  #1  
Old 20th Oct 2009, 12:26
Member Group
 
Dear CompJuices
Unfortunately I now have the Cyber Security virus on my computer. As I have seen that you could help some other guys with removing this virus, I kindly ask you whether you can help me too. This would be very kind!
Many thanks in advance!
Martin


Let me now describe which steps I performed following your malware removal guide:

1.
My antivirus tool G-Data has been updated yesterday and I screened my computer with it. Result was: No virus has been detected.


2.
As I have no possibility to load updates for my antivirus tool today, I uploaded the WinSockFix tool. Repairing the connection failed with the error message ‘Registry Import Information not Found’. After clicking ‘ok’ on this popup, another popup appeared with the message ‘Repair Completed Please Reboot’. After clicking ‘ok’ again, another popup raised ‘Runtime error ‘53’: File not found’. No reboot occurred.


3.
I loaded the HostsXpert tool on my computer and performed a restore of the original hosts. I do not know what a host file is, so I assume I am not using a custom host file. Then I did a restart of the computer, but after this updating of the antivirus tool was still not possible.


4.
I checked the Control Panel for suspicious programs and found ‘Cyber Security’. Removal of ‘Cyber Security’ manually was not possible. I found Viewpoint Media Player and removed it manually. Please see the attached screenshot (before Viewpoint Media Player removal has been performed).


5.
I loaded the Ccleaner tool on my computer and performed the steps as described. Some files have been found and removed by the tool.


6.
I loaded SUPERAntiSpyware on my computer and performed an update. This was not possible, so I did the manual upload of the definitions. This seemed to be successful. Then I followed the steps as described. This I needed to do twice as my computer restarted in between unexpectedly.
During the scan the tool several times showed pauses in processing lasting many seconds. Nothing happened during these times.





This is the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/20/2009 at 08:47 PM

Application Version : 4.29.1004

Core Rules Database Version : 4176
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 00:48:17

Memory items scanned : 673
Memory threats detected : 1
Registry items scanned : 7093
Registry threats detected : 7
File items scanned : 68663
File threats detected : 4

Rogue.XP AntiVirus/Resident
C:\PROGRAM FILES\CS\CS.EXE
C:\PROGRAM FILES\CS\CS.EXE

Trojan.Agent/Gen-FakeAlert[TS]
HKLM\Software\Classes\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKCR\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKCR\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKCR\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}\InprocServer32
HKCR\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IEHELPMOD.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKU\S-1-5-21-3422058135-1281735925-3955790660-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}

Adware.Tracking Cookie
C:\Users\saturn\AppData\Roaming\Microsoft\Windows\Cookies\saturn@doubleclick[2].txt
C:\Users\saturn\AppData\Roaming\Microsoft\Windows\Cookies\saturn@tribalfusion[2].txt


7.
I loaded the Malwarebytes tool on my computer and performed the installation as described. Then the Quick Scan happened as described.

This is the log after file removal:
Malwarebytes' Anti-Malware 1.41
Datenbank Version: 3000
Windows 6.0.6002 Service Pack 2

20.10.2009 21:05:01
mbam-log-2009-10-20 (21-05-01).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 88239
Laufzeit: 5 minute(s), 10 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 2
Infizierte Dateien: 9

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
C:\Program Files\Common Files\CSUninstall (Rogue.CyberSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\CS (Rogue.CyberSecurity) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Program Files\Common Files\CSUninstall\Uninstall.lnk (Rogue.CyberSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\CS\Computer Scan.lnk (Rogue.CyberSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\CS\Cyber Security.lnk (Rogue.CyberSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\CS\Help.lnk (Rogue.CyberSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\CS\Registration.lnk (Rogue.CyberSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\CS\Security Center.lnk (Rogue.CyberSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\CS\Settings.lnk (Rogue.CyberSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\CS\Update.lnk (Rogue.CyberSecurity) -> Quarantined and deleted successfully.
C:\Users\saturn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\CS.lnk (Rogue.CyberSecurity) -> Quarantined and deleted successfully.


8.
I do not have Java on my computer, so I skipped this step.


9.
I installed HiJackThis as described.

This is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20:19, on 20.10.2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\ico.exe
C:\Program Files\G DATA\AntiVirus\AVKTray\AVKTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\FRITZ!DSL\StCenter.exe
C:\Program Files\FRITZ!DSL\FwebProt.exe
C:\Windows\System32\Pelmiced.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\juice.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: G Data WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\AntiVirus\Webfilter\AVKWebIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: G Data WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\AntiVirus\Webfilter\AVKWebIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\NewSetApanel.cmd
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [G DATA AntiVirus Trayapplication] C:\Program Files\G Data\AntiVirus\AVKTray\AVKTray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [CS] C:\Program Files\CS\cs.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O13 - Gopher Prefix: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: G Data AntiVirus Proxy (AVKProxy) - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: G Data Scheduler (AVKService) - G Data Software AG - C:\Program Files\G DATA\AntiVirus\AVK\AVKService.exe
O23 - Service: G Data Dateisystem Wächter (AVKWCtl) - G Data Software AG - C:\Program Files\G DATA\AntiVirus\AVK\AVKWCtl.exe
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: G Data Scanner (GDScan) - G Data Software AG - C:\Program Files\Common Files\G DATA\GDScan\GDScan.exe
O23 - Service: AVM IGD CTRL Service (IGDCTRL) - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

--
End of file - 7238 bytes
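The HijackThis log above still carries an O4 autorun for C:\Program Files\CS\cs.exe even though SUPERAntiSpyware and Malwarebytes had already removed the rogue's files, which is exactly the kind of leftover a mechanical cross-check catches. The Python script below is an added example, not a tool from this thread or from any of the scanners named in it: it parses O2 (BHO) and O4 (Run) lines and flags those whose module path or CLSID appears in another scanner's detection list. Both inputs are constructed from the logs posted above; the one O2 line labelled "constructed" is not in the posted HijackThis log and is there only to exercise the CLSID check.

```python
"""Cross-check HijackThis persistence entries against another scanner's
detections.  Added example; not a tool posted in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: O2/O4 lines copied from the posted HijackThis log, plus one
# O2 line (marked "constructed") that is NOT in the log, using the BHO CLSID and
# module SUPERAntiSpyware reported so the CLSID branch below has something to hit.
HJT_SAMPLE = r"""
O2 - BHO: G Data WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\AntiVirus\Webfilter\AVKWebIE.dll
O2 - BHO: (constructed entry) - {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC} - C:\Windows\system32\IEHELPMOD.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CS] C:\Program Files\CS\cs.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
"""

# Constructed sample: detection lines taken from the posted SUPERAntiSpyware log.
SAS_SAMPLE = r"""
Rogue.XP AntiVirus/Resident
C:\PROGRAM FILES\CS\CS.EXE
Trojan.Agent/Gen-FakeAlert[TS]
HKLM\Software\Classes\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKCR\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}\InprocServer32
C:\WINDOWS\SYSTEM32\IEHELPMOD.DLL
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
# A drive- or %VAR%-rooted path ending in a module extension, inside a command line.
WINPATH_RE = re.compile(r'(?:[A-Za-z]:|%[A-Za-z]+%)\\[^",]*?\.(?:exe|dll|cmd|bat)', re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")


def norm_path(p: str) -> str:
    # Case-fold and drop quotes so the scanner's upper-case spelling of a path
    # compares equal to HijackThis's mixed-case one.
    return p.strip().strip('"').lower()


def indicators_from_scan(text: str):
    """Collect the file paths and CLSIDs a scanner reported as malicious."""
    paths, clsids = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):
            paths.add(norm_path(line))
        clsids.update(g.lower() for g in GUID_RE.findall(line))
    return paths, clsids


@dataclass
class Finding:
    entry: str
    reason: str


def triage_hjt(hjt_text: str, bad_paths: set, bad_clsids: set) -> list:
    """Return the O2/O4 entries that point at something the scanner flagged."""
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            # An O4 command may carry arguments or a rundll32 wrapper, so compare
            # each embedded module path rather than the whole command line.
            for p in WINPATH_RE.findall(m.group("cmd")):
                if norm_path(p) in bad_paths:
                    findings.append(Finding(line, f"autorun [{m.group('name')}] under {m.group('hive')} launches a flagged file: {p}"))
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("clsid").lower() in bad_clsids:
                findings.append(Finding(line, f"BHO CLSID {m.group('clsid')} was flagged by the scanner"))
            elif norm_path(m.group("path")) in bad_paths:
                findings.append(Finding(line, f"BHO module {m.group('path')} was flagged by the scanner"))
    return findings


def run_example() -> list:
    paths, clsids = indicators_from_scan(SAS_SAMPLE)
    return triage_hjt(HJT_SAMPLE, paths, clsids)


if __name__ == "__main__":
    for f in run_example():
        print(f.reason)
        print("    ", f.entry)
```

Against the constructed sample the script reports the constructed BHO line (by CLSID) and the [CS] autorun (by path) and stays silent on the Windows Defender, NVIDIA and Sidebar entries, so a helper can see at a glance which persistence points still reference what the earlier scan found.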
  #2  
Old 20th Oct 2009, 18:17
Moderator Group
 
If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
__________________

  #3  
Old 21st Oct 2009, 07:12
Member Group
 
Hi Evil
Thanks a lot for the quick response.
Please find below the requested ComboFix log.
Is there anything I need to do?
Best regards
MRTeen


The ComboFix log:
ComboFix 09-10-20.03 - saturn 21.10.2009 15:59.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.2047.1113 [GMT 2:00]
ausgeführt von:: c:\users\saturn\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows-Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-3422058135-1281735925-3955790660-1001
c:\$recycle.bin\S-1-5-21-3422058135-1281735925-3955790660-500
c:\windows\Installer\708892.msi
c:\windows\system32\autorun.ini
.
((((((((((((((((((((((( Dateien erstellt von 2009-09-21 bis 2009-10-21 ))))))))))))))))))))))))))))))
.
2009-10-21 14:04 . 2009-10-21 14:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-20 19:17 . 2009-10-20 19:17 -------- d-----w- c:\program files\Trend Micro
2009-10-20 17:33 . 2009-10-20 17:33 -------- d-----w- c:\program files\CCleaner
2009-10-19 16:08 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 16:07 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 19:01 . 2009-10-18 19:01 -------- dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-18 15:24 . 2009-10-18 15:26 -------- d-----w- c:\program files\HostsXpert
2009-10-18 15:15 . 2009-10-18 15:15 -------- d-----w- c:\users\saturn\AppData\Roaming\Malwarebytes
2009-10-18 15:15 . 2009-10-20 18:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 15:15 . 2009-10-18 15:15 -------- d-----w- c:\programdata\Malwarebytes
2009-10-18 13:55 . 2009-10-18 13:55 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-18 13:51 . 2009-10-20 19:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-18 13:51 . 2009-10-18 13:51 -------- d-----w- c:\users\saturn\AppData\Roaming\SUPERAntiSpyware.com
2009-10-18 13:22 . 2009-10-18 13:22 -------- d-----w- c:\program files\Enigma Software Group
2009-10-18 13:04 . 2009-10-20 18:48 -------- d-----w- c:\program files\CS
2009-10-05 09:08 . 2009-10-05 09:08 -------- d-----w- C:\BB_Copy
2009-10-03 06:39 . 2009-10-01 08:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-03 06:34 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-03 06:34 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-03 06:34 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-03 06:34 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-03 06:33 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-03 06:33 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-03 06:33 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-03 06:33 . 2009-08-06 17:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-03 06:33 . 2009-08-06 16:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-09-21 15:00 . 2009-09-21 15:00 -------- d-----w- c:\program files\Web Publish
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 14:04 . 2008-08-13 14:00 -------- d-----w- c:\users\saturn\AppData\Roaming\FRITZ!
2009-10-20 19:49 . 2009-09-02 12:07 -------- d-----w- c:\programdata\G DATA
2009-10-20 19:49 . 2009-09-02 12:07 -------- d-----w- c:\program files\G DATA
2009-10-20 19:49 . 2009-09-02 12:07 -------- d-----w- c:\program files\Common Files\G DATA
2009-10-20 19:10 . 2008-09-12 03:47 -------- d-----w- c:\program files\Nero
2009-10-20 00:51 . 2009-05-29 13:28 -------- d--h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-10-18 13:50 . 2008-08-13 13:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-17 03:49 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-17 03:21 . 2006-11-02 15:33 618204 ----a-w- c:\windows\system32\perfh007.dat
2009-10-17 03:21 . 2006-11-02 15:33 122442 ----a-w- c:\windows\system32\perfc007.dat
2009-10-07 15:35 . 2009-09-10 17:19 27848 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2009-09-21 13:37 . 2009-05-30 02:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-16 14:55 . 2007-06-16 00:17 -------- d-----w- c:\programdata\Symantec
2009-09-16 14:55 . 2007-06-16 00:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 09:29 . 2009-10-16 03:38 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-10 17:16 . 2009-08-16 13:31 -------- d-----w- c:\program files\ClamWin
2009-09-10 16:48 . 2009-10-16 03:38 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 16:24 . 2009-09-02 13:51 -------- d-----w- c:\program files\DebugView
2009-09-04 11:41 . 2009-10-16 03:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27 . 2009-09-03 14:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 14:15 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 13:29 . 2009-10-16 03:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 12:40 . 2009-10-16 03:38 834048 ----a-w- c:\windows\system32\wininet.dll
2009-08-14 16:27 . 2009-09-09 13:30 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 13:30 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 13:30 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 13:30 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 13:30 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 13:30 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 13:30 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 13:30 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 13:30 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 13:30 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 13:30 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-13 07:42 . 2007-06-16 00:48 353864 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-13 07:42 . 2007-06-16 00:48 505416 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-13 07:42 . 2006-11-21 04:40 1066568 ----a-w- c:\windows\system32\mfc71.dll
2009-08-13 07:42 . 2006-11-21 04:40 1053256 ----a-w- c:\windows\system32\MFC71u.dll
2009-08-04 12:34 . 2009-10-16 03:38 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 12:34 . 2009-10-16 03:38 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-07-28 14:33 . 2009-08-16 06:59 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-03 10:19 . 2009-05-03 10:18 195040 ----a-w- c:\program files\Wavosaur.1.0.1.0(en)[1].zip
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-12-12 1840424]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2007-01-24 319488]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-06 464168]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-02-15 4390912]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\System32\ico.exe [2004-07-14 57344]
c:\users\saturn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
FRITZ!DSL Protect.lnk - c:\program files\FRITZ!DSL\FwebProt.exe [2007-9-7 1070384]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader - Schnellstart.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-6-16 528384]
FRITZ!DSL Startcenter.lnk - c:\windows\Installer\{2457326B-C110-40C3-89B0-889CC913871A}\Icon2457326B4.exe [2009-2-6 29184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\k:\0autocheck autochk *\0lsdelete
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [29.05.2009 15:33 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12.10.2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12.10.2009 21:24 74480]
R2 IGDCTRL;AVM IGD CTRL Service;c:\program files\FRITZ!DSL\IGDCTRL.EXE [04.09.2007 11:14 87344]
R3 pelmouse;Mouse Suite Driver;c:\windows\System32\drivers\PELMOUSE.SYS [24.06.2009 15:16 16384]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\System32\drivers\pelusblf.sys [24.06.2009 15:16 9216]
R3 RTL85n86;Realtek 8180/8185 Extensible 802.11-Drahtlosgerätetreiber;c:\windows\System32\drivers\RTL85n86.sys [02.11.2006 12:25 311808]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\System32\drivers\SiSGB6.sys [16.06.2007 10:54 46592]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24.09.2009 13:17 1028432]
S3 PAC207;PC Camer@;c:\windows\System32\drivers\PFC027.SYS [20.11.2006 08:48 506112]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12.10.2009 21:24 7408]
S3 SiS6350;SiS6350;c:\windows\System32\drivers\SISGRKMD.sys [16.06.2007 10:54 447864]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [05.09.2008 07:38 80744]
.
Inhalt des "geplante Tasks" Ordners
2009-10-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:34]
.
.
------- Zusätzlicher Suchlauf -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page =
LSP: c:\program files\FRITZ!DSL\\sarah.dll
FF - ProfilePath - c:\users\saturn\AppData\Roaming\Mozilla\Firefox\Profiles\6apcb1fg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.de/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz3");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz3");
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
HKCU-Run-CS - c:\program files\CS\cs.exe
HKLM-Run-Apanel - c:\acersw\config\NewSetApanel.cmd
HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
HKLM-Run-eRecoveryService - (no file)
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-CS - c:\program files\CS\cs.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 16:04
Windows 6.0.6002 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
Zeit der Fertigstellung: 2009-10-21 16:05
ComboFix-quarantined-files.txt 2009-10-21 14:05
Vor Suchlauf: 14 Verzeichnis(se), 101.541.707.776 Bytes frei
Nach Suchlauf: 20 Verzeichnis(se), 101.582.802.944 Bytes frei
- - End Of File - - 5F27940C59417AACF72864C80B78AAAC
  #4  
Old 21st Oct 2009, 07:35
Moderator Group
 
Did you uninstall Norton/Symantec?

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
__________________

  #5  
Old 21st Oct 2009, 08:30
Member Group
 
Hi
Norton AV has been on the computer, but has been removed with a removing tool and is now replaced by G-Data Antivirus (a German AV tool).
I followed your instructions. Again please find below the log for Security Check. And again: what further steps might be necessary?
Thanks a lot again and best regards
MRTeen


Here is the SecurityCheck log:
Results of screen317's Security Check version 0.99.0
Windows Vista Service Pack 2 (UAC is disabled!)
``````````````````````````````
Antivirus/Firewall Check:

WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
SUPERAntiSpyware Free Edition
CCleaner (remove only)
Adobe Flash Player 10
Adobe Reader 7.0 - Deutsch
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
  #6  
Old 21st Oct 2009, 16:26
Moderator Group
 
Download RegASSASSIN from MalwareBytes and save it to the desktop.

Windows Vista and Windows 7 users: right-click RegASSASSIN and choose Run as Administrator.

Open RegASSASSIN and select the following checkboxes:

- Reset registry key permissions
- Delete registry key and all subkeys

* Copy the Registry Key in the Code box below.

Code:
HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall
* Now paste it in RegAssassins window.
* Click the Delete button and then Yes when you see the prompt(s).

Next perform the same steps only with this registry key.

Code:
HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus
----------

Please post a fresh HijackThis log and also let me know how the computer is running now.
__________________
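The two keys deleted above live under the legacy Security Center Monitoring branch, which is also where screen317's Security Check looks when it reports "WMIC entry does not exist for antivirus". The following PowerShell script is an added, read-only audit example (not part of this thread, RegASSASSIN or Security Check) for seeing the same state yourself before and after such a cleanup: it lists the Monitoring subkeys, asks Security Center which antivirus products it currently knows about, and reads the UAC setting the log flagged. It assumes Windows Vista or later (the `root\SecurityCenter2` namespace; XP used `root\SecurityCenter`), PowerShell 2.0 or newer, and an elevated prompt. The `productState` decoding is an undocumented but commonly used convention, so treat it as a hint, not a fact.

```powershell
# Added example: audit Windows Security Center registrations and UAC.
# Read-only; it reports and deletes nothing. Assumes Vista+ and an
# elevated PowerShell session.

$monitoring = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'

# 1. Legacy Monitoring subkeys. A product that was uninstalled without
#    cleaning up here (the Symantec keys in this thread) leaves a stale entry.
Write-Host 'Legacy Security Center Monitoring entries:'
if (Test-Path $monitoring) {
    $keys = Get-ChildItem $monitoring
    if ($keys) {
        foreach ($k in $keys) { Write-Host ("  {0}" -f $k.PSChildName) }
    } else {
        Write-Host '  (none)'
    }
} else {
    Write-Host '  (key not present)'
}

# 2. What Security Center currently reports via WMI. An empty result is
#    exactly the condition Security Check prints as
#    "WMIC entry does not exist for antivirus".
Write-Host 'Antivirus products registered with Security Center (WMI):'
$av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
        -ErrorAction SilentlyContinue
if ($av) {
    foreach ($p in $av) {
        # Undocumented convention: in the 6-digit hex form of productState,
        # middle byte 0x10 = real-time protection on, low byte 0x00 = up to date.
        $hex      = '{0:X6}' -f $p.productState
        $enabled  = $hex.Substring(2, 2) -eq '10'
        $upToDate = $hex.Substring(4, 2) -eq '00'
        Write-Host ("  {0}  state=0x{1}  enabled={2}  upToDate={3}" -f `
            $p.displayName, $hex, $enabled, $upToDate)
    }
} else {
    Write-Host '  none registered'
}

# 3. UAC. Security Check reported "UAC is disabled!"; EnableLUA = 0 is the
#    registry value behind that message.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($null -eq $lua) {
    Write-Host 'UAC (EnableLUA): value not present'
} else {
    Write-Host ("UAC (EnableLUA) = {0}  ({1})" -f $lua, $(if ($lua -eq 1) { 'enabled' } else { 'disabled' }))
}
```

Run it once before deleting anything so you have a record of which Monitoring entries belong to software that is genuinely gone, and once afterwards to confirm that only the replacement antivirus (here G Data) is registered and that UAC has been turned back on.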

  #7  
Old 21st Oct 2009, 21:17
Member Group
 
Hi Evil
Again many thanks for your quick reply. I did the steps as described by you and removed the registry entries. The HiJackThis log you will find below.
The computer behaviour is much better compared with the situation of the last days. It seems that the system is a bit slower than before.
The most concerns I have are related to all my passwords. Do you think they are now 'public'?
Again many thanks for your assistance and best regards from Germany
MRTeen

The HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:13:23, on 22.10.2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\ico.exe
C:\Program Files\G DATA\AntiVirus\AVKTray\AVKTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\Pelmiced.exe
C:\Program Files\FRITZ!DSL\StCenter.exe
C:\Program Files\FRITZ!DSL\FwebProt.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Citrix\ICA Client\wfica32.exe
C:\Program Files\Citrix\ICA Client\wfica32.exe
C:\Program Files\Citrix\ICA Client\wfica32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\juice.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: G Data WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\AntiVirus\Webfilter\AVKWebIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: G Data WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\AntiVirus\Webfilter\AVKWebIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [G DATA AntiVirus Trayapplication] C:\Program Files\G Data\AntiVirus\AVKTray\AVKTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: FRITZ!DSL Protect.lnk = C:\Program Files\FRITZ!DSL\FwebProt.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: G Data AntiVirus Proxy (AVKProxy) - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: G Data Scheduler (AVKService) - G Data Software AG - C:\Program Files\G DATA\AntiVirus\AVK\AVKService.exe
O23 - Service: G Data Dateisystem Wächter (AVKWCtl) - G Data Software AG - C:\Program Files\G DATA\AntiVirus\AVK\AVKWCtl.exe
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: G Data Scanner (GDScan) - G Data Software AG - C:\Program Files\Common Files\G DATA\GDScan\GDScan.exe
O23 - Service: AVM IGD CTRL Service (IGDCTRL) - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
--
End of file - 6361 bytes
  #8  
Old 21st Oct 2009, 21:33
Member Group
 
Hi Evil
Beside the reduced speed I found that some USB slots will not be recognized by the computer any more. Do you have an idea for this?
Again thanks a lot!
MRTeen
  #9  
Old 22nd Oct 2009, 02:49
Member Group
 
Hi Evil
Sorry, here is another remaining problem: update of tools like AdAware is not possible.
Best regards - MRTeen
  #10  
Old 22nd Oct 2009, 08:01
Moderator Group
 
Let's clean up a little and run another scan to be sure we didn't miss anything.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will delete the following:
  * ComboFix and its associated files and folders.
* It will also:
  * Reset the clock settings.
  * Hide file extensions, if required.
  * Hide System/Hidden files, if required.
  * Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
__________________
