Virtumonde infection, too



rhp06
2008-07-30, 16:47
Hi!

I'd be more than glad if you could help me fix my problem.
It seems that my computer is infected by TR/Vundo.gen, and it looks like it has hidden in winlogon.exe and explorer.exe.
Here is a fresh HJT log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:51:56, on 30.07.2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PL15Co2K.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C9A66198-D585-4160-A963-A889176926B0} - (no file)
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\Mozilla\Firefox\Profiles\7otdqd06.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\Mozilla\Firefox\Profiles/7otdqd06.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O21 - SSODL: gnowmebk - {A02B90FE-B813-4EB6-BB9E-A92AFB07F1AD} - (no file)
O21 - SSODL: pxgdslro - {E0D4D696-75FC-45B3-AC8F-6CC8376A06A9} - (no file)
O21 - SSODL: KbdChk - {fa6ba10d-bf23-4a34-a3ae-2ed079639825} - C:\WINDOWS\Resources\KbdChk.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4673 bytes



Thanks in advance.

rhp06
2008-07-30, 18:01
I ran Spybot S&D again and did a fresh HJT log. This time it also includes many BHOs that weren't listed in the last log...

rhp06
2008-07-30, 18:02
I ran Spybot S&D again and did a fresh HJT log. This time it also includes many BHOs that weren't listed in the last log...

Forgot the log file ... :

___
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:04:00, on 30.07.2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PL15Co2K.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06F0037A-77DC-4CAC-8471-B629FA3639E2} - C:\WINDOWS\System32\efcdeFYr.dll (file missing)
O2 - BHO: (no name) - {07059FD2-4E1B-409E-8F12-D171939ECD6F} - (no file)
O2 - BHO: (no name) - {0777498B-7C29-4A28-BA2D-24B1675FE9CF} - (no file)
O2 - BHO: (no name) - {0B572481-D240-43DE-9280-C7D979CA3B56} - (no file)
O2 - BHO: (no name) - {18F4FBD5-CDE8-492C-9365-1912378EECFE} - C:\WINDOWS\system32\rqRHWnOf.dll
O2 - BHO: (no name) - {22E58F40-2DB9-493B-9EBA-8E01F9D2A8C2} - C:\WINDOWS\System32\efcDspqO.dll (file missing)
O2 - BHO: (no name) - {267C429F-8B19-448C-956E-E7426DD05956} - C:\WINDOWS\System32\ljJATJyx.dll (file missing)
O2 - BHO: (no name) - {308B19E0-692B-4E68-8EE5-243747485D96} - (no file)
O2 - BHO: (no name) - {37C16702-DC68-4D32-B48F-C5E556ED2281} - (no file)
O2 - BHO: (no name) - {3DB3183C-EED6-4F06-AD2C-DB4C05A03AD5} - (no file)
O2 - BHO: (no name) - {424C49E0-8B3E-4D7C-A755-1704369226D4} - (no file)
O2 - BHO: (no name) - {4E62248C-D616-4E12-8B68-811845B6AFFE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F5FF087-B892-427E-B984-2F45CE472BB2} - (no file)
O2 - BHO: (no name) - {65789AA3-119E-45BF-AB9D-E8B5F10662F8} - (no file)
O2 - BHO: (no name) - {74008C54-259C-4E60-AF72-ED29B765F2D5} - (no file)
O2 - BHO: (no name) - {75BD0915-F735-4C4B-AE7D-680B87A7A683} - C:\WINDOWS\System32\cbXNGAtS.dll (file missing)
O2 - BHO: (no name) - {82427A02-5B06-40DB-B596-216D35A6D5CA} - C:\WINDOWS\System32\byXNHWop.dll (file missing)
O2 - BHO: (no name) - {96BEF7B9-62E7-4F0C-ABA5-A40B18AB708B} - (no file)
O2 - BHO: (no name) - {9FE6871C-E29D-4B16-9C61-A83EF965BC08} - (no file)
O2 - BHO: (no name) - {A3A7938B-9999-4BDB-8B1B-D46E5EE7C33E} - (no file)
O2 - BHO: (no name) - {BBA1B420-07C8-45B4-B62A-03E42C5D5172} - (no file)
O2 - BHO: (no name) - {BFB0D21F-A80B-41FD-ACA7-76EA67D44EA0} - (no file)
O2 - BHO: (no name) - {C530DAE4-109E-490A-8417-32892938392F} - (no file)
O2 - BHO: (no name) - {DB035D81-679B-4665-A487-A52295F804C7} - (no file)
O2 - BHO: (no name) - {E61FECD4-9091-45BE-8A12-327DAE12CC4D} - (no file)
O2 - BHO: (no name) - {F4F0EDC7-120E-4306-A52A-0230A204D219} - (no file)
O2 - BHO: (no name) - {FDFD7126-8C42-483D-8E0E-96620B2A12B7} - (no file)
O2 - BHO: (no name) - {FF2C72C9-62AE-4FB6-BEA7-23CDB28FA57A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C9A66198-D585-4160-A963-A889176926B0} - (no file)
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\Mozilla\Firefox\Profiles\7otdqd06.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\Mozilla\Firefox\Profiles/7otdqd06.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqRHWnOf - C:\WINDOWS\SYSTEM32\rqRHWnOf.dll
O21 - SSODL: gnowmebk - {A02B90FE-B813-4EB6-BB9E-A92AFB07F1AD} - (no file)
O21 - SSODL: pxgdslro - {E0D4D696-75FC-45B3-AC8F-6CC8376A06A9} - (no file)
O21 - SSODL: KbdChk - {fa6ba10d-bf23-4a34-a3ae-2ed079639825} - C:\WINDOWS\Resources\KbdChk.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prolific HotFix Q0306270 (PLQ0306270) - Unknown owner - C:\WINDOWS\System32\HotFixQ0306270.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7283 bytes
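The two HijackThis logs above carry the classic Vundo/Virtumonde footprint: a run of unnamed O2 BHOs, several of them backed by eight-letter mixed-case DLLs in System32, an O20 Winlogon Notify hook on the same DLL, orphaned O21 SSODL entries and an O24 Active Desktop component pointing at a local HTML file. The following Python script, added here as an illustration and not part of the original thread, of HijackThis or of ComboFix, parses lines in this log format and flags those load points; the random-name heuristic is this example's own assumption, and the sample lines are constructed from a subset of the entries posted above.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses the "Rxx - ..." / "Oxx - ..." entry lines and flags the load points
Vundo/Virtumonde used here: unnamed BHOs (O2), Winlogon Notify and AppInit_DLLs
hooks (O20), orphaned SSODL entries (O21) and a local-file Desktop Component (O24).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format of the logs posted above (a subset of their lines).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06F0037A-77DC-4CAC-8471-B629FA3639E2} - C:\WINDOWS\System32\efcdeFYr.dll (file missing)
O2 - BHO: (no name) - {07059FD2-4E1B-409E-8F12-D171939ECD6F} - (no file)
O2 - BHO: (no name) - {18F4FBD5-CDE8-492C-9365-1912378EECFE} - C:\WINDOWS\system32\rqRHWnOf.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: rqRHWnOf - C:\WINDOWS\SYSTEM32\rqRHWnOf.dll
O20 - AppInit_DLLs: jpbckd.dll
O21 - SSODL: gnowmebk - {A02B90FE-B813-4EB6-BB9E-A92AFB07F1AD} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

ENTRY_RE = re.compile(r"^(?P<code>[OR]\d{1,2}) - (?P<body>.*)$")
NO_FILE_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    code: str   # HijackThis section, e.g. "O2", "O20"
    body: str   # everything after "Oxx - "


@dataclass
class Finding:
    code: str
    severity: str   # "high": active load point; "low": orphaned leftover to clean up
    reason: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the Rxx/Oxx entry lines; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def looks_randomly_named(path: str) -> bool:
    """Heuristic (assumption of this example): a DLL under System32 whose name is
    exactly eight letters mixing upper and lower case after the first one, like
    rqRHWnOf.dll.  The System32 condition keeps legitimate 8-letter names elsewhere
    (SDHelper.dll) out; lowercase-only random names are missed by design."""
    if "\\system32\\" not in path.lower():
        return False
    name = path.rsplit("\\", 1)[-1]
    if not re.fullmatch(r"[A-Za-z]{8}\.dll", name, re.IGNORECASE):
        return False
    tail = name[1:8]
    return any(c.isupper() for c in tail) and any(c.islower() for c in tail)


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the Vundo-style load-point rules to parsed entries."""
    findings = []
    for e in entries:
        orphaned = any(mk in e.body for mk in NO_FILE_MARKERS)
        target = e.body.rsplit(" - ", 1)[-1].strip()   # last field is the file path
        if e.code == "O2" and e.body.startswith("BHO: (no name)"):
            if orphaned:
                findings.append(Finding(e.code, "low",
                    "orphaned unnamed BHO registration (DLL already gone)", e.body))
            else:
                reason = "unnamed BHO loaded into Internet Explorer"
                if looks_randomly_named(target):
                    reason += "; random-looking DLL name in System32"
                findings.append(Finding(e.code, "high", reason, e.body))
        elif e.code == "O20" and e.body.startswith("Winlogon Notify:"):
            findings.append(Finding(e.code, "high",
                "Winlogon Notify DLL: loaded by winlogon.exe at every logon", e.body))
        elif e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            findings.append(Finding(e.code, "high",
                "AppInit_DLLs: injected into every process that loads user32.dll, explorer.exe included", e.body))
        elif e.code == "O21" and orphaned:
            findings.append(Finding(e.code, "low",
                "orphaned SSODL (ShellServiceObjectDelayLoad) entry", e.body))
        elif e.code == "O24" and "file:///" in e.body.lower() and "\\windows\\" in e.body.lower():
            findings.append(Finding(e.code, "high",
                "Active Desktop component pointing at a local HTML file under the Windows directory", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:<4}] {f.code}: {f.reason}\n       {f.body}")
```

Run against the sample, the script separates the four active load points (the live rqRHWnOf.dll BHO, both O20 hooks and the desktop component) from the three orphaned registrations, which is the same split the helper's CFScript below makes: delete the files that are still present, and clear the AppInit_DLLs value.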

Shaba
2008-08-06, 15:52
Hi rhp06

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

rhp06
2008-08-07, 19:58
I did as you requested:


Combofix Log:

ComboFix 08-08-06.04 - Lotti 2008-08-07 19:41:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1031.18.648 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Lotti\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Lotti\Desktop\WinXP_DE_PRO_BF.EXE
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM7bc3b0f8.txt
C:\WINDOWS\BM7bc3b0f8.xml
C:\WINDOWS\system32\alqnivyn.ini
C:\WINDOWS\system32\awpdepor.dll
C:\WINDOWS\system32\biwgfnnl.ini
C:\WINDOWS\system32\bvmcfbxd.ini
C:\WINDOWS\system32\bvpysuiw.ini
C:\WINDOWS\system32\bvwhcfdu.ini
C:\WINDOWS\system32\cdnoqw.dll
C:\WINDOWS\system32\dblhhxjt.ini
C:\WINDOWS\system32\dehemyjc.ini
C:\WINDOWS\system32\duhgredt.ini
C:\WINDOWS\system32\dxbfcmvb.dll
C:\WINDOWS\system32\ebsrriod.ini
C:\WINDOWS\system32\eKTsDcdd.ini
C:\WINDOWS\system32\eKTsDcdd.ini2
C:\WINDOWS\system32\elmtsiiw.dll
C:\WINDOWS\system32\eLVxyyxx.ini
C:\WINDOWS\system32\eLVxyyxx.ini2
C:\WINDOWS\system32\fccbATlj.dll
C:\WINDOWS\system32\fefgkrei.dll
C:\WINDOWS\system32\fwabnwvs.dll
C:\WINDOWS\system32\fwojvcco.ini
C:\WINDOWS\system32\guryghvw.ini
C:\WINDOWS\system32\hehpuaio.ini
C:\WINDOWS\system32\hqjrafvt.ini
C:\WINDOWS\system32\icanxfvd.ini
C:\WINDOWS\system32\igqjitai.ini
C:\WINDOWS\system32\iqrwobhx.ini
C:\WINDOWS\system32\iuhnbkal.ini
C:\WINDOWS\system32\iureindb.dll
C:\WINDOWS\system32\jgbohmep.ini
C:\WINDOWS\system32\jldock.dll
C:\WINDOWS\system32\jlTAbccf.ini
C:\WINDOWS\system32\jlTAbccf.ini2
C:\WINDOWS\system32\jpbckd.dll
C:\WINDOWS\system32\JQssvGgh.ini
C:\WINDOWS\system32\JQssvGgh.ini2
C:\WINDOWS\system32\juksnbmp.ini
C:\WINDOWS\system32\kckphsne.ini
C:\WINDOWS\system32\kexmxxhc.ini
C:\WINDOWS\system32\kvyuueka.ini
C:\WINDOWS\system32\lakbnhui.dll
C:\WINDOWS\system32\lbfnyttn.ini
C:\WINDOWS\system32\lprbxkva.dll
C:\WINDOWS\system32\lrxfsjpx.dll
C:\WINDOWS\system32\mawtbxpf.ini
C:\WINDOWS\system32\mbtinpgt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlnqBcfe.ini
C:\WINDOWS\system32\mlnqBcfe.ini2
C:\WINDOWS\system32\mvjbgwsu.ini
C:\WINDOWS\system32\ocousctt.dll
C:\WINDOWS\system32\odmlolfe.ini
C:\WINDOWS\system32\ongxajlk.ini
C:\WINDOWS\system32\OqpsDcfe.ini
C:\WINDOWS\system32\OqpsDcfe.ini2
C:\WINDOWS\system32\oqtkdrhs.ini
C:\WINDOWS\system32\pavankff.ini
C:\WINDOWS\system32\pduhvgyh.ini
C:\WINDOWS\system32\poWHNXyb.ini
C:\WINDOWS\system32\poWHNXyb.ini2
C:\WINDOWS\system32\qigdkyaq.ini
C:\WINDOWS\system32\qlcjvqka.ini
C:\WINDOWS\system32\QXHiQXbc.ini
C:\WINDOWS\system32\QXHiQXbc.ini2
C:\WINDOWS\system32\rfddwdpd.ini
C:\WINDOWS\system32\rgcsgimv.ini
C:\WINDOWS\system32\rkmsvmyt.ini
C:\WINDOWS\system32\rqRHWnOf.dll
C:\WINDOWS\system32\rYFedcfe.ini
C:\WINDOWS\system32\rYFedcfe.ini2
C:\WINDOWS\system32\shrdktqo.dll
C:\WINDOWS\system32\snlwchsi.ini
C:\WINDOWS\system32\StAGNXbc.ini
C:\WINDOWS\system32\StAGNXbc.ini2
C:\WINDOWS\system32\svwnbawf.ini
C:\WINDOWS\system32\ttcsuoco.ini
C:\WINDOWS\system32\tuCJknmp.ini
C:\WINDOWS\system32\tuCJknmp.ini2
C:\WINDOWS\system32\tuuhmpws.ini
C:\WINDOWS\system32\tuvuEfhk.ini
C:\WINDOWS\system32\tuvuEfhk.ini2
C:\WINDOWS\system32\udjkcmyq.ini
C:\WINDOWS\system32\udyoipse.ini
C:\WINDOWS\system32\ufnhcwkb.ini
C:\WINDOWS\system32\urgbarvv.ini
C:\WINDOWS\system32\uxmvfvyx.ini
C:\WINDOWS\system32\vdiqrtgd.ini
C:\WINDOWS\system32\vfqkmncr.ini
C:\WINDOWS\system32\vgxpbshy.ini
C:\WINDOWS\system32\vklycgbh.dll
C:\WINDOWS\system32\vmigscgr.dll
C:\WINDOWS\system32\vnlnxuyk.ini
C:\WINDOWS\system32\wcfhyjtl.ini
C:\WINDOWS\system32\wcjncjxa.ini
C:\WINDOWS\system32\wiistmle.ini
C:\WINDOWS\system32\wimjrflw.ini
C:\WINDOWS\system32\xbsgktjs.ini
C:\WINDOWS\system32\xnwvivpv.ini
C:\WINDOWS\system32\xpjsfxrl.ini
C:\WINDOWS\system32\xyJTAJjl.ini
C:\WINDOWS\system32\xyJTAJjl.ini2
C:\WINDOWS\system32\xylcxjyi.ini
C:\WINDOWS\system32\xyrgrgmb.ini
C:\WINDOWS\system32\xyvfvmxu.dll
C:\WINDOWS\system32\xzbdtb.dll
C:\WINDOWS\system32\yeldmt.dll

.
((((((((((((((((((((((( Dateien erstellt von 2008-07-07 bis 2008-08-07 ))))))))))))))))))))))))))))))
.

2008-08-02 18:55 . 2008-08-02 18:55 <DIR> d-------- C:\Programme\Foxit Software
2008-07-30 17:35 . 2008-07-30 17:36 134 --a------ C:\WINDOWS\_delis32.ini
2008-07-29 17:20 . 2008-07-29 17:35 <DIR> d-------- C:\WINDOWS\ServicePacks
2008-07-28 20:24 . 2008-07-28 20:24 <DIR> d-------- C:\Programme\Trend Micro
2008-07-28 18:06 . 2008-07-28 18:06 294 ---hs---- C:\WINDOWS\system32\hpbxiwcw.ini
2008-07-25 16:46 . 2008-07-25 16:46 <DIR> d-------- C:\Programme\Avira
2008-07-25 16:46 . 2008-07-25 16:46 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-07-23 15:58 . 2008-07-23 20:24 354 ---hs---- C:\WINDOWS\system32\roogyacg.ini
2008-07-22 15:54 . 2008-07-22 17:25 43,581 ---hs---- C:\WINDOWS\system32\dtadopnn.ini
2008-07-21 15:54 . 2008-07-21 17:39 43,581 ---hs---- C:\WINDOWS\system32\tjfhcvko.ini
2008-07-18 14:20 . 2008-07-18 14:20 31,888 --a------ C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 16:43 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2008-07-29 18:28 --------- d-----w C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\Skype
2008-07-25 15:45 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-07-25 14:44 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-07-24 14:20 --------- d-----w C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\DVD Profiler
2008-07-24 14:19 --------- d-----w C:\Programme\IrfanView
2008-07-24 13:56 --------- d-----w C:\Programme\DVD Profiler
2008-07-04 12:33 --------- d-----w C:\Programme\ICQ6
2008-07-03 13:15 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-07-03 13:15 --------- d-----w C:\Programme\ICQ6Toolbar
2008-07-03 13:15 --------- d-----w C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\ICQ
2008-07-03 13:15 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ICQ
2008-06-28 07:57 --------- d-----w C:\Programme\Audiograbber
2008-06-09 15:54 --------- d-----w C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\vlc
2008-06-09 15:51 --------- d-----w C:\Programme\Video
2008-05-17 21:14 245,760 ----a-w C:\WINDOWS\DEL_nldfmtappek.dll
2007-12-18 19:00 5,862,994 ----a-w C:\Programme\TeamSpeak.exe
2007-08-16 17:45 434,316 ----a-w C:\Programme\lame-3.97.zip
2007-04-09 19:03 1,410,680 ----a-w C:\Programme\install_flash_player.exe
2001-11-23 05:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2000-01-01 00:00 23 --sh--r C:\WINDOWS\mtlid64s2.dat
.

------- Sigcheck -------

2001-08-23 14:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\system32\winlogon.exe
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 00:38 968696]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-01-24 12:15 7311360]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"HI-SPEED USB DEVICE Coinstaller"="PL15Co2K.exe" [2003-07-10 17:59 86016 C:\WINDOWS\PL15Co2K.exe]
"nwiz"="nwiz.exe" [2006-01-24 12:15 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jpbckd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C-Media Mixer"=Mixer.exe /startup

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
S2 PLQ0306270;Prolific HotFix Q0306270;C:\WINDOWS\System32\HotFixQ0306270.exe []

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

BHO-{06F0037A-77DC-4CAC-8471-B629FA3639E2} - C:\WINDOWS\System32\efcdeFYr.dll
BHO-{22E58F40-2DB9-493B-9EBA-8E01F9D2A8C2} - C:\WINDOWS\System32\efcDspqO.dll
BHO-{267C429F-8B19-448C-956E-E7426DD05956} - C:\WINDOWS\System32\ljJATJyx.dll
BHO-{75BD0915-F735-4C4B-AE7D-680B87A7A683} - C:\WINDOWS\System32\cbXNGAtS.dll
BHO-{82427A02-5B06-40DB-B596-216D35A6D5CA} - C:\WINDOWS\System32\byXNHWop.dll
HKCU-RunOnce-FFTI - C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\Mozilla\Firefox\Profiles\7otdqd06.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe
SSODL-gnowmebk-{A02B90FE-B813-4EB6-BB9E-A92AFB07F1AD} - (no file)
SSODL-pxgdslro-{E0D4D696-75FC-45B3-AC8F-6CC8376A06A9} - (no file)
SSODL-KbdChk-{fa6ba10d-bf23-4a34-a3ae-2ed079639825} - C:\WINDOWS\Resources\KbdChk.dll


.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\Mozilla\Firefox\Profiles\zvw48827.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.de
FF -: plugin - F:\Eigene Dateien Carolin\Rüdiger\Video\VLC\npvlc.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 19:43:39
Windows 5.1.2600 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere, laufende Prozesse ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\guardgui.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\guardgui.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-08-07 19:48:13 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-08-07 17:46:55

Pre-Run: 8 Verzeichnis(se), 17,471,582,208 Bytes frei
Post-Run: 11 Verzeichnis(se), 17,298,735,104 Bytes frei

WinXP_DE_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

228


-----------


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:57:50, on 07.08.2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\PL15Co2K.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: jpbckd.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prolific HotFix Q0306270 (PLQ0306270) - Unknown owner - C:\WINDOWS\System32\HotFixQ0306270.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3773 bytes


Greets!

Shaba
2008-08-07, 20:00
Something still left:

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\hpbxiwcw.ini
C:\WINDOWS\system32\roogyacg.ini
C:\WINDOWS\system32\dtadopnn.ini
C:\WINDOWS\system32\tjfhcvko.ini

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

rhp06
2008-08-07, 20:28
Used CFScript in Combofix. This is the new Combofix Log:


ComboFix 08-08-06.04 - Lotti 2008-08-07 20:26:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1031.18.732 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Lotti\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Lotti\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

FILE ::
C:\WINDOWS\system32\dtadopnn.ini
C:\WINDOWS\system32\hpbxiwcw.ini
C:\WINDOWS\system32\roogyacg.ini
C:\WINDOWS\system32\tjfhcvko.ini
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dtadopnn.ini
C:\WINDOWS\system32\hpbxiwcw.ini
C:\WINDOWS\system32\roogyacg.ini
C:\WINDOWS\system32\tjfhcvko.ini

.
((((((((((((((((((((((( Dateien erstellt von 2008-07-07 bis 2008-08-07 ))))))))))))))))))))))))))))))
.

2008-08-02 18:55 . 2008-08-02 18:55 <DIR> d-------- C:\Programme\Foxit Software
2008-07-30 17:35 . 2008-07-30 17:36 134 --a------ C:\WINDOWS\_delis32.ini
2008-07-29 17:20 . 2008-07-29 17:35 <DIR> d-------- C:\WINDOWS\ServicePacks
2008-07-28 20:24 . 2008-07-28 20:24 <DIR> d-------- C:\Programme\Trend Micro
2008-07-25 16:46 . 2008-07-25 16:46 <DIR> d-------- C:\Programme\Avira
2008-07-25 16:46 . 2008-07-25 16:46 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-07-18 14:20 . 2008-07-18 14:20 31,888 --a------ C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 16:43 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2008-07-29 18:28 --------- d-----w C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\Skype
2008-07-25 15:45 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-07-25 14:44 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-07-24 14:20 --------- d-----w C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\DVD Profiler
2008-07-24 14:19 --------- d-----w C:\Programme\IrfanView
2008-07-24 13:56 --------- d-----w C:\Programme\DVD Profiler
2008-07-04 12:33 --------- d-----w C:\Programme\ICQ6
2008-07-03 13:15 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-07-03 13:15 --------- d-----w C:\Programme\ICQ6Toolbar
2008-07-03 13:15 --------- d-----w C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\ICQ
2008-07-03 13:15 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ICQ
2008-06-28 07:57 --------- d-----w C:\Programme\Audiograbber
2008-06-09 15:54 --------- d-----w C:\Dokumente und Einstellungen\Lotti\Anwendungsdaten\vlc
2008-06-09 15:51 --------- d-----w C:\Programme\Video
2008-05-17 21:14 245,760 ----a-w C:\WINDOWS\DEL_nldfmtappek.dll
2007-12-18 19:00 5,862,994 ----a-w C:\Programme\TeamSpeak.exe
2007-08-16 17:45 434,316 ----a-w C:\Programme\lame-3.97.zip
2007-04-09 19:03 1,410,680 ----a-w C:\Programme\install_flash_player.exe
2001-11-23 05:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2000-01-01 00:00 23 --sh--r C:\WINDOWS\mtlid64s2.dat
.

------- Sigcheck -------

2001-08-23 14:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-08-07_19.46.17.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-07 15:52:52 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-07 17:44:50 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-07 15:52:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-07 17:44:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-07 15:52:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2008-08-07 17:44:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
- 2008-05-22 15:09:40 48,156 ----a-w C:\WINDOWS\system32\perfc007.dat
+ 2008-08-07 17:50:42 48,156 ----a-w C:\WINDOWS\system32\perfc007.dat
- 2008-05-22 15:09:40 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-07 17:50:42 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-22 15:09:40 316,594 ----a-w C:\WINDOWS\system32\perfh007.dat
+ 2008-08-07 17:50:42 316,594 ----a-w C:\WINDOWS\system32\perfh007.dat
- 2008-05-22 15:09:40 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-07 17:50:42 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 00:38 968696]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-01-24 12:15 7311360]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"HI-SPEED USB DEVICE Coinstaller"="PL15Co2K.exe" [2003-07-10 17:59 86016 C:\WINDOWS\PL15Co2K.exe]
"nwiz"="nwiz.exe" [2006-01-24 12:15 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\
Adobe Gamma Loader.lnk - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-20 09:57:55 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C-Media Mixer"=Mixer.exe /startup

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
S2 PLQ0306270;Prolific HotFix Q0306270;C:\WINDOWS\System32\HotFixQ0306270.exe []

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 20:27:30
Windows 5.1.2600 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-08-07 20:27:50
ComboFix-quarantined-files.txt 2008-08-07 18:27:48
ComboFix2.txt 2008-08-07 17:48:38

Pre-Run: 9 Verzeichnis(se), 17,280,020,480 Bytes frei
Post-Run: 11 Verzeichnis(se), 17,266,573,312 Bytes frei

109



--------------------

And this is the fresh HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:30:41, on 07.08.2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\PL15Co2K.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prolific HotFix Q0306270 (PLQ0306270) - Unknown owner - C:\WINDOWS\System32\HotFixQ0306270.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3783 bytes

Shaba
2008-08-07, 20:33
Please download this tool (http://go.microsoft.com/fwlink/?linkid=52012) from Microsoft.
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.

rhp06
2008-08-07, 20:39
MGADiag Log


Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Blocked VLK
Validation Code: 3
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-YXRKT-8TG6W-2B7Q8
Windows Product Key Hash: RVvFciZMdQfJLyDpZteolhaqicQ=
Windows Product ID: 55274-640-0000356-23671
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.0.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {16A7089A-1A43-451B-8E40-1ADDE8F9AA67}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office XP Professional mit FrontPage - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE; Win32)
Default Browser: C:\Programme\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\winlogon.exe[5.1.2600.0]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{16A7089A-1A43-451B-8E40-1ADDE8F9AA67}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010100.0.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2B7Q8</PKey><PID>55274-640-0000356-23671</PID><PIDType>1</PIDType><SID>S-1-5-21-1004336348-1078145449-839522115</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>ASUS M2NPV-MX ACPI BIOS Revision 0303</Version><SMBIOSVersion major="2" minor="3"/><Date>20060627******.******+***</Date></BIOS><HWID>05C03ACF0184CE66</HWID><UserLCID>0407</UserLCID><SystemLCID>0407</SystemLCID><TimeZone>Westeuropäische Normalzeit(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>114</Result><Products><Product GUID="{90280407-6000-11D3-8CFE-0050048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office XP Professional mit FrontPage</Name><Ver>10</Ver><Val>39476F84C4B4004</Val><Hash>4iCnywwNW1w4s9ukTIwGMGxyGic=</Hash><Pid>54199-640-0000025-17404</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="10" Result="114"/><App Id="16" Version="10" Result="114"/><App Id="17" Version="10" Result="114"/><App Id="18" Version="10" Result="114"/><App Id="1A" Version="10" Result="114"/><App Id="1B" Version="10" Result="114"/></Applications></Office></Software></GenuineResults>

Shaba
2008-08-07, 20:41
Looks like your Windows is not legit, so help stops now.

Read more here (http://forums.spybot.info/showpost.php?p=25290&postcount=4)

rhp06
2008-08-08, 15:36
Sorry!
I wasn't aware of that, since the infected computer is my cousin's!
Nonetheless, thank you for your invested time!

Greets