[Resolved] WIN32 PWS Lineage indicated by Microsoft, HJT list below
Alpha2m1
post Nov 10 2008, 01:46 AM
Post #1
New Member
Group: Authentic Member
Posts: 11
Joined: 9-November 08
From: Ingolstadt/Bavaria, Germany
Member No.: 82,318
Operating System: Vista Home Premium 32b

Hello,

here is my requested HJT overview.

Problem: MS indicated "virus found: WIN32 PWS Lineage".

But none of the scanners and antivirus/anti-malware programs found anything like this.
Note that I have installed several malware hunters now (yesterday).

Maybe someone could have a look at this; I have added some notes at the right side (-> ....).

Logfile of HijackThis v1.99.1
Scan saved at 08:03:23, on 10.11.2008
Platform: Unknown Windows (WinNT 6.00.1904) -> it's Vista 32-bit, fully updated
MSIE: Internet Explorer v7.00 (7.00.6000.16757) -> but not in use; Mozilla Firefox 3.03 (updated) is my favourite

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NortonAntiBot.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Windows\System32\rundll32.exe -> I've read that this may be the running virus
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hardcopy\hardcopy.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABMonitor.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [recinfo395] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe"
O4 - HKLM\..\Run: [NortonAntiBot] "C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Hardcopy.LNK = C:\Program Files\Hardcopy\hardcopy.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\scieplugin.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partne...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/The%20Race/Images/stg_drm.ocx -> strange! I've uninstalled this game
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/The%20Race/Images/armhelper.ocx -> again, this has no business being here; it's gone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\r3hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\Windows\system32\klogon.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Personal Security Suite V (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe" -r (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SymantecAntiBotAgent - Unknown owner - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe" SymantecAntiBotAgent (file missing)
O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)


The "(file missing)" entries above could be the result of malware jobs running; they may have recognised those services as a threat and deleted or blocked them. For example, no Spyware Doctor update is possible today (but it worked yesterday).


Thanks for help.
Michael
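The log above is worth triaging mechanically rather than by eye, because the two classes of entry Michael annotates are easy to misread. rundll32.exe is only a host process, so the thing to check in each O4 entry is the DLL it loads. And the "(file missing)" services in the HijackThis 1.99.1 log come in two shapes: service paths that end in a dangling quote (`avp.exe" -r`, `ccSvcHst.exe" /h`), and unexpanded `%windir%` / `%ProgramFiles%` paths; the 2.0.2 log in post #3 reports the same AVP service with its path intact and no longer lists the environment-variable entries at all, while CLTNetCnService stays missing without any quote, which is consistent with a leftover from a removed Symantec product rather than with malware deleting files. The script below is an added example, not part of the original thread and not HijackThis's own code: it parses HJT-style entries and sorts the interesting ones into buckets. SAMPLE_LOG is a constructed subset of lines copied from the two logs in this thread; the bucket names and the heuristics behind them are my own.

```python
import re
from collections import defaultdict

# Constructed sample (added example, not from HijackThis): lines copied from the
# two HJT logs in this thread, chosen to cover each class of entry discussed.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Windows\System32\rundll32.exe

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe"
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/The%20Race/Images/stg_drm.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\r3hook.dll C:\Windows\system32\guard32.dll
O23 - Service: Kaspersky Personal Security Suite V (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe" -r (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: JetDrive WindowsClosingService - Unknown owner - C:\Windows\System32\WindowsClosingService (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# rundll32 is only the host; capture the DLL it is told to load
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll)", re.IGNORECASE)
MISSING = "(file missing)"


def parse_hjt(text):
    """Return (section, body) pairs for every R*/O* entry; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def classify_service(name, owner, path, findings):
    """Sort one O23 entry into a bucket; the bucket names are this example's own."""
    if path.endswith(MISSING):
        target = path[: -len(MISSING)].strip()
        if '"' in target:
            # HJT split a quoted ImagePath and tested the wrong string; the binary is there
            bucket = "quoting_artifact"
        elif target.startswith("%"):
            # %windir% / %ProgramFiles% were never expanded before the existence check
            bucket = "unexpanded_env_path"
        else:
            # genuinely absent, or registered without its extension
            bucket = "path_not_found"
        findings[bucket].append((name, target))
    elif owner == "Unknown owner":
        # no company name in the version resource; a prompt to look, not proof of malice
        findings["unknown_owner"].append(name)


def triage(text):
    findings = defaultdict(list)
    for sec, body in parse_hjt(text):
        if sec == "O4":
            m = RUNDLL_RE.search(body)
            if m:
                findings["rundll32_hosted_dll"].append(m.group("dll"))
        elif sec == "O16" and "file:///" in body.lower():
            # ActiveX controls registered from a local path rather than downloaded
            findings["dpf_local_file"].append(body.rsplit(" - ", 1)[1])
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # space-separated short (8.3) names, as the registry value requires
            findings["appinit_dll"].extend(body[len("AppInit_DLLs:"):].split())
        elif sec == "O23":
            m = SERVICE_RE.match(body)
            if m:
                classify_service(m.group("name"), m.group("owner"), m.group("path"), findings)
    return dict(findings)


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_LOG).items()):
        print(bucket)
        for item in items:
            print("   ", item)
```

Reading the buckets against this thread: quoting_artifact is the one to discount, since the later 2.0.2 log shows the same AVP service resolving normally. path_not_found deserves a look; the ComboFix log in post #5 lists c:\windows\System32\WindowsClosingService.exe created in the same minute as the JetDrive DeFrag2009 folder, so the registered path most likely just lacks its .exe extension (an inference from the timestamps, not something the thread confirms). dpf_local_file holds the two ActiveX controls left behind by the uninstalled game, and appinit_dll lists the DLLs injected into every process that loads user32.dll: Kaspersky's r3hook.dll in both logs, and COMODO's guard32.dll, which appears only in the second log after the firewall was installed.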
LDTate
post Nov 19 2008, 04:48 PM
Post #2
Forum God
Group: Root Admin
Posts: 40,577
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

1. These tools MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator")


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Right-click ATF-Cleaner.exe and select "Run as administrator" to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Then:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Right-click mbam-setup.exe, select "Run as administrator" and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Also "copy/paste" a new HijackThis log file into this thread.
Alpha2m1
post Nov 21 2008, 05:15 AM
Post #3

Look at this; it's the new version of HJT.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:02, on 21.11.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NortonAntiBot.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hardcopy\hardcopy.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABMonitor.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [recinfo395] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe"
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NortonAntiBot] "C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: Hardcopy.LNK = C:\Program Files\Hardcopy\hardcopy.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\scieplugin.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partne...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/The%20Race/Images/stg_drm.ocx
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/The%20Race/Images/armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\r3hook.dll C:\Windows\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Personal Security Suite V (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: JetDrive WindowsClosingService - Unknown owner - C:\Windows\System32\WindowsClosingService (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SymantecAntiBotAgent - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

--
End of file - 10466 bytes


And this is MBAM:

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 6.0.6000

21.11.2008 11:09:55
mbam-log-2008-11-21 (11-09-55).txt

Scan type: Quick Scan
Objects scanned: 48308
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


It seems nothing has been found.

Thanks,
Michael

This post has been edited by Alpha2m1: Nov 21 2008, 05:18 AM
LDTate
post Nov 22 2008, 08:11 AM
Post #4

1. This tool MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator")


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.
Alpha2m1
post Nov 23 2008, 09:20 AM
Post #5

Hello LDTate,

I proceeded as you told me, closed all security programs beforehand, and started it as Admin.

Below are the logs.

After ComboFix finished and I had saved the log, I tried a restart.
But: blue screen, "INVALID_KERNEL_HANDLE".
OK.
Cold start. It takes twice as long as normal, but the system seems to run well.
Strange: the IE icon is on the desktop, but I had deleted it because
I'm using Firefox.
Using the browser to get online, it seems that IE tried to take over as the default browser.
I "repaired" this; Firefox is again my default browser.

So, here are the logs:

ComboFix 08-11-22.01 - Mixalis 2008-11-23 15:10:45.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.1168 [GMT 1:00]
Run from: c:\users\Mixalis\Desktop\ComboFix.exe
* A new restore point was created
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Mixalis\AppData\Roaming\.#
c:\windows\system32\MSINET.oca
c:\windows\system32\system\

.
((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 ))))))))))))))))))))))))))))))
.

2008-11-21 21:03 . 2008-11-21 21:03 <DIR> d-------- c:\program files\Bluefish Games
2008-11-21 20:56 . 2008-11-21 21:02 <DIR> d-------- c:\program files\RivaTuner v2.10
2008-11-21 11:23 . 2008-11-21 11:23 <DIR> d-------- c:\program files\Trend Micro
2008-11-19 21:16 . 2008-11-19 21:16 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\Symantec
2008-11-19 11:45 . 2008-11-19 11:46 <DIR> d-------- c:\program files\JetDrive DeFrag2009
2008-11-19 11:45 . 2008-11-18 14:50 9,216 --a------ c:\windows\System32\WindowsClosingService.exe
2008-11-14 09:03 . 2008-11-14 09:30 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\Spyware Terminator
2008-11-14 09:03 . 2008-11-14 09:31 <DIR> d-------- c:\users\All Users\Spyware Terminator
2008-11-14 09:03 . 2008-11-14 09:31 <DIR> d-------- c:\programdata\Spyware Terminator
2008-11-14 09:03 . 2008-11-14 09:30 <DIR> d-------- c:\program files\Spyware Terminator
2008-11-14 09:03 . 2008-11-14 09:03 141,312 --a------ c:\windows\System32\drivers\sp_rsdrv2.sys
2008-11-14 08:56 . 2008-11-14 08:56 <DIR> d-------- c:\program files\WinPcap
2008-11-13 10:26 . 2008-09-10 04:25 1,341,440 --a------ c:\windows\System32\msxml6.dll
2008-11-13 10:26 . 2008-09-05 05:48 1,194,496 --a------ c:\windows\System32\msxml3.dll
2008-11-13 10:26 . 2008-08-27 01:48 211,968 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-13 10:26 . 2008-09-10 04:21 2,048 --a------ c:\windows\System32\msxml6r.dll
2008-11-13 10:26 . 2008-09-05 05:45 2,048 --a------ c:\windows\System32\msxml3r.dll
2008-11-12 11:21 . 1999-03-23 01:12 299,520 --a------ c:\windows\uninst.exe
2008-11-11 22:56 . 2008-11-11 22:56 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\Comodo
2008-11-11 22:56 . 2008-11-12 08:13 <DIR> d-------- c:\users\All Users\comodo
2008-11-11 22:56 . 2008-11-12 08:13 <DIR> d-------- c:\programdata\comodo
2008-11-11 22:56 . 2008-11-11 22:56 <DIR> d-------- c:\program files\COMODO
2008-11-11 22:56 . 2008-11-18 19:19 143,096 --a------ c:\windows\System32\guard32.dll
2008-11-11 22:56 . 2008-11-18 19:19 97,808 --a------ c:\windows\System32\drivers\cmdguard.sys
2008-11-11 22:56 . 2008-11-18 19:19 25,104 --a------ c:\windows\System32\drivers\cmdhlp.sys
2008-11-10 21:41 . 2008-11-10 21:41 <DIR> d-------- c:\users\All Users\Intenium
2008-11-10 21:41 . 2008-11-10 21:41 <DIR> d-------- c:\programdata\Intenium
2008-11-10 07:59 . 2008-11-10 07:59 <DIR> d-------- c:\program files\ERUNT
2008-11-09 21:05 . 2008-11-09 21:05 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\SUPERAntiSpyware.com
2008-11-09 21:05 . 2008-11-09 21:05 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2008-11-09 21:05 . 2008-11-09 21:05 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2008-11-09 21:05 . 2008-11-09 21:05 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-09 19:08 . 2008-11-09 19:55 <DIR> d-------- c:\users\Mixalis\DoctorWeb
2008-11-09 17:27 . 2008-11-09 17:27 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\Malwarebytes
2008-11-09 17:27 . 2008-11-09 17:27 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-09 17:27 . 2008-11-09 17:27 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-09 17:27 . 2008-11-09 19:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 17:27 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 17:27 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-09 17:17 . 2007-12-10 14:53 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2008-11-09 17:17 . 2007-12-10 14:53 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2008-11-09 17:17 . 2008-11-09 17:22 42,376 --a------ c:\windows\System32\drivers\ikfilesec.sys
2008-11-09 17:17 . 2007-12-10 14:53 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2008-11-09 17:16 . 2008-11-09 17:16 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\PC Tools
2008-11-09 17:16 . 2008-11-10 00:15 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-09 16:53 . 2008-11-19 14:55 <DIR> d-------- c:\program files\a-squared Anti-Malware
2008-11-09 16:23 . 2008-11-09 16:23 <DIR> d-------- c:\program files\Panda Security
2008-11-09 16:23 . 2008-06-19 17:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2008-11-09 16:22 . 2008-11-09 16:22 <DIR> d-------- c:\windows\System32\Kaspersky Lab
2008-11-08 22:09 . 2008-11-08 22:10 <DIR> d-------- c:\users\All Users\Lavasoft
2008-11-08 22:09 . 2008-11-08 22:10 <DIR> d-------- c:\programdata\Lavasoft
2008-11-08 22:09 . 2008-11-08 22:09 <DIR> d-------- c:\program files\Lavasoft
2008-11-08 19:58 . 2008-11-09 00:47 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-08 19:58 . 2008-11-09 00:47 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-11-08 19:58 . 2008-11-08 20:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 19:50 . 2008-11-09 21:03 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-08 19:43 . 2008-11-08 19:43 <DIR> d-------- C:\fsaua.data
2008-11-08 16:33 . 2008-11-08 16:33 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\Meridian93
2008-11-08 16:33 . 2008-11-08 16:33 <DIR> d-------- c:\users\All Users\Meridian93
2008-11-08 16:33 . 2008-11-08 16:33 <DIR> d-------- c:\programdata\Meridian93
2008-11-08 15:34 . 2008-11-08 15:34 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\ScreenSeven
2008-11-08 15:27 . 2008-11-08 15:27 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\BinarySense
2008-11-08 15:27 . 2008-11-08 15:27 <DIR> d-------- c:\program files\zoneLINK
2008-11-08 15:07 . 2008-11-08 15:07 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\klickTel
2008-11-08 15:07 . 2008-11-08 15:08 157 --a------ c:\windows\ktel.ini
2008-11-08 15:05 . 2008-11-08 15:05 <DIR> d-------- c:\program files\klickTel
2008-11-08 15:04 . 2008-11-08 15:04 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\InstallShield
2008-11-08 14:17 . 2008-11-08 14:17 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\Ahead
2008-11-06 22:39 . 2008-11-06 22:39 4 --a------ c:\windows\visualwarlab.dat
2008-11-06 22:38 . 2008-11-10 10:17 <DIR> d-------- c:\program files\DEUTSCHLAND SPIELT
2008-11-06 20:22 . 2008-11-09 18:15 <DIR> d-------- c:\program files\DAEMON Tools Toolbar
2008-11-06 20:18 . 2008-11-06 20:18 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\DAEMON Tools
2008-11-06 20:18 . 2008-11-06 20:19 717,296 --a------ c:\windows\System32\drivers\sptd.sys
2008-11-06 12:35 . 2008-11-06 12:35 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\HDD Thermometer
2008-11-06 12:35 . 2008-11-06 12:35 <DIR> d-------- c:\users\All Users\HDD Thermometer
2008-11-06 12:35 . 2008-11-06 12:35 <DIR> d-------- c:\programdata\HDD Thermometer
2008-11-05 19:15 . 2008-11-05 19:19 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\schober.com business CD
2008-11-05 19:14 . 2008-11-05 19:47 <DIR> d-------- c:\program files\Schober Firmenadressen CD
2008-11-05 19:14 . 2008-11-05 19:47 72 --a------ c:\windows\RETRIEVE.INI
2008-11-02 14:57 . 2008-11-02 14:57 <DIR> d-------- c:\program files\HotHotSoftwareFullVersion
2008-11-02 14:57 . 2000-07-16 16:20 185,856 --a------ c:\windows\System32\Bmp2Jpeg.dll
2008-11-02 14:57 . 2000-07-15 00:00 101,888 --a------ c:\windows\System32\VB6STKIT.DLL
2008-11-02 11:19 . 2008-11-02 11:19 <DIR> d-------- c:\program files\Secunia
2008-11-01 16:04 . 2008-11-01 16:05 <DIR> d-------- c:\windows\System32\Adobe
2008-10-31 13:04 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\System32\D3DX9_37.dll
2008-10-31 13:04 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\System32\d3dx9_35.dll
2008-10-31 13:04 . 2007-05-16 16:45 3,497,832 --a------ c:\windows\System32\d3dx9_34.dll
2008-10-31 13:04 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\System32\d3dx9_33.dll
2008-10-31 13:04 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\System32\d3dx9_32.dll
2008-10-31 13:04 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\System32\d3dx9_31.dll
2008-10-31 13:04 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\System32\d3dx9_26.dll
2008-10-31 13:04 . 2007-04-04 18:53 81,768 --a------ c:\windows\System32\xinput1_3.dll
2008-10-31 12:58 . 2008-10-31 12:58 <DIR> d-------- c:\program files\Common Files\SWF Studio
2008-10-31 12:58 . 2008-10-31 13:01 <DIR> d-------- C:\FIFA 09 Demo
2008-10-29 21:07 . 2008-10-29 21:07 165,376 --a------ c:\windows\System32\drivers\atksgt.sys
2008-10-29 21:07 . 2008-10-29 21:07 18,048 --a------ c:\windows\System32\drivers\lirsgt.sys
2008-10-29 21:00 . 2008-08-12 04:29 441,856 --a------ c:\windows\System32\win32spl.dll
2008-10-29 21:00 . 2008-08-12 04:29 37,376 --a------ c:\windows\System32\printcom.dll
2008-10-29 20:57 . 2008-11-10 09:54 <DIR> d-------- c:\program files\Frogster
2008-10-27 09:04 . 2008-10-27 09:04 7,808 --a------ c:\windows\System32\drivers\psi_mf.sys
2008-10-25 12:16 . 2008-10-25 12:16 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\cerasus.media
2008-10-25 11:18 . 2008-10-25 11:19 <DIR> d-------- c:\users\Mixalis\AppData\Roaming\GlarySoft
2008-10-25 11:17 . 2008-10-25 16:34 <DIR> d-------- c:\program files\Absolute Uninstaller
2008-10-25 11:05 . 2008-10-25 11:05 <DIR> d-------- c:\users\All Users\Ashampoo
2008-10-25 11:05 . 2008-10-25 11:05 <DIR> d-------- c:\programdata\Ashampoo

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 14:13 27,933,728 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-23 14:02 --------- d-----w c:\programdata\Kaspersky Lab
2008-11-22 17:46 376,220 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-21 20:10 --------- d-----w c:\programdata\MumboJumbo
2008-11-19 20:13 --------- d-----w c:\programdata\Downloaded Installations
2008-11-14 07:50 --------- d-----w c:\program files\Java
2008-11-13 09:31 --------- d-----w c:\programdata\Microsoft Help
2008-11-11 22:04 --------- d---a-w c:\programdata\TEMP
2008-11-10 09:19 --------- d-----w c:\program files\Oberon Media
2008-11-10 09:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 22:06 --------- d-----w c:\program files\Advanced Audio Recorder
2008-11-08 18:04 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-06 21:22 --------- d-----w c:\program files\FlightGear
2008-11-06 21:15 --------- d-----w c:\program files\Microsoft Games
2008-11-05 18:55 --------- d-----w c:\program files\Paint.NET
2008-11-02 12:06 --------- d-----w c:\programdata\Symantec
2008-11-02 10:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-31 12:07 1,550 ----a-w c:\windows\System32\ealregsnapshot1.reg
2008-10-26 16:16 --------- d-----w c:\program files\flatster
2008-10-25 10:05 --------- d-----w c:\program files\Ashampoo
2008-10-24 12:43 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 16:43 --------- d-----w c:\program files\Windows Mail
2008-10-16 14:44 --------- d-----w c:\program files\Allzeit Atomzeit
2008-10-15 19:01 --------- d-----w c:\program files\Hardcopy
2008-10-11 16:31 --------- d-----w c:\program files\Teorex
2008-10-10 18:31 --------- d-----w c:\program files\Electronic Arts
2008-10-09 10:08 --------- d-----w c:\program files\Jewel Master
2008-10-05 19:40 --------- d-----w c:\users\Mixalis\AppData\Roaming\Zylom
2008-10-04 14:51 --------- d-----w c:\program files\Playrix Games
2008-10-03 22:01 --------- d-----w c:\programdata\Apple Computer
2008-10-03 22:01 --------- d-----w c:\program files\QuickTime
2008-10-03 22:01 --------- d-----w c:\program files\Common Files\Apple
2008-10-03 21:59 --------- d-----w c:\programdata\Apple
2008-10-03 21:59 --------- d-----w c:\program files\Apple Software Update
2008-10-03 15:29 --------- d-----w c:\programdata\MythPeople
2008-10-03 13:42 --------- d-----w c:\programdata\Enkord
2008-10-03 13:41 --------- d-----w c:\program files\Common Files\Oberon Media
2008-10-03 13:09 --------- d-----w c:\users\Mixalis\AppData\Roaming\Oberon Media
2008-10-03 12:56 --------- d-----w c:\programdata\HipSoft
2008-10-03 12:26 --------- d-----w c:\programdata\Alawar Stargaze
2008-10-03 11:24 --------- d-----w c:\programdata\SecretsOfOlympus
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-10-01 15:10 --------- d-----w c:\users\Mixalis\AppData\Roaming\7Wonders
2008-10-01 08:48 --------- d-----w c:\program files\Enlarger PRO
2008-10-01 08:27 --------- d-----w c:\programdata\Hagel Technologies
2008-10-01 08:27 --------- d-----w c:\program files\Photo Collage Maker
2008-10-01 08:26 --------- d-----w c:\program files\PhotonFX
2008-10-01 08:24 --------- d-----w c:\program files\MorphBuster
2008-10-01 08:14 --------- d-----w c:\program files\nobox.de
2008-09-30 15:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-28 17:08 --------- d-----w c:\programdata\Space Ewe Software
2008-09-28 17:08 --------- d-----w c:\program files\Glory Zone
2008-09-27 17:49 --------- d-----w c:\users\Mixalis\AppData\Roaming\ubi.com
2008-09-27 17:49 --------- d-----w c:\program files\ubi.com
2008-09-27 17:49 --------- d-----w c:\program files\Ubi Soft
2008-09-27 17:49 --------- d-----w c:\program files\Common Files\PocketSoft
2008-09-27 17:40 --------- d-----w c:\program files\Speedpyramid
2008-09-27 17:39 737,280 ----a-w c:\windows\iun6002.exe
2008-09-27 17:26 --------- d-----w c:\program files\Paradox Interactive
2008-09-27 17:11 81,920 ----a-w c:\windows\System32\OpenAL32.dll
2008-09-27 17:11 221,184 ----a-w c:\windows\System32\wrap_oal.dll
2008-09-27 15:43 --------- d-----w c:\users\Mixalis\AppData\Roaming\MiniDm
2008-09-27 15:43 --------- d-----w c:\program files\IEPro
2008-09-27 07:43 --------- d-----w c:\users\Mixalis\AppData\Roaming\SpinTop
2008-09-27 07:43 --------- d-----w c:\programdata\TheRace_dev
2008-09-26 17:53 --------- d-----w c:\users\Mixalis\AppData\Roaming\JewelMatch2
2008-09-20 01:13 2,029,568 ----a-w c:\windows\System32\win32k.sys
2008-09-18 04:27 3,506,744 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:27 3,472,952 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-03 03:56 74,752 ----a-w c:\windows\System32\newdev.exe
2008-09-03 03:56 465,408 ----a-w c:\windows\System32\newdev.dll
2008-07-12 19:42 174 --sha-w c:\program files\desktop.ini
2008-05-20 20:07 0 ----a-w c:\users\Mixalis\AppData\Roaming\wklnhst.dat
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-05-04 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-06-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-01 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-01 81920]
"recinfo395"="c:\recinfo\RecInfo.exe" [2007-10-23 2764800]
"a-squared"="c:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [2008-11-09 2780816]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-18 1796856]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NortonAntiBot"="c:\program files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe" [2008-09-08 1378840]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Hardcopy.LNK - c:\program files\Hardcopy\hardcopy.exe [2008-10-15 1282048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\r3hook.dll c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5CFA28CB-2258-4178-8DFD-712A8623EE1B}"= UDP:c:\program files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe:FSCLBaseUpdaterService.exe
"{5CE77E06-8C76-4B19-9AF2-36EE81133B33}"= TCP:c:\program files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe:FSCLBaseUpdaterService.exe
"{07B682B5-BA73-4FD0-9271-5CEAE7273BFF}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C02FBAFF-D75B-4158-8593-24C74559A969}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5ECDF67A-CAD7-4136-96A4-7C1F730AFD27}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B1FA897E-18C0-450D-852C-639ED094E4FF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4DE054DE-5414-4735-81BE-9BF99429F94A}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C62E80B8-A1F9-452A-B294-1ABC47A0A4C3}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\IEPro\\MiniDM.exe"= c:\program files\IEPro\MiniDM.exe:*:Enabled:MiniDM

R0 AtiPcie;ATI PCI Express (3GIO) Filter;c:\windows\system32\DRIVERS\AtiPcie.sys [2007-11-08 8192]
R0 hotcore3;hc3ServiceName;c:\windows\system32\DRIVERS\hotcore3.sys [2008-08-23 40464]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-09 28544]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-11-11 97808]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-11-11 25104]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2007-01-25 20760]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-09-19 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-09-19 41680]
R2 TestHandler;Fujitsu Siemens Computers Diagnostic Testhandler;c:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [2006-12-08 204800]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-05-04 113896]
S2 JetDrive WindowsClosingService;JetDrive WindowsClosingService;c:\windows\System32\WindowsClosingService []
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-05-17 464384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-10-27 7808]
S3 ZD1211BU(Wireless);54M USB Wireless Adapter Driver(Wireless);c:\windows\system32\DRIVERS\zd1211Bu.sys [2008-07-01 477696]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2007-11-07 131616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners

2008-11-19 c:\windows\Tasks\JetDrive Schedule.job
- c:\program files\jetdrive defrag2009\JetDrive.exe [2008-11-18 14:53]
.
.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - c:\users\Mixalis\AppData\Roaming\Mozilla\Firefox\Profiles\x75dcob2.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.web.de
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 15:13:51
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

Prozess: c:\windows\system32\winlogon.exe
-> c:\windows\system32\guard32.dll

Prozess: c:\windows\system32\lsass.exe
-> c:\windows\system32\guard32.dll
.
Zeit der Fertigstellung: 2008-11-23 15:14:50
ComboFix-quarantined-files.txt 2008-11-23 14:14:47

Vor Suchlauf: 32 Verzeichnis(se), 160.630.767.616 Bytes frei
Nach Suchlauf: 32 Verzeichnis(se), 161,195,548,672 Bytes frei

311 --- E O F --- 2008-11-13 20:10:29


WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:18:15, on 23.11.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
C:\Windows\system32\svchost.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NortonAntiBot.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hardcopy\hardcopy.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABMonitor.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Mixalis\Desktop\AntiVirenKits\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [recinfo395] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NortonAntiBot] "C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Hardcopy.LNK = C:\Program Files\Hardcopy\hardcopy.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\scieplugin.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partne...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/The%20Race/Images/stg_drm.ocx
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/The%20Race/Images/armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\r3hook.dll C:\Windows\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Personal Security Suite V (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: JetDrive WindowsClosingService - Unknown owner - C:\Windows\System32\WindowsClosingService (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SymantecAntiBotAgent - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

--
End of file - 9829 bytes

Thanks a lot,
Michael