pqrs.tmo?

Hi there

Yesterday my anti virus software (Avira Premium Security Suite Version 8 ) gave out an alert regarding a file called pqrs.tmo. It said it contained the signature of a piece of malware, a Trojan if I remember correctly. I told it to delete the file.

Now, today, when I booted the computer, I received a warning saying (sorry, need to translate, my Windows XP is in German) "required module pqrs.tmo cannot be loaded". So apparently this malware has left some traces behind...

I followed all the steps of your excellent malware removal procedure. The tools did find some things, and somewhere along the line (I think it was after Anti-Malware) the message didn't come up any more after booting. So problem solved - I think. But just to make sure, I'll post the logs anyway, in case somebody sees something I should take care of.

Thanks a lot!!!!
Joerg


[Saving space, attachment deleted by admin]

Since I didn't get any replies to this - is it save to assume you don't see any problems with my system?

Thanks a lot!
Joerg

Hi, my notebook was infected with virus.  After cleaning, now I have the following error everytime I startp or reboot my machine:
 Error loading pqrw.tmo
 The specified module could not be found

Please help.

Thanks.
Lee 

frietag, please be patient, we are all slaves - I mean volunteers here, sometimes it takes a little while for a virii specialist to get to you, but they will.

slee, you need to post a new topic in this thread, it gets difficult to support more than one poster in a thread.

No problem Quantos. Thanks for the heads-up!

[Malware Removal Specialist]

Hello freitag and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1.I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2.The fixes are specific to your problem and should only be used for this issue on this machine.
3.If you don't know or understand something, please don't hesitate to ask.
4.Please DO NOT run any other tools or scans whilst I am helping you.
5.It is important that you reply to this thread. Do not start a new topic.
6.Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7.Absence of symptoms does not mean that everything is clear.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.ergon.ch:3128;gopher=proxy.ergon.ch:3128;http=proxy.ergon.ch:3128;https=proxy.ergon.ch:3128;socks=proxy.ergon.ch:1080

O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

Download DDS from HERE or HERE or HERE and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
   

Hello SD!

Thanks a lot for helping me out here! Here are the two logs:


DDS (Ver_09-09-29.01) - NTFSx86 
Run by J”rg at  0:54:33.53 on 19.11.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional  5.1.2600.3.1252.41.1031.18.2046.1452 [GMT 1:00]

AV: Avira Premium Security Suite *On-access scanning enabled* (Updated)   {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *disabled*   {55185680-1D7E-44D7-3094-596BB89B90C9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\Avira Premium Security Suite\sched.exe
svchost.exe
C:\Programme\Avira\Avira Premium Security Suite\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Avira\Avira Premium Security Suite\avesvc.exe
C:\Programme\Bonjour\mDNSResponder.exe
svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\Programme\Avira\Avira Premium Security Suite\avmailc.exe
C:\Programme\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Dokumente und Einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe
C:\Programme\Password Safe\pwsafe.exe
C:\Programme\Avira\Avira Premium Security Suite\avgnt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Jörg\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [nwiz] nwiz.exe /install
mRun: [Dell QuickSet] c:\programme\dell\quickset\quickset.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [avgnt] "c:\programme\avira\avira premium security suite\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\programme\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\programme\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\jrg~1\startm~1\progra~1\autost~1\dropbox.lnk - c:\dokumente und einstellungen\jörg\anwendungsdaten\dropbox\bin\Dropbox.exe
StartupFolder: c:\dokume~1\jrg~1\startm~1\progra~1\autost~1\passwo~1.lnk - c:\programme\password safe\pwsafe.exe
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: avsda.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203710845421
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206210370125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\programme\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\programme\citrix\gotoassist\514\G2AWinLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programme\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\jrg~1\anwend~1\mozilla\firefox\profiles\l1mbxlh7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tages-anzeiger.ch/
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2008-4-30 71592]
R1 avgio;avgio;c:\programme\avira\avira premium security suite\avgio.sys [2008-4-30 11608]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R1 SASDIFSV;SASDIFSV;c:\programme\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AntiVirMailService;Avira Premium Security Suite MailGuard;c:\programme\avira\avira premium security suite\avmailc.exe [2008-4-30 164097]
R2 AntiVirScheduler;Avira Premium Security Suite Planer;c:\programme\avira\avira premium security suite\sched.exe [2008-4-30 68865]
R2 AntiVirService;Avira Premium Security Suite Guard;c:\programme\avira\avira premium security suite\avguard.exe [2008-4-30 151297]
R2 antivirwebservice;Avira Premium Security Suite WebGuard;c:\programme\avira\avira premium security suite\avwebgrd.exe [2008-4-30 258305]
R2 AVEService;Avira Premium Security Suite MailGuard Hilfsdienst;c:\programme\avira\avira premium security suite\avesvc.exe [2008-4-30 41217]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\programme\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-6-17 434864]
R3 avgntflt;avgntflt;c:\programme\avira\avira premium security suite\avgntflt.sys [2008-4-30 52056]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [2008-2-22 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [2008-2-22 234720]
S2 gupdate;Google Update Service (gupdate);c:\programme\google\update\GoogleUpdate.exe [2009-7-4 133104]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2008-4-30 71464]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-11-3 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-11-3 3072]
S3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [2008-2-22 141376]
S3 SASENUM;SASENUM;c:\programme\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 SWUSBFLT;Microsoft SideWinder VIA-Filtertreiber;c:\windows\system32\drivers\SWUSBFLT.SYS [2009-4-29 3968]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\drivers\vpnva.sys [2009-6-17 20152]

=============== Created Last 30 ================

2009-11-05 22:08   56   a---h---   c:\windows\system32\ezsidmv.dat
2009-11-04 22:01   411,368   a-------   c:\windows\system32\deploytk.dll
2009-11-04 21:49   <DIR>   --d-----   c:\dokume~1\jrg~1\anwend~1\Malwarebytes
2009-11-04 21:49   38,224   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 21:49   <DIR>   --d-----   c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2009-11-04 21:49   19,160   a-------   c:\windows\system32\drivers\mbam.sys
2009-11-04 21:49   <DIR>   --d-----   c:\programme\Malwarebytes' Anti-Malware
2009-11-04 20:16   <DIR>   --d-----   c:\dokume~1\alluse~1\anwend~1\SUPERAntiSpyware.com
2009-11-04 20:16   <DIR>   --d-----   c:\programme\SUPERAntiSpyware
2009-11-04 20:16   <DIR>   --d-----   c:\dokume~1\jrg~1\anwend~1\SUPERAntiSpyware.com
2009-11-04 20:15   <DIR>   --d-----   c:\programme\gemeinsame dateien\Wise Installation Wizard
2009-11-04 19:58   <DIR>   --d-hr--   c:\dokumente und einstellungen\jörg\Recent
2009-11-03 21:32   1,885   a---hr--   c:\windows\EPMBatch.ept
2009-11-03 21:28   14,848   a-------   c:\windows\system32\EuEpmGdi.dll
2009-11-03 21:28   1,663,488   a-------   c:\windows\system32\BootMan.exe
2009-11-03 21:28   86,408   a-------   c:\windows\system32\setupempdrv03.exe
2009-11-03 21:28   8,704   a-------   c:\windows\system32\epmntdrv.sys
2009-11-03 21:28   3,072   a-------   c:\windows\system32\EuGdiDrv.sys
2009-11-03 21:27   <DIR>   --d-----   c:\programme\EASEUS
2009-11-02 14:08   <DIR>   --d-----   c:\programme\XML Notepad 2007
2009-10-27 12:50   <DIR>   --d-----   c:\programme\Cisco
2009-10-27 12:50   <DIR>   --d-----   c:\dokume~1\alluse~1\anwend~1\Cisco

==================== Find3M  ====================

2009-11-16 16:12   4,456,448   a---h---   c:\dokumente und einstellungen\jörg\NTUSER.DAT
2009-11-04 22:01   464,220   a-------   c:\windows\system32\perfh007.dat
2009-11-04 22:01   86,454   a-------   c:\windows\system32\perfc007.dat
2009-10-27 08:07   296,452   a-------   c:\windows\system32\nvModes.dat
2009-09-25 06:35   672,768   a-------   c:\windows\system32\wininet.dll
2009-09-25 06:35   81,920   a-------   c:\windows\system32\ieencode.dll
2009-09-11 15:17   136,192   a-------   c:\windows\system32\msv1_0.dll
2009-09-04 22:03   58,880   a-------   c:\windows\system32\msasn1.dll
2009-08-26 09:00   247,326   a-------   c:\windows\system32\strmdll.dll
2009-01-13 17:58   61,224   a-------   c:\dokumente und einstellungen\jörg\GoToAssistDownloadHelper.exe
2008-03-09 18:10   32   a-------   c:\dokume~1\alluse~1\anwend~1\ezsid.dat
2008-02-22 18:33   76   ---shr--   c:\windows\CT4CET.bin

============= FINISH:  0:54:53.82 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 22.02.2008 14:05:06
System Uptime: 18.11.2009 21:09:52 (3 hours ago)

Motherboard: Dell Inc. |  |       
Processor: Intel(R) Core(TM)2 Duo CPU     T7500  @ 2.20GHz | Microprocessor | 2194/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 48.724 GiB free.
D: is FIXED (NTFS) - 161 GiB total, 129.606 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0000
Service: vpnva

==== System Restore Points ===================

RP175: 12.08.2009 22:27:53 - Systemprüfpunkt
RP176: 13.08.2009 23:13:43 - Systemprüfpunkt
RP177: 15.08.2009 00:13:43 - Systemprüfpunkt
RP178: 15.08.2009 21:29:14 - Software Distribution Service 3.0
RP179: 16.08.2009 18:02:54 - Software Distribution Service 3.0
RP180: 16.08.2009 18:10:34 - Druckertreiber Microsoft XPS Document Writer installiert
RP181: 23.08.2009 18:37:05 - Software Distribution Service 3.0
RP182: 24.08.2009 20:16:18 - Software Distribution Service 3.0
RP183: 27.08.2009 20:45:49 - Software Distribution Service 3.0
RP184: 06.09.2009 19:05:11 - Software Distribution Service 3.0
RP185: 13.09.2009 18:35:22 - Software Distribution Service 3.0
RP186: 22.09.2009 20:38:33 - Systemprüfpunkt
RP187: 24.09.2009 19:58:58 - Systemprüfpunkt
RP188: 24.09.2009 22:25:39 - Installed Silent Wings
RP189: 25.09.2009 21:22:02 - Software Distribution Service 3.0
RP190: 27.09.2009 14:24:36 - Systemprüfpunkt
RP191: 09.10.2009 20:27:24 - Removed Silent Wings
RP192: 10.10.2009 21:15:59 - Systemprüfpunkt
RP193: 14.10.2009 22:53:41 - Software Distribution Service 3.0
RP194: 16.10.2009 13:41:40 - Systemprüfpunkt
RP195: 20.10.2009 20:40:08 - Premium Security Suite - 20.10.2009 20:40
RP196: 22.10.2009 21:54:50 - Software Distribution Service 3.0
RP197: 26.10.2009 19:53:58 - Systemprüfpunkt
RP198: 27.10.2009 12:50:58 - Installed Cisco AnyConnect VPN Client
RP199: 28.10.2009 15:22:54 - Systemprüfpunkt
RP200: 29.10.2009 19:49:40 - Systemprüfpunkt
RP201: 02.11.2009 14:08:23 - Installed XML Notepad 2007
RP202: 04.11.2009 00:11:52 - Systemprüfpunkt
RP203: 04.11.2009 19:03:40 - Software Distribution Service 3.0
RP204: 04.11.2009 20:16:17 - Installed SUPERAntiSpyware Free Edition
RP205: 04.11.2009 22:01:24 - Java(TM) 6 Update 17 wird installiert
RP206: 06.11.2009 14:03:43 - Systemprüfpunkt
RP207: 08.11.2009 21:57:44 - Systemprüfpunkt
RP208: 13.11.2009 00:00:01 - Software Distribution Service 3.0

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe FrameMaker v7.2
Adobe Photoshop CS
Adobe Reader 8.1.7
Adobe Shockwave Player 11.5
Advanced Audio FX Engine
Advanced Video FX Engine
AFPL Ghostscript 8.54
AFPL Ghostscript Fonts
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Avira Premium Security Suite
Bonjour
Broadcom Gigabit Integrated Controller
BufferChm
CCleaner
Cisco AnyConnect VPN Client
CityDesk
Compatibility Pack for the 2007 Office system
CompeGPS AIR 6.8
CompeGPS LAND 6.8
Condor: The Competition Soaring Simulator 1.0.8
ConvertHelper 2.2
Dell Touchpad
DELL Webcam Center
DELL Webcam Manager
Destinations
Device drivers for Simple Backup
DeviceManagementQFolder
DivX
DNA
Dropbox
EASEUS Partition Master 4.0 Home Edition
EasternAlps Scenery 2.0
FlyChart
Folder Size for Windows
FreePDF XP (Remove only)
Garmin MapSource
Google Earth
Google Earth Plug-in
Google Update Helper
GoToAssist 8.0.0.514
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Color LaserJet CM1015/CM1017 MFP 1.0
HP Imaging Device Functions 7.0
HP USB Disk Storage Format Tool
hppCLJCM1017
hppFonts
hppIOFiles
hppManualsCM1017
hppscanCM1017
Icon3DMaker 1.05
IGC Flight Replay  0.6
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) 6 Update 17
Laptop Integrated Webcam Driver (1.03.01.1011) 
Live! Cam Avatar
Live! Cam Avatar Creator
LiveUpdate 2.0 (Symantec Corporation)
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
MapSource
MapSource - European MetroGuide Version 5
mCore
mDriver
mDrWiFi
MediaDirect
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Language Pack - DEU
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 German Language Pack
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (German) 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office InfoPath MUI (German) 2007
Microsoft Office Outlook MUI (German) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Word MUI (German) 2007
Microsoft Software Update for Web Folders  (German) 12
Microsoft Virtual PC 2007 SP1
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.15)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mWMI
mZConfig
Nero OEM
Nokia Map Loader
Norton Ghost 9.0
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OpenOffice.org 2.3
OutlookAddinSetup
Password Safe
PC Coach
PC Connectivity Solution
PL-2303 USB-to-Serial
Product_Min_QFolder
Protector Suite QL 5.6
PuTTY version 0.58
QuickBooks 2000
QuickSet
QuickTime
RealPlayer
Remote Control USB Driver
Scan
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Visio 2007 (KB947590)
Sicherheitsupdate für Windows XP (KB923789)
Sicherheitsupdate für Windows XP (KB969947)
SigmaTel Audio
Skype™ 4.1
SUPERAntiSpyware Free Edition
TrayApp
Uninstall Startup Inspector
Unity Web Player
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb975960)
VideoLAN VLC media player 0.8.6i
WD Firewire HID Driver
WebFldrs XP
WebReg
Windows-Treiberpaket - Nokia pccsmcfd  (10/12/2007 6.85.4.0)
Windows-Treiberpaket - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04)
Windows Communication Foundation Language Pack - DEU
Windows Driver Package - Broadcom Bluetooth  (02/24/2004 5.1.2535.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Presentation Foundation Language Pack (DEU)
Windows Workflow Foundation DE Language Pack
WinRAR archiver
XML Notepad 2007
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

16.11.2009 14:08:52, error: Dhcp [1002]  - Die IP-Adresslease 192.168.0.2 für die Netzwerkkarte mit der Netzwerkadresse 001CBF917F48 wurde durch den DHCP-Server 172.30.48.1 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet).
16.11.2009 01:57:19, error: W32Time [34]  - Der Zeitdienst hat festgestellt, dass die Systemzeit um -199048 Sekunden geändert werden muss. Die Systemzeit kann durch den Zeitdienst um maximal -54000 Sekunden geändert werden. Stellen Sie sicher, dass die Uhrzeit und Zeitzone korrekt sind und dass die Zeitquelle time.windows.com (ntp.m|0x1|192.168.0.3:123->207.46.232.182:123) funktionsfähig ist.
13.11.2009 18:44:12, error: Dhcp [1002]  - Die IP-Adresslease 192.168.0.3 für die Netzwerkkarte mit der Netzwerkadresse 001CBF917F48 wurde durch den DHCP-Server 0.0.0.0 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet).

==== End Of File ===========================

[Malware Removal Specialist]

Hello Freitag. Could you please do this for me?

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
Link # 2

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

Hi SD

Did as you said - with a little hick-up, though: First time around, ComboFix caused a Blue Screen, somewhere above Step 25, didn't pay attention well enough to say where exactly. After the reboot caused by the BSoD, WLAN was not working. Ran ComboFix again, this time it ran OK, and after the final reboot, WLAN came back up OK also.

here are the logs:

ComboFix 09-11-20.02 - Jörg 20.11.2009 22:41.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.41.1031.18.2046.1496 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Jörg\Desktop\ComboFix.exe
AV: Avira Premium Security Suite *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *disabled* {55185680-1D7E-44D7-3094-596BB89B90C9}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AegisP.inf
c:\windows\system32\drivers\pciide.sys

.
(((((((((((((((((((((((   Dateien erstellt von 2009-10-20 bis 2009-11-20  ))))))))))))))))))))))))))))))
.

2009-11-05 21:08 . 2009-11-05 21:08   56   ---ha-w-   c:\windows\system32\ezsidmv.dat
2009-11-05 21:07 . 2009-11-05 21:07   --------   d-----w-   c:\programme\Gemeinsame Dateien\Skype
2009-11-04 21:01 . 2009-11-04 21:01   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-11-04 20:49 . 2009-09-10 13:54   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 20:49 . 2009-11-04 20:49   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-11-04 20:49 . 2009-11-04 20:49   --------   d-----w-   c:\programme\Malwarebytes' Anti-Malware
2009-11-04 20:49 . 2009-09-10 13:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-04 19:16 . 2009-11-04 19:16   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
2009-11-04 19:16 . 2009-11-04 19:16   --------   d-----w-   c:\programme\SUPERAntiSpyware
2009-11-04 19:15 . 2009-11-04 19:15   --------   d-----w-   c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2009-11-03 20:28 . 2009-04-22 13:27   14848   ----a-w-   c:\windows\system32\EuEpmGdi.dll
2009-11-03 20:28 . 2009-06-13 18:54   1663488   ----a-w-   c:\windows\system32\BootMan.exe
2009-11-03 20:28 . 2009-04-22 13:28   8704   ----a-w-   c:\windows\system32\epmntdrv.sys
2009-11-03 20:28 . 2009-04-22 13:28   86408   ----a-w-   c:\windows\system32\setupempdrv03.exe
2009-11-03 20:28 . 2009-04-22 13:28   3072   ----a-w-   c:\windows\system32\EuGdiDrv.sys
2009-11-03 20:27 . 2009-11-03 20:27   --------   d-----w-   c:\programme\EASEUS
2009-11-02 13:08 . 2009-11-02 13:08   --------   d-----w-   c:\programme\XML Notepad 2007
2009-10-27 11:50 . 2009-10-27 11:50   --------   d-----w-   c:\programme\Cisco
2009-10-27 11:50 . 2009-10-27 11:50   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Cisco

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 21:48 . 2008-09-14 11:59   --------   d-----w-   c:\programme\Password Safe
2009-11-19 20:20 . 2008-02-22 15:29   --------   d--h--w-   c:\programme\InstallShield Installation Information
2009-11-12 23:04 . 2008-03-24 12:11   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2009-11-05 21:07 . 2008-03-09 17:06   --------   d-----r-   c:\programme\Skype
2009-11-05 21:07 . 2008-03-09 17:06   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2009-11-04 21:03 . 2008-03-10 21:11   --------   d-----w-   c:\programme\Java
2009-11-04 21:01 . 2004-08-04 12:00   86454   ----a-w-   c:\windows\system32\perfc007.dat
2009-11-04 21:01 . 2004-08-04 12:00   464220   ----a-w-   c:\windows\system32\perfh007.dat
2009-10-28 20:38 . 2009-02-15 12:43   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\CompeGPS
2009-10-27 07:07 . 2008-02-22 15:03   296452   ----a-w-   c:\windows\system32\nvModes.dat
2009-10-14 20:15 . 2008-03-09 17:25   --------   d-----w-   c:\programme\Gemeinsame Dateien\Adobe
2009-10-10 12:30 . 2009-10-10 12:30   --------   d-----w-   c:\programme\Unity
2009-09-25 05:35 . 2004-08-04 12:00   672768   ----a-w-   c:\windows\system32\wininet.dll
2009-09-25 05:35 . 2004-08-04 12:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-09-23 17:45 . 2008-03-09 16:22   --------   d-----w-   c:\programme\Google
2009-09-11 14:17 . 2004-08-04 12:00   136192   ----a-w-   c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00   58880   ----a-w-   c:\windows\system32\msasn1.dll
2009-08-29 16:47 . 2009-07-19 21:28   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2009-08-26 08:00 . 2004-08-04 12:00   247326   ----a-w-   c:\windows\system32\strmdll.dll
2008-02-22 17:33 . 2008-02-22 17:33   76   --sh--r-   c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02   77824   ----a-w-   c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02   77824   ----a-w-   c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02   77824   ----a-w-   c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 18:59   2953216   ----a-w-   c:\programme\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 18:59   2953216   ----a-w-   c:\programme\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"Dell QuickSet"="c:\programme\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"avgnt"="c:\programme\Avira\Avira Premium Security Suite\avgnt.exe" [2008-07-22 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"SigmatelSysTrayApp"="c:\programme\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Malwarebytes Anti-Malware (reboot)"="c:\programme\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-11-04 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-17 1626112]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\J”rg\Startmen�\Programme\Autostart\
Dropbox.lnk - c:\dokumente und einstellungen\J”rg\Anwendungsdaten\Dropbox\bin\Dropbox.exe [2009-8-29 26784939]

c:\dokumente und einstellungen\All Users\Startmen�\Programme\Autostart\
Dropbox.lnk - c:\dokumente und einstellungen\J”rg\Anwendungsdaten\Dropbox\bin\Dropbox.exe [2009-8-29 26784939]
Password Safe.lnk - c:\programme\Password Safe\pwsafe.exe [2008-8-30 1949696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-13 16:58   10536   ----a-w-   c:\programme\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 18:46   90112   ----a-w-   c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli psqlpwd

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Jörg^Startmenü^Programme^Autostart^zavupd32.exe]
path=c:\dokumente und einstellungen\Jörg\Startmenü\Programme\Autostart\zavupd32.exe
backup=c:\windows\pss\zavupd32.exeStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Programme\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Programme\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Programme\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [29.07.2004 03:33 138780]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [30.04.2008 21:39 71592]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [29.07.2004 04:13 46779]
R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [12.10.2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [12.10.2009 21:24 74480]
R2 AntiVirMailService;Avira Premium Security Suite MailGuard;c:\programme\Avira\Avira Premium Security Suite\avmailc.exe [30.04.2008 21:39 164097]
R2 antivirwebservice;Avira Premium Security Suite WebGuard;c:\programme\Avira\Avira Premium Security Suite\avwebgrd.exe [30.04.2008 21:39 258305]
R2 AVEService;Avira Premium Security Suite MailGuard Hilfsdienst;c:\programme\Avira\Avira Premium Security Suite\avesvc.exe [30.04.2008 21:39 41217]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [17.06.2009 21:17 434864]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [22.02.2008 17:48 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [22.02.2008 17:48 234720]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [04.07.2009 14:39 133104]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [30.04.2008 21:39 71464]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [03.11.2009 21:28 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [03.11.2009 21:28 3072]
S3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [22.02.2008 17:48 141376]
S3 SASENUM;SASENUM;c:\programme\SUPERAntiSpyware\SASENUM.SYS [12.10.2009 21:24 7408]
S3 SWUSBFLT;Microsoft SideWinder VIA-Filtertreiber;c:\windows\system32\drivers\SWUSBFLT.SYS [29.04.2009 21:14 3968]
.
Inhalt des "geplante Tasks" Ordners

2009-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-07-04 13:39]

2009-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-07-04 13:39]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: avsda.dll
FF - ProfilePath - c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Mozilla\Firefox\Profiles\l1mbxlh7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tages-anzeiger.ch/
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

AddRemove-HijackThis - c:\programme\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 22:48
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(1552)
c:\programme\SUPERAntiSpyware\SASWINLO.dll
c:\programme\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\psqlpwd.dll
c:\programme\Protector Suite QL\homefus2.dll
c:\programme\Protector Suite QL\infra.dll
c:\programme\Protector Suite QL\homepass.dll
c:\programme\Protector Suite QL\bio.dll
c:\programme\Protector Suite QL\remote.dll
c:\programme\Protector Suite QL\crypto.dll
c:\programme\Protector Suite QL\biokmd.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(1608)
c:\windows\system32\psqlpwd.dll
c:\programme\Protector Suite QL\homefus2.dll
c:\programme\Protector Suite QL\infra.dll
c:\windows\system32\avsda.dll

- - - - - - - > 'explorer.exe'(2868)
c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll
c:\programme\Protector Suite QL\farchns.dll
c:\programme\Protector Suite QL\infra.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programme\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\programme\Intel\Wireless\Bin\S24EvMon.exe
c:\programme\Avira\Avira Premium Security Suite\sched.exe
c:\programme\Avira\Avira Premium Security Suite\avguard.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\programme\Intel\Wireless\Bin\EvtEng.exe
c:\programme\FolderSize\FolderSizeSvc.exe
c:\windows\System32\GEARSec.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\windows\system32\nvsvc32.exe
c:\programme\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\STacSV.exe
c:\programme\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\rundll32.exe
c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-11-20 22:51 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2009-11-20 21:51

Vor Suchlauf: 8 Verzeichnis(se), 52'225'593'344 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 52'251'586'560 Bytes frei

- - End Of File - - F979E179D72F5B540B54425BF0F43865


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:59:44, on 20.11.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\Avira Premium Security Suite\sched.exe
C:\Programme\Avira\Avira Premium Security Suite\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Avira\Avira Premium Security Suite\avesvc.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\Programme\Avira\Avira Premium Security Suite\avmailc.exe
C:\Programme\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Avira\Avira Premium Security Suite\avgnt.exe
C:\Programme\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Password Safe\pwsafe.exe
C:\Dokumente und Einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Microsoft Office 2007\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = ?
O4 - Global Startup: Dropbox.lnk = ?
O4 - Global Startup: Password Safe.lnk = C:\Programme\Password Safe\pwsafe.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203710845421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206210370125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Programme\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\avmailc.exe
O23 - Service: Avira Premium Security Suite Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira Premium Security Suite MailGuard Hilfsdienst (AVEService) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Programme\FolderSize\FolderSizeSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Programme\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8430 bytes

[Malware Removal Specialist]

I'd like to see the removals performed by ComboFix. Click Start > Run and type the following bold text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

The report should open for you. Please post the contents of that report in the next reply.

2009-11-20 21:51:34 . 2009-11-20 21:51:34              754 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2009-11-20 21:35:36 . 2009-11-20 21:44:32           13,380 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-20 21:31:24 . 2009-11-20 21:40:50              153 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2008-02-22 16:18:56 . 2008-02-22 16:18:56           13,984 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\AegisP.inf.vir
2004-08-04 12:00:00 . 2001-08-18 03:30:42            3,328 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir

[Malware Removal Specialist]

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

DeQuarantine::

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir

Quit::


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir -> C:\WINDOWS\system32\drivers\pciide.sys ( 3328 bytes )

[Malware Removal Specialist]

Hello freitag. I will be a bit late with another fix. I just spent all day fixing a friend's computer(time that I was going to use to go through your logs). I'll get right on it tonight.

no worries Dave! My computer stopped booting last night, it's getting a new main board on Tuesday (love Dell tech support! Really do, and the warranty extension was so worth the money!). By all means, take all the time you need. :-)

[Malware Removal Specialist]

Sound good. Please let me know when you're up and running again.

SD, my computer is back up again, I'm ready to do whatever you want me to do next :-)

[Malware Removal Specialist]

Wow! That was fast. I would like you to try this and see what happens.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

DDS::

File::

Folder::

Registry::
[-HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Jörg^Startmenü^Programme^Autostart^zavupd32.exe]

Driver::


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

Also please post another HJT log

Told you their tech support is up to snuff! :-)

Here are the log files. But I'm not sure it all went well: ComboFix wanted to update itself twice before it started to do its work, and I think it may have lost the input file somewhere along this. Should I just repeat it? Here are the logs:

ComboFix 09-11-25.01 - Jörg 25.11.2009 22:26.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.41.1031.18.2046.1384 [GMT 1:00]
ausgeführt von:: c:\programme\ComboFix\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Jörg\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *disabled* {55185680-1D7E-44D7-3094-596BB89B90C9}
.

(((((((((((((((((((((((   Dateien erstellt von 2009-10-25 bis 2009-11-25  ))))))))))))))))))))))))))))))
.

2009-11-25 21:08 . 2009-11-25 21:08   --------   d-----w-   c:\dokumente und einstellungen\LocalService\Startmenü
2009-11-25 21:07 . 2009-11-25 21:00   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2009-11-25 21:07 . 2009-11-25 21:00   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2009-11-25 21:07 . 2009-11-25 21:00   97608   ----a-w-   c:\windows\system32\drivers\avfwot.sys
2009-11-25 21:07 . 2009-11-25 21:00   69632   ----a-w-   c:\windows\system32\drivers\avfwim.sys
2009-11-25 21:07 . 2009-11-25 21:00   55656   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-11-25 21:07 . 2009-11-25 21:00   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2009-11-25 21:07 . 2009-11-25 21:07   --------   d-----w-   c:\programme\Avira
2009-11-21 22:33 . 2009-11-21 22:33   3328   -c--a-w-   c:\windows\system32\dllcache\pciide.sys
2009-11-21 22:33 . 2009-11-21 22:33   3328   ----a-w-   c:\windows\system32\drivers\pciide.sys
2009-11-20 21:53 . 2009-11-25 21:25   --------   d-----w-   c:\programme\ComboFix
2009-11-05 21:08 . 2009-11-05 21:08   56   ---ha-w-   c:\windows\system32\ezsidmv.dat
2009-11-05 21:07 . 2009-11-05 21:07   --------   d-----w-   c:\programme\Gemeinsame Dateien\Skype
2009-11-04 21:01 . 2009-11-04 21:01   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-11-04 20:49 . 2009-09-10 13:54   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 20:49 . 2009-11-04 20:49   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-11-04 20:49 . 2009-11-04 20:49   --------   d-----w-   c:\programme\Malwarebytes' Anti-Malware
2009-11-04 20:49 . 2009-09-10 13:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-04 19:16 . 2009-11-04 19:16   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
2009-11-04 19:16 . 2009-11-04 19:16   --------   d-----w-   c:\programme\SUPERAntiSpyware
2009-11-04 19:15 . 2009-11-04 19:15   --------   d-----w-   c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2009-11-03 20:28 . 2009-04-22 13:27   14848   ----a-w-   c:\windows\system32\EuEpmGdi.dll
2009-11-03 20:28 . 2009-06-13 18:54   1663488   ----a-w-   c:\windows\system32\BootMan.exe
2009-11-03 20:28 . 2009-04-22 13:28   8704   ----a-w-   c:\windows\system32\epmntdrv.sys
2009-11-03 20:28 . 2009-04-22 13:28   86408   ----a-w-   c:\windows\system32\setupempdrv03.exe
2009-11-03 20:28 . 2009-04-22 13:28   3072   ----a-w-   c:\windows\system32\EuGdiDrv.sys
2009-11-03 20:27 . 2009-11-03 20:27   --------   d-----w-   c:\programme\EASEUS
2009-11-02 13:08 . 2009-11-02 13:08   --------   d-----w-   c:\programme\XML Notepad 2007
2009-10-27 11:50 . 2009-10-27 11:50   --------   d-----w-   c:\programme\Cisco
2009-10-27 11:50 . 2009-10-27 11:50   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Cisco

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 21:31 . 2008-09-14 11:59   --------   d-----w-   c:\programme\Password Safe
2009-11-25 21:07 . 2008-04-30 20:39   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-11-24 14:19 . 2008-02-22 15:03   310660   ----a-w-   c:\windows\system32\nvModes.dat
2009-11-19 20:20 . 2008-02-22 15:29   --------   d--h--w-   c:\programme\InstallShield Installation Information
2009-11-12 23:04 . 2008-03-24 12:11   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2009-11-05 21:07 . 2008-03-09 17:06   --------   d-----r-   c:\programme\Skype
2009-11-05 21:07 . 2008-03-09 17:06   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2009-11-04 21:03 . 2008-03-10 21:11   --------   d-----w-   c:\programme\Java
2009-11-04 21:01 . 2004-08-04 12:00   86454   ----a-w-   c:\windows\system32\perfc007.dat
2009-11-04 21:01 . 2004-08-04 12:00   464220   ----a-w-   c:\windows\system32\perfh007.dat
2009-10-28 20:38 . 2009-02-15 12:43   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\CompeGPS
2009-10-14 20:15 . 2008-03-09 17:25   --------   d-----w-   c:\programme\Gemeinsame Dateien\Adobe
2009-10-10 12:30 . 2009-10-10 12:30   --------   d-----w-   c:\programme\Unity
2009-09-25 05:35 . 2004-08-04 12:00   672768   ------w-   c:\windows\system32\wininet.dll
2009-09-25 05:35 . 2004-08-04 12:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-09-11 14:17 . 2004-08-04 12:00   136192   ----a-w-   c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00   58880   ----a-w-   c:\windows\system32\msasn1.dll
2009-08-29 16:47 . 2009-07-19 21:28   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2008-02-22 17:33 . 2008-02-22 17:33   76   --sh--r-   c:\windows\CT4CET.bin
.

(((((((((((((((((((((((((((((   SnapShot@2009-11-20_21.48.11   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 01:19 . 2007-11-07 01:19   54272              c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
- 2007-11-07 00:19 . 2007-11-07 00:19   54272              c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   62976              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   62976              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   46080              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   46080              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   46592              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   46592              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   64512              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   64512              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   66048              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   66048              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   65024              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   65024              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   65024              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   65024              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   56832              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   56832              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   66560              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   66560              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   39936              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   39936              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   38912              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   38912              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07   59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
- 2008-07-29 04:07 . 2008-07-29 04:07   59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07   59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
- 2008-07-29 04:07 . 2008-07-29 04:07   59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-11-25 21:32 . 2009-11-25 21:32   16384              c:\windows\temp\Perflib_Perfdata_79c.dat
+ 2009-11-25 21:30 . 2009-11-25 21:30   16384              c:\windows\temp\Perflib_Perfdata_544.dat
+ 2007-11-13 11:31 . 2009-10-28 15:07   46080              c:\windows\system32\tzchange.exe
- 2007-11-13 11:31 . 2009-07-14 11:03   46080              c:\windows\system32\tzchange.exe
- 2008-07-23 21:10 . 2008-07-08 13:00   18808              c:\windows\system32\spmsg.dll
+ 2008-07-23 21:10 . 2009-05-26 11:40   18808              c:\windows\system32\spmsg.dll
+ 2009-11-25 21:07 . 2009-11-25 21:00   28520              c:\windows\system32\drivers\ssmdrv.sys
+ 2009-11-25 21:17 . 2009-11-25 21:17   32768              c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
- 2008-07-29 06:05 . 2008-07-29 06:05   655872              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   655872              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   572928              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   572928              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 02:54 . 2008-07-29 02:54   225280              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
- 2008-07-29 01:54 . 2008-07-29 01:54   225280              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   161784              c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   161784              c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-11-25 21:17 . 2009-11-25 21:17   429568              c:\windows\Installer\19f8f.msi
+ 2008-07-29 07:05 . 2008-07-29 07:05   3783672              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   3783672              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05   3768312              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
- 2008-07-29 06:05 . 2008-07-29 06:05   3768312              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2009-07-20 23:03 . 2009-07-20 23:03   1348432              c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2008-08-29 19:06 . 2009-07-31 09:02   1372672              c:\windows\system32\msxml6.dll
+ 2009-07-20 23:05 . 2009-07-20 23:05   1348432              c:\windows\system32\msxml4.dll
+ 2004-08-04 12:00 . 2009-07-31 04:32   1172480              c:\windows\system32\msxml3.dll
+ 2008-04-14 02:22 . 2009-07-31 09:02   1372672              c:\windows\system32\dllcache\msxml6.dll
+ 2004-08-04 12:00 . 2009-07-31 04:32   1172480              c:\windows\system32\dllcache\msxml3.dll
.
-- Snapshot auf jetziges Datum zurückgesetzt --
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02   77824   ----a-w-   c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02   77824   ----a-w-   c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02   77824   ----a-w-   c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 18:59   2953216   ----a-w-   c:\programme\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 18:59   2953216   ----a-w-   c:\programme\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"Dell QuickSet"="c:\programme\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"SigmatelSysTrayApp"="c:\programme\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Malwarebytes Anti-Malware (reboot)"="c:\programme\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-11-04 149280]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-11-25 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-17 1626112]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\J”rg\Startmen�\Programme\Autostart\
Dropbox.lnk - c:\dokumente und einstellungen\J”rg\Anwendungsdaten\Dropbox\bin\Dropbox.exe [2009-8-29 26784939]

c:\dokumente und einstellungen\All Users\Startmen�\Programme\Autostart\
Dropbox.lnk - c:\dokumente und einstellungen\J”rg\Anwendungsdaten\Dropbox\bin\Dropbox.exe [2009-8-29 26784939]
Password Safe.lnk - c:\programme\Password Safe\pwsafe.exe [2008-8-30 1949696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-13 16:58   10536   ----a-w-   c:\programme\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 18:46   90112   ----a-w-   c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Programme\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Programme\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Programme\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [29.07.2004 03:33 138780]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [25.11.2009 22:07 97608]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [29.07.2004 04:13 46779]
R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [12.10.2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [12.10.2009 21:24 74480]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\programme\Avira\AntiVir Desktop\avmailc.exe [25.11.2009 22:07 194817]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [25.11.2009 22:07 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\programme\Avira\AntiVir Desktop\avwebgrd.exe [25.11.2009 22:07 434945]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [17.06.2009 21:17 434864]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [25.11.2009 22:07 69632]
R3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [22.02.2008 17:48 141376]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [22.02.2008 17:48 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [22.02.2008 17:48 234720]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [04.07.2009 14:39 133104]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [03.11.2009 21:28 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [03.11.2009 21:28 3072]
S3 SASENUM;SASENUM;c:\programme\SUPERAntiSpyware\SASENUM.SYS [12.10.2009 21:24 7408]
S3 SWUSBFLT;Microsoft SideWinder VIA-Filtertreiber;c:\windows\system32\drivers\SWUSBFLT.SYS [29.04.2009 21:14 3968]
.
Inhalt des "geplante Tasks" Ordners

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-07-04 13:39]

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-07-04 13:39]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\programme\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Mozilla\Firefox\Profiles\l1mbxlh7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tages-anzeiger.ch/
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI
AddRemove-RealJukebox 1.0 - c:\programme\Gemeinsame Dateien\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\programme\Gemeinsame Dateien\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 22:31
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(2040)
c:\programme\SUPERAntiSpyware\SASWINLO.dll
c:\programme\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\psqlpwd.dll
c:\programme\Protector Suite QL\homefus2.dll
c:\programme\Protector Suite QL\infra.dll
c:\programme\Protector Suite QL\homepass.dll
c:\programme\Protector Suite QL\bio.dll
c:\programme\Protector Suite QL\remote.dll
c:\programme\Protector Suite QL\crypto.dll
c:\programme\Protector Suite QL\biokmd.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(244)
c:\windows\system32\psqlpwd.dll
c:\programme\Protector Suite QL\homefus2.dll
c:\programme\Protector Suite QL\infra.dll
c:\programme\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(1316)
c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll
c:\programme\Protector Suite QL\farchns.dll
c:\programme\Protector Suite QL\infra.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programme\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\programme\Intel\Wireless\Bin\S24EvMon.exe
c:\programme\Avira\AntiVir Desktop\avguard.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\programme\Intel\Wireless\Bin\EvtEng.exe
c:\programme\FolderSize\FolderSizeSvc.exe
c:\windows\System32\GEARSec.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\windows\system32\nvsvc32.exe
c:\programme\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\STacSV.exe
c:\programme\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\rundll32.exe
c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-11-25 22:36 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2009-11-25 21:36
ComboFix2.txt  2009-11-20 21:51

Vor Suchlauf: 11 Verzeichnis(se), 51'974'762'496 Bytes frei
Nach Suchlauf: 14 Verzeichnis(se), 52'031'217'664 Bytes frei

- - End Of File - - AE8164E93FDEF9F7058A8B3879D730EC
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:56:10, on 26.11.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\Programme\Avira\AntiVir Desktop\avmailc.exe
C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Dokumente und Einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe
C:\Programme\Password Safe\pwsafe.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = ?
O4 - Global Startup: Dropbox.lnk = ?
O4 - Global Startup: Password Safe.lnk = C:\Programme\Password Safe\pwsafe.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203710845421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206210370125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Programme\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Programme\FolderSize\FolderSizeSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Programme\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7947 bytes

[Malware Removal Specialist]

Hello freitag. It's looking good. Just one more scan.

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

I'm getting an "Unexpected Error 2002" after the signature files were downloaded (Step 2 out of 4).

[Malware Removal Specialist]

What browser are you using?

Firefox 3

[Malware Removal Specialist]

Ok. Let's try this one

Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives

5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply along with a fresh HijackThis log.

Here we go:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Sunday, November 29, 2009
 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Sunday, November 29, 2009 17:41:40
 Records in database: 3307970
--------------------------------------------------------------------------------

Scan settings:
   scan using the following database: extended
   Scan archives: yes
   Scan e-mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   E:\

Scan statistics:
   Objects scanned: 86328
   Threats found: 1
   Infected objects found: 2
   Suspicious objects found: 0
   Scan duration: 01:33:46


File name / Threat / Threats count
C:\System Volume Information\_restore{6F71865E-1372-4529-A60F-E13604F0F2F5}\RP203\A0067835.exe   Infected: Backdoor.Win32.Bredolab.bas   1
C:\WINDOWS\pss\zavupd32.exeStartup   Infected: Backdoor.Win32.Bredolab.bas   1

Selected area has been scanned.


--------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:00:24, on 29.11.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Dokumente und Einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe
C:\Programme\Password Safe\pwsafe.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Microsoft Office 2007\Office12\OUTLOOK.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Avira\AntiVir Desktop\avmailc.exe
C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Programme\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = ?
O4 - Global Startup: Dropbox.lnk = ?
O4 - Global Startup: Password Safe.lnk = C:\Programme\Password Safe\pwsafe.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203710845421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206210370125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Programme\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Programme\FolderSize\FolderSizeSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Programme\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8232 bytes

[Malware Removal Specialist]

Hello freitag. Let's try this:

Download OTM by OldTimer to your desktop.

Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:services

:reg

:files
c:\dokumente und einstellungen\Jörg\Startmenü\Programme\Autostart\zavupd32.exe

c:\windows\pss\zavupd32.exeStartup

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Please let me know how your computer is working.

Everything seems fine with my computer, thanks.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder c:\dokumente und einstellungen\Jörg\Startmenü\Programme\Autostart\zavupd32.exe not found.
c:\windows\pss\zavupd32.exeStartup moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Anja
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 24555828 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: Jörg
 
User: Jörg
->Temp folder emptied: 90988626 bytes
->Temporary Internet Files folder emptied: 5449255 bytes
->Java cache emptied: 13958278 bytes
->FireFox cache emptied: 77861307 bytes
->Google Chrome cache emptied: 14044943 bytes
 
User: J”rg
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2134333 bytes
%systemroot%\System32 .tmp files removed: 1262983 bytes
Windows Temp folder emptied: 427593 bytes
RecycleBin emptied: 11141617 bytes
 
Total Files Cleaned = 230.72 mb
 
 
OTM by OldTimer - Version 3.1.2.0 log created on 12032009_103035

Files moved on Reboot...

Registry entries deleted on Reboot...

[Malware Removal Specialist]

Hello freitag. Everything looks ok now. If there are no other issues it's time to do some cleanup. You can uninstall HJT but you can keep SAS and MBAM. Update them and run them every week to stay clean. Also, don't forget your Firewall. Make sure it's enabled.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Sicheres Surfen

Strange, I can't seem to get rid of Combofix - despite the /u, it just does a complete check and remains installed afterwards.

[Malware Removal Specialist]

Not a problem. Please do this:

Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.

Fabulous, big final Thank You! :-)