Jump to content

registry keys infected /Crossrider, crossfire, savings sidekick

Recommended Posts

Hello I will post my log here, because I don't know what to do now. I can't even take the infected registry keys into quarantine...

09.08.2012 11:42:02

mbam-log-2012-08-09 (11-42-02).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM

Deaktivierte Suchlaufeinstellungen: P2P

Durchsuchte Objekte: 381639

Laufzeit: 3 Stunde(n), 33 Minute(n), 1 Sekunde(n)

Infizierte Speicherprozesse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 14

HKCR\CrossriderApp0005060.BHO (PUP.CrossFire.Gen) -> Keine Aktion durchgeführt.

HKCR\CrossriderApp0005060.BHO.1 (PUP.CrossFire.Gen) -> Keine Aktion durchgeführt.

HKCR\CrossriderApp0005060.FBApi (PUP.CrossFire.Gen) -> Keine Aktion durchgeführt.

HKCR\CrossriderApp0005060.FBApi.1 (PUP.CrossFire.Gen) -> Keine Aktion durchgeführt.

HKCR\CrossriderApp0005060.Sandbox (PUP.CrossFire.Gen) -> Keine Aktion durchgeführt.

HKCR\CrossriderApp0005060.Sandbox.1 (PUP.CrossFire.Gen) -> Keine Aktion durchgeführt.


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011501160} (PUP.GamePlayLab) -> Keine Aktion durchgeführt.

HKCR\CLSID\{11111111-1111-1111-1111-110011501160} (PUP.GamePlayLab) -> Keine Aktion durchgeführt.

HKCR\TypeLib\{44444444-4444-4444-4444-440044504460} (PUP.GamePlayLab) -> Keine Aktion durchgeführt.

HKCR\Interface\{55555555-5555-5555-5555-550055505560} (PUP.GamePlayLab) -> Keine Aktion durchgeführt.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011501160} (PUP.GamePlayLab) -> Keine Aktion durchgeführt.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011501160} (PUP.GamePlayLab) -> Keine Aktion durchgeführt.

HKCU\Software\Cr_Installer\5060 (Adware.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 1

HKCU\Software\InstalledBrowserExtensions\215 Apps|5060 (PUP.CrossFire.SA) -> Daten: Savings Sidekick -> Keine Aktion durchgeführt.

Infizierte Dateiobjekte der Registrierung: 0

(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 5

C:\Program Files\Uninstall Information\ib_uninst_540\uninstall.exe (PUP.BundleInstaller.IB) -> Keine Aktion durchgeführt.

C:\Users\Maria\AppData\Local\Temp\softonic_ssk_conduit.exe (PUP.BundleInstaller.IB) -> Keine Aktion durchgeführt.

C:\Users\Maria\Downloads\SoftonicDownloader_fuer_cryptload.exe (PUP.ToolbarDownloader) -> Keine Aktion durchgeführt.

C:\Users\Maria\Downloads\Programme\Cryptload\router\FRITZ!Box\nc.exe (PUP.Netcat) -> Keine Aktion durchgeführt.

C:\Program Files\Savings Sidekick\Savings Sidekick.dll (PUP.GamePlayLab) -> Keine Aktion durchgeführt.


thanx for any help guys!!!!!

Link to post
Share on other sites

Hello Marial and welcome to MalwareBytes forums.

Those are indications of "possibly undesired programs", not necessarily infected "keys".

Please follow my guidance.

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here

or http://download.bleepingcomputer.com/sUBs/dds.scr or


Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:



Link to post
Share on other sites

Thank you very much for your instructions!

Here is the DDS.txt:

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1

Run by Maria at 16:08:22 on 2012-08-09

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.43.1031.18.3293.1418 [GMT 2:00]


AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch


C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs


C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup


C:\Windows\system32\svchost.exe -k LocalService


C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe


C:\Program Files\Avira\AntiVir Desktop\sched.exe


C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Toshiba TEMPRO\TempoSVC.exe

C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe


C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup




C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe




C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Toshiba\Toshiba Online Product Information\TOPI.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

C:\Program Files\Toshiba\Power Saver\TPwrMain.exe

C:\Program Files\Toshiba\FlashCards\TCrdMain.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe

C:\Program Files\Toshiba\HDMICtrlMan\HCMSoundChanger.exe

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe






C:\Program Files\Spyware Terminator\st_rsser.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe

C:\Program Files\Spyware Terminator\SpywareTerminator.exe






============== Pseudo HJT Report ===============


uSearch Page = hxxp://www.google.com

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2431245

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Savings Sidekick: {11111111-1111-1111-1111-110011501160} - c:\program files\savings sidekick\Savings Sidekick.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

TB: {DFEFCDEE-CF1A-4FC8-88AD-48514E463B27} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe

uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

uRun: [DAEMON Tools Lite] "h:\daemon tools lite\DTLite.exe" -autorun

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [NDSTray.exe] NDSTray.exe

mRun: [cfFncEnabler.exe] cfFncEnabler.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [Google EULA Launcher] c:\program files\google\google eula\GoogleEULALauncher.exe IE PA

mRun: [Toshiba TEMPO] c:\program files\toshiba tempro\Toshiba.Tempo.UI.TrayApplication.exe

mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [HDMICtrlMan] c:\program files\toshiba\hdmictrlman\HDMICtrlMan.exe

mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe

mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [spywareTerminatorShield] c:\program files\spyware terminator\SpywareTerminatorShield.exe

mRun: [spywareTerminatorUpdater] c:\program files\spyware terminator\SpywareTerminatorUpdate.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Free YouTube to MP3 Converter - c:\users\maria\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/707-44556-9400-3/4

IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.de/exec/obidos/redirect-home?tag=Toshibadebholink-21&site=home

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

TCP: DhcpNameServer =

TCP: Interfaces\{C311FAF7-0A4B-4D82-82B3-030559BE897B} : DhcpNameServer =

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

Hosts: www.spywareinfo.com


============= SERVICES / DRIVERS ===============


R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-8-9 36000]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-6-3 242240]

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2010-9-3 20384]

R1 sp_rsdrv2;Spyware Terminator 2012 Realtime Shield Driver;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-10-26 32768]

R2 AntiVirSchedulerService;Avira Planer;c:\program files\avira\antivir desktop\sched.exe [2012-8-9 86224]

R2 AntiVirService;Avira Echtzeit Scanner;c:\program files\avira\antivir desktop\avguard.exe [2012-8-9 110032]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-8-9 74640]

R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]

R2 ezGOSvc;Easybits GO Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]

R2 FontCache;Windows-Dienst für Schriftartencache;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-3 22344]

R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-4-15 51160]

R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-3 135664]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-7-18 30192]

S3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-3 135664]

S3 RTL2832U_IRHID;HID Infrared Remote Receiver;c:\windows\system32\drivers\RTL2832U_IRHID.sys [2009-7-13 37280]

S3 RTL2832UBDA;REALTEK 2832U BDA Driver;c:\windows\system32\drivers\RTL2832UBDA.sys [2010-7-1 188392]

S3 RTL2832UUSB;REALTEK 2832U USB Driver;c:\windows\system32\drivers\RTL2832UUSB.sys [2010-7-1 32872]


=============== Created Last 30 ================


2012-08-09 14:01:31 -------- d-----w- c:\programdata\Spyware Terminator

2012-08-09 13:59:57 -------- d-----w- c:\program files\Spyware Terminator

2012-08-08 22:04:38 -------- d-----w- c:\users\maria\appdata\roaming\Avira

2012-08-08 22:02:54 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2012-08-08 22:02:53 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2012-08-08 22:02:52 -------- d-----w- c:\programdata\Avira

2012-08-08 22:02:52 -------- d-----w- c:\program files\Avira

2012-08-07 22:08:22 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{bb74d170-4bce-45f1-b205-d013dcf97b56}\mpengine.dll

2012-08-01 20:55:39 -------- d-----w- C:\Downloads

2012-08-01 20:28:27 -------- d-----w- c:\users\maria\appdata\local\WinZip

2012-08-01 20:20:08 -------- d-----w- c:\programdata\Tarma Installer

2012-08-01 20:20:01 -------- d-----w- c:\programdata\IBUpdaterService

2012-08-01 20:19:57 666272 ----a-w- c:\program files\uninstall information\ib_uninst_540\uninstall.exe

2012-08-01 20:19:34 -------- d-----w- c:\users\maria\appdata\local\Savings Sidekick

2012-08-01 20:19:24 -------- d-----w- c:\program files\Savings Sidekick

2012-07-11 22:38:39 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 10:40:54 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll

2012-07-11 10:40:36 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-11 10:40:36 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-11 10:40:12 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-11 10:40:12 278528 ----a-w- c:\windows\system32\schannel.dll

2012-07-11 10:40:12 204288 ----a-w- c:\windows\system32\ncrypt.dll


==================== Find3M ====================


2012-07-03 11:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-03 21:41:23 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 13:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 13:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-31 10:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe


=================== ROOTKIT ====================


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6002 Disk: TOSHIBA_MK2552GSX rev.LV010M -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-0


device: opened successfully

user: MBR read successfully


Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys

1 ntkrnlpa!IofCallDriver[0x82882936] -> \Device\Harddisk1\DR1[0x85E88380]

3 CLASSPNP[0x8B10A8B3] -> ntkrnlpa!IofCallDriver[0x82882936] -> \Device\Ide\IdeDeviceP3T0L0-1[0x85DBC030]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user != kernel MBR !!!


============= FINISH: 16:10:28,51 ===============

and here the attach.txt:

DDS (Ver_2011-08-26.01)


Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume5

Install Date: 03.09.2010 16:13:49

System Uptime: 09.08.2012 11:34:49 (5 hours ago)


Motherboard: TOSHIBA | | Satellite P300D

Processor: AMD Turion X2 Dual-Core Mobile RM-70 | Socket M2/S1G1 | 1000/200mhz


==== Disk Partitions =========================


C: is FIXED (NTFS) - 116 GiB total, 29,113 GiB free.

D: is FIXED (NTFS) - 118 GiB total, 85,487 GiB free.

E: is CDROM ()

F: is FIXED (NTFS) - 115 GiB total, 104,802 GiB free.

G: is FIXED (NTFS) - 114 GiB total, 108,75 GiB free.

H: is FIXED (NTFS) - 93 GiB total, 65,211 GiB free.

I: is CDROM ()


==== Disabled Device Manager Items =============


Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Microsoft-6zu4-Adapter

Device ID: ROOT\*6TO4MP\0002

Manufacturer: Microsoft

Name: Microsoft-6zu4-Adapter

PNP Device ID: ROOT\*6TO4MP\0002

Service: tunnel


Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows

PNP Device ID: ROOT\NET\0000

Service: vpnva


==== System Restore Points ===================



==== Installed Programs ======================


Activation Assistant for the 2007 Microsoft Office suites

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

Adobe AIR

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.2 - Deutsch

Adobe Reader 8.1.2 Security Update 1 (KB403742)

ALPS Touch Pad Driver

Atheros Driver Installation Program

Atheros Wi-Fi Protected Setup Library

ATI Catalyst Install Manager

Avira Free Antivirus

Bluetooth Stack for Windows by Toshiba

Camera Assistant Software for Toshiba

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Vista

Catalyst Control Center Localization Chinese Standard

Catalyst Control Center Localization Chinese Traditional

Catalyst Control Center Localization Czech

Catalyst Control Center Localization Danish

Catalyst Control Center Localization Dutch

Catalyst Control Center Localization Finnish

Catalyst Control Center Localization French

Catalyst Control Center Localization German

Catalyst Control Center Localization Greek

Catalyst Control Center Localization Hungarian

Catalyst Control Center Localization Italian

Catalyst Control Center Localization Japanese

Catalyst Control Center Localization Korean

Catalyst Control Center Localization Norwegian

Catalyst Control Center Localization Polish

Catalyst Control Center Localization Portuguese

Catalyst Control Center Localization Russian

Catalyst Control Center Localization Spanish

Catalyst Control Center Localization Swedish

Catalyst Control Center Localization Thai

Catalyst Control Center Localization Turkish



CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CD/DVD Drive Acoustic Silencer

Cisco AnyConnect VPN Client

Compatibility Pack für 2007 Office System

Conexant HD Audio

DAEMON Tools Lite

Die Siedler - Aufbruch der Kulturen

Die Sims™ 3

Die Sims™ 3 Einfach tierisch

Die Sims™ 3 Late Night

Die Sims™ 3 Reiseabenteuer

Die Sims™ 3 Traumkarrieren

Die Sims Mittelalter

EasyBits GO

Feedback Tool

Google Chrome

Google Desktop

Google Update Helper

Harry Potter - Quidditch-Weltmeisterschaft

Harry Potter und der Halbblut-Prinz™

Harry Potter und der Orden des Phönix™

HDAUDIO Soft Data Fax Modem with SmartCP

HDMI Control Manager

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

iPACS Viewer

Janosch - Ich mach dich gesund

Java Auto Updater

Java 7 Update 5

JavaFX 2.1.1

Malwarebytes Anti-Malware Version

Marvell Miniport Driver

Microsoft .NET Framework 3.5 Language Pack SP1 - deu

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Client Profile DEU Language Pack

Microsoft .NET Framework 4 Extended

Microsoft Office File Validation Add-In

Microsoft Office Live Add-in 1.5

Microsoft Office Standard Edition 2003

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Works

Microsoft WSE 3.0 Runtime

Microsoft XML Parser

Moorhuhn Remake

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)


NVIDIA PhysX v8.04.25

O2Micro Flash Memory Card Reader Driver (x86)

OGA Notifier 2.0.0048.0


Picasa 2

Savings Sidekick

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Windows Media Encoder (KB2447961)


Skype™ 5.8


SPORE™ Süß & Schrecklich Ergänzungs-Pack

Spyware Terminator 2012


TOSHIBA Benutzerhandbücher

TOSHIBA ConfigFree

TOSHIBA Disc Creator


TOSHIBA Extended Tiles for Windows Mobility Center

TOSHIBA Face Recognition

TOSHIBA Hardware Setup

Toshiba Online Product Information

TOSHIBA Recovery Disc Creator

TOSHIBA SD Memory Utilities

TOSHIBA Supervisor Password

Toshiba TEMPRO

TOSHIBA Value Added Package




Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

VLC media player 1.1.4

Windows Media Encoder 9 Series

WinZip 14.0


==== End Of File ===========================

Link to post
Share on other sites

Please do this, and let me know when it is finished.

There will be more to do after this.

Disable CD-ROM Emulation Software:

Please download the following tool DeFogger to your desktop.

◦Double click DeFogger to run the tool.

◦The application window will appear

◦Click the Disable button to disable your CD Emulation drivers.

◦Click Yes to continue

◦A 'Finished!' message will appear

◦Click OK

◦DeFogger will now ask to reboot the machine - click OK

◦IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

◦Do not re-enable these drivers until otherwise instructed.

Link to post
Share on other sites

You have Avira antivirus installed, and Spyware Terminator Shield 2012. The latter, I believe, has an antivirus component plus a realtime monitor. It is likely it will interfere with the fixes that we need to run.

Did you buy Spyware Terminator ?

I need for you to turn off Spyware Terminator realtime shield. Can you do that ?

Right click on the taskbar tray icon for Spyware Terminator , click on the one that shows "Realtime Shield" one time.

Is it off now ?

If you did not buy it, and if you are not able to turn it off, I would suggest you Uninstall it and restart Windows fresh.

Link to post
Share on other sites


Turn off (temporarily) Avira antivirus. Leave the Windows firewall on.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the MBAM scan log into a reply.

P.S./N.B. When all done, turn ON Avira antivirus

Edited by Maurice Naggar
Link to post
Share on other sites

Here comes the log ;)

Datenbank Version: v2012.08.09.08

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Maria :: MARIA-PC [Administrator]

Schutz: Aktiviert

09.08.2012 17:55:13

mbam-log-2012-08-09 (17-55-13).txt

Art des Suchlaufs: Quick-Scan

Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM

Deaktivierte Suchlaufeinstellungen: P2P

Durchsuchte Objekte: 232063

Laufzeit: 9 Minute(n), 58 Sekunde(n)

Infizierte Speicherprozesse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 13

HKCR\CrossriderApp0005060.BHO (PUP.CrossFire.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKCR\CrossriderApp0005060.BHO.1 (PUP.CrossFire.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKCR\CrossriderApp0005060.FBApi (PUP.CrossFire.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKCR\CrossriderApp0005060.FBApi.1 (PUP.CrossFire.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKCR\CrossriderApp0005060.Sandbox (PUP.CrossFire.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKCR\CrossriderApp0005060.Sandbox.1 (PUP.CrossFire.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011501160} (PUP.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKCR\CLSID\{11111111-1111-1111-1111-110011501160} (PUP.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKCR\TypeLib\{44444444-4444-4444-4444-440044504460} (PUP.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKCR\Interface\{55555555-5555-5555-5555-550055505560} (PUP.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011501160} (PUP.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011501160} (PUP.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 1

HKCU\Software\InstalledBrowserExtensions\215 Apps|5060 (PUP.CrossFire.SA) -> Daten: Savings Sidekick -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateiobjekte der Registrierung: 0

(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1

C:\Program Files\Savings Sidekick\Savings Sidekick.dll (PUP.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.


Link to post
Share on other sites

Bravo Marial !

It looks like MBAM has done the magic. :)

We need to do more follow-up.

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Marial0815 only. If you are a casual viewer, do NOT try this on your system!

If you are not and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)or a UPS system

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right- click on Combo-Fix.exe on your Desktop cf-icon.jpg and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.


[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh :!:

Reply & attach the C:\Combofix.txt log and tell me, How is the system now ?

Re-enable your antivirus program.

Link to post
Share on other sites

Thank you very very much Maurice :D I'm very grateful for your help!

Attached is the combofix.txt ;)

ComboFix 12-08-09.01 - Maria 09.08.2012 19:06:22.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.43.1031.18.3293.2086 [GMT 2:00]

ausgeführt von:: c:\users\Maria\Desktop\ComboFix.exe

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}



(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
















































((((((((((((((((((((((( Dateien erstellt von 2012-07-09 bis 2012-08-09 ))))))))))))))))))))))))))))))



2012-08-09 17:19 . 2012-08-09 17:19 -------- d-----w- c:\users\Gast\AppData\Local\temp

2012-08-09 17:19 . 2012-08-09 17:19 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-09 17:19 . 2012-08-09 17:19 -------- d-----w- c:\users\Biggi\AppData\Local\temp

2012-08-08 22:04 . 2012-08-08 22:04 -------- d-----w- c:\users\Maria\AppData\Roaming\Avira

2012-08-08 22:02 . 2011-10-11 13:00 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2012-08-08 22:02 . 2011-10-11 13:00 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys

2012-08-08 22:02 . 2011-10-11 13:00 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2012-08-08 22:02 . 2012-08-08 22:02 -------- d-----w- c:\programdata\Avira

2012-08-08 22:02 . 2012-08-08 22:02 -------- d-----w- c:\program files\Avira

2012-08-07 22:08 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BB74D170-4BCE-45F1-B205-D013DCF97B56}\mpengine.dll

2012-08-01 20:55 . 2012-08-08 21:46 -------- d-----w- C:\Downloads

2012-08-01 20:28 . 2012-08-01 20:28 -------- d-----w- c:\users\Maria\AppData\Local\WinZip

2012-08-01 20:20 . 2012-08-01 20:20 -------- d-----w- c:\programdata\Tarma Installer

2012-08-01 20:20 . 2012-08-01 20:20 -------- d-----w- c:\programdata\IBUpdaterService

2012-08-01 20:19 . 2012-08-01 20:18 666272 ----a-w- c:\program files\Uninstall Information\ib_uninst_540\uninstall.exe

2012-08-01 20:19 . 2012-08-01 20:19 -------- d-----w- c:\users\Maria\AppData\Local\Savings Sidekick

2012-08-01 20:19 . 2012-08-09 16:08 -------- d-----w- c:\program files\Savings Sidekick

2012-07-11 22:38 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 10:40 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

2012-07-11 10:40 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-11 10:40 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-11 10:40 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-11 10:40 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll

2012-07-11 10:40 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll




(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))


2012-07-03 11:46 . 2010-09-03 18:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-03 21:41 . 2012-06-03 21:41 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2012-06-02 22:19 . 2012-06-21 18:34 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-21 18:34 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-21 18:33 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-21 18:33 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-21 18:34 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-21 18:34 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-21 18:33 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 13:19 . 2012-06-21 18:33 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 13:12 . 2012-06-21 18:33 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-31 10:25 . 2010-11-06 12:52 237072 ------w- c:\windows\system32\MpSigStub.exe

2010-09-03 15:38 . 2010-09-03 20:10 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll



(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))



*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.




"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552]



"NDSTray.exe"="NDSTray.exe" [bU]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-03 30192]

"Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]

"Toshiba TEMPO"="c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe" [2008-04-24 103824]

"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]

"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-03-25 417792]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]

"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]

"HDMICtrlMan"="c:\program files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe" [2008-04-02 716800]

"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]


c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]



"EnableUIADesktopToggle"= 0 (0x0)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

sina_live_deamon REG_MULTI_SZ sina_live_deamon


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs



Inhalt des "geplante Tasks" Ordners


2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-03 15:38]


2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-03 15:38]



------- Zusätzlicher Suchlauf -------


uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2431245

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: Free YouTube to MP3 Converter - c:\users\Maria\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer =


- - - - Entfernte verwaiste Registrierungseinträge - - - -


HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

HKLM-Run-ITSecMng - c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe

HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe

HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe






catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-09 19:22

Windows 6.0.6002 Service Pack 2 NTFS


Scanne versteckte Prozesse...


Scanne versteckte Autostarteinträge...



TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????}l????X?b???b???b???b?


Scanne versteckte Dateien...


Scan erfolgreich abgeschlossen

versteckte Dateien: 0




Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6002 Disk: TOSHIBA_MK2552GSX rev.LV010M -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-0


device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user != kernel MBR !!!




--------------------- Gesperrte Registrierungsschluessel ---------------------


[HKEY_USERS\S-1-5-21-1448571950-3971819457-2364966976-1000\Software\SecuROM\License information*]






@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)



Zeit der Fertigstellung: 2012-08-09 19:26:45

ComboFix-quarantined-files.txt 2012-08-09 17:26


Vor Suchlauf: 9 Verzeichnis(se), 30.511.656.960 Bytes frei

Nach Suchlauf: 12 Verzeichnis(se), 38.051.303.424 Bytes frei


- - End Of File - - ABB6B6217756FD161B4A0C2CDEE58B2D

Link to post
Share on other sites

Very good. You are welcome. :D

We need to do some more things.

Java security maintenance

javaicon.gifYour Java runtime is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of >> Windows Offline << from here and save it to your desktop.
  • Get the Offline version that corresponds to your "bit-tedness" of your Windows (32-bit or 64-bit)
    How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system
  • Close any programs you may have running - especially your web browser(s).
  • Go to Start > Settings > Control Panel, select Programs and Features and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.

  • Reboot your computer once all Java components are removed.

  • Then from your desktop double-click on jre-7u5-windows-i586.exe to install the newest version.
    ( jre-7u5-windows-x64.exe if this is a 64-bit Windows o.s.)

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) javaicon.gif
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

Press Apply then OK. Close the applet when done.


Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Also, tell me, How is your system now :excl:

Link to post
Share on other sites

Very good. This has 2 utility programs that must be updated. Keep in mind that Flash Player & Adobe Reader, but more so Java runtime being out-of-date exposes your system to exploits due to security gaps. It is important to keep those 3 current with fixes {as well as Microsoft Windows Update}.

To de-install Flash Player

Use Programs and Features (Windows 7 & Vista) or Add-or-Remove Programs (Windows XP) to de-install older versions of Flash Player.

For stubborn cases,

Download and save the Flash Player uninstaller >> uninstall Flash Player for 32-bit Windows<<

If you have Windows 64-bit, use this Flash Player uninstaller >> uninstall Flash Player for 64-bit Windows<<

Close all browsers and instant messenger (IM) programs.

Run the uninstaller.

To get latest Flash Player

Go to http://www.adobe.com/go/getflash

and get the latest Flash Player

Un-Check any checkbox for McAfee Security Scan Plus, or Google or any other widget or toolbar !!!

Reference: How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system


Older versions of Adobe Reader pose a potential security risk.

De-install your Adobe Reader: Use Control Panel's Program and Features, Un-install Adobe Reader.

Get latest Adobe Reader version


Be sure to un-check the box for Free McAfee Security Scan or any "toolbar" (if offered )

I'll give you the final cleanups after this round.

Link to post
Share on other sites

slap.gifSalutes to you. It has been a pleasure helping you. You are one of the fastest & most responsive people I have had a pleasure to work with.

We can wrap this up now. I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used. Advise me after you have completed the cleanups.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( you had named it ComboFix icon_exclaim.gif),

put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for it's cleanup & removal function.

Note the space before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Highlight the line in this CODEBOX.
    Select & Copy the entire line within this codebox (so that it is in Windows clipboard memory)
    c:\users\Maria\Desktop\ComboFix /uninstall

  • Start >> type in cmd >> press the Ctrl+Shift+Enter keyboard combination and cmd.exe will be launched as if you selected Run as Administrator. You will then see a User Account Control prompt asking if you would like to allow the Command Prompt to be able to make changes on your computer. Click on the Yes button and you will now be at the Elevated Command Prompt.
    Do a Right click within the command prompt window and select Paste. This must show the line from Codebox above.
    Then tap Enter

IF in the case Combofix un-install has an issue, skip that step.


  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Delete the following if still present:



Safer practices & malware prevention

We are finished here. Best regards. cool.gif

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.