! Inc. All rights reserved.

 

#:52 [stcenter.exe]

FilePath : C:\Program Files\FRITZ!DSL\

ProcessID : 3984

ThreadCreationTime : 28.09.2007 14:51:57

BasePriority : Normal

FileVersion : 1.0.0.3

ProductVersion : 1.0.0.3

ProductName : FRITZ!DSL

CompanyName : AVM Berlin

FileDescription : FRITZ!DSL Startcenter

InternalName : Startcenter

OriginalFilename : Stcenter.exe

 

#:53 [winword.exe]

FilePath : C:\Program Files\Microsoft Office\Office\

ProcessID : 3084

ThreadCreationTime : 28.09.2007 15:03:54

BasePriority : Normal

 

 

#:54 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3040

ThreadCreationTime : 28.09.2007 15:04:12

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:55 [mp3gaingui.exe]

FilePath : D:\progr\MP3Gain\

ProcessID : 1188

ThreadCreationTime : 28.09.2007 15:33:57

BasePriority : Normal

FileVersion : 1.02.0005

ProductVersion : 1.02.0005

ProductName : MP3Gain GUI

CompanyName : Snelg Enterprises

FileDescription : MP3Gain GUI

InternalName : MP3GainGUI

LegalCopyright : Copyright © 2001-2004 Glen Sawyer

OriginalFilename : MP3GainGUI.exe

 

#:56 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 2676

ThreadCreationTime : 28.09.2007 15:39:29

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

#:57 [hh.exe]

FilePath : C:\WINDOWS\

ProcessID : 5332

ThreadCreationTime : 28.09.2007 15:39:57

BasePriority : Normal

FileVersion : 5.2.3790.2453 (srv03_sp1_gdr.050525-1542)

ProductVersion : 5.2.3790.2453

ProductName : HTML Help

CompanyName : Microsoft Corporation

FileDescription : Microsoft® HTML Help Executable

InternalName : HH 1.41

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : HH.exe

 

#:58 [iexplore.exe]

FilePath : C:\Program Files\Internet Explorer\

ProcessID : 5800

ThreadCreationTime : 28.09.2007 15:40:32

BasePriority : Normal

FileVersion : 7.00.6000.16512 (vista_gdr.070625-1522)

ProductVersion : 7.00.6000.16512

ProductName : Windows® Internet Explorer

CompanyName : Microsoft Corporation

FileDescription : Internet Explorer

InternalName : iexplore

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : IEXPLORE.EXE

 

#:59 [wlloginproxy.exe]

FilePath : C:\Program Files\Common Files\Microsoft Shared\Windows Live\

ProcessID : 5952

ThreadCreationTime : 28.09.2007 15:40:39

BasePriority : Normal

FileVersion : 4.100.313.1

ProductVersion : 4.100.313.1

ProductName : Microsoft® Windows Live Login Helper

CompanyName : Microsoft Corporation

FileDescription : WLLoginProxy.exe

InternalName : WLLoginProxy

LegalCopyright : Copyright © 1995-2006 Microsoft Corporation.

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation.

OriginalFilename : WLLoginProxy.exe

 

#:60 [firefox.exe]

FilePath : C:\Program Files\Mozilla Firefox\

ProcessID : 3596

ThreadCreationTime : 28.09.2007 15:44:36

BasePriority : Normal

 

 

#:61 [pccnt.exe]

FilePath : C:\Program Files\OfficeScan NT\

ProcessID : 828

ThreadCreationTime : 28.09.2007 16:04:28

BasePriority : Normal

FileVersion : 7.0.0.1160

ProductVersion : 7.0

ProductName : Trend Micro OfficeScan

CompanyName : Trend Micro Inc.

FileDescription : PCCNT

InternalName : PCCNT

LegalCopyright : Copyright © 1999-2005 Trend Micro Incorporated. All rights reserved.

LegalTrademarks : Copyright © Trend Micro Inc.

OriginalFilename : PCCNT.EXE

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 26

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Win32.Backdoor.Agent Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Virus

Comment : "{f710fa10-2031-3106-8872-93a2b5c5c620}"

Rootkey : HKEY_USERS

Object : .DEFAULT\software\microsoft\windows\currentversion\explorer

Value : {f710fa10-2031-3106-8872-93a2b5c5c620}

 

Win32.Backdoor.Agent Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Virus

Comment : "{f710fa10-2031-3106-8872-93a2b5c5c620}"

Rootkey : HKEY_USERS

Object : S-1-5-18\software\microsoft\windows\currentversion\explorer

Value : {f710fa10-2031-3106-8872-93a2b5c5c620}

 

Win32.TrojanDownloader.Agent Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Virus

Comment : "{02ffac45-0b10-5633-4296-1801f1a36678}"

Rootkey : HKEY_USERS

Object : .DEFAULT\\software\microsoft\windows\currentversion\explorer

Value : {02ffac45-0b10-5633-4296-1801f1a36678}

 

Win32.TrojanDownloader.Agent Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Virus

Comment : "{02ffac45-0b10-5633-4296-1801f1a36678}"

Rootkey : HKEY_USERS

Object : S-1-5-18\\software\microsoft\windows\currentversion\explorer

Value : {02ffac45-0b10-5633-4296-1801f1a36678}

 

Win32.TrojanDownloader.Agent Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Virus

Comment : "{f710fa10-2031-3106-8872-93a2b5c5c620}"

Rootkey : HKEY_USERS

Object : .DEFAULT\\software\microsoft\windows\currentversion\explorer

Value : {f710fa10-2031-3106-8872-93a2b5c5c620}

 

Win32.TrojanDownloader.Agent Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Virus

Comment : "{f710fa10-2031-3106-8872-93a2b5c5c620}"

Rootkey : HKEY_USERS

Object : S-1-5-18\\software\microsoft\windows\currentversion\explorer

Value : {f710fa10-2031-3106-8872-93a2b5c5c620}

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 6

Objects found so far: 32

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 32

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 32

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 32

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 32

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

3 entries scanned.

New critical objects:0

Objects found so far: 32

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Win32.Backdoor.Agent Object Recognized!

Type : File

Data : audio.dll

TAC Rating : 10

Category : Virus

Comment :

Object : C:\WINDOWS\system32\wsnpoem\

 

 

 

Win32.Backdoor.Agent Object Recognized!

Type : File

Data : video.dll

TAC Rating : 10

Category : Virus

Comment :

Object : C:\WINDOWS\system32\wsnpoem\

 

 

 

Win32.TrojanDownloader.Agent Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Virus

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows nt\currentversion\network

Value : uid

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 3

Objects found so far: 35

 

19:25:42 Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:47:20.859

Objects scanned:186047

Objects identified:9

Objects ignored:0

New critical objects:9


Hi,

 

* Download Trend Micro HijackThis™

Double-click the HJTInstall.exe to start it.

By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

HijackThis will open after install. Press the Scan button below.

This will start the scan and open a log.

Copy and paste the contents of the log in your next reply.


Hi

 

This is the logfile of Hijackthis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:07:20, on 01.10.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\PFShared\UmxCfg.exe

C:\Program Files\Common Files\PFShared\UmxPol.exe

C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

C:\Program Files\Tiny Firewall Pro\UmxTray.exe

D:\progr\a-squared Free\a2service.exe

C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

C:\Program Files\OfficeScan NT\ntrtscan.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\OfficeScan NT\tmlisten.exe

C:\Program Files\Common Files\PFShared\umxlu.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

C:\WINDOWS\TEMP\IECD10.EXE

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\OfficeScan NT\pccntmon.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Ditto\Ditto.exe

C:\Program Files\PC-TV\WinManager\WinManager.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\FRITZ!DSL\FwebProt.exe

C:\Program Files\FRITZ!DSL\StCenter.EXE

D:\progr\Winamp\winamp.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

D:\progr\Reader\AcroRd32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

d:\Progr\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {7C7A8947-5935-4430-AC0E-E7D04697414E} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {CD9B7762-DFBC-42B1-BB30-02A78287B456} - (no file)

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe

O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe

O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv

O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm

O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim

O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing)

O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe

O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 002 (ClipInc002) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 003 (ClipInc003) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 004 (ClipInc004) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 005 (ClipInc005) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 006 (ClipInc006) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 007 (ClipInc007) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 008 (ClipInc008) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 009 (ClipInc009) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 010 (ClipInc010) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 011 (ClipInc011) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 012 (ClipInc012) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe

O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe

O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe

 

--

End of file - 11839 bytes


Hi,

 

You have two firewalls installed: the Trend Micro firewall and Tiny Firewall. NEVER install more than one firewall, because you can have a LOT of problems.

 

Also, I see the Trend Micro Office version installed. Is this a computer owned by a company or used for work? Please let me know in your next reply, because this is really important.


Hi

 

Thanks for your reply.

I am surprised. I do have Tiny, but I didn’t know about Trend Micro. I don’t find it. I searched the program folders, and I have done a system search. I don’t find Trend Micro, not even Trend Micro Office.

It is a private PC, no company.


Well, it's present and installed though...

 

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

 

So basically, you thought that there was no Antivirus either installed?

 

Anyway, I don't know now what you are going to do, uninstall Tiny or uninstall Trend Micro. But if you uninstall Trend Micro, you have to install another antivirus instead.

 

I guess, since you're not even aware that Trend Micro is installed (OfficeScan), it's better to uninstall it... because I am pretty sure it hasn't been updated in ages either.

 

Then install Avira Antivirus: http://www.free-av.com/

 

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Hi

 

I have some better info for you now. My anti-virus program is Trend Micro Office scan.

I didn’t remember the name, that’s why I didn’t find it, but when you mentioned antivirus, I remembered it. But I understand that it is an antivirus program, not a firewall! I update it regularly, and sometimes I do a hard drive scan, and it does search for viruses.

 

Before I wrote to you, I did an antivirus scan, which was negative (no log file). But I understand that AV-programs don’t detect the kind of spy- and malware that AdAware detects.

 

So my firewall is Tiny, and my AV program is Trend Micro Office scan. So I suppose I don’t need to uninstall Trend Micro and install Avira instead, what do you think?


Hi, it contains a Firewall though:

 

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

 

So this means you have to uninstall your Tiny firewall, because more than one firewall installed may cause a lot of problems.

 

Then, * Download Combofix to your desktop.

 

In case you have used Combofix before, please delete the version you have and redownload it, because Combofix is being updated every day.

 

In case your antivirus or any other realtime scanner displays an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again, because some scanners may see some Combofix-related components as suspicious and block or delete them while there's nothing wrong with them.

 

* Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

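The helper answers the firewall question by reading the O23 service lines of the HijackThis log by eye; as an added example (not code from HijackThis, Trend Micro or anyone in this thread), the Python below parses the O23 and F2 line shapes as they appear in the posted log and reports which vendors have firewall components registered as services and whether the UserInit value launches anything besides userinit.exe. The line grammar is inferred from the log as posted, and the sample input is a constructed subset of it.

```python
"""Read HijackThis 2.0.2 log lines for the two questions raised in this thread:
which vendors have firewall components registered as services (O23), and does the
UserInit value (F2) start anything besides userinit.exe at logon."""
import re

# Constructed sample: a subset of the HijackThis log posted above, in the exact
# line shape the tool prints (vendor spelling varies between lines on purpose).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
F2 - REG:system.ini: UserInit=userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,
O4 - HKLM\\..\\Run: [WinPatrol] C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\\Program Files\\OfficeScan NT\\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\\Program Files\\OfficeScan NT\\tmlisten.exe
O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\\Program Files\\Tiny Firewall Pro\\UmxAgent.exe
O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\\Program Files\\Common Files\\PFShared\\UmxPol.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\\Program Files\\Raxco\\PerfectDisk\\PDEngine.exe
O23 - Service: SmartLinkService (SLService) - - C:\\WINDOWS\\SYSTEM32\\slserv.exe
"""

# Line shapes inferred from the posted log (an assumption, not a published grammar):
#   O23 - Service: <display> (<short>) - <vendor> - <path>   (short and vendor may be absent)
#   F2 - REG:system.ini: UserInit=<comma-separated programs>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>[A-Za-z]:\\.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
SHORT_RE = re.compile(r"^(?P<display>.+) \((?P<short>[^()]+)\)$")


def parse_o23(line):
    """Return (display name, short name or None, vendor, path) for an O23 line, else None."""
    m = O23_RE.match(line)
    if not m:
        return None
    name, short = m.group("name"), None
    sm = SHORT_RE.match(name)
    if sm:
        name, short = sm.group("display"), sm.group("short")
    return name, short, m.group("vendor").strip(), m.group("path").strip()


def normalise_vendor(vendor):
    """'Tiny Software, Inc.' and 'Tiny Software Inc.' are the same company."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", vendor.lower()).split())


def firewall_vendors(log_text):
    """Normalised vendors with at least one service that looks like a firewall
    component, judged by 'firewall' in the service name or its install path."""
    vendors = set()
    for line in log_text.splitlines():
        parsed = parse_o23(line)
        if not parsed:
            continue
        name, _short, vendor, path = parsed
        if "firewall" in (name + " " + path).lower():
            vendors.add(normalise_vendor(vendor))
    return vendors


def userinit_extras(log_text):
    """Programs the F2 UserInit value starts besides userinit.exe itself.
    Winlogon runs every comma-separated entry at logon, so an empty list is the
    expected state and anything listed deserves an explanation."""
    for line in log_text.splitlines():
        m = F2_RE.match(line)
        if not m:
            continue
        entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
        return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
    return []


def report(log_text):
    """The summary the helper derived by eye from the O23 and F2 lines."""
    return {
        "firewall_vendors": sorted(firewall_vendors(log_text)),
        "userinit_extras": userinit_extras(log_text),
        "services": sum(1 for line in log_text.splitlines() if parse_o23(line)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```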

Hi

 

Out of interest, I tried to find out some info about the configuration of my OfficeScan firewall, but I couldn’t see anything in the OfficeScan client console. So I read the OfficeScan Client Help. I found something confusing: the help says that the client console displays the following tabs:

 

- scan

- Scan Results

- Enterprise Client Firewall

- Mail Scan

- Log Report

- Toolbox

 

But my client console only displays: scan, Scan Results and Log Report.

 

To somebody like me, who doesn’t understand anything about this, it seems that this might be something like a "lean version", as the client console doesn’t display anything about a firewall. Are you positively sure that my PC has an ENABLED firewall?

 

 

Meanwhile I have disabled Tiny.

 

Here is the Combofix file:

 

ComboFix 07-10-03.7 - Armin 2007-10-03 20:52:33.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.61 [GMT 2:00]

Running from: C:\Documents and Settings\Armin\My Documents\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\U.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))

.

 

2007-10-03 20:46 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-03 07:04 298,420 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat

2007-09-29 10:26 <DIR> d-------- C:\Documents and Settings\Armin\.imgseek

2007-09-24 08:28 335,872 --a------ C:\WINDOWS\system32\m4atag.dll

2007-09-22 18:18 <DIR> d-------- C:\Documents and Settings\Armin\.thumbnails

2007-09-22 10:38 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Mp3tag

2007-09-20 20:01 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Desktop Sidebar

2007-09-19 12:38 <DIR> d-------- C:\Program Files\PC Inspector File Recovery

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-03 20:50 --------- d-------- C:\Documents and Settings\Armin\Application Data\Ditto

2007-10-03 07:04 --------- d-------- C:\Program Files\OfficeScan NT

2007-10-02 19:26 18910 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k

2007-10-02 19:25 --------- d-------- C:\Documents and Settings\Armin\Application Data\FRITZ!

2007-09-29 15:29 --------- d-------- C:\Program Files\Common Files\Buhl Data Service

2007-09-21 18:30 --------- d-------- C:\Program Files\Mozilla Thunderbird

2007-09-19 12:38 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-09-05 19:52 --------- d-------- C:\Documents and Settings\Armin\Application Data\OpenOffice.org2

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll

2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2005-02-03 14:16 1312768 --a------ C:\Program Files\no23_Recorder.exe

2001-11-23 06:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 20:26]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]

"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-07-01 19:52]

"OfficeScanNT Monitor"="C:\Program Files\OfficeScan NT\pccntmon.exe" [2005-08-31 15:21]

"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2006-08-15 14:01]

"Adobe Reader Speed Launcher"="D:\progr\Reader\Reader_sl.exe" [2007-05-11 03:06]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]

"Ditto"="C:\Program Files\Ditto\Ditto.exe" [2005-11-01 22:06]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16]

 

C:\Documents and Settings\Armin\Start Menu\Programs\Startup\

FRITZ!DSL Protect.lnk - C:\Program Files\FRITZ!DSL\FwebProt.exe [2006-03-03 13:14:48]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"=0 (0x0)

"SynchronousUserGroupPolicy"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"=1 (0x1)

"NoResolveSearch"=1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"=0 (0x0)

"NoRecentDocsHistory"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

UmxWnp.Dll 2004-07-20 13:44 73793 C:\WINDOWS\system32\UmxWNP.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=UmxSbxExw.dll

 

R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys

R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys

R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys

R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys

R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys

R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys

R1 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\drivers\moufiltr.sys

R1 uigxrdr;uigxrdr;C:\WINDOWS\system32\DRIVERS\uigxrdr.sys

R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys

R2 ClipInc001;ClipInc 001;d:\Progr\ClipInc\Server\ClipInc-Server.exe 001

R2 ClipInc002;ClipInc 002;d:\Progr\ClipInc\Server\ClipInc-Server.exe 002

R2 ClipInc003;ClipInc 003;d:\Progr\ClipInc\Server\ClipInc-Server.exe 003

R2 ClipInc004;ClipInc 004;d:\Progr\ClipInc\Server\ClipInc-Server.exe 004

R2 ClipInc005;ClipInc 005;d:\Progr\ClipInc\Server\ClipInc-Server.exe 005

R2 ClipInc006;ClipInc 006;d:\Progr\ClipInc\Server\ClipInc-Server.exe 006

R2 ClipInc007;ClipInc 007;d:\Progr\ClipInc\Server\ClipInc-Server.exe 007

R2 ClipInc008;ClipInc 008;d:\Progr\ClipInc\Server\ClipInc-Server.exe 008

R2 ClipInc009;ClipInc 009;d:\Progr\ClipInc\Server\ClipInc-Server.exe 009

R2 ClipInc010;ClipInc 010;d:\Progr\ClipInc\Server\ClipInc-Server.exe 010

R2 ClipInc011;ClipInc 011;d:\Progr\ClipInc\Server\ClipInc-Server.exe 011

R2 ClipInc012;ClipInc 012;d:\Progr\ClipInc\Server\ClipInc-Server.exe 012

R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys

R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys

R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys

R2 ntrtscan;OfficeScanNT RealTime Scan;C:\Program Files\OfficeScan NT\ntrtscan.exe

R2 PDSched;PDScheduler;"C:\Program Files\Raxco\PerfectDisk\PDSched.exe"

R2 tmlisten;OfficeScanNT Listener;C:\Program Files\OfficeScan NT\tmlisten.exe

R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\OfficeScan NT\TmPreFlt.sys

R2 UmxAgent;FW Event Manager;"C:\Program Files\Tiny Firewall Pro\UmxAgent.exe"

R2 UmxCfg;FW Configuration Interpreter;"C:\Program Files\Common Files\PFShared\UmxCfg.exe"

R2 UmxLU;FW Live Update;"C:\Program Files\Common Files\PFShared\umxlu.exe"

R2 UmxPol;FW Policy Manager;"C:\Program Files\Common Files\PFShared\UmxPol.exe"

R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys

R3 UDTTUSB;USBDTT - USB DVB-T adapter Driver;C:\WINDOWS\system32\Drivers\UDTTcap.sys

S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys

S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys

S3 UDTTLOAD;UDTTLOAD;C:\WINDOWS\system32\DRIVERS\UDTTload.sys

S3 UmxUTA;FW User to IP Address Translation;"C:\Program Files\Tiny Firewall Pro\umxuta.exe"

S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0adf85e6-b261-11da-b62f-000b6a7c7073}]

AutoRun\command- F:\preinst.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afab3585-bb1c-11da-b64c-000b6a7c7073}]

AutoRun\command- F:\preinst.exe

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-03 20:57:53

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-10-03 21:00:23

C:\ComboFix-quarantined-files.txt ... 2007-10-03 21:00

.

--- E O F ---

 

 

And the Hijackthis file:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:05:04, on 03.10.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\PFShared\UmxCfg.exe

C:\Program Files\Common Files\PFShared\UmxPol.exe

C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

C:\Program Files\Tiny Firewall Pro\UmxTray.exe

D:\progr\a-squared Free\a2service.exe

C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

C:\Program Files\OfficeScan NT\ntrtscan.exe

C:\Program Files\OfficeScan NT\tmlisten.exe

C:\Program Files\Common Files\PFShared\umxlu.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\OfficeScan NT\pccntmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Ditto\Ditto.exe

C:\Program Files\PC-TV\WinManager\WinManager.exe

C:\Program Files\FRITZ!DSL\FwebProt.exe

C:\Program Files\FRITZ!DSL\StCenter.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

D:\progr\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {7C7A8947-5935-4430-AC0E-E7D04697414E} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {CD9B7762-DFBC-42B1-BB30-02A78287B456} - (no file)

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe

O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe

O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv

O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm

O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim

O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing)

O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe

O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 002 (ClipInc002) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 003 (ClipInc003) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 004 (ClipInc004) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 005 (ClipInc005) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 006 (ClipInc006) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 007 (ClipInc007) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 008 (ClipInc008) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 009 (ClipInc009) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 010 (ClipInc010) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 011 (ClipInc011) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 012 (ClipInc012) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe

O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe

O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe

 

--

End of file - 11543 bytes


Hi,

 

About the Officescan - it is indeed confusing since it does have this service present:

 

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

 

And you can't find it anywhere in the Officescan console? Anyway, if you don't have any problems with it, no real slowdown while browsing or errors, then you should be OK.

By the way, is your OfficeScan still able to update? I see this version is from 2005, so you had to renew it every year in order to make sure it's up to date.

If not, then maybe it's time to consider another antivirus instead, a free one, because it appears that OfficeScan is quite confusing for you as well. Anyway, let me know in your next reply.

 

Also, I see ClipInc installed. I assume you use this program? I wonder why it uses so many different services and why it runs so many instances in your Task Manager; this may cause an extra slowdown. I assume it's a buggy program.

 

Anyway, please do the following.

 

* Open Notepad. Don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

 

File::

C:\WINDOWS\system32\ntos.exe

 

Folder::

C:\windows\system32\wsnpoem

 

Registry::

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C7A8947-5935-4430-AC0E-E7D04697414E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD9B7762-DFBC-42B1-BB30-02A78287B456}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

 

Save this as a text file named CFScript.

 

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

 

[screenshot: CFScript.gif]

 

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

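The triage the helper does by eye in the post above (the extra program after userinit.exe in the F2/Userinit line, the three BHO registrations that point at no file, services listed with an unknown owner) and the CFScript that follows from it, written out as an added Python example. This is not code from the thread, from HijackThis or from ComboFix. The sample log lines are copied from the HijackThis log posted above; the clean Userinit line used for the after-fix check is constructed, since the second log later in the thread still lists ntos.exe. The key paths and the .reg form of the Userinit value are the ones the helper's script uses; everything else (function names, the rule that only the Userinit extras and dead BHO keys go into the script) is this example's own choice.

```python
"""Triage of HijackThis / ComboFix log lines for the persistence seen in this thread.

Added example for this page; it is not part of the thread, HijackThis or ComboFix.
"""
import re
from typing import Dict, List

# Constructed sample input: lines condensed from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C7A8947-5935-4430-AC0E-E7D04697414E} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CD9B7762-DFBC-42B1-BB30-02A78287B456} - (no file)
O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
"""

# Constructed: what the F2 line should look like once Userinit has been reset
# (the thread's second log still lists ntos.exe, so this is not copied from it).
CLEAN_USERINIT_LINE = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"

# The only program Winlogon should launch via Userinit on XP.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon"

_HJT_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
_CF_USERINIT = re.compile(r'^"Userinit"="(?P<value>.*)"$', re.I)  # ComboFix "Reg Loading Points" form
_HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$")


def userinit_extras(value: str) -> List[str]:
    """Every entry in a Userinit value other than the stock userinit.exe.

    Winlogon starts each comma-separated program in this value at every logon,
    which is how ntos.exe keeps coming back in the thread. The .reg form with
    doubled backslashes (as in the CFScript above) is accepted too.
    """
    value = value.replace("\\\\", "\\")
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != EXPECTED_USERINIT]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Pick out the three kinds of entries the helper acts on in the thread."""
    findings: Dict[str, List[str]] = {
        "userinit_extras": [],         # programs hijacking the logon chain
        "orphan_bhos": [],             # BHO CLSIDs whose DLL is gone: dead registration, safe to delete
        "unknown_owner_services": [],  # reported for review only, never deleted by this script
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := (_HJT_F2.match(line) or _CF_USERINIT.match(line)):
            findings["userinit_extras"].extend(userinit_extras(m["value"]))
        elif m := _HJT_O2.match(line):
            if m["path"].strip().lower() == "(no file)":
                findings["orphan_bhos"].append(m["clsid"])
        elif m := _HJT_O23.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                findings["unknown_owner_services"].append(m["short"])
    return findings


def build_cfscript(findings: Dict[str, List[str]]) -> str:
    """Render the findings in the CFScript layout the helper uses above.

    Only the Userinit extras and the dead BHO keys are written; services are
    left alone because an unknown owner is a hint, not a verdict.
    """
    lines: List[str] = []
    if findings["userinit_extras"]:
        lines += ["File::", *findings["userinit_extras"], ""]
    registry = [f"[-{BHO_KEY}\\{clsid}]" for clsid in findings["orphan_bhos"]]
    if findings["userinit_extras"]:
        # .reg syntax: backslashes doubled, trailing comma kept, exactly as in the thread.
        registry += [f"[{WINLOGON_KEY}]", '"Userinit"="C:\\\\WINDOWS\\\\system32\\\\userinit.exe,"']
    if registry:
        lines += ["Registry::", *registry, ""]
    return "\n".join(lines)


def fix_verified(log_text: str) -> bool:
    """True when a fresh log shows nothing but userinit.exe in Userinit.

    HijackThis prints the F2 line only when the value is non-default, so a log
    without it also counts as clean.
    """
    return not triage(log_text)["userinit_extras"]


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    print(found)
    print(build_cfscript(found))
    print("fix verified:", fix_verified(SAMPLE_HJT_LOG), fix_verified(CLEAN_USERINIT_LINE))
```

The point of fix_verified is the step that is easy to skip: run it over the log taken after ComboFix has rebooted, not only over the one that prompted the script. On the 05.10.2007 logs further down in this thread it would still return False, because both the ComboFix "Reg Loading Points" section and the HijackThis F2 line there still carry C:\WINDOWS\system32\ntos.exe, which means the Userinit reset did not take and the file needs another pass.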

Hi

 

Nothing happens when I try to open C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

 

I update OfficeScan every week from the icon in the tray bar, but it might be just the AV program, I don’t know.

 

Perhaps it is better to uninstall OfficeScan, enable Tiny firewall and install, perhaps, AntiVir. What do you think?

 

I haven't used ClipInc for ages, but I would like to use it again in the future. But if it is a buggy program I can uninstall it. Should I?

 

By the way, after rebooting, Microsoft firewall went into action and tried to block a startup program.

 

 

Here are the log files:

ComboFix 07-10-03.7 - Armin 2007-10-05 18:47:17.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.31 [GMT 2:00]

Script execution time was exceeded on script "C:\ComboFix\osid.vbs".

Script execution was terminated.

Running from: C:\Documents and Settings\Armin\My Documents\ComboFix.exe

Command switches used :: C:\Documents and Settings\Armin\My Documents\CFScript.txt

* Created a new restore point

 

FILE::

C:\WINDOWS\system32\ntos.exe

.

 

((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 )))))))))))))))))))))))))))))))

.

 

2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\SiteAdvisor

2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

2007-10-05 07:28 298,420 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat

2007-10-03 20:46 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-29 10:26 <DIR> d-------- C:\Documents and Settings\Armin\.imgseek

2007-09-24 08:28 335,872 --a------ C:\WINDOWS\system32\m4atag.dll

2007-09-22 18:18 <DIR> d-------- C:\Documents and Settings\Armin\.thumbnails

2007-09-22 10:38 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Mp3tag

2007-09-20 20:01 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Desktop Sidebar

2007-09-19 12:38 <DIR> d-------- C:\Program Files\PC Inspector File Recovery

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-05 18:37 --------- d-------- C:\Documents and Settings\Armin\Application Data\Ditto

2007-10-05 14:44 --------- d-------- C:\Program Files\OfficeScan NT

2007-10-04 21:52 18910 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k

2007-10-03 21:12 --------- d-------- C:\Documents and Settings\Armin\Application Data\FRITZ!

2007-09-29 15:29 --------- d-------- C:\Program Files\Common Files\Buhl Data Service

2007-09-21 18:30 --------- d-------- C:\Program Files\Mozilla Thunderbird

2007-09-19 12:38 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-09-05 19:52 --------- d-------- C:\Documents and Settings\Armin\Application Data\OpenOffice.org2

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll

2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2005-02-03 14:16 1312768 --a------ C:\Program Files\no23_Recorder.exe

2001-11-23 06:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

 

((((((((((((((((((((((((((((( [email protected]_20.59.09,81 )))))))))))))))))))))))))))))))))))))))))

.

----a-w 16,384 2007-10-05 05:29:35 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

----a-w 32,768 2007-10-05 05:29:35 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

----a-w 32,768 2007-10-05 05:29:35 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

----a-w 16,384 2007-10-03 05:05:49 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

----a-w 32,768 2007-10-03 05:05:49 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

----a-w 32,768 2007-10-03 05:05:49 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 20:26]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]

"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-07-01 19:52]

"OfficeScanNT Monitor"="C:\Program Files\OfficeScan NT\pccntmon.exe" [2005-08-31 15:21]

"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2006-08-15 14:01]

"Adobe Reader Speed Launcher"="D:\progr\Reader\Reader_sl.exe" [2007-05-11 03:06]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]

"Ditto"="C:\Program Files\Ditto\Ditto.exe" [2005-11-01 22:06]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16]

 

C:\Documents and Settings\Armin\Start Menu\Programs\Startup\

FRITZ!DSL Protect.lnk - C:\Program Files\FRITZ!DSL\FwebProt.exe [2006-03-03 13:14:48]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"=0 (0x0)

"SynchronousUserGroupPolicy"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"=1 (0x1)

"NoResolveSearch"=1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"=0 (0x0)

"NoRecentDocsHistory"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

UmxWnp.Dll 2004-07-20 13:44 73793 C:\WINDOWS\system32\UmxWNP.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=UmxSbxExw.dll

 

R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys

R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys

R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys

R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys

R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys

R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys

R1 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\drivers\moufiltr.sys

R1 uigxrdr;uigxrdr;C:\WINDOWS\system32\DRIVERS\uigxrdr.sys

R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys

R2 ClipInc001;ClipInc 001;d:\Progr\ClipInc\Server\ClipInc-Server.exe 001

R2 ClipInc002;ClipInc 002;d:\Progr\ClipInc\Server\ClipInc-Server.exe 002

R2 ClipInc003;ClipInc 003;d:\Progr\ClipInc\Server\ClipInc-Server.exe 003

R2 ClipInc004;ClipInc 004;d:\Progr\ClipInc\Server\ClipInc-Server.exe 004

R2 ClipInc005;ClipInc 005;d:\Progr\ClipInc\Server\ClipInc-Server.exe 005

R2 ClipInc006;ClipInc 006;d:\Progr\ClipInc\Server\ClipInc-Server.exe 006

R2 ClipInc007;ClipInc 007;d:\Progr\ClipInc\Server\ClipInc-Server.exe 007

R2 ClipInc008;ClipInc 008;d:\Progr\ClipInc\Server\ClipInc-Server.exe 008

R2 ClipInc009;ClipInc 009;d:\Progr\ClipInc\Server\ClipInc-Server.exe 009

R2 ClipInc010;ClipInc 010;d:\Progr\ClipInc\Server\ClipInc-Server.exe 010

R2 ClipInc011;ClipInc 011;d:\Progr\ClipInc\Server\ClipInc-Server.exe 011

R2 ClipInc012;ClipInc 012;d:\Progr\ClipInc\Server\ClipInc-Server.exe 012

R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys

R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys

R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys

R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\OfficeScan NT\TmPreFlt.sys

R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys

R3 UDTTUSB;USBDTT - USB DVB-T adapter Driver;C:\WINDOWS\system32\Drivers\UDTTcap.sys

S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys

S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys

S3 UDTTLOAD;UDTTLOAD;C:\WINDOWS\system32\DRIVERS\UDTTload.sys

S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0adf85e6-b261-11da-b62f-000b6a7c7073}]

AutoRun\command- F:\preinst.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afab3585-bb1c-11da-b64c-000b6a7c7073}]

AutoRun\command- F:\preinst.exe

 

.

**************************************************************************

 

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-05 19:00:41

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-10-05 19:07:13

C:\ComboFix-quarantined-files.txt ... 2007-10-05 19:06

C:\ComboFix2.txt ... 2007-10-03 21:00

.

--- E O F ---

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:12:25, on 05.10.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\PFShared\UmxCfg.exe

C:\Program Files\Common Files\PFShared\UmxPol.exe

C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

C:\Program Files\Tiny Firewall Pro\UmxTray.exe

D:\progr\a-squared Free\a2service.exe

C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

d:\Progr\ClipInc\Server\ClipInc-Server.exe

C:\Program Files\OfficeScan NT\ntrtscan.exe

C:\Program Files\OfficeScan NT\tmlisten.exe

C:\Program Files\Common Files\PFShared\umxlu.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\OfficeScan NT\pccntmon.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Ditto\Ditto.exe

C:\Program Files\PC-TV\WinManager\WinManager.exe

C:\Program Files\FRITZ!DSL\FwebProt.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\FRITZ!DSL\StCenter.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\TEMP\UZ5E2A.EXE

D:\progr\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe

O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe

O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv

O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm

O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim

O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing)

O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe

O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 002 (ClipInc002) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 003 (ClipInc003) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 004 (ClipInc004) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 005 (ClipInc005) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 006 (ClipInc006) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 007 (ClipInc007) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 008 (ClipInc008) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 009 (ClipInc009) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 010 (ClipInc010) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 011 (ClipInc011) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: ClipInc 012 (ClipInc012) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe

O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe

O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe

 

--

End of file - 11233 bytes


Hi,

 

By the way, after rebooting, Microsoft firewall went into action and tried to block a startup program.

Microsoft Firewall? I actually don't think this was Microsoft Firewall though - because that one should be disabled since you have Tiny Firewall installed.

What program exactly gave that alert? Can you also tell it to NOT block the startup program? Because I think it blocked the regscript we used in Combofix to get rid of the ntos.exe under the userinit value.

 

So check and fix next entry in HijackThis:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

 

If ANY program displays an alert afterwards and tries to block this change, make sure it isn't blocked, but allow it, because when it is blocked again, it will restore above entry in HijackThis again.

 

Perhaps it is better to uninstall OfficeScan, enable Tiny firewall and install, perhaps, AntiVir. What do you think?

Yes, sounds like a good idea.

 

I didn’t use ClipInc for ages, but I would like to use it in the future again. But if it is a buggy program I can uninstall it. Should I?

It appears to be buggy, because of the fact that it uses so many different services for the same thing. Not sure if it's supposed to be that way. You can uninstall it and reinstall it again afterwards when you decide to use it again. Maybe there will be an updated version in the meantime...

 

Then, * Go to start > run and copy and paste next command in the field:

 

ComboFix /u

 

Make sure there's a space between Combofix and /

Then hit enter.

 

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

 

 

Also do the following. Please perform this online scan: Kaspersky Webscan

1. Read the Requirements and Privacy statement, then select "Accept"

2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab

3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.

4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"

5. When the download is complete it will say ready, click "Next"

6. Select a target to scan: Click on "My Computer"

7. When the scan is complete choose to save the results as "Save as Text"

8. Post the Kaspersky scan results in your next reply.


 

Hi

 

AntiVir has found the Trojan

TR/Spy.Zbot.R

on C:\windows\system32\ntos.exe

I have checked “deny access”, but the message popped up again several times. Should I delete it next time?

 

I have fixed F2, but it still appears in Hijackthis.

 

Here is the Kaspersky log; below it, the HijackThis log:

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Monday, October 08, 2007 7:45:20 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.93.1

Kaspersky Anti-Virus database last update: 8/10/2007

Kaspersky Anti-Virus database records: 429223

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

C:\

D:\

E:\

 

Scan Statistics:

Total number of scanned objects: 64159

Number of viruses found: 0

Number of infected objects: 0

Number of suspicious objects: 0

Duration of the scan process: 02:08:53

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\LOGFILES\Upd-2007-10-08-17-16-19.log Object is locked skipped

C:\Documents and Settings\Armin\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\cert8.db Object is locked skipped

C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\history.dat Object is locked skipped

C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\key3.db Object is locked skipped

C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\parent.lock Object is locked skipped

C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Armin\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Armin\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jp4pr6t.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\History\History.IE5\MSHist012007100820071009\index.dat Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~DF1D4E.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~DF83E9.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~DF8C40.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~DF9BF4.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~DFB0F9.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~DFB287.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~DFBDC7.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~DFD8CC.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~WRF0000.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temp\~WRS0005.tmp Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Armin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Armin\My Documents\gra.doc Object is locked skipped

C:\Documents and Settings\Armin\My Documents\My x\Finanz\Konto\DAB\DAB Argy.doc Object is locked skipped

C:\Documents and Settings\Armin\My Documents\My x\Finanz\Konto\US_ImmoBubbleExpress[1].pdf Object is locked skipped

C:\Documents and Settings\Armin\My Documents\neu.doc Object is locked skipped

C:\Documents and Settings\Armin\My Documents\neu3.doc Object is locked skipped

C:\Documents and Settings\Armin\My Documents\~$neu3a.doc Object is locked skipped

C:\Documents and Settings\Armin\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Armin\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\FRITZ!DSL\access\access.lock Object is locked skipped

C:\Program Files\Tiny Firewall Pro\Log71008_001.xml Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{9318B114-C941-45FF-A468-28D8D29F0A9F}\RP293\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{1409F9D2-56C0-4AC5-B6E8-2C0F9349F360}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{9318B114-C941-45FF-A468-28D8D29F0A9F}\RP293\change.log Object is locked skipped

 

Scan process completed.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:32:03, on 08.10.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\PFShared\UmxCfg.exe

C:\Program Files\Common Files\PFShared\UmxPol.exe

C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

C:\Program Files\Tiny Firewall Pro\UmxTray.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

D:\progr\a-squared Free\a2service.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Common Files\PFShared\umxlu.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\VM_STI.EXE

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Ditto\Ditto.exe

C:\Program Files\PC-TV\WinManager\WinManager.exe

C:\Program Files\FRITZ!DSL\FwebProt.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\FRITZ!DSL\StCenter.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

D:\progr\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe

O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe

O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv

O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm

O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim

O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing)

O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe

O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe

O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe

O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe

 

--

End of file - 9738 bytes


Hi,

 

I have checked “deny access”, but the message popped up again several times. Should I delete it next time?

Yes, you should delete it.

 

It may be better if you perform next step instead..

 

* Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window:
     
    C:\WINDOWS\system32\ntos.exe
    C:\windows\system32\wsnpoem
     
     
     
  • Then click the red Moveit! button below.
  • Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. It will then reboot your computer.

Even though OTMoveIT didn't ask to reboot your computer - reboot anyway, since moved files may still be in use.

 

Then, after reboot, go to next folder: C:\_OTMoveIt\MovedFiles and search for the log: ********_******.log (the * stands for date and time) and post the contents of it in your next reply.

 

Also, after you performed above and after reboot, check and fix next entry in HijackThis again:

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

 

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Reboot once again and post a new HijackThis log in your next reply.

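The two F2 UserInit fixes the helper asks for above, and the earlier remark about ClipInc registering twelve services with no owner, as an added example that is not code from this thread or from HijackThis: a small Python checker that reads HijackThis log lines, reports every UserInit component other than Windows' own userinit.exe (the way ntos.exe keeps reappearing here), and lists O23 services that carry no vendor name. SYSTEM_ROOT is assumed to be C:\WINDOWS as the posted platform line shows; the sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example, not part of the thread or of HijackThis itself.
# Windows puts exactly one component in the Winlogon Userinit value; anything
# appended after it (here ntos.exe) is started at every logon, which is why the
# F2 line keeps coming back until the file itself is gone.
SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: matches the "Platform: Windows XP" log posted above
LEGIT_USERINIT = (SYSTEM_ROOT + r"\system32\userinit.exe").lower()

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
# name - vendor - path; the vendor field may be empty ("SmartLinkService - - C:\...").
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) -\s*(?P<vendor>.*?)\s*- (?P<path>[A-Za-z]:\\.*)$"
)


@dataclass
class Findings:
    rogue_userinit: List[str] = field(default_factory=list)            # extra Userinit components
    unvetted_services: List[Tuple[str, str]] = field(default_factory=list)  # (service, binary) without vendor


def userinit_components(line: str) -> List[str]:
    """Split the UserInit value of an F2 line into its comma-separated entries."""
    m = F2_RE.match(line.strip())
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def check_log(text: str) -> Findings:
    """Walk a HijackThis log and collect the two indicators discussed in the thread."""
    findings = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - "):
            for comp in userinit_components(line):
                if comp.lower() != LEGIT_USERINIT:
                    findings.rogue_userinit.append(comp)
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m and m.group("vendor").strip() in ("", "Unknown owner"):
                findings.unvetted_services.append((m.group("name"), m.group("path")))
    return findings


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - d:\Progr\ClipInc\Server\ClipInc-Server.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# A constructed clean F2 line: what the entry should look like after the fix holds.
CLEAN_F2 = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"

if __name__ == "__main__":
    result = check_log(SAMPLE_LOG)
    for comp in result.rogue_userinit:
        print("Unexpected Userinit component:", comp)
    for name, path in result.unvetted_services:
        print("Service without vendor name:", name, "->", path)
```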
Hi,

 

Yes, you should delete it.

 

It may be better if you perform next step instead..

 

* Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window:
     
    C:\WINDOWS\system32\ntos.exe
    C:\windows\system32\wsnpoem
  • Then click the red Moveit! button below.
  • Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Then it will reboot your computer.


Hi

 

Thanks a lot for your help. There is no more AntiVir alert. :o

 

Here are the logs you asked me for:

 

File/Folder not found.

File/Folder C:\WINDOWS\system32\ntos.exe not found.

Folder move failed. C:\windows\system32\wsnpoem scheduled to be moved on reboot.

 

Created on 10.09.2007 09:24:34

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:46:13, on 09.10.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\PFShared\UmxCfg.exe

C:\Program Files\Common Files\PFShared\UmxPol.exe

C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

C:\Program Files\Tiny Firewall Pro\UmxTray.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\Explorer.EXE

D:\progr\a-squared Free\a2service.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Common Files\PFShared\umxlu.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\VM_STI.EXE

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Ditto\Ditto.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\PC-TV\WinManager\WinManager.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\FRITZ!DSL\FwebProt.exe

C:\Program Files\FRITZ!DSL\StCenter.EXE

D:\progr\Winamp\winamp.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\svchost.exe

D:\progr\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe

O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe

O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv

O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm

O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim

O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing)

O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe

O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe

O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe

O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe

 

--

End of file - 9910 bytes


Hi,

 

Did you reboot after you used OTMoveIT?

Because this is important.

 

Check and fix next entry in HijackThis again:

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

 

Please make sure that none of your security programs running in the background prevent the deletion of that key; so in case any of your scanners displays an alert after you fix the above entry in HijackThis, make sure you allow the change and don't let it block it.

 

Then let me know in your next reply if the above entry stays away, because this is important...
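The point of the repeated F2 fix above is that the Winlogon UserInit value should name only userinit.exe; any extra path appended to it (here ntos.exe) is run at every logon and keeps the infection coming back. The following Python script is an added example written for this thread, not code from the forum, HijackThis or ComboFix: it parses the two line formats in which that value appears in the logs posted here (the HijackThis "F2 - REG:system.ini: UserInit=" line and the ComboFix "Userinit"= line, including the doubled backslashes of the .reg-style CFScript form) and reports every path in the value other than the expected userinit.exe. The sample lines are constructed from the paths this thread names.

```python
import re

# Constructed sample lines, modelled on the HijackThis and ComboFix output
# quoted in this thread (paths are the ones the thread names, not new IoCs).
SAMPLE_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,",
    r'"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"',
    r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"',          # CFScript / .reg style
    r"O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe",
]

# HijackThis F2 line and ComboFix / .reg "Userinit" line.
HJT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
CF_RE = re.compile(r'^"Userinit"="(?P<value>.*)"$', re.IGNORECASE)

# The only program that belongs in a default XP Userinit value (compared case-insensitively).
EXPECTED = {r"c:\windows\system32\userinit.exe"}


def extract_userinit(line):
    """Return the raw Userinit value from a log line, or None if the line is not one.

    Doubled backslashes (the .reg / CFScript escaping) are collapsed so that
    both line formats yield the same path spelling.
    """
    line = line.strip()
    for rx in (HJT_RE, CF_RE):
        m = rx.match(line)
        if m:
            return m.group("value").replace("\\\\", "\\")
    return None


def split_userinit(value):
    """Split the comma-separated Userinit value into its non-empty path entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def unexpected_entries(value):
    """Return every path in the value that is not the expected userinit.exe."""
    return [p for p in split_userinit(value) if p.lower() not in EXPECTED]


def audit(lines):
    """Scan log lines; return (line, [unexpected paths]) for each Userinit value that is not clean."""
    findings = []
    for line in lines:
        value = extract_userinit(line)
        if value is None:
            continue
        extra = unexpected_entries(value)
        if extra:
            findings.append((line.strip(), extra))
    return findings


if __name__ == "__main__":
    for line, extra in audit(SAMPLE_LINES):
        print("Suspicious Userinit entry:", line)
        for path in extra:
            print("   extra program run at logon:", path)
```

Fed a saved HijackThis or ComboFix log instead of the sample list (one line per element), the script prints only the Userinit values that carry something beyond userinit.exe, which is exactly the entry the helper keeps asking the poster to re-check.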

 

Hi

 

Unfortunately the trojan reappeared. And my PC is not very stable (sometimes very slow, so something must be going on in the background, and sometimes non-responding programs) :wub:

 

Yes I did reboot, as you told me.

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe doesn’t go away from HijackThis, even though I don’t see it in Windows Explorer.


Then the infection is still present...

Not sure why it always comes back since we deleted the related folder and file...

 

Can you download Combofix again from the same link I posted previously? (one of my first posts)

Then run combofix and post the log in your next reply.


Hi

 

Here is the Combofix log

 

ComboFix 07-10-09.3 - Armin 2007-10-09 19:09:47.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.90 [GMT 2:00]

Running from: C:\Documents and Settings\Armin\My Documents\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))

.

 

2007-10-09 17:37 298,420 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat

2007-10-08 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-10-08 13:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-10-07 22:13 <DIR> d-------- C:\Program Files\Avira

2007-10-07 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\SiteAdvisor

2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

2007-10-03 20:46 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-29 10:26 <DIR> d-------- C:\Documents and Settings\Armin\.imgseek

2007-09-24 08:28 335,872 --a------ C:\WINDOWS\system32\m4atag.dll

2007-09-22 18:18 <DIR> d-------- C:\Documents and Settings\Armin\.thumbnails

2007-09-22 10:38 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Mp3tag

2007-09-20 20:01 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Desktop Sidebar

2007-09-19 12:38 <DIR> d-------- C:\Program Files\PC Inspector File Recovery

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-09 17:02 --------- d-----w C:\Documents and Settings\Armin\Application Data\Ditto

2007-10-09 15:36 18,910 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k

2007-10-09 13:50 --------- d-----w C:\Documents and Settings\Armin\Application Data\FRITZ!

2007-10-08 10:44 --------- d---a-w C:\Program Files\OfficeScan NT

2007-09-29 13:29 --------- d-----w C:\Program Files\Common Files\Buhl Data Service

2007-09-21 16:30 --------- d-----w C:\Program Files\Mozilla Thunderbird

2007-09-19 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-09-05 17:52 --------- d-----w C:\Documents and Settings\Armin\Application Data\OpenOffice.org2

2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll

2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2005-02-03 12:16 1,312,768 ----a-w C:\Program Files\no23_Recorder.exe

2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]

"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-07-01 19:52]

"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2006-08-15 14:01]

"Adobe Reader Speed Launcher"="D:\progr\Reader\Reader_sl.exe" [2007-05-11 03:06]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]

"Ditto"="C:\Program Files\Ditto\Ditto.exe" [2005-11-01 22:06]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"=0 (0x0)

"SynchronousUserGroupPolicy"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"=1 (0x1)

"NoResolveSearch"=1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"=0 (0x0)

"NoRecentDocsHistory"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

UmxWnp.Dll 2004-07-20 13:44 73793 C:\WINDOWS\system32\UmxWNP.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=UmxSbxExw.dll

 

R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys

R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys

R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys

R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys

R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys

R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys

R1 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\drivers\moufiltr.sys

R1 uigxrdr;uigxrdr;C:\WINDOWS\system32\DRIVERS\uigxrdr.sys

R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys

R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys

R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys

R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys

R2 PDSched;PDScheduler;"C:\Program Files\Raxco\PerfectDisk\PDSched.exe"

R2 UmxAgent;FW Event Manager;"C:\Program Files\Tiny Firewall Pro\UmxAgent.exe"

R2 UmxCfg;FW Configuration Interpreter;"C:\Program Files\Common Files\PFShared\UmxCfg.exe"

R2 UmxLU;FW Live Update;"C:\Program Files\Common Files\PFShared\umxlu.exe"

R2 UmxPol;FW Policy Manager;"C:\Program Files\Common Files\PFShared\UmxPol.exe"

R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys

R3 UDTTUSB;USBDTT - USB DVB-T adapter Driver;C:\WINDOWS\system32\Drivers\UDTTcap.sys

S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys

S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys

S3 UDTTLOAD;UDTTLOAD;C:\WINDOWS\system32\DRIVERS\UDTTload.sys

S3 UmxUTA;FW User to IP Address Translation;"C:\Program Files\Tiny Firewall Pro\umxuta.exe"

S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0adf85e6-b261-11da-b62f-000b6a7c7073}]

AutoRun\command - F:\preinst.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afab3585-bb1c-11da-b64c-000b6a7c7073}]

AutoRun\command - F:\preinst.exe

 

.

**************************************************************************

 

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-09 19:43:29

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

C:\WINDOWS\system32\wsnpoem

 

scan completed successfully

hidden files: 1

 

**************************************************************************

.

Completion time: 2007-10-09 19:56:57

C:\ComboFix-quarantined-files.txt ... 2007-10-05 19:06

C:\ComboFix2.txt ... 2007-10-05 19:07

C:\ComboFix3.txt ... 2007-10-03 21:00

.

--- E O F ---


Ok; let's give this another try...

 

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

 

KILLALL::

 

File::

C:\WINDOWS\system32\ntos.exe

 

Folder::

C:\windows\system32\wsnpoem

 

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

 

Save this as a text file named CFScript

 

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

 

CFScript.gif

 

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Hi

 

Unfortunately the Trojan is still there. AntiVir also found 2 heuristic malware detections:

C:\Documents and Settings\Armin\My Documents\ComboFix.exe

C:\ComboFix\setpath.cfexe

 

I sent the 3 into quarantine.

 

Is there anything else I can do?

:mellow:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:06, on 2007-10-11

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\PFShared\UmxCfg.exe

C:\Program Files\Common Files\PFShared\UmxPol.exe

C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

C:\Program Files\Tiny Firewall Pro\UmxTray.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

D:\progr\a-squared Free\a2service.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Common Files\PFShared\umxlu.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\VM_STI.EXE

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Ditto\Ditto.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\PC-TV\WinManager\WinManager.exe

C:\Program Files\FRITZ!DSL\FwebProt.exe

C:\Program Files\FRITZ!DSL\StCenter.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe

D:\progr\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe

O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe

O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv

O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm

O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim

O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing)

O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe

O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe

O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe

O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe

 

--

End of file - 9857 bytes

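An added example, not code from this thread: a small Python checker that reads HijackThis lines and flags a Userinit chain carrying anything beyond userinit.exe (the F2 line in this thread's later HijackThis log lists ntos.exe there), plus the wsnpoem folder and the audio.dll / video.dll names from the opening post. The sample lines are constructed (two are copied from the log in this thread, the rundll32 line is made up to exercise the folder check); the indicator list is specific to this thread, not a general signature set.

```python
"""Flag the Userinit hijack and known file names from a HijackThis log.

Added example, not code from the thread. Indicator names come from this
thread (ntos.exe in the F2 UserInit line, the wsnpoem folder with
audio.dll / video.dll); everything else is an assumption.
"""
import re
from pathlib import PureWindowsPath

# Stock Userinit on Windows XP is a single entry; the trailing comma is normal.
STOCK_USERINIT = "userinit.exe"

# Names lifted from this thread's logs (not a general-purpose signature list).
SUSPECT_RE = re.compile(
    r'\\wsnpoem\\|\\(?:ntos\.exe|audio\.dll|video\.dll)(?=[\s,"]|$)',
    re.IGNORECASE,
)

F2_USERINIT_RE = re.compile(
    r"^F2 - REG:system\.ini: UserInit=(?P<chain>.*)$", re.IGNORECASE
)


def userinit_entries(chain):
    """Split the comma-separated Userinit chain into its non-empty entries."""
    return [p.strip().strip('"') for p in chain.split(",") if p.strip()]


def userinit_extras(chain):
    """Entries in the Userinit chain other than the stock userinit.exe.

    Anything listed here runs at every interactive logon, which is how the
    ntos.exe entry in this thread's log persists across reboots.
    """
    return [
        entry
        for entry in userinit_entries(chain)
        if PureWindowsPath(entry).name.lower() != STOCK_USERINIT
    ]


def scan_hjt(lines):
    """Return (rule, detail, line) findings for the HijackThis lines given."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = F2_USERINIT_RE.match(line)
        if m:
            extras = userinit_extras(m.group("chain"))
            if extras:
                findings.append(("userinit-extra", extras, line))
            continue
        hit = SUSPECT_RE.search(line)
        if hit:
            findings.append(("suspect-path", hit.group(0), line))
    return findings


# Constructed sample: the first F2 line and the avgnt O4 line are copied from
# the HijackThis log in this thread, the rundll32 line is made up to show the
# wsnpoem folder check, and the last F2 line is a clean stock value.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - HKLM\..\Run: [audio] rundll32.exe C:\WINDOWS\system32\wsnpoem\audio.dll,Start",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
]

if __name__ == "__main__":
    for rule, detail, line in scan_hjt(SAMPLE_LOG):
        print(f"{rule}: {detail}\n    {line}")
```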
Unfortunately the Trojan is still there. AntiVir also found 2 heuristic malware detections:

C:\Documents and Settings\Armin\My Documents\ComboFix.exe

C:\ComboFix\setpath.cfexe

No wonder Combofix fails to remove it here: Avira is deleting Combofix, including some components Combofix uses.

I actually already posted in one of my first posts that you have to disable any scanner that flags Combofix as malicious, because Combofix must not get deleted; otherwise your problem may not be solved.

 

Anyway, create the CFScript again as I instructed in my previous post.

Disable your Avira.

Then RE-download Combofix from the same link again and save it to your desktop.

 

Then reboot into Safe Mode (without networking support!):

To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.

Choose Safe Mode from the menu that will appear and press Enter.

 

In Windows Safe Mode, drag the CFScript you created previously onto Combofix.exe.

This will start Combofix again.

 

Let it finish and let it reboot.

 

Back in normal mode, post a new HijackThis log together with the log from Combofix.

 

In case Avira displays any alert after reboot, choose to IGNORE!

Sorry about the misunderstanding about Combofix and AntiVir. There was no alert while I ran AntiVir. I only noticed this later when I did a manual system scan with AntiVir.

 

Unfortunately I cannot boot in safe mode. It starts booting in safe mode, but then it continues booting in normal mode. I tried it several times (safe mode and safe mode with prompt); it is always the same. The boot process switches into normal mode at the point where the user has to be chosen, but I didn't click anything; the boot process just switched automatically.

I have run Combofix anyway, after disabling AntiVir, but I still have problems with slow or non responding programs.

 

Here are the Hijackthis and Combofix logs:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:05:29, on 12.10.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\PFShared\UmxCfg.exe

C:\Program Files\Common Files\PFShared\UmxPol.exe

C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

C:\Program Files\Tiny Firewall Pro\UmxTray.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

D:\progr\a-squared Free\a2service.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Common Files\PFShared\umxlu.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\VM_STI.EXE

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Ditto\Ditto.exe

C:\Program Files\PC-TV\WinManager\WinManager.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\GMX\GMX Upload-Manager\DAVSRV.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

D:\progr\Winamp\winamp.exe

D:\progr\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe

O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe

O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv

O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm

O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim

O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing)

O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe

O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe

O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe

O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe

 

--

End of file - 9865 bytes

 

ComboFix 07-10-12.1 - Armin 2007-10-12 6:44:06.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT 2:00]

Running from: C:\Documents and Settings\Armin\My Documents\ComboFix.exe

Command switches used :: C:\Documents and Settings\Armin\Desktop\[email protected][email protected][email protected]

* Created a new restore point

 

FILE::

C:\WINDOWS\system32\ntos.exe

.

 

((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))

.

 

2007-10-12 06:37 298,420 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat

2007-10-09 10:58 <DIR> d-------- C:\Program Files\Java

2007-10-09 10:58 <DIR> d-------- C:\Program Files\Common Files\Java

2007-10-08 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-10-08 13:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-10-07 22:13 <DIR> d-------- C:\Program Files\Avira

2007-10-07 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\SiteAdvisor

2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

2007-10-05 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

2007-10-03 20:46 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-29 10:26 <DIR> d-------- C:\Documents and Settings\Armin\.imgseek

2007-09-24 08:28 335,872 --a------ C:\WINDOWS\system32\m4atag.dll

2007-09-22 18:18 <DIR> d-------- C:\Documents and Settings\Armin\.thumbnails

2007-09-22 10:38 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Mp3tag

2007-09-20 20:01 <DIR> d-------- C:\Documents and Settings\Armin\Application Data\Desktop Sidebar

2007-09-19 12:38 <DIR> d-------- C:\Program Files\PC Inspector File Recovery

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-12 04:40 --------- d-----w C:\Documents and Settings\Armin\Application Data\Ditto

2007-10-12 04:34 18,910 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k

2007-10-12 04:34 --------- d-----w C:\Documents and Settings\Armin\Application Data\FRITZ!

2007-10-08 10:44 --------- d---a-w C:\Program Files\OfficeScan NT

2007-09-29 13:29 --------- d-----w C:\Program Files\Common Files\Buhl Data Service

2007-09-21 16:30 --------- d-----w C:\Program Files\Mozilla Thunderbird

2007-09-19 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-09-05 17:52 --------- d-----w C:\Documents and Settings\Armin\Application Data\OpenOffice.org2

2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll

2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2005-02-03 12:16 1,312,768 ----a-w C:\Program Files\no23_Recorder.exe

2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

 

((((((((((((((((((((((((((((( [email protected]_19.48.31,56 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-08-20 10:02:09 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\advpack.dll

+ 2007-08-20 10:02:11 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\dxtrans.dll

+ 2007-08-20 10:02:09 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\extmgr.dll

+ 2007-08-20 10:02:09 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\icardie.dll

+ 2007-08-17 10:12:34 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ie4uinit.exe

+ 2007-08-20 10:02:09 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieakeng.dll

+ 2007-08-20 10:02:09 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieaksie.dll

+ 2007-08-17 07:29:55 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieakui.dll

+ 2007-04-17 09:28:12 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieapfltr.dat

+ 2007-08-20 10:02:09 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieapfltr.dll

+ 2007-08-20 10:02:09 387,584 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iedkcs32.dll

+ 2007-08-20 10:02:10 6,066,176 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieframe.dll

+ 2007-08-20 10:02:10 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iernonce.dll

+ 2007-08-20 10:02:10 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iertutil.dll

+ 2007-08-17 10:12:35 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\ieudinit.exe

+ 2007-08-17 10:12:49 625,152 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe

+ 2007-08-20 10:02:10 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\jsproxy.dll

+ 2007-08-20 10:02:10 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\msfeeds.dll

+ 2007-08-20 10:02:10 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\msfeedsbs.dll

+ 2007-08-20 10:02:11 3,592,192 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\mshtml.dll

+ 2007-08-20 10:02:11 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\mshtmled.dll

+ 2007-08-20 10:02:11 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\msrating.dll

+ 2007-08-20 10:02:11 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\mstime.dll

+ 2007-08-20 10:02:11 102,400 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\occache.dll

+ 2007-08-20 10:02:11 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\url.dll

+ 2007-08-20 10:02:11 1,161,728 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\urlmon.dll

+ 2007-08-20 10:02:11 232,960 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\webcheck.dll

+ 2007-08-20 10:02:11 825,344 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll

+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\spmsg.dll

+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\spuninst.exe

+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\update\spcustom.dll

+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe

+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\update\updspapi.dll

+ 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\$hf_mig$\KB941202\SP2QFE\inetcomm.dll

+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spmsg.dll

+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spuninst.exe

+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\spcustom.dll

+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\update.exe

+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\updspapi.dll

+ 2004-08-03 22:56:46 581,120 -c----w C:\WINDOWS\$NtUninstallKB933729$\rpcrt4.dll

+ 2005-10-12 23:12:26 213,216 -c----w C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe

+ 2005-10-12 23:12:33 371,424 -c----w C:\WINDOWS\$NtUninstallKB933729$\spuninst\updspapi.dll

+ 2007-03-09 11:28:00 248,320 -c----w C:\WINDOWS\$NtUninstallKB933729$\xpsp3res.dll

+ 2007-05-16 15:12:02 683,520 -c----w C:\WINDOWS\$NtUninstallKB941202$\inetcomm.dll

+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe

+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB941202$\spuninst\updspapi.dll

+ 2007-06-27 14:34:51 124,928 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\advpack.dll

+ 2006-10-17 10:57:50 214,528 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\dxtrans.dll

+ 2007-06-27 14:34:51 132,608 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\extmgr.dll

+ 2006-10-17 10:58:20 61,952 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\icardie.dll

+ 2007-06-27 08:27:04 63,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ie4uinit.exe

+ 2007-06-27 14:34:51 153,088 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakeng.dll

+ 2007-06-27 14:34:51 230,400 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieaksie.dll

+ 2007-06-27 07:00:33 161,792 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakui.dll

+ 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieapfltr.dll

+ 2007-06-27 14:34:51 384,512 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iedkcs32.dll

+ 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieframe.dll

+ 2007-06-27 14:34:55 44,544 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iernonce.dll

+ 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iertutil.dll

+ 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieudinit.exe

+ 2007-06-27 08:27:30 625,152 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iexplore.exe

+ 2007-06-27 14:34:56 27,648 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\jsproxy.dll

+ 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msfeeds.dll

+ 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msfeedsbs.dll

+ 2007-07-19 06:59:59 3,583,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mshtml.dll

+ 2007-06-27 14:34:57 477,696 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mshtmled.dll

+ 2007-06-27 14:34:58 193,024 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msrating.dll

+ 2007-06-27 14:34:58 671,232 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mstime.dll

+ 2007-06-27 14:34:58 102,400 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\occache.dll

+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe

+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\updspapi.dll

+ 2007-06-27 14:34:58 105,984 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\url.dll

+ 2007-06-27 14:34:58 1,152,000 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\urlmon.dll

+ 2007-06-27 14:34:59 232,960 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\webcheck.dll

+ 2007-06-27 14:34:59 823,808 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll

+ 2007-07-09 13:09:42 584,192 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\rpcrt4.dll

+ 2007-06-13 06:53:14 115,712 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\xpsp3res.dll

+ 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\rpcrt4.dll

+ 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\xpsp3res.dll

+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spmsg.dll

+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spuninst.exe

+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\spcustom.dll

+ 2005-10-12 23:12:28 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\update.exe

+ 2005-10-12 23:12:33 371,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\updspapi.dll

+ 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\advpack.dll

+ 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\dxtrans.dll

+ 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\extmgr.dll

+ 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\icardie.dll

+ 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ie4uinit.exe

+ 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieakeng.dll

+ 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieaksie.dll

+ 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieakui.dll

+ 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieapfltr.dll

+ 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\iedkcs32.dll

+ 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieframe.dll

+ 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\iernonce.dll

+ 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\iertutil.dll

+ 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\ieudinit.exe

+ 2007-08-17 10:21:21 625,152 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\iexplore.exe

+ 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\jsproxy.dll

+ 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\msfeeds.dll

+ 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\msfeedsbs.dll

+ 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\mshtml.dll

+ 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\mshtmled.dll

+ 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\msrating.dll

+ 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\mstime.dll

+ 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\occache.dll

+ 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\url.dll

+ 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\urlmon.dll

+ 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\webcheck.dll

+ 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2gdr\wininet.dll

+ 2007-08-20 10:02:09 124,928 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\advpack.dll

+ 2007-08-20 10:02:11 214,528 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\dxtrans.dll

+ 2007-08-20 10:02:09 132,608 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\extmgr.dll

+ 2007-08-20 10:02:09 63,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\icardie.dll

+ 2007-08-17 10:12:34 70,656 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ie4uinit.exe

+ 2007-08-20 10:02:09 153,088 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieakeng.dll

+ 2007-08-20 10:02:09 230,400 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieaksie.dll

+ 2007-08-17 07:29:55 161,792 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieakui.dll

+ 2007-04-17 09:28:12 2,455,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieapfltr.dat

+ 2007-08-20 10:02:09 383,488 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieapfltr.dll

+ 2007-08-20 10:02:09 387,584 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\iedkcs32.dll

+ 2007-08-20 10:02:10 6,066,176 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieframe.dll

+ 2007-08-20 10:02:10 44,544 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\iernonce.dll

+ 2007-08-20 10:02:10 267,776 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\iertutil.dll

+ 2007-08-17 10:12:35 13,824 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\ieudinit.exe

+ 2007-08-17 10:12:49 625,152 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\iexplore.exe

+ 2007-08-20 10:02:10 27,648 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\jsproxy.dll

+ 2007-08-20 10:02:10 459,264 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\msfeeds.dll

+ 2007-08-20 10:02:10 52,224 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\msfeedsbs.dll

+ 2007-08-20 10:02:11 3,592,192 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\mshtml.dll

+ 2007-08-20 10:02:11 478,208 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\mshtmled.dll

+ 2007-08-20 10:02:11 193,024 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\msrating.dll

+ 2007-08-20 10:02:11 671,232 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\mstime.dll

+ 2007-08-20 10:02:11 102,400 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\occache.dll

+ 2007-08-20 10:02:11 105,984 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\url.dll

+ 2007-08-20 10:02:11 1,161,728 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\urlmon.dll

+ 2007-08-20 10:02:11 232,960 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\webcheck.dll

+ 2007-08-20 10:02:11 825,344 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\sp2qfe\wininet.dll

+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\spmsg.dll

+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\spuninst.exe

+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\update\spcustom.dll

+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\update\update.exe

+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\update\updspapi.dll

+ 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2gdr\inetcomm.dll

+ 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2qfe\inetcomm.dll

+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spmsg.dll

+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spuninst.exe

+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\spcustom.dll

+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\update.exe

+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\updspapi.dll

- 2007-06-27 14:34:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll

+ 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll

- 2007-10-09 15:38:29 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2007-10-12 04:38:04 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2007-10-09 15:38:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2007-10-12 04:38:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2007-10-09 15:38:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2007-10-12 04:38:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2007-06-27 14:34:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll

+ 2007-08-20 10:04:34 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll

- 2006-10-17 10:57:50 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll

+ 2007-08-20 10:04:34 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll

- 2007-06-27 14:34:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll

+ 2007-08-20 10:04:34 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll

+ 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll

- 2007-06-27 08:27:04 63,488 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe

+ 2007-08-17 10:20:54 63,488 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe

- 2007-06-27 14:34:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll

+ 2007-08-20 10:04:34 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll

- 2007-06-27 14:34:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll

+ 2007-08-20 10:04:35 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll

- 2007-06-27 07:00:33 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll

+ 2007-08-17 07:34:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll

- 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll

+ 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll

- 2007-06-27 14:34:51 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll

+ 2007-08-20 10:04:35 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll

- 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll

+ 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll

- 2007-06-27 14:34:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll

+ 2007-08-20 10:04:38 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll

- 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll

+ 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll

- 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe

+ 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe

- 2007-06-27 08:27:30 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe

+ 2007-08-17 10:21:21 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe

- 2007-05-16 15:12:02 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll

+ 2007-08-21 06:15:44 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll

- 2007-06-27 14:34:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll

+ 2007-08-20 10:04:39 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll

- 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll

+ 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll

- 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll

+ 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll

- 2007-07-19 06:59:59 3,583,488 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll

+ 2007-08-20 10:04:41 3,584,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll

- 2007-06-27 14:34:57 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll

+ 2007-08-20 10:04:41 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll

- 2007-06-27 14:34:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll

+ 2007-08-20 10:04:41 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll

- 2007-06-27 14:34:58 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll

+ 2007-08-20 10:04:42 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll

- 2007-06-27 14:34:58 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll

+ 2007-08-20 10:04:42 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll

- 2004-08-03 22:56:46 581,120 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll

+ 2007-07-09 13:16:16 582,656 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll

- 2007-06-27 14:34:58 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll

+ 2007-08-20 10:04:42 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll

- 2007-06-27 14:34:58 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll

+ 2007-08-20 10:04:42 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll

- 2007-06-27 14:34:59 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll

+ 2007-08-20 10:04:42 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll

- 2007-06-27 14:34:59 823,808 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll

+ 2007-08-20 10:04:43 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll

- 2007-09-07 10:05:12 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys

+ 2007-10-10 17:33:46 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys

- 2006-10-17 10:57:50 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll

+ 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll

- 2007-06-27 14:34:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll

+ 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll

- 2006-10-17 10:58:20 61,952 ------w C:\WINDOWS\system32\icardie.dll

+ 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll

- 2007-06-27 08:27:04 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe

+ 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe

- 2007-06-27 14:34:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll

+ 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll

- 2007-06-27 14:34:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll

+ 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll

- 2007-06-27 07:00:33 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll

+ 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll

- 2007-06-27 14:34:51 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll

+ 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll

- 2007-06-27 14:34:51 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll

+ 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll

- 2007-06-27 14:34:55 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll

+ 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll

- 2007-06-27 14:34:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll

+ 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll

- 2007-06-27 14:34:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll

+ 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll

- 2007-06-27 08:27:05 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe

+ 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe

- 2007-06-27 14:34:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll

+ 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll

- 2007-09-05 17:50:44 17,474,680 ----a-w C:\WINDOWS\system32\MRT.exe

+ 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe

- 2007-06-27 14:34:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll

+ 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll

- 2007-06-27 14:34:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll

+ 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll

- 2007-07-19 06:59:59 3,583,488 ----a-w C:\WINDOWS\system32\mshtml.dll

+ 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll

- 2007-06-27 14:34:57 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll

+ 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll

- 2007-06-27 14:34:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll

+ 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\system32\msrating.dll

- 2007-06-27 14:34:58 671,232 ----a-w C:\WINDOWS\system32\mstime.dll

+ 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\system32\mstime.dll

- 2007-06-27 14:34:58 102,400 ----a-w C:\WINDOWS\system32\occache.dll

+ 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\system32\occache.dll

- 2004-08-03 22:56:46 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll

+ 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll

- 2007-06-27 14:34:58 105,984 ----a-w C:\WINDOWS\system32\url.dll

+ 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll

- 2007-06-27 14:34:58 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll

+ 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll

- 2007-06-27 14:34:59 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll

+ 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll

- 2007-06-27 14:34:59 823,808 ----a-w C:\WINDOWS\system32\wininet.dll

+ 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll

- 2007-03-09 11:28:00 248,320 ----a-w C:\WINDOWS\system32\xpsp3res.dll

+ 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]

"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-07-01 19:52]

"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2006-08-15 14:01]

"Adobe Reader Speed Launcher"="D:\progr\Reader\Reader_sl.exe" [2007-05-11 03:06]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 19:33]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]

"Ditto"="C:\Program Files\Ditto\Ditto.exe" [2005-11-01 22:06]

 

C:\Documents and Settings\Armin\Start Menu\Programs\Startup\

FRITZ!DSL Protect.lnk - C:\Program Files\FRITZ!DSL\FwebProt.exe [2006-03-03 13:14:48]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-05-10 20:04:16]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"=0 (0x0)

"SynchronousUserGroupPolicy"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"=1 (0x1)

"NoResolveSearch"=1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"=0 (0x0)

"NoRecentDocsHistory"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

UmxWnp.Dll 2004-07-20 13:44 73793 C:\WINDOWS\system32\UmxWNP.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=UmxSbxExw.dll

 

R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys

R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys

R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys

R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys

R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys

R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys

R1 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\drivers\moufiltr.sys

R1 uigxrdr;uigxrdr;C:\WINDOWS\system32\DRIVERS\uigxrdr.sys

R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys

R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys

R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys

R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys

R2 UmxCfg;FW Configuration Interpreter;"C:\Program Files\Common Files\PFShared\UmxCfg.exe"

R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys

R3 UDTTUSB;USBDTT - USB DVB-T adapter Driver;C:\WINDOWS\system32\Drivers\UDTTcap.sys

S2 PDSched;PDScheduler;"C:\Program Files\Raxco\PerfectDisk\PDSched.exe"

S2 UmxAgent;FW Event Manager;"C:\Program Files\Tiny Firewall Pro\UmxAgent.exe"

S2 UmxLU;FW Live Update;"C:\Program Files\Common Files\PFShared\umxlu.exe"

S2 UmxPol;FW Policy Manager;"C:\Program Files\Common Files\PFShared\UmxPol.exe"

S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys

S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys

S3 UDTTLOAD;UDTTLOAD;C:\WINDOWS\system32\DRIVERS\UDTTload.sys

S3 UmxUTA;FW User to IP Address Translation;"C:\Program Files\Tiny Firewall Pro\umxuta.exe"

S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0adf85e6-b261-11da-b62f-000b6a7c7073}]

AutoRun\command - F:\preinst.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afab3585-bb1c-11da-b64c-000b6a7c7073}]

AutoRun\command - F:\preinst.exe

 

.

**************************************************************************

 

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-12 06:48:20

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

C:\WINDOWS\system32\ntos.exe

C:\WINDOWS\system32\wsnpoem

IPC error: 2 The system cannot find the file specified.

scan completed successfully

hidden files: 2

 

**************************************************************************

.

Completion time: 2007-10-12 6:50:05

C:\ComboFix-quarantined-files.txt ... 2007-10-05 19:06

C:\ComboFix2.txt ... 2007-10-10 13:13

C:\ComboFix3.txt ... 2007-10-09 19:58

.

--- E O F ---
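An added check, written for this thread and not part of ComboFix or of the original post, that turns the "Reg Loading Points" section of the log above into something scriptable. The value to look at is the Winlogon Userinit line: Windows runs every comma-separated program in it at each interactive logon, so the stock value is just userinit.exe, and the ntos.exe appended here is the persistence hook (ntos.exe together with a hidden wsnpoem folder holding audio.dll and video.dll is the classic file layout of the Zeus/Zbot family). The script flags any Userinit or Shell entry that is not the stock value and lists every AppInit_DLLs entry for review, because an AppInit DLL is loaded into each process that links user32.dll (the UmxSbxExw.dll here shares its Umx prefix with the Tiny Firewall Pro services further down, but the script does not assume that; it just reports it). Assumed: English Windows XP defaults; the sample dump is constructed from the log's own lines.

```python
"""Added example: scan a ComboFix-style "Reg Loading Points" dump for
Winlogon/AppInit entries that are not the stock Windows values."""
import re

# Assumed stock values for an English Windows XP install; adjust for
# other locales or a non-default system root.
EXPECTED = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

# Constructed sample in ComboFix's format. The Userinit and appinit_dlls
# lines are the ones from the log above; the Shell line is added to show
# what a clean entry looks like.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=UmxSbxExw.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_loading_points(text):
    """Return {key_path_lower: {value_name_lower: value_string}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            val = m.group("val").strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]          # ComboFix quotes REG_SZ values
            keys[current][m.group("name").lower()] = val
    return keys


def split_list_value(name, val):
    """Userinit is comma separated (with a trailing comma); AppInit_DLLs
    may be comma or space separated. Drop empty items."""
    sep = r"[,\s]+" if name == "appinit_dlls" else r","
    return [p.strip() for p in re.split(sep, val) if p.strip()]


def find_unexpected(keys):
    """Return (value_name, entry) pairs worth a human's attention: any
    Userinit/Shell entry not in EXPECTED, and every AppInit DLL."""
    findings = []
    for key, values in keys.items():
        if not (key.endswith(r"\winlogon") or key.endswith(r"\windows")):
            continue
        for name, val in values.items():
            for entry in split_list_value(name, val):
                if name == "appinit_dlls":
                    findings.append((name, entry))
                elif name in EXPECTED and entry.lower() not in EXPECTED[name]:
                    findings.append((name, entry))
    return findings


def read_live_winlogon():
    """Windows only: read the real values with winreg so the same check
    runs against the live registry instead of a log (needs read access
    to HKLM; assumes the same value names as English XP and later)."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
        vals = {n.lower(): winreg.QueryValueEx(k, n)[0]
                for n in ("Userinit", "Shell")}
    return {("hklm\\" + path).lower(): vals}


if __name__ == "__main__":
    for name, entry in find_unexpected(parse_loading_points(SAMPLE)):
        print("suspicious %s entry: %s" % (name, entry))
```

Against the sample this reports the ntos.exe Userinit entry and the AppInit DLL and nothing else. To use it on a saved log, pass the file's text to parse_loading_points instead of SAMPLE; on Windows, feed the result of read_live_winlogon() to find_unexpected() to check the live registry rather than a dump.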


Looks like this is one of the new variants which is injected into every running process.

 

Let's try another tool.

 

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Copy the text in the quote box below and paste it into the View/edit script window:
     
    Files to delete:
    C:\WINDOWS\system32\ntos.exe
    C:\windows\system32\wsnpoem\audio.dll
    C:\windows\system32\wsnpoem\video.dll
     
    Folders to delete:
    C:\WINDOWS\system32\wsnpoem

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
     
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

3. The Avenger will automatically do the following:

  • Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, briefly open a black command window on your desktop, this is normal.
  • After the restart, create a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

After the reboot you should get an error; don't worry about that error.

 

Then, in HijackThis, fix the following entry again.

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

 

4. Please copy/paste the content of avenger.txt into your reply along with a fresh HJT log by using Add/Reply
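The reason the Avenger script above is needed at all is the point made at the top of the reply: a DLL that is injected into every running process cannot be deleted from a running system, so the deletion has to happen at boot, before anything maps it again. The following is an added example written for this thread, not The Avenger's own code (the log later in the thread shows only that it ran from a randomly named service, so its internals are not described here). It parses the same "Files to delete / Folders to delete" script format, refuses the kind of path the note in the reply warns about, and on Windows queues the deletions through the documented MoveFileExW / PendingFileRenameOperations mechanism, which smss.exe applies early in the next boot. Assumed: the script format exactly as shown, C:\WINDOWS as the only permitted root, and an elevated process. One caveat the rest of the thread bears out: deleting the files without also removing the Userinit entry and whatever downloader Ad-Aware was flagging leads straight to reinfection.

```python
"""Added example: parse an Avenger-style removal script, sanity-check the
paths, and (on Windows) queue the deletions for the next reboot using
MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT."""
import ctypes
import os
import sys

# Constructed copy of the script from the reply above.
SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\ntos.exe
C:\windows\system32\wsnpoem\audio.dll
C:\windows\system32\wsnpoem\video.dll

Folders to delete:
C:\WINDOWS\system32\wsnpoem
"""

SECTIONS = {"files to delete:": "files", "folders to delete:": "folders"}
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # winbase.h


def parse_script(text):
    """Return {"files": [...], "folders": [...]} from the section/line format."""
    plan, current = {"files": [], "folders": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SECTIONS:
            current = SECTIONS[line.lower()]
        elif current is None:
            raise ValueError("path before any section header: %r" % line)
        else:
            plan[current].append(line)
    return plan


def validate(paths, allowed_roots=(r"C:\WINDOWS",)):
    """Return the paths that must not be deleted: relative paths, wildcards,
    '..' components, a root itself, or anything outside allowed_roots. This
    is the guard behind the note in the reply: a script written for one
    machine must not be able to take out another machine's system."""
    bad = []
    roots = [r.lower().rstrip("\\") + "\\" for r in allowed_roots]
    for p in paths:
        norm = os.path.normpath(p).replace("/", "\\")
        parts = norm.split("\\")
        absolute = len(norm) > 2 and norm[1] == ":" and norm[2] == "\\"
        if (not absolute or ".." in parts or any(c in norm for c in "*?")
                or not any(norm.lower().startswith(r) for r in roots)):
            bad.append(p)
    return bad


def schedule_delete_on_reboot(files, folders):
    """Queue each path in PendingFileRenameOperations via
    MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT). Files go first so
    each folder is empty when its turn comes (the API only removes empty
    directories). Needs an administrator process; Windows only."""
    if sys.platform != "win32":
        raise OSError("PendingFileRenameOperations exists only on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    k32.MoveFileExW.restype = ctypes.c_int
    for path in list(files) + list(folders):
        if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError(ctypes.get_last_error())
    return len(files) + len(folders)


if __name__ == "__main__":
    plan = parse_script(SCRIPT)
    bad = validate(plan["files"] + plan["folders"])
    if bad:
        sys.exit("refusing to schedule: %r" % bad)
    print("queued %d deletions for next reboot"
          % schedule_delete_on_reboot(plan["files"], plan["folders"]))
```

The parsing and validation run anywhere; only schedule_delete_on_reboot() touches the Windows API, and it raises rather than silently doing nothing on other platforms. After the reboot, check that the paths are really gone before fixing the Userinit entry, because a file that survived the queue is a sign the persistence is elsewhere too.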


Yesterday I thought it was successful, but today my PC was messed up again.

I did a manual system scan with AntiVir. It found Avenger\backup (I chose: ignore) and TR/Spy.Agent.42496 (I chose: quarantine). I noticed that the name and location of this Trojan are different from the previous one.

Was it a mistake not to disable AV for Avenger? Should I run it again after disabling AV?

I also did an Ad-Aware scan. It again found BackdoorAgent and TrojanDownloader.

 

Here are the logs:

 

 

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\uscgksla

 

*******************

 

Script file located at: \??\C:\Program Files\iuyypfji.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

File C:\WINDOWS\system32\ntos.exe deleted successfully.

File C:\windows\system32\wsnpoem\audio.dll deleted successfully.

File C:\windows\system32\wsnpoem\video.dll deleted successfully.

Folder C:\WINDOWS\system32\wsnpoem deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:00:11, on 13.10.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\PFShared\UmxCfg.exe

C:\Program Files\Common Files\PFShared\UmxPol.exe

C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

C:\Program Files\Tiny Firewall Pro\UmxTray.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\Explorer.EXE

D:\progr\a-squared Free\a2service.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\VM_STI.EXE

C:\WINDOWS\system32\slserv.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

C:\Program Files\Common Files\PFShared\umxlu.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Ditto\Ditto.exe

C:\Program Files\PC-TV\WinManager\WinManager.exe

C:\Program Files\FRITZ!DSL\FwebProt.exe

C:\Program Files\FRITZ!DSL\StCenter.EXE

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\WINDOWS\system32\svchost.exe

D:\progr\TV\Aopen Digital TV.exe

D:\progr\TV\CaptureData.exe

D:\progr\TV\PlayProgram.exe

C:\Program Files\Common Files\PFShared\SyncEvnt.exe

D:\progr\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\progr\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe

O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe

O8 - Extra context menu item: eBay Powersuche - http://www.webtip.ch/cgi-bin/buyertools/button.pl?adv

O8 - Extra context menu item: eBay Produktsuche - D:\progr\Buyertools Reminder15\SearchEbay.htm

O8 - Extra context menu item: eBay Startseite - http://www.webtip.ch/cgi-bin/buyertools/button.pl?heim

O8 - Extra context menu item: Mein eBay - http://www.webtip.ch/cgi-bin/buyertools/button.pl?mein

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - D:\progr\Buyertools Reminder15\ReminderIE.exe (file missing)

O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\progr\a-squared Free\a2service.exe

O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: FW Event Manager (UmxAgent) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe

O23 - Service: FW Configuration Interpreter (UmxCfg) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe

O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe

O23 - Service: FW Policy Manager (UmxPol) - Tiny Software Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

O23 - Service: FW User to IP Address Translation (UmxUTA) - Tiny Software, Inc. - C:\Program Files\Tiny Firewall Pro\umxuta.exe

 

--

End of file - 9577 bytes

This topic is now closed to further replies.