Author Topic: pqrs.tmo?  (Read 8417 times)
freitag
« on: November 04, 2009, 02:16:41 PM »

Hi there

Yesterday my anti-virus software (Avira Premium Security Suite Version 8) gave out an alert regarding a file called pqrs.tmo. It said it contained the signature of a piece of malware, a Trojan if I remember correctly. I told it to delete the file.

Now, today, when I booted the computer, I received a warning saying (sorry, need to translate, my Windows XP is in German) "required module pqrs.tmo cannot be loaded". So apparently this malware has left some traces behind...

I followed all the steps of your excellent malware removal procedure. The tools did find some things, and somewhere along the line (I think it was after Anti-Malware) the message didn't come up any more after booting. So problem solved - I think. But just to make sure, I'll post the logs anyway, in case somebody sees something I should take care of.

Thanks a lot!!!!
Joerg


[Saving space, attachment deleted by admin]
freitag
« Reply #1 on: November 06, 2009, 05:08:44 AM »

Since I didn't get any replies to this - is it safe to assume you don't see any problems with my system?

Thanks a lot!
Joerg
slee
« Reply #2 on: November 09, 2009, 07:44:39 PM »

Hi, my notebook was infected with a virus. After cleaning, I now have the following error every time I start up or reboot my machine:
 Error loading pqrw.tmo
 The specified module could not be found

Please help.

Thanks.
Lee 
Quantos
« Reply #3 on: November 10, 2009, 12:22:44 AM »

freitag, please be patient; we are all slaves - I mean volunteers - here. Sometimes it takes a little while for a virii specialist to get to you, but they will.

slee, you need to post a new topic in this thread; it gets difficult to support more than one poster in a thread.

"Ah the agony, ah the shame, making one man's privates - public for a game..."  Mel Brooks
freitag
« Reply #4 on: November 10, 2009, 02:52:51 AM »

No problem Quantos. Thanks for the heads-up!
SuperDave
« Reply #5 on: November 17, 2009, 04:37:22 PM »

Hello freitag and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans whilst I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.ergon.ch:3128;gopher=proxy.ergon.ch:3128;http=proxy.ergon.ch:3128;https=proxy.ergon.ch:3128;socks=proxy.ergon.ch:1080

O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

Download DDS from HERE or HERE or HERE and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
   

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
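The "required module pqrs.tmo cannot be loaded" message at logon and the "(file missing)" flag HijackThis puts on the O23 service above have the same cause: the file was deleted but the autostart entry that loads it was left behind. As an added example, not code from the thread or from any tool mentioned in it, the following PowerShell check lists Run/RunOnce and Winlogon Notify entries whose target file no longer exists; it assumes Windows PowerShell 2.0 or later and an elevated session for the HKLM keys.

```powershell
# Added example: report autostart entries whose launch target is gone from disk.
# Covers HKCU/HKLM Run and RunOnce values and Winlogon notification packages.
# Service ImagePath entries (HijackThis O23) are a further location not covered here.

function Test-LaunchTarget {
    # Mirror the loader's search order for unqualified names such as "nwiz.exe"
    # or "bthprops.cpl": system32, the Windows directory, then each PATH entry.
    param([string]$Path)
    $candidates = @($Path)
    if (-not [IO.Path]::HasExtension($Path)) { $candidates += "$Path.exe" }
    foreach ($c in $candidates) {
        if ([IO.Path]::IsPathRooted($c)) {
            if (Test-Path -LiteralPath $c) { return $true }
            continue
        }
        $dirs = @("$env:SystemRoot\system32", $env:SystemRoot) + ($env:Path -split ';')
        foreach ($d in $dirs) {
            if ($d -and (Test-Path -LiteralPath (Join-Path $d $c))) { return $true }
        }
    }
    return $false
}

function Get-LaunchTarget {
    # Reduce a Run-value command line to the file it actually loads.
    # DLL-based loaders are usually started as "rundll32.exe <dll>,<entry>", so for
    # rundll32 the first argument is the real target, not rundll32 itself.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"\s*(.*)$') {
        $exe = $Matches[1]; $rest = $Matches[2]
    } else {
        # Unquoted command line: like CreateProcess, try progressively longer
        # space-delimited prefixes until one names an existing file.
        $tokens = $cmd -split ' '
        $exe = $tokens[0]; $rest = ($tokens | Select-Object -Skip 1) -join ' '
        for ($i = 1; $i -le $tokens.Count; $i++) {
            $prefix = ($tokens[0..($i - 1)]) -join ' '
            if (Test-LaunchTarget $prefix) {
                $exe = $prefix; $rest = ($tokens | Select-Object -Skip $i) -join ' '; break
            }
        }
    }
    if ([IO.Path]::GetFileName($exe) -match '^rundll32(\.exe)?$') {
        $dll = ($rest -split ',')[0].Trim().Trim('"')
        if ($dll) { return $dll }
    }
    return $exe
}

function Find-OrphanedAutostart {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $k = Get-Item -LiteralPath $key
        foreach ($name in $k.GetValueNames()) {
            $value = [string]$k.GetValue($name)
            if (-not $value) { continue }
            $target = Get-LaunchTarget $value
            if (-not (Test-LaunchTarget $target)) {
                New-Object PSObject -Property @{
                    Location = $key; Name = $name; Command = $value; MissingFile = $target
                }
            }
        }
    }
    # Winlogon notification packages are DLLs loaded at logon; a DLLName that no
    # longer exists produces the same "module could not be found" symptom.
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path -LiteralPath $notify) {
        foreach ($sub in Get-ChildItem -LiteralPath $notify) {
            $dll = [string](Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
            if ($dll -and -not (Test-LaunchTarget $dll)) {
                New-Object PSObject -Property @{
                    Location = $sub.PSPath; Name = $sub.PSChildName; Command = $dll; MissingFile = $dll
                }
            }
        }
    }
}

# Each reported line is an entry to review and, once confirmed as the remnant of a
# removed file, delete; the file it points at is already gone.
Find-OrphanedAutostart | Format-Table Location, Name, MissingFile -AutoSize
```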
freitag
« Reply #6 on: November 18, 2009, 04:58:04 PM »

Hello SD!

Thanks a lot for helping me out here! Here are the two logs:


DDS (Ver_09-09-29.01) - NTFSx86 
Run by Jörg at  0:54:33.53 on 19.11.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional  5.1.2600.3.1252.41.1031.18.2046.1452 [GMT 1:00]

AV: Avira Premium Security Suite *On-access scanning enabled* (Updated)   {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *disabled*   {55185680-1D7E-44D7-3094-596BB89B90C9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\Avira Premium Security Suite\sched.exe
svchost.exe
C:\Programme\Avira\Avira Premium Security Suite\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Avira\Avira Premium Security Suite\avesvc.exe
C:\Programme\Bonjour\mDNSResponder.exe
svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\Programme\Avira\Avira Premium Security Suite\avmailc.exe
C:\Programme\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Dokumente und Einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe
C:\Programme\Password Safe\pwsafe.exe
C:\Programme\Avira\Avira Premium Security Suite\avgnt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Jörg\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [nwiz] nwiz.exe /install
mRun: [Dell QuickSet] c:\programme\dell\quickset\quickset.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [avgnt] "c:\programme\avira\avira premium security suite\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\programme\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\programme\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\jrg~1\startm~1\progra~1\autost~1\dropbox.lnk - c:\dokumente und einstellungen\jörg\anwendungsdaten\dropbox\bin\Dropbox.exe
StartupFolder: c:\dokume~1\jrg~1\startm~1\progra~1\autost~1\passwo~1.lnk - c:\programme\password safe\pwsafe.exe
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: avsda.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203710845421
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206210370125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\programme\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\programme\citrix\gotoassist\514\G2AWinLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programme\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\jrg~1\anwend~1\mozilla\firefox\profiles\l1mbxlh7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tages-anzeiger.ch/
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2008-4-30 71592]
R1 avgio;avgio;c:\programme\avira\avira premium security suite\avgio.sys [2008-4-30 11608]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R1 SASDIFSV;SASDIFSV;c:\programme\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AntiVirMailService;Avira Premium Security Suite MailGuard;c:\programme\avira\avira premium security suite\avmailc.exe [2008-4-30 164097]
R2 AntiVirScheduler;Avira Premium Security Suite Planer;c:\programme\avira\avira premium security suite\sched.exe [2008-4-30 68865]
R2 AntiVirService;Avira Premium Security Suite Guard;c:\programme\avira\avira premium security suite\avguard.exe [2008-4-30 151297]
R2 antivirwebservice;Avira Premium Security Suite WebGuard;c:\programme\avira\avira premium security suite\avwebgrd.exe [2008-4-30 258305]
R2 AVEService;Avira Premium Security Suite MailGuard Hilfsdienst;c:\programme\avira\avira premium security suite\avesvc.exe [2008-4-30 41217]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\programme\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-6-17 434864]
R3 avgntflt;avgntflt;c:\programme\avira\avira premium security suite\avgntflt.sys [2008-4-30 52056]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [2008-2-22 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [2008-2-22 234720]
S2 gupdate;Google Update Service (gupdate);c:\programme\google\update\GoogleUpdate.exe [2009-7-4 133104]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2008-4-30 71464]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-11-3 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-11-3 3072]
S3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [2008-2-22 141376]
S3 SASENUM;SASENUM;c:\programme\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 SWUSBFLT;Microsoft SideWinder VIA-Filtertreiber;c:\windows\system32\drivers\SWUSBFLT.SYS [2009-4-29 3968]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\drivers\vpnva.sys [2009-6-17 20152]

=============== Created Last 30 ================

2009-11-05 22:08   56   a---h---   c:\windows\system32\ezsidmv.dat
2009-11-04 22:01   411,368   a-------   c:\windows\system32\deploytk.dll
2009-11-04 21:49   <DIR>   --d-----   c:\dokume~1\jrg~1\anwend~1\Malwarebytes
2009-11-04 21:49   38,224   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 21:49   <DIR>   --d-----   c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2009-11-04 21:49   19,160   a-------   c:\windows\system32\drivers\mbam.sys
2009-11-04 21:49   <DIR>   --d-----   c:\programme\Malwarebytes' Anti-Malware
2009-11-04 20:16   <DIR>   --d-----   c:\dokume~1\alluse~1\anwend~1\SUPERAntiSpyware.com
2009-11-04 20:16   <DIR>   --d-----   c:\programme\SUPERAntiSpyware
2009-11-04 20:16   <DIR>   --d-----   c:\dokume~1\jrg~1\anwend~1\SUPERAntiSpyware.com
2009-11-04 20:15   <DIR>   --d-----   c:\programme\gemeinsame dateien\Wise Installation Wizard
2009-11-04 19:58   <DIR>   --d-hr--   c:\dokumente und einstellungen\jörg\Recent
2009-11-03 21:32   1,885   a---hr--   c:\windows\EPMBatch.ept
2009-11-03 21:28   14,848   a-------   c:\windows\system32\EuEpmGdi.dll
2009-11-03 21:28   1,663,488   a-------   c:\windows\system32\BootMan.exe
2009-11-03 21:28   86,408   a-------   c:\windows\system32\setupempdrv03.exe
2009-11-03 21:28   8,704   a-------   c:\windows\system32\epmntdrv.sys
2009-11-03 21:28   3,072   a-------   c:\windows\system32\EuGdiDrv.sys
2009-11-03 21:27   <DIR>   --d-----   c:\programme\EASEUS
2009-11-02 14:08   <DIR>   --d-----   c:\programme\XML Notepad 2007
2009-10-27 12:50   <DIR>   --d-----   c:\programme\Cisco
2009-10-27 12:50   <DIR>   --d-----   c:\dokume~1\alluse~1\anwend~1\Cisco

==================== Find3M  ====================

2009-11-16 16:12   4,456,448   a---h---   c:\dokumente und einstellungen\jörg\NTUSER.DAT
2009-11-04 22:01   464,220   a-------   c:\windows\system32\perfh007.dat
2009-11-04 22:01   86,454   a-------   c:\windows\system32\perfc007.dat
2009-10-27 08:07   296,452   a-------   c:\windows\system32\nvModes.dat
2009-09-25 06:35   672,768   a-------   c:\windows\system32\wininet.dll
2009-09-25 06:35   81,920   a-------   c:\windows\system32\ieencode.dll
2009-09-11 15:17   136,192   a-------   c:\windows\system32\msv1_0.dll
2009-09-04 22:03   58,880   a-------   c:\windows\system32\msasn1.dll
2009-08-26 09:00   247,326   a-------   c:\windows\system32\strmdll.dll
2009-01-13 17:58   61,224   a-------   c:\dokumente und einstellungen\jörg\GoToAssistDownloadHelper.exe
2008-03-09 18:10   32   a-------   c:\dokume~1\alluse~1\anwend~1\ezsid.dat
2008-02-22 18:33   76   ---shr--   c:\windows\CT4CET.bin

============= FINISH:  0:54:53.82 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 22.02.2008 14:05:06
System Uptime: 18.11.2009 21:09:52 (3 hours ago)

Motherboard: Dell Inc. |  |       
Processor: Intel(R) Core(TM)2 Duo CPU     T7500  @ 2.20GHz | Microprocessor | 2194/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 48.724 GiB free.
D: is FIXED (NTFS) - 161 GiB total, 129.606 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0000
Service: vpnva

==== System Restore Points ===================

RP175: 12.08.2009 22:27:53 - Systemprüfpunkt
RP176: 13.08.2009 23:13:43 - Systemprüfpunkt
RP177: 15.08.2009 00:13:43 - Systemprüfpunkt
RP178: 15.08.2009 21:29:14 - Software Distribution Service 3.0
RP179: 16.08.2009 18:02:54 - Software Distribution Service 3.0
RP180: 16.08.2009 18:10:34 - Druckertreiber Microsoft XPS Document Writer installiert
RP181: 23.08.2009 18:37:05 - Software Distribution Service 3.0
RP182: 24.08.2009 20:16:18 - Software Distribution Service 3.0
RP183: 27.08.2009 20:45:49 - Software Distribution Service 3.0
RP184: 06.09.2009 19:05:11 - Software Distribution Service 3.0
RP185: 13.09.2009 18:35:22 - Software Distribution Service 3.0
RP186: 22.09.2009 20:38:33 - Systemprüfpunkt
RP187: 24.09.2009 19:58:58 - Systemprüfpunkt
RP188: 24.09.2009 22:25:39 - Installed Silent Wings
RP189: 25.09.2009 21:22:02 - Software Distribution Service 3.0
RP190: 27.09.2009 14:24:36 - Systemprüfpunkt
RP191: 09.10.2009 20:27:24 - Removed Silent Wings
RP192: 10.10.2009 21:15:59 - Systemprüfpunkt
RP193: 14.10.2009 22:53:41 - Software Distribution Service 3.0
RP194: 16.10.2009 13:41:40 - Systemprüfpunkt
RP195: 20.10.2009 20:40:08 - Premium Security Suite - 20.10.2009 20:40
RP196: 22.10.2009 21:54:50 - Software Distribution Service 3.0
RP197: 26.10.2009 19:53:58 - Systemprüfpunkt
RP198: 27.10.2009 12:50:58 - Installed Cisco AnyConnect VPN Client
RP199: 28.10.2009 15:22:54 - Systemprüfpunkt
RP200: 29.10.2009 19:49:40 - Systemprüfpunkt
RP201: 02.11.2009 14:08:23 - Installed XML Notepad 2007
RP202: 04.11.2009 00:11:52 - Systemprüfpunkt
RP203: 04.11.2009 19:03:40 - Software Distribution Service 3.0
RP204: 04.11.2009 20:16:17 - Installed SUPERAntiSpyware Free Edition
RP205: 04.11.2009 22:01:24 - Java(TM) 6 Update 17 wird installiert
RP206: 06.11.2009 14:03:43 - Systemprüfpunkt
RP207: 08.11.2009 21:57:44 - Systemprüfpunkt
RP208: 13.11.2009 00:00:01 - Software Distribution Service 3.0

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe FrameMaker v7.2
Adobe Photoshop CS
Adobe Reader 8.1.7
Adobe Shockwave Player 11.5
Advanced Audio FX Engine
Advanced Video FX Engine
AFPL Ghostscript 8.54
AFPL Ghostscript Fonts
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Avira Premium Security Suite
Bonjour
Broadcom Gigabit Integrated Controller
BufferChm
CCleaner
Cisco AnyConnect VPN Client
CityDesk
Compatibility Pack for the 2007 Office system
CompeGPS AIR 6.8
CompeGPS LAND 6.8
Condor: The Competition Soaring Simulator 1.0.8
ConvertHelper 2.2
Dell Touchpad
DELL Webcam Center
DELL Webcam Manager
Destinations
Device drivers for Simple Backup
DeviceManagementQFolder
DivX
DNA
Dropbox
EASEUS Partition Master 4.0 Home Edition
EasternAlps Scenery 2.0
FlyChart
Folder Size for Windows
FreePDF XP (Remove only)
Garmin MapSource
Google Earth
Google Earth Plug-in
Google Update Helper
GoToAssist 8.0.0.514
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Color LaserJet CM1015/CM1017 MFP 1.0
HP Imaging Device Functions 7.0
HP USB Disk Storage Format Tool
hppCLJCM1017
hppFonts
hppIOFiles
hppManualsCM1017
hppscanCM1017
Icon3DMaker 1.05
IGC Flight Replay  0.6
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) 6 Update 17
Laptop Integrated Webcam Driver (1.03.01.1011) 
Live! Cam Avatar
Live! Cam Avatar Creator
LiveUpdate 2.0 (Symantec Corporation)
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
MapSource
MapSource - European MetroGuide Version 5
mCore
mDriver
mDrWiFi
MediaDirect
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Language Pack - DEU
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 German Language Pack
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (German) 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office InfoPath MUI (German) 2007
Microsoft Office Outlook MUI (German) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Word MUI (German) 2007
Microsoft Software Update for Web Folders  (German) 12
Microsoft Virtual PC 2007 SP1
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.15)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mWMI
mZConfig
Nero OEM
Nokia Map Loader
Norton Ghost 9.0
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OpenOffice.org 2.3
OutlookAddinSetup
Password Safe
PC Coach
PC Connectivity Solution
PL-2303 USB-to-Serial
Product_Min_QFolder
Protector Suite QL 5.6
PuTTY version 0.58
QuickBooks 2000
QuickSet
QuickTime
RealPlayer
Remote Control USB Driver
Scan
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Visio 2007 (KB947590)
Sicherheitsupdate für Windows XP (KB923789)
Sicherheitsupdate für Windows XP (KB969947)
SigmaTel Audio
Skype™ 4.1
SUPERAntiSpyware Free Edition
TrayApp
Uninstall Startup Inspector
Unity Web Player
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb975960)
VideoLAN VLC media player 0.8.6i
WD Firewire HID Driver
WebFldrs XP
WebReg
Windows-Treiberpaket - Nokia pccsmcfd  (10/12/2007 6.85.4.0)
Windows-Treiberpaket - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04)
Windows Communication Foundation Language Pack - DEU
Windows Driver Package - Broadcom Bluetooth  (02/24/2004 5.1.2535.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Presentation Foundation Language Pack (DEU)
Windows Workflow Foundation DE Language Pack
WinRAR archiver
XML Notepad 2007
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

16.11.2009 14:08:52, error: Dhcp [1002]  - Die IP-Adresslease 192.168.0.2 für die Netzwerkkarte mit der Netzwerkadresse 001CBF917F48 wurde durch den DHCP-Server 172.30.48.1 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet).
16.11.2009 01:57:19, error: W32Time [34]  - Der Zeitdienst hat festgestellt, dass die Systemzeit um -199048 Sekunden geändert werden muss. Die Systemzeit kann durch den Zeitdienst um maximal -54000 Sekunden geändert werden. Stellen Sie sicher, dass die Uhrzeit und Zeitzone korrekt sind und dass die Zeitquelle time.windows.com (ntp.m|0x1|192.168.0.3:123->207.46.232.182:123) funktionsfähig ist.
13.11.2009 18:44:12, error: Dhcp [1002]  - Die IP-Adresslease 192.168.0.3 für die Netzwerkkarte mit der Netzwerkadresse 001CBF917F48 wurde durch den DHCP-Server 0.0.0.0 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet).

==== End Of File ===========================
SuperDave
« Reply #7 on: November 19, 2009, 07:55:37 PM »

Hello Freitag. Could you please do this for me?

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
Link # 2

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
freitag
« Reply #8 on: November 20, 2009, 03:00:27 PM »

Hi SD

Did as you said - with a little hiccup, though: the first time around, ComboFix caused a Blue Screen somewhere above Step 25; I didn't pay close enough attention to say where exactly. After the reboot caused by the BSoD, WLAN was not working. I ran ComboFix again; this time it ran OK, and after the final reboot, WLAN came back up OK also.

Here are the logs:

ComboFix 09-11-20.02 - Jörg 20.11.2009 22:41.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.41.1031.18.2046.1496 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Jörg\Desktop\ComboFix.exe
AV: Avira Premium Security Suite *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *disabled* {55185680-1D7E-44D7-3094-596BB89B90C9}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AegisP.inf
c:\windows\system32\drivers\pciide.sys

.
(((((((((((((((((((((((   Dateien erstellt von 2009-10-20 bis 2009-11-20  ))))))))))))))))))))))))))))))
.

2009-11-05 21:08 . 2009-11-05 21:08   56   ---ha-w-   c:\windows\system32\ezsidmv.dat
2009-11-05 21:07 . 2009-11-05 21:07   --------   d-----w-   c:\programme\Gemeinsame Dateien\Skype
2009-11-04 21:01 . 2009-11-04 21:01   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-11-04 20:49 . 2009-09-10 13:54   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 20:49 . 2009-11-04 20:49   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-11-04 20:49 . 2009-11-04 20:49   --------   d-----w-   c:\programme\Malwarebytes' Anti-Malware
2009-11-04 20:49 . 2009-09-10 13:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-04 19:16 . 2009-11-04 19:16   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
2009-11-04 19:16 . 2009-11-04 19:16   --------   d-----w-   c:\programme\SUPERAntiSpyware
2009-11-04 19:15 . 2009-11-04 19:15   --------   d-----w-   c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2009-11-03 20:28 . 2009-04-22 13:27   14848   ----a-w-   c:\windows\system32\EuEpmGdi.dll
2009-11-03 20:28 . 2009-06-13 18:54   1663488   ----a-w-   c:\windows\system32\BootMan.exe
2009-11-03 20:28 . 2009-04-22 13:28   8704   ----a-w-   c:\windows\system32\epmntdrv.sys
2009-11-03 20:28 . 2009-04-22 13:28   86408   ----a-w-   c:\windows\system32\setupempdrv03.exe
2009-11-03 20:28 . 2009-04-22 13:28   3072   ----a-w-   c:\windows\system32\EuGdiDrv.sys
2009-11-03 20:27 . 2009-11-03 20:27   --------   d-----w-   c:\programme\EASEUS
2009-11-02 13:08 . 2009-11-02 13:08   --------   d-----w-   c:\programme\XML Notepad 2007
2009-10-27 11:50 . 2009-10-27 11:50   --------   d-----w-   c:\programme\Cisco
2009-10-27 11:50 . 2009-10-27 11:50   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Cisco

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 21:48 . 2008-09-14 11:59   --------   d-----w-   c:\programme\Password Safe
2009-11-19 20:20 . 2008-02-22 15:29   --------   d--h--w-   c:\programme\InstallShield Installation Information
2009-11-12 23:04 . 2008-03-24 12:11   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2009-11-05 21:07 . 2008-03-09 17:06   --------   d-----r-   c:\programme\Skype
2009-11-05 21:07 . 2008-03-09 17:06   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2009-11-04 21:03 . 2008-03-10 21:11   --------   d-----w-   c:\programme\Java
2009-11-04 21:01 . 2004-08-04 12:00   86454   ----a-w-   c:\windows\system32\perfc007.dat
2009-11-04 21:01 . 2004-08-04 12:00   464220   ----a-w-   c:\windows\system32\perfh007.dat
2009-10-28 20:38 . 2009-02-15 12:43   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\CompeGPS
2009-10-27 07:07 . 2008-02-22 15:03   296452   ----a-w-   c:\windows\system32\nvModes.dat
2009-10-14 20:15 . 2008-03-09 17:25   --------   d-----w-   c:\programme\Gemeinsame Dateien\Adobe
2009-10-10 12:30 . 2009-10-10 12:30   --------   d-----w-   c:\programme\Unity
2009-09-25 05:35 . 2004-08-04 12:00   672768   ----a-w-   c:\windows\system32\wininet.dll
2009-09-25 05:35 . 2004-08-04 12:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-09-23 17:45 . 2008-03-09 16:22   --------   d-----w-   c:\programme\Google
2009-09-11 14:17 . 2004-08-04 12:00   136192   ----a-w-   c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00   58880   ----a-w-   c:\windows\system32\msasn1.dll
2009-08-29 16:47 . 2009-07-19 21:28   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2009-08-26 08:00 . 2004-08-04 12:00   247326   ----a-w-   c:\windows\system32\strmdll.dll
2008-02-22 17:33 . 2008-02-22 17:33   76   --sh--r-   c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((   Registry Autostart Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02   77824   ----a-w-   c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02   77824   ----a-w-   c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02   77824   ----a-w-   c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 18:59   2953216   ----a-w-   c:\programme\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 18:59   2953216   ----a-w-   c:\programme\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"Dell QuickSet"="c:\programme\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"avgnt"="c:\programme\Avira\Avira Premium Security Suite\avgnt.exe" [2008-07-22 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"SigmatelSysTrayApp"="c:\programme\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Malwarebytes Anti-Malware (reboot)"="c:\programme\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-11-04 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-17 1626112]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\Jörg\Startmenü\Programme\Autostart\
Dropbox.lnk - c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe [2009-8-29 26784939]

c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Dropbox.lnk - c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe [2009-8-29 26784939]
Password Safe.lnk - c:\programme\Password Safe\pwsafe.exe [2008-8-30 1949696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-13 16:58   10536   ----a-w-   c:\programme\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 18:46   90112   ----a-w-   c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli psqlpwd

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Jörg^Startmenü^Programme^Autostart^zavupd32.exe]
path=c:\dokumente und einstellungen\Jörg\Startmenü\Programme\Autostart\zavupd32.exe
backup=c:\windows\pss\zavupd32.exeStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Programme\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Programme\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Programme\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [29.07.2004 03:33 138780]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [30.04.2008 21:39 71592]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [29.07.2004 04:13 46779]
R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [12.10.2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [12.10.2009 21:24 74480]
R2 AntiVirMailService;Avira Premium Security Suite MailGuard;c:\programme\Avira\Avira Premium Security Suite\avmailc.exe [30.04.2008 21:39 164097]
R2 antivirwebservice;Avira Premium Security Suite WebGuard;c:\programme\Avira\Avira Premium Security Suite\avwebgrd.exe [30.04.2008 21:39 258305]
R2 AVEService;Avira Premium Security Suite MailGuard Hilfsdienst;c:\programme\Avira\Avira Premium Security Suite\avesvc.exe [30.04.2008 21:39 41217]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [17.06.2009 21:17 434864]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [22.02.2008 17:48 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [22.02.2008 17:48 234720]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [04.07.2009 14:39 133104]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [30.04.2008 21:39 71464]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [03.11.2009 21:28 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [03.11.2009 21:28 3072]
S3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [22.02.2008 17:48 141376]
S3 SASENUM;SASENUM;c:\programme\SUPERAntiSpyware\SASENUM.SYS [12.10.2009 21:24 7408]
S3 SWUSBFLT;Microsoft SideWinder VIA-Filtertreiber;c:\windows\system32\drivers\SWUSBFLT.SYS [29.04.2009 21:14 3968]
.
Contents of the "Scheduled Tasks" folder

2009-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-07-04 13:39]

2009-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-07-04 13:39]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: avsda.dll
FF - ProfilePath - c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Mozilla\Firefox\Profiles\l1mbxlh7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tages-anzeiger.ch/
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - Removed orphaned registry entries - - - -

AddRemove-HijackThis - c:\programme\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 22:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- Locked Registry Keys ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(1552)
c:\programme\SUPERAntiSpyware\SASWINLO.dll
c:\programme\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\psqlpwd.dll
c:\programme\Protector Suite QL\homefus2.dll
c:\programme\Protector Suite QL\infra.dll
c:\programme\Protector Suite QL\homepass.dll
c:\programme\Protector Suite QL\bio.dll
c:\programme\Protector Suite QL\remote.dll
c:\programme\Protector Suite QL\crypto.dll
c:\programme\Protector Suite QL\biokmd.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(1608)
c:\windows\system32\psqlpwd.dll
c:\programme\Protector Suite QL\homefus2.dll
c:\programme\Protector Suite QL\infra.dll
c:\windows\system32\avsda.dll

- - - - - - - > 'explorer.exe'(2868)
c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\DropboxExt.3.dll
c:\programme\Protector Suite QL\farchns.dll
c:\programme\Protector Suite QL\infra.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programme\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other running processes ------------------------
.
c:\programme\Intel\Wireless\Bin\S24EvMon.exe
c:\programme\Avira\Avira Premium Security Suite\sched.exe
c:\programme\Avira\Avira Premium Security Suite\avguard.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\programme\Intel\Wireless\Bin\EvtEng.exe
c:\programme\FolderSize\FolderSizeSvc.exe
c:\windows\System32\GEARSec.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\windows\system32\nvsvc32.exe
c:\programme\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\STacSV.exe
c:\programme\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\rundll32.exe
c:\dokumente und einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe
.
**************************************************************************
.
Completion time: 2009-11-20 22:51 - machine was rebooted
ComboFix-quarantined-files.txt  2009-11-20 21:51

Pre-Run: 8 directories, 52'225'593'344 bytes free
Post-Run: 13 directories, 52'251'586'560 bytes free

- - End Of File - - F979E179D72F5B540B54425BF0F43865


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:59:44, on 20.11.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\Avira Premium Security Suite\sched.exe
C:\Programme\Avira\Avira Premium Security Suite\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Avira\Avira Premium Security Suite\avesvc.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\Programme\Avira\Avira Premium Security Suite\avmailc.exe
C:\Programme\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Avira\Avira Premium Security Suite\avgnt.exe
C:\Programme\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Password Safe\pwsafe.exe
C:\Dokumente und Einstellungen\Jörg\Anwendungsdaten\Dropbox\bin\Dropbox.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Microsoft Office 2007\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = ?
O4 - Global Startup: Dropbox.lnk = ?
O4 - Global Startup: Password Safe.lnk = C:\Programme\Password Safe\pwsafe.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203710845421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206210370125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Programme\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\avmailc.exe
O23 - Service: Avira Premium Security Suite Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira Premium Security Suite MailGuard Hilfsdienst (AVEService) - Avira GmbH - C:\Programme\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Programme\FolderSize\FolderSizeSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Programme\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8430 bytes
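The start-up message the thread opened with ("required module pqrs.tmo cannot be loaded") is what Windows reports when an autostart entry still points at a file the antivirus has already deleted: the file is gone, the load point is not. Neither of the logs above shows that entry any more, because the cleanup tools removed it, but the check a practitioner wants is "which load points reference a module that is no longer on disk". The script below is an added example, not code from the original post and not part of ComboFix or HijackThis. It parses HijackThis-style O2/O4/O20/O23 lines, works out which file each entry actually makes Windows load (for rundll32 entries that is the DLL argument, not rundll32.exe), and reports entries whose module cannot be found. The sample log lines are constructed for the example: most are copied from the posted HijackThis log, while the rundll32 entry naming pqrs.tmo is hypothetical, since the thread never shows where that load point lived. `fake_exists` and `PRESENT_FILES` are stand-ins so the example runs offline; on a live machine pass nothing and `os.path.exists` is used.

```python
# Added example for this thread, not code from the original post or from
# ComboFix/HijackThis.  It parses HijackThis-style O2/O4/O20/O23 lines,
# works out which file each load point makes Windows load, and reports the
# entries whose module is gone: the state that produces a start-up message
# such as "required module pqrs.tmo cannot be loaded" after an antivirus
# deletes the file but leaves the registry entry behind.
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# CONSTRUCTED sample, modelled on the entry types in the posted log.  The
# thread never shows where the pqrs.tmo load point lived; the rundll32 line
# naming it is a hypothetical illustration, not evidence from the real logs.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [pqrs] rundll32.exe C:\WINDOWS\system32\pqrs.tmo,run
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\Avira Premium Security Suite\avgnt.exe" /min
O20 - Winlogon Notify: GoToAssist - C:\Programme\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Programme\Citrix\GoToAssist\514\g2aservice.exe
"""

# Files that "exist" in the constructed scenario, so the example runs offline.
PRESENT_FILES = {p.lower() for p in (
    r'C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll',
    r'C:\Programme\Synaptics\SynTP\SynTPEnh.exe',
    r'C:\WINDOWS\system32\bthprops.cpl',
    r'C:\Programme\Avira\Avira Premium Security Suite\avgnt.exe',
    r'C:\Programme\Citrix\GoToAssist\514\G2AWinLogon.dll',
    r'C:\Programme\Citrix\GoToAssist\514\g2aservice.exe',
)}

def fake_exists(path: str) -> bool:
    """Stand-in for os.path.exists (Windows paths are case-insensitive)."""
    return path.lower() in PRESENT_FILES

@dataclass
class LoadPoint:
    kind: str       # HijackThis section: O2, O4, O20 or O23
    name: str       # entry name as shown in the log
    module: str     # file the entry references, as written
    resolved: str   # path that was checked on disk
    present: bool

LINE_RE = re.compile(r'^(O20|O23|O2|O4) - (.*)$')
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(.+)$', re.I)
EXT_RE = re.compile(r'\.(?:exe|dll|cpl|sys|ocx|scr|com|bat)\b', re.I)

def command_module(cmd: str) -> str:
    """File an O4 Run command really loads (the DLL, not rundll32 itself)."""
    cmd = cmd.strip()
    m = RUNDLL_RE.match(cmd)
    if m:  # rundll32 <module>,<entry point> [args]
        return m.group(1).strip().strip('"').split(',', 1)[0].strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXT_RE.search(cmd)  # unquoted path that may contain spaces
    return cmd[:m.end()] if m else (cmd.split() or [cmd])[0]

def parse_line(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """-> (kind, name, module, marked_missing), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, payload = m.groups()
    marked = payload.endswith('(file missing)')  # HijackThis' own verdict
    if marked:
        payload = payload[:-len('(file missing)')].rstrip()
    if kind == 'O4':
        m4 = re.match(r'^.*?: \[(.*?)\] (.*)$', payload)
        return (kind, m4.group(1), command_module(m4.group(2)), marked) if m4 else None
    # O2/O20/O23: "<label>: <name> - [<clsid or owner> - ]<path>"
    parts = [p.strip() for p in payload.partition(': ')[2].split(' - ')]
    return (kind, parts[0], parts[-1], marked) if len(parts) >= 2 else None

def resolve(module: str, system_dir: str) -> str:
    """Expand %VAR% and treat bare names the way the loader does (system32)."""
    path = re.sub(r'%(\w+)%', lambda v: os.environ.get(v.group(1), v.group(0)), module)
    if not re.match(r'^(?:[A-Za-z]:\\|\\\\)', path):
        path = system_dir.rstrip('\\') + '\\' + path
    return path

def audit(log_text: str, exists: Callable[[str], bool] = os.path.exists,
          system_dir: str = r'C:\WINDOWS\system32') -> List[LoadPoint]:
    points = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            kind, name, module, marked = parsed
            resolved = resolve(module, system_dir)
            points.append(LoadPoint(kind, name, module, resolved,
                                    not marked and exists(resolved)))
    return points

def orphans(points: List[LoadPoint]) -> List[LoadPoint]:
    """Load points whose module is gone: these are what to remove next."""
    return [p for p in points if not p.present]

if __name__ == '__main__':
    for p in orphans(audit(SAMPLE_LOG, exists=fake_exists)):
        print(f'{p.kind:<4} {p.name!r} -> {p.resolved} (missing)')
```

Run against the constructed sample it reports two entries: the hypothetical `pqrs` Run value (its DLL is gone) and the IDriverT service that HijackThis itself marked `(file missing)`. The point of resolving the rundll32 argument rather than the command is that an AV product deletes the DLL, so a check on `rundll32.exe` alone would wrongly report the entry as healthy.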
SuperDave
Malware Removal Specialist, Moderator
« Reply #9 on: November 20, 2009, 07:41:28 PM »

I'd like to see the removals performed by ComboFix. Click Start > Run and type the following bold text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

The report should open for you. Please post the contents of that report in the next reply.

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
freitag
Topic Starter
« Reply #10 on: November 21, 2009, 09:17:52 AM »

2009-11-20 21:51:34 . 2009-11-20 21:51:34              754 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2009-11-20 21:35:36 . 2009-11-20 21:44:32           13,380 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-20 21:31:24 . 2009-11-20 21:40:50              153 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2008-02-22 16:18:56 . 2008-02-22 16:18:56           13,984 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\AegisP.inf.vir
2004-08-04 12:00:00 . 2001-08-18 03:30:42            3,328 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir
SuperDave
Malware Removal Specialist, Moderator
« Reply #11 on: November 21, 2009, 10:36:52 AM »

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DeQuarantine::

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir

Quit::


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
freitag
Topic Starter
« Reply #12 on: November 21, 2009, 03:43:26 PM »

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir -> C:\WINDOWS\system32\drivers\pciide.sys ( 3328 bytes )
SuperDave
Malware Removal Specialist, Moderator
« Reply #13 on: November 22, 2009, 01:25:15 PM »

Hello freitag. I will be a bit late with another fix. I just spent all day fixing a friend's computer(time that I was going to use to go through your logs). I'll get right on it tonight.
freitag
Topic Starter
« Reply #14 on: November 22, 2009, 02:03:39 PM »

no worries Dave! My computer stopped booting last night, it's getting a new main board on Tuesday (love Dell tech support! Really do, and the warranty extension was so worth the money!). By all means, take all the time you need. :-)
Copyright © 2010 Computer Hope ® All rights reserved.