problem with Click.GiftLoad



Dyrektor
2011-04-15, 08:52
Hi, I have a problem with Click.GiftLoad.
I scanned with aswMBR.
Please help me; my English works only with Google Translate.
Thanks,
Dyrektor

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-15 08:36:12
-----------------------------
08:36:12.499 OS Version: Windows 6.1.7601 Service Pack 1
08:36:12.499 Number of processors: 2 586 0xE08
08:36:12.500 ComputerName: XPS UserName:
08:36:17.870 Initialize success
08:36:29.318 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
08:36:29.321 Disk 0 Vendor: ST9500421AS 0002SDM3 Size: 476940MB BusType: 3
08:36:29.325 Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST9500421AS_____________________________0002SDM3#5&b9654a1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
08:36:31.340 Disk 0 MBR read successfully
08:36:31.344 Disk 0 MBR scan
08:36:31.347 Disk 0 TDL4@MBR code has been found
08:36:31.354 Disk 0 MBR hidden
08:36:31.359 Disk 0 MBR [TDL4] **ROOTKIT**
08:36:31.363 Disk 0 trace - called modules:
08:36:31.369 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86571439]<<
08:36:31.374 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86550030]
08:36:31.379 3 CLASSPNP.SYS[8bfa559e] -> nt!IofCallDriver -> [0x857075c0]
08:36:31.386 5 ACPI.sys[831b83d4] -> nt!IofCallDriver -> \IdeDeviceP0T0L0-0[0x86451030]
08:36:31.391 \Driver\atapi[0x8655faf0] -> IRP_MJ_CREATE -> 0x86571439
08:36:31.401 Scan finished successfully

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Darius at 9:00:37,12 on 15.04.2011
Internet Explorer: 8.0.7601.17514
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.3326.2074 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\CSR\Vista Profile Pack\BtHidUi.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CSR\Vista Profile Pack\HidSw.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe
C:\Windows\System32\svchost.exe -k secsvcs
D:\Downloads\aswMBR.exe
D:\Program Files\Mozilla Firefox 4.0 Beta 12\plugin-container.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
D:\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - d:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Remote Control Editor] "c:\program files\common files\terratec\remote\TTTvRc.exe"
uRun: [Steam] d:\program files\valve\steam\\Steam.exe -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [BtHidUi] c:\program files\csr\vista profile pack\BtHidUi.exe
mRun: [<NO NAME>]
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [BCSSync] "d:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [Conime] %windir%\system32\conime.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~1\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\darius\appdata\roaming\mozilla\firefox\profiles\7o611uty.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: d:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: d:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: d:\program files\adobe\reader 10.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\videolan\vlc\npvlc.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\avira\antivir desktop\sched.exe [2011-3-2 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-2 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-2 61960]
R2 BthFilterHelper;Bluetooth Feature Support;c:\program files\csr\vista profile pack\BthFilterHelper.exe [2006-11-7 127488]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-6 1153368]
R3 BTHFILT;Bluetooth-Befehlsfilter;c:\windows\system32\drivers\BthFilt.sys [2011-3-2 13824]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-3 136176]
S3 b57nd60x;Broadcom NetXtreme-Gigabit-Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-4-19 18432]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000-Serie - Adaptertreiber für Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S3 StorSvc;Speicherdienst;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-7 52224]
.
=============== Created Last 30 ================
.
2011-04-14 19:30:13 -------- d-----w- c:\users\darius\appdata\roaming\Malwarebytes
2011-04-14 19:30:00 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-14 19:29:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 17:44:49 -------- d-----w- c:\windows\system32\appmgmt
2011-04-14 14:34:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 13:13:32 -------- d-----w- c:\users\darius\appdata\local\GHISLER
2011-04-13 13:24:53 -------- d-----w- c:\users\darius\appdata\local\Mozilla Corporation
2011-04-12 16:13:16 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{9544baa0-5a43-41f1-a728-039e868b32c0}\mpengine.dll
2011-04-09 17:40:45 -------- d-----w- c:\users\darius\appdata\roaming\TeamViewer
2011-04-07 19:57:48 545 ----a-w- c:\windows\UC.PIF
2011-04-07 19:57:48 545 ----a-w- c:\windows\RAR.PIF
2011-04-07 19:57:48 545 ----a-w- c:\windows\PKZIP.PIF
2011-04-07 19:57:48 545 ----a-w- c:\windows\PKUNZIP.PIF
2011-04-07 19:57:48 545 ----a-w- c:\windows\NOCLOSE.PIF
2011-04-07 19:57:48 545 ----a-w- c:\windows\LHA.PIF
2011-04-07 19:57:48 545 ----a-w- c:\windows\ARJ.PIF
2011-04-07 19:57:48 -------- d-----w- c:\users\darius\appdata\roaming\GHISLER
2011-04-06 11:48:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-06 11:48:58 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-04-04 16:25:42 -------- d-----w- c:\users\darius\appdata\roaming\Rovio
2011-04-03 21:41:27 -------- d-----w- c:\users\darius\appdata\roaming\GetRightToGo
2011-03-29 09:10:24 -------- d-----w- c:\users\darius\appdata\roaming\Avira
2011-03-22 15:34:02 6234624 ----a-w- c:\users\darius\appdata\roaming\microsoft\windows\start menu\programs\ifunbox_de\iFunBox.exe
.
==================== Find3M ====================
.
2011-03-07 18:49:06 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-19 06:30:54 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:30:51 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-18 15:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-17 05:47:13 161792 ----a-w- c:\windows\system32\d3d10_1.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: ST9500421AS rev.0002SDM3 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86571439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x865777d0]; MOV EAX, [0x8657784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A4D52F] -> \Device\Harddisk0\DR0[0x86550030]
3 CLASSPNP[0x8BFA559E] -> ntkrnlpa!IofCallDriver[0x82A4D52F] -> [0x857075C0]
5 ACPI[0x831B83D4] -> ntkrnlpa!IofCallDriver[0x82A4D52F] -> \IdeDeviceP0T0L0-0[0x86451030]
\Driver\atapi[0x8655FAF0] -> IRP_MJ_CREATE -> 0x86571439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST9500421AS_____________________________0002SDM3#5&b9654a1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 976773166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 9:01:16,82 ===============

Edit:
Thread opened in the German forum:
http://forums.spybot.info/showthread.php?p=401210#post401210
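The two logs above carry the same three indicators: a disk-stack driver whose IRP dispatch lands in memory no loaded module accounts for (the `>>UNKNOWN [0x86571439]<<` address that `\Driver\atapi` dispatches to), an MBR that reads differently from user mode and from the kernel (`user != kernel MBR`, plus the end-of-disk `sectors ... (+255)` line where TDL4 keeps its hidden storage), and a code pattern match on the MBR itself. The script below is an added example, not part of the post and not code from aswMBR or gmer: it pulls those indicators out of log lines shaped like the ones posted (the sample lines are constructed for the example) and correlates them, and it emulates the MBR stub's decoder from the disassembly shown (`MOV CX,0x147; MOV BP,0x62a; ROR BYTE [BP],CL; INC BP`) to show why the rotate-by-position scheme leaves no fixed byte pattern to signature. The post's disassembly stops after `INC BP`, so the loop back over CX bytes is an assumption of the example.

```python
"""Triage of an aswMBR / gmer mbr.exe log and emulation of the TDL4 MBR decoder stub.

Added example; not part of the forum post, nor code from aswMBR or gmer. The sample
log lines are constructed after the shapes in the post. The decoder emulation assumes
the stub loops back over CX bytes (the posted disassembly stops after INC BP).
"""
import re

# Constructed sample log: the lines a practitioner keys on, in the shapes the post shows.
SAMPLE_LOG = """\
08:36:31.340 Disk 0 MBR read successfully
08:36:31.347 Disk 0 TDL4@MBR code has been found
08:36:31.359 Disk 0 MBR [TDL4] **ROOTKIT**
08:36:31.369 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86571439]<<
08:36:31.391 \\Driver\\atapi[0x8655faf0] -> IRP_MJ_CREATE -> 0x86571439
user != kernel MBR !!!
sectors 976773166 (+255): user != kernel
"""

# Each indicator captures the parts worth correlating (addresses, driver, IRP major code).
INDICATORS = {
    "mbr_code_match": re.compile(r"@MBR code has been found"),
    "unknown_module": re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<"),
    "dispatch_hook": re.compile(
        r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)"),
    "mbr_mismatch": re.compile(r"user != kernel MBR"),
    "hidden_sectors": re.compile(r"sectors (\d+) \(\+(\d+)\): user != kernel"),
}


def triage(log_text):
    """Return {indicator: [captured groups, ...]} for every line matching an indicator."""
    findings = {}
    for line in log_text.splitlines():
        for name, rx in INDICATORS.items():
            m = rx.search(line)
            if m:
                findings.setdefault(name, []).append(m.groups())
    return findings


def hook_target_unknown(findings):
    """True when a disk-stack driver's IRP dispatch points at the address the disk trace
    could not attribute to any loaded module (the >>UNKNOWN [addr]<< entry)."""
    unknown = {g[0].lower() for g in findings.get("unknown_module", [])}
    hook_targets = {g[2].lower() for g in findings.get("dispatch_hook", [])}
    return bool(unknown & hook_targets)


def verdict(findings):
    """A user-mode/kernel-mode read mismatch alone is conclusive (only something filtering
    sector reads produces it); otherwise require both the unattributed dispatch hook and
    a known bootkit code pattern before calling it."""
    mismatch = "mbr_mismatch" in findings or "hidden_sectors" in findings
    hooked = hook_target_unknown(findings)
    pattern = "mbr_code_match" in findings
    evidence = []
    if mismatch:
        evidence.append("MBR or end-of-disk sectors read differently from user mode and kernel mode")
    if hooked:
        evidence.append("disk-stack IRP dispatch hooked into unattributed kernel memory")
    if pattern:
        evidence.append("known bootkit MBR code pattern matched")
    return {"rootkit": mismatch or (hooked and pattern), "evidence": evidence}


# --- the MBR stub ----------------------------------------------------------------
# The posted disassembly copies the 512-byte sector from 0x7c00 to 0x600, jumps to
# 0000:061c, then runs MOV CX,0x147; MOV BP,0x62a; ROR BYTE [BP],CL; INC BP. With the
# assumed LOOP, each of the 0x147 bytes from sector offset 0x2a is rotated by a count
# that changes with position, so the encoded body carries no fixed byte pattern.
DECODE_START, DECODE_COUNT = 0x62a - 0x600, 0x147


def _ror8(b, n):
    n &= 7  # a byte rotate by CL gives the same result as a rotate by CL mod 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def _rol8(b, n):
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def tdl4_decode(sector, start=DECODE_START, count=DECODE_COUNT):
    """Emulate the decoder loop over a sector image: CL starts at count and decrements
    once per iteration while BP advances one byte."""
    out = bytearray(sector)
    bp, cx = start, count
    while cx:
        out[bp] = _ror8(out[bp], cx)
        bp += 1
        cx -= 1
    return bytes(out)


def tdl4_encode(sector, start=DECODE_START, count=DECODE_COUNT):
    """Inverse of tdl4_decode: the transform a dropper applies to the plaintext body."""
    out = bytearray(sector)
    bp, cx = start, count
    while cx:
        out[bp] = _rol8(out[bp], cx)
        bp += 1
        cx -= 1
    return bytes(out)


if __name__ == "__main__":
    v = verdict(triage(SAMPLE_LOG))
    print("rootkit:", v["rootkit"])
    for e in v["evidence"]:
        print(" -", e)
    plain = bytes(range(256)) * 2  # constructed stand-in for a 512-byte sector image
    print("round trip ok:", tdl4_decode(tdl4_encode(plain)) == plain)
```

Two practical notes for anyone working a log like this. The `mbr.exe -f` fix the gmer output recommends rewrites the MBR with standard boot code; take a full disk image first if the machine matters, because the rewrite destroys the evidence in the MBR and does nothing about the hidden end-of-disk storage, and a machine that has run kernel-mode code from an attacker should be treated as fully compromised (credentials changed, reinstall preferred) rather than merely cleaned.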