
Author Topic: Malware in C-Windows-temp and maybe in the MBR. All common removal tools failed


jowo


    Hi Jay.
    I spent some days without using that PC... today I caught up and followed your latest suggestions... here is the log:

     Results of screen317's Security Check version 0.99.1    
     Windows XP Service Pack 3 
    ``````````````````````````````
    Antivirus/Firewall Check:

     ESET Online Scanner v3   
     Prevx     
     Antivirus up to date! 
    ``````````````````````````````
    Anti-malware/Other Utilities Check:

     SUPERAntiSpyware Free Edition   
     HijackThis 2.0.2   
     Java(TM) 6 Update 10 
     Java(TM) 6 Update 6 
     Out of date Java installed!
     Adobe Flash Player 10 
    Adobe Reader 8.1.2 - Deutsch
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Out of date Adobe Reader installed!
    ``````````````````````````````
    Process Check: 
    objlist.exe by Laurent

     Symantec Client Security Symantec AntiVirus DefWatch.exe 
     antivirus stuff SecurityCheck.exe   
     Symantec Client Security Symantec Client Firewall SymSPort.exe 
    ``````````````````````````````
    DNS Vulnerability Check:

     Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

    `````````End of Log```````````
    _______________________________________ ______________________________________


    Do you think I am clean now?
    I still have those files in my Windows temp folder...
    Thank you

    Dr Jay

    Please download DDS by sUBs from BleepingComputer.com or Forospyware.com and save it to your Desktop.

    Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
    • Notepad will open with the results, click Yes to the Optional_Scan
    • Please follow the instructions that pop up for posting the results.
    • Close the program window, and delete the program from your Desktop.
    ~Dr Jay

    jowo


      I cannot execute this file since my system associates "dds.scr" with an AutoCAD script (AutoCAD is digital drawing software that I have installed on my PC).
      Isn't SCR a screensaver file type? If I use the "Open with..." button, which app do I choose? I guess I have to run it as DLL32... please tell me how to do this.
      Thanks again

      Dr Jay

      Try the one from Forospyware up there. That is a PIF file type instead of the other link being a SCR.
      ~Dr Jay

      jowo


        Yes, that one worked better... in the "Created Last 30" there is that "serauth2.dll" again... I also had trouble booting my PC:

        I rebooted it several times and every time Windows Explorer would hang, so the system would not boot completely (desktop without icons, non-functional taskbar). Nevertheless, I was able to run "MSCONFIG" and deactivated (almost) all non-Windows startup processes to be able to boot successfully. My desktop background is gone again... but at least the system is up and running again. These issues drive me nuts... but thank you for your patience.



        DDS (Ver_09-12-01.01) - NTFSx86 
        Run by Wolz at  1:41:38,10 on 16.02.2010
        Internet Explorer: 6.0.2900.5512
        Microsoft Windows XP Professional  5.1.2600.3.1252.49.1031.18.3067.2455 [GMT -5:00]

        AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)   {FB06448E-52B8-493A-90F3-E43226D3305C}
        FW: Symantec Client Firewall *disabled*   {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

        ============== Running Processes ===============

        C:\WINDOWS\system32\svchost -k DcomLaunch
        svchost.exe
        C:\WINDOWS\System32\svchost.exe -k netsvcs
        svchost.exe
        C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
        C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
        C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
        C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\Programme\Bonjour\mDNSResponder.exe
        C:\WINDOWS\system32\drivers\CDAC11BA.EXE
        C:\Programme\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
        C:\Programme\Google\Update\GoogleUpdate.exe
        C:\Programme\Java\jre6\bin\jqs.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
        C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
        C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
        C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
        C:\PROGRA~1\SAAZOD\RMHLPDSK.exe
        C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
        C:\cgtech62\windows\license\lservnt.exe
        C:\WINDOWS\Explorer.EXE
        C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
        C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
        C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
        C:\WINDOWS\system32\svchost.exe -k imgsvc
        C:\Programme\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
        C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe
        C:\Programme\TeamViewer\Version5\Teamviewer.exe
        C:\WINDOWS\system32\TODDSrv.exe
        c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
        C:\WINDOWS\system32\wbem\wmiapsrv.exe
        svchost.exe
        C:\WINDOWS\System32\svchost.exe -k HTTPFilter
        C:\Programme\TOSHIBA\TAudEffect\TAudEff.exe
        C:\WINDOWS\system32\TPSBattM.exe
        C:\WINDOWS\system32\00THotkey.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        C:\software-setup\antivirus stuff\dds.pif

        ============== Pseudo HJT Report ===============

        uStart Page = hxxp://www.google.com/
        uSearch Page = hxxp://www.google.com
        uSearch Bar = hxxp://www.google.com/ie
        uInternet Settings,ProxyOverride = *.local
        uSearchAssistant = hxxp://www.google.com/ie
        uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
        BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
        BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
        BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programme\java\jre6\bin\ssv.dll
        BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\programme\epson software\easy photo print\EPTBL.dll
        BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
        BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
        BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\programme\mybabylon_english\tbmyB1.dll
        BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\programme\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
        BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
        BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
        TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\programme\mybabylon_english\tbmyB1.dll
        TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\programme\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
        TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\programme\epson software\easy photo print\EPTBL.dll
        TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
        TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
        uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
        uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
        mRun: [TPSMain] TPSMain.exe
        mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
        mRun: [TAudEffect] c:\programme\toshiba\taudeffect\TAudEff.exe /run
        mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
        mRun: [00THotkey] c:\windows\system32\00THotkey.exe
        mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
        dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
        mPolicies-explorer: NoResolveTrack = 0 (0x0)
        mPolicies-explorer: NoFileAssociate = 0 (0x0)
        dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
        dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
        IE: Google Sidewiki... - c:\programme\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
        IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
        IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
        IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
        IE: {21196042-830F-419f-A594-F9D456A6C29A} - {21196042-830F-419f-A594-F9D456A6C29A}   c:\programme\timeleft3\tlintergie.html - c:\programme\timeleft3\tlintergie.html\inprocserver32 does not exist!
        IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
        IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
        DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
        DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
        DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264776624859
        DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
        DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
        DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
        DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
        DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
        Notify: !SASWinLogon - c:\programme\superantispyware\SASWINLO.dll
        Notify: NavLogon - c:\windows\system32\NavLogon.dll
        Notify: TosBtNP - TosBtNP.dll
        SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programme\superantispyware\SASSEH.DLL

        ================= FIREFOX ===================

        FF - ProfilePath - c:\dokume~1\wolz\anwend~1\mozilla\firefox\profiles\ba9ldl0e.default\
        FF - prefs.js: browser.startup.homepage - www.google.com
        FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
        FF - plugin: c:\programme\google\google updater\2.4.1536.6592\npCIDetect13.dll
        FF - plugin: c:\programme\google\update\1.2.183.13\npGoogleOneClick8.dll
        FF - plugin: c:\programme\mozilla firefox\plugins\npcosmop211.dll
        FF - plugin: c:\programme\virtual earth 3d\npVE3D.dll
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

        ---- FIREFOX POLICIES ----
        FF - user.js: browser.blink_allowed - true
        FF - user.js: network.prefetch-next - true
        FF - user.js: nglayout.initialpaint.delay - 250
        FF - user.js: layout.spellcheckDefault - 1
        FF - user.js: browser.urlbar.autoFill - false
        FF - user.js: browser.search.openintab - false
        FF - user.js: browser.tabs.closeButtons - 1
        FF - user.js: browser.tabs.opentabfor.middleclick - true
        FF - user.js: browser.tabs.tabMinWidth - 100
        FF - user.js: browser.urlbar.hideGoButton - false
        FF - user.js: general.useragent.extra.prevx - (Prevx 3.0.5)
        c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

        ============= SERVICES / DRIVERS ===============

        R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-1-29 30280]
        R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [2009-11-5 971168]
        R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-1-11 21120]
        R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
        R1 SASDIFSV;SASDIFSV;c:\programme\superantispyware\sasdifsv.sys [2010-1-5 9968]
        R1 SASKUTIL;SASKUTIL;c:\programme\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
        R1 SAVRT;SAVRT;c:\programme\symantec client security\symantec antivirus\savrt.sys [2005-12-19 337592]
        R1 SAVRTPEL;SAVRTPEL;c:\programme\symantec client security\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
        R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2008-7-21 5888]
        R2 ccSetMgr;Symantec Settings Manager;c:\programme\gemeinsame dateien\symantec shared\ccSetMgr.exe [2006-3-7 169632]
        R2 MSSQL$TOOLSTUDIO;SQL Server (TOOLSTUDIO);c:\programme\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
        R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-1-29 47664]
        R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.exe [2009-6-13 81920]
        R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2009-6-4 73728]
        R2 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2010-1-29 77824]
        R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2009-4-30 77824]
        R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\SAAZWatchDog.exe [2009-6-4 81920]
        R2 Sentinel RMS License Manager;Sentinel RMS License Manager;c:\cgtech62\windows\license\lservnt.exe [2008-10-16 774144]
        R2 SentinelKeysServer;Sentinel Keys Server;c:\programme\gemeinsame dateien\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2008-7-10 328992]
        R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
        R2 TeamViewer5;TeamViewer 5;c:\programme\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
        R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
        R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2008-4-30 4992]
        R3 ccEvtMgr;Symantec Event Manager;c:\programme\gemeinsame dateien\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
        R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-7-21 244368]
        R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-21 41216]
        R3 NAVENG;NAVENG;c:\progra~1\gemein~1\symant~1\virusd~1\20090912.002\naveng.sys [2009-9-13 84912]
        R3 NAVEX15;NAVEX15;c:\progra~1\gemein~1\symant~1\virusd~1\20090912.002\navex15.sys [2009-9-13 1323568]
        R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-1-29 24368]
        R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2009-11-9 25088]
        R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2008-7-21 435072]
        S2 CSIScanner;CSIScanner;c:\programme\prevx\prevx.exe [2010-1-29 6297008]
        S2 gupdate;Google Update Service (gupdate);c:\programme\google\update\GoogleUpdate.exe [2010-1-1 135664]
        S2 UGS License Server (ugslmd);UGS License Server (ugslmd);c:\programme\ugs\ugslicensing\lmgrd.exe [2009-7-7 1510152]
        S3 ccProxy;Symantec Network Proxy;c:\programme\gemeinsame dateien\symantec shared\ccProxy.exe [2006-3-7 202400]
        S3 IwUSB;IwUSB Driver;c:\windows\system32\drivers\IwUSB.sys [2008-10-26 20645]
        S3 SASENUM;SASENUM;c:\programme\superantispyware\SASENUM.SYS [2010-1-5 7408]
        S3 Symantec AntiVirus;Symantec AntiVirus;c:\programme\symantec client security\symantec antivirus\Rtvscan.exe [2006-3-16 1799408]
        S3 UNS;Intel(R) Active Management Technology User Notification Service;c:\programme\gemeinsame dateien\intel\privacy icon\uns\UNS.exe [2008-10-8 2058776]
        S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-5-3 627072]
        S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [2008-10-27 259584]
        S3 XRNBO;XRNBO;c:\windows\system32\drivers\XRNBO.sys [2009-4-5 177152]
        S4 DfSdkS;Defragmentation-Service;c:\programme\ashampoo\ashampoo winoptimizer 2010 advanced\DfSdkS.exe [2009-12-27 406016]
        S4 MSSQLServerADHelper100;SQL Server Hilfsdienst für Active Directory;c:\programme\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
        S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
        S4 SavRoam;SAVRoam;c:\programme\symantec client security\symantec antivirus\SavRoam.exe [2006-3-16 115952]
        S4 SQLAgent$SQLEXPRESS;SQL Server-Agent (SQLEXPRESS);c:\programme\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
        S4 Tmesrv;Tmesrv3;c:\programme\toshiba\tme3\TMESRV31.exe [2008-7-21 118784]
        S4 TPCHSrv;TPCH Service;c:\programme\toshiba\tphm\TPCHSrv.exe [2008-5-27 628072]

        =============== Created Last 30 ================

        2010-02-15 06:49:56   0   d-----w-   c:\dokumente und einstellungen\wolz\_Email-Backup
        2010-02-15 06:47:02   0   d-----w-   c:\dokume~1\wolz\anwend~1\Sync App Settings
        2010-02-15 06:46:31   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\Sync App Settings
        2010-02-15 06:46:26   0   d-----w-   c:\programme\Allway Sync
        2010-02-09 04:52:46   0   d-----w-   c:\dokume~1\wolz\anwend~1\TeraCopy
        2010-02-09 04:52:43   0   d-----w-   c:\programme\TeraCopy
        2010-02-08 04:38:12   0   d-----w-   C:\_fp39
        2010-02-08 04:16:38   291328   ----a-w-   c:\windows\system32\SAXZIPSPAN.DLL
        2010-02-07 22:14:29   1024   ----a-w-   c:\windows\system32\serauth2.dll
        2010-02-07 22:14:29   1024   ----a-w-   c:\windows\system32\serauth1.dll
        2010-02-04 08:11:28   0   d-----w-   C:\_fp39_old
        2010-02-02 04:40:51   6443   ----a-w-   c:\dokumente und einstellungen\wolz\.recently-used.xbel
        2010-01-31 03:07:39   0   d-----w-   c:\programme\ESET
        2010-01-31 02:26:29   95   ----a-w-   c:\windows\system32\prsrvk.dll
        2010-01-31 02:26:29   72   ----a-w-   c:\windows\system32\nsprs.dll
        2010-01-31 00:10:43   204   ----a-w-   c:\windows\system32\lsprst7.dll
        2010-01-30 23:55:43   218   ----a-w-   c:\windows\system32\lsprst7.tgz
        2010-01-30 23:55:43   14   ----a-w-   c:\windows\system32\tmpPrst.tgz
        2010-01-30 23:36:53   0   d-sha-r-   C:\cmdcons
        2010-01-30 23:34:18   77312   ----a-w-   c:\windows\MBR.exe
        2010-01-30 23:34:18   261632   ----a-w-   c:\windows\PEV.exe
        2010-01-30 08:24:43   0   d-----w-   c:\programme\Trend Micro
        2010-01-29 18:05:31   55184   ----a-w-   c:\windows\system32\PxSecure.dll
        2010-01-29 18:05:31   47664   ----a-w-   c:\windows\system32\drivers\pxrts.sys
        2010-01-29 18:05:31   30280   ----a-w-   c:\windows\system32\drivers\pxscan.sys
        2010-01-29 18:05:31   24368   ----a-w-   c:\windows\system32\drivers\pxkbf.sys
        2010-01-29 18:05:31   0   d-----w-   c:\programme\Prevx
        2010-01-29 18:05:14   32   ----a-w-   c:\windows\wininit.ini
        2010-01-29 18:05:14   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\PrevxCSI
        2010-01-29 14:55:29   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
        2010-01-29 14:44:30   0   d-----w-   c:\dokume~1\wolz\anwend~1\XLAB ISL Light Client3
        2010-01-29 14:15:54   150528   ----a-w-   c:\windows\system32\TLBINF32.dll
        2010-01-29 14:15:53   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\VSoft
        2010-01-29 14:15:52   0   d-----w-   c:\programme\gemeinsame dateien\VSoft
        2010-01-29 14:15:47   0   d-----w-   c:\programme\SAAZExmonScripts
        2010-01-29 14:11:48   0   d-----w-   C:\12539265af95f2fffe2558
        2010-01-29 14:11:41   0   d-----w-   c:\programme\SAAZOD
        2010-01-29 14:11:17   0   d-----w-   c:\programme\SetupLogs
        2010-01-29 14:11:13   290816   ----a-w-   c:\windows\system32\WINHTTP5.DLL
        2010-01-29 14:11:13   102912   ----a-w-   c:\windows\system32\VB6STKIT.DLL
        2010-01-29 04:34:59   0   d-----w-   C:\_mal
        2010-01-25 21:59:19   0   d-----w-   C:\_fp91
        2010-01-25 16:32:21   0   d-----w-   c:\dokume~1\wolz\anwend~1\Malwarebytes
        2010-01-25 16:32:18   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-01-25 16:32:16   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-01-25 16:32:16   0   d-----w-   c:\programme\Malwarebytes' Anti-Malware
        2010-01-25 16:32:16   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\Malwarebytes
        2010-01-25 13:36:06   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\SUPERAntiSpyware.com
        2010-01-25 13:35:34   0   d-----w-   c:\programme\SUPERAntiSpyware
        2010-01-25 13:35:34   0   d-----w-   c:\dokume~1\wolz\anwend~1\SUPERAntiSpyware.com
        2010-01-25 13:35:13   0   d-----w-   c:\programme\gemeinsame dateien\Wise Installation Wizard
        2010-01-25 13:32:11   0   d-----w-   c:\programme\XLAB ISL Plugins
        2010-01-25 13:30:26   0   d-----w-   c:\programme\XLAB ISL Light Client3
        2010-01-23 20:43:11   552   ----a-w-   c:\windows\system32\d3d8caps.dat
        2010-01-23 20:13:58   120   ----a-w-   c:\windows\Twamilaha.dat
        2010-01-22 16:11:44   0   d-----w-   C:\____fp91
        2010-01-22 03:24:11   0   d-----w-   c:\programme\ABBYY FineReader 6.0 Sprint
        2010-01-22 03:23:29   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\UDL
        2010-01-22 03:21:59   0   d-----w-   c:\programme\Epson Software
        2010-01-22 03:21:25   86528   ----a-w-   c:\windows\system32\E_FLBEJA.DLL
        2010-01-22 03:21:25   78848   ----a-w-   c:\windows\system32\E_FD4BEJA.DLL
        2010-01-22 03:21:00   97   ----a-w-   c:\windows\system32\PICSDK.ini
        2010-01-22 03:21:00   80024   ----a-w-   c:\windows\system32\PICSDK.dll
        2010-01-22 03:21:00   501912   ----a-w-   c:\windows\system32\PICSDK2.dll
        2010-01-22 03:21:00   108704   ----a-w-   c:\windows\system32\PICEntry.dll
        2010-01-22 03:19:42   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\EPSON
        2010-01-22 03:19:23   71680   ----a-w-   c:\windows\system32\escwiad.dll
        2010-01-22 03:19:21   0   d-----w-   c:\programme\epson
        2010-01-22 03:18:18   44   ----a-w-   c:\windows\EPSNX300.ini
        2010-01-17 20:38:39   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
        2010-01-17 20:38:39   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
        2010-01-17 20:38:14   0   d-----w-   c:\programme\iPod
        2010-01-17 20:38:11   0   d-----w-   c:\programme\iTunes
        2010-01-17 20:38:11   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
        2010-01-17 20:37:52   0   d-----w-   c:\programme\Bonjour
        2010-01-17 20:37:11   40448   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
        2010-01-17 20:37:11   2065696   ----a-w-   c:\windows\system32\usbaaplrc.dll
        2010-01-17 20:36:48   0   d-----w-   c:\programme\gemeinsame dateien\Apple
        2010-01-17 19:21:04   0   d-----w-   C:\download_torrent
        2010-01-17 09:34:04   0   d-----w-   c:\dokume~1\alluse~1\anwend~1\AVS4YOU
        2010-01-17 09:33:52   0   d-----w-   c:\programme\gemeinsame dateien\AVSMedia
        2010-01-17 09:33:51   24576   ----a-w-   c:\windows\system32\msxml3a.dll
        2010-01-17 09:33:51   0   d-----w-   c:\programme\AVS4YOU

        ==================== Find3M  ====================

        2010-02-02 20:05:14   32   ----a-w-   c:\windows\system32\drivers\mshcmd.sys.
        2010-01-30 12:36:15   312344   ----a-w-   c:\windows\system32\drivers\iaStor.sys
        2010-01-29 15:11:58   574580   ----a-w-   c:\windows\system32\perfh007.dat
        2010-01-29 15:11:58   127768   ----a-w-   c:\windows\system32\perfc007.dat
        2009-12-22 05:07:58   672768   ------w-   c:\windows\system32\wininet.dll
        2009-12-22 05:07:55   81920   ----a-w-   c:\windows\system32\ieencode.dll
        2009-11-23 19:34:06   436674   ----a-w-   C:\_fp83.zip
        1992-03-10 10:00:00   95232   ----a-w-   c:\programme\CARDFILE.EXE

        ============= FINISH:  1:41:57,89 ===============
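The "Created Last 30" block above is the part of a DDS log a responder reads first. As an added example (not code from this thread or from the DDS tool), the Python script below parses lines in that format and applies two defender-side triage heuristics: executable files in the Windows system directories that are far too small to be real PE images, and file types that do not normally live there, adding as context any other system files written in the same second. The size threshold, the extension lists and the choice of sample lines (copied from the log above) are this example's own assumptions; its output is a list of files to examine, not a malware verdict.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Shape of one DDS "Created Last 30" / "Find3M" line, as printed in the log above:
#   <yyyy-mm-dd> <hh:mm:ss>   <size>   <attribute flags>   <path>
# Fields are separated by runs of whitespace; the path comes last and may contain spaces.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)

# Assumed heuristics: thresholds and lists are this example's choices, not DDS output.
EXECUTABLE_EXT = {"dll", "exe", "sys", "ocx", "drv", "cpl", "scr"}
EXPECTED_SYSTEM_EXT = EXECUTABLE_EXT | {"dat", "ini", "log", "txt", "nls", "tlb", "ax", "acm"}
TINY_PE_BYTES = 4096  # a PE image this small cannot carry a meaningful code section
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\system32\\drivers\\")


@dataclass(frozen=True)
class DdsEntry:
    created: datetime
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")  # first flag column is 'd' for directories

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def ext(self) -> str:
        return self.name.rsplit(".", 1)[-1].lower() if "." in self.name else ""

    def in_system_dir(self) -> bool:
        folder = self.path.lower().rsplit("\\", 1)[0] + "\\"
        return folder in SYSTEM_DIRS


def parse_dds_entries(text: str) -> List[DdsEntry]:
    """Parse every well-formed entry line; section headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append(DdsEntry(stamp, int(m["size"]), m["attrs"], m["path"].rstrip()))
    return entries


def triage(entries: List[DdsEntry]) -> Dict[str, List[str]]:
    """Map path -> reasons for system files that deserve a closer look. Heuristic only."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_second: Dict[datetime, List[DdsEntry]] = defaultdict(list)
    for e in entries:
        if e.is_dir or not e.in_system_dir():
            continue
        by_second[e.created].append(e)
        if e.ext in EXECUTABLE_EXT and e.size < TINY_PE_BYTES:
            findings[e.path].append(f"tiny .{e.ext} ({e.size} bytes) in a system directory")
        if e.ext not in EXPECTED_SYSTEM_EXT:
            findings[e.path].append(f"unexpected .{e.ext} file in a system directory")
    # Context only: system files written in the very same second as a flagged one usually
    # share its origin. Attached to flagged entries only, because legitimate installs
    # (AV engines, printer suites) also write many files at once.
    by_path = {e.path: e for e in entries}
    for path in list(findings):
        e = by_path[path]
        siblings = [o.name for o in by_second[e.created] if o is not e]
        if siblings:
            findings[path].append("written in the same second as " + ", ".join(siblings))
    return dict(findings)


# Sample input: lines copied from the "Created Last 30" section above, plus its header.
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2010-02-08 04:16:38   291328   ----a-w-   c:\windows\system32\SAXZIPSPAN.DLL
2010-02-07 22:14:29   1024   ----a-w-   c:\windows\system32\serauth2.dll
2010-02-07 22:14:29   1024   ----a-w-   c:\windows\system32\serauth1.dll
2010-01-31 03:07:39   0   d-----w-   c:\programme\ESET
2010-01-31 02:26:29   95   ----a-w-   c:\windows\system32\prsrvk.dll
2010-01-31 02:26:29   72   ----a-w-   c:\windows\system32\nsprs.dll
2010-01-30 23:55:43   218   ----a-w-   c:\windows\system32\lsprst7.tgz
2010-01-30 23:55:43   14   ----a-w-   c:\windows\system32\tmpPrst.tgz
2010-01-29 18:05:31   47664   ----a-w-   c:\windows\system32\drivers\pxrts.sys
2010-01-25 16:32:16   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_dds_entries(SAMPLE_LOG)).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```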

        Dr Jay

        There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
        Backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to: http://www.viruslist.com/en/viruses/glossary?glossid=189208417
        I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
        Then, access this information from a non-compromised computer to follow the steps needed.
        If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
        Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
        Guides for format and reinstall: http://www.geekpolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115

        http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143
        However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
        If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

        Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
        ~Dr Jay

        jowo


          Hello. Sorry that you haven't heard from me for a while...
          So I guess the most secure option would be setting up a new Windows, right? And of course changing the router password and so forth...

          jowo


            Actually, before I opened this thread I was already thinking that I need to set up Windows again from scratch... now it seems like this is really the case. I assume you found something bad in my last log post... so what was it?
            I don't see any benefit in chasing after this malware, so I'd rather just set Windows up again.
            The recovery CD got lost, so I will just buy an XP setup CD.
            Two points make me worry:
            - bad code in the MBR
            - my data is stored on a wireless network drive and I will have to reload it onto my new system, hopefully without getting infected again
            I have not read through all the tutorials you suggested... so I might come back with a question, but I thank you very much for all your work and for spending your free time reading through all these log files that added up during the last month...