
Topic: Malware in C-Windows-temp and maybe in the MBR. All common removal tools failed


jowo

    Topic Starter


    Rookie

    My problem sounds similar to other threads, mostly like this one: http://www.computerhope.com/forum/index.php/topic,76406.0.html
    But it seems as if nobody was successful with removing this beast yet.
    My issue all started with WINLOGON asking my firewall for web access, which I let go through because Google advised that if the file is in the system32 folder it should be fine. Since then IE pops up sites at random; forced reboots occurred and Windows keeps saying "Appl. cannot be executed, the file is infected, please activate your antivirus software".

    The virus pretends as if it itself were a malware removal tool. It claimed that NetSky32 took over the system and wanted the user to download security tools (a fake registry defender window popped open). SuperAntiSpy cannot see anything; Malwarebytes is far better, but still not successful. The virus kind of panics as I downloaded Malwarebytes, and after the first scan the virus deleted the Malwarebytes executable. At one point in time it seemed as if I would be fine (regedit and the task manager were usable again, the virus-warning desktop background was gone), but I could never boot into safe mode to perform a full system scan and completely get rid of this. When trying to boot in safe mode I still get a blue screen of death.

    Part of the virus is residing in C:\Windows\temp. The files seem to be rewritten at each boot time:
    gnserv.dat, spserv.dat, fla6.tmp, Perflib_prefdata_44c.dat and others; the number of files in this temp folder varies. I dare not open these files, but I'm pretty sure the worm stores reg keys in there and keeps track of what I am doing (IE5 history /index.dat). I can delete most of them except: gnserv.dat, spnserv.dat, spserv.dat, ... Also suspicious in the Windows temp folder: an installer for a crane system? LMpermission.exe4 and irsetup.exe (I am sure it was not there before and I did not download it...)

    The following DLLs seem to be part of the problem (in c:\windows\system32):
    masoyumu.dll, hufemute.dll, rivowaho.dll, dagenoja.dll, vujigami.dll, dagamami.dll, and also:
    azawexuluq.dll.tmp, tamowevu.dll.tmp, buhosazu.dll.tmp, pufutosu.dll.tmp, wulibuli.dll.tmp, degezappa.dll.tmp, wavikuse.dll.tmp (wondering what language that is...)

    Also, somehow the Windows system files SMS32.exe and WINLOGON.exe seem to be altered/corrupted.

    I tried all kinds of manual CMD procedures, reg keys and different scanners/removal tools (ATF-Cleaner, cleanns, FxNetsky, KillBox, Spyhunter, NSKClean, PrevX, SuperSpyHunter, MalwareAntiMalware, HijackThis...). The logs of the last 2 tools are attached; SuperAntiSpy did not give out a log, but it said "nothing found" anyway... ???

    So if anyone ever successfully removed this monster I would be more than happy about help... otherwise I guess I have to access my MBR and get rid of the corruption and reinstall my XP; my problem: I do not even have a recovery CD... Thanks, Jochen
    PS: Is there a safe way to open the temp files without having a sandbox system/virtual PC?
    PS: I took quite a few screenshots, so if someone is interested...

    [Saving space, attachment deleted by admin]

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    Hello. Welcome to CH!  8)

    Are you able to boot to Windows?

    These two files: C:\WINDOWS\system32\serauth1.dll and C:\WINDOWS\system32\serauth2.dll -- will continually be restored while their backup is in place. These are not necessarily bad.

    If you are able to boot, please do the following:

    Please open Notepad and enter in the following:
    @echo off
    rem Write a short report listing which of the known indicator files exist in System32.
    echo DMJ Find > findSUBawf.txt
    echo. >> findSUBawf.txt
    if exist "%SystemRoot%\System32\clauth1.dll" echo Found clauth1.dll >> findSUBawf.txt
    if exist "%SystemRoot%\System32\clauth2.dll" echo Found clauth2.dll >> findSUBawf.txt
    if exist "%SystemRoot%\System32\lsprst7.dll" echo Found lsprst7.dll >> findSUBawf.txt
    if exist "%SystemRoot%\System32\nsprs.dll" echo Found nsprs.dll >> findSUBawf.txt
    if exist "%SystemRoot%\System32\serauth1.dll" echo Found serauth1.dll >> findSUBawf.txt
    if exist "%SystemRoot%\System32\serauth2.dll" echo Found serauth2.dll >> findSUBawf.txt
    if exist "%SystemRoot%\System32\servdat.slm" echo Found servdat.slm >> findSUBawf.txt
    if exist "%SystemRoot%\System32\ssprs.dll" echo Found ssprs.dll >> findSUBawf.txt
    if exist "%SystemRoot%\System32\sysprs7.dll" echo Found sysprs7.dll >> findSUBawf.txt
    rem The line as first posted tested "%system%\bak"; %system% is not a variable Windows
    rem defines, so that test only ever looked for "\bak" on the current drive.
    rem %SystemRoot%\System32\bak is assumed to be the folder that was meant.
    if exist "%SystemRoot%\System32\bak" echo AWF-POSSIBLE >> findSUBawf.txt
    echo. >> findSUBawf.txt
    echo EOF >> findSUBawf.txt
    rem Open the report in the default text editor, then close this console window.
    start findSUBawf.txt
    exit
    Then, click File > Save as...
    Save as findSUBawf.cmd to your Desktop.
    Choose Save as type... All Files.
    Click Save.

    Then, exit Notepad.

    Double-click on findSUBawf.cmd, and it will finish quickly and launch a log.

    Please post that in your next reply along with a new HijackThis log. Note: post the contents of it, please do not upload.
    « Last Edit: January 30, 2010, 07:47:13 AM by DragonMaster Jay »
    ~Dr Jay
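An added example, not Dr Jay's script and not code from anyone in this thread: a Python version of the same indicator check that also compares each hit in System32 against the SafeNet Sentinel RMS copies under "All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System", the backup that keeps restoring serauth1.dll and serauth2.dll. The Sentinel path is taken from the ComboFix log posted later in this thread and assumed to be a German XP layout; the layout built by demo() is constructed for a self-test.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# The nine file names tested by findSUBawf.cmd.
INDICATOR_FILES = (
    "clauth1.dll", "clauth2.dll", "lsprst7.dll", "nsprs.dll", "serauth1.dll",
    "serauth2.dll", "servdat.slm", "ssprs.dll", "sysprs7.dll",
)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(system32: Path, sentinel_dir: Optional[Path]) -> Dict[str, str]:
    """Map each indicator name to a status, plus a "bak-folder" entry for the AWF test.

    absent              - not present in System32
    matches-backup      - present and byte-identical to the Sentinel copy; the licensing
                          component will keep restoring it, so it is not evidence on its own
    differs-from-backup - same name as a Sentinel file but different content: look closer
    no-backup           - present with nothing legitimate to compare against: look closer
    """
    results: Dict[str, str] = {}
    for name in INDICATOR_FILES:
        target = system32 / name
        if not target.is_file():
            results[name] = "absent"
            continue
        backup = sentinel_dir / name if sentinel_dir is not None else None
        if backup is None or not backup.is_file():
            results[name] = "no-backup"
        elif sha256_of(target) == sha256_of(backup):
            results[name] = "matches-backup"
        else:
            results[name] = "differs-from-backup"
    # Same folder test as the batch file's AWF line, assumed to mean System32\bak.
    results["bak-folder"] = "AWF-POSSIBLE" if (system32 / "bak").is_dir() else "absent"
    return results


def demo() -> Dict[str, str]:
    """Run classify() over a constructed layout in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "System32"
        sentinel = Path(tmp) / "Sentinel RMS Development Kit" / "System"
        sys32.mkdir()
        sentinel.mkdir(parents=True)
        # Constructed stubs; 1024 and 162 bytes are the sizes ComboFix reports for these names.
        (sentinel / "serauth1.dll").write_bytes(b"\x00" * 1024)
        (sys32 / "serauth1.dll").write_bytes(b"\x00" * 1024)  # identical restored copy
        (sentinel / "nsprs.dll").write_bytes(b"A" * 162)
        (sys32 / "nsprs.dll").write_bytes(b"B" * 162)  # same name, different content
        (sys32 / "lsprst7.dll").write_bytes(b"x")  # no Sentinel counterpart at all
        (sys32 / "bak").mkdir()
        return classify(sys32, sentinel)


if __name__ == "__main__":
    system_root = Path(os.environ.get("SystemRoot", r"C:\WINDOWS"))
    # Location of the Sentinel copies as listed by ComboFix in this thread (German XP);
    # an English install uses "Application Data" instead of "Anwendungsdaten".
    all_users = Path(os.environ.get("ALLUSERSPROFILE", r"C:\Dokumente und Einstellungen\All Users"))
    sentinel_dir = (all_users / "Anwendungsdaten" / "SafeNet Sentinel"
                    / "Sentinel RMS Development Kit" / "System")
    report = classify(system_root / "System32", sentinel_dir if sentinel_dir.is_dir() else None)
    for name, status in report.items():
        print(f"{name:<20} {status}")
```

A "matches-backup" result explains why the file reappears after deletion; the entries to investigate are the ones reported as "no-backup" or "differs-from-backup".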

    jowo

      Topic Starter


      Rookie

      Thanks for your reply DragonMasterJay.
      To your question: luckily I can boot into XP, and your search results are below:

      DMJ Find
       
      Found lsprst7.dll
      Found nsprs.dll
      Found serauth1.dll
      Found serauth2.dll
      Found servdat.slm
      Found sysprs7.dll
       
      EOF

      You mentioned not to upload but to post my results; I guess because of security concerns... so: I need to get some data files off that PC; can I load them onto my external (wireless) hard drive and access them from there, or is that too risky to infect the rest of my hardware? Also, as you probably saw in my log: I did not try "ComboFix" yet, as I wanted to await your advice...
      Thanks again for your help! 

      Dr Jay

      • Malware Removal Specialist


      • Specialist
      • Moderator emeritus
      Go ahead and load tools from the external device, or what you would like to use.

      Please visit this webpage for a tutorial on downloading and running ComboFix:

      http://www.bleepingcomputer.com/combofix/how-to-use-combofix

      See the area: Using ComboFix, and when done, post the log back here.
      ~Dr Jay

      jowo

        Topic Starter


        Rookie

        ComboFix says that my Symantec antivirus scanner is still running... your tutorial only mentions how to disable a "SYMANTEC ENDPOINT PROTECTION"... the Symantec help says to untick the auto-protect functions for "file system auto protect", "internet email auto protect", "lotus auto protect" and "MS exchange auto protect".
        I disabled all items but ComboFix says it is still active..
        Also: the Symantec scanner NEVER gave me a task icon to click on, only their firewall has such a thing.. should I run ComboFix anyway?

        jowo

          Topic Starter


          Rookie

          By the way: I'm running "Symantec AntiVirus Corporate Edition".

          Dr Jay

          • Malware Removal Specialist


          • Specialist
          • Moderator emeritus
          Ok. Go ahead and run ComboFix, without disabling the protection.
          ~Dr Jay

          jowo

            Topic Starter


            Rookie

            Here's the log:
            ComboFix 10-01-29.09 - Wolz 30.01.2010  18:46:56.1.2 - x86
            Microsoft Windows XP Professional  5.1.2600.3.1252.49.1031.18.3067.2466 [GMT -5:00]
            ausgeführt von:: c:\software-setup\antivirus stuff\ComboFix.exe
            AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
            FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
            .

            ((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\dokumente und einstellungen\Wolz\Anwendungsdaten\SystemProc
            c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}
            c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}\chrome.manifest
            c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}\chrome\content\_cfg.js
            c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}\chrome\content\overlay.xul
            c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}\install.rdf
            C:\s
            c:\windows\jestertb.dll
            c:\windows\system32\11478.exe
            c:\windows\system32\11942.exe
            c:\windows\system32\12382.exe
            c:\windows\system32\13015.exe
            c:\windows\system32\14604.exe
            c:\windows\system32\153.exe
            c:\windows\system32\15724.exe
            c:\windows\system32\16391.exe
            c:\windows\system32\16827.exe
            c:\windows\system32\18467.exe
            c:\windows\system32\19169.exe
            c:\windows\system32\19667.exe
            c:\windows\system32\21342.exe
            c:\windows\system32\23281.exe
            c:\windows\system32\24464.exe
            c:\windows\system32\25849.exe
            c:\windows\system32\26500.exe
            c:\windows\system32\26962.exe
            c:\windows\system32\28145.exe
            c:\windows\system32\292.exe
            c:\windows\system32\29358.exe
            c:\windows\system32\2995.exe
            c:\windows\system32\32391.exe
            c:\windows\system32\3902.exe
            c:\windows\system32\4827.exe
            c:\windows\system32\491.exe
            c:\windows\system32\5436.exe
            c:\windows\system32\5705.exe
            c:\windows\system32\6334.exe
            c:\windows\system32\9961.exe
            c:\windows\system32\lsprst7.dll
            c:\windows\system32\nsprs.dll
            c:\windows\system32\prsrvk.dll

            Infizierte Kopie von c:\windows\system32\drivers\iaStor.sys wurde gefunden und desinfiziert
            Kopie von - Kitty ate it :p wurde wiederhergestellt
            .
            (((((((((((((((((((((((   Dateien erstellt von 2009-12-28 bis 2010-01-30  ))))))))))))))))))))))))))))))
            .

            2010-01-30 08:24 . 2010-01-30 08:24   --------   d-----w-   c:\programme\Trend Micro
            2010-01-29 18:05 . 2010-01-29 18:05   53136   ----a-w-   c:\windows\system32\PxSecure.dll
            2010-01-29 18:05 . 2010-01-29 18:05   47664   ----a-w-   c:\windows\system32\drivers\pxrts.sys
            2010-01-29 18:05 . 2010-01-29 18:05   30280   ----a-w-   c:\windows\system32\drivers\pxscan.sys
            2010-01-29 18:05 . 2010-01-29 18:05   24496   ----a-w-   c:\windows\system32\drivers\pxkbf.sys
            2010-01-29 18:05 . 2010-01-29 18:05   --------   d-----w-   c:\programme\Prevx
            2010-01-29 18:05 . 2010-01-30 09:11   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\PrevxCSI
            2010-01-29 17:48 . 2010-01-29 17:48   1024   ----a-w-   c:\windows\system32\serauth2.dll
            2010-01-29 17:48 . 2010-01-29 17:48   1024   ----a-w-   c:\windows\system32\serauth1.dll
            2010-01-29 14:55 . 2009-11-21 15:54   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
            2010-01-29 14:44 . 2010-01-29 14:44   643072   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\audio_1.0.4\plugin_audio.dll
            2010-01-29 14:44 . 2010-01-29 14:44   364544   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\file_transfer_1.0.4\plugin_file_transfer.dll
            2010-01-29 14:44 . 2010-01-29 14:44   1536000   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\video_1.0.4\plugin_video.dll
            2010-01-29 14:44 . 2010-01-29 14:44   77824   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\wm_console.dll
            2010-01-29 14:44 . 2010-01-29 14:44   66960   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\isl_cad.exe
            2010-01-29 14:44 . 2010-01-29 14:44   61440   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\wm_desktop.dll
            2010-01-29 14:44 . 2010-01-29 14:44   593920   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\vncsrv.dll
            2010-01-29 14:44 . 2010-01-29 14:44   5632   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\win_utils.dll
            2010-01-29 14:44 . 2010-01-29 14:44   45056   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\isl_start.exe
            2010-01-29 14:44 . 2010-01-29 14:44   442368   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\plugin_desktop.dll
            2010-01-29 14:44 . 2010-01-29 14:44   239000   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\isl_stream.exe
            2010-01-29 14:44 . 2010-01-29 15:15   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3
            2010-01-29 14:15 . 2007-09-11 19:21   150528   ----a-w-   c:\windows\system32\TLBINF32.dll
            2010-01-29 14:15 . 2010-01-29 14:15   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\VSoft
            2010-01-29 14:15 . 2010-01-29 14:15   --------   d-----w-   c:\programme\Gemeinsame Dateien\VSoft
            2010-01-29 14:15 . 2010-01-29 14:15   --------   d-----w-   c:\programme\SAAZExmonScripts
            2010-01-29 14:11 . 2010-01-29 14:11   --------   d-----w-   C:\12539265af95f2fffe2558
            2010-01-29 14:11 . 2010-01-30 23:54   --------   d-----w-   c:\programme\SAAZOD
            2010-01-29 14:11 . 2010-01-29 14:19   --------   d-----w-   c:\programme\SetupLogs
            2010-01-29 14:11 . 2010-01-29 14:11   290816   ----a-w-   c:\windows\system32\WINHTTP5.DLL
            2010-01-29 14:11 . 2010-01-29 14:11   102912   ----a-w-   c:\windows\system32\VB6STKIT.DLL
            2010-01-29 09:38 . 2010-01-29 09:39   --------   d-----w-   c:\dokumente und einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Temp
            2010-01-29 04:34 . 2010-01-29 14:48   --------   d-----w-   C:\_mal
            2010-01-28 04:56 . 1999-07-24 05:15   291328   ----a-w-   c:\windows\system32\SAXZIPSP.DLL
            2010-01-27 03:44 . 2010-01-29 17:43   --------   d-----w-   C:\!KillBox
            2010-01-27 03:08 . 2010-01-27 03:12   --------   d-----w-   C:\_a
            2010-01-25 23:20 . 1999-07-24 05:15   291328   ----a-w-   c:\windows\system32\SAXZIPSPAN.DLL
            2010-01-25 21:59 . 2010-01-26 00:41   --------   d-----w-   C:\_fp91
            2010-01-25 16:32 . 2010-01-25 16:32   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Malwarebytes
            2010-01-25 16:32 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-01-25 16:32 . 2010-01-29 04:25   --------   d-----w-   c:\programme\Malwarebytes' Anti-Malware
            2010-01-25 16:32 . 2010-01-25 16:32   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
            2010-01-25 16:32 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2010-01-25 13:36 . 2010-01-25 13:36   52224   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
            2010-01-25 13:36 . 2010-01-29 14:06   117760   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
            2010-01-25 13:36 . 2010-01-25 13:36   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
            2010-01-25 13:35 . 2010-01-25 13:35   --------   d-----w-   c:\programme\SUPERAntiSpyware
            2010-01-25 13:35 . 2010-01-25 13:35   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\SUPERAntiSpyware.com
            2010-01-25 13:35 . 2010-01-25 13:35   --------   d-----w-   c:\programme\Gemeinsame Dateien\Wise Installation Wizard
            2010-01-25 13:32 . 2010-01-25 14:20   --------   d-----w-   c:\programme\XLAB ISL Plugins
            2010-01-25 13:30 . 2010-01-29 14:32   --------   d-----w-   c:\programme\XLAB ISL Light Client3
            2010-01-23 20:43 . 2010-01-23 20:43   552   ----a-w-   c:\windows\system32\d3d8caps.dat
            2010-01-23 20:13 . 2010-01-26 20:19   120   ----a-w-   c:\windows\Twamilaha.dat
            2010-01-22 16:11 . 2010-01-25 21:59   --------   d-----w-   C:\____fp91
            2010-01-22 03:29 . 2010-01-22 03:31   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\EPSON
            2010-01-22 03:29 . 2010-01-22 03:29   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Leadertech
            2010-01-22 03:24 . 2010-01-22 04:07   --------   d-----w-   c:\programme\ABBYY FineReader 6.0 Sprint
            2010-01-22 03:23 . 2010-01-22 03:23   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\UDL
            2010-01-22 03:21 . 2010-01-22 03:21   --------   d-----w-   c:\programme\Epson Software
            2010-01-22 03:21 . 2007-12-16 19:00   143872   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\EPSON\EPW!3 SSRP\E_S40ST7.EXE
            2010-01-22 03:21 . 2007-01-10 19:02   113664   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\EPSON\EPW!3 SSRP\E_S40RP7.EXE
            2010-01-22 03:21 . 2007-12-06 17:08   86528   ----a-w-   c:\windows\system32\E_FLBEJA.DLL
            2010-01-22 03:21 . 2007-12-06 17:01   78848   ----a-w-   c:\windows\system32\E_FD4BEJA.DLL
            2010-01-22 03:21 . 2006-10-20 05:10   80024   ----a-w-   c:\windows\system32\PICSDK.dll
            2010-01-22 03:21 . 2006-10-20 05:10   501912   ----a-w-   c:\windows\system32\PICSDK2.dll
            2010-01-22 03:21 . 2006-10-20 05:10   108704   ----a-w-   c:\windows\system32\PICEntry.dll
            2010-01-22 03:19 . 2010-01-22 03:21   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\EPSON
            2010-01-22 03:19 . 2007-07-13 05:00   71680   ----a-w-   c:\windows\system32\escwiad.dll
            2010-01-22 03:19 . 2010-01-22 03:29   --------   d-----w-   c:\programme\epson
            2010-01-17 20:38 . 2010-01-17 21:02   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Apple Computer
            2010-01-17 20:38 . 2009-05-18 19:17   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
            2010-01-17 20:38 . 2008-04-17 18:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
            2010-01-17 20:38 . 2010-01-17 20:38   --------   d-----w-   c:\programme\iPod
            2010-01-17 20:38 . 2010-01-17 20:38   --------   d-----w-   c:\programme\iTunes
            2010-01-17 20:38 . 2010-01-17 20:38   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\{755AC846-7372-4AC8-8550-C52491DAA8BD}
            2010-01-17 20:37 . 2010-01-17 20:58   --------   d-----w-   c:\programme\Bonjour
            2010-01-17 20:37 . 2010-01-17 20:37   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer
            2010-01-17 20:37 . 2010-01-17 20:37   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\Apple
            2010-01-17 20:37 . 2010-01-17 20:37   --------   d-----w-   c:\programme\Apple Software Update
            2010-01-17 20:36 . 2010-01-17 20:36   --------   d-----w-   c:\programme\Gemeinsame Dateien\Apple
            2010-01-17 20:36 . 2010-01-17 20:36   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple
            2010-01-17 20:36 . 2010-01-18 14:23   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\Apple Computer
            2010-01-17 19:21 . 2010-01-17 19:21   --------   d-----w-   C:\download_torrent
            2010-01-17 09:34 . 2010-01-17 09:34   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\AVS4YOU
            2010-01-17 09:33 . 2010-01-17 09:33   --------   d-----w-   c:\programme\Gemeinsame Dateien\AVSMedia
            2010-01-17 09:33 . 2010-01-17 09:33   --------   d-----w-   c:\programme\AVS4YOU
            2010-01-17 09:33 . 2003-05-21 17:50   24576   ----a-w-   c:\windows\system32\msxml3a.dll
            2010-01-06 23:20 . 2010-01-06 23:20   --------   d-----w-   c:\dokumente und einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Google
            2010-01-03 12:04 . 2010-01-03 12:12   --------   d-----w-   C:\_PC-Backup
            2010-01-02 09:32 . 2010-01-28 15:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
            2010-01-02 03:45 . 2010-01-02 03:45   --------   d-----w-   c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Google

            .
            ((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-01-30 23:57 . 2009-03-29 15:28   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Skype
            2010-01-30 23:52 . 2008-10-08 17:28   40   ----a-w-   c:\windows\system32\profile.dat
            2010-01-30 20:08 . 2008-10-17 14:36   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google Updater
            2010-01-30 12:36 . 2008-07-21 12:14   312344   ----a-w-   c:\windows\system32\drivers\iaStor.sys
            2010-01-30 12:19 . 2009-11-28 05:49   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\TeamViewer Manager
            2010-01-30 11:07 . 2008-10-08 17:27   --------   d-----w-   c:\programme\Gemeinsame Dateien\Symantec Shared
            2010-01-30 08:04 . 2008-07-21 13:07   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
            2010-01-29 15:11 . 2008-07-21 12:14   574580   ----a-w-   c:\windows\system32\perfh007.dat
            2010-01-29 15:11 . 2008-07-21 12:14   127768   ----a-w-   c:\windows\system32\perfc007.dat
            2010-01-28 07:30 . 2008-11-11 14:33   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\gtk-2.0
            2010-01-24 03:49 . 2009-09-15 18:18   --------   d-----w-   c:\programme\Mozilla Thunderbird
            2010-01-22 08:37 . 2009-01-09 02:32   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\uTorrent
            2010-01-22 03:29 . 2008-07-21 12:45   --------   d--h--w-   c:\programme\InstallShield Installation Information
            2010-01-17 21:01 . 2008-07-21 12:26   101664   ----a-w-   c:\dokumente und einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
            2010-01-17 20:37 . 2009-11-01 19:36   --------   d-----w-   c:\programme\QuickTime
            2010-01-07 16:51 . 2009-11-14 05:20   185   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsrvk.dll
            2010-01-07 16:51 . 2009-11-14 05:20   162   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\nsprs.dll
            2010-01-05 02:05 . 2009-07-21 19:05   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\OpenOffice.org2
            2010-01-02 04:07 . 2008-10-17 11:38   --------   d-----w-   c:\programme\Google
            2009-12-27 05:54 . 2009-12-27 05:54   --------   d-----w-   c:\programme\Ashampoo
            2009-12-27 04:03 . 2009-12-27 03:18   --------   d-----w-   c:\programme\Microsoft Bootvis
            2009-12-27 03:18 . 2009-12-27 03:18   1078   ----a-r-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_4ae13d6c.exe
            2009-12-27 03:18 . 2009-12-27 03:18   1078   ----a-r-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_2cd672ae.exe
            2009-12-27 03:18 . 2009-12-27 03:18   1078   ----a-r-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_294823.exe
            2009-12-27 03:18 . 2009-12-27 03:18   1078   ----a-r-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_18be6784.exe
            2009-12-22 05:07 . 2008-07-21 12:14   672768   ----a-w-   c:\windows\system32\wininet.dll
            2009-12-22 05:07 . 2008-07-21 12:14   81920   ----a-w-   c:\windows\system32\ieencode.dll
            2009-12-08 04:39 . 2009-12-08 04:38   --------   d-----w-   c:\programme\ISBE
            2009-12-07 02:44 . 2009-12-07 02:44   --------   d-----w-   c:\dokumente und einstellungen\LocalService\Anwendungsdaten\TeamViewer
            2009-12-07 02:37 . 2009-10-19 01:43   --------   d-----w-   c:\programme\TeamViewer
            2009-11-23 19:34 . 2009-11-23 19:34   436674   ----a-w-   C:\_fp83.zip
            2009-11-21 15:54 . 2008-07-21 12:14   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
            2009-11-17 18:45 . 2009-11-17 19:53   1449019   ----a-w-   C:\TeamViewerQS.exe
            2009-11-14 05:20 . 2009-11-14 05:20   1024   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\serauth2.dll
            2009-11-14 05:20 . 2009-11-14 05:20   1024   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\serauth1.dll
            2009-11-14 05:20 . 2009-11-14 05:20   1024   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\rvkauth2.dll
            2009-11-14 05:20 . 2009-11-14 05:20   1024   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\rvkauth1.dll
            2009-11-12 22:07 . 2009-11-12 22:07   79144   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
            2009-11-09 17:12 . 2009-11-09 17:12   25088   ----a-w-   c:\windows\system32\drivers\teamviewervpn.sys
            2009-11-08 22:34 . 2009-11-05 16:39   1392304   ----a-w-   c:\windows\system32\AutoPartNt.exe
            2009-11-05 16:01 . 2009-11-05 16:01   971168   ----a-w-   c:\windows\system32\drivers\tdrpm140.sys
            2009-11-05 16:00 . 2009-11-05 16:00   540000   ----a-w-   c:\windows\system32\drivers\timntr.sys
            2009-11-05 16:00 . 2009-11-05 16:00   44704   ----a-w-   c:\windows\system32\drivers\tifsfilt.sys
            2009-11-05 15:58 . 2009-11-05 15:58   134272   ----a-w-   c:\windows\system32\drivers\snman380.sys
            1992-03-10 10:00 . 2009-04-16 09:48   95232   ----a-w-   c:\programme\CARDFILE.EXE
            1601-01-01 00:03 . 1601-01-01 00:03   52736   --sha-w-   c:\windows\system32\buhosazu.dll.tmp
            1601-01-01 00:03 . 1601-01-01 00:03   55296   --sha-w-   c:\windows\system32\degezapa.dll.tmp
            1601-01-01 00:03 . 1601-01-01 00:03   55296   --sha-w-   c:\windows\system32\pufutosu.dll.tmp
            1601-01-01 00:03 . 1601-01-01 00:03   52736   --sha-w-   c:\windows\system32\tamowevu.dll.tmp
            1601-01-01 00:03 . 1601-01-01 00:03   55296   --sha-w-   c:\windows\system32\wavikuse.dll.tmp
            1601-01-01 00:03 . 1601-01-01 00:03   52736   --sha-w-   c:\windows\system32\wulibuli.dll.tmp
            .

            ((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
            REGEDIT4

            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
            2009-11-05 14:01   2166296   ----a-w-   c:\programme\myBabylon_English\tbmyB1.dll

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
            "{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\programme\myBabylon_English\tbmyB1.dll" [2009-11-05 2166296]

            [HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

            [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
            "{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\programme\myBabylon_English\tbmyB1.dll" [2009-11-05 2166296]

            [HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "TOSCDSPD"="REM" [X]
            "Skype"="c:\programme\Skype\Phone\Skype.exe" [2009-03-11 24095528]
            "swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-17 39408]
            "SUPERAntiSpyware"="c:\programme\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "DpUtil"="REM" [X]
            "TPSMain"="TPSMain.exe" [2007-11-21 299008]
            "ccApp"="c:\programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2006-03-07 53408]
            "TrueImageMonitor.exe"="c:\programme\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-10-04 4344472]
            "AcronisTimounterMonitor"="c:\programme\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-10-04 960376]
            "Acronis Scheduler2 Service"="c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2008-10-04 165144]
            "OSSelectorReinstall"="c:\programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-23 2209224]
            "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-29 13537280]
            "TAudEffect"="c:\programme\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 344144]
            "nwiz"="nwiz.exe" [2008-05-29 1630208]
            "00THotkey"="c:\windows\system32\00THotkey.exe" [2006-08-11 253952]
            "QuickTime Task"="c:\programme\QuickTime\QTTask.exe" [2009-11-11 417792]
            "iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2009-11-12 141600]

            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
            "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

            c:\dokumente und einstellungen\Wolz\Startmenü\Programme\Autostart\
            Verknüpfung mit AUTOEXEC.lnk - C:\AUTOEXEC.BAT [2008-7-21 50]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
            "NoResolveTrack"= 0 (0x0)
            "NoFileAssociate"= 0 (0x0)

            [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
            "NoSetActiveDesktop"= 1 (0x1)
            "NoActiveDesktopChanges"= 1 (0x1)

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2009-09-03 19:21   548352   ----a-w-   c:\programme\SUPERAntiSpyware\SASWINLO.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
            2006-07-21 17:54   65536   ----a-w-   c:\windows\system32\TosBtNP.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
            c:\windows\system32\dumprep 0 -k [X]

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThpSrv]
            c:\windows\system32\thpsrv [X]

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2uvc]
            REM [X]

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
            2001-06-23 02:28   24576   ----a-w-   c:\windows\system32\000StTHK.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
            2008-04-07 14:40   16860672   ----a-w-   c:\windows\RTHDCPL.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
            "TPCHSrv"=3 (0x3)
            "Tmesrv"=3 (0x3)
            "SavRoam"=3 (0x3)
            "ISSVC"=3 (0x3)
            "DfSdkS"=3 (0x3)

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
            "DisableMonitoring"=dword:00000001

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
            "c:\\Programme\\uTorrent\\uTorrent.exe"=
            "c:\\Programme\\Gemeinsame Dateien\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
            "c:\\Programme\\Gemeinsame Dateien\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
            "c:\\Programme\\Bonjour\\mDNSResponder.exe"=
            "c:\\Programme\\iTunes\\iTunes.exe"=
            "c:\\Programme\\TeamViewer\\Version5\\TeamViewer.exe"=
            "c:\\cgtech62\\windows\\jre\\bin\\javaw.exe"=
            "c:\\Programme\\Skype\\Phone\\Skype.exe"=

            R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [29.01.2010 13:05 30280]
            R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [05.11.2009 11:01 971168]
            R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [11.01.2008 15:58 21120]
            R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [04.09.2007 03:14 6528]
            R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [05.01.2010 07:56 9968]
            R1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [05.01.2010 07:56 74480]
            R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [21.07.2008 07:58 5888]
            R2 CSIScanner;CSIScanner;c:\programme\Prevx\prevx.exe [29.01.2010 13:05 6224896]
            R2 MSSQL$TOOLSTUDIO;SQL Server (TOOLSTUDIO);c:\programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [27.05.2009 03:27 29262680]
            R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [29.01.2010 13:05 47664]
            R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.exe [13.06.2009 11:33 81920]
            R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [04.06.2009 11:49 73728]
            R2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [29.01.2010 09:11 77824]
            R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [30.04.2009 19:46 77824]
            R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\SAAZWatchDog.exe [04.06.2009 11:51 81920]
            R2 Sentinel RMS License Manager;Sentinel RMS License Manager;c:\cgtech62\windows\license\lservnt.exe [16.10.2008 12:20 774144]
            R2 SentinelKeysServer;Sentinel Keys Server;c:\programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [10.07.2008 18:02 328992]
            R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26.03.2007 05:22 105856]
            R2 TeamViewer5;TeamViewer 5;c:\programme\TeamViewer\Version5\TeamViewer_Service.exe [12.01.2010 09:57 185640]
            R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19.02.2007 05:15 134016]
            R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [30.04.2008 14:09 4992]
            R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [21.07.2008 07:14 244368]
            R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programme\Gemeinsame Dateien\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [13.09.2009 08:00 102448]
            R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21.07.2008 07:31 41216]
            R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [29.01.2010 13:05 24496]
            R3 SASENUM;SASENUM;c:\programme\SUPERAntiSpyware\SASENUM.SYS [05.01.2010 07:56 7408]
            R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [09.11.2009 12:12 25088]
            R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [21.07.2008 07:48 435072]
            S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [01.01.2010 23:07 135664]
            S2 UGS License Server (ugslmd);UGS License Server (ugslmd);c:\programme\UGS\UGSLicensing\lmgrd.exe [07.07.2009 13:16 1510152]
            S3 IwUSB;IwUSB Driver;c:\windows\system32\drivers\IwUSB.sys [26.10.2008 18:28 20645]
            S3 UNS;Intel(R) Active Management Technology User Notification Service;c:\programme\Gemeinsame Dateien\Intel\Privacy Icon\UNS\UNS.exe [08.10.2008 10:50 2058776]
            S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [03.05.2009 08:38 627072]
            S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [27.10.2008 01:59 259584]
            S3 XRNBO;XRNBO;c:\windows\system32\drivers\XRNBO.sys [05.04.2009 19:17 177152]
            S4 DfSdkS;Defragmentation-Service;c:\programme\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\DfSdkS.exe [27.12.2009 01:02 406016]
            S4 MSSQLServerADHelper100;SQL Server Hilfsdienst für Active Directory;c:\programme\Microsoft SQL Server\100\Shared\sqladhlp.exe [10.07.2008 16:27 47128]
            S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10.07.2008 01:49 242712]
            S4 SavRoam;SAVRoam;c:\programme\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [16.03.2006 23:34 115952]
            S4 SQLAgent$SQLEXPRESS;SQL Server-Agent (SQLEXPRESS);c:\programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [10.07.2008 16:27 369688]
            S4 Tmesrv;Tmesrv3;c:\programme\Toshiba\TME3\TMESRV31.exe [21.07.2008 07:58 118784]
            S4 TPCHSrv;TPCH Service;c:\programme\Toshiba\TPHM\TPCHSrv.exe [27.05.2008 06:12 628072]
            .
            Inhalt des "geplante Tasks" Ordners

            2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

            2010-01-30 c:\windows\Tasks\Google Software Updater.job
            - c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-17 13:53]
            .
            .
            ------- Zusätzlicher Suchlauf -------
            .
            uStart Page = hxxp://www.google.com/
            uSearch Page = hxxp://www.google.com
            uSearch Bar = hxxp://www.google.com/ie
            mDefault_Search_URL = hxxp://www.google.com/ie
            uInternet Settings,ProxyOverride = *.local
            uSearchAssistant = hxxp://www.google.com/ie
            uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
            mSearchAssistant = hxxp://www.google.com/ie
            IE: Google Sidewiki... - c:\programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
            IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
            IE: {{21196042-830F-419f-A594-F9D456A6C29A} - {21196042-830F-419f-A594-F9D456A6C29A}   c:\programme\TimeLeft3\TLIntergIE.html - c:\programme\timeleft3\tlintergie.html\inprocserver32 does not exist!
            FF - ProfilePath - c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Mozilla\Firefox\Profiles\ba9ldl0e.default\
            FF - prefs.js: browser.startup.homepage - www.google.com
            FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
            FF - plugin: c:\programme\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
            FF - plugin: c:\programme\Google\Update\1.2.183.13\npGoogleOneClick8.dll
            FF - plugin: c:\programme\Mozilla Firefox\plugins\npcosmop211.dll
            FF - plugin: c:\programme\Virtual Earth 3D\npVE3D.dll
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

            ---- FIREFOX Richtlinien ----
            FF - user.js: browser.blink_allowed - true
            FF - user.js: network.prefetch-next - true
            FF - user.js: nglayout.initialpaint.delay - 250
            FF - user.js: layout.spellcheckDefault - 1
            FF - user.js: browser.urlbar.autoFill - false
            FF - user.js: browser.search.openintab - false
            FF - user.js: browser.tabs.closeButtons - 1
            FF - user.js: browser.tabs.opentabfor.middleclick - true
            FF - user.js: browser.tabs.tabMinWidth - 100
            FF - user.js: browser.urlbar.hideGoButton - false
            FF - user.js: general.useragent.extra.prevx - (Prevx 3.0.5)
            .
            - - - - Entfernte verwaiste Registrierungseinträge - - - -

            MSConfigStartUp-Okadi - REM rundll32.exe
            MSConfigStartUp-smss32 - c:\windows\system32\smss32.exe
            MSConfigStartUp-TPSODDCtl - REM TPSODDCtl.exe
            MSConfigStartUp-zufigekab - c:\windows\system32\vujigami.dll



            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2010-01-30 18:56
            Windows 5.1.2600 Service Pack 3 NTFS

            Scanne versteckte Prozesse...

            Scanne versteckte Autostarteinträge...

            Scanne versteckte Dateien...

            Scan erfolgreich abgeschlossen
            versteckte Dateien: 0

            **************************************************************************
            .
            --------------------- Gesperrte Registrierungsschluessel ---------------------

            [HKEY_USERS\S-1-5-21-328488726-541291574-1648763155-1005\Software\Microsoft\SystemCertificates\AddressBook*]
            @Allowed: (Read) (RestrictedCode)
            @Allowed: (Read) (RestrictedCode)

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\not active]
            @DACL=(02 0000)
            "NDSTray.exe"="REM NDSTray.exe"
            "NvCplDaemon"="RUNDLL32.EXE c:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
            "NVRotateSysTray"="REM rundll32.exe c:\\WINDOWS\\system32\\nvsysrot.dll,Enable"
            "openvpn-gui"="REM c:\\Programme\\Astaro\\Astaro SSL VPN Client\\bin\\openvpn-gui.exe"
            "QuickTime Task"="REM \"c:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
            "SmoothView"="REM c:\\Programme\\TOSHIBA\\TOSHIBA Zoom-Dienstprogramm\\SmoothView.exe"
            "snp2uvc"="REM c:\\WINDOWS\\vsnp2uvc.exe"
            "TFncKy"="REM TFncKy.exe"
            "TFNF5"="REM TFNF5.exe"
            "TMERzCtl.EXE"="REM c:\\Programme\\TOSHIBA\\TME3\\TMERzCtl.EXE /Service"
            "TMESRV.EXE"="REM c:\\Programme\\TOSHIBA\\TME3\\TMESRV31.EXE /Logon"
            "TOSDCR"="REM TOSDCR.EXE"
            "TosHKCW.exe"="REM \"c:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
            "TPCHWMsg"="REM %ProgramFiles%\\TOSHIBA\\TPHM\\TPCHWMsg.exe"
            "picon"="REM \"c:\\Programme\\Gemeinsame Dateien\\Intel\\Privacy Icon\\PrivacyIconClient.exe\" -startup"
            "ITSecMng"="REM %ProgramFiles%\\TOSHIBA\\Bluetooth Toshiba Stack\\ItSecMng.exe /START"
            "DDWMon"="REM c:\\Programme\\TOSHIBA\\TOSHIBA Direct Disc Writer\\\\ddwmon.exe"
            "DataCardMonitor"="REM c:\\Programme\\T-Mobile\\web'n'walk Manager\\DataCardMonitor.exe"
            "Camera Assistant Software"="REM \"c:\\Program Files\\Camera Assistant Software for Toshiba\\traybar.exe\" /start"
            "Apoint"="REM c:\\Programme\\Apoint2K\\Apoint.exe"
            "Alcmtr"="REM ALCMTR.EXE"
            "Adobe Reader Speed Launcher"="REM \"c:\\Programme\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
            @DACL=(02 0000)
            "Installed"="1"
            @=""

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
            @DACL=(02 0000)
            "NoChange"="1"
            "Installed"="1"
            @=""

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
            @DACL=(02 0000)
            "Installed"="1"
            @=""
            .
            --------------------- Durch laufende Prozesse gestartete DLLs ---------------------

            - - - - - - - > 'winlogon.exe'(1820)
            c:\programme\SUPERAntiSpyware\SASWINLO.dll

            - - - - - - - > 'explorer.exe'(4184)
            c:\windows\system32\Audiodev.dll
            c:\windows\system32\WMVCore.DLL
            c:\windows\system32\WMASF.DLL
            c:\windows\system32\msi.dll
            c:\windows\system32\TPwrCfg.DLL
            c:\windows\system32\TPwrReg.dll
            c:\windows\system32\TPSTrace.DLL
            .
            ------------------------ Weitere laufende Prozesse ------------------------
            .
            c:\programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
            c:\programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
            c:\programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
            c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
            c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            c:\programme\Bonjour\mDNSResponder.exe
            c:\windows\system32\drivers\CDAC11BA.EXE
            c:\programme\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
            c:\programme\Java\jre6\bin\jqs.exe
            c:\programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
            c:\windows\system32\nvsvc32.exe
            c:\progra~1\SAAZOD\RMHLPDSK.exe
            c:\programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
            c:\programme\Microsoft SQL Server\90\Shared\sqlbrowser.exe
            c:\programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
            c:\programme\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
            c:\windows\system32\TODDSrv.exe
            c:\programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
            c:\programme\TeamViewer\Version5\TeamViewer.exe
            c:\windows\system32\wbem\wmiapsrv.exe
            c:\windows\system32\TPSBattM.exe
            c:\programme\iPod\bin\iPodService.exe
            .
            **************************************************************************
            .
            Zeit der Fertigstellung: 2010-01-30  19:00:16 - PC wurde neu gestartet
            ComboFix-quarantined-files.txt  2010-01-31 00:00

            Vor Suchlauf: 54 Verzeichnis(se), 62.885.388.288 Bytes frei
            Nach Suchlauf: 57 Verzeichnis(se), 62.916.112.384 Bytes frei

            WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
            [boot loader]
            timeout=2
            default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
            [operating systems]
            c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg
            [spybotsd]
            timeout.old=30

            - - End Of File - - E4C16A1E1E7592A72C84873A5A49E0A1


            I don't know if it made a difference that Prevx was running (or kept coming up during the scan...)

            Dr Jay

            Hi again. Please do these steps in order.

            1. Please download TFC by OldTimer to your desktop
            • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
            • It will close all programs when run, so make sure you have saved all your work before you begin.
            • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
            • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
            2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
            Alternate link: BleepingComputer.com.
            (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

            Double Click mbam-setup.exe to install the application.

            (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
            • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
            • If an update is found, it will download and install the latest version.
            • Once the program has loaded, select "Perform Full Scan", then click Scan.
            • The scan may take some time to finish, so please be patient.
            • When the scan is complete, click OK, then Show Results to view the results.
            • Make sure that everything is checked, and click Remove Selected.
            • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
            • Please save the log to a location you will remember.
            • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
            • Copy and paste the entire report in your next reply.
            Extra Note:

            If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

            3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

            http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

            Post the log from SUPERAntiSpyware when you've accomplished that.

            4. Please run a free online scan with the ESET Online Scanner
            • Tick the box next to YES, I accept the Terms of Use
            • Click Start
            • When asked, allow the ActiveX control to install
            • Click Start
            • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
            • Click Scan (This scan can take several hours, so please be patient)
            • Once the scan is completed, you may close the window
            • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
            • Copy and paste that log as a reply to this topic

            5. Post the following in your next reply:
            • MBAM log
            • SAS log
            • ESET log
            And, please tell me how your computer is doing.
            ~Dr Jay

            jowo

              Hi Jay.
              You were right: the scan took quite a while. In general my PC is running quite okay (not slowed down, no browser hijacking yet, but I'm not sure if it stays like this, because before I contacted this forum I already had Malwarebytes, SuperAntiSpy and others running and it somehow cleaned the virus out, but not for good...
              What is different this time:
              I am finally able to boot into safe mode! From there I ran mbam.exe and SUPERAntiSpyware.exe and will post the results at the end. In safe mode I was able to delete the Windows/temp files (TFC was not successful) but: after booting into normal mode the files are back again. Do any of the tools we tried scan the MBR?

              So here go the logfiles you requested (to be sure I made "Full Scans"); the additional logs that I made in a safe boot session are attached at the very end.

              ;_______________________________________ _______________________________________ ________

              Malwarebytes' Anti-Malware 1.44
              Database version: 3657
              Windows 5.1.2600 Service Pack 3
              Internet Explorer 6.0.2900.5512

              31.01.2010 00:41:13
              mbam-log-2010-01-31 (00-40-51)_full scan.txt

              Scan type: Full Scan (C:\|)
              Objects scanned: 376633
              Time elapsed: 2 hour(s), 18 minute(s), 24 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 0
              Registry Values Infected: 0
              Registry Data Items Infected: 2
              Folders Infected: 0
              Files Infected: 6

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              (No malicious items detected)

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

              Folders Infected:
              (No malicious items detected)

              Files Infected:
              C:\System Volume Information\_restore{DC2DA2EA-21ED-457B-93C3-D3405BD437B8}\RP16\A0000567.sys (Malware.Trace) -> No action taken.
              C:\System Volume Information\_restore{DC2DA2EA-21ED-457B-93C3-D3405BD437B8}\RP16\A0000604.com (Trojan.Agent) -> No action taken.
              C:\System Volume Information\_restore{DC2DA2EA-21ED-457B-93C3-D3405BD437B8}\RP16\A0000752.sys (Malware.Trace) -> No action taken.
              C:\System Volume Information\_restore{DC2DA2EA-21ED-457B-93C3-D3405BD437B8}\RP16\A0000780.com (Trojan.Agent) -> No action taken.
              C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> No action taken.
              C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> No action taken.

              ;_______________________________________ _______________________________________ _________

              SUPERAntiSpyware Scan Log
              http://www.superantispyware.com

              Generated 01/30/2010 at 09:56 PM

              Application Version : 4.33.1000

              Core Rules Database Version : 4531
              Trace Rules Database Version: 2343

              Scan type       : Quick Scan
              Total Scan Time : 00:00:02

              Memory items scanned      : 123
              Memory threats detected   : 0
              Registry items scanned    : 0
              Registry threats detected : 0
              File items scanned        : 0
              File threats detected     : 0


              ;___________ESET-scanner log_2010-01-31.txt_______________________________________________

              C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir   Win32/Olmarik.SJ virus   deleted - quarantined
              C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\Internet Explorer\Desktop.htt   Win32/TrojanDownloader.FakeAlert.AED virus   deleted - quarantined
              C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\6PQ9SBUD\load[1].php   a variant of Win32/Kryptik.BYA trojan   cleaned by deleting - quarantined
              C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8RSBCDEF\pdf[1].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
              C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8RSBCDEF\pdf[2].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
              C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GZI123MN\pdf[1].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
              C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GZI123MN\pdf[2].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
              C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GZI123MN\pdf[3].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
              C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GZI123MN\pdf[4].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
              C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\I1K3M5OP\pdf[2].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined


              ;_______________________________________ _______________________________________ __________
              ;_____________the next two logs were created during a safe boot session ________________________________
              ;____________mbam-log-2010-01-31 (02-11-57)_fullscan in save mode.txt______________________________
              Malwarebytes' Anti-Malware 1.44
              Database version: 3657
              Windows 5.1.2600 Service Pack 3 (Safe Mode)
              Internet Explorer 6.0.2900.5512

              31.01.2010 02:12:28
              mbam-log-2010-01-31 (02-11-57)_fullscan in save mode.txt

              Scan type: Full Scan (C:\|)
              Objects scanned: 376092
              Time elapsed: 1 hour(s), 0 minute(s), 31 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 0
              Registry Values Infected: 0
              Registry Data Items Infected: 2
              Folders Infected: 0
              Files Infected: 0

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              (No malicious items detected)

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

              Folders Infected:
              (No malicious items detected)

              Files Infected:
              (No malicious items detected)

              ;_____________________SUPERAntiSpyware Scan Log - 01-31-2010 - 01-52-57_save mode quick scan.log_____
              SUPERAntiSpyware Scan Log
              http://www.superantispyware.com

              Generated 01/31/2010 at 01:52 AM

              Application Version : 4.33.1000

              Core Rules Database Version : 4531
              Trace Rules Database Version: 2343

              Scan type       : Quick Scan
              Total Scan Time : 00:44:45

              Memory items scanned      : 239
              Memory threats detected   : 0
              Registry items scanned    : 670
              Registry threats detected : 0
              File items scanned        : 21468
              File threats detected     : 1

              Adware.Tracking Cookie
                 C:\Dokumente und Einstellungen\Wolz\Cookies\wolz@doubleclick[1].txt

              ;_______________________________________ _______________________________________ _________




              Please tell me what you think...
              I need to access some files (data, pictures, emails etc.) which are on the infected PC.
              Is it safe to transfer them (wirelessly to my network drive) and copy them onto my other, uninfected laptop?

              By the way: I'm using XP Professional 32-bit.

              Thanks for your time.
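As an added example (not part of this thread, and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.x log format posted above. It pulls out every flagged item with its final action and lists the ones marked "No action taken", which in these logs means the item was detected but not quarantined or deleted. That is the check a responder wants on the two full-scan logs above: the Security Center values and the serauth*.dll files were found in both runs, and in both runs the action column says nothing was removed. The embedded SAMPLE_LOG is a constructed excerpt built from entries quoted in the thread; the two lines ending in "Quarantined and deleted successfully." are assumed wording for a removed item, added for contrast.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log (added example).

This helper is not part of Malwarebytes or of the thread; it reads the
log format posted above and reports which detections were only logged
("No action taken") rather than removed.  SAMPLE_LOG is a constructed
excerpt in that format, built from entries quoted in the thread plus two
lines with an assumed "Quarantined and deleted successfully." action.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3657
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

31.01.2010 02:12:28
mbam-log-2010-01-31 (02-11-57)_fullscan in save mode.txt

Scan type: Full Scan (C:\|)
Objects scanned: 376092
Time elapsed: 1 hour(s), 0 minute(s), 31 second(s)

Registry Data Items Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Detection:
    section: str         # log section, e.g. "Files Infected"
    item: str            # file path or registry value that was flagged
    classification: str  # MBAM family name in parentheses, e.g. "Trojan.Agent"
    action: str          # last "->" field: what MBAM did with the item


# "Files Infected:" (no count) opens a detail section; "Files Infected: 6" is a summary line.
_SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<item> (<classification>) -> ... -> <action>"
_DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<cls>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return (header_fields, detections) for one MBAM 1.x log."""
    header = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None:
            # Header block: the "Windows ..." line says whether the scan ran in Safe Mode.
            if line.startswith("Windows "):
                header["safe_mode"] = "(Safe Mode)" in line
            elif ": " in line:
                key, _, value = line.partition(": ")
                header[key] = value
            continue
        if line.startswith("("):
            continue  # "(No malicious items detected)"
        m = _DETECTION_RE.match(line)
        if m:
            # Registry data lines carry "Bad: (1) Good: (0)" before the action; keep only the last field.
            action = m.group("rest").rsplit(" -> ", 1)[-1]
            detections.append(Detection(section, m.group("item"), m.group("cls"), action))
    return header, detections


def pending_items(detections):
    """Detections that MBAM logged but did not quarantine or delete."""
    return [d for d in detections if d.action.startswith("No action taken")]


def summarize(text):
    """One dict per log: what was found, what is still untouched, which families."""
    header, detections = parse_mbam_log(text)
    pending = pending_items(detections)
    return {
        "scan_type": header.get("Scan type", "?"),
        "safe_mode": header.get("safe_mode", False),
        "detected": len(detections),
        "pending": len(pending),
        "pending_items": [d.item for d in pending],
        "by_class": sorted({d.classification for d in detections}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pass the contents of a saved mbam-log-*.txt to summarize(); a non-empty pending_items list means the scan results were never acted on, so the items should be selected and removed (or the scan re-run) before the machine is treated as clean.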

              Dr Jay

              Please download RootRepeal from GooglePages.com.
              • Extract the program file to your Desktop.
              • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
              • Select ALL of the checkboxes and then click OK and it will start scanning your system.
              • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
              • When done, click on Save Report.
              • Save it to the Desktop.
              • Please copy/paste the contents of the report in your next reply.
              Please remove any e-mail address in the RootRepeal report (if present).
              ~Dr Jay

              jowo


                Hello Jay.
                Here's the "RootRepeal report 01-31-10 (20-52-36).txt":


                ROOTREPEAL (c) AD, 2007-2009
                ==================================================
                Scan Start Time:      2010/01/31 20:37
                Program Version:      Version 1.3.5.0
                Windows Version:      Windows XP SP3
                ==================================================

                Drivers
                -------------------
                Name: dump_iaStor.sys
                Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
                Address: 0xA2EEE000   Size: 843776   File Visible: No   Signed: -
                Status: -

                Name: rootrepeal.sys
                Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                Address: 0x9E630000   Size: 49152   File Visible: No   Signed: -
                Status: -

                Hidden/Locked Files
                -------------------
                Path: C:\hiberfil.sys
                Status: Locked to the Windows API!

                Path: c:\dokumente und einstellungen\wolz\lokale einstellungen\temp\etilqs_9sxlyd6nw4dycsd1gfca
                Status: Allocation size mismatch (API: 4096, Raw: 0)

                Path: c:\dokumente und einstellungen\wolz\lokale einstellungen\temp\etilqs_kqyz2ntqedhbmj6kpryc
                Status: Allocation size mismatch (API: 16384, Raw: 0)

                Path: c:\programme\microsoft sql server\mssql.1\mssql\log\log_252.trc
                Status: Allocation size mismatch (API: 4096, Raw: 0)

                Path: c:\programme\microsoft sql server\mssql10.sqlexpress\mssql\log\log_119.trc
                Status: Allocation size mismatch (API: 4096, Raw: 0)

                Path: C:\Programme\Gemeinsame Dateien\Symantec Shared\VirusDefs\20090912.002\EraserUtilRebootDrv.sys
                Status: Locked to the Windows API!

                SSDT
                -------------------
                #: 019   Function Name: NtAssignProcessToJobObject
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa391cc

                #: 031   Function Name: NtConnectPort
                Status: Hooked by "<unknown>" at address 0x8a0cc8a8

                #: 053   Function Name: NtCreateThread
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39206

                #: 122   Function Name: NtOpenProcess
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa3951a

                #: 128   Function Name: NtOpenThread
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa393f6

                #: 137   Function Name: NtProtectVirtualMemory
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39292

                #: 213   Function Name: NtSetContextThread
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa3918e

                #: 257   Function Name: NtTerminateProcess
                Status: Hooked by "C:\Programme\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa312d0b0

                #: 258   Function Name: NtTerminateThread
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39316

                #: 277   Function Name: NtWriteVirtualMemory
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa3934e

                Shadow SSDT
                -------------------
                #: 013   Function Name: NtGdiBitBlt
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39cec

                #: 233   Function Name: NtGdiOpenDCW
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39d60

                #: 292   Function Name: NtGdiStretchBlt
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39c78

                #: 383   Function Name: NtUserGetAsyncKeyState
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39c36

                #: 389   Function Name: NtUserGetClipboardData
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39e4c

                #: 404   Function Name: NtUserGetForegroundWindow
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39b42

                #: 414   Function Name: NtUserGetKeyboardState
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39b90

                #: 416   Function Name: NtUserGetKeyState
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39bc2

                #: 428   Function Name: NtUserGetRawInputData
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39c04

                #: 483   Function Name: NtUserQueryWindow
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39ef0

                #: 508   Function Name: NtUserSetClipboardData
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39e1c

                #: 549   Function Name: NtUserSetWindowsHookEx
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39e9a

                #: 592   Function Name: NtUserWindowFromPoint
                Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39f6a

                ==EOF==

                Thanks for your help!
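As an added triage example, not part of this thread or of RootRepeal itself: a small Python script that parses the SSDT / Shadow SSDT sections of a RootRepeal report in the format posted above, groups hooks by hooking module, and flags entries whose hooking module is "<unknown>" or is not on an analyst-supplied allowlist. The excerpt is constructed from entries in the report above, and the allowlist of expected security-product drivers is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed excerpt in the RootRepeal report format (a subset of the log above).
SAMPLE_REPORT = """\
SSDT
-------------------
#: 019   Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\\WINDOWS\\System32\\drivers\\pxrts.sys" at address 0xbaa391cc

#: 031   Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a0cc8a8

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\\Programme\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xa312d0b0

Shadow SSDT
-------------------
#: 383   Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\\WINDOWS\\System32\\drivers\\pxrts.sys" at address 0xbaa39c36
"""

# Assumption: the analyst lists the driver file names they expect to hook
# the service tables on this machine (installed security products).
KNOWN_SECURITY_MODULES = {"pxrts.sys", "saskutil.sys"}

FUNC_RE = re.compile(r'#:\s*(\d+)\s+Function Name:\s*(\S+)')
HOOK_RE = re.compile(r'Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')

def parse_hooks(report):
    """Return (table, index, function, module, address) for every hooked entry."""
    hooks, table, pending = [], None, None
    for line in report.splitlines():
        line = line.strip()
        if line in ("SSDT", "Shadow SSDT"):
            table = line                      # section header names the table
        elif line.startswith("#:"):
            m = FUNC_RE.match(line)
            pending = (int(m.group(1)), m.group(2)) if m else None
        elif line.startswith("Status: Hooked by") and pending:
            m = HOOK_RE.match(line)
            if m:
                hooks.append((table, pending[0], pending[1], m.group(1), m.group(2)))
            pending = None
    return hooks

def module_name(path):
    """File name of the hooking module; "<unknown>" stays as-is."""
    return path.rsplit("\\", 1)[-1].lower()

def hooks_by_module(hooks):
    """Count hooks per module: many hooks from one known driver is a normal pattern."""
    return Counter(module_name(h[3]) for h in hooks)

def triage(hooks, known=KNOWN_SECURITY_MODULES):
    """Flag hooks not backed by an expected on-disk driver (e.g. "<unknown>")."""
    return [(t, f, mod, addr) for t, _, f, mod, addr in hooks
            if mod == "<unknown>" or module_name(mod) not in known]
```

A hook attributed to "<unknown>" means the scanner could not map the hook address to any loaded driver image, which is worth a closer look but, as Dr Jay notes for GMER, can also be a false positive.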

                Dr Jay

                Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

                Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

                Double-click gmer.exe. The program will begin to run.

                **Caution**
                These types of scans can produce false positives. Do NOT take any action on any
                "<--- ROOTKIT" entries unless advised!

                If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
                • Click NO
                • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
                • Now click the Scan button.
                Once the scan is complete, you may receive another notice about rootkit activity.
                • Click OK.
                • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
                • Save it where you can easily find it, such as your desktop.
                Post the contents of GMER.txt in your next reply.
                ~Dr Jay

                jowo


                  Hello again.
                  It took quite a while since this GMER scanner seems to run forever... unfortunately I cannot post results because it crashed each time. The first time the PC just idled / was halfway through shutting down or so, and the second time it crashed to a bluescreen, "page fault in nonpaged area", caused by uxddqpow.sys.

                  All I know is that each scan had already been running for at least 1.5 h before the hang-ups occurred...
                  (My firewall was still on, but all the other virus scanners were off.)

                  So what can we do? Any suggestions? In general the PC is a little bit slow but doesn't do too badly. But I know that it will get worse if we cannot cure it for good. I don't want to give up already, but anyway:
                  Any suggestions of where to buy an original XP-Prof. setup CD? To avoid this in the future I'd like to install XP fresh and have a boot manager (BootIt NG, which can also create/copy partitions) so I can go back to a blank system within seconds.

                  Thanks again for your help.

                  Dr Jay

                  Copy (Ctrl+C) and paste (Ctrl+V) the text in the code box below to Notepad.

                  Code:
                  @echo off
                  Copy /y gmer.exe ark.exe
                  Start ark.exe

                  Save it into the gmer folder as File name: ark.cmd
                  Save as type: All Files

                  Once done, double click ark.cmd to run it.

                  This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.
                  ~Dr Jay