Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads: Resolved spyware and popup issues.

Post #1, 02-03-2009, 07:50 AM, by markus.roega (Registered User; Join Date: Apr 2008; Location: austria; Posts: 23; OS: windows vista 32-bit home edition)

virus or malware removal led to a disabled xp firewall - is there some virus left??

Hello everyone!
(using Windows XP Home Edition Service Pack 2, updated it now to Service Pack 3)

I have a huge problem and I'll explain from the beginning:
My family has a family computer which is connected to the internet and was starting to run slower and slower. Thus I uninstalled F-Secure Antivirus and installed and updated Avira AntiVir. I ran a full system check where 88 (!!!!) viruses were detected and removed. 4 unknown programs, named HEUR/Crypted, were removed to quarantine, where I left them.

(I know, 88 viruses is horrible, but no one in my family knows anything about computers and as I am not always at home, I only do checks once a month or so... also my siblings are really careless concerning what they open on the web, but they DO NOT download by file sharing or P2P...)

So, I also downloaded Malwarebytes Anti-Malware and it also found 41 threats, which I ticked to delete.

Then the problems really began: I restarted the computer and it did a whole system check which lasted for about 2 hours (!!). Afterwards, the desktop only loaded the wallpaper but nothing else. When opening the task manager, I observed that the system was running idle for 99% of the system activity (sorry, I don't know if this is the correct word).

After some time it loaded anyway and I got the notice that the firewall was not activated. I tried to activate it via the Windows Security Center, but then it told me that the Windows Firewall/Internet Connection Sharing service was not active.
I googled a lot and tried to re-activate this service; I also tried to reset Winsock and to use cmd with netsh reset and stuff, but it never worked. All I got was that some init helper dll exe does not work (error 10093) and that WSAStartup could not be performed.

I really don't know why this is and I tried to update XP SP2 to SP3 to repair it, but this did not help either. Also a system recovery point did not help.
Now I really want to avoid losing all installed programs and I still think there might be some virus around, thus I hope someone can help me fix this problem.

Thank you very much in advance!!!!


dds.txt:


DDS (Ver_09-01-07.01) - FAT32x86
Run by markus.roega at 15:24:53,07 on 03.02.2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.255.73 [GMT 1:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\TBPanel.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\0190WA~1\WARN0190.EXE
C:\Programme\aon\aonMessageCenter\aonMessageCenter.exe
C:\Programme\Java\jre1.6.0_01\bin\jusched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\aon\aonUpdate\aonUpdate.exe
C:\Programme\iPod\bin\iPodService.exe
F:\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.at/
uSearch Page = hxxp://search.aon.at
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Internetexplorer von Vorarlberg Online
mWindow Title = Internetexplorer von Vorarlberg Online
uInternet Settings,ProxyServer = ftp=proxy.aon.at:8080;http=proxy.aon.at:8080
uInternet Settings,ProxyOverride = *.aon.at;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programme\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\googletoolbar3.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [aonUpdate] c:\programme\aon\aonupdate\aonUpdate.exe /tray
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [OEM-Reset]
mRun: [Microsoft Works Portfolio] c:\programme\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\programme\microsoft works\WkDetect.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [SoundMan] soundman.exe
mRun: [Gainward] c:\windows\TBPanel.exe /A
mRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
mRun: [Share-to-Web Namespace Daemon] c:\programme\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [windows auto update] msblast.exe
mRun: [0190 Warner] c:\progra~1\0190wa~1\WARN0190.EXE
mRun: [REGSHAVE] c:\programme\regshave\REGSHAVE.EXE /AUTORUN
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [1aonmessagecenter] c:\programme\aon\aonmessagecenter\aonMessageCenter.exe
mRun: [SunJavaUpdateSched] "c:\programme\java\jre1.6.0_01\bin\jusched.exe"
mRun: [iTunesHelper] "c:\programme\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\programme\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Windows Service] winsvc.exe
dRun: [Microsoft Update] msconfg.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\micros~1.lnk - c:\programme\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\programme\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\programme\java\jre1.6.0_01\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\programme\bonjour\ExplorerPlugin.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\programme\gemeinsame dateien\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: ComPlusSetup - c:\windows\system32\catsrvut.dll

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\marku~1.roe\anwend~1\mozilla\firefox\profiles\2ttte511.default\
FF - plugin: c:\dokumente und einstellungen\markus.roega\anwendungsdaten\mozilla\firefox\profiles\2ttte511.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir personaledition classic\avgio.sys [2009-2-1 11840]
R3 avgntflt;avgntflt;c:\programme\avira\antivir personaledition classic\avgntflt.sys [2009-2-1 52032]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Planer;c:\programme\avira\antivir personaledition classic\sched.exe [2009-2-1 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\programme\avira\antivir personaledition classic\avguard.exe [2009-2-1 151297]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2005-1-6 38604]
S3 Ndisusb;GeneLink Network Driver;c:\windows\system32\drivers\genelan.sys [2004-5-21 11328]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [2001-9-10 27904]
S3 viafilter;VIA USB Filter;c:\windows\system32\drivers\viausb.sys [2002-2-19 9038]
S3 Winacusb;Winacusb;c:\windows\system32\drivers\winacusb.sys [2004-6-1 956890]
S4 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys --> c:\windows\system32\drivers\slnt7554.sys [?]
S4 WksPatch;Remote Event Client;c:\windows\system32\drivers\svchost.exe --> c:\windows\system32\drivers\svchost.exe [?]

=============== Created Last 30 ================

2009-02-03 13:32 74,240 a------- c:\windows\system32\dllcache\w3ext.dll
2009-02-03 13:13 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-02-03 13:11 229,439 a------- c:\windows\system32\dllcache\multibox.dll
2009-02-03 13:10 13,463,552 a------- c:\windows\system32\dllcache\hwxjpn.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0804.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0412.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0411.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt040d.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0404.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0401.dll
2009-02-03 13:06 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-02-03 13:06 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-02-03 13:06 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-03 13:06 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-02-03 13:06 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-02-03 13:06 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-02-03 13:05 16,384 a------- c:\windows\system32\dllcache\isignup.exe
2009-02-03 13:05 7,168 a------- c:\windows\system32\dllcache\bitsprx4.dll
2009-02-03 13:05 7,168 a------- c:\windows\system32\bitsprx4.dll
2009-02-03 13:03 290,304 a------- c:\windows\system32\rhttpaa.dll
2009-02-03 13:03 290,304 a------- c:\windows\system32\dllcache\rhttpaa.dll
2009-02-03 13:03 136,192 a------- c:\windows\system32\dllcache\aaclient.dll
2009-02-03 13:03 136,192 a------- c:\windows\system32\aaclient.dll
2009-02-03 13:03 53,248 a------- c:\windows\system32\tsgqec.dll
2009-02-03 13:03 53,248 a------- c:\windows\system32\dllcache\tsgqec.dll
2009-02-03 13:03 370,176 a------- c:\windows\system32\dllcache\wmic.exe
2009-02-03 13:03 92,672 a------- c:\windows\system32\dllcache\policman.dll
2009-02-03 13:00 20,992 a------- c:\windows\system32\drivers\RTL8139.sys
2009-02-03 12:58 4,444 a------- c:\windows\system32\pid.PNF
2009-02-03 12:49 <DIR> --d----- c:\windows\system32\de-de
2009-02-03 12:49 <DIR> --d----- c:\windows\system32\de
2009-02-03 12:49 <DIR> --d----- c:\windows\Network Diagnostic
2009-02-03 12:49 <DIR> --d----- c:\windows\L2Schemas
2009-02-03 12:49 <DIR> --d----- c:\windows\ehome
2009-02-01 20:02 <DIR> --d----- c:\dokume~1\marku~1.roe\anwend~1\Malwarebytes
2009-02-01 20:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-01 20:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-01 20:01 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2009-02-01 20:01 <DIR> --d----- c:\programme\Malwarebytes' Anti-Malware
2009-02-01 16:21 <DIR> --d----- c:\programme\Avira
2009-02-01 16:21 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Avira
2009-01-25 13:36 116 a------- c:\windows\wininit.ini
2009-01-17 09:51 <DIR> --dsh--- C:\FOUND.152

==================== Find3M ====================

2009-02-03 15:16 196 a------- c:\windows\system32\drivers\ALCICH.DAT
2009-02-03 13:37 381,298 a------- c:\windows\system32\perfh007.dat
2009-02-03 13:37 69,262 a------- c:\windows\system32\perfc007.dat
2009-02-03 13:07 86,665 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-03 13:04 22,940 a------- c:\windows\system32\emptyregdb.dat
2008-04-14 13:29 45,632 a------- c:\dokume~1\marku~1.roe\anwend~1\GDIPFONTCACHEV1.DAT
2008-03-23 14:57 32 a------- c:\dokume~1\alluse~1\anwend~1\ezsid.dat
2004-04-19 15:06 96,256 a--sh--- c:\programme\Thumbs.db

============= FINISH: 15:25:30,85 ===============
Attached Files: Attach.zip (2.2 KB)

Post #2, 02-05-2009, 02:58 PM, by markus.roega (Registered User; Join Date: Apr 2008; Location: austria; Posts: 23; OS: windows vista 32-bit home edition)

Re: virus or malware removal led to a disabled xp firewall - is there some virus left??

*bump this thread* please!!!! :'-(
Post #3, 02-07-2009, 11:17 AM, by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,995; OS: WinXP and Vista)

Re: virus or malware removal led to a disabled xp firewall - is there some virus left??

Hello markus.roega,

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Post #4, 02-08-2009, 05:56 AM, by markus.roega (Registered User; Join Date: Apr 2008; Location: austria; Posts: 23; OS: windows vista 32-bit home edition)

Re: virus or malware removal led to a disabled xp firewall - is there some virus left??

Thank you so much for helping. I will not be within reach of internet access or the broken-down computer for the next two days, but I will follow your instructions as soon as I am back home (Tuesday or Wednesday).
I will post the ComboFix.txt then.

THANK YOU!! :-)
Post #5, 02-08-2009, 10:39 AM, by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,995; OS: WinXP and Vista)

Re: virus or malware removal led to a disabled xp firewall - is there some virus left??

That will be fine, markus.roega. I'll remain subscribed and await your logs.
Post #6, 02-10-2009, 09:44 AM, by markus.roega (Registered User; Join Date: Apr 2008; Location: austria; Posts: 23; OS: windows vista 32-bit home edition)

Re: virus or malware removal led to a disabled xp firewall - is there some virus left??

Hello Ried!

Thank you for your patience. I was able to run ComboFix and I hope you can use the log file; to me it seems rather cryptic.

And I am sorry that the ComboFix log includes German parts. It seems to me that the download was a German program because I am in Germany, so if there are any problems, I could try to translate the German parts.


ComboFix 09-02-08.02 - markus.roega 2009-02-10 17:21:24.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.255.97 [GMT 1:00]
ausgeführt von:: F:\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokume~1\marku~1.HAM\LOKALE~1\Temp\tmp2.tmp
c:\programme\comet systems
c:\windows\NDNuninstall5_64.exe
c:\windows\NDNuninstall6_10.exe
c:\windows\NDNuninstall6_22.exe
c:\windows\NDNuninstall6_30.exe
c:\windows\NDNuninstall6_38.exe
c:\windows\NDNuninstall6_90.exe
c:\windows\NDNuninstall6_98.exe
c:\windows\NDNuninstall7_14.exe
c:\windows\NDNuninstall7_22.exe
c:\windows\pi.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\Cache
c:\windows\system32\P2P Networking
c:\windows\system32\P2P Networking\MARSHAL21.DLL
c:\windows\system32\P2P Networking\MARSHAL22.DLL
c:\windows\system32\P2P Networking\MARSHAL23.DLL
c:\windows\system32\P2P Networking\MARSHAL24.DLL
c:\windows\system32\P2P Networking\MARSHAL25.DLL
c:\windows\system32\P2P Networking\MARSHAL26.DLL
c:\windows\system32\P2P Networking\P2P Networking21.eng
c:\windows\system32\P2P Networking\P2P Networking22.ENG
c:\windows\system32\P2P Networking\P2P Networking23.ENG
c:\windows\system32\P2P Networking\P2P Networking24.ENG
c:\windows\system32\P2P Networking\P2P Networking25.ENG
c:\windows\system32\P2P Networking\P2P Networking26.ENG

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WKSPATCH
-------\Service_WksPatch


((((((((((((((((((((((( Dateien erstellt von 2009-01-10 bis 2009-02-10 ))))))))))))))))))))))))))))))
.

2022-03-04 08:52 . 2022-03-04 08:52 1,080 --a------ c:\windows\gramit32.cfg
2022-03-01 13:16 . 2022-03-01 13:16 <DIR> d-------- c:\dokumente und einstellungen\roega roega\WINDOWS
2022-03-01 13:14 . 2001-09-10 12:04 <DIR> d--h----- c:\dokumente und einstellungen\roega roega\Vorlagen
2022-03-01 13:14 . 2001-09-10 12:04 <DIR> dr------- c:\dokumente und einstellungen\roega roega\Startmenü
2022-03-01 13:14 . 2001-09-10 12:04 <DIR> d--h----- c:\dokumente und einstellungen\roega roega\Netzwerkumgebung
2022-03-01 13:14 . 2001-09-10 12:04 <DIR> d--h----- c:\dokumente und einstellungen\roega roega\Lokale Einstellungen
2022-03-01 13:14 . 2009-02-03 17:21 <DIR> dr------- c:\dokumente und einstellungen\roega roega\Favoriten
2022-03-01 13:14 . 2009-02-03 17:21 <DIR> dr------- c:\dokumente und einstellungen\roega roega\Eigene Dateien
2022-03-01 13:14 . 2001-09-10 12:04 <DIR> d--h----- c:\dokumente und einstellungen\roega roega\Druckumgebung
2022-03-01 13:14 . 2001-09-10 12:04 <DIR> dr-h----- c:\dokumente und einstellungen\roega roega\Anwendungsdaten
2022-02-28 16:11 . 2002-01-15 13:43 <DIR> d-------- c:\dokumente und einstellungen\markus.roega\Anwendungsdaten\InterTrust
2022-02-26 16:33 . 2022-02-26 16:33 <DIR> d-------- C:\TIVOLA
2022-02-24 14:56 . 2022-02-24 14:56 <DIR> d-------- C:\Program Files
2022-02-24 14:17 . 2022-03-05 14:00 1,048 --a------ c:\windows\disney.ini
2022-02-24 13:42 . 2006-12-21 17:41 306 --a------ c:\windows\QTW.INI
2022-02-24 13:38 . 2022-02-24 13:38 <DIR> d-------- C:\RV_DEMO
2022-02-24 13:38 . 2003-07-13 17:17 8,628 --ah----- c:\windows\Playenu.gid
2022-02-24 13:38 . 2003-12-06 12:30 763 --a------ c:\windows\Winini.qtw
2022-02-24 13:38 . 2022-02-24 13:38 23 --a------ c:\windows\SYS.INI
2009-02-03 15:28 . 2009-02-03 15:28 250 --a------ c:\windows\gmer.ini
2009-02-03 13:32 . 2009-02-03 13:32 <DIR> d-------- C:\Inetpub
2009-02-03 13:13 . 2001-08-23 13:00 28,288 --a------ c:\windows\system32\dllcache\xjis.nls
2009-02-03 13:11 . 2001-08-23 13:00 10,129,408 --a------ c:\windows\system32\dllcache\hwxkor.dll
2009-02-03 13:10 . 2008-04-14 06:50 13,463,552 --a------ c:\windows\system32\dllcache\hwxjpn.dll
2009-02-03 13:09 . 2007-04-02 22:56 19,456 --a------ c:\windows\system32\dllcache\agt0804.dll
2009-02-03 13:09 . 2007-04-02 22:56 19,456 --a------ c:\windows\system32\dllcache\agt0412.dll
2009-02-03 13:09 . 2007-04-02 22:56 19,456 --a------ c:\windows\system32\dllcache\agt0411.dll
2009-02-03 13:09 . 2007-04-02 22:56 19,456 --a------ c:\windows\system32\dllcache\agt040d.dll
2009-02-03 13:09 . 2007-04-02 22:56 19,456 --a------ c:\windows\system32\dllcache\agt0404.dll
2009-02-03 13:09 . 2007-04-02 22:56 19,456 --a------ c:\windows\system32\dllcache\agt0401.dll
2009-02-03 13:06 . 2009-02-03 13:06 749 -rah----- c:\windows\WindowsShell.Manifest
2009-02-03 13:06 . 2009-02-03 13:06 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-03 13:06 . 2009-02-03 13:06 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-02-03 13:06 . 2009-02-03 13:06 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-02-03 13:06 . 2009-02-03 13:06 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-02-03 13:06 . 2009-02-03 13:06 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-02-03 13:05 . 2001-08-23 13:00 16,384 --a------ c:\windows\system32\dllcache\isignup.exe
2009-02-03 13:05 . 2008-04-14 06:52 7,168 --a------ c:\windows\system32\dllcache\bitsprx4.dll
2009-02-03 13:05 . 2008-04-14 06:52 7,168 --a------ c:\windows\system32\bitsprx4.dll
2009-02-03 13:03 . 2008-04-14 06:53 370,176 --a------ c:\windows\system32\dllcache\wmic.exe
2009-02-03 13:03 . 2008-04-14 06:52 290,304 --a------ c:\windows\system32\rhttpaa.dll
2009-02-03 13:03 . 2008-04-14 06:52 290,304 --a------ c:\windows\system32\dllcache\rhttpaa.dll
2009-02-03 13:03 . 2008-04-14 06:52 136,192 --a------ c:\windows\system32\dllcache\aaclient.dll
2009-02-03 13:03 . 2008-04-14 06:52 136,192 --a------ c:\windows\system32\aaclient.dll
2009-02-03 13:03 . 2008-04-14 06:52 92,672 --a------ c:\windows\system32\dllcache\policman.dll
2009-02-03 13:03 . 2008-04-14 06:52 53,248 --a------ c:\windows\system32\tsgqec.dll
2009-02-03 13:03 . 2008-04-14 06:52 53,248 --a------ c:\windows\system32\dllcache\tsgqec.dll
2009-02-03 13:00 . 2008-04-13 22:05 20,992 --a------ c:\windows\system32\drivers\RTL8139.sys
2009-02-03 12:58 . 2009-02-03 12:58 4,444 --a------ c:\windows\system32\pid.PNF
2009-02-03 12:49 . 2009-02-03 12:49 <DIR> d-------- c:\windows\system32\de-de
2009-02-03 12:49 . 2009-02-03 12:49 <DIR> d-------- c:\windows\system32\de
2009-02-03 12:49 . 2009-02-03 12:49 <DIR> d-------- c:\windows\L2Schemas
2009-02-03 12:49 . 2009-02-03 12:49 <DIR> d-------- c:\windows\ehome
2009-02-01 20:02 . 2009-02-01 20:02 <DIR> d-------- c:\dokumente und einstellungen\markus.roega\Anwendungsdaten\Malwarebytes
2009-02-01 20:01 . 2009-02-01 20:01 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-01-25 13:36 . 2009-01-25 13:36 116 --a------ c:\windows\wininit.ini
2009-01-17 09:51 . 2009-01-17 09:51 <DIR> d--hs---- C:\FOUND.152

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2022-03-05 12:55 --------- d-----w c:\programme\Metal Gear Solid Trial
2022-02-24 13:15 --------- d-----w c:\programme\Microsoft Games
2009-02-10 16:26 196 ----a-w c:\windows\system32\drivers\ALCICH.DAT
2008-10-31 12:16 45,632 ----a-w c:\dokumente und einstellungen\markus Privat\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-04-14 12:29 45,632 ----a-w c:\dokumente und einstellungen\markus.roega\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-03-23 13:57 32 ----a-w c:\dokumente und einstellungen\All Users\Anwendungsdaten\ezsid.dat
2006-06-02 07:26 45,240 ----a-w c:\dokumente und einstellungen\roega roega\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2006-01-27 14:33 45,240 ----a-w c:\dokumente und einstellungen\PRIVAT FÜR markus\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2004-04-19 14:06 96,256 --sha-w c:\programme\Thumbs.db
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"aonUpdate"="c:\programme\aon\aonUpdate\aonUpdate.exe" [2005-07-26 4003328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-08-06 155648]
"Microsoft Works Portfolio"="c:\programme\Microsoft Works\WksSb.exe" [2000-07-12 311350]
"Microsoft Works Update Detection"="c:\programme\Microsoft Works\WkDetect.exe" [2000-07-21 28739]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-15 196608]
"Gainward"="c:\windows\TBPanel.exe" [2001-06-28 2916352]
"QuickTime Task"="c:\programme\QuickTime\QTTask.exe" [2008-03-28 413696]
"Share-to-Web Namespace Daemon"="c:\programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"0190 Warner"="c:\progra~1\0190WA~1\WARN0190.EXE" [2003-02-28 14:21 466944]
"REGSHAVE"="c:\programme\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"1aonmessagecenter"="c:\programme\aon\aonMessageCenter\aonMessageCenter.exe" [2005-02-14 676352]
"SunJavaUpdateSched"="c:\programme\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"SoundMan"="soundman.exe" [2001-05-29 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [13.02.2001 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
2008-04-14 06:52 625664 c:\windows\system32\catsrvut.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= c:\windows\System32\ir32_32.dll
"vidc.iv41"= ir41_32.dll
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PVW2"= pvwv220.dll
"VIDC.PIMJ"= pvljpg20.dll
"msacm.dvacm"= c:\progra~1\GEMEIN~1\ULEADS~1\Vio\Dvacm.acm
"vidc.ffds"= ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [06.01.2005 13:48:15 38604]
S3 Ndisusb;GeneLink Network Driver;c:\windows\system32\drivers\genelan.sys [21.05.2004 17:50:16 11328]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [10.09.2001 13:34:14 27904]

--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - Bonjour Service
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - EventSystem
*Deregistered* - GEARSecurity
*Deregistered* - gusvc
*Deregistered* - IISADMIN
*Deregistered* - ImapiService
*Deregistered* - iPod Service
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SENS
*Deregistered* - ShellHWDetection
*Deregistered* - sisagp
*Deregistered* - SLService
*Deregistered* - SMTPSVC
*Deregistered* - SNMP
*Deregistered* - Sparrow
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - sym_hi
*Deregistered* - sym_u3
*Deregistered* - symc8xx
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TosIde
*Deregistered* - ultra
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W3SVC
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
.
Inhalt des "geplante Tasks" Ordners

2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-OEM-Reset - (no file)
HKLM-Run-windows auto update - msblast.exe
HKU-Default-Run-Windows Service - winsvc.exe
HKU-Default-Run-Microsoft Update - msconfg.exe


.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.at/
mWindow Title = Internetexplorer von Vorarlberg Online
uInternet Settings,ProxyServer = ftp=proxy.aon.at:8080;http=proxy.aon.at:8080
uInternet Settings,ProxyOverride = *.aon.at;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} - hxxp://install.premiumzone.de/InstallationsAssistent.ocx
FF - ProfilePath - c:\dokumente und einstellungen\markus.roega\Anwendungsdaten\Mozilla\Firefox\Profiles\2ttte511.default\
FF - plugin: c:\dokumente und einstellungen\markus.roega\Anwendungsdaten\Mozilla\Firefox\Profiles\2ttte511.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 17:32:17
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostarteintrge...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
windows auto update = msblast.exe?I just want to say LOVE YOU SAN!!?bill

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-4265909289-2669302297-488748980-1005\RemoteAccess\Profile\x *]
"EnableAutodisconnect"=dword:00000001
"EnableExitDisconnect"=dword:00000001
"DisconnectIdleTime"=dword:00000014
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(368)
c:\progra~1\GEMEIN~1\ULEADS~1\Vio\Dvacm.acm
c:\windows\system32\scg726.acm
c:\windows\system32\alf2cd.acm
c:\windows\system32\AC3ACM.acm
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\SYSTEM32\GEARSEC.EXE
c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\slserv.exe
c:\programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\programme\iPod\bin\iPodService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-02-10 17:35:22 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-02-10 16:35:18

Vor Suchlauf: 3.134.832.640 Bytes frei
Nach Suchlauf: 4,740,071,424 Bytes frei

266
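Both logs in this thread (the DDS "Pseudo HJT Report" in post #1 and the ComboFix autostart section and catchme output above) show the same pattern a defender looks for first: Run values that are a bare file name with no path (msblast.exe, winsvc.exe, msconfg.exe), a name one character away from a real Windows binary (msconfg.exe vs msconfig.exe), and a service whose binary is a svchost.exe living outside system32 (the WksPatch entry). The script below is an added example, not part of DDS, ComboFix or the forum's cleaning procedure; it parses lines in those three formats and reports which heuristic fired. The sample lines are copied from the thread's logs; the allowlist, the look-alike list and the edit-distance threshold are assumptions of this example.

```python
"""Heuristic triage of autorun/service lines from DDS and ComboFix logs.

Added example for this thread; it is not part of DDS, ComboFix or the
forum's procedure. The heuristics and name lists below are assumptions
chosen to match what the thread's logs show, not a general detection rule.
"""
import re
from typing import Dict, List

# Windows binaries that malware commonly imitates by name (assumed list).
KNOWN_SYSTEM_BINARIES = {
    "msconfig.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "ctfmon.exe", "wuauclt.exe", "spoolsv.exe",
}
# Path-less Run values that are normal on this box (assumed allowlist).
BARE_NAME_ALLOWLIST = {"ctfmon.exe", "soundman.exe"}
# msblast.exe, listed under "windows auto update" in the thread's log,
# is the file name used by the Blaster worm.
KNOWN_BAD_NAMES = {"msblast.exe"}

# Constructed sample: lines copied from the thread's DDS "Pseudo HJT" report,
# the ComboFix REGEDIT4 section and the DDS service list.
SAMPLE_LOG = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [OEM-Reset]
mRun: [SoundMan] soundman.exe
mRun: [windows auto update] msblast.exe
mRun: [avgnt] "c:\programme\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [Windows Service] winsvc.exe
dRun: [Microsoft Update] msconfg.exe
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
R1 avgio;avgio;c:\programme\avira\antivir personaledition classic\avgio.sys [2009-2-1 11840]
S4 WksPatch;Remote Event Client;c:\windows\system32\drivers\svchost.exe --> c:\windows\system32\drivers\svchost.exe [?]
"""

RUN_DDS = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RUN_REG = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
SERVICE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<rest>.+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is enough to catch msconfg vs msconfig."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd: str) -> str:
    """Program part of a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def judge(exe: str) -> List[str]:
    """Apply the heuristics to one executable reference; return the reasons."""
    if not exe:
        return ["empty value"]
    exe = exe.replace("/", "\\").lower()
    directory, _, base = exe.rpartition("\\")
    reasons = []
    if base in KNOWN_BAD_NAMES:
        reasons.append("known worm file name")
    if not directory and base not in BARE_NAME_ALLOWLIST:
        reasons.append("bare file name, no path")
    if base not in KNOWN_SYSTEM_BINARIES:
        for known in sorted(KNOWN_SYSTEM_BINARIES):
            if edit_distance(base, known) == 1:
                reasons.append(f"look-alike of {known}")
                break
    if base == "svchost.exe" and directory and not directory.endswith("\\windows\\system32"):
        reasons.append("svchost.exe outside system32")
    return reasons


def find_suspicious(log_text: str) -> Dict[str, List[str]]:
    """Return {entry name: reasons} for every flagged Run entry or service."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_DDS.match(line) or RUN_REG.match(line)
        if m:
            name = m.group("name")
            reasons = judge(executable_of(m.group("cmd")))
            if line.endswith("[X]"):  # ComboFix marks a missing target with [X]
                reasons.append("target file missing ([X])")
        else:
            m = SERVICE.match(line)
            if not m:
                continue
            name = m.group("name")
            # the service path ends at the " [date size]" suffix or a " -->" redirection
            reasons = judge(re.split(r" \[| -->", m.group("rest"))[0].strip())
        if reasons:
            findings[name] = sorted(set(findings.get(name, [])) | set(reasons))
    return findings


if __name__ == "__main__":
    for entry, why in find_suspicious(SAMPLE_LOG).items():
        print(f"{entry}: {', '.join(why)}")
```

Run against the sample, the script flags the three bare-name Run values, the look-alike msconfg.exe, the misplaced svchost.exe of WksPatch, the empty OEM-Reset value and the [X] missing-target marker, while the pathed ctfmon.exe, the quoted Avira entry and the avgio driver pass. A bare name is only a prompt to verify the file on disk, which is why legitimate OEM names such as soundman.exe sit in an allowlist rather than being treated as clean by default.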
Old 02-10-2009, 08:31 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: virus or malware removal lead to a disabled xp firewall - is there some virus lef

No worries about the German text, markus.roega. Google Translate is great.


Is there any reason the Windows Recovery Console did not install? Did you receive any error messages?

How is the system behaving now?

=======================================

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 02-12-2009, 08:01 AM   #8 (permalink)
Registered User
Join Date: Apr 2008
Location: austria
Posts: 23
OS: windows vista 32-bit home edition


Re: virus or malware removal lead to a disabled xp firewall - is there some virus lef

Dear Ried, I am sorry but I cannot perform an online scan - the internet connection does not work anymore. I am currently using my laptop for internet access and the infected computer does not have a connection anymore. Is there another way/program I could use? Something I can download, which does not need an immediate connection? Sorry to bother you so much but I can't get the connection to work!

Have a nice day!
Old 02-13-2009, 11:11 AM   #9 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: virus or malware removal lead to a disabled xp firewall - is there some virus lef

Hi, I will be helping you while Ried is away :)

Please download WinsockXPFix

http://www.snapfiles.com/get/winsockxpfix.html

Execute it and click fix. After which, reboot your pc. Let me know if that solves your connection problem.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 02-18-2009, 09:03 AM   #10 (permalink)
Registered User
Join Date: Apr 2008
Location: austria
Posts: 23
OS: windows vista 32-bit home edition


Re: virus or malware removal lead to a disabled xp firewall - is there some virus lef

Dear Angelfire777 and Ried,

I was able to fix the firewall problem with the program you told me about. Thank you very much!

Then I was able to perform the panda-online scan.

It showed me a result and I saved the text file (see attachment) but it also said that I need to pay for disinfecting special viruses. What shall I do now? Do I have to buy the Pandascan-Software or is there another (free) software to clean my system?

Thanks again for your time and patience!!
Markus
Attached Files
File Type: txt AScan.txt (78.8 KB, 2 views)
Old 02-18-2009, 10:22 AM   #11 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: virus or malware removal lead to a disabled xp firewall - is there some virus lef

Hi,

Don't pay for anything, you don't need to :)

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean.bat in the File name and save it to your desktop.

Code:
@echo off
rem Remove any leftover log from a previous run
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Delete the listed files; anything that survives is written to the log
for %%g in (
"c:\windows\gatorpdpsetup.log"
"c:\windows\gatoruninstaller_cme.log"
"c:\windows\gatoruninstaller_cme_u.log"
"C:\WINDOWS\SYSTEM32\CMD.FTP"
"C:\WINDOWS\SYSTEM32\TFTP3480"
"C:\WINDOWS\SYSTEM32\TFTP3740"
"C:\WINDOWS\SYSTEM32\TFTP468"
) do (
del /a/f/q %%g
if exist %%g echo.%%g >>"%temp%\log.txt"
)>nul 2>&1

rem Clear system, hidden and read-only attributes, then remove the listed folders
for %%g in (
"c:\dokumente und einstellungen\markus.roega\startmenü\programme\clocksync"
"c:\program files\altnet"
"c:\programme\clocksync"
"c:\programme\perfectnav"
) do (
attrib -s -h -r %%g
rd /s/q %%g
if exist %%g echo.%%g >>"%temp%\log.txt"
)>nul 2>&1

rem Open the log of leftovers if there is one, otherwise report success
if exist "%temp%\log.txt" (start notepad "%temp%\log.txt"
) else echo.Deleted Successfully!
echo.
pause
rem The batch file deletes itself once it has finished
del %0
Locate clean.bat on your Desktop and double-click on it. Tell me what it says.


*Open notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-hkey_local_machine\software\cydoor]

[-hkey_classes_root\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}]

[-hkey_local_machine\software\gator.com]

[-hkey_local_machine\software\perfectnav]

[-hkey_local_machine\software\classes\wuse.1]

[-HKEY_CLASSES_ROOT\Interface\{AD5BC1F0-72D8-44B3-8E3D-8E8FECCE43FB}]

[-hkey_classes_root\clsid\{e813099d-5529-47f4-9b37-4afafcb00a43}]

[-hkey_local_machine\software\classes\appid\adm.exe]

[-hkey_local_machine\software\classes\appid\altnet signing module.exe]

[-hkey_classes_root\clsid\{9bbcf06c-dcd7-495d-80df-cdd5399d0ff8}]

[-hkey_classes_root\clsid\{3646c2bd-3554-49ca-8125-44deefb881de}]

[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\altnetdm]

[-hkey_local_machine\software\classes\adm25.adm25]

[-hkey_local_machine\software\classes\adm25.adm25.1]

[-hkey_local_machine\software\classes\adm4.adm4]

[-hkey_local_machine\software\classes\signingmodule.signingmodule]

[-hkey_local_machine\software\classes\signingmodule.signingmodule.1]

[-hKEY_CLASSES_ROOT\Interface\{E813099D-5529-47F4-9B37-4AFAFCB00A43}]
Save this as fix.reg. Choose to save as *all files* and place it on your desktop.

It should look like this:
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.


*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 12".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java(TM) SE Runtime Environment 6 Update 1
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

On your next reply, please include a
  • Fresh DDS log (just dds.txt)
  • results of clean.bat
  • A detailed description of how your machine is running.
Last edited by Angelfire777; 02-18-2009 at 10:24 AM.
Old 02-19-2009, 05:12 AM   #12 (permalink)
Registered User
Join Date: Apr 2008
Location: austria
Posts: 23
OS: windows vista 32-bit home edition


Re: virus or malware removal lead to a disabled xp firewall - is there some virus lef

Dear Angelfire777,

thank you for your quick reply, I followed your instructions carefully.
The clean.bat showed a message "deleted successfully".
The computer seems to be running normally now. I can't really compare it to another time because there was so much going wrong with it, but now it seems to be okay.

Thank you for your help, I include the DDS,
Markus

dds:


DDS (Ver_09-02-01.01) - FAT32x86
Run by markus.roega at 13:07:05,48 on 19.02.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.255.70 [GMT 1:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\TBPanel.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\0190WA~1\WARN0190.EXE
C:\Programme\aon\aonMessageCenter\aonMessageCenter.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\aon\aonUpdate\aonUpdate.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Dokumente und Einstellungen\markus.roega\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.at/
mWindow Title = Internetexplorer von Vorarlberg Online
uInternet Settings,ProxyServer = ftp=proxy.aon.at:8080;http=proxy.aon.at:8080
uInternet Settings,ProxyOverride = *.aon.at;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [aonUpdate] c:\programme\aon\aonupdate\aonUpdate.exe /tray
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Microsoft Works Portfolio] c:\programme\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\programme\microsoft works\WkDetect.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [SoundMan] soundman.exe
mRun: [Gainward] c:\windows\TBPanel.exe /A
mRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
mRun: [Share-to-Web Namespace Daemon] c:\programme\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [0190 Warner] c:\progra~1\0190wa~1\WARN0190.EXE
mRun: [REGSHAVE] c:\programme\regshave\REGSHAVE.EXE /AUTORUN
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [1aonmessagecenter] c:\programme\aon\aonmessagecenter\aonMessageCenter.exe
mRun: [avgnt] "c:\programme\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\programme\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\micros~1.lnk - c:\programme\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\programme\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\programme\bonjour\ExplorerPlugin.dll
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136651976184
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137843769328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} - hxxp://install.premiumzone.de/InstallationsAssistent.ocx
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\programme\gemeinsame dateien\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\markus~1.roe\anwend~1\mozilla\firefox\profiles\2ttte511.default\
FF - plugin: c:\dokumente und einstellungen\markus.roega\anwendungsdaten\mozilla\firefox\profiles\2ttte511.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-14 28544]
R1 avgio;avgio;c:\programme\avira\antivir personaledition classic\avgio.sys [2009-2-14 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Planer;c:\programme\avira\antivir personaledition classic\sched.exe [2009-2-14 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\programme\avira\antivir personaledition classic\avguard.exe [2009-2-14 151297]
R3 avgntflt;avgntflt;c:\programme\avira\antivir personaledition classic\avgntflt.sys [2009-2-14 52032]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2005-1-6 38604]
S3 Ndisusb;GeneLink Network Driver;c:\windows\system32\drivers\genelan.sys [2004-5-21 11328]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [2001-9-10 27904]
S3 viafilter;VIA USB Filter;c:\windows\system32\drivers\viausb.sys [2002-2-19 9038]
S3 Winacusb;Winacusb;c:\windows\system32\drivers\winacusb.sys [2004-6-1 956890]
S4 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys --> c:\windows\system32\drivers\slnt7554.sys [?]

=============== Created Last 30 ================

2009-02-19 12:58 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-19 12:39 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-19 12:21 286,792 a------- c:\windows\system32\slextspk.dll
2009-02-19 12:21 286,792 a------- c:\windows\system32\dllcache\slextspk.dll
2009-02-19 12:21 13,776 a------- c:\windows\system32\drivers\recagent.sys
2009-02-19 12:21 13,776 a------- c:\windows\system32\dllcache\recagent.sys
2009-02-19 12:11 <DIR> --d----- c:\windows\system32\appmgmt
2009-02-14 11:44 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-02-14 11:43 <DIR> --d----- c:\programme\Panda Security
2009-02-14 11:11 <DIR> --d----- c:\programme\Avira
2009-02-14 11:11 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Avira
2009-02-14 10:58 273,024 -------- c:\windows\system32\drivers\bthport.sys
2009-02-14 10:58 273,024 -------- c:\windows\system32\dllcache\bthport.sys
2009-02-14 10:53 2,147,840 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-14 10:53 2,068,352 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-14 10:53 2,026,496 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-14 10:52 2,191,488 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-14 10:50 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-14 10:34 <DIR> --d----- c:\windows\system32\%
2009-02-11 13:41 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-02-11 13:41 32,128 a------- c:\windows\system32\dllcache\usbccgp.sys
2009-02-11 13:39 <DIR> --d----- c:\programme\tele.ring
2009-02-10 17:19 161,792 a------- c:\windows\SWREG.exe
2009-02-10 17:19 98,816 a------- c:\windows\sed.exe
2009-02-03 15:28 250 a------- c:\windows\gmer.ini
2009-02-03 13:32 74,240 a------- c:\windows\system32\dllcache\w3ext.dll
2009-02-03 13:13 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-02-03 13:11 229,439 a------- c:\windows\system32\dllcache\multibox.dll
2009-02-03 13:10 13,463,552 a------- c:\windows\system32\dllcache\hwxjpn.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0804.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0412.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0411.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt040d.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0404.dll
2009-02-03 13:09 19,456 a------- c:\windows\system32\dllcache\agt0401.dll
2009-02-03 13:06 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-02-03 13:06 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-02-03 13:06 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-03 13:06 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-02-03 13:06 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-02-03 13:06 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-02-03 13:05 16,384 a------- c:\windows\system32\dllcache\isignup.exe
2009-02-03 13:05 7,168 a------- c:\windows\system32\dllcache\bitsprx4.dll
2009-02-03 13:05 7,168 a------- c:\windows\system32\bitsprx4.dll
2009-02-03 13:03 290,304 a------- c:\windows\system32\rhttpaa.dll
2009-02-03 13:03 290,304 a------- c:\windows\system32\dllcache\rhttpaa.dll
2009-02-03 13:03 136,192 a------- c:\windows\system32\dllcache\aaclient.dll
2009-02-03 13:03 136,192 a------- c:\windows\system32\aaclient.dll
2009-02-03 13:03 53,248 a------- c:\windows\system32\tsgqec.dll
2009-02-03 13:03 53,248 a------- c:\windows\system32\dllcache\tsgqec.dll
2009-02-03 13:03 370,176 a------- c:\windows\system32\dllcache\wmic.exe
2009-02-03 13:03 92,672 a------- c:\windows\system32\dllcache\policman.dll
2009-02-03 13:00 20,992 a------- c:\windows\system32\drivers\RTL8139.sys
2009-02-03 12:58 4,444 a------- c:\windows\system32\pid.PNF
2009-02-03 12:49 <DIR> --d----- c:\windows\system32\de-de
2009-02-03 12:49 <DIR> --d----- c:\windows\system32\de
2009-02-03 12:49 <DIR> --d----- c:\windows\Network Diagnostic
2009-02-03 12:49 <DIR> --d----- c:\windows\L2Schemas
2009-02-03 12:49 <DIR> --d----- c:\windows\ehome
2009-02-01 20:02 <DIR> --d----- c:\dokume~1\markus~1.roe\anwend~1\Malwarebytes
2009-02-01 20:01 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2009-01-25 13:36 116 a------- c:\windows\wininit.ini

==================== Find3M ====================

2009-02-19 12:34 196 a------- c:\windows\system32\drivers\ALCICH.DAT
2009-02-14 10:35 381,298 a------- c:\windows\system32\perfh007.dat
2009-02-14 10:35 69,262 a------- c:\windows\system32\perfc007.dat
2009-02-11 12:07 45,632 a------- c:\dokume~1\markus~1.roe\anwend~1\GDIPFONTCACHEV1.DAT
2009-02-03 13:07 86,665 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-03 13:04 22,940 a------- c:\windows\system32\emptyregdb.dat
2008-12-12 18:01 3,088,896 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2008-03-23 14:57 32 a------- c:\dokume~1\alluse~1\anwend~1\ezsid.dat
2004-04-19 15:06 96,256 a--sh--- c:\programme\Thumbs.db

============= FINISH: 13:07:47,71 ===============
Old 02-19-2009, 03:52 PM   #13 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: virus or malware removal lead to a disabled xp firewall - is there some virus lef

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?.

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Old 02-20-2009, 03:15 AM   #14 (permalink)
Registered User
Join Date: Apr 2008
Location: austria
Posts: 23
OS: windows vista 32-bit home edition


Re: virus or malware removal lead to a disabled xp firewall - is there some virus lef

Dear Angelfire777 and Ried,

thanks again for your help and I will donate!
This forum sure is great!


Have a nice day, Markus