33 posts in this topic

ID: 1   Posted (edited)

dear Ladies and Gentlemen,

I have on my notebook MS Vista business IE 9 and Firefox 13:

i have (perhaps after OS-update?)

following error:

ieframe.dll.acr_error Internet Explorer

I get often/always on IE 9




after, 5 minutes later



this sites have now the title

"Failed to restore sites"

and the message on the IE

"Internet Explorer has stopped working - close program"


Alwil (Avast) Antivir found nothing

If you want I can log the HijackThis file (nothing found)

MBAW crashes in normal mode

MBAW, quickscan in safe mode

hat found only this

Infizierte Dateien: 1

C:\Windows\Temp\TMP00000004DD0CB990557B4247 (Trojan.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.


infected files: 1

C:\Windows\Temp\TMP00000004DD0CB990557B4247 (Trojan.Dropper) -> Successfully removed and placed in quarantine.

This notebook has no others problems.

My other PC doesn't have any problem.

I have added DDS.TXT and ATTACH.txt

thanks very much,



DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31

Run by user_1 at 10:49:01 on 2012-08-03

Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1031.18.2038.902 [GMT 2:00]


AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch


C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup


C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\AVAST Software\Avast\AvastSvc.exe



C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork


C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe



C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted


c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe



C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe


C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe


C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe


C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE


C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe



C:\Program Files\Visagesoft\eXPert PDF 6\vspdfprsrv.exe



C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Lenovo\NPDIRECT\NPDTRAY.EXE



C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe

C:\Program Files\Mozilla Firefox\firefox.exe



C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe










============== Pseudo HJT Report ===============


uStart Page = about:blank

uDefault_Page_URL = hxxp://

BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [NPDTRAY] c:\progra~1\lenovo\npdirect\NPDTray.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r

mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [<NO NAME>]

mRun: [TpShocks] TpShocks.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"

mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE

mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe

mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup

mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent

mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [vspdfprsrv.exe] c:\program files\visagesoft\expert pdf 6\vspdfprsrv.exe --background

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\users\user_1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\users\user_1\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Inhaltsverzeichnis.onetoc2

StartupFolder: c:\users\user_1\appdata\roaming\micros~1\windows\startm~1\programs\startup\xampp-~1.lnk - c:\xampplite\xampp-control.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://

TCP: DhcpNameServer =

TCP: Interfaces\{DBE5A0B7-8ECC-47D5-9D47-83E967C4CB4B} : DhcpNameServer =

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

LSA: Notification Packages = scecli ACGina


================= FIREFOX ===================


FF - ProfilePath - c:\users\user_1\appdata\roaming\mozilla\firefox\profiles\e16jyvc0.default\

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll

FF - plugin: c:\program files\google\picasa3\npPicasa2.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\users\user_1\appdata\roaming\mozilla\firefox\profiles\e16jyvc0.default\extensions\\plugins\npLMI64.dll

FF - plugin: c:\users\user_1\appdata\roaming\mozilla\firefox\profiles\e16jyvc0.default\extensions\\plugins\npRACtrl.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll


============= SERVICES / DRIVERS ===============


R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-1 721000]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-2-1 353688]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-2-1 21256]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-2-1 57656]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-2-1 44808]

R2 FontCache;Windows-Dienst für Schriftartencache;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

R2 TPHKSVC;Anzeige am Bildschirm;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-7-9 55936]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-1-8 569344]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-8-22 179712]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-26 135664]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 250056]

S3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-26 135664]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-5 113120]

S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-5-7 21360]

S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-5-10 23152]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]


=============== Created Last 30 ================


2012-07-11 16:29:36 -------- d-sh--w- C:\found.000

2012-07-08 09:46:24 -------- d-----w- c:\users\user_1\appdata\roaming\Malwarebytes

2012-07-08 09:46:11 -------- d-----w- c:\programdata\Malwarebytes

2012-07-08 09:46:08 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-08 09:46:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-08 08:19:50 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4c6196aa-b507-4081-b290-ec3796a4005b}\offreg.dll

2012-07-06 22:29:15 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4c6196aa-b507-4081-b290-ec3796a4005b}\mpengine.dll

2012-07-06 21:38:15 -------- d-----w- C:\HiJackThis


==================== Find3M ====================


2012-08-03 08:46:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-03 08:46:07 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-07-03 16:21:53 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 13:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 13:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-15 19:51:08 2045440 ----a-w- c:\windows\system32\win32k.sys


============= FINISH: 10:51:08,09 ===============





DDS (Ver_2011-08-26.01)


Microsoft® Windows Vista™ Business

Boot Device: \Device\HarddiskVolume2

Install Date: 21.08.2008 22:58:32

System Uptime: 03.08.2012 07:35:37 (3 hours ago)


Motherboard: LENOVO | | 7650F7G

Processor: Intel® Pentium® Dual CPU T2410 @ 2.00GHz | None | 800/133mhz


==== Disk Partitions =========================


C: is FIXED (NTFS) - 143 GiB total, 4,691 GiB free.

D: is CDROM ()


==== Disabled Device Manager Items =============


Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Microsoft Tun-Miniportadapter

Device ID: ROOT\*TUNMP\0001

Manufacturer: Microsoft

Name: Teredo Tunneling Pseudo-Interface

PNP Device ID: ROOT\*TUNMP\0001

Service: tunmp


Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}

Description: PS/2 TrackPoint

Device ID: ACPI\IBM3780\4&E8B9E42&0

Manufacturer: Lenovo

Name: PS/2 TrackPoint

PNP Device ID: ACPI\IBM3780\4&E8B9E42&0

Service: i8042prt


==== System Restore Points ===================


RP971: 02.08.2012 22:29:33 - Geplanter Prüfpunkt


==== Installed Programs ======================



Access Help

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 8.2.2 - Deutsch

Anzeige am Bildschirm

avast! Free Antivirus

Client Security Solution

Conexant HD Audio

Diskeeper Home


Ergänzung zu Productivity Center für ThinkPad

eXPert PDF 6

Garmin City Navigator Europe NT 2010.20 Update

Google Earth

Google Update Helper

Google Updater

HDAUDIO Soft Data Fax Modem with SmartCP

Help Center

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Integrated Camera

Intel® Graphics Media Accelerator Driver

InterVideo Register Manager

InterVideo WinDVD

Java Auto Updater

Java™ 6 Update 2

Java™ 6 Update 31

Konfiguration der Hot-Key-Funktionen für ThinkPad

Lenovo Registration

Lenovo System Interface Driver

Lenovo ThinkVantage Toolbox

Maintenance Manager

Malwarebytes Anti-Malware Version

Message Center

Message Center Plus

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB2656370)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 3.5 Language Pack SP1 - deu

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Client Profile DEU Language Pack

Microsoft Office 2003 Web Components

Microsoft Office 2007 Primary Interop Assemblies

Microsoft Office Excel MUI (German) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (German) 2007

Microsoft Office PowerPoint MUI (German) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (German) 2007

Microsoft Office Proof (Italian) 2007

Microsoft Office Proofing (German) 2007

Microsoft Office Shared MUI (German) 2007

Microsoft Office Small Business Connectivity Components

Microsoft Office Word MUI (German) 2007

Microsoft SQL Server 2005

Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)

Microsoft SQL Server Native Client

Microsoft SQL Server VSS Writer

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Miranda IM 0.8.15

Mozilla Firefox 13.0.1 (x86 de)

Mozilla Maintenance Service

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

Multimedia Center For Think Offerings

NinjaLite V1.9

Picasa 3


Registry patch for Windows Vista USB S3 PM Enablement

Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista

Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista

Registry patch to improve USB device detection on resume from sleep for Windows Vista

Rescue and Recovery

RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870)

Skype™ 4.2

Sonic Icons for Lenovo

System Migration Assistant

System Update

ThinkPad-Dienstprogramm 'EasyEject'

ThinkPad Bluetooth with Enhanced Data Rate Software

ThinkPad Energie-Manager

ThinkPad FullScreen Magnifier

ThinkPad Mobility Center Customization

ThinkPad Power Management Driver

ThinkPad TrackPoint Driver

ThinkVantage Access Connections

ThinkVantage Productivity Center

ThinkVantage System für aktiven Festplattenschutz

ThinkVantage Technologies Welcome Message

Total Commander (Remove or Repair)

uMedia uTV

Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

VLC media player 2.0.1


Windows Driver Package - Broadcom (b57nd60x) Net (05/09/2007

Windows Driver Package - Intel (iaStor) hdc (02/12/2007

Windows Driver Package - Intel hdc (11/15/2006

Windows Driver Package - Intel hdc (12/06/2006

Windows Driver Package - Intel System (09/15/2006

Windows Driver Package - Intel System (09/15/2006

Windows Driver Package - Intel System (09/15/2006

Windows Driver Package - Intel System (09/15/2006

Windows Driver Package - Intel USB (09/15/2006

Windows Driver Package - Lenovo (IBMPMDRV) System (05/31/2007 1.43)

Windows Live Toolbar

Windows Media Player Firefox Plugin

WinSCP 4.1.6


==== End Of File ===========================

Edited by Maurice Naggar

Share this post

Link to post
Share on other sites

ID: 2   Posted (edited)

Hello funnybone,

Please do as much as you can of the following.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT by doing a Right-Click on it & select Run As Admisnistrator

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

  1. Close any/all open internet browsers. Save any open documents you have open & close programs you started.
  2. Click on START>All Programs>Malwarebytes' Anti-Malware>Tools>Malwarebytes Anti-Malware Chameleon
    On Vista or Windows 7, press Windows-key, then start typing in text box
  3. Malwarebytes

  4. then select/click Malwarebytes Anti-Malware Chameleon
  5. Once the Help file opens, click on a Chameleon button (starting with #1)
  6. If running on Vista, Windows 7, press the Yes button when prompted at the UAC prompt to allow to run.
  7. You should see a black Command-prompt-window that remains open and says MBAM-chameleon ver. 1.6 at the top
  8. Press any key to continue as it says in the window {space-bar will do}
  9. If the Chameleon button you tried does not work, try the next Chameleon button shown. (There are 12 in all).
  10. Have infinite patience during this process
  11. Malwarebytes Chameleon will proceed to update Malwarebytes Anti-Malware, so ensure that you are connected to the internet if possible
  12. Once the update completes and it says your database is updated, click on OK button so that process can continue :excl:
  13. Malwarebytes Chameleon will then terminate any threats running in memory, which may take a while, so please be patient.
  14. After that, Malwarebytes Anti-Malware will open automatically and perform a Quick scan
  15. A quick scan will take a few minutes, possibly 5 or so minutes. Have infinite patience.
  16. Once the scan is complete, click on Show Results and remove any threats that are found by clicking Remove Selected
  17. If prompted to restart your computer to complete the removal process, click Yes :excl:
  18. If no threats are found, press OK button & press EXIT to end MBAM. Press the space-bar (or another key) to exit the command-prompt-window.
  19. After your computer restarts, open Malwarebytes Anti-Malware and perform one last Quick scan to verify that there are no remaining threats

Reply with copy of the MBAM scan log for review.

P.S. Always use NOTEPAD & Copy all & Paste all contents of logs inside the main-body of reply box. Do NOT attach logs. Thanks.

Edited by Maurice Naggar

Share this post

Link to post
Share on other sites

Dear Maurice Naggar

i did point to point of your list to run



mbam chameleon.

and I got followoing messages:

erunt all ok.

Now I disabled the entivir-prgramm (avast/alwil)


in the black dos box of mbam chameleon

mbam chameleon updated the database

and the progam!

but I got at last some strange messages:

"windows defender doesn't run"


mbam-killer.exe damaged

run chkdsk


and later

engl. "firefox.exe damaged"

(i hope i didn't forget to close firefox)

so i had fear

and I stopped the process,

after restart and automatic repair from lenevo-repair

(software from lenovo on hdd, perhaps second partition)

- the notebook -

i am glad - it runs again

but mbam stops bei scan

i have to reboot

and after chdsk

- the notebook -

i am glad - it runs again

firefox also runs again

mbam also runs again but may stop by scans

If have now updatet from mbam vers to vers

Now the questions:

are the messages ok?

Whats about the chdsk-messages are these due of the trojan ore only hdd-erros?

is it reasonable

to run chameleon again?

with best regards


Share this post

Link to post
Share on other sites

No do not run Chameleon again. Do not run chkdsk.

I am having a little bit of a hard time understanding your reply. Maybe you can make it clearer.

For now, advise me if you have your Vista operating system CD/DVD

and just run this report set

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Right click on RSIT.exe & select Run as Administrator & allow to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please COPY & PASTE the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Share this post

Link to post
Share on other sites

Need a status update from you. Have you resolved this ? Do you still need help ?

Share this post

Link to post
Share on other sites

ID: 6   Posted (edited)

Hello Maurice

and thanks very much for support.

I was busy on job and so i am answering today.

I am glad that the Notebook runs.

I m using it as stand-alone pc only for look up.

And files like emails, docs, xls and jpgs i saved meanwhile on an external hd.

This hd i can also check with malwarebytes if it is recommended.

In the last post i forgot to say,

that the program Lenovo rescue and recovery was automatically started 2 times

while booting and the notebeook was running properly after that, as i wrote.

Unfortunately 1 times chkdsk was running after booting before I got support from you.

and i don't know why.

And chkdsk was also running after booting automatically by the last operation i wrote.

Therefore I found 2 folders

found.000 from July 11.


found.001 from August 04th.

Both folders are empty

I don't miss some files yet, but I am looking further.

So i have to remove the bug with IE

and perhaps something to get malwarebytes doesn't stop while running in search mode.

In windows safe mode malwarebyte runs properly.

I am using meanwhile firefox-browser.

with very best regards


Logfile of random's system information tool 1.09 (written by random/random)

Run by User_1 at 2012-08-05 14:35:16

Microsoft® Windows Vista™ Business Service Pack 2

System drive C: has 6 GB (4%) free of 146 GB

Total RAM: 2038 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:35:32, on 05.08.2012

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v9.00 (9.00.8112.16446)

Boot mode: Normal

Running processes:




C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe


C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe


C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe




C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Visagesoft\eXPert PDF 6\vspdfprsrv.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Lenovo\NPDIRECT\NPDTRAY.EXE



C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe




C:\Program Files\trend micro\User_1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup

O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent

O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Program Files\Visagesoft\eXPert PDF 6\vspdfprsrv.exe --background

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe

O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

O4 - HKCU\..\Run: [NPDTRAY] C:\PROGRA~1\Lenovo\NPDIRECT\NPDTray.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')

O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Startup: OneNote Inhaltsverzeichnis.onetoc2

O4 - Startup: xampp-control.lnk = C:\xampplite\xampp-control.exe

O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update-Dienst (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe

O23 - Service: Anzeige am Bildschirm (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe

O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


End of file - 11891 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Adobe Flash Player Updater.job

C:\Windows\tasks\Auf Updates für Windows Live Toolbar prüfen.job

C:\Windows\tasks\Google Software Updater.job





=========Mozilla firefox=========

ProfilePath - C:\Users\User_1\AppData\Roaming\Mozilla\Firefox\Profiles\e16jyvc0.default

prefs.js - "extensions.enabledItems" - "{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11, {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13, {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15, {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17, {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}:6.0.19, {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20, {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23, {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24,, {20a82645-c095-46ed-80e3-08825760534b}:1.2.1, {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.19"

"{20a82645-c095-46ed-80e3-08825760534b}"=c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

""=C:\Program Files\AVAST Software\Avast\WebRep\FF


"Description"=Adobe® Flash® Player 11.3.300.270 Plugin



"Description"=Google Earth in your browser

"Path"=C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll


"Description"=Picasa2 plugin

"Path"=C:\Program Files\Picasa2\npPicasa2.dll


"Description"=Picasa3 plugin

"Path"=C:\Program Files\Google\Picasa3\npPicasa3.dll


"Description"=Oracle® Next Generation Java™ Plug-In

"Path"=C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll


"Description"=Windows Presentation Foundation plug-in for Mozilla browsers

"Path"=c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\ Updater;version=14]

"Description"=Google Updater

"Path"=C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\ Update;version=3]

"Description"=Google Update

"Path"=C:\Program Files\Google\Update\\npGoogleUpdate3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\ Update;version=9]

"Description"=Google Update

"Path"=C:\Program Files\Google\Update\\npGoogleUpdate3.dll


"Description"=VLC Multimedia Plugin

"Path"=C:\Program Files\VideoLAN\VLC\npvlc.dll

C:\Program Files\Mozilla Firefox\extensions\


C:\Program Files\Mozilla Firefox\components\



C:\Program Files\Mozilla Firefox\plugins\






WMP Firefox Plugin License.rtf

WMP Firefox Plugin RelNotes.txt

C:\Program Files\Mozilla Firefox\searchplugins\










======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

Adobe PDF Reader - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2010-04-02 61888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

Java Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2012-02-19 325408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}]

avast! WebRep - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2012-07-03 1160792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll [2011-09-09 761840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]

Windows Live Toolbar Helper - c:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 546672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2012-02-19 42272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F040E541-A427-4CF7-85D8-75E3E0F476C5}]

CPwmIEBrowserHelper Object - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll [2007-08-09 795960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - c:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 546672]

{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - avast! WebRep - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2012-07-03 1160792]


"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]

"TPFNF7"=C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe [2007-11-29 59168]

"PWMTRV"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor []

"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog []

"TPHOTKEY"=C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [2007-03-09 66176]

""= []

"TpShocks"=C:\Windows\system32\TpShocks.exe [2007-11-22 181536]

"EZEJMNAP"=C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2007-03-28 243248]

"LenovoOobeOffers"=c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe [2007-09-25 28672]

"TVT Scheduler Proxy"=C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [2008-03-04 487424]

"DiskeeperSystray"=C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe [2006-11-15 217176]

"AwaySch"=C:\Program Files\Lenovo\AwayTask\AwaySch.EXE [2006-11-07 91688]

"LPManager"=C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [2007-04-26 120368]

"AMSG"=C:\Program Files\ThinkVantage\AMSG\Amsg.exe [2009-03-06 458752]

"ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2007-07-05 419112]

"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-07-05 124200]

"cssauth"=C:\Program Files\Lenovo\Client Security Solution\cssauth.exe [2007-08-09 2630968]

"Message Center Plus"=C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe [2009-05-27 49976]

"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-10-07 150040]

"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-10-07 178712]

"Persistence"=C:\Windows\system32\igfxpers.exe [2008-10-07 154136]

"vspdfprsrv.exe"=C:\Program Files\Visagesoft\eXPert PDF 6\vspdfprsrv.exe [2008-11-18 1199616]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2010-04-02 40368]

"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-24 952768]

"TrackPointSrv"=C:\Program Files\Lenovo\TrackPoint\tp4serv.exe [2009-11-24 93032]

"avast"=C:\Program Files\AVAST Software\Avast\avastUI.exe [2012-07-03 4273976]

"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2012-01-18 254696]


"WindowsWelcomeCenter"=oobefldr.dll,ShowWelcomeCenter []

"NPDTRAY"=C:\PROGRA~1\Lenovo\NPDIRECT\NPDTray.exe [2007-11-29 218400]

C:\Users\User_1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

OneNote Inhaltsverzeichnis.onetoc2

xampp-control.lnk - C:\xampplite\xampp-control.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

C:\Windows\system32\igfxdev.dll [2008-10-07 221184]


"notification packages"=scecli



















[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
































======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 month======

2012-08-05 14:25:06 ----D---- C:\Program Files\trend micro

2012-08-05 14:25:04 ----D---- C:\rsit

2012-08-04 14:15:15 ----SHD---- C:\found.001

2012-08-04 12:34:53 ----A---- C:\Windows\system32\drivers\mbamchameleon.sys

2012-08-04 12:32:01 ----D---- C:\Windows\ERDNT

2012-08-04 12:30:30 ----D---- C:\Program Files\ERUNT

2012-07-11 18:29:36 ----SHD---- C:\found.000

2012-07-08 13:15:15 ----A---- C:\Windows\ntbtlog.txt

2012-07-08 11:46:24 ----D---- C:\Users\User_1\AppData\Roaming\Malwarebytes

2012-07-08 11:46:11 ----D---- C:\ProgramData\Malwarebytes

2012-07-08 11:46:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2012-07-08 11:46:08 ----A---- C:\Windows\system32\drivers\mbam.sys

2012-07-06 23:38:15 ----D---- C:\HiJackThis

======List of files/folders modified in the last 1 month======

2012-08-05 14:35:33 ----D---- C:\Windows\Temp

2012-08-05 14:25:19 ----D---- C:\Windows\Prefetch

2012-08-05 14:25:06 ----RD---- C:\Program Files

2012-08-05 09:22:33 ----SHD---- C:\System Volume Information

2012-08-04 17:21:43 ----D---- C:\Windows\system32\drivers

2012-08-04 15:31:46 ----D---- C:\Windows\system32\catroot2

2012-08-04 14:34:28 ----A---- C:\Windows\system32\PROCDB.INI

2012-08-04 14:32:23 ----D---- C:\Windows\System32

2012-08-04 14:32:23 ----A---- C:\Windows\system32\IPSCtrl.INI

2012-08-04 14:26:21 ----D---- C:\Windows\system32\CodeIntegrity

2012-08-04 12:46:53 ----A---- C:\Windows\system32\FlashPlayerApp.exe

2012-08-04 12:32:01 ----D---- C:\Windows

2012-08-03 11:12:32 ----D---- C:\Program Files\PSPad

2012-08-03 10:50:31 ----SHD---- C:\Windows\Installer

2012-08-03 10:50:31 ----SHD---- C:\Config.Msi

2012-07-16 21:44:32 ----D---- C:\Users\User_1\AppData\Roaming\vlc

2012-07-13 20:19:30 ----A---- C:\Windows\system32\PerfStringBackup.INI

2012-07-11 07:29:01 ----D---- C:\Program Files\Microsoft Office

2012-07-10 20:52:07 ----D---- C:\ProgramData\Roxio

2012-07-08 13:28:47 ----D---- C:\Windows\Web

2012-07-08 11:46:11 ----HD---- C:\ProgramData

2012-07-07 14:41:49 ----D---- C:\Users\User_1\AppData\Roaming\eXPert PDF 6

2012-07-06 23:59:58 ----D---- C:\Windows\system32\Tasks

2012-07-06 22:06:51 ----D---- C:\Bilder

2012-07-06 19:47:39 ----D---- C:\Windows\Microsoft.NET

2012-07-06 19:47:35 ----RSD---- C:\Windows\assembly

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 DRVMCDB;DRVMCDB; C:\Windows\System32\Drivers\DRVMCDB.SYS [2007-03-12 99848]

R0 iaStor;Intel AHCI Controller; C:\Windows\system32\DRIVERS\iaStor.sys [2007-02-12 277784]

R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2008-11-20 43872]

R0 Shockprf;Shockprf; C:\Windows\System32\DRIVERS\Apsx86.sys [2007-10-16 103472]

R0 TPDIGIMN;TPDIGIMN; C:\Windows\System32\DRIVERS\ApsHM86.sys [2007-10-16 19504]

R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2012-07-03 35928]

R1 aswSnx;aswSnx; C:\Windows\system32\drivers\aswSnx.sys [2012-07-03 721000]

R1 aswSP;aswSP; C:\Windows\system32\drivers\aswSP.sys [2012-07-03 353688]

R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2012-07-03 54232]

R1 DLACDBHM;DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [2007-02-08 12856]

R1 DLARTL_M;DLARTL_M; C:\Windows\System32\Drivers\DLARTL_M.SYS [2007-02-08 28120]

R1 lenovo.smi;Lenovo System Interface Driver; C:\Windows\system32\DRIVERS\smiif32.sys [2006-08-30 13744]

R1 TPPWRIF;TPPWRIF; C:\Windows\System32\drivers\Tppwr32v.sys [2007-12-06 12080]

R2 aswFsBlk;aswFsBlk; C:\Windows\system32\drivers\aswFsBlk.sys [2012-07-03 21256]

R2 aswMonFlt;aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [2012-07-03 57656]

R2 DLABMFSM;DLABMFSM; C:\Windows\System32\DLA\DLABMFSM.SYS [2007-03-13 35064]

R2 DLABOIOM;DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [2007-03-13 32472]

R2 DLADResM;DLADResM; C:\Windows\System32\DLA\DLADResM.SYS [2007-03-13 9400]

R2 DLAIFS_M;DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [2007-03-13 104824]

R2 DLAOPIOM;DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [2007-03-13 26744]

R2 DLAPoolM;DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [2007-03-13 14520]

R2 DLAUDF_M;DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [2007-03-13 98104]

R2 DLAUDFAM;DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [2007-03-13 94648]

R2 DRVNDDM;DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [2007-02-09 51768]

R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]

R2 PROCDD;IPS-Helper-Treiber; C:\Windows\system32\DRIVERS\PROCDD.SYS [2006-11-06 12080]

R2 tvtfilter;tvtfilter; C:\Windows\system32\DRIVERS\tvtfilter.sys [2008-08-21 33536]

R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-04-10 8704]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-02 179712]

R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDRTN32.sys [2009-06-22 486400]

R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-03-25 984064]

R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-03-25 208384]

R3 IBMPMDRV;IBMPMDRV; C:\Windows\system32\DRIVERS\ibmpmdrv.sys [2007-05-31 21424]

R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-10-07 2473472]

R3 NETw4v32;Intel® Wireless WiFi Link Adaptertreiber für Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-04-29 2219520]

R3 psadd;Lenovo Parties Service Access Device Driver; C:\Windows\system32\DRIVERS\psadd.sys [2009-06-01 30144]

R3 TVTI2C;Lenovo SM bus driver; C:\Windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]

R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-03-25 660480]

S3 AF15BDA;AF9015 BDA Filter; C:\Windows\system32\DRIVERS\AF15BDA.sys [2009-09-06 306816]

S3 BthEnum;Bluetooth-Auflistungsdienst; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-11 22528]

S3 BthPan;Bluetooth-Gerät (PAN); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-21 92160]

S3 BTHPORT;Bluetooth-Porttreiber; C:\Windows\System32\Drivers\BTHport.sys [2011-04-21 508416]

S3 BTHUSB;USB-Treiber für Bluetooth-Sender; C:\Windows\System32\Drivers\BTHUSB.sys [2009-06-17 30208]

S3 btwaudio;Bluetooth-Audiogerät; C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 79664]

S3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2007-02-27 81200]

S3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-27 16432]

S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]

S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-21 220672]

S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDARTN.sys [2007-04-27 215040]

S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-21 200704]

S3 mbamchameleon;mbamchameleon; \??\C:\Windows\system32\drivers\mbamchameleon.sys [2012-08-04 28488]

S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]

S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]

S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]

S3 NETw3v32;Intel® PRO/Wireless 3945ABG-Adaptertreiber für Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2008-01-21 2225664]

S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver; \??\c:\program files\pc-doctor\pcdsrvc.pkms [2010-05-07 21360]

S3 RFCOMM;Bluetooth-Gerät (RFCOMM-Protokoll-TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-11 148992]

S3 Tp4Track;PS/2 TrackPoint Driver; C:\Windows\system32\DRIVERS\tp4track.sys [2009-11-24 23152]

S3 TPM;TPM; C:\Windows\system32\drivers\tpm.sys [2008-01-21 45624]

S3 usbaudio;USB-Audiotreiber (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-11 73216]

S3 usbvideo;USB-Videogerät (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-21 134016]

S3 WimFltr;WimFltr; C:\Windows\system32\DRIVERS\wimfltr.sys [2007-01-09 128104]

S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]

S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]

S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]

S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-07-05 91432]

R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-07-05 206120]

R2 avast! Antivirus;avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-07-03 44808]

R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-21 21504]

R2 Diskeeper;Diskeeper; C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe [2006-11-15 634988]

R2 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-21 21504]

R2 IBMPMSVC;ThinkPad PM Service; C:\Windows\system32\ibmpmsvc.exe [2007-05-31 36400]

R2 IPSSVC;IPS-Basisservice; C:\Windows\system32\IPSSVC.EXE [2007-01-30 108080]

R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]

R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]

R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]

R2 SUService;System Update; c:\program files\lenovo\system update\suservice.exe [2008-10-20 28672]

R2 ThinkVantage Registry Monitor Service;ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [2007-08-09 644408]

R2 TPHDEXLGSVC;ThinkPad HDD APS Logging Service; C:\Windows\System32\TPHDEXLG.exe [2007-10-16 37424]

R2 TPHKSVC;Anzeige am Bildschirm; C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2007-03-02 55936]

R2 TSSCoreService;TSS Core Service; C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe [2007-08-09 722232]

R2 TVT Backup Protection Service;TVT Backup Protection Service; C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-08 569344]

R2 TVT Backup Service;TVT Backup Service; C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe [2007-01-08 950272]

R2 TVT Scheduler;TVT Scheduler; c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2008-03-04 1122304]

R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-04-10 386560]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-12-26 135664]

S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-09 194104]

S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-01-12 294912]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-04 250056]

S3 aspnet_state;ASP.NET-Zustandsdienst; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2009-03-30 31048]

S3 gupdatem;Google Update-Dienst (gupdatem); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-12-26 135664]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]

S3 MozillaMaintenance;Mozilla Maintenance Service; C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-18 113120]

S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-01-12 57344]

S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-04-22 880640]

S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-05-30 73728]

S3 WPFFontCache_v0400;@c:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S4 MSSQLServerADHelper;Hilfsdienst von SQL Server für Active Directory; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]

S4 SQLBrowser;SQL Server-Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]



Edited by Maurice Naggar

Share this post

Link to post
Share on other sites

Step 1

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Java rutime security maintenance

javaicon.gifYour Java runtime is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of >> Windows Offline << from here and save it to your desktop.
  • Get the Offline version that corresponds to your "bit-tedness" of your Windows (32-bit or 64-bit)
    How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system
  • Close any programs you may have running - especially your web browser(s).
  • Go to Start > Settings > Control Panel, select Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u5-windows-i586.exe to install the newest version.
    ( jre-7u5-windows-x64.exe if this is a 64-bit Windows o.s.)

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) javaicon.gif
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

Press Apply then OK. Close the applet when done.

Adobe Reader security

Older versions of Adobe Reader pose a potential security risk.

De-install your Adobe Reader: Use Control Panel's Program and Features, Un-install Adobe Reader.

Get latest Adobe Reader version

Be sure to un-check the box for Free McAfee Security Scan or any "toolbar" (if offered )

Using IE (only!) to

[ignore any DOES NOT APPLY warning as well as the APPLIES TO section],

run the Fix It and then reboot.

Tip: For optimal results, enable the Delete personal settings option.

Now, then, Tell me, How is the system now :excl:

Share this post

Link to post
Share on other sites

hello Maurice

the backup hd with docs, favorites, xmls, jpgs has been checked on a new clean isolatet PC with new malwarebytes and stinger

look here


The program tfc elapsed time was 3 hrs. I think my notebook is slow.

java update ok

adobereader update ok

Using IE (only!) to

i got this error:

When installing the package, an unexpected error has occurred.

This may indicate a problem with this package. The error code is 2378

malwarebytes runs but hangs by searching in normal mode.

At this point, I watched that the errors occurs after 10 minutes



here your link

and now my link in IE:


sincerly funnybone

Share this post

Link to post
Share on other sites


malwarebytes runs but hangs by searching in normal mode.
Did you turn off temporarily your antivirus before starting MBAM ?


I watched that the errors occurs after 10 minutes



Just what showed this error ?? was that your Internet Explorer ?

Keep this in mind, if a browser is giving you hiccups

Run IE & Firefox browser without addons


Step 1

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 2

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member funnybone only. If you are a casual viewer, do NOT try this on your system!

If you are not and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)or a UPS system

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right- click on Combo-Fix.exe on your Desktop cf-icon.jpg and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.


[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh :excl:

Reply & attach the C:\Combofix.txt log and tell me, How is the system now ?

Re-enable your antivirus program.

Share this post

Link to post
Share on other sites

Dear Maurice ...

here is a first abstract

It could be indeed a internal problem with my notebook and malwarebytes, because i have a slowly notebook (i don't know why).

I didn't found any other error except beeing slowly.

Malwarebytes runs properly on other systems with xp and same antivirus scanner.

so i forgot to deactivate the virus scanner

But this notebook:

scanning with malwarebytes in windows normal mode:

Sometimes systems hangs only.

Sometimes I got a bluescreen and dump message.

I have to turn off and to turn on.

After that by restart chkdsk is running.

turn off avast antivirus:

scanning with malwarebytes in windows normal mode:

malwarebytes tells no response but nothing happens,

notebook no response causes reboot

Running in windows save mode: no problems.

see above, first blog:

avast antivir found nothing

mbaw found in save mode

infected files: 1

C:\Windows\Temp\TMP00000004DD0CB990557B4247 (Trojan.Dropper) -> Successfully removed and placed in quarantine.

This is only Internet Explorer:

I watched that the errors occurs after 10 minutes



This is only Internet Explorer

This error occured after standard windows update (automatic update)!

and the message on the IE is

"Internet Explorer has stopped working - close program"


starting Internet Explorer with iexplore -extoff no problems

seems to be some add-ons?

Firefox runs properly.

No other problems found yet.

Word, excel, vnc, windows-mail runs properly

sound ist properly.

with best regards


Share this post

Link to post
Share on other sites


Are you planning to run SecurityCheck and Combofix ? as I requested.

Share this post

Link to post
Share on other sites

hello maurice

yes do, (recommended i think? risk?)

i checked out that ie browser is giving me hiccups often by microsoft-sites ...

first at next i am doing Security Check

one moment please ....

Share this post

Link to post
Share on other sites

Hello funnybone,

Are you planning to run SecurityCheck and Combofix ? as I requested back on 13 August.

Share this post

Link to post
Share on other sites

Hello mauric, thanks for help:

SecurityCehck is doing this

i got some messages in the DOS-Box:

C:\Windows\system32\sc.exe ist keine win32 Anwendung

C:\Windows\system32\sc.exe is not a win32 application

Datei ist gesperrt

file is locked

and here is the logfile,

but what is the meaning of that?

Windows Security Center service is not running! This report may not be accurate!

I have combofix downloaded yet, I am starting soon


Results of screen317's Security Check version 0.99.46

Windows Vista Service Pack 2 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

avast! Antivirus

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware Version

Java 7 Update 5

Java version out of Date!

Adobe Flash Player 11.3.300.271

Adobe Reader X 10.1.3 Adobe Reader out of Date!

Mozilla Firefox 13.0.1 Firefox out of Date!

````````Process Check: objlist.exe by Laurent````````

Windows Defender MSASCui.exe

Windows Defender MSASCui.exe

AVAST Software Avast AvastSvc.exe

AVAST Software Avast AvastUI.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: %

````````````````````End of Log``````````````````````

Share this post

Link to post
Share on other sites

Proceed forward with the Combofix run and post that log (as I had outlined before).

Once you have done that, I will review that & formulate what we need to do afterwards.

Please do not do anything else on your own and await my future reply.

Meantime, do not do any websurfing, online games, online shopping, or online banking.

Just only go to this forum and the websites I guide you to.

Cannot tell what the issue was in the SecurityCheck run. But it did produce the report, and I'll see what follow-up is needed.

btw, I have an event to attend today, so it will be much later this evening before I get back to you.

Share this post

Link to post
Share on other sites

ID: 17   Posted (edited)

hello maurice,

combofix done

i am happy that notebook runs

I am glad to present the log.txt.

i changed username in user_1

if you see C:\A

that is from beginning as new notebook and vanishes sometimes

perhaps we can find why this notebook is sometimes slowly

can you see success?


ComboFix 12-08-17.03 - user_1 18.08.2012 18:54:00.1.2 - x86

Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1031.18.2038.880 [GMT 2:00]

ausgeführt von:: c:\users\user_1\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}



(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))












c:\windows\System32\sc.exe . . . ist infiziert!! ~emphasis added by moderator :excl:



((((((((((((((((((((((( Dateien erstellt von 2012-07-18 bis 2012-08-18 ))))))))))))))))))))))))))))))



2012-08-18 17:42 . 2012-08-18 17:42 -------- d--h--we C:\A

2012-08-18 17:37 . 2012-08-18 17:37 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-14 22:21 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

2012-08-14 22:21 . 2012-05-11 15:57 623616 ----a-w- c:\windows\system32\localspl.dll

2012-08-14 22:20 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-08-14 22:20 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-08-14 22:20 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-08-14 22:20 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll

2012-08-14 22:20 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll

2012-08-14 17:34 . 2012-08-14 17:34 -------- d-----w- C:\found.002

2012-08-14 06:00 . 2012-08-14 16:44 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-08-12 12:18 . 2012-08-12 12:18 -------- d-----w- c:\program files\Common Files\Java

2012-08-12 12:17 . 2012-08-12 12:15 772592 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-08-12 12:14 . 2012-08-12 12:14 -------- d-----w- c:\program files\Java

2012-08-05 12:25 . 2012-08-05 12:35 -------- d-----w- c:\program files\trend micro

2012-08-05 12:25 . 2012-08-05 12:48 -------- d-----w- C:\rsit

2012-08-04 12:15 . 2012-08-04 12:15 -------- d-----w- C:\found.001

2012-08-04 10:34 . 2012-08-04 10:49 28488 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-08-04 10:30 . 2012-08-04 10:30 -------- d-----w- c:\program files\ERUNT




(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))


2012-08-14 21:45 . 2012-04-05 19:33 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-14 21:45 . 2011-06-18 07:27 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-12 12:15 . 2010-05-16 08:35 687600 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-03 16:21 . 2012-01-31 22:02 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-07-03 16:21 . 2012-01-31 22:02 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-07-03 16:21 . 2012-01-31 22:02 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-07-03 16:21 . 2012-01-31 22:02 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2012-07-03 16:21 . 2012-01-31 22:02 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-07-03 16:21 . 2012-01-31 22:02 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-07-03 16:21 . 2012-01-31 22:00 41224 ----a-w- c:\windows\avastSS.scr

2012-07-03 16:21 . 2012-01-31 22:00 227648 ----a-w- c:\windows\system32\aswBoot.exe

2012-07-03 11:46 . 2012-07-08 09:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-02 22:19 . 2012-06-24 06:08 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-24 06:08 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-24 06:07 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-24 06:07 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-24 06:08 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-24 06:08 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-24 06:07 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 13:19 . 2012-06-24 06:06 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 13:12 . 2012-06-24 06:06 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-31 10:25 . 2009-10-02 16:50 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-06-18 09:12 . 2012-01-03 04:21 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll



(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))



*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.






2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll



"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]

"NPDTRAY"="c:\progra~1\Lenovo\NPDIRECT\NPDTray.exe" [2007-11-29 218400]



"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 324896]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-12-06 214576]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]

"TpShocks"="TpShocks.exe" [2007-11-22 181536]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]

"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 28672]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-15 217176]

"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]

"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2009-03-06 458752]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-27 49976]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-07 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-07 178712]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-07 154136]

"vspdfprsrv.exe"="c:\program files\Visagesoft\eXPert PDF 6\vspdfprsrv.exe" [2008-11-18 1199616]

"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2009-11-24 93032]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]


c:\users\user_1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

OneNote Inhaltsverzeichnis.onetoc2 [2009-7-14 3656]

xampp-control.lnk - c:\xampplite\xampp-control.exe [2010-1-26 148112]



"EnableUIADesktopToggle"= 0 (0x0)


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]



R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]



--- Andere Dienste/Treiber im Speicher ---


*NewlyCreated* - WS2IFSL


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache


Inhalt des "geplante Tasks" Ordners


2012-08-18 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 21:45]


2012-08-18 c:\windows\Tasks\Auf Updates für Windows Live Toolbar prüfen.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 13:54]


2012-08-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-21 04:27]


2012-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 11:59]


2012-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 11:59]


2010-11-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\uaclauncher.exe [2010-05-07 19:46]


2012-08-18 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdrcui.exe [2010-05-08 21:08]



------- Zusätzlicher Suchlauf -------


uStart Page = about:blank

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer =

FF - ProfilePath - c:\users\user_1\AppData\Roaming\Mozilla\Firefox\Profiles\e16jyvc0.default\




Scanne versteckte Prozesse...


c:\windows\System32\SearchProtocolHost.exe [5740] 0x849A57A0


Scanne versteckte Autostarteinträge...


Scanne versteckte Dateien...


Scan erfolgreich abgeschlossen

versteckte Dateien:





"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"


--------------------- Gesperrte Registrierungsschluessel ---------------------



@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)



--------------------- Durch laufende Prozesse gestartete DLLs ---------------------


- - - - - - - > 'Explorer.exe'(4564)


c:\program files\Lenovo\Drag-to-Disc\Shellex.dll


c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll

c:\program files\WinSCP\DragExt.dll


------------------------ Weitere laufende Prozesse ------------------------



c:\program files\AVAST Software\Avast\AvastSvc.exe



c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe


c:\program files\LENOVO\HOTKEY\TPHKSVC.exe

c:\program files\Lenovo\Client Security Solution\tvttcsd.exe

c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe

c:\program files\Lenovo\Rescue and Recovery\rrservice.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe


c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\lenovo\system update\suservice.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe





c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE

c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE



c:\program files\Lenovo\NPDIRECT\NPDTRAY.EXE

c:\program files\Lenovo\HOTKEY\TPONSCR.exe

c:\program files\Lenovo\Zoom\TpScrex.exe

c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe





Zeit der Fertigstellung: 2012-08-18 19:52:31 - PC wurde neu gestartet

ComboFix-quarantined-files.txt 2012-08-18 17:51


Vor Suchlauf: 6.422.609.920 Bytes frei

Nach Suchlauf: 5.928.927.232 Bytes frei


- - End Of File - - 91C5E48A20E5DAB9DD19B4531A654C1D

Edited by Maurice Naggar
Logs put In-line

Share this post

Link to post
Share on other sites

I do not understand what or why you did this ?

i changed username in user_1

Please do NOT make changes on your own, without asking me first.

IF you have questions, stop and ask your question here.

I see some progress in that Combofix ran and it did find & remove some things.

As for any "slow" issue, that can be addressed much later.

For now, the system still has a problem. There is an infected system component.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Share this post

Link to post
Share on other sites

The report from Systemlook is ok.

Download Dr.Web CureIt to the desktop.

  • Turn OFF your antivirus program.
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Doubleclick the drweb-cureit.exe file, then on Start and allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, chose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow drweb.jpg at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-Enable your antivirus program when all done.

Share this post

Link to post
Share on other sites

Hello Maurice

Dr.Web CureIt finshed yet after 12 hrs

found only 2 infected files

otl.exe from oldtimer i found before i found sorry

and some like passwordspy, i never used o this notebook i got it before 2006

i got bluescreen bofore saving:

"Save the report to your desktop. The report will be called DrWeb.csv"

notebook runs

shell i repeat Dr.Web CureIt ?

Share this post

Link to post
Share on other sites

Hello Maurice

I found in




I found in



OTL.exe infiziert mit Trojan.Siggen4.8915 nicht desinfizierbar

pwdspy.exe ...

C:\windows\System32\sc.exe gepackt von FLY-CODE

>C:\windows\System32\sc.exe OK

C:\windows\System32\SCP32.DLL gepackt von FLY-CODE

>C:\windows\System32\SCP32.DLL OK

and more ...

Share this post

Link to post
Share on other sites

No, do NOT run DrWeb Cure-It anymore.

Do an online scan at ESET:

You will want to print out or copy these instructions to Notepad for offline reference!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break popcorn.gifpepsi.gif

Re-enable the antivirus program.

Reply with copy of the Eset scan log

Share this post

Link to post
Share on other sites

Hallo Maurice,

the program

found Windows Defender

i will start to disable and i got this message:

Fehler bei Anwendungsinitialisierung 0x8001006ba.

Der Dienst dieses Programms wurde aufgrund eines Problems angehalten.

Führen Sie zum Start des Dienstes einen Neustart des Computers aus,

oder suchen Sie unter Hilfe und Support Informatonen zu manuellen Start dieses Dienstes.

Error in application initialization 0x8001006ba.

The service of this program was stopped due to a problem.

Run to start the service, restart your computer,

or search Help and Support informaton to manually start the service.

Notebook was restartet.

Can I continue?


Share this post

Link to post
Share on other sites

You can temporarily turn off Windows Defender (which is a mini-antimalware applet included with Windows XP, Vista, & WIN7).

Press the Windows-Start Orb, in the search box, type in

windows defender

and click on it to start it.

Next, from it's main menu, press TOOLs

then select OPTIONS

then click on Real-time protection

On the line that says

Use real-time protection
un-check the box

Then click SAVE and Exit

Then one more time, try again The ESET online scan.

N.B. We may have a translation problem since English is my first language, and yours is different !

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.