Malware in C-Windows-temp and maybe in the MBR. All common removal tools failed

[jowo]

My problem sounds similar to other threads,  mostly like this one:  http://www.computerhope.com/forum/index.php/topic,76406.0.html "
But it seems as if nobody was sucessfull with removing this beast yet.
My issue all started with WINLOGON asking my firewall for web access, which I let go through because Google adviced if the file is in the system32  folder it should be fine. Since then IE pops up sites by random;  forced reboots occured and  Windows keeps saying "Appl. cannot be executed, the file is infected, please activate your antivirus software".

The virus pretends as if itself was a malware removal tool. It claimed that NetSky32 took over the system and wanted the user to donwload security tools (a fake regestry defender window poped open). SuperAntiSpy cannot see anything, Malwarebytes is far better, but still not succesfull . The virus kind of panics as I donwloaded MalWareBytes and after the first scan the virus deleted the Malwarebytes executable. At one point of time it seemed as if I would be fine (the regedit and taskmanager were usable again,  the Virus-warning desktop background was gone, but: I could never boot into a savemode to perform a full system scan and completely get rid of this. When trying to boot in save mode I still get a blue screen of death.

Part of the virus is residing in C:\Windows\temp. The files seem to be rewritten at each boot time:
gnserv.dat, spserv.dat, fla6.tmp,  Perflib_prefdata_44c.dat  and others; the number of the files in this temp folder variates. I dare not open these files but i'm pretty sure the worms stores reg-keys in there and keeps track of what i am doing (IE5 history /index.dat) I can delete most of them except: gnserv.dat, spnserv.dat, spserv.dat , ...also suspicious in win-temp-folder: an installer for a crane system ? LMpermission.exe4 and irsetup.exe (I am sure it was not there before and I did not download it...)

The following DLLs seem to be part of the problem : c:\windows\system32:
masoyumu.dll ,hufemute.dll, rivowaho.dll, dagenoja.dll , vujigami.dll, dagamami.dll.    and also:
azawexuluq.dll.tmp , tamowevu.dll.tmp, buhosazu.dll.tmp, pufutosu.dll.tmp, wulibuli.dll.tmp, degezappa.dll.tmp, wavikuse.dll.tmp,       (wondering what language that is...)

Also, somehow the windoes system files SMS32.exe and WINLOGON.exe seem to be altered/corrupted.

I tried all kinds of manual CMD procedures , Reg-keys and different scanners/removal tools (ATF-Cleaner, cleanns, FxNetsky, KillBox, Spyhunter, NSKClean, PrevX, SuperSpyHunter, MalwareAntiMalware, HiJackThis...  the logs of the last 2 tools are attached ; SuperAntiSpy did not give out a log, but it said "nothing found" anyways...

So if anyone ever succesfully removed this monster I would be more than happy to about help... otherwise I guess i have to access my MBR and get rid of the corruption and reinstall my XP; my problem: i do not even have a recovery CD... Thanks Jochen  
PS.: Is there a save way to open the temp files without having a sandbox system/virtual PC ?
PS.:I took quite a few screenshots, so if someone is interested...

[Saving space, attachment deleted by admin]

[Dr Jay]

Hello. Welcome to CH! 

Are you able to boot to Windows?

These two files: C:\WINDOWS\system32\serauth1.dll and C:\WINDOWS\system32\serauth2.dll -- will continually be restored while their backup is in place. These are not necessarily bad.

If you are able to boot, please do the following:

Please open Notepad and enter in the following:

@echo off
echo DMJ Find > findSUBawf.txt
echo. >> findSUBawf.txt
if exist "%SystemRoot%\System32\clauth1.dll" echo Found clauth1.dll >> findSUBawf.txt
if exist "%SystemRoot%\System32\clauth2.dll" echo Found clauth2.dll >> findSUBawf.txt
if exist "%SystemRoot%\System32\lsprst7.dll" echo Found lsprst7.dll >> findSUBawf.txt
if exist "%SystemRoot%\System32\nsprs.dll" echo Found nsprs.dll >> findSUBawf.txt
if exist "%SystemRoot%\System32\serauth1.dll" echo Found serauth1.dll >> findSUBawf.txt
if exist "%SystemRoot%\System32\serauth2.dll" echo Found serauth2.dll >> findSUBawf.txt
if exist "%SystemRoot%\System32\servdat.slm" echo Found servdat.slm >> findSUBawf.txt
if exist "%SystemRoot%\System32\ssprs.dll" echo Found ssprs.dll >> findSUBawf.txt
if exist "%SystemRoot%\System32\sysprs7.dll" echo Found sysprs7.dll >> findSUBawf.txt
if exist "%system%\bak" echo AWF-POSSIBLE >> findSUBawf.txt
echo. >> findSUBawf.txt
echo EOF >> findSUBawf.txt
Start findSUBawf.txt
exit

Then, click File > Save as...
Save as findSUBawf.cmd to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on findSUBawf.cmd, and it will finish quickly and launch a log.

Please post that in your next reply along with a new HijackThis log. Note: post the contents of it, please do not upload.

[jowo]

Thanks for your reply DragonMasterJay.
To your question: luckily I can boot into XP and your searchresults are below:

DMJ Find
 
Found lsprst7.dll
Found nsprs.dll
Found serauth1.dll
Found serauth2.dll
Found servdat.slm
Found sysprs7.dll
 
EOF

You mentioned not to upload but to post my results; I guess because of security concerns... so: I need to get some data files of that PC ; can i load them to my external (wireless) harddrive and access them from there or is the too risky to infect the rest of my hardware? Also, as you probably saw in my log: i did not try "ComboFix" yet, as I wanted to await your advice...
Thanks again for your help! 

[Dr Jay]

Go ahead and load tools from the external device, or what you would like to use.

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

[jowo]

combofix says that my Symantec antivirus scanner is still running... your turorial only mentiones how2 disable a "SYMANTEC ENDPOINT PROTECTION"...the symantec help says to unclick the auto-protecet funtions for "file system auto protect", "internet email auto protect" , "lotus auto protect" and "MS exchange auto protect"
 I disabled all items but combofix says it is still active..
also: the Symantec Scanner NEVER gave me tast icon to klick on, only their firewall has such a thing..should I run combofix anyways ?

[jowo]

by the way: i'm running "symantec antivirus corporate edition"

[Dr Jay]

Ok. Go ahead and run ComboFix, without disabling the protection.

[jowo]

Here's the log:
ComboFix 10-01-29.09 - Wolz 30.01.2010  18:46:56.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.49.1031.18.3067.2466 [GMT -5:00]
ausgeführt von:: c:\software-setup\antivirus stuff\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\Wolz\Anwendungsdaten\SystemProc
c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}
c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}\chrome.manifest
c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}\chrome\content\_cfg.js
c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}\chrome\content\overlay.xul
c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\{D8BA3E60-F3EB-4277-8956-E77D2F786330}\install.rdf
C:\s
c:\windows\jestertb.dll
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\13015.exe
c:\windows\system32\14604.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16391.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\19667.exe
c:\windows\system32\21342.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\25849.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\prsrvk.dll

Infizierte Kopie von c:\windows\system32\drivers\iaStor.sys wurde gefunden und desinfiziert
Kopie von - Kitty ate it :p wurde wiederhergestellt
.
(((((((((((((((((((((((   Dateien erstellt von 2009-12-28 bis 2010-01-30  ))))))))))))))))))))))))))))))
.

2010-01-30 08:24 . 2010-01-30 08:24   --------   d-----w-   c:\programme\Trend Micro
2010-01-29 18:05 . 2010-01-29 18:05   53136   ----a-w-   c:\windows\system32\PxSecure.dll
2010-01-29 18:05 . 2010-01-29 18:05   47664   ----a-w-   c:\windows\system32\drivers\pxrts.sys
2010-01-29 18:05 . 2010-01-29 18:05   30280   ----a-w-   c:\windows\system32\drivers\pxscan.sys
2010-01-29 18:05 . 2010-01-29 18:05   24496   ----a-w-   c:\windows\system32\drivers\pxkbf.sys
2010-01-29 18:05 . 2010-01-29 18:05   --------   d-----w-   c:\programme\Prevx
2010-01-29 18:05 . 2010-01-30 09:11   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\PrevxCSI
2010-01-29 17:48 . 2010-01-29 17:48   1024   ----a-w-   c:\windows\system32\serauth2.dll
2010-01-29 17:48 . 2010-01-29 17:48   1024   ----a-w-   c:\windows\system32\serauth1.dll
2010-01-29 14:55 . 2009-11-21 15:54   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-29 14:44 . 2010-01-29 14:44   643072   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\audio_1.0.4\plugin_audio.dll
2010-01-29 14:44 . 2010-01-29 14:44   364544   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\file_transfer_1.0.4\plugin_file_transfer.dll
2010-01-29 14:44 . 2010-01-29 14:44   1536000   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\video_1.0.4\plugin_video.dll
2010-01-29 14:44 . 2010-01-29 14:44   77824   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\wm_console.dll
2010-01-29 14:44 . 2010-01-29 14:44   66960   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\isl_cad.exe
2010-01-29 14:44 . 2010-01-29 14:44   61440   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\wm_desktop.dll
2010-01-29 14:44 . 2010-01-29 14:44   593920   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\vncsrv.dll
2010-01-29 14:44 . 2010-01-29 14:44   5632   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\win_utils.dll
2010-01-29 14:44 . 2010-01-29 14:44   45056   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\isl_start.exe
2010-01-29 14:44 . 2010-01-29 14:44   442368   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\plugin_desktop.dll
2010-01-29 14:44 . 2010-01-29 14:44   239000   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3\desktop_1.0.4c\isl_stream.exe
2010-01-29 14:44 . 2010-01-29 15:15   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\XLAB ISL Light Client3
2010-01-29 14:15 . 2007-09-11 19:21   150528   ----a-w-   c:\windows\system32\TLBINF32.dll
2010-01-29 14:15 . 2010-01-29 14:15   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\VSoft
2010-01-29 14:15 . 2010-01-29 14:15   --------   d-----w-   c:\programme\Gemeinsame Dateien\VSoft
2010-01-29 14:15 . 2010-01-29 14:15   --------   d-----w-   c:\programme\SAAZExmonScripts
2010-01-29 14:11 . 2010-01-29 14:11   --------   d-----w-   C:\12539265af95f2fffe2558
2010-01-29 14:11 . 2010-01-30 23:54   --------   d-----w-   c:\programme\SAAZOD
2010-01-29 14:11 . 2010-01-29 14:19   --------   d-----w-   c:\programme\SetupLogs
2010-01-29 14:11 . 2010-01-29 14:11   290816   ----a-w-   c:\windows\system32\WINHTTP5.DLL
2010-01-29 14:11 . 2010-01-29 14:11   102912   ----a-w-   c:\windows\system32\VB6STKIT.DLL
2010-01-29 09:38 . 2010-01-29 09:39   --------   d-----w-   c:\dokumente und einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Temp
2010-01-29 04:34 . 2010-01-29 14:48   --------   d-----w-   C:\_mal
2010-01-28 04:56 . 1999-07-24 05:15   291328   ----a-w-   c:\windows\system32\SAXZIPSP.DLL
2010-01-27 03:44 . 2010-01-29 17:43   --------   d-----w-   C:\!KillBox
2010-01-27 03:08 . 2010-01-27 03:12   --------   d-----w-   C:\_a
2010-01-25 23:20 . 1999-07-24 05:15   291328   ----a-w-   c:\windows\system32\SAXZIPSPAN.DLL
2010-01-25 21:59 . 2010-01-26 00:41   --------   d-----w-   C:\_fp91
2010-01-25 16:32 . 2010-01-25 16:32   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Malwarebytes
2010-01-25 16:32 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 16:32 . 2010-01-29 04:25   --------   d-----w-   c:\programme\Malwarebytes' Anti-Malware
2010-01-25 16:32 . 2010-01-25 16:32   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-01-25 16:32 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-25 13:36 . 2010-01-25 13:36   52224   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-25 13:36 . 2010-01-29 14:06   117760   ----a-w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-25 13:36 . 2010-01-25 13:36   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
2010-01-25 13:35 . 2010-01-25 13:35   --------   d-----w-   c:\programme\SUPERAntiSpyware
2010-01-25 13:35 . 2010-01-25 13:35   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\SUPERAntiSpyware.com
2010-01-25 13:35 . 2010-01-25 13:35   --------   d-----w-   c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2010-01-25 13:32 . 2010-01-25 14:20   --------   d-----w-   c:\programme\XLAB ISL Plugins
2010-01-25 13:30 . 2010-01-29 14:32   --------   d-----w-   c:\programme\XLAB ISL Light Client3
2010-01-23 20:43 . 2010-01-23 20:43   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-01-23 20:13 . 2010-01-26 20:19   120   ----a-w-   c:\windows\Twamilaha.dat
2010-01-22 16:11 . 2010-01-25 21:59   --------   d-----w-   C:\____fp91
2010-01-22 03:29 . 2010-01-22 03:31   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\EPSON
2010-01-22 03:29 . 2010-01-22 03:29   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Leadertech
2010-01-22 03:24 . 2010-01-22 04:07   --------   d-----w-   c:\programme\ABBYY FineReader 6.0 Sprint
2010-01-22 03:23 . 2010-01-22 03:23   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\UDL
2010-01-22 03:21 . 2010-01-22 03:21   --------   d-----w-   c:\programme\Epson Software
2010-01-22 03:21 . 2007-12-16 19:00   143872   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\EPSON\EPW!3 SSRP\E_S40ST7.EXE
2010-01-22 03:21 . 2007-01-10 19:02   113664   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\EPSON\EPW!3 SSRP\E_S40RP7.EXE
2010-01-22 03:21 . 2007-12-06 17:08   86528   ----a-w-   c:\windows\system32\E_FLBEJA.DLL
2010-01-22 03:21 . 2007-12-06 17:01   78848   ----a-w-   c:\windows\system32\E_FD4BEJA.DLL
2010-01-22 03:21 . 2006-10-20 05:10   80024   ----a-w-   c:\windows\system32\PICSDK.dll
2010-01-22 03:21 . 2006-10-20 05:10   501912   ----a-w-   c:\windows\system32\PICSDK2.dll
2010-01-22 03:21 . 2006-10-20 05:10   108704   ----a-w-   c:\windows\system32\PICEntry.dll
2010-01-22 03:19 . 2010-01-22 03:21   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\EPSON
2010-01-22 03:19 . 2007-07-13 05:00   71680   ----a-w-   c:\windows\system32\escwiad.dll
2010-01-22 03:19 . 2010-01-22 03:29   --------   d-----w-   c:\programme\epson
2010-01-17 20:38 . 2010-01-17 21:02   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Apple Computer
2010-01-17 20:38 . 2009-05-18 19:17   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-17 20:38 . 2008-04-17 18:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
2010-01-17 20:38 . 2010-01-17 20:38   --------   d-----w-   c:\programme\iPod
2010-01-17 20:38 . 2010-01-17 20:38   --------   d-----w-   c:\programme\iTunes
2010-01-17 20:38 . 2010-01-17 20:38   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-17 20:37 . 2010-01-17 20:58   --------   d-----w-   c:\programme\Bonjour
2010-01-17 20:37 . 2010-01-17 20:37   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer
2010-01-17 20:37 . 2010-01-17 20:37   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\Apple
2010-01-17 20:37 . 2010-01-17 20:37   --------   d-----w-   c:\programme\Apple Software Update
2010-01-17 20:36 . 2010-01-17 20:36   --------   d-----w-   c:\programme\Gemeinsame Dateien\Apple
2010-01-17 20:36 . 2010-01-17 20:36   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple
2010-01-17 20:36 . 2010-01-18 14:23   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Lokale Einstellungen\Anwendungsdaten\Apple Computer
2010-01-17 19:21 . 2010-01-17 19:21   --------   d-----w-   C:\download_torrent
2010-01-17 09:34 . 2010-01-17 09:34   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\AVS4YOU
2010-01-17 09:33 . 2010-01-17 09:33   --------   d-----w-   c:\programme\Gemeinsame Dateien\AVSMedia
2010-01-17 09:33 . 2010-01-17 09:33   --------   d-----w-   c:\programme\AVS4YOU
2010-01-17 09:33 . 2003-05-21 17:50   24576   ----a-w-   c:\windows\system32\msxml3a.dll
2010-01-06 23:20 . 2010-01-06 23:20   --------   d-----w-   c:\dokumente und einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Google
2010-01-03 12:04 . 2010-01-03 12:12   --------   d-----w-   C:\_PC-Backup
2010-01-02 09:32 . 2010-01-28 15:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-01-02 03:45 . 2010-01-02 03:45   --------   d-----w-   c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Google

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 23:57 . 2009-03-29 15:28   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Skype
2010-01-30 23:52 . 2008-10-08 17:28   40   ----a-w-   c:\windows\system32\profile.dat
2010-01-30 20:08 . 2008-10-17 14:36   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google Updater
2010-01-30 12:36 . 2008-07-21 12:14   312344   ----a-w-   c:\windows\system32\drivers\iaStor.sys
2010-01-30 12:19 . 2009-11-28 05:49   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\TeamViewer Manager
2010-01-30 11:07 . 2008-10-08 17:27   --------   d-----w-   c:\programme\Gemeinsame Dateien\Symantec Shared
2010-01-30 08:04 . 2008-07-21 13:07   --------   d-----w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2010-01-29 15:11 . 2008-07-21 12:14   574580   ----a-w-   c:\windows\system32\perfh007.dat
2010-01-29 15:11 . 2008-07-21 12:14   127768   ----a-w-   c:\windows\system32\perfc007.dat
2010-01-28 07:30 . 2008-11-11 14:33   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\gtk-2.0
2010-01-24 03:49 . 2009-09-15 18:18   --------   d-----w-   c:\programme\Mozilla Thunderbird
2010-01-22 08:37 . 2009-01-09 02:32   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\uTorrent
2010-01-22 03:29 . 2008-07-21 12:45   --------   d--h--w-   c:\programme\InstallShield Installation Information
2010-01-17 21:01 . 2008-07-21 12:26   101664   ----a-w-   c:\dokumente und einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2010-01-17 20:37 . 2009-11-01 19:36   --------   d-----w-   c:\programme\QuickTime
2010-01-07 16:51 . 2009-11-14 05:20   185   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsrvk.dll
2010-01-07 16:51 . 2009-11-14 05:20   162   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\nsprs.dll
2010-01-05 02:05 . 2009-07-21 19:05   --------   d-----w-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\OpenOffice.org2
2010-01-02 04:07 . 2008-10-17 11:38   --------   d-----w-   c:\programme\Google
2009-12-27 05:54 . 2009-12-27 05:54   --------   d-----w-   c:\programme\Ashampoo
2009-12-27 04:03 . 2009-12-27 03:18   --------   d-----w-   c:\programme\Microsoft Bootvis
2009-12-27 03:18 . 2009-12-27 03:18   1078   ----a-r-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_4ae13d6c.exe
2009-12-27 03:18 . 2009-12-27 03:18   1078   ----a-r-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_2cd672ae.exe
2009-12-27 03:18 . 2009-12-27 03:18   1078   ----a-r-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_294823.exe
2009-12-27 03:18 . 2009-12-27 03:18   1078   ----a-r-   c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_18be6784.exe
2009-12-22 05:07 . 2008-07-21 12:14   672768   ----a-w-   c:\windows\system32\wininet.dll
2009-12-22 05:07 . 2008-07-21 12:14   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-12-08 04:39 . 2009-12-08 04:38   --------   d-----w-   c:\programme\ISBE
2009-12-07 02:44 . 2009-12-07 02:44   --------   d-----w-   c:\dokumente und einstellungen\LocalService\Anwendungsdaten\TeamViewer
2009-12-07 02:37 . 2009-10-19 01:43   --------   d-----w-   c:\programme\TeamViewer
2009-11-23 19:34 . 2009-11-23 19:34   436674   ----a-w-   C:\_fp83.zip
2009-11-21 15:54 . 2008-07-21 12:14   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
2009-11-17 18:45 . 2009-11-17 19:53   1449019   ----a-w-   C:\TeamViewerQS.exe
2009-11-14 05:20 . 2009-11-14 05:20   1024   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\serauth2.dll
2009-11-14 05:20 . 2009-11-14 05:20   1024   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\serauth1.dll
2009-11-14 05:20 . 2009-11-14 05:20   1024   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\rvkauth2.dll
2009-11-14 05:20 . 2009-11-14 05:20   1024   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel\Sentinel RMS Development Kit\System\rvkauth1.dll
2009-11-12 22:07 . 2009-11-12 22:07   79144   ----a-w-   c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-09 17:12 . 2009-11-09 17:12   25088   ----a-w-   c:\windows\system32\drivers\teamviewervpn.sys
2009-11-08 22:34 . 2009-11-05 16:39   1392304   ----a-w-   c:\windows\system32\AutoPartNt.exe
2009-11-05 16:01 . 2009-11-05 16:01   971168   ----a-w-   c:\windows\system32\drivers\tdrpm140.sys
2009-11-05 16:00 . 2009-11-05 16:00   540000   ----a-w-   c:\windows\system32\drivers\timntr.sys
2009-11-05 16:00 . 2009-11-05 16:00   44704   ----a-w-   c:\windows\system32\drivers\tifsfilt.sys
2009-11-05 15:58 . 2009-11-05 15:58   134272   ----a-w-   c:\windows\system32\drivers\snman380.sys
1992-03-10 10:00 . 2009-04-16 09:48   95232   ----a-w-   c:\programme\CARDFILE.EXE
1601-01-01 00:03 . 1601-01-01 00:03   52736   --sha-w-   c:\windows\system32\buhosazu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   55296   --sha-w-   c:\windows\system32\degezapa.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   55296   --sha-w-   c:\windows\system32\pufutosu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   52736   --sha-w-   c:\windows\system32\tamowevu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   55296   --sha-w-   c:\windows\system32\wavikuse.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   52736   --sha-w-   c:\windows\system32\wulibuli.dll.tmp
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2009-11-05 14:01   2166296   ----a-w-   c:\programme\myBabylon_English\tbmyB1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\programme\myBabylon_English\tbmyB1.dll" [2009-11-05 2166296]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\programme\myBabylon_English\tbmyB1.dll" [2009-11-05 2166296]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="REM" [X]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2009-03-11 24095528]
"swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-17 39408]
"SUPERAntiSpyware"="c:\programme\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DpUtil"="REM" [X]
"TPSMain"="TPSMain.exe" [2007-11-21 299008]
"ccApp"="c:\programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"TrueImageMonitor.exe"="c:\programme\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-10-04 4344472]
"AcronisTimounterMonitor"="c:\programme\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-10-04 960376]
"Acronis Scheduler2 Service"="c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2008-10-04 165144]
"OSSelectorReinstall"="c:\programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-23 2209224]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-29 13537280]
"TAudEffect"="c:\programme\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 344144]
"nwiz"="nwiz.exe" [2008-05-29 1630208]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-08-11 253952]
"QuickTime Task"="c:\programme\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\Wolz\Startmen�\Programme\Autostart\
Verkn�pfung mit AUTOEXEC.lnk - C:\AUTOEXEC.BAT [2008-7-21 50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-21 17:54   65536   ----a-w-   c:\windows\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThpSrv]
c:\windows\system32\thpsrv [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2uvc]
REM [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
2001-06-23 02:28   24576   ----a-w-   c:\windows\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-04-07 14:40   16860672   ----a-w-   c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TPCHSrv"=3 (0x3)
"Tmesrv"=3 (0x3)
"SavRoam"=3 (0x3)
"ISSVC"=3 (0x3)
"DfSdkS"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"c:\\Programme\\Gemeinsame Dateien\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Programme\\Gemeinsame Dateien\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\cgtech62\\windows\\jre\\bin\\javaw.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [29.01.2010 13:05 30280]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [05.11.2009 11:01 971168]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [11.01.2008 15:58 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [04.09.2007 03:14 6528]
R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [05.01.2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [05.01.2010 07:56 74480]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [21.07.2008 07:58 5888]
R2 CSIScanner;CSIScanner;c:\programme\Prevx\prevx.exe [29.01.2010 13:05 6224896]
R2 MSSQL$TOOLSTUDIO;SQL Server (TOOLSTUDIO);c:\programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [27.05.2009 03:27 29262680]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [29.01.2010 13:05 47664]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.exe [13.06.2009 11:33 81920]
R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [04.06.2009 11:49 73728]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [29.01.2010 09:11 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [30.04.2009 19:46 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\SAAZWatchDog.exe [04.06.2009 11:51 81920]
R2 Sentinel RMS License Manager;Sentinel RMS License Manager;c:\cgtech62\windows\license\lservnt.exe [16.10.2008 12:20 774144]
R2 SentinelKeysServer;Sentinel Keys Server;c:\programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [10.07.2008 18:02 328992]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26.03.2007 05:22 105856]
R2 TeamViewer5;TeamViewer 5;c:\programme\TeamViewer\Version5\TeamViewer_Service.exe [12.01.2010 09:57 185640]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19.02.2007 05:15 134016]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [30.04.2008 14:09 4992]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [21.07.2008 07:14 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programme\Gemeinsame Dateien\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [13.09.2009 08:00 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21.07.2008 07:31 41216]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [29.01.2010 13:05 24496]
R3 SASENUM;SASENUM;c:\programme\SUPERAntiSpyware\SASENUM.SYS [05.01.2010 07:56 7408]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [09.11.2009 12:12 25088]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [21.07.2008 07:48 435072]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [01.01.2010 23:07 135664]
S2 UGS License Server (ugslmd);UGS License Server (ugslmd);c:\programme\UGS\UGSLicensing\lmgrd.exe [07.07.2009 13:16 1510152]
S3 IwUSB;IwUSB Driver;c:\windows\system32\drivers\IwUSB.sys [26.10.2008 18:28 20645]
S3 UNS;Intel(R) Active Management Technology User Notification Service;c:\programme\Gemeinsame Dateien\Intel\Privacy Icon\UNS\UNS.exe [08.10.2008 10:50 2058776]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [03.05.2009 08:38 627072]
S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [27.10.2008 01:59 259584]
S3 XRNBO;XRNBO;c:\windows\system32\drivers\XRNBO.sys [05.04.2009 19:17 177152]
S4 DfSdkS;Defragmentation-Service;c:\programme\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\DfSdkS.exe [27.12.2009 01:02 406016]
S4 MSSQLServerADHelper100;SQL Server Hilfsdienst für Active Directory;c:\programme\Microsoft SQL Server\100\Shared\sqladhlp.exe [10.07.2008 16:27 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10.07.2008 01:49 242712]
S4 SavRoam;SAVRoam;c:\programme\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [16.03.2006 23:34 115952]
S4 SQLAgent$SQLEXPRESS;SQL Server-Agent (SQLEXPRESS);c:\programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [10.07.2008 16:27 369688]
S4 Tmesrv;Tmesrv3;c:\programme\Toshiba\TME3\TMESRV31.exe [21.07.2008 07:58 118784]
S4 TPCHSrv;TPCH Service;c:\programme\Toshiba\TPHM\TPCHSrv.exe [27.05.2008 06:12 628072]
.
Inhalt des "geplante Tasks" Ordners

2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-30 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-17 13:53]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Google Sidewiki... - c:\programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{21196042-830F-419f-A594-F9D456A6C29A} - {21196042-830F-419f-A594-F9D456A6C29A}   c:\programme\TimeLeft3\TLIntergIE.html - c:\programme\timeleft3\tlintergie.html\inprocserver32 does not exist!
FF - ProfilePath - c:\dokumente und einstellungen\Wolz\Anwendungsdaten\Mozilla\Firefox\Profiles\ba9ldl0e.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npcosmop211.dll
FF - plugin: c:\programme\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 250
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
FF - user.js: general.useragent.extra.prevx - (Prevx 3.0.5)
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

MSConfigStartUp-Okadi - REM rundll32.exe
MSConfigStartUp-smss32 - c:\windows\system32\smss32.exe
MSConfigStartUp-TPSODDCtl - REM TPSODDCtl.exe
MSConfigStartUp-zufigekab - c:\windows\system32\vujigami.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 18:56
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-328488726-541291574-1648763155-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\not active]
@DACL=(02 0000)
"NDSTray.exe"="REM NDSTray.exe"
"NvCplDaemon"="RUNDLL32.EXE c:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NVRotateSysTray"="REM rundll32.exe c:\\WINDOWS\\system32\\nvsysrot.dll,Enable"
"openvpn-gui"="REM c:\\Programme\\Astaro\\Astaro SSL VPN Client\\bin\\openvpn-gui.exe"
"QuickTime Task"="REM \"c:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"SmoothView"="REM c:\\Programme\\TOSHIBA\\TOSHIBA Zoom-Dienstprogramm\\SmoothView.exe"
"snp2uvc"="REM c:\\WINDOWS\\vsnp2uvc.exe"
"TFncKy"="REM TFncKy.exe"
"TFNF5"="REM TFNF5.exe"
"TMERzCtl.EXE"="REM c:\\Programme\\TOSHIBA\\TME3\\TMERzCtl.EXE /Service"
"TMESRV.EXE"="REM c:\\Programme\\TOSHIBA\\TME3\\TMESRV31.EXE /Logon"
"TOSDCR"="REM TOSDCR.EXE"
"TosHKCW.exe"="REM \"c:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"TPCHWMsg"="REM %ProgramFiles%\\TOSHIBA\\TPHM\\TPCHWMsg.exe"
"picon"="REM \"c:\\Programme\\Gemeinsame Dateien\\Intel\\Privacy Icon\\PrivacyIconClient.exe\" -startup"
"ITSecMng"="REM %ProgramFiles%\\TOSHIBA\\Bluetooth Toshiba Stack\\ItSecMng.exe /START"
"DDWMon"="REM c:\\Programme\\TOSHIBA\\TOSHIBA Direct Disc Writer\\\\ddwmon.exe"
"DataCardMonitor"="REM c:\\Programme\\T-Mobile\\web'n'walk Manager\\DataCardMonitor.exe"
"Camera Assistant Software"="REM \"c:\\Program Files\\Camera Assistant Software for Toshiba\\traybar.exe\" /start"
"Apoint"="REM c:\\Programme\\Apoint2K\\Apoint.exe"
"Alcmtr"="REM ALCMTR.EXE"
"Adobe Reader Speed Launcher"="REM \"c:\\Programme\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(1820)
c:\programme\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(4184)
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\msi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
c:\programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
c:\programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\programme\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\SAAZOD\RMHLPDSK.exe
c:\programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\programme\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\programme\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\TODDSrv.exe
c:\programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\programme\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\TPSBattM.exe
c:\programme\iPod\bin\iPodService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-01-30  19:00:16 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2010-01-31 00:00

Vor Suchlauf: 54 Verzeichnis(se), 62.885.388.288 Bytes frei
Nach Suchlauf: 57 Verzeichnis(se), 62.916.112.384 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg
[spybotsd]
timeout.old=30

- - End Of File - - E4C16A1E1E7592A72C84873A5A49E0A1


I don't know if it made a difference that PrvX was running (or kept coming up during the scan...)

[Dr Jay]

Hi again. Please do these steps in order.

1. Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

Post the log from SUPERAntiSpyware when you've accomplished that.

4. Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic

5. Post the following in your next reply:

• MBAM log
• SAS log
• ESET log

And, please tell me how your computer is doing.

[jowo]

Hi Jay.
you were right: the scan took quite a while. In general my PC is running quite okay (not slowed down, no browser hijacking yet, but I'm not sure if it stays like this, because  before I conntacted this forum I already had MalwareAntibytes, SuperAntispy and others running and it somehow cleaned the virus out, but not for good...
What is different this time:
I am finally able to boot into a safe mode ! From there I ran mbam.exe and SUPERAntiSpyware.exe and will post the results on the end. In safe mode i was able to delete the Windows/temp/files (TFC was not succesfull) but: after booting into normal mode the files are back again. Do any of the tools we tried scan the MBR ? 

So here goes the logfiles you requested ( to be shure I made "Full Scans"); the additional logs that I made in a safe boot session are attached at the very end.

;_______________________________________ _______________________________________ ________

Malwarebytes' Anti-Malware 1.44
Database version: 3657
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

31.01.2010 00:41:13
mbam-log-2010-01-31 (00-40-51)_full scan.txt

Scan type: Full Scan (C:\|)
Objects scanned: 376633
Time elapsed: 2 hour(s), 18 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{DC2DA2EA-21ED-457B-93C3-D3405BD437B8}\RP16\A0000567.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{DC2DA2EA-21ED-457B-93C3-D3405BD437B8}\RP16\A0000604.com (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{DC2DA2EA-21ED-457B-93C3-D3405BD437B8}\RP16\A0000752.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{DC2DA2EA-21ED-457B-93C3-D3405BD437B8}\RP16\A0000780.com (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> No action taken.

;_______________________________________ _______________________________________ _________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2010 at 09:56 PM

Application Version : 4.33.1000

Core Rules Database Version : 4531
Trace Rules Database Version: 2343

Scan type       : Quick Scan
Total Scan Time : 00:00:02

Memory items scanned      : 123
Memory threats detected   : 0
Registry items scanned    : 0
Registry threats detected : 0
File items scanned        : 0
File threats detected     : 0


;___________ESET-scanner log_2010-01-31.txt_______________________________________________

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir   Win32/Olmarik.SJ virus   deleted - quarantined
C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\Internet Explorer\Desktop.htt   Win32/TrojanDownloader.FakeAlert.AED virus   deleted - quarantined
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\6PQ9SBUD\load[1].php   a variant of Win32/Kryptik.BYA trojan   cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8RSBCDEF\pdf[1].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8RSBCDEF\pdf[2].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GZI123MN\pdf[1].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GZI123MN\pdf[2].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GZI123MN\pdf[3].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GZI123MN\pdf[4].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\I1K3M5OP\pdf[2].pdf   PDF/Exploit.Gen trojan   cleaned by deleting - quarantined


;_______________________________________ _______________________________________ __________
;_____________the next two logs were create during a safe boot session ________________________________
;____________mbam-log-2010-01-31 (02-11-57)_fullscan in save mode.txt______________________________
Malwarebytes' Anti-Malware 1.44
Database version: 3657
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

31.01.2010 02:12:28
mbam-log-2010-01-31 (02-11-57)_fullscan in save mode.txt

Scan type: Full Scan (C:\|)
Objects scanned: 376092
Time elapsed: 1 hour(s), 0 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

;_____________________SUPERAntiSpyware Scan Log - 01-31-2010 - 01-52-57_save mode quick scan.log_____
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/31/2010 at 01:52 AM

Application Version : 4.33.1000

Core Rules Database Version : 4531
Trace Rules Database Version: 2343

Scan type       : Quick Scan
Total Scan Time : 00:44:45

Memory items scanned      : 239
Memory threats detected   : 0
Registry items scanned    : 670
Registry threats detected : 0
File items scanned        : 21468
File threats detected     : 1

Adware.Tracking Cookie
   C:\Dokumente und Einstellungen\Wolz\Cookies\wolz@doubleclick[1].txt

;_______________________________________ _______________________________________ _________




please tell me what you think...
I need to acess some files (data, picture, emails etc.) which are on the infected PC.
Is it save to transfer them (wireless to my network drive) and copy them on my other , uninfected Laptop ?

Bythe way: I'm using XP-Professional 32bit.

Thanks for your time.

[Dr Jay]

Please download RootRepeal from GooglePages.com.

• Extract the program file to your Desktop.
• Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  
  
  
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
  
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
• When done, click on Save Report
  
• Save it to the Desktop.
• Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).

[jowo]

Hello Jay.
Here's the " RootRepeal report 01-31-10 (20-52-36).txt" :


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/01/31 20:37
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA2EEE000   Size: 843776   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9E630000   Size: 49152   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\dokumente und einstellungen\wolz\lokale einstellungen\temp\etilqs_9sxlyd6nw4dycsd1gfca
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\dokumente und einstellungen\wolz\lokale einstellungen\temp\etilqs_kqyz2ntqedhbmj6kpryc
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\programme\microsoft sql server\mssql.1\mssql\log\log_252.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\programme\microsoft sql server\mssql10.sqlexpress\mssql\log\log_119.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Programme\Gemeinsame Dateien\Symantec Shared\VirusDefs\20090912.002\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 019   Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa391cc

#: 031   Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a0cc8a8

#: 053   Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39206

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa3951a

#: 128   Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa393f6

#: 137   Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39292

#: 213   Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa3918e

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\Programme\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa312d0b0

#: 258   Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39316

#: 277   Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa3934e

Shadow SSDT
-------------------
#: 013   Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39cec

#: 233   Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39d60

#: 292   Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39c78

#: 383   Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39c36

#: 389   Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39e4c

#: 404   Function Name: NtUserGetForegroundWindow
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39b42

#: 414   Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39b90

#: 416   Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39bc2

#: 428   Function Name: NtUserGetRawInputData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39c04

#: 483   Function Name: NtUserQueryWindow
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39ef0

#: 508   Function Name: NtUserSetClipboardData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39e1c

#: 549   Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39e9a

#: 592   Function Name: NtUserWindowFromPoint
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xbaa39f6a

==EOF==

Thanks for your help!

[Dr Jay]

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[jowo]

Hello again.
It took quite a while since this GMER scanner seems to run forever...unfortunately I cannot post results because it crashed each time. The first time the PC was just idled/half the way boot down or so.. and the second time it was crashed to a bluescreen, " pagefault in nonpaged area, caused by uxddqpow.sys

All I know that each scan was already running for at least 1.5h before the hang ups occured...
( My firewall was still on, but all the other virus-scanners were off.)

So what can we do ? Any suggestions ? In general the PC is a little bit slow but  doesn't do too bad. But i know that it will get worse if we cannot cure it for good.  I don 't already want to give up but anyways:
Any suggestions of where to buy a original XP-Prof. setup CD ? To avoid this in the future I'd like to install XP fresh and have bootmamager (BootitNG which can also create-copy partitions) so i can go back to a blank system within seconds.

Thanks again for you help 

[Dr Jay]

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code: [Select]

@echo off
Copy /y gmer.exe ark.exe
Start ark.exe
Save it into the gmer folder as  File name: ark.cmd
Save as type: All Files

Once done, double click ark.cmd to run it.

This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.

[jowo]

I tried your ark.cmd and GMER started, but unfortuntely it hang up after about the same scanning time as it did earlier (when I started it directly...) only difference:
this time the bluescreen  said, that the system was shut down to prevent further damage "DRIVER_IRQL_NOT_LESS_OR_EQUAL"

so sorry no log...

Any clues ?

[Dr Jay]

Ouchie...

SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to log box select the following items.
• Process << Selected
  
• Kernel Modules << Selected
  
• SSDT << Selected
  
• Kernel Hooks << Selected
  
• IRP Hooks << NOT Selected
  
• Ports << NOT Selected
  
• Hidden Files << Selected
  
• At the bottom of the page
• Hidden Objects Only << Selected
  
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was

extracted to. Open the text file and copy/paste the log here.
[/list]

[jowo]

this scan went far better but supposely did not turn up any leads...

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: A589F000
Module End: A596D000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAssignProcessToJobObject
Address: B445F1CC
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwConnectPort
Address: 8AC19140
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: B445F206
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwOpenProcess
Address: B445F51A
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwOpenThread
Address: B445F3F6
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwProtectVirtualMemory
Address: B445F292
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwSetContextThread
Address: B445F18E
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwTerminateProcess
Address: A5AE90B0
Driver Base: A5AE0000
Driver End: A5B05000
Driver Name: \??\C:\Programme\SUPERAntiSpyware\SASKUTIL.sys

Function Name: ZwTerminateThread
Address: B445F316
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwWriteVirtualMemory
Address: B445F34E
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\WINDOWS\system32\drivers\mshcmd.sys.
Status: Hidden

----------------------------------------------------------------------------
In general the Pc runs quite okay; my "active desktop" background picture is deactivate after each boot up....

What would be next ? Thanks again for your patience...
 

[Dr Jay]

Enable the viewing of Hidden files

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Select the Show hidden files and folders option.
• Deselect the Hide file extensions for known types option.
• Deselect the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

=====

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

Code: [Select]

:filefind
mshcmd.sys
atapi.sys


• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

[jowo]

I'm using those settings anyway ; I hate when Windows hides stuff, especially the option "hide extension of known file types" makes no sense and is dangerous...


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:55 on 06/02/2010 by Wolz (Administrator - Elevation successful)

========== filefind ==========

Searching for "mshcmd.sys"
No files found.

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys   --a--- 96512 bytes   [23:59 30/01/2010]   [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys   ------ 96512 bytes   [00:10 14/04/2008]   [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

[Dr Jay]

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

[jowo]

Malwarebytes scan with newest version:
(I guess it  only keeps finding that my XP-firewall and update is down (on purpose):

Malwarebytes' Anti-Malware 1.44
Database version: 3699
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

06.02.2010 23:08:23
mbam-log-2010-02-06 (23-08-00)_quick.txt

Scan type: Quick Scan
Objects scanned: 130755
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Dr Jay]

Please copy and paste the following in to Notepad:

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Security Center"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
  6d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="LocalSystem"
"Description"="Monitors system security settings and configurations."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\
  00,54,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\LEGACY_WSCSVC

[jowo]

okay, copy & paste into notepad, then save it as *.reg and execute it , right ? since it looks like a regestry hack I jsut want to make sure b4 i mess up soemthing...
thanks.

[Dr Jay]

It rendered incorrectly.

Please copy and paste the following in to Notepad:

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Security Center"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
  6d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="LocalSystem"
"Description"="Monitors system security settings and configurations."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\
  00,54,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Description"="Provides the endpoint mapper and other miscellaneous RPC services."
"DisplayName"="Remote Procedure Call (RPC)"
"ErrorControl"=dword:00000001
"Group"="COM Infrastructure"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,\
  63,00,73,00,73,00,00,00
"ObjectName"="NT Authority\\NetworkService"
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
  00,02,00,00,00,60,ea,00,00
"DependOnService"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,\
  68,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security]
"Security"=hex:01,00,14,80,a8,00,00,00,b4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,78,00,05,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,18,00,8d,00,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
  02,00,00,00,00,14,00,9d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
  18,00,9d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Enum]
"0"="Root\\LEGACY_RPCSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Description"="Provides the endpoint mapper and other miscellaneous RPC services."
"DisplayName"="Remote Procedure Call (RPC)"
"ErrorControl"=dword:00000001
"Group"="COM Infrastructure"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,\
  63,00,73,00,73,00,00,00
"ObjectName"="NT Authority\\NetworkService"
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
  00,02,00,00,00,60,ea,00,00
"DependOnService"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,\
  68,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security]
"Security"=hex:01,00,14,80,a8,00,00,00,b4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,78,00,05,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,18,00,8d,00,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
  02,00,00,00,00,14,00,9d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
  18,00,9d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Enum]
"0"="Root\\LEGACY_RPCSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Then, click File > Save as
Save it as fixSec.reg
Choose Save as type: All Files.
Click Save.

Once saved, double-click on the file and merge it in to the Registry.

Reboot your computer.


Let me know if this has helped.

[jowo]

okay, i merged it to the regestry and did a reboot- change: my desktop background was not deactivated this time,
but: I CANNOT access the internet anymore....

Superantispy discovered 2 threads with have been cleared before (or were just not visible....
Malwareantibytes  found nothing.
The files in the WINDOWS/TEMP folder are still there and now have grown in size and number...
My computer seems to be in worse conditions than before...

Since I cannot connect to my wireless router /network storage and do not dare to hook a data stick directly into the infected PC, I did not post the last logs.
but Antispy found : serauth1.dll and serauth2.dll in the system32 folder.

Can you please explain shorty what we are trying to do right now.

Thanks again for your help...


 

[jowo]

I just found out  that that my wirelss router just needed a reboot; so luckily I do have internet connection , it was not affected by the registry-change. Any news from your side ?

[Dr Jay]

Malwareantibytes  found nothing

Good. That was what the Registry tweaking was for.

======

If you want to check again about serauth1.dll and the other one, then please do the following:

Jotti File Submission:

• Please go to Jotti's malware scan
  
  
• Copy and paste the following file path into  the  "File to upload & scan"box on the top of the page:
  
  
  • C:\WINDOWS\SYSTEM32\serauth1.dll
• Click on the submit button
• Please post the results (URL) in your next reply.

Note: make sure to re-scan them. I do not want a past result.

[jowo]

status says: 0 of 20 scanners were able to find malware
when I klicked on the URL nothing new came up... maybe I'm doing soemthing wrong...

or maybe you are just looking for this:
http://virusscan.jotti.org/de/scanresult/0c5c39497b8ceca49186d2fa56e00214b49e8f63

but anyways, I just copy and paste the result from the current window in here; it comes up in German and I don't know how to change that...

Dateiname:  serauth1.dll 
Status:  Scan abgeschlossen. 0 von 20 Scannern haben Malware gemeldet.

smae for serauth2.dll 
http://virusscan.jotti.org/de/scanresult/f3ea8e3011bd7d032c5b506b560c12e5b35dd8ff



Untersucht am:   Mo 8 Feb 2010 07:31:23 (CET) Ergebnis-Link

Dateigröße:  1024 Bytes 
Dateityp:  ASCII text, with very long lines, with no line terminators 
MD5:  6c357e764b050783191d443ad4e592a4 
SHA1:  f1f37905fb21851d22abde3704a90e58ba13194 1 



2010-02-07 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-07 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-07 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-07 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-04 Nichts gefunden
  2010-02-07 Nichts gefunden   2010-02-07 Nichts gefunden



 

[Dr Jay]

Ok. Those are false positives then, which is no big deal.

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

[jowo]

Hi Jay.
spend some days without using that pc... today I caught up and followed your latest suggestions...here is the log:

 Results of screen317's Security Check version 0.99.1    
 Windows XP Service Pack 3 
``````````````````````````````
Antivirus/Firewall Check:
 ESET Online Scanner v3   
 Prevx     
 Antivirus up to date! 
``````````````````````````````
Anti-malware/Other Utilities Check:
 SUPERAntiSpyware Free Edition   
 HijackThis 2.0.2   
 Java(TM) 6 Update 10 
 Java(TM) 6 Update 6 
 Out of date Java installed!
 Adobe Flash Player 10 
Adobe Reader 8.1.2 - Deutsch
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check: 
objlist.exe by Laurent
 Symantec Client Security Symantec AntiVirus DefWatch.exe 
 antivirus stuff SecurityCheck.exe   
 Symantec Client Security Symantec Client Firewall SymSPort.exe 
``````````````````````````````
DNS Vulnerability Check:
 Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````
_______________________________________ ______________________________________


Do you think i am clean now ?
i still have those files in my Windows temp folder...
Thank you

[Dr Jay]

Please download DDS by sUBs from BleepingComputer.com or Forospyware.com and save it to your Desktop.

Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan.

• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
• Notepad will open with the results, click Yes to the Optional_Scan
• Please follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your Desktop.

[jowo]

I cannot execute this file since my system associates that "dds.scr" as a Autocad Script (Autocad is a digital drawing software that I have installed on my PC.
Isn't SCR a screensaver file-type ? if I used the "open with..." button: which App. do I choose ? I guess I have to run as DLL32 ... please tell me how to do this..
Thanks again

[Dr Jay]

Try the one from Forospyware up there. That is a PIF file type instead of the other link being a SCR.

[jowo]

Yes, that one worked better...in the "Created Last 30" there is that "serauth2.dll" again....I also had trouble booting my PC:

I rebooted it several times and every time the windows explorer would hang up and therefore the system would not boot completely (Desktop without Icons, non functional taskbar , never the less I was able to prompt for "MSCONFIG" and deactivated (almost) all non Windows startup processes to be able to boot succesfully. My desktop background is gone again...but at least the system is up and running again. These issues drive me nuts...but thank you for your patience.



DDS (Ver_09-12-01.01) - NTFSx86 
Run by Wolz at  1:41:38,10 on 16.02.2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional  5.1.2600.3.1252.49.1031.18.3067.2455 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)   {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled*   {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programme\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Programme\Google\Update\GoogleUpdate.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
C:\PROGRA~1\SAAZOD\RMHLPDSK.exe
C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
C:\cgtech62\windows\license\lservnt.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe
C:\Programme\TeamViewer\Version5\Teamviewer.exe
C:\WINDOWS\system32\TODDSrv.exe
c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programme\TOSHIBA\TAudEffect\TAudEff.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\software-setup\antivirus stuff\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programme\java\jre6\bin\ssv.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\programme\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\programme\mybabylon_english\tbmyB1.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\programme\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\programme\mybabylon_english\tbmyB1.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\programme\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\programme\epson software\easy photo print\EPTBL.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [TPSMain] TPSMain.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TAudEffect] c:\programme\toshiba\taudeffect\TAudEff.exe /run
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Google Sidewiki... - c:\programme\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {21196042-830F-419f-A594-F9D456A6C29A} - {21196042-830F-419f-A594-F9D456A6C29A}   c:\programme\timeleft3\tlintergie.html - c:\programme\timeleft3\tlintergie.html\inprocserver32 does not exist!
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264776624859
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Notify: !SASWinLogon - c:\programme\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: TosBtNP - TosBtNP.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programme\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\wolz\anwend~1\mozilla\firefox\profiles\ba9ldl0e.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\mozilla firefox\plugins\npcosmop211.dll
FF - plugin: c:\programme\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 250
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
FF - user.js: general.useragent.extra.prevx - (Prevx 3.0.5)
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-1-29 30280]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [2009-11-5 971168]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-1-11 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
R1 SASDIFSV;SASDIFSV;c:\programme\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 SAVRT;SAVRT;c:\programme\symantec client security\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\programme\symantec client security\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2008-7-21 5888]
R2 ccSetMgr;Symantec Settings Manager;c:\programme\gemeinsame dateien\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 MSSQL$TOOLSTUDIO;SQL Server (TOOLSTUDIO);c:\programme\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-1-29 47664]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.exe [2009-6-13 81920]
R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2009-6-4 73728]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2010-1-29 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2009-4-30 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\SAAZWatchDog.exe [2009-6-4 81920]
R2 Sentinel RMS License Manager;Sentinel RMS License Manager;c:\cgtech62\windows\license\lservnt.exe [2008-10-16 774144]
R2 SentinelKeysServer;Sentinel Keys Server;c:\programme\gemeinsame dateien\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2008-7-10 328992]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 TeamViewer5;TeamViewer 5;c:\programme\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2008-4-30 4992]
R3 ccEvtMgr;Symantec Event Manager;c:\programme\gemeinsame dateien\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-7-21 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-21 41216]
R3 NAVENG;NAVENG;c:\progra~1\gemein~1\symant~1\virusd~1\20090912.002\naveng.sys [2009-9-13 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\gemein~1\symant~1\virusd~1\20090912.002\navex15.sys [2009-9-13 1323568]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-1-29 24368]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2009-11-9 25088]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2008-7-21 435072]
S2 CSIScanner;CSIScanner;c:\programme\prevx\prevx.exe [2010-1-29 6297008]
S2 gupdate;Google Update Service (gupdate);c:\programme\google\update\GoogleUpdate.exe [2010-1-1 135664]
S2 UGS License Server (ugslmd);UGS License Server (ugslmd);c:\programme\ugs\ugslicensing\lmgrd.exe [2009-7-7 1510152]
S3 ccProxy;Symantec Network Proxy;c:\programme\gemeinsame dateien\symantec shared\ccProxy.exe [2006-3-7 202400]
S3 IwUSB;IwUSB Driver;c:\windows\system32\drivers\IwUSB.sys [2008-10-26 20645]
S3 SASENUM;SASENUM;c:\programme\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\programme\symantec client security\symantec antivirus\Rtvscan.exe [2006-3-16 1799408]
S3 UNS;Intel(R) Active Management Technology User Notification Service;c:\programme\gemeinsame dateien\intel\privacy icon\uns\UNS.exe [2008-10-8 2058776]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-5-3 627072]
S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [2008-10-27 259584]
S3 XRNBO;XRNBO;c:\windows\system32\drivers\XRNBO.sys [2009-4-5 177152]
S4 DfSdkS;Defragmentation-Service;c:\programme\ashampoo\ashampoo winoptimizer 2010 advanced\DfSdkS.exe [2009-12-27 406016]
S4 MSSQLServerADHelper100;SQL Server Hilfsdienst für Active Directory;c:\programme\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SavRoam;SAVRoam;c:\programme\symantec client security\symantec antivirus\SavRoam.exe [2006-3-16 115952]
S4 SQLAgent$SQLEXPRESS;SQL Server-Agent (SQLEXPRESS);c:\programme\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
S4 Tmesrv;Tmesrv3;c:\programme\toshiba\tme3\TMESRV31.exe [2008-7-21 118784]
S4 TPCHSrv;TPCH Service;c:\programme\toshiba\tphm\TPCHSrv.exe [2008-5-27 628072]

=============== Created Last 30 ================

2010-02-15 06:49:56   0   d-----w-   c:\dokumente und einstellungen\wolz\_Email-Backup
2010-02-15 06:47:02   0   d-----w-   c:\dokume~1\wolz\anwend~1\Sync App Settings
2010-02-15 06:46:31   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\Sync App Settings
2010-02-15 06:46:26   0   d-----w-   c:\programme\Allway Sync
2010-02-09 04:52:46   0   d-----w-   c:\dokume~1\wolz\anwend~1\TeraCopy
2010-02-09 04:52:43   0   d-----w-   c:\programme\TeraCopy
2010-02-08 04:38:12   0   d-----w-   C:\_fp39
2010-02-08 04:16:38   291328   ----a-w-   c:\windows\system32\SAXZIPSPAN.DLL
2010-02-07 22:14:29   1024   ----a-w-   c:\windows\system32\serauth2.dll
2010-02-07 22:14:29   1024   ----a-w-   c:\windows\system32\serauth1.dll
2010-02-04 08:11:28   0   d-----w-   C:\_fp39_old
2010-02-02 04:40:51   6443   ----a-w-   c:\dokumente und einstellungen\wolz\.recently-used.xbel
2010-01-31 03:07:39   0   d-----w-   c:\programme\ESET
2010-01-31 02:26:29   95   ----a-w-   c:\windows\system32\prsrvk.dll
2010-01-31 02:26:29   72   ----a-w-   c:\windows\system32\nsprs.dll
2010-01-31 00:10:43   204   ----a-w-   c:\windows\system32\lsprst7.dll
2010-01-30 23:55:43   218   ----a-w-   c:\windows\system32\lsprst7.tgz
2010-01-30 23:55:43   14   ----a-w-   c:\windows\system32\tmpPrst.tgz
2010-01-30 23:36:53   0   d-sha-r-   C:\cmdcons
2010-01-30 23:34:18   77312   ----a-w-   c:\windows\MBR.exe
2010-01-30 23:34:18   261632   ----a-w-   c:\windows\PEV.exe
2010-01-30 08:24:43   0   d-----w-   c:\programme\Trend Micro
2010-01-29 18:05:31   55184   ----a-w-   c:\windows\system32\PxSecure.dll
2010-01-29 18:05:31   47664   ----a-w-   c:\windows\system32\drivers\pxrts.sys
2010-01-29 18:05:31   30280   ----a-w-   c:\windows\system32\drivers\pxscan.sys
2010-01-29 18:05:31   24368   ----a-w-   c:\windows\system32\drivers\pxkbf.sys
2010-01-29 18:05:31   0   d-----w-   c:\programme\Prevx
2010-01-29 18:05:14   32   ----a-w-   c:\windows\wininit.ini
2010-01-29 18:05:14   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\PrevxCSI
2010-01-29 14:55:29   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-29 14:44:30   0   d-----w-   c:\dokume~1\wolz\anwend~1\XLAB ISL Light Client3
2010-01-29 14:15:54   150528   ----a-w-   c:\windows\system32\TLBINF32.dll
2010-01-29 14:15:53   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\VSoft
2010-01-29 14:15:52   0   d-----w-   c:\programme\gemeinsame dateien\VSoft
2010-01-29 14:15:47   0   d-----w-   c:\programme\SAAZExmonScripts
2010-01-29 14:11:48   0   d-----w-   C:\12539265af95f2fffe2558
2010-01-29 14:11:41   0   d-----w-   c:\programme\SAAZOD
2010-01-29 14:11:17   0   d-----w-   c:\programme\SetupLogs
2010-01-29 14:11:13   290816   ----a-w-   c:\windows\system32\WINHTTP5.DLL
2010-01-29 14:11:13   102912   ----a-w-   c:\windows\system32\VB6STKIT.DLL
2010-01-29 04:34:59   0   d-----w-   C:\_mal
2010-01-25 21:59:19   0   d-----w-   C:\_fp91
2010-01-25 16:32:21   0   d-----w-   c:\dokume~1\wolz\anwend~1\Malwarebytes
2010-01-25 16:32:18   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 16:32:16   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-25 16:32:16   0   d-----w-   c:\programme\Malwarebytes' Anti-Malware
2010-01-25 16:32:16   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2010-01-25 13:36:06   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\SUPERAntiSpyware.com
2010-01-25 13:35:34   0   d-----w-   c:\programme\SUPERAntiSpyware
2010-01-25 13:35:34   0   d-----w-   c:\dokume~1\wolz\anwend~1\SUPERAntiSpyware.com
2010-01-25 13:35:13   0   d-----w-   c:\programme\gemeinsame dateien\Wise Installation Wizard
2010-01-25 13:32:11   0   d-----w-   c:\programme\XLAB ISL Plugins
2010-01-25 13:30:26   0   d-----w-   c:\programme\XLAB ISL Light Client3
2010-01-23 20:43:11   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-01-23 20:13:58   120   ----a-w-   c:\windows\Twamilaha.dat
2010-01-22 16:11:44   0   d-----w-   C:\____fp91
2010-01-22 03:24:11   0   d-----w-   c:\programme\ABBYY FineReader 6.0 Sprint
2010-01-22 03:23:29   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\UDL
2010-01-22 03:21:59   0   d-----w-   c:\programme\Epson Software
2010-01-22 03:21:25   86528   ----a-w-   c:\windows\system32\E_FLBEJA.DLL
2010-01-22 03:21:25   78848   ----a-w-   c:\windows\system32\E_FD4BEJA.DLL
2010-01-22 03:21:00   97   ----a-w-   c:\windows\system32\PICSDK.ini
2010-01-22 03:21:00   80024   ----a-w-   c:\windows\system32\PICSDK.dll
2010-01-22 03:21:00   501912   ----a-w-   c:\windows\system32\PICSDK2.dll
2010-01-22 03:21:00   108704   ----a-w-   c:\windows\system32\PICEntry.dll
2010-01-22 03:19:42   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\EPSON
2010-01-22 03:19:23   71680   ----a-w-   c:\windows\system32\escwiad.dll
2010-01-22 03:19:21   0   d-----w-   c:\programme\epson
2010-01-22 03:18:18   44   ----a-w-   c:\windows\EPSNX300.ini
2010-01-17 20:38:39   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-17 20:38:39   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
2010-01-17 20:38:14   0   d-----w-   c:\programme\iPod
2010-01-17 20:38:11   0   d-----w-   c:\programme\iTunes
2010-01-17 20:38:11   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-17 20:37:52   0   d-----w-   c:\programme\Bonjour
2010-01-17 20:37:11   40448   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2010-01-17 20:37:11   2065696   ----a-w-   c:\windows\system32\usbaaplrc.dll
2010-01-17 20:36:48   0   d-----w-   c:\programme\gemeinsame dateien\Apple
2010-01-17 19:21:04   0   d-----w-   C:\download_torrent
2010-01-17 09:34:04   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\AVS4YOU
2010-01-17 09:33:52   0   d-----w-   c:\programme\gemeinsame dateien\AVSMedia
2010-01-17 09:33:51   24576   ----a-w-   c:\windows\system32\msxml3a.dll
2010-01-17 09:33:51   0   d-----w-   c:\programme\AVS4YOU

==================== Find3M  ====================

2010-02-02 20:05:14   32   ----a-w-   c:\windows\system32\drivers\mshcmd.sys.
2010-01-30 12:36:15   312344   ----a-w-   c:\windows\system32\drivers\iaStor.sys
2010-01-29 15:11:58   574580   ----a-w-   c:\windows\system32\perfh007.dat
2010-01-29 15:11:58   127768   ----a-w-   c:\windows\system32\perfc007.dat
2009-12-22 05:07:58   672768   ------w-   c:\windows\system32\wininet.dll
2009-12-22 05:07:55   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-11-23 19:34:06   436674   ----a-w-   C:\_fp83.zip
1992-03-10 10:00:00   95232   ----a-w-   c:\programme\CARDFILE.EXE

============= FINISH:  1:41:57,89 ===============

[Dr Jay]

There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
Backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to: http://www.viruslist.com/en/viruses/glossary?glossid=189208417
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
  
• What Should I Do If I've Become A Victim Of Identity Theft?
  
• Identity Theft Victims Guide - What to do
  

[/color]
Though the backdoor has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:

• When should I re-format? How should I reinstall?
  
• Help: I Got Hacked. Now What Do I Do?
  
• Help: I Got Hacked. Now What Do I Do? Part II
  
• Where to draw the line? When to recommend a format and reinstall?
  

Guides for format and reinstall: http://www.geekpolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115

http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

[jowo]

Hello. Sorry that you haven't heard from me for a while...
So I guess most secure would be setting up a new Windows, right ? and of course changing the router password and so forth...

[jowo]

Actually, before I opened this thread I was already thinking that I need to set up windows again from scratch... now it seems like this is really the case . I assume you found something bad in my last log-post.. so what was it ?
I don't see any benefit in chasing after this malware, so I'd just rather set Windows up again.
 The recovery CD got lost, so I will just buy a XP setup CD.
Two points make me worry:
-bad code in the MBR
-my Data is stored on a wireless network-drive and I will have to reload it onto on my new system, hopefully without getting infected again
I have not read through all the tutorials you suggested... so I might come back with a question, but I thank you very much for all your work and spending your free time to read through all these of log files that added up during the last month...