Really nasty one... (Resolved)

[stine1]

Hi,
for one week now I have a problem which no Antivirus programme can delete :-( I have tried Avira (didn't find it), Norton 360 (found it but can't remove it), Spybot (didn't find it) and Ad-Aware (didn't find it). Oh, and AVG, but couldn't remove it either.

This is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:19:30, on 16.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\movie - XL\j-point.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
C:\Programme\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame

Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programme\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MessengerUpdate - {5948A52A-BA3A-49A8-BCAF-D578502BDA9D} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

C:\Programme\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: movie - XL.lnk = C:\Programme\movie - XL\StartJP.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{56A5CBB6-02B4-4323-BBC5-5C7958ED46C5}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2FEBBBC-1F75-48B9-BBF5-7BD7B8D893CB}: NameServer = 192.168.2.1
O20 - AppInit_DLLs: ,C:\DOKUME~1\stine1\LOKALE~1\Temp\4205218933mxx.dll
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Programme\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame

Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Programme\Java\jre6\bin\jqs.exe (file

missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Programme\Alcohol Soft\Alcohol

120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Tor Win32 Service (tor) - Unknown owner - C:\Programme\Vidalia Bundle\Tor\tor.exe (file missing)

--
End of file - 4622 bytes

And I have used RootAlyzer. This one can identify the files but I can't delete them. As it is not allowed to post the files RootAlyzer has packed, I will provide a screenshot - I hope it's ok:

As far as I know this trojan/virus/whatever changes my search engine results. I don't know how to express this in English.... When I use a search engine like Google and click on a result, it redirects me to another site. Sometimes with a tool for removing trojans... ha ha....

How can I get rid of this?
Thank you very much!

 

[katana]

Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

1. Please Read All Instructions Carefully
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you
4. Failure to reply within 5 days will result in the topic being closed.
5. Please continue to respond until I give you the "All Clear"
   (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe


----------------------------------------------------------------------------------------
Step 1

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

O20 - AppInit_DLLs: ,C:\DOKUME~1\stine1\LOKALE~1\Temp\4205218933mxx.dll

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

----------------------------------------------------------------------------------------
Step 2

Download and Run RSIT

• Please download Random's System Information Tool by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open:
  • log.txt will be opened maximized.
  • info.txt will be opened minimized.
• Please post the contents of both log.txt and info.txt.

----------------------------------------------------------------------------------------
Step 3

Please Download GMER to your desktop

Download GMER and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click Yes.
  
• Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
  
• GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

• Click the Scan button and let the program do its work. GMER will produce a log.
• Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

• RSIT Logs
• GMER Log

 

[stine1]

Thank you ver much,
here are the logs from step 2, step 1 worked:

info.txt logfile of random's system information tool 1.06 2009-07-19 07:42:00

======Uninstall list======

-->MsiExec /X{74224F8D-4A17-4816-9EDB-7BB854DE532C}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1.2 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A91000000001}
Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir Desktop\setup.exe /REMOVE
CCleaner (remove only)-->"C:\Programme\CCleaner\uninst.exe"
Die Siedler - Aufbruch der Kulturen-->"D:\Die Siedler - Aufbruch der Kulturen\uninstall.exe"
DivX Codec-->C:\Programme\DivX\DivXCodecUninstall.exe /CODEC
DivX Plus DirectShow Filters-->C:\Programme\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
GEAR driver installer for x86 and x64-->MsiExec.exe /I{2EA45803-BEB7-46C4-9ADC-46A5F9E7BB77}
GetRight-->"C:\Programme\GetRight\unins000.exe"
HijackThis 2.0.2-->"C:\Programme\Trend Micro\HijackThis\HijackThis.exe" /uninstall
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
make-euros.net paid4surf 4.2.1-->"C:\Programme\make-euros 4.2.1\unins000.exe"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Language Pack - DEU-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0 Language Pack - DEU\install.exe
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft-Basissmartcard-Kryptografiedienstanbieterpaket-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
movie - XL-->"C:\Programme\movie - XL\Uninstall.exe" "C:\Programme\movie - XL\install.log"
Mozilla Firefox (2.0.0.16)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX v8.04.25-->MsiExec.exe /X{74224F8D-4A17-4816-9EDB-7BB854DE532C}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x7 -removeonly
Runes of Magic-->"d:\Runes of Magic\unins000.exe"
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Spybot - Search & Destroy-->"C:\Programme\Spybot - Search & Destroy\unins000.exe"
System Requirements Lab-->C:\Programme\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2-->C:\Programme\Teamspeak2_RC2\unins000.exe
Turbo Lister 2-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
ULi LAN Driver-->C:\WINDOWS\system32\UnLAN.EXE RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{143BE018-D8F8-4014-8CB6-AF63F5799D21}\Setup.exe" -uninst
Uninstall 1.0.0.0-->"C:\Programme\Gemeinsame Dateien\DVDVideoSoft\unins000.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Winamp-->"C:\Programme\Winamp\UninstWA.exe"
Windows Media Format 11 runtime-->"C:\Programme\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Programme\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR-->C:\Programme\WinRAR\uninstall.exe
World of Warcraft-->C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\WORLD OF WARCRAFT\Uninstall.exe
XMedia Recode 2.0.7.0-->C:\Programme\XMedia Recode\uninst.exe

=====HijackThis Backups=====

O23 - Service: Tor Win32 Service (tor) - Unknown owner - C:\Programme\Vidalia Bundle\Tor\tor.exe (file missing) [2009-07-15]
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing) [2009-07-15]
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing) [2009-07-15]
O23 - Service: Tor Win32 Service (tor) - Unknown owner - C:\Programme\Vidalia Bundle\Tor\tor.exe (file missing) [2009-07-15]
O2 - BHO: MessengerUpdate - {5948A52A-BA3A-49A8-BCAF-D578502BDA9D} - (no file) [2009-07-16]
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) [2009-07-16]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe [2009-07-16]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe [2009-07-16]
O20 - AppInit_DLLs: ,C:\DOKUME~1\stine1\LOKALE~1\Temp\4205218933mxx.dll [2009-07-19]

======Hosts File======

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======Security center information======

AV: AntiVir Desktop

======System event log======

Computer Name: STINEPC
Event Code: 7036
Message: Dienst "NLA (Network Location Awareness)" befindet sich jetzt im Status "Ausgeführt".

Record Number: 2431
Source Name: Service Control Manager
Time Written: 20090601151227.000000+120
Event Type: Informationen
User:

Computer Name: STINEPC
Event Code: 7035
Message: Der Steuerbefehl "starten" wurde erfolgreich an den Dienst "SSDP-Suchdienst" gesendet.

Record Number: 2430
Source Name: Service Control Manager
Time Written: 20090601151227.000000+120
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM

Computer Name: STINEPC
Event Code: 7035
Message: Der Steuerbefehl "starten" wurde erfolgreich an den Dienst "NLA (Network Location Awareness)" gesendet.

Record Number: 2429
Source Name: Service Control Manager
Time Written: 20090601151227.000000+120
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM

Computer Name: STINEPC
Event Code: 7036
Message: Dienst "Kompatibilität für schnelle Benutzerumschaltung" befindet sich jetzt im Status "Ausgeführt".

Record Number: 2428
Source Name: Service Control Manager
Time Written: 20090601151227.000000+120
Event Type: Informationen
User:

Computer Name: STINEPC
Event Code: 7035
Message: Der Steuerbefehl "starten" wurde erfolgreich an den Dienst "Kompatibilität für schnelle Benutzerumschaltung" gesendet.

Record Number: 2427
Source Name: Service Control Manager
Time Written: 20090601151227.000000+120
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM

=====Application event log=====

Computer Name: STINEPC
Event Code: 4096
Message:
Record Number: 3419
Source Name: H+BEDV AntiVir
Time Written: 20070820111004.000000+120
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM

Computer Name: STINEPC
Event Code: 1800
Message: Der Windows-Sicherheitscenterdienst wurde gestartet.

Record Number: 3418
Source Name: SecurityCenter
Time Written: 20070819183245.000000+120
Event Type: Informationen
User:

Computer Name: STINEPC
Event Code: 4096
Message:
Record Number: 3417
Source Name: H+BEDV AntiVir
Time Written: 20070819183242.000000+120
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM

Computer Name: STINEPC
Event Code: 1800
Message: Der Windows-Sicherheitscenterdienst wurde gestartet.

Record Number: 3416
Source Name: SecurityCenter
Time Written: 20070819155805.000000+120
Event Type: Informationen
User:

Computer Name: STINEPC
Event Code: 4096
Message:
Record Number: 3415
Source Name: H+BEDV AntiVir
Time Written: 20070819155803.000000+120
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Programme\Gemeinsame Dateien\DivX Shared\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 55 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=3702
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

 

[stine1]

Logfile of random's system information tool 1.06 (written by random/random)
Run by stine1 at 2009-07-19 07:41:55
Microsoft Windows XP Professional Service Pack 3
System drive C: has 47 GB (47%) free of 100 GB
Total RAM: 2047 MB (72% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:41:59, on 19.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\stine1\Desktop\RSIT.exe
C:\Programme\Trend Micro\HijackThis\stine1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programme\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: movie - XL.lnk = C:\Programme\movie - XL\StartJP.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{56A5CBB6-02B4-4323-BBC5-5C7958ED46C5}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2FEBBBC-1F75-48B9-BBF5-7BD7B8D893CB}: NameServer = 192.168.2.1
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Programme\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Programme\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Tor Win32 Service (tor) - Unknown owner - C:\Programme\Vidalia Bundle\Tor\tor.exe (file missing)

--
End of file - 4406 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
bho2gr Class - C:\Programme\GetRight\xx2gr.dll [2008-06-23 344336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Programme\Java\jre6\bin\ssv.dll [2008-12-04 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Programme\Java\jre6\bin\jp2ssv.dll [2008-12-04 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SW20"=C:\WINDOWS\System32\sw20.exe [2005-06-29 212992]
"SW24"=C:\WINDOWS\System32\sw24.exe [2005-07-04 69632]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-12-09 15691264]
"avgnt"=C:\Programme\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-06-10 13758464]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-06-10 86016]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Dokumente und Einstellungen\stine1\Startmenü\Programme\Autostart
movie - XL.lnk - C:\Programme\movie - XL\StartJP.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=B1000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"D:\utorrent16.exe"="D:\utorrent16.exe:*:Enabled:µTorrent"
"D:\BlueByte\Siedler3\s3.exe"="D:\BlueByte\Siedler3\s3.exe:*:Enabled:Siedler3"
"C:\Programme\Cleverlearn\Clicktionary\bin\Clicktionary.exe"="C:\Programme\Cleverlearn\Clicktionary\bin\Clicktionary.exe:*isabled:Clicktionary"
"D:\Die Siedler II - Die nächste Generation\bin\S2DNG.exe"="D:\Die Siedler II - Die nächste Generation\bin\S2DNG.exe:*:Enabled:S2DNG"
"C:\Programme\ICQ\Icq.exe"="C:\Programme\ICQ\Icq.exe:*:Enabled:ICQ"
"D:\World of Warcraft\BackgroundDownloader.exe"="D:\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\WoW-1.12.x-to-2.0.1-deDE-patch-downloader.exe"="D:\World of Warcraft\WoW-1.12.x-to-2.0.1-deDE-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\Anno\Anno1701.exe"="D:\Anno\Anno1701.exe:*:Enabled:Anno 1701"
"C:\Programme\BuddyW\BuddyW.exe"="C:\Programme\BuddyW\BuddyW.exe:*:Enabled:BuddyW"
"D:\World of Warcraft\WoW-2.0.3-deDE-downloader.exe"="D:\World of Warcraft\WoW-2.0.3-deDE-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\WoW-2.0.4.6314-to-2.0.5.6320-deDE-downloader.exe"="D:\World of Warcraft\WoW-2.0.4.6314-to-2.0.5.6320-deDE-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\WoW-2.0.3.6299-to-2.0.5.6320-deDE-downloader.exe"="D:\World of Warcraft\WoW-2.0.3.6299-to-2.0.5.6320-deDE-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\WoW-2.0.5.6320-to-2.0.6.6337-deDE-downloader.exe"="D:\World of Warcraft\WoW-2.0.5.6320-to-2.0.6.6337-deDE-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-deDE-downloader.exe"="D:\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-deDE-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-deDE-downloader.exe"="D:\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-deDE-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Programme\Sony\Station\LaunchPad\LaunchPad.exe"="C:\Programme\Sony\Station\LaunchPad\LaunchPad.exe:*:Enabled:LaunchPad"
"D:\Regnum Online\LiveServer\ROClientGame.exe"="D:\Regnum Online\LiveServer\ROClientGame.exe:*:Enabled:RegnumOnline"
"D:\Programme\Vampire city\Vampirecity.exe"="D:\Programme\Vampire city\Vampirecity.exe:*:Enabled:Vampirecity"
"D:\Der Herr de Ringe Online BETA\lotroclient.exe"="D:\Der Herr de Ringe Online BETA\lotroclient.exe:*:Enabled:lotroclient"
"D:\Der Herr de Ringe Online\HDRO\lotroclient.exe"="D:\Der Herr de Ringe Online\HDRO\lotroclient.exe:*:Enabled:lotroclient"
"C:\Dokumente und Einstellungen\stine1\Desktop\DnLDownloader.exe"="C:\Dokumente und Einstellungen\stine1\Desktop\DnLDownloader.exe:*:EnablednLDownloader"
"C:\Dokumente und Einstellungen\stine1\Desktop\WoW-deDE-Installer-downloader.exe"="C:\Dokumente und Einstellungen\stine1\Desktop\WoW-deDE-Installer-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\Der Herr de Ringe Online\lotroclient.exe"="D:\Der Herr de Ringe Online\lotroclient.exe:*:Enabled:lotroclient.exe"
"C:\Dokumente und Einstellungen\stine1\Desktop\CabalTemp\ESTdnheadless.exe"="C:\Dokumente und Einstellungen\stine1\Desktop\CabalTemp\ESTdnheadless.exe:*:Enabled:EST! download engine"
"D:\Programme\Minions of Mirth\bin\MinionsOfMirth.exe"="D:\Programme\Minions of Mirth\bin\MinionsOfMirth.exe:*:Enabled:MinionsOfMirth"
"D:\CABAL Online\launcher\update\ESTdnheadless.exe"="D:\CABAL Online\launcher\update\ESTdnheadless.exe:*:Enabled:EST! download engine"
"D:\World of Warcraft\WoW-2.0.12.6546-to-2.1.0.6692-deDE-downloader.exe"="D:\World of Warcraft\WoW-2.0.12.6546-to-2.1.0.6692-deDE-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Programme\RDS\PLDlnk.exe"="C:\Programme\RDS\PLDlnk.exe:*:Enabled:Ridoc Document System Auto Document Link Software."
"C:\Programme\Mozilla Firefox\firefox.exe"="C:\Programme\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Programme\mIRC\mirc.exe"="C:\Programme\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"H:\BlueByte\Siedler3\s3.exe"="H:\BlueByte\Siedler3\s3.exe:*:Enabled:Siedler3"
"C:\Programme\ICQLite\ICQLite.exe"="C:\Programme\ICQLite\ICQLite.exe:*:Enabled:ICQ Lite"
"D:\Catan-Insel\Catan.exe"="D:\Catan-Insel\Catan.exe:*:Enabled:Catan - Die erste Insel"
"C:\Programme\Xfire\xfire.exe"="C:\Programme\Xfire\xfire.exe:*:Enabled:Xfire"
"C:\Programme\Internet Explorer\iexplore.exe"="C:\Programme\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Programme\Joost\xulrunner\tvprunner.exe"="C:\Programme\Joost\xulrunner\tvprunner.exe:*:Enabled:tvprunner"
"C:\Programme\NetMeeting\conf.exe"="C:\Programme\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Programme\GVShare\GVShare.exe"="C:\Programme\GVShare\GVShare.exe:*:Enabled:Game Voice"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8-Server"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Eine DLL-Datei als Anwendung ausführen"
"H:\Programme\Metin2_UK\metin2.bin"="H:\Programme\Metin2_UK\metin2.bin:*:Enabled:metin2"
"C:\Dokumente und Einstellungen\stine1\Desktop\YuLeech-bbo_de_setup_0_21_exe.exe"="C:\Dokumente und Einstellungen\stine1\Desktop\YuLeech-bbo_de_setup_0_21_exe.exe:*:Enabled:YuLeech"
"C:\Dokumente und Einstellungen\stine1\Desktop\Papa\MiniRacingOnline\MiniRacingOnLine.exe"="C:\Dokumente und Einstellungen\stine1\Desktop\Papa\MiniRacingOnline\MiniRacingOnLine.exe:*:Enabled:MiniRacingOnLine"
"C:\Programme\Electronic Arts\EADM\Core.exe"="C:\Programme\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Programme\Tale of Tales\The Endless Forest 3\ForestViewer.exe"="C:\Programme\Tale of Tales\The Endless Forest 3\ForestViewer.exe:*isabled:ForestViewer"
"C:\Programme\uTorrent\uTorrent.exe"="C:\Programme\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"H:\YuLeech-StoneAge2_OB.exe"="H:\YuLeech-StoneAge2_OB.exe:*:Enabled:YuLeech"
"C:\Programme\Java\jre6\bin\javaw.exe"="C:\Programme\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Programme\Metaversum\Twinity\bin\Twinity.exe"="C:\Programme\Metaversum\Twinity\bin\Twinity.exe:*:Enabled:Twinity"
"C:\Dokumente und Einstellungen\stine1\Lokale Einstellungen\Anwendungsdaten\7Million\clientApp.exe"="C:\Dokumente und Einstellungen\stine1\Lokale Einstellungen\Anwendungsdaten\7Million\clientApp.exe:*:Enabled:7Million"
"C:\Dokumente und Einstellungen\stine1\Lokale Einstellungen\Temp\Blizzard Launcher Temporary - 16011a38\Launcher.exe"="C:\Dokumente und Einstellungen\stine1\Lokale Einstellungen\Temp\Blizzard Launcher Temporary - 16011a38\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Dokumente und Einstellungen\stine1\Desktop\YuLeech-RunesofMagic2_0_1_1821-de.exe"="C:\Dokumente und Einstellungen\stine1\Desktop\YuLeech-RunesofMagic2_0_1_1821-de.exe:*:Enabled:FOG Downloader"
"D:\World of Warcraft\Launcher.exe"="D:\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Programme\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"="C:\Programme\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player "
"C:\Programme\Zattoo\zattood.exe"="C:\Programme\Zattoo\zattood.exe:*:Enabled:zattood"
"C:\Programme\Zattoo\Zattoo2.exe"="C:\Programme\Zattoo\Zattoo2.exe:*:Enabled: "
"C:\Dokumente und Einstellungen\stine1\Lokale Einstellungen\Temp\7zSC.tmp\SymNRT.exe"="C:\Dokumente und Einstellungen\stine1\Lokale Einstellungen\Temp\7zSC.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool"
"C:\Dokumente und Einstellungen\stine1\Lokale Einstellungen\Temp\7zS26.tmp\SymNRT.exe"="C:\Dokumente und Einstellungen\stine1\Lokale Einstellungen\Temp\7zS26.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"D:\Programme\Minions of Mirth\bin\MinionsOfMirth.exe"="D:\Programme\Minions of Mirth\bin\MinionsOfMirth.exe:*:Enabled:MinionsOfMirth"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c89ebb0e-f1a0-11db-90ee-0013d4b7782a}]
shell\AutoRun\command - I:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-07-19 07:41:55 ----D---- C:\rsit
2009-07-18 08:18:23 ----D---- C:\Fotos & Dokumente
2009-07-17 06:31:53 ----D---- C:\Programme\SystemRequirementsLab
2009-07-17 06:14:20 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-07-16 08:35:45 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2009-07-15 13:48:05 ----A---- C:\test.txt
2009-07-15 13:33:20 ----A---- C:\WINDOWS\system32\GEARAspi.dll
2009-07-15 13:33:17 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-07-15 13:32:43 ----D---- C:\Programme\Gemeinsame Dateien\Symantec Shared
2009-07-15 13:32:16 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2009-07-15 13:32:15 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Norton
2009-07-15 13:30:55 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NortonInstaller
2009-07-15 12:36:55 ----N---- C:\WINDOWS\SchedLgU.Txt
2009-07-15 11:21:26 ----D---- C:\Programme\AVG
2009-07-15 11:21:25 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\avg8
2009-07-15 11:08:51 ----D---- C:\Programme\Trend Micro
2009-07-14 08:03:35 ----D---- C:\Programme\CCleaner
2009-07-11 08:40:02 ----D---- C:\Programme\Spybot - Search & Destroy
2009-07-11 08:38:09 ----D---- C:\Programme\Safer Networking
2009-07-09 14:46:24 ----D---- C:\WINDOWS\Prefetch
2009-07-09 12:09:08 ----N---- C:\WINDOWS\system32\smtpapi.dll
2009-07-09 12:09:08 ----N---- C:\WINDOWS\system32\rwnh.dll
2009-07-09 12:09:08 ----D---- C:\Programme\Messenger
2009-07-09 12:08:40 ----A---- C:\WINDOWS\000001_.tmp
2009-07-09 09:28:32 ----D---- C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\Messenger

======List of files/folders modified in the last 1 months======

2009-07-19 07:19:16 ----D---- C:\Programme\Mozilla Firefox
2009-07-19 07:16:33 ----D---- C:\WINDOWS
2009-07-19 07:16:18 ----D---- C:\WINDOWS\Temp
2009-07-19 07:16:18 ----D---- C:\WINDOWS\system32
2009-07-19 07:16:04 ----D---- C:\WINDOWS\system32\Lang
2009-07-19 07:16:03 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-18 22:57:58 ----D---- C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\uTorrent
2009-07-18 09:11:08 ----D---- C:\Programme\DivX
2009-07-18 09:10:51 ----D---- C:\Programme\Gemeinsame Dateien\DivX Shared
2009-07-18 09:10:48 ----SHD---- C:\WINDOWS\Installer
2009-07-18 06:06:00 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-17 16:32:46 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-07-17 06:45:49 ----D---- C:\WINDOWS\Help
2009-07-17 06:45:14 ----HD---- C:\WINDOWS\inf
2009-07-17 06:45:13 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-17 06:45:06 ----D---- C:\WINDOWS\system32\drivers
2009-07-17 06:45:05 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-17 06:40:32 ----D---- C:\NVIDIA
2009-07-17 06:39:33 ----D---- C:\WINDOWS\system32\de-de
2009-07-17 06:39:33 ----D---- C:\Programme\Internet Explorer
2009-07-17 06:36:14 ----D---- C:\WINDOWS\WBEM
2009-07-17 06:31:53 ----D---- C:\Programme
2009-07-17 06:17:08 ----D---- C:\WINDOWS\Media
2009-07-17 05:49:12 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-07-17 05:49:12 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2009-07-16 08:35:45 ----D---- C:\Programme\Avira
2009-07-16 08:35:15 ----D---- C:\WINDOWS\WinSxS
2009-07-16 08:16:32 ----SD---- C:\WINDOWS\Tasks
2009-07-16 08:05:43 ----N---- C:\boot.ini
2009-07-16 08:05:43 ----A---- C:\WINDOWS\win.ini
2009-07-16 08:05:43 ----A---- C:\WINDOWS\system.ini
2009-07-16 08:01:14 ----A---- C:\WINDOWS\wininit.ini
2009-07-16 07:54:08 ----SHD---- C:\System Volume Information
2009-07-15 13:32:43 ----D---- C:\Programme\Gemeinsame Dateien
2009-07-15 13:32:12 ----SD---- C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\Microsoft
2009-07-15 13:30:51 ----D---- C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\GetRightToGo
2009-07-15 11:59:15 ----D---- C:\WINDOWS\system32\LogFiles
2009-07-14 09:46:42 ----D---- C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\GetRight
2009-07-14 08:04:57 ----D---- C:\WINDOWS\Debug
2009-07-09 12:09:08 ----D---- C:\WINDOWS\system32\inetsrv
2009-07-09 12:09:07 ----D---- C:\WINDOWS\system32\oobe
2009-07-09 12:08:41 ----D---- C:\WINDOWS\security
2009-07-09 12:08:20 ----D---- C:\WINDOWS\EHome
2009-07-09 10:19:05 ----D---- C:\WINDOWS\Downloaded Installations
2009-07-05 16:05:42 ----D---- C:\Musik
2009-06-21 08:46:58 ----A---- C:\WINDOWS\system32\NVUNINST.EXE

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2007-10-03 33408]
R1 kbdhid;Tastatur-HID-Treiber; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14720]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 Tcpip6;Microsoft IPv6-Protokolltreiber; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2009-02-05 279712]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-03-24 55640]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2009-02-05 25888]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS-kompatibles Transportprotokoll; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-14 88320]
R2 NwlnkNb;NWLink-NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2001-08-18 63232]
R2 NwlnkSpx;NWLink SPX/SPXII-Protokoll; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2001-08-18 55936]
R2 rspndr;Antwort für Verbindungsschicht-Topologieerkennung; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-12-13 62336]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-01-15 23848]
R3 HDAudBus;Microsoft UAA-Bustreiber für High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class-Treiber; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-12-09 4123136]
R3 mouhid;Maus-HID-Treiber; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-18 12288]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-06-10 8087712]
R3 tunmp;Microsoft Tun-Miniportadaptertreiber; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-14 12288]
R3 ULI5261XP;ULi M526X Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672]
R3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2-aktivierter Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Miniporttreiber für Microsoft USB Open Host-Controller; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-14 17152]
S2 athbb;athbb; \??\C:\WINDOWS\system32\drivers\azuhdwfbf.sys []
S2 npkcrypt;npkcrypt; \??\d:\Nexon\Mabinogi\npkcrypt.sys []
S3 a1wrtztn;a1wrtztn; C:\WINDOWS\system32\drivers\a1wrtztn.sys []
S3 a3ltdaxf;a3ltdaxf; C:\WINDOWS\system32\drivers\a3ltdaxf.sys []
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS []
S3 CCDECODE;Untertiteldecoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 GMSIPCI;GMSIPCI; \??\F:\INSTALL\GMSIPCI.SYS []
S3 ms_mpu401;Microsoft MPU-401 MIDI UART-Treiber; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [2004-08-13 5810]
S3 NABTSFEC;NABTS/FEC VBI-Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV-/Videoverbindung; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 NPPTNT2;NPPTNT2; \??\C:\WINDOWS\system32\npptNT2.sys []
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2004-11-24 33408]
S3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2004-11-24 12928]
S3 OVT511Plus;TerraCAM USB/Pro; C:\WINDOWS\System32\Drivers\omcamvid.sys [2001-10-18 167816]
S3 Ser2pl;Prolific2 Serial port driver; C:\WINDOWS\system32\DRIVERS\ser2pl.sys [2003-12-01 43136]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA-IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 tbhsd;Tunebite High-Speed Dubbing; C:\WINDOWS\system32\drivers\tbhsd.sys [2006-06-21 15488]
S3 usbprint;Microsoft USB-Druckerklasse; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbstor;USB-Massenspeichertreiber; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 vaxscsi;vaxscsi; C:\WINDOWS\System32\Drivers\vaxscsi.sys []
S3 WSTCODEC;World Standard Teletext-Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 XDva020;XDva020; \??\C:\WINDOWS\system32\XDva020.sys []
S3 XTrapD12;XTrapD12; \??\C:\WINDOWS\system32\XTrapD12.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;Filtertreiber für Systemwiederherstellung; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6-Hilfsdienst; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Programme\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Programme\Avira\AntiVir Desktop\avguard.exe [2009-05-11 185089]
R2 nvsvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-06-10 168004]
S2 JavaQuickStarterService;Java Quick Starter; C:\Programme\Java\jre6\bin\jqs.exe -service -config C:\Programme\Java\jre6\lib\deploy\jqs\jqs.conf []
S2 StarWindServiceAE;StarWind AE Service; C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe []
S2 tor;Tor Win32 Service; C:\Programme\Vidalia Bundle\Tor\tor.exe --nt-service -f C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\Vidalia\torrc ControlPort 9051 []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Programme\NOS\bin\getPlus_HelperSvc.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 WMPNetworkSvc;Windows Media Player-Netzwerkfreigabedienst; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576]
S4 npkcmsvc;npkcmsvc; d:\Nexon\Mabinogi\npkcmsvc.exe []

-----------------EOF-----------------

 

[stine1]

Step 3, GMER:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-19 07:47:10
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8A2A5B60 ZwEnumerateKey
Code 8A280C18 ZwFlushInstructionCache
Code 8A2AE3FE IofCallDriver
Code 8A278A66 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE120 5 Bytes JMP 8A2AE403
.text ntkrnlpa.exe!IofCompleteRequest 804EE1B0 5 Bytes JMP 8A278A6B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABE38 5 Bytes JMP 8A280C1C
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AAC6 5 Bytes JMP 8A2A5B64
? C:\WINDOWS\system32\drivers\sptd.sys Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
.text USBPORT.SYS!DllUnload B74B68AC 5 Bytes JMP 8A57F1C8

---- User code sections - GMER 1.0.15 ----

.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[180] ntdll.dll!LdrLoadDll 7C9263A3 5 Bytes JMP 003F000A
.text C:\WINDOWS\RTHDCPL.EXE[768] ntdll.dll!LdrLoadDll 7C9263A3 5 Bytes JMP 003F000A
.text C:\Programme\Avira\AntiVir Desktop\avgnt.exe[780] ntdll.dll!LdrLoadDll 7C9263A3 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\RUNDLL32.EXE[804] ntdll.dll!LdrLoadDll 7C9263A3 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\winlogon.exe[824] ntdll.dll!LdrLoadDll 7C9263A3 5 Bytes JMP 0062000A
.text ...
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!HttpOpenRequestA 77192AF9 5 Bytes JMP 135082BC
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!InternetConnectA 77193452 5 Bytes JMP 13508164
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!InternetCloseHandle 77194D8C 5 Bytes JMP 13509A58
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!InternetOpenA 7719578E 5 Bytes JMP 13508114
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!HttpSendRequestA 771960A1 5 Bytes JMP 13508C5C
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!InternetReadFile 771982EA 5 Bytes JMP 13509858
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!InternetQueryDataAvailable 771A89F7 5 Bytes JMP 13509648
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!InternetReadFileExW 771C83F9 5 Bytes JMP 13509A08
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!InternetReadFileExA 771C9100 5 Bytes JMP 135099B8
.text C:\WINDOWS\Explorer.EXE[1832] WININET.dll!HttpSendRequestW 771E2EBC 5 Bytes JMP 13509058
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[2028] ntdll.dll!LdrLoadDll 7C9263A3 5 Bytes JMP 0098000A
.text C:\Programme\WinRAR\WinRAR.exe[3012] ntdll.dll!LdrLoadDll 7C9263A3 5 Bytes JMP 003C000A
.text C:\DOKUME~1\stine1\LOKALE~1\Temp\Rar$EX00.485\gmer.exe[3064] ntdll.dll!LdrLoadDll 7C9263A3 5 Bytes JMP 003A000A
.text C:\Programme\Mozilla Firefox\firefox.exe[4068] WS2_32.dll!gethostbyname 71A15355 5 Bytes JMP 1350A9AC

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EBF61E] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7CD1E8
Device \FileSystem\Fastfat \FatCdrom 89E571E8
Device \Driver\usbohci \Device\USBPDO-0 8A57E1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7621E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A7621E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7621E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7621E8
Device \Driver\usbohci \Device\USBPDO-1 8A57E1E8
Device \Driver\usbohci \Device\USBPDO-2 8A57E1E8
Device \Driver\usbehci \Device\USBPDO-3 8A55C5D0
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7CF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A7CF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A7CF1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A211790
Device \Driver\NetBT \Device\NetbiosSmb 8A211790
Device \Driver\NetBT \Device\NetBT_Tcpip_{D2FEBBBC-1F75-48B9-BBF5-7BD7B8D893CB} 8A211790
Device \Driver\usbohci \Device\USBFDO-0 8A57E1E8
Device \Driver\usbohci \Device\USBFDO-1 8A57E1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A36E1E8
Device \Driver\usbohci \Device\USBFDO-2 8A57E1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A36E1E8
Device \Driver\usbehci \Device\USBFDO-3 8A55C5D0
Device \Driver\Ftdisk \Device\FtControl 8A7CF1E8
Device \FileSystem\Fastfat \Fat 89E571E8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A4FA790
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\Programme\Avira\AntiVir Desktop\avguard.exe [180] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\RTHDCPL.EXE [768] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\Programme\Avira\AntiVir Desktop\avgnt.exe [780] 0x003F0000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\system32\RUNDLL32.EXE [804] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [824] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [868] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [880] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [904] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [1056] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1084] 0x02650000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1192] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1300] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1344] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1668] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1716] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1832] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1920] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\Programme\Avira\AntiVir Desktop\sched.exe [2028] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2476] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\Programme\WinRAR\WinRAR.exe [3012] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\DOKUME~1\stine1\LOKALE~1\Temp\Rar$EX00.485\gmer.exe [3064] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruigvmuwpdx.dll (*** hidden *** ) @ C:\Programme\Mozilla Firefox\firefox.exe [4068] 0x10000000

---- EOF - GMER 1.0.15 ----

 

[katana]

----------------------------------------------------------------------------------------
Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
• If requested, please reboot
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------------------
Step 2


Download and Run ComboFix (by sUBs)

Please download Commbofix from HERE

• You must download it to and run it from your Desktop
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply
• Re-enable all the programs that were disabled during the running of ComboFix..

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
For a full tutorial on using Combofix, please see this topic
Bleeping Computer ComboFix Tutorial

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

• MalwareBytes Log
• Combofix Log
• How are things running now ?

 

[stine1]

Result of step 1:

Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2462
Windows 5.1.2600 Service Pack 3

19.07.2009 13:05:21
mbam-log-2009-07-19 (13-05-17).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|H:\|)
Durchsuchte Objekte: 125947
Laufzeit: 18 minute(s), 34 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 8
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 3
Infizierte Verzeichnisse: 3
Infizierte Dateien: 4

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\Interface\{bbcc290a-5e32-4e54-80db-f0f3f3892444} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{e3a14032-f6fc-426d-a024-bead613d5db3} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{d8c0508c-e235-4d9e-a27e-c8bb5f527dc9} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5948a52a-ba3a-49a8-bcaf-d578502bda9d} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000162-9980-0010-8000-00aa00389b71} (Rogue.WinAntiVirus) -> No action taken.
HKEY_CLASSES_ROOT\AppID\MessengerUpdateProject.dll (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> No action taken.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Infizierte Verzeichnisse:
C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\Messenger\Drivers (Trojan.Agent.M) -> No action taken.
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\Aud32 (Trojan.Agent.M) -> No action taken.
C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\Messenger\Sys (Trojan.Agent.M) -> No action taken.

Infizierte Dateien:
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\Aud32\msgutil83.dll (Adware.Agent) -> No action taken.
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\conf.sys (Trojan.Agent.M) -> No action taken.
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\pub.dll (Trojan.Agent.M) -> No action taken.
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\serial.sys (Trojan.Agent.M) -> No action taken.

 

[stine1]

After deleting:

Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2462
Windows 5.1.2600 Service Pack 3

19.07.2009 13:07:01
mbam-log-2009-07-19 (13-07-01).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|H:\|)
Durchsuchte Objekte: 125947
Laufzeit: 18 minute(s), 34 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 8
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 3
Infizierte Verzeichnisse: 3
Infizierte Dateien: 4

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\Interface\{bbcc290a-5e32-4e54-80db-f0f3f3892444} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e3a14032-f6fc-426d-a024-bead613d5db3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d8c0508c-e235-4d9e-a27e-c8bb5f527dc9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5948a52a-ba3a-49a8-bcaf-d578502bda9d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000162-9980-0010-8000-00aa00389b71} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\MessengerUpdateProject.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\Messenger\Drivers (Trojan.Agent.M) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\Aud32 (Trojan.Agent.M) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\stine1\Anwendungsdaten\Messenger\Sys (Trojan.Agent.M) -> Quarantined and deleted successfully.

Infizierte Dateien:
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\Aud32\msgutil83.dll (Adware.Agent) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\conf.sys (Trojan.Agent.M) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\pub.dll (Trojan.Agent.M) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\stine1\anwendungsdaten\messenger\Drivers\serial.sys (Trojan.Agent.M) -> Quarantined and deleted successfully.

 

[stine1]

ComboFix log:

ComboFix 09-07-14.08 - stine1 19.07.2009 13:21.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2047.1740 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\stine1\Desktop\Combo-Fix.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
c:\windows\system32\drivers\hjgruiiordqjoy.sys
c:\windows\system32\hjgruigvmuwpdx.dll
c:\windows\system32\hjgruilvqqfwpw.dat
c:\windows\system32\hjgruiurwuxbrx.dll
c:\windows\system32\hjgruiyjtkqmjw.dat

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiimrmpxgs


((((((((((((((((((((((( Dateien erstellt von 2009-06-19 bis 2009-07-19 ))))))))))))))))))))))))))))))
.

2009-07-19 10:45 . 2009-07-19 10:45 -------- d-----w- c:\dokumente und einstellungen\stine1\Anwendungsdaten\Malwarebytes
2009-07-19 10:45 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 10:45 . 2009-07-19 10:45 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2009-07-19 10:45 . 2009-07-19 10:45 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-07-19 10:45 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 05:41 . 2009-07-19 05:42 -------- d-----w- C:\rsit
2009-07-18 06:18 . 2009-07-18 07:02 -------- d-----w- C:\Fotos & Dokumente
2009-07-17 04:31 . 2009-07-17 04:31 -------- d-----w- c:\programme\SystemRequirementsLab
2009-07-17 04:30 . 2009-07-17 04:30 -------- d-sh--w- c:\dokumente und einstellungen\stine1\PrivacIE
2009-07-17 04:22 . 2009-07-17 04:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-17 04:21 . 2009-07-17 04:21 -------- d-sh--w- c:\dokumente und einstellungen\stine1\IETldCache
2009-07-17 04:14 . 2008-04-14 05:52 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-07-15 11:48 . 2009-07-15 11:48 -------- d-----w- c:\dokumente und einstellungen\stine1\Lokale Einstellungen\Anwendungsdaten\Symantec
2009-07-15 11:33 . 2009-01-15 10:19 23848 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-15 11:33 . 2008-04-17 10:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-15 11:33 . 2009-07-15 11:33 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-07-15 11:33 . 2009-07-15 11:33 -------- d-----w- c:\dokumente und einstellungen\stine1\Lokale Einstellungen\Anwendungsdaten\Downloaded Installations
2009-07-15 11:32 . 2009-07-16 06:06 -------- d-----w- c:\programme\Gemeinsame Dateien\Symantec Shared
2009-07-15 11:32 . 2009-07-16 05:52 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Symantec
2009-07-15 11:32 . 2009-07-16 05:52 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Norton
2009-07-15 11:30 . 2009-07-15 11:30 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\NortonInstaller
2009-07-15 09:21 . 2009-07-15 09:21 -------- d-----w- c:\programme\AVG
2009-07-15 09:21 . 2009-07-15 11:32 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\avg8
2009-07-15 09:08 . 2009-07-15 09:08 -------- d-----w- c:\programme\Trend Micro
2009-07-14 07:35 . 2009-07-15 12:24 -------- d-----w- c:\dokumente und einstellungen\stine1\Lokale Einstellungen\Anwendungsdaten\SAdK
2009-07-14 06:03 . 2009-07-14 06:03 -------- d-----w- c:\programme\CCleaner
2009-07-11 11:16 . 2009-07-11 11:18 -------- d-----w- c:\dokumente und einstellungen\stine1\Lokale Einstellungen\Anwendungsdaten\ZattooPlayer
2009-07-11 11:16 . 2009-07-11 11:18 -------- d-----w- c:\dokumente und einstellungen\stine1\Lokale Einstellungen\Anwendungsdaten\Zattoo
2009-07-11 06:40 . 2009-07-11 06:40 -------- d-----w- c:\programme\Spybot - Search & Destroy
2009-07-11 06:38 . 2009-07-11 06:38 -------- d-----w- c:\programme\Safer Networking
2009-07-09 10:09 . 2008-04-14 05:52 10752 ------w- c:\windows\system32\smtpapi.dll
2009-07-09 10:09 . 2008-04-14 05:52 9728 ------w- c:\windows\system32\rwnh.dll
2009-07-09 07:28 . 2009-07-19 11:07 -------- d-----w- c:\dokumente und einstellungen\stine1\Anwendungsdaten\Messenger
2009-07-06 07:17 . 2009-07-06 07:17 -------- d-----w- c:\dokumente und einstellungen\stine1\Lokale Einstellungen\Anwendungsdaten\Identities

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 11:20 . 2008-05-31 10:32 -------- d-----w- c:\programme\Avira
2009-07-19 11:07 . 2008-09-20 09:13 169936 ----a-w- c:\dokumente und einstellungen\stine1\Anwendungsdaten\Mozilla\Firefox\Profiles\lgm0avyx.default\FlashGot.exe
2009-07-19 10:44 . 2006-08-04 14:58 -------- d-----w- c:\dokumente und einstellungen\stine1\Anwendungsdaten\uTorrent
2009-07-18 07:11 . 2006-09-01 16:16 -------- d-----w- c:\programme\DivX
2009-07-18 07:10 . 2009-05-25 16:45 -------- d-----w- c:\programme\Gemeinsame Dateien\DivX Shared
2009-07-17 14:32 . 2006-08-04 15:14 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-07-17 03:49 . 2007-07-02 08:08 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Lavasoft
2009-07-15 11:30 . 2008-10-05 15:29 -------- d-----w- c:\dokumente und einstellungen\stine1\Anwendungsdaten\GetRightToGo
2009-07-14 07:46 . 2008-09-20 07:31 -------- d-----w- c:\dokumente und einstellungen\stine1\Anwendungsdaten\GetRight
2009-06-21 06:46 . 2008-02-24 17:09 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-13 05:53 . 2006-08-05 10:14 73800 ----a-w- c:\dokumente und einstellungen\stine1\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-06-10 06:28 . 2009-06-10 06:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 06:28 . 2009-06-10 06:28 5890048 ----a-w- c:\windows\system32\nvdispsr.dll
2009-06-10 06:28 . 2009-06-10 06:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 06:28 . 2009-06-10 06:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 06:28 . 2009-06-10 06:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 06:28 . 2009-06-10 06:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 06:28 . 2009-06-10 06:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 06:28 . 2009-06-10 06:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 04:03 . 2009-06-10 04:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 04:03 . 2009-06-10 04:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 04:03 . 2009-06-10 04:03 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 04:03 . 2009-06-10 04:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 04:03 . 2009-06-10 04:03 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-10 04:03 . 2009-06-10 04:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 04:03 . 2009-06-10 04:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 04:03 . 2009-06-10 04:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 04:03 . 2009-06-10 04:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 04:03 . 2009-06-10 04:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 04:03 . 2008-02-24 17:10 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-05-24 14:20 . 2001-08-18 19:00 75194 ----a-w- c:\windows\system32\perfc007.dat
2009-05-24 14:20 . 2001-08-18 19:00 415800 ----a-w- c:\windows\system32\perfh007.dat
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-06-13 07:54 . 2008-08-30 11:58 134648 ----a-w- c:\programme\mozilla firefox\components\brwsrcmp.dll
2006-05-06 16:42 . 2006-11-16 12:42 7260160 -c--a-w- c:\programme\mozilla firefox\plugins\libvlc.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="c:\windows\System32\sw20.exe" [2005-06-29 212992]
"SW24"="c:\windows\System32\sw24.exe" [2005-07-04 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\stine1\Startmen\Programme\Autostart\
movie - XL.lnk - c:\programme\movie - XL\StartJP.exe [2002-7-29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\World of Warcraft\\BackgroundDownloader.exe"=
"d:\\World of Warcraft\\WoW-2.0.12.6546-to-2.1.0.6692-deDE-downloader.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Programme\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"c:\\Programme\\Java\\jre6\\bin\\javaw.exe"=
"d:\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [10.04.2009 12:14 28672]
S2 athbb;athbb;\??\c:\windows\system32\drivers\azuhdwfbf.sys --> c:\windows\system32\drivers\azuhdwfbf.sys [?]
S2 tor;Tor Win32 Service;"c:\programme\Vidalia Bundle\Tor\tor.exe" --nt-service -f "c:\dokumente und einstellungen\stine1\Anwendungsdaten\Vidalia\torrc" ControlPort 9051 --> c:\programme\Vidalia Bundle\Tor\tor.exe [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\programme\NOS\bin\getPlus_HelperSvc.exe --> c:\programme\NOS\bin\getPlus_HelperSvc.exe [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
.
Inhalt des "geplante Tasks" Ordners
.
.
------- Zusätzlicher Suchlauf -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {56A5CBB6-02B4-4323-BBC5-5C7958ED46C5} = 192.168.2.1
TCP: {D2FEBBBC-1F75-48B9-BBF5-7BD7B8D893CB} = 192.168.2.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\dokumente und einstellungen\stine1\Anwendungsdaten\Mozilla\Firefox\Profiles\lgm0avyx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.klamm.de/partner/velerion.php
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\programme\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 13:24
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2009-07-19 13:26
ComboFix-quarantined-files.txt 2009-07-19 11:26

Vor Suchlauf: 15 Verzeichnis(se), 48.882.032.640 Bytes frei
Nach Suchlauf: 15 Verzeichnis(se), 48.934.592.512 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
181

 

[stine1]

Result:

RootAlyzer is all green again.

I really hope that's it. Should I do some scans again just to be sure?


Thank you in advance!

 

[katana]

1) I really hope that's it.
2) Should I do some scans again just to be sure?

1) very nearly
2) Just a couple ..

Please post a fresh HJT log along with the following.

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

 

[stine1]

log 1:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:56:49, on 19.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Java\jre6\bin\java.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programme\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: movie - XL.lnk = C:\Programme\movie - XL\StartJP.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{56A5CBB6-02B4-4323-BBC5-5C7958ED46C5}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2FEBBBC-1F75-48B9-BBF5-7BD7B8D893CB}: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Programme\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Programme\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Tor Win32 Service (tor) - Unknown owner - C:\Programme\Vidalia Bundle\Tor\tor.exe (file missing)

--
End of file - 4851 bytes



and after 4 hours of scanning: log 2:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, July 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 19, 2009 17:26:58
Records in database: 2495153
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
H:\

Scan statistics:
Files scanned: 44221
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 04:11:46

No malware has been detected. The scan area is clean.

The selected area was scanned.

 

[katana]

OTMoveIt
Please download OTM by OldTimer and save it to your desktop

• Double-click OTM.exe to run it.
• Copy the lines in the codebox below. ( Make sure you include rocesses )

:Processes
:Services
athbb
:Files
c:\windows\system32\drivers\azuhdwfbf.sys
:Commands
[Purity]
[EmptyTemp]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

• - Close ALL open windows (especially Internet Explorer!)-
• Click the red Moveit! button.
• Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


----------------------------------------------------------------------------------------
Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up



Uninstall Combofix

• This will clear your System Volume Information restore points and remove all the infected files that were quarantined
• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • 

Uninstall OTMoveIt (OTM.exe)

• Open OTMoveIt Click Cleanup,
• When a box pops up click YES.

You can also delete any logs we have produced, and empty your Recycle bin.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

• 
  AntiSpyware is not the same thing as Antivirus.
  Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
  You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
  Most of the programs in this list have a free (for Home Users ) and paid versions,
  it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
• Spybot - Search & Destroy <<< A must have program
  • It includes host protection and registry protection
  • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
• MalwareBytes Anti-malware <<< A New and effective program
• a-squared Free <<< A good "realtime" or "on demand" scanner
• superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

• 
  These programs don't detect malware, they help stop it getting on your machine in the first place.
  Each does a different job, so you can have more than one
• Winpatrol
  • An excellent startup manager and then some !!
  • Notifies you if programs are added to startup
  • Allows delayed startup
  • A must have addition
• SpywareBlaster 4.0
  • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
• SpywareGuard 2.2
  • SpywareGuard provides real-time protection against spyware.
  • Not required if you have other "realtime" antispyware or Winpatrol
• ZonedOut
  • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
• MVPS HOSTS
  • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
  • For information on how to download and install, please read this tutorial by WinHelp2002.
  • Not required if you are using other host file protections

Internet Browsers

• 
  Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
  Using a different web browser can help stop malware getting on your machine.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
       • Change the Download signed ActiveX controls to Prompt
       • Change the Download unsigned ActiveX controls to Disable
       • Change the Initialise and script ActiveX controls not marked as safe to Disable
       • Change the Installation of desktop items to Prompt
       • Change the Launching programs and files in an IFRAME to Prompt
       • Change the Navigate sub-frames across different domains to Prompt
       • When all these settings have been made, click on the OK button.
       • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  If you are still using IE6 then either update, or get one of the following.
  • FireFox
    • With many addons available that make customization easy this is a very popular choice
    • NoScript and AdBlockPlus addons are essential
  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

• 
  Temporary Internet Files are mainly the files that are downloaded when you open a web page.
  Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
  It is a good idea to empty the Temporary Internet Files folder on a regular basis.
  
  Tracking Cookies are files that websites use to monitor which sites you visit and how often.
  A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
  CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
  
  Both of these can be cleaned manually, but a quicker option is to use a program
• ATF Cleaner
  • Free and very simple to use
• CCleaner
  • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

 

[stine1]

Everything is ok now. Thank you very much.

This is worth a little donation for Spybot!

Luv you :bigthumb:

 

[katana]

This is worth a little donation for Spybot!

:thanks::bigthumb: