Log analysis and evaluation: Viruses or too little RAM?
If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To remove viruses and trojans, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
07.12.2009, 07:31 | #1
Viruses or too little RAM?
Hi, I'm currently cleaning up the notebook of a friend who doesn't really know much about PCs. The operating system is Vista. Processor: 2 gigahertz. 1024 MB RAM. The system is very slow. I assume there are lots of viruses on it. After all, Norton was on it. I uninstalled that and put Antivir on it. A full system check had no hits, though. After I threw out various autostart programs and useless stuff, the system runs a bit better. It is still pathetic, though. My question now is whether that is due to viruses, or to 1 GB of RAM being a bit little for Vista. Here is the HijackThis logfile:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:04 PM, on 06/12/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe
C:\Program Files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Users\mobagher\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080720
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS security services\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TELUS_McciTrayApp] C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe
O4 - HKLM\..\Run: [TelusWCC_McciTrayApp] C:\Program Files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
O4 - HKLM\..\Run: [lxdxamon] "C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Picture Motion Browser Medien-Prüfung.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\Windows\system32\lxdxcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS security services (Radialpoint Security Services) - TELUS - C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
O23 - Service: TELUS security services Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS security services\Fws.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9997 bytes

Peter
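A HijackThis log such as the one posted above is a line-oriented text format: a short header, a "Running processes:" block, then one finding per line tagged with a section code (R0/R1 for browser start and search pages, O2 for browser helper objects, O3 for toolbars, O4 for autostart entries, O20 for AppInit_DLLs and Winlogon Notify registrations, O23 for services). The Python script below is an added example and is not part of the thread or of HijackThis itself. It parses that format, counts entries per section and flags the entry types an analyst usually reviews first. The embedded sample log is constructed from a handful of lines of the log above and is not complete; the triage rules are the editor's own heuristics, not anything HijackThis reports.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (not a complete log): a few lines in the shape HijackThis v2
# writes, copied from the log posted above. A raw string keeps the backslashes literal.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:04 PM, on 06/12/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080720
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
--
End of file - 9997 bytes
"""

# Every HijackThis finding line is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(text):
    """Split a HijackThis log into (header dict, running-process list, entries)."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "--" or line.startswith("End of file"):
            in_processes = False          # a blank line closes the process block
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append(Entry(m["section"], m["body"]))
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        if line.startswith("Logfile of "):
            header["tool"] = line[len("Logfile of "):]
        elif line.startswith("Scan saved at "):
            header["scan_time"] = line[len("Scan saved at "):]
        elif ": " in line:                # Platform:, MSIE:, Boot mode:
            key, value = line.split(": ", 1)
            header[key] = value
    return header, processes, entries


def section_counts(entries):
    """How many entries each section code contributed (O4 autostarts, O23 services, ...)."""
    return Counter(e.section for e in entries)


def triage(entries):
    """Return (reason, body) pairs for entry types an analyst reviews first.
    These rules are the editor's own heuristics, not HijackThis output; a hit is a
    prompt to look closer, not a verdict."""
    findings = []
    for e in entries:
        b = e.body
        if e.section == "O2" and b.endswith("(no file)"):
            findings.append(("BHO registered but its DLL is missing on disk", b))
        elif e.section == "O20" and b.startswith("AppInit_DLLs:"):
            findings.append(("AppInit_DLLs is loaded into every process that links user32.dll", b))
        elif e.section == "O20" and b.startswith("Winlogon Notify:"):
            findings.append(("Winlogon Notify DLL registration; check the DLL and its vendor", b))
        elif e.section == "O23" and " - Unknown owner - " in b:
            findings.append(("service with no vendor string", b))
    return findings


if __name__ == "__main__":
    header, procs, entries = parse_hjt(SAMPLE_LOG)
    print(header.get("tool"), "|", header.get("scan_time"))
    print(f"{len(procs)} running processes, {len(entries)} entries: {dict(section_counts(entries))}")
    for reason, body in triage(entries):
        print(f"[{reason}] {body}")
```

Run as-is it summarises the embedded sample; to triage a real log, pass the contents of hijackthis.log to parse_hjt instead of SAMPLE_LOG. The flags are starting points only: in the log above, for example, the "(no file)" BHO is a registration whose DLL no longer exists, which is exactly what that marker means, and every flagged path still has to be checked by hand.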
07.12.2009, 08:00 | #2
Viruses or too little RAM?
So, by now Avira has raised the alarm a few times. Every time it was the following virus:
TR/Crypt.XPACK.Gen2
In the directory: C:\Windows\winsxs\Temp\PendingRenames\29e088dd0977ca01340900006813900e.x86_microsoft-windows-shlwapi_31bf3856ad364e35_6.0.6001.18000_none_f9d9b204a4aeeb4a_shlwapi.dll_1eec0a2e
It is also strange that Windows Update has been trying to install Service Pack 1 for an hour now. The process doesn't seem to be finished yet, even though the progress bar is at 100%. I have the feeling this is a real plague PC.
07.12.2009, 09:59 | #3
Viruses or too little RAM?
Now I have noticed something else. Task Manager shows a memory usage of over 800 MB, and only the browser is running. And when I add up the numbers under Processes (rough estimate), I don't even get to 200 MB. So something seems to be running in the background, or how should I interpret that? It would be nice if someone had an idea, even if it is only confirmation that I have to reinstall the system.
By the way, every now and then the screen freezes and it then takes up to a minute before it continues.
07.12.2009, 10:08 | #4
Viruses or too little RAM?
Hi,
1 GB is definitely too little for Vista. Also, you need to click "Show processes from all users" in Task Manager...

Malwarebytes Anti-Malware (MAM)
Instructions & download here: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html
Full scan and let it clean everything! Post the log.

RSIT
Random's System Information Tool (RSIT) by random/random reads out system details and creates a meaningful logfile.
* Download Random's System Information Tool (RSIT): http://filepony.de/download-rsit/
* Save it to your desktop.
* Start RSIT.exe with a double-click.
* Click Continue to accept the terms of use.
* If you do not have HijackThis installed, RSIT will download and install it for you.
* In that case, please also accept Trend Micro's terms of use (http://de.trendmicro.com/de/home) for HJT with "I accept".
* If your firewall asks, please allow RSIT to go online.
* The scan starts automatically; RSIT now checks some important system areas and produces logfiles as the basis for analysis.
* When the scan is finished, two logfiles are created and opened in your editor.
* Please post the contents of C:\rsit\log.txt and C:\rsit\info.txt (<= minimized) here in the thread.

Gmer: http://www.trojaner-board.de/74908-anleitung-gmer-rootkit-scanner.html
You will find the download link at the top left (www.gmer.net/files); there click the "Download EXE" button, which generates a random file name (please remember it and the path where you saved it). Start GMER and see whether it already reports something. If it does, please answer all questions with "no", go to the "rootkit" tab, again answer the question with "no", and paste the report into the thread using Copy. If it reports nothing, go to the Rootkit tab and run a scan. When it is finished, select Copy and paste the report.
chris
Don't bring me down
Read before posting! Donations (anyone who wants to donate is welcome to get in touch)
08.12.2009, 01:42 | #5
Viruses or too little RAM?
So, now I have done everything. What do the results mean? MAM had no hits:
Code:
Malwarebytes' Anti-Malware 1.42
Datenbank Version: 3312
Windows 6.0.6000
Internet Explorer 8.0.6001.18828

07/12/2009 3:40:47 PM
mbam-log-2009-12-07 (15-40-47).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 215925
Laufzeit: 1 hour(s), 8 minute(s), 51 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

Log:
Code:
Logfile of random's system information tool 1.06 (written by random/random)
Run by mobagher at 2009-12-07 15:43:06
Microsoft® Windows Vista™ Home Basic
System drive C: has 78 GB (77%) free of 102 GB
Total RAM: 1013 MB (24% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:26 PM, on 07/12/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe
C:\Program Files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\mobagher\Desktop\RSIT.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\mobagher\Downloads\mobagher.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080720
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS security services\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TELUS_McciTrayApp] C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe
O4 - HKLM\..\Run: [TelusWCC_McciTrayApp] C:\Program Files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
O4 - HKLM\..\Run: [lxdxamon] "C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Picture Motion Browser Medien-Prüfung.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\Windows\system32\lxdxcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS security services (Radialpoint Security Services) - TELUS - C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
O23 - Service: TELUS security services Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS security services\Fws.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10275 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}]
Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2008-06-13 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}]
PopKill Class - C:\Program Files\TELUS\TELUS security services\pkR.dll [2008-12-09 55536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-05 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-11-27 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-09-05 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\Dell\BAE\BAE.dll [2006-11-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]
{1017A80C-6F09-4548-A84D-EDD6AC9525F0} - Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2008-06-13 266240]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-05 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-07-20 1006264]
"ECenter"=C:\Dell\E-Center\EULALauncher.exe [2008-02-28 17920]
"Apoint"=C:\Program Files\DellTPad\Apoint.exe [2008-05-04 167936]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [2007-11-12 405504]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-03-05 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-03-05 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-03-05 133656]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-03-21 174872]
"Broadcom Wireless Manager UI"=C:\Windows\system32\WLTRAY.exe [2008-05-16 3444736]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2008-03-11 16384]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2007-12-21 184320]
"TELUS_McciTrayApp"=C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe [2007-10-07 1462272]
"TelusWCC_McciTrayApp"=C:\Program Files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe [2006-03-10 543232]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"lxdxmon.exe"=C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe [2008-06-13 668328]
"lxdxamon"=C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe [2008-06-13 16040]
"FaxCenterServer"=C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2008-06-13 320168]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-12-03 429392]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-20 68856]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-11-02 201728]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
AutorunsDisabled
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe

C:\Users\mobagher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Picture Motion Browser Medien-Prüfung.lnk - C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2008-07-20 10536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-03-05 200704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-12-07 15:43:06 ----D---- C:\rsit
2009-12-07 14:30:40 ----D---- C:\Users\mobagher\AppData\Roaming\Malwarebytes
2009-12-07 14:30:30 ----D---- C:\ProgramData\Malwarebytes
2009-12-07 14:30:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-07 00:10:55 ----D---- C:\PerfLogs
2009-12-06 23:13:37 ----D---- C:\8400c5623fc3a6d97efd9cd826
2009-12-06 21:32:01 ----D---- C:\Program Files\HijackThis
2009-12-06 20:29:38 ----A---- C:\Windows\system32\occache.dll
2009-12-06 20:29:37 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-12-06 20:29:37 ----A---- C:\Windows\system32\msfeeds.dll
2009-12-06 20:29:37 ----A---- C:\Windows\system32\jsproxy.dll
2009-12-06 20:29:37 ----A---- C:\Windows\system32\iepeers.dll
2009-12-06 20:29:36 ----A---- C:\Windows\system32\ieui.dll
2009-12-06 20:29:36 ----A---- C:\Windows\system32\iesetup.dll
2009-12-06 20:29:35 ----A---- C:\Windows\system32\wininet.dll
2009-12-06 20:29:35 ----A---- C:\Windows\system32\msfeedssync.exe
2009-12-06 20:29:35 ----A---- C:\Windows\system32\iernonce.dll
2009-12-06 20:29:35 ----A---- C:\Windows\system32\ie4uinit.exe
2009-12-06 20:29:32 ----A---- C:\Windows\system32\ieUnatt.exe
2009-12-06 20:29:32 ----A---- C:\Windows\system32\iesysprep.dll
2009-12-06 20:29:32 ----A---- C:\Windows\system32\iertutil.dll
2009-12-06 20:29:32 ----A---- C:\Windows\system32\iedkcs32.dll
2009-12-06 20:29:30 ----A---- C:\Windows\system32\urlmon.dll
2009-12-06 20:29:29 ----A---- C:\Windows\system32\ieframe.dll
2009-12-06 20:29:27 ----A---- C:\Windows\system32\mshtml.dll
2009-12-06 20:26:59 ----A---- C:\Windows\system32\mshtmled.dll
2009-12-06 20:26:59 ----A---- C:\Windows\system32\icardie.dll
2009-12-06 20:26:58 ----A---- C:\Windows\system32\msls31.dll
2009-12-06 20:26:58 ----A---- C:\Windows\system32\mshtmler.dll
2009-12-06 20:26:58 ----A---- C:\Windows\system32\corpol.dll
2009-12-06 20:26:58 ----A---- C:\Windows\system32\admparse.dll
2009-12-06 20:26:56 ----A---- C:\Windows\system32\imgutil.dll
2009-12-06 20:26:56 ----A---- C:\Windows\system32\ieakeng.dll
2009-12-06 20:26:56 ----A---- C:\Windows\system32\dxtrans.dll
2009-12-06 20:26:56 ----A---- C:\Windows\system32\dxtmsft.dll
2009-12-06 20:26:55 ----A---- C:\Windows\system32\licmgr10.dll
2009-12-06 20:26:55 ----A---- C:\Windows\system32\inseng.dll
2009-12-06 20:26:54 ----A---- C:\Windows\system32\webcheck.dll
2009-12-06 20:26:54 ----A---- C:\Windows\system32\msrating.dll
2009-12-06 20:26:54 ----A---- C:\Windows\system32\ieaksie.dll
2009-12-06 20:26:53 ----A---- C:\Windows\system32\WinFXDocObj.exe
2009-12-06 20:26:53 ----A---- C:\Windows\system32\wextract.exe
2009-12-06 20:26:53 ----A---- C:\Windows\system32\mstime.dll
2009-12-06 20:26:53 ----A---- C:\Windows\system32\ieakui.dll
2009-12-06 20:26:52 ----A---- C:\Windows\system32\pngfilt.dll
2009-12-06 20:26:52 ----A---- C:\Windows\system32\ieapfltr.dll
2009-12-06 20:26:52 ----A---- C:\Windows\system32\advpack.dll
2009-12-06 20:26:51 ----A---- C:\Windows\system32\vbscript.dll
2009-12-06 20:26:51 ----A---- C:\Windows\system32\url.dll
2009-12-06 20:26:51 ----A---- C:\Windows\system32\jscript.dll
2009-12-06 20:26:45 ----A---- C:\Windows\system32\SetIEInstalledDate.exe
2009-12-06 20:26:45 ----A---- C:\Windows\system32\RegisterIEPKEYs.exe
2009-12-06 20:26:45
----A---- C:\Windows\system32\PDMSetup.exe 2009-12-06 20:26:45 ----A---- C:\Windows\system32\mshta.exe 2009-12-06 20:26:45 ----A---- C:\Windows\system32\iexpress.exe 2009-12-06 20:05:47 ----D---- C:\Users\mobagher\AppData\Roaming\Mozilla 2009-12-06 20:05:14 ----D---- C:\Program Files\Mozilla Firefox 2009-12-06 18:31:42 ----N---- C:\Windows\system32\MpSigStub.exe 2009-12-06 18:15:34 ----D---- C:\ProgramData\Avira 2009-12-06 18:15:34 ----D---- C:\Program Files\Avira 2009-12-06 16:01:58 ----A---- C:\Windows\system32\tzres.dll 2009-12-06 15:31:05 ----A---- C:\Windows\system32\msxml6.dll 2009-12-06 15:31:05 ----A---- C:\Windows\system32\msxml3.dll 2009-12-06 15:31:04 ----A---- C:\Windows\system32\msxml6r.dll 2009-12-06 15:31:04 ----A---- C:\Windows\system32\msxml3r.dll 2009-11-13 17:43:33 ----A---- C:\Windows\system32\WSDApi.dll 2009-11-13 17:18:07 ----A---- C:\Windows\system32\wups2.dll 2009-11-13 17:18:06 ----A---- C:\Windows\system32\wucltux.dll 2009-11-13 17:18:06 ----A---- C:\Windows\system32\wuaueng.dll 2009-11-13 17:18:06 ----A---- C:\Windows\system32\wuauclt.exe 2009-11-13 17:17:22 ----A---- C:\Windows\system32\wups.dll 2009-11-13 17:17:22 ----A---- C:\Windows\system32\wudriver.dll 2009-11-13 17:17:22 ----A---- C:\Windows\system32\wuapi.dll 2009-11-13 17:16:47 ----A---- C:\Windows\system32\wuwebv.dll 2009-11-13 17:16:46 ----A---- C:\Windows\system32\wuapp.exe ======List of files/folders modified in the last 1 months====== 2009-12-07 15:43:23 ----D---- C:\Windows\Prefetch 2009-12-07 15:43:16 ----D---- C:\Windows\Temp 2009-12-07 15:32:57 ----D---- C:\Windows\tracing 2009-12-07 14:30:33 ----D---- C:\Windows\system32\drivers 2009-12-07 14:30:30 ----HD---- C:\ProgramData 2009-12-07 14:30:29 ----RD---- C:\Program Files 2009-12-07 14:21:38 ----D---- C:\Windows\System32 2009-12-07 14:21:37 ----D---- C:\Windows\inf 2009-12-07 14:21:37 ----A---- C:\Windows\system32\PerfStringBackup.INI 2009-12-07 14:18:50 ----D---- C:\Windows\winsxs 2009-12-07 14:18:37 ----D---- 
C:\Program Files\Internet Explorer 2009-12-07 14:18:33 ----SHD---- C:\Windows\Installer 2009-12-07 14:17:04 ----SHD---- C:\System Volume Information 2009-12-07 01:09:06 ----D---- C:\Windows\system32\catroot 2009-12-07 00:44:13 ----D---- C:\Windows\system32\config 2009-12-07 00:43:26 ----D---- C:\Windows\Tasks 2009-12-07 00:43:26 ----D---- C:\Windows\system32\spool 2009-12-07 00:43:24 ----D---- C:\Windows\system32\CodeIntegrity 2009-12-07 00:43:24 ----D---- C:\Windows\system32\catroot2 2009-12-07 00:43:23 ----D---- C:\Windows 2009-12-07 00:43:23 ----D---- C:\Program Files\DellTPad 2009-12-07 00:43:11 ----D---- C:\Windows\registration 2009-12-07 00:33:57 ----D---- C:\Program Files\Windows Sidebar 2009-12-07 00:33:57 ----D---- C:\Program Files\Windows Media Player 2009-12-07 00:33:57 ----D---- C:\Program Files\Windows Mail 2009-12-07 00:33:57 ----D---- C:\Program Files\Windows Collaboration 2009-12-07 00:33:57 ----D---- C:\Program Files\Windows Calendar 2009-12-07 00:33:57 ----D---- C:\Program Files\Movie Maker 2009-12-07 00:33:56 ----D---- C:\Windows\system32\ko-KR 2009-12-07 00:33:56 ----D---- C:\Windows\system32\da-DK 2009-12-07 00:33:56 ----D---- C:\Windows\system32\com 2009-12-07 00:33:56 ----D---- C:\Windows\servicing 2009-12-07 00:33:56 ----D---- C:\Windows\PolicyDefinitions 2009-12-07 00:33:56 ----D---- C:\Windows\MSAgent 2009-12-07 00:33:56 ----D---- C:\Windows\L2Schemas 2009-12-07 00:33:56 ----D---- C:\Windows\IME 2009-12-07 00:33:56 ----D---- C:\Windows\DigitalLocker 2009-12-07 00:33:56 ----D---- C:\Program Files\Windows Photo Gallery 2009-12-07 00:33:56 ----D---- C:\Program Files\Windows Defender 2009-12-07 00:33:56 ----D---- C:\Program Files\Common Files\System 2009-12-07 00:33:55 ----D---- C:\Windows\system32\it-IT 2009-12-07 00:33:55 ----D---- C:\Windows\system32\en-US 2009-12-07 00:33:55 ----D---- C:\Windows\system32\el-GR 2009-12-07 00:33:55 ----D---- C:\Windows\system32\de-DE 2009-12-07 00:33:53 ----D---- C:\Windows\system32\sysprep 2009-12-07 
00:33:53 ----D---- C:\Windows\system32\sv-SE 2009-12-07 00:33:53 ----D---- C:\Windows\system32\SLUI 2009-12-07 00:33:53 ----D---- C:\Windows\system32\setup 2009-12-07 00:33:53 ----D---- C:\Windows\system32\ru-RU 2009-12-07 00:33:53 ----D---- C:\Windows\system32\pt-PT 2009-12-07 00:33:53 ----D---- C:\Windows\system32\oobe 2009-12-07 00:33:53 ----D---- C:\Windows\system32\ias 2009-12-07 00:33:53 ----D---- C:\Windows\system32\hu-HU 2009-12-07 00:33:53 ----D---- C:\Windows\system32\he-IL 2009-12-07 00:33:53 ----D---- C:\Windows\system32\fr-FR 2009-12-07 00:33:53 ----D---- C:\Windows\system32\fi-FI 2009-12-07 00:33:53 ----D---- C:\Windows\system32\cs-CZ 2009-12-07 00:33:53 ----D---- C:\Windows\system32\AdvancedInstallers 2009-12-07 00:33:52 ----D---- C:\Windows\system32\zh-TW 2009-12-07 00:33:52 ----D---- C:\Windows\system32\zh-CN 2009-12-07 00:33:52 ----D---- C:\Windows\system32\tr-TR 2009-12-07 00:33:52 ----D---- C:\Windows\system32\ro-RO 2009-12-07 00:33:52 ----D---- C:\Windows\system32\pl-PL 2009-12-07 00:33:52 ----D---- C:\Windows\system32\nl-NL 2009-12-07 00:33:52 ----D---- C:\Windows\system32\nb-NO 2009-12-07 00:33:52 ----D---- C:\Windows\system32\manifeststore 2009-12-07 00:33:52 ----D---- C:\Windows\system32\ja-JP 2009-12-07 00:33:52 ----D---- C:\Windows\system32\es-ES 2009-12-07 00:33:52 ----D---- C:\Windows\system32\en 2009-12-07 00:33:52 ----D---- C:\Windows\system32\ar-SA 2009-12-07 00:33:51 ----D---- C:\Windows\system32\pt-BR 2009-12-07 00:33:51 ----D---- C:\Windows\system32\migwiz 2009-12-07 00:33:42 ----D---- C:\Windows\AppPatch 2009-12-07 00:11:08 ----D---- C:\Windows\Boot 2009-12-06 22:10:58 ----D---- C:\Program Files\Common Files\Symantec Shared 2009-12-06 22:10:50 ----D---- C:\ProgramData\Symantec 2009-12-06 20:35:11 ----D---- C:\Windows\system32\migration 2009-12-06 20:30:52 ----D---- C:\Windows\Debug 2009-12-06 18:37:48 ----D---- C:\Program Files\Common Files 2009-11-14 03:04:47 ----A---- C:\Windows\win.ini 2009-11-13 17:05:28 ----SD---- 
C:\Users\mobagher\AppData\Roaming\Microsoft ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608] R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-03-30 96104] R1 kl1;kl1; C:\Windows\system32\DRIVERS\kl1.sys [2008-06-26 112144] R1 KLIF;Kaspersky Lab Driver; C:\Windows\system32\DRIVERS\klif.sys [2008-06-26 147984] R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520] R1 StarOpen;StarOpen; C:\Windows\system32\drivers\StarOpen.sys [2007-02-20 5632] R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-07-28 55656] R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672] R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-09-06 39936] R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-09-06 42496] R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-09-06 37376] R2 RPSKT;Security Services Driver (x86); C:\Windows\system32\DRIVERS\rp_skt32.sys [2008-04-24 53192] R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192] R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP/Vista; C:\Windows\system32\DRIVERS\Apfiltr.sys [2008-05-04 164400] R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2008-05-16 1044984] R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-07-20 14208] R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-11-02 986624] R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-11-02 206848] R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-03-05 2016256] R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service; C:\Windows\system32\drivers\IntcHdmi.sys [2008-03-05 111616] R3 MRESP50;MRESP50 NDIS Protocol Driver; 
\??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-09-07 18304] R3 RPPKT;Radialpoint Filter (x86); C:\Windows\system32\DRIVERS\rp_pkt32.sys [2007-04-19 48384] R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-07-20 82432] R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-11-12 330240] R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-11-02 659968] R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-07-20 11264] R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x86.sys [2007-09-28 278528] S3 BCM42RLY;BCM42RLY; C:\Windows\system32\drivers\BCM42RLY.sys [] S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632] S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-01 200704] S3 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-09-07 19712] S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [] S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [] S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [] S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [] S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192] S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888] S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016] S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-01 2028032] S3 usbscan;USB Scanner Driver; 
C:\Windows\system32\DRIVERS\usbscan.sys [2006-11-02 35328] S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 AESTFilters;Andrea ST Filters Service; C:\Windows\system32\aestsrv.exe [2007-11-12 73728] R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289] R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089] R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-03-21 355096] R2 lxdx_device;lxdx_device; C:\Windows\system32\lxdxcoms.exe [2008-02-27 594600] R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [2008-02-27 98984] R2 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [2007-09-26 303104] R2 PDAgent;PDAgent; C:\Program Files\Raxco\PerfectDisk\PDAgent.exe [2008-04-28 414984] R2 RP_FWS;TELUS security services Firewall; C:\Program Files\TELUS\TELUS security services\Fws.exe [2008-12-09 363248] R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968] R2 STacSV;SigmaTel Audio Service; C:\Windows\system32\STacSV.exe [2007-11-12 102400] R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\Windows\System32\WLTRYSVC.EXE [2008-05-16 24064] R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560] R3 PDEngine;PDEngine; C:\Program Files\Raxco\PerfectDisk\PDEngine.exe [2008-04-28 738568] S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2008-07-20 16680] S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-14 182768] S3 ose;Office Source Engine; 
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136] S3 Radialpoint Security Services;TELUS security services; C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe [2008-12-09 97520] S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328] S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240] S4 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-06 30192] -----------------EOF----------------- Code:
info.txt logfile of random's system information tool 1.06 2009-12-07 15:43:37

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\InstallShield Installation Information\{36C41D70-56F5-4E2B-81DA-6BEB7502D7A1}\setup.exe -runfromtemp -l0x0007 -removeonly
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
Cisco EAP-FAST Module-->MsiExec.exe /I{BF53252E-4AB2-4C7F-A0FD-6100755745E3}
Cisco LEAP Module-->MsiExec.exe /I{76F9CF97-FC4B-4E20-B363-D127C888448F}
Cisco PEAP Module-->MsiExec.exe /I{4E5386F5-C0F6-4532-A54A-374865AEAB71}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D330 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000fz.inf
Dell Getting Started Guide-->MsiExec.exe /I{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}
Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell Touchpad-->C:\Program Files\DellTPad\Uninstap.exe ADDREMOVE
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
EDocs-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}\setup.exe"
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
GoToAssist 8.0.0.514-->C:\Program Files\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall
HijackThis 2.0.2-->"C:\Users\mobagher\Downloads\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel(R) Matrix Storage Manager-->C:\Windows\System32\Imsmudlg.exe
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Lexmark 3600-4600 Series-->C:\Program Files\Lexmark 3600-4600 Series\Install\x86\Uninst.exe
Lexmark Fax Solutions-->C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe /R:faxunst
Lexmark Toolbar-->regsvr32.exe /s /u "C:\Program Files\Lexmark Toolbar\toolband.dll"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaDirect-->C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0009 -cluninstall
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110407-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (3.5.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Music, Photos & Videos Launcher-->MsiExec.exe /I{D7769185-9A7C-48D4-8874-5388743A1DE2}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
OutlookAddinSetup-->MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
PerfectDisk-->MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
Picture Package Music Transfer-->C:\Program Files\InstallShield Installation Information\{CE2121C6-C94D-4A73-8EA4-6943F33EE335}\setup.exe -runfromtemp -l0x0007 -removeonly
Product Documentation Launcher-->MsiExec.exe /I{89CEAE14-DD0F-448E-9554-15781EC9DB24}
QuickSet-->MsiExec.exe /I{4B6AD248-D3BF-426A-8D64-847288154F13}
Roxio Creator Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE-->C:\ProgramData\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
RPS Ad Blocker-->MsiExec.exe /I{F6C5EB4A-3EE9-4CEE-B1A8-FFC4DE530CD3}
RPS AntiFraud-->MsiExec.exe /I{C02708B9-5BDD-4C65-98D0-A6C0865D6715}
RPS AntiSpyware-->MsiExec.exe /I{9F4ACFEE-56F7-42AA-A334-FE096B66AD38}
RPS AntiVirus-->MsiExec.exe /I{CEBD6094-1BD9-4D70-BA28-4F285B38672A}
RPS App Detector-->MsiExec.exe /I{70E12878-2832-49EA-BE42-AB63BDB99CE4}
RPS Backup-->MsiExec.exe /I{F1CA2F96-62F8-4910-BCF0-E932956E9C7F}
RPS Burn-->MsiExec.exe /I{CD090154-112E-4691-BDD2-722523BA36C3}
RPS CRT-->MsiExec.exe /I{5D8CC168-A12E-422D-A3DF-53AD64E4F1ED}
RPS Diagnostic Utility-->MsiExec.exe /I{EEE4915E-DE29-4EAF-BAA6-7416D6CA088C}
RPS Firewall-->MsiExec.exe /I{0780E6EC-24B8-4026-83A9-40768B4296FF}
RPS Ksdk-->MsiExec.exe /I{2C513AF4-5277-445B-B573-479EED03CE65}
RPS ParentalControl-->MsiExec.exe /I{96F79E2B-2694-458F-AA18-0418ED74D12F}
RPS Performance Tool-->MsiExec.exe /I{6D28AB0F-040B-4A2A-B64F-18AA4E51608C}
RPS PopupBlocker-->MsiExec.exe /I{C3520BD2-B480-4305-8D73-B891BFAAF9E2}
RPS Privacy Manager-->MsiExec.exe /I{6A3C448A-91EA-467A-BABB-A3D96DA5D219}
RPS RpsCore-->MsiExec.exe /I{81918A34-CCAE-4985-BC17-AC97DB96BFB5}
RPS Security Cleanup-->MsiExec.exe /I{0978245B-17FE-4ECA-A4A5-379E9DBFA9EE}
RPS Zip-->MsiExec.exe /I{4745EDC8-2A89-42A9-AC1A-7F9BF8943F48}
Sony Picture Utility-->C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe -runfromtemp -l0x0007 uninstall -removeonly
TELUS security advisor 2.0.21-->"C:\Program Files\TELUS\TELUS security advisor\unins000.exe"
TELUS security services-->"C:\Program Files\InstallShield Installation Information\{69F6C2C5-2DFB-47C3-9B4D-45918ED52E6C}\setup.exe" -runfromtemp -l0x0009 -removeonly
TELUS Support Centre (remove only)-->C:\Program Files\TELUS\TELUS Support Centre\bin\uninstallTSC.exe
TELUS Wireless Connection Manager-->C:\Program Files\TELUS\TELUS Wireless Connection Manager\uninstallWCM.exe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Yahoo! Extras-->C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager-->C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail-->C:\Windows\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Security center information======

AV: AntiVir Desktop
AS: AntiVir Desktop
AS: Windows Defender

======System event log======

Computer Name: mobagher-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB971961(Security Update) into Install Requested(Install Requested) state
Record Number: 73034
Source Name: Microsoft-Windows-Servicing
Time Written: 20091207221846.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mobagher-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB976749(Update) into Install Requested(Install Requested) state
Record Number: 73048
Source Name: Microsoft-Windows-Servicing
Time Written: 20091207221857.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mobagher-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB976749(Update) into Install Requested(Install Requested) state
Record Number: 73050
Source Name: Microsoft-Windows-Servicing
Time Written: 20091207221857.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mobagher-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB976749(Update) into Install Requested(Install Requested) state
Record Number: 73052
Source Name: Microsoft-Windows-Servicing
Time Written: 20091207221857.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mobagher-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB976749(Update) into Install Requested(Install Requested) state
Record Number: 73054
Source Name: Microsoft-Windows-Servicing
Time Written: 20091207221857.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: mobagher-PC
Event Code: 4113
Message: AntiVir has detected 'TR/Crypt.XPACK.Gen2' in the file C:\Windows\winsxs\Temp\PendingRenames\99549b261077ca01a30600003809fc16.x86_microsoft-windows-shlwapi_31bf3856ad364e35_6.0.6001.18000_none_f9d9b204a4aeeb4a_shlwapi.dll_1eec0a2e
Record Number: 9216
Source Name: Avira AntiVir
Time Written: 20091207073739.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mobagher-PC
Event Code: 4113
Message: AntiVir has detected 'TR/Crypt.XPACK.Gen2' in the file C:\Windows\winsxs\Temp\PendingRenames\493113541077ca016a0700003809fc16.x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18167_none_6bef4f42122643ed_shell32.dll_0d29dca9
Record Number: 9217
Source Name: Avira AntiVir
Time Written: 20091207073902.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mobagher-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
6 user registry handles leaked from \Registry\User\S-1-5-21-3670383763-2252064450-1082423527-1000:
Process 1144 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3670383763-2252064450-1082423527-1000
Process 936 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3670383763-2252064450-1082423527-1000
Process 1144 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3670383763-2252064450-1082423527-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1144 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3670383763-2252064450-1082423527-1000\Software\Policies\Microsoft\SystemCertificates
Process 1144 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3670383763-2252064450-1082423527-1000\Software\Microsoft\SystemCertificates\Root
Process 1144 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3670383763-2252064450-1082423527-1000\Software\Microsoft\SystemCertificates\trust
Record Number: 9224
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20091207080222.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mobagher-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3670383763-2252064450-1082423527-1000_Classes:
Process 936 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3670383763-2252064450-1082423527-1000_CLASSES
Record Number: 9225
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20091207080224.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mobagher-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
0 user registry handles leaked from \Registry\User\S-1-5-21-3670383763-2252064450-1082423527-1000:
Record Number: 9263
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20091207100949.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: mobagher-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll
Record Number: 7888
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091207233835.541130-000
Event Type: Audit Failure
User:

Computer Name: mobagher-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll
Record Number: 7889
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091207233835.587930-000
Event Type: Audit Failure
User:

Computer Name: mobagher-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll
Record Number: 7890
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091207233835.650330-000
Event Type: Audit Failure
User:

Computer Name: mobagher-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll
Record Number: 7891
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091207233835.697130-000
Event Type: Audit Failure
User:

Computer Name: mobagher-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll
Record Number: 7892
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091207233835.759530-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 22 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=1601
"NUMBER_OF_PROCESSORS"=1
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\

-----------------EOF-----------------

GMER:
Code:
GMER 1.0.15.15272 - http://www.gmer.net
Rootkit scan 2009-12-07 16:40:47
Windows 6.0.6000
Running: oxy6d8xh.exe; Driver: C:\Users\mobagher\AppData\Local\Temp\awldqkow.sys

---- System - GMER 1.0.15 ----

SSDT A2A9666C ZwCreateThread
SSDT A2A96658 ZwOpenProcess
SSDT A2A9665D ZwOpenThread
SSDT A2A96667 ZwTerminateProcess

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7440FBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [743DB9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [743CA31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [743CCBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [743C8AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [743DCF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743C7D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [743C7CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743C6A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7445C1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [743E7F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [743C90CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [743D2179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743D21A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743D7F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743D7D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [744083D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
08.12.2009, 03:18 | #6 |
Viruses or too little RAM?
Another problem: Windows keeps trying to install updates. Service Pack 1 has already been installed twice. Then came the prompt to restart the PC. That took forever, and in the end you learn that the update was not installed correctly. As I said, I've been through that twice now. Now it shows me 5 updates and tries to download them. But nothing happens. For 10 minutes now it has said 0 KB downloaded. I find that very strange.
08.12.2009, 07:50 | #7 |
Viruses or too little RAM?
Hi,
did you let GMER do a complete scan, or is the log from the automatic scan when GMER starts?
What kind of file is this: C:\Users\mobagher\Downloads\mobagher.exe ?
We need to dig a bit deeper... (nothing found so far, possibly a rootkit...)

Combofix
Download Combo Fix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop. Close all windows, start combofix.exe and confirm the following prompt with 1 and press Enter. The Combofix scan can take some time, so be patient. Please do not do anything on the computer during the scan. It is possible that the computer will be restarted in between. After the scan finishes a report is displayed; please copy it and paste it into your thread.

Furthermore, a file operation that Windows should have performed at boot (and which the virus scanner flagged) is still pending. That is probably what's blocking the update...
http://www.netzwelt.de/forum/windows...e80073712.html
http://windows.microsoft.com/en-US/w...error-80070002

Repair the system:
Download "Advanced Windowscare Professional" from the following address: http://www.iobit.com/advancedwindows...l?Str=download
Install in German, deselect the Yahoo toolbar etc. Create a system restore point (Start->Programs->Accessories->System Tools->System Restore->create a restore point->Next, think of a description->Create) or let it be created automatically. Then run an update of the signature/repair files. Then let it scan the whole system, clean it and immunise it. That straightens out a number of entries that trojans/viruses have bent..
chris
08.12.2009, 08:36 | #8 |
Viruses or too little RAM?
GMER was a complete scan. At startup it found nothing. I can't find mobagher.exe at all via Explorer. mobagher is the computer name, in case that helps. Here is the Combofix logfile now:
Code:
ComboFix 09-12-07.07 - mobagher 07/12/2009 23:06.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.2.1033.18.1013.318 [GMT -8:00]
Running from: c:\users\mobagher\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1738422755-998661840-641317060-500
c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500
c:\$recycle.bin\S-1-5-21-3670383763-2252064450-1082423527-500
c:\windows\system32\oem6.inf
.
((((((((((((((((((((((((( Files Created from 2009-11-08 to 2009-12-08 )))))))))))))))))))))))))))))))
.
2009-12-08 07:22 . 2009-12-08 07:23 -------- d-----w- c:\users\mobagher\AppData\Local\temp
2009-12-08 07:22 . 2009-12-08 07:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-08 02:41 . 2009-12-08 02:55 -------- d-----w- c:\users\mobagher\AppData\Local\Apple Computer
2009-12-08 02:41 . 2009-12-08 02:55 -------- d-----w- c:\users\mobagher\AppData\Roaming\Apple Computer
2009-12-08 02:39 . 2009-05-18 22:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-08 02:39 . 2008-04-17 21:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-08 02:39 . 2009-12-08 02:39 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-08 02:38 . 2009-12-08 02:38 -------- d-----w- c:\program files\iPod
2009-12-08 02:38 . 2009-12-08 02:39 4096 d-----w- c:\program files\iTunes
2009-12-08 02:38 . 2009-12-08 02:39 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-08 02:35 . 2009-12-08 02:35 -------- d-----w- c:\program files\Bonjour
2009-12-08 02:34 . 2009-12-08 02:35 4096 d-----w- c:\program files\QuickTime
2009-12-08 02:34 . 2009-12-08 02:38 -------- d-----w- c:\programdata\Apple Computer
2009-12-08 02:31 . 2009-12-08 02:31 -------- d-----w- c:\users\mobagher\AppData\Local\Apple
2009-12-08 02:31 . 2009-12-08 02:31 4096 d-----w- c:\program files\Apple Software Update
2009-12-08 02:26 . 2009-12-08 02:29 -------- d-----w- c:\windows\LastGood
2009-12-08 02:20 . 2009-12-08 02:38 -------- d-----w- c:\program files\Common Files\Apple
2009-12-08 02:20 . 2009-12-08 02:20 -------- d-----w- c:\programdata\Apple
2009-12-07 23:43 . 2009-12-07 23:43 -------- d-----w- C:\rsit
2009-12-07 22:30 . 2009-12-07 22:30 -------- d-----w- c:\users\mobagher\AppData\Roaming\Malwarebytes
2009-12-07 22:30 . 2009-12-07 22:30 -------- d-----w- c:\programdata\Malwarebytes
2009-12-07 22:30 . 2009-12-07 22:30 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-07 08:10 . 2009-12-07 08:10 -------- d-----w- C:\PerfLogs
2009-12-07 07:13 . 2009-12-07 07:20 -------- d-----w- C:\8400c5623fc3a6d97efd9cd826
2009-12-07 04:10 . 2009-11-19 19:48 43008 ----a-w- c:\users\mobagher\AppData\Roaming\Mozilla\Firefox\Profiles\jt0lcxnh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-07 04:10 . 2009-11-19 19:48 340480 ----a-w- c:\users\mobagher\AppData\Roaming\Mozilla\Firefox\Profiles\jt0lcxnh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-07 04:10 . 2009-11-19 19:48 872960 ----a-w- c:\users\mobagher\AppData\Roaming\Mozilla\Firefox\Profiles\jt0lcxnh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-07 04:10 . 2009-11-19 19:48 346624 ----a-w- c:\users\mobagher\AppData\Roaming\Mozilla\Firefox\Profiles\jt0lcxnh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-07 04:05 . 2009-12-07 04:05 -------- d-----w- c:\users\mobagher\AppData\Local\Mozilla
2009-12-07 02:31 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-07 02:15 . 2009-12-08 02:17 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-07 02:15 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-07 02:15 . 2009-12-07 02:15 -------- d-----w- c:\programdata\Avira
2009-12-07 02:15 . 2009-12-07 02:15 -------- d-----w- c:\program files\Avira
2009-12-07 00:01 . 2009-10-29 07:59 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-06 23:31 . 2009-08-10 13:05 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-12-06 23:31 . 2009-08-10 13:05 1260032 ----a-w- c:\windows\system32\msxml3.dll
2009-12-06 23:31 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-12-06 23:31 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-11-14 01:44 . 2009-08-14 14:01 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-14 01:43 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-14 01:18 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-11-14 01:18 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-14 01:18 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-14 01:18 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-14 01:17 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-11-14 01:17 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-14 01:17 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-14 01:16 . 2009-08-07 03:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-14 01:16 . 2009-08-07 02:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-08 07:27 . 2009-04-16 10:23 92834592 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-08 02:06 . 2008-07-20 14:33 4096 d-----w- c:\program files\Google
2009-12-08 01:53 . 2008-07-20 22:02 4096 d-----w- c:\program files\DellTPad
2009-12-07 08:33 . 2006-11-02 12:35 4096 d-----w- c:\program files\Windows Sidebar
2009-12-07 08:33 . 2006-11-02 12:35 4096 d-----w- c:\program files\Windows Collaboration
2009-12-07 08:33 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-12-07 08:33 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-12-07 08:33 . 2006-11-02 12:35 4096 d-----w- c:\program files\Windows Photo Gallery
2009-12-07 08:33 . 2006-11-02 12:35 4096 d-----w- c:\program files\Windows Defender
2009-12-07 06:12 . 2009-04-16 10:23 1155140 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-07 06:10 . 2008-07-20 14:42 24576 d-----w- c:\program files\Common Files\Symantec Shared
2009-12-07 06:10 . 2008-07-20 14:42 4096 d-----w- c:\programdata\Symantec
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-09-14 09:50 . 2009-10-17 19:21 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:38 . 2009-10-17 19:22 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 17:31 . 2009-10-31 19:11 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-10 17:30 . 2009-10-31 19:11 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-10 15:29 . 2009-10-31 19:11 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-10 15:14 . 2009-10-31 19:10 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2008-07-20 21:55 . 2008-07-20 21:40 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-20 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-07-20 1006264]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-16 3444736]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"TelusWCC_McciTrayApp"="c:\program files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe" [2006-03-10 543232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]

c:\users\mobagher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picture Motion Browser Medien-Prüfung.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-11-15 385024]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-20 50688]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-20 14:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 18:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TELUS_McciTrayApp]
2007-10-08 06:16 1462272 ----a-w- c:\program files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [20/07/2008 6:09 AM 73728]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [06/12/2009 6:15 PM 108289]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdxserv.exe [09/03/2009 6:30 PM 98984]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [20/07/2008 2:02 PM 111616]
S3 Radialpoint Security Services;TELUS security services;c:\program files\TELUS\TELUS security services\RpsSecurityAwareR.exe [09/12/2008 2:04 PM 97520]
S4 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [20/07/2008 6:33 AM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080720
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\mobagher\AppData\Roaming\Mozilla\Firefox\Profiles\jt0lcxnh.default\
FF - prefs.js: browser.startup.homepage - www.igoogle.com
FF - component: c:\users\mobagher\AppData\Roaming\Mozilla\Firefox\Profiles\jt0lcxnh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\TELUS\TELUS security advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-07 23:22
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-07 23:30
ComboFix-quarantined-files.txt 2009-12-08 07:30

Pre-Run: 78,984,581,120 bytes free
Post-Run: 79,121,723,392 bytes free

- - End Of File - - A16CB0D13C33306EC78115B910FD27B5

Thanks, by the way, for your thorough help. Do you think there's still something there? This Advanced Systemcare Pro costs money, though. Does the free version work too??? I'd also rather not sign up with some service just to get it for free. I'll just take the free version now. Does that even work with it? I'm having a bit of trouble with the program. I just pressed Go. It finds problems everywhere, which it then fixes. Great. But is that it?
Last edited by Peter0850 (08.12.2009 at 09:17)
08.12.2009, 09:06 | #9 | |
Viruses or too little RAM?
Hi,
Combofix deleted something in the recycle bin and an ini... However, security settings have been tampered with:
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
If you know your way around regedit you can delete them; otherwise I'll cobble together a suitable Combofix script...
Run HJ again and post the log; let's see whether mobagher.exe is still there, then we'll take a closer look at it...
Have you made any progress with the stuck updates?
Gmer reports changes to the MBR, so proceed as follows:

MBR rootkit
Download GMER's MBR rootkit scanner to your boot drive: http://www2.gmer.net/mbr/mbr.exe
Remember the directory you downloaded it to; Start->Run->cmd
Change into the download directory and start the program by typing mbr...
The result should look like this:
Quote:
Post it in the thread; if it reports something, follow MBR's instructions; if that doesn't work we'll need a boot CD with a recovery console (boot from it, go to the command shell and enter fixmbr there...

Prevx: http://www.prevx.com/freescan.asp
If the tool finds something, don't post the log but a screenshot of the window that is then displayed...
chris
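Two of the findings chris points out in the post above, the non-zero DisableMonitoring values under the Security Center Monitoring key in the ComboFix dump and the sectors GMER annotates with "rootkit-like behavior", can be picked out of the logs mechanically. The script below is an added example, not code from the thread or from either tool; it runs over constructed excerpts in the same format as the posted logs and, for the tampered values, emits a REGEDIT4 fragment that deletes them (the `"Name"=-` syntax), which is the regedit route chris offers.

```python
import re

# Constructed excerpt in the format of the ComboFix "Reg Loading Points" section.
# Same keys as in the thread, plus one benign entry (value 0) that must not be flagged.
SAMPLE_COMBOFIX = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"avgnt"="c:\\program files\\Avira\\AntiVir Desktop\\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\ExampleVendorAV]
"DisableMonitoring"=dword:00000000
"""

# Constructed excerpt in the format of the GMER "Disk sectors" section.
SAMPLE_GMER = """\
---- Disk sectors - GMER 1.0.15 ----

Disk \\Device\\Harddisk0\\DR0 sector 09: copy of MBR
Disk \\Device\\Harddisk0\\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \\Device\\Harddisk0\\DR0 sector 11: copy of MBR
Disk \\Device\\Harddisk0\\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
DISABLE_LINE = re.compile(r'^"DisableMonitoring"=dword:([0-9A-Fa-f]{8})$')
SECTOR_LINE = re.compile(r"sector (\d+): (.+)$")


def find_disabled_monitoring(dump):
    """Return [(key, value)] for every DisableMonitoring value that is non-zero
    under a '...\\security center\\Monitoring' key in a REGEDIT4-style dump.
    A non-zero value tells Security Center to stop reporting that product's
    state, so a disabled AV or firewall no longer raises a warning."""
    hits = []
    current_key = None
    for raw in dump.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            current_key = key.group(1)   # remember which key the values belong to
            continue
        val = DISABLE_LINE.match(line)
        if val and current_key and "security center\\monitoring" in current_key.lower():
            value = int(val.group(1), 16)
            if value != 0:
                hits.append((current_key, value))
    return hits


def find_mbr_anomalies(gmer_log):
    """Return the sector numbers GMER annotated with 'rootkit-like behavior'."""
    sectors = []
    for line in gmer_log.splitlines():
        m = SECTOR_LINE.search(line)
        if m and "rootkit-like behavior" in m.group(2):
            sectors.append(int(m.group(1)))
    return sectors


def build_undo_reg(hits):
    """Build a .reg file that removes the flagged values. In REGEDIT4 syntax
    '"Name"=-' deletes a single value and leaves the rest of the key intact."""
    lines = ["REGEDIT4", ""]
    for key, _value in hits:
        lines += ["[" + key + "]", '"DisableMonitoring"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_disabled_monitoring(SAMPLE_COMBOFIX)
    for key, value in hits:
        print("tampered: %s DisableMonitoring=%d" % (key, value))
    print("GMER sectors flagged:", find_mbr_anomalies(SAMPLE_GMER))
    print(build_undo_reg(hits))
```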
08.12.2009, 09:36 | #10 |
Viruses or too little RAM?
This is the first time I've heard of Regedit. HiJack log:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:05 AM, on 08/12/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\mobagher\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS security services\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TelusWCC_McciTrayApp] C:\Program Files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
O4 - HKLM\..\Run: [lxdxamon] "C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Picture Motion Browser Medien-Prüfung.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc.
- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe O23 - Service: lxdx_device - - C:\Windows\system32\lxdxcoms.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: TELUS security services (Radialpoint Security Services) - TELUS - C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe O23 - Service: TELUS security services Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS security services\Fws.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 9540 bytes
Now I have run mbr. The result, however, is not the expected one: Code:
ATTFilter device: opened successfully user: error reading MBR kernel: error reading MBR
Last edited by Peter0850 (08.12.2009 at 09:51) |
08.12.2009, 10:12 | #11 |
| Viruses or too little RAM? Hello, boot from the Vista CD and straighten out the MBR: boot from CD/DVD, go into the recovery console and enter fixmbr there... Take the CD/DVD out and boot normally... Is there an error code from Update? What happens when you start it by hand? chris
__________________ Don't bring me down Read before posting! Donations (anyone who wants to donate is welcome to get in touch) |
08.12.2009, 10:18 | #12 |
| Viruses or too little RAM? On the update: no, it searches and searches and searches for updates, but finds nothing. But it also doesn't find "nothing", i.e. no message appears saying there are no updates. Edit: Whoa, now it is suddenly installing updates after all. Well, unfortunately I don't have the boot CD. I only have one from another notebook of the same model. Back then there was an offer where it was cheaper if you bought two, which is why we both have the same one now. That CD shouldn't work then, should it? Serial number and so on... I'll just try it out. |
08.12.2009, 10:40 | #13 |
| Viruses or too little RAM? I have now rebooted and pressed F8. There I ran the repair mode, or something like that. Now I'm at the System Recovery Options. I'm writing from my other notebook right now. There are now several options: Code:
ATTFilter Startup Repair System Restore Windows Complete PC Restore Windows Memory Diagnostic Tool Command Prompt Dell Fatory Image Restore
What should I do? Edit: fixmbr in the command box doesn't work. I couldn't boot from the CD either; it is the one from the other notebook, after all. But during boot (three attempts) the option to boot from CD was never shown. Normally the BIOS is set so that CDs have priority. I tried to check that, but I can't get into the BIOS. So far I have only done this on WinXP, where it was somehow easier. |
08.12.2009, 11:59 | #14 |
| Viruses or too little RAM? Hi, ok, then let's try this: http://www.sysint.no/nedlasting/mbrfix.htm Invocation: MbrFix /drive 0 fixmbr /vista Caution: did you run mbr.exe as administrator? The CMD you open must have admin rights... chris
__________________ Don't bring me down Read before posting! Donations (anyone who wants to donate is welcome to get in touch) |
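The sector that mbr.exe reports it cannot read and that fixmbr rewrites has a fixed 512-byte layout: 440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries at offset 446, and the 0x55AA boot signature. The Python below is an added example, not part of this thread and not code from mbr.exe or MbrFix; it parses a constructed MBR, rejects a short read like the one in the log above instead of reporting a bogus partition table, and compares the boot code against a baseline hash the way an MBR integrity check on a clean system would (the sample bytes and partition values are made up).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code precedes the disk signature and partition table
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
PART_ENTRY = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA, sectors


def parse_mbr(sector: bytes) -> dict:
    """Parse one MBR sector. Raises ValueError on the cases a checker must not
    silently accept: a short read (what the log's 'error reading MBR' amounts to)
    or a missing 0x55AA signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"error reading MBR: got {len(sector)} bytes, expected {MBR_SIZE}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("invalid MBR: boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
            "partitions": partitions}


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """True if the 440 bytes of boot code equal a baseline hash taken from a clean
    install; a mismatch is the signal that warrants rewriting the MBR (fixmbr)."""
    return parse_mbr(sector)["boot_code_sha256"] == known_good_sha256


def build_sample_mbr(boot_code: bytes, lba_start: int, sectors: int) -> bytes:
    """Construct a minimal sample MBR (made-up data, not read from any disk): the given
    boot code bytes, one bootable NTFS (type 0x07) partition entry, and the signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFFSET, 0x80, 0x07, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0", 2048, 1_000_000)   # placeholder boot code
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print(parse_mbr(clean)["partitions"])
    print("boot code unchanged:", boot_code_matches(clean, baseline))
```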
09.12.2009, 00:17 | #15 |
| Viruses or too little RAM? Now I have run mbr.exe with admin rights. It then showed the expected text as well, but it did not create a log file. FixMbr also worked: all of a sudden the computer is really fast. That's incredible. I have the feeling the problems are solved. Or do you still see any? First of all, a big thank-you for the great help. Really impressive, the heavy artillery you brought out there. Tell me, where does one actually learn all this? I mean, as a normal user you learn to solve many problems over time, but the operations you had me carry out went far beyond my knowledge. Thanks again, Peter Last edited by Peter0850 (09.12.2009 at 00:45) |