What the Tech
[Resolved] Live Messenger Virus
KTB
post Sep 11 2009, 11:49 AM
Post #1


New Member

Group: Authentic Member
Posts: 7
Joined: 11-September 09
Member No.: 87,861
Operating System: Windows XP Home Edition Service Pack 3



While using Windows Live Messenger today some messages appeared (some of them sent by my own username) but the other person wasn't even able to see them. Each message said something like "look at those pictures" and something about Facebook (in Portuguese) and they had a download link for the "pictures" ... of course there were no pictures or anything. Now Messenger tries to start again an hour or more after I quit it. I can't use Spybot or Malwarebytes, Avira doesn't find anything and neither do the tools offered by Windows. I found Combofix and wasn't aware of the risks yet so I wanted to try it but it doesn't work either.

I just had some trouble with my other computer and really don't want to have to reinstall Windows on this one too, so I really hope you guys can help me!

Here are my logs:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Markus at 19:33:19,85 on 11.09.2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.43.1031.18.510.168 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Launchy\Launchy.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\Application\chrome.exe
C:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\Application\chrome.exe
C:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Dokumente und Einstellungen\Markus\Eigene Dateien\Downloads\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.telekom.at
uSearch Page = hxxp://www.telekom.at/suche
uWindow Title = Telekom Austria TA AG
uInternet Settings,ProxyServer = 192.168.18.250:3128
uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programme\gemeinsame dateien\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\dokumente und einstellungen\markus\lokale einstellungen\anwendungsdaten\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LogitechCommunicationsManager] "c:\programme\gemeinsame dateien\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\programme\logitech\quickcam\Quickcam.exe" /hide
mRun: [Resume copy] copyfstq.exe /startup
mRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\programme\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\programme\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [ctfmon.exe] ctfmon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\launchy.lnk - c:\programme\launchy\Launchy.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\logite~1.lnk - c:\programme\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\programme\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2009-9-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\avira\antivir desktop\sched.exe [2009-9-9 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2009-9-9 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-9 55656]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]

=============== Created Last 30 ================

2009-09-11 19:32 <DIR> --d-h--- c:\windows\PIF
2009-09-11 13:23 532 a--shr-- C:\autorun.inf
2009-09-11 13:13 88,064 ---shr-- c:\windows\system32\avgvsm.exe
2009-09-09 19:47 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-09 00:19 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-09-09 00:19 <DIR> --d----- c:\programme\Avira
2009-09-09 00:19 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Avira
2009-08-24 23:43 <DIR> --d----- c:\dokume~1\markus\anwend~1\Malwarebytes
2009-08-24 23:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 23:43 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2009-08-24 23:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-24 23:42 <DIR> --d----- c:\programme\Malwarebytes' Anti-Malware
2009-08-23 16:40 95 a------- c:\windows\wininit.ini
2009-08-19 23:35 <DIR> --d----- c:\programme\iPod
2009-08-19 23:34 <DIR> --d----- c:\programme\iTunes
2009-08-13 13:45 221,184 a------- c:\windows\system32\wmpns.dll
2009-08-12 23:04 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 23:04 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-12 01:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 10:59 206,336 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-28 20:24 317,162 a------- c:\windows\system32\perfh007.dat
2009-06-28 20:24 48,558 a------- c:\windows\system32\perfc007.dat
2009-06-26 18:49 672,256 a------- c:\windows\system32\wininet.dll
2009-06-26 18:49 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 16:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 16:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-15 12:43 78,848 a------- c:\windows\system32\telnet.exe

============= FINISH: 19:34:08,42 ===============
__________________________________________________________________

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/11 19:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF993000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BF6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP7190
Image Path: \Driver\PCI_PNP7190
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8BDC000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC8BC000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spkp.sys
Image Path: spkp.sys
Address: 0xF8464000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: C:\WINDOWS\system32\avgvsm.exe
PID: 3748 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8c42676

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8c4266c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf8c4267b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf8c42685

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spkp.sys" at address 0xf8483ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spkp.sys" at address 0xf8484032

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf8c4268a

#: 119 Function Name: NtOpenKey
Status: Hooked by "spkp.sys" at address 0xf84650c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8c42658

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8c4265d

#: 160 Function Name: NtQueryKey
Status: Hooked by "spkp.sys" at address 0xf848410a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spkp.sys" at address 0xf8483f8a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf8c42694

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf8c4268f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf8c42680

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8c42667

==EOF==

Thanks in advance!

This post has been edited by KTB: Sep 11 2009, 11:55 AM
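A triage pass over the two logs in the post above, as an added example that is not part of the thread and not code from the DDS or RootRepeal tools. It picks out the three things a responder would pull from these logs: a file created system+hidden in system32 on the same day as a new system+hidden+read-only autorun.inf at the drive root (the dropper/spreading pairing of an autorun worm), the process RootRepeal reports as hidden from the Windows API, and the SSDT hooks whose owner is "<unknown>", which the script groups by 4 KiB page to show that they all point into one unlisted image. Hooks by a named driver are deliberately not flagged: spkp.sys (spra.sys in the later scan, same size and load address) together with the sptd driver is consistent with the randomly renamed SPTD disc-emulation driver, which RootRepeal routinely reports. The sample input is constructed by excerpting lines from the posted logs; the line layouts the regexes assume are the ones shown there.

```python
"""Triage the DDS 'Created Last 30' and RootRepeal sections of a malware-forum log.

Added example for this thread, not part of DDS, RootRepeal or the forum's tooling.
Assumed line layouts (as shown in the posted logs):
  DDS:        <yyyy-mm-dd hh:mm> <size|<DIR>> <8-char attribute string> <path>
  RootRepeal: 'Path: ...' then 'PID: n Status: ...';
              '#: nnn Function Name: NtXxx' then 'Status: Hooked by "mod" at address 0x...'
"""
import re
from collections import defaultdict

# Constructed sample input: lines excerpted from the two logs posted above.
SAMPLE_DDS = r"""
=============== Created Last 30 ================
2009-09-11 19:32 <DIR> --d-h--- c:\windows\PIF
2009-09-11 13:23 532 a--shr-- C:\autorun.inf
2009-09-11 13:13 88,064 ---shr-- c:\windows\system32\avgvsm.exe
2009-09-09 00:19 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
"""

SAMPLE_RR = r"""
Processes
-------------------
Path: C:\WINDOWS\system32\avgvsm.exe
PID: 3748 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8c42676
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spkp.sys" at address 0xf8483ca4
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8c42658
"""

DDS_ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
SSDT_FN = re.compile(r"^#:\s*(?P<num>\d+)\s+Function Name:\s*(?P<fn>\w+)$")
SSDT_HOOK = re.compile(r'^Status:\s*Hooked by "(?P<mod>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)$')
ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$")
BINARY_EXT = (".exe", ".dll", ".sys", ".com", ".pif", ".scr")


def parse_dds_created(text):
    """Return (reason, path, attrs) for suspicious entries in a DDS 'Created Last 30' block.

    DDS attribute letters: a=archive c=compressed d=directory s=system h=hidden r=read-only.
    A new system+hidden binary is how an autorun worm hides its dropper from Explorer;
    a new autorun.inf at a drive root is the hook that launches it from the drive.
    """
    findings = []
    for line in text.splitlines():
        m = DDS_ENTRY.match(line.strip())
        if not m:
            continue
        attrs, path, is_dir = m["attrs"], m["path"], m["size"] == "<DIR>"
        lower = path.lower()
        if ROOT_AUTORUN.match(lower):
            findings.append(("autorun.inf at drive root", path, attrs))
        elif not is_dir and "s" in attrs and "h" in attrs and lower.endswith(BINARY_EXT):
            findings.append(("new system+hidden binary", path, attrs))
    return findings


def parse_rootrepeal(text):
    """Return (hidden_process_paths, hooks); hooks = [(ssdt_index, function, module, address)]."""
    hidden, hooks = [], []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        nxt = lines[i + 1]
        if line.startswith("Path: ") and "Hidden from the Windows API" in nxt:
            hidden.append(line[len("Path: "):])
        m = SSDT_FN.match(line)
        h = SSDT_HOOK.match(nxt) if m else None
        if m and h:
            hooks.append((int(m["num"]), m["fn"], h["mod"], int(h["addr"], 16)))
    return hidden, hooks


def cluster_unknown_hooks(hooks, page_bits=12):
    """Group hooks RootRepeal could not attribute ('<unknown>') by the 4 KiB page they target.

    Hooks by a named driver can be checked against the driver list; hooks whose owner is
    not in the loaded-module list are the rootkit signal, and several landing in one
    page means a single unlisted image owns them all.
    """
    pages = defaultdict(list)
    for _num, fn, mod, addr in hooks:
        if mod == "<unknown>":
            pages[(addr >> page_bits) << page_bits].append(fn)
    return dict(pages)


def triage(dds_text, rr_text):
    """Combine the three checks into a list of one-line findings."""
    report = [f"DDS: {reason}: {path} [{attrs}]" for reason, path, attrs in parse_dds_created(dds_text)]
    hidden, hooks = parse_rootrepeal(rr_text)
    report += [f"RootRepeal: process hidden from the Windows API: {p}" for p in hidden]
    for page, fns in sorted(cluster_unknown_hooks(hooks).items()):
        report.append(f"RootRepeal: {len(fns)} SSDT hooks by an unlisted module in page {page:#010x}: {', '.join(fns)}")
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_DDS, SAMPLE_RR):
        print(entry)
```

Run against the full posted logs, the cluster step puts every "<unknown>" hook (NtCreateKey through NtTerminateProcess, addresses 0xf8c42658 to 0xf8c42694) into the single page 0xf8c42000, while the avgvsm.exe entry is both the hidden process and the system+hidden file created at 13:13, ten minutes before the autorun.inf; that is the picture of one rootkit driver guarding one dropper, and it matches the symptoms KTB lists (security tools blocked, process hidden from every user-mode scanner).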
KTB
post Sep 13 2009, 05:16 AM
Post #2


New Member

Group: Authentic Member
Posts: 7
Joined: 11-September 09
Member No.: 87,861
Operating System: Windows XP Home Edition Service Pack 3



The problem still exists ... help would be welcome.

Conclusion: Virus that tries to spread itself with Windows Live Messenger (sends messages with links)

It blocks the following programs: Spybot S&D, Malwarebytes, Security Task Manager, Combofix; virus removal tools don't show any results (Avira, web-based Windows spyware and virus removal [forgot the name]); Windows can't start in Safe Mode (restarts before it gets to the desktop).


This post has been edited by KTB: Sep 13 2009, 06:02 AM
LDTate
post Sep 13 2009, 06:17 AM
Post #3


Forum God

Group: Root Admin
Posts: 48,343
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276
MVP




DO NOT use any TOOLS such as Combofix, MBAM, SmitfraudFix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.


Stay with this topic until I give you the final 'All clean' post.


Vista users:
1. These tools MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them



1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

2) DDS

Please download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.


3) RR
Please download RootRepeal.zip.
Save it to your Desktop. Alternate download links here or here.
Please print these instructions, you will not have an Internet connection!
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
  1. Right click on RootRepeal.zip and select "Extract All"....
  2. Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  3. Click on the Browse...button, then click on Desktop, then click OK.
  4. Once done, check (tick) the Show extracted files box and click Finish.
  5. Before running RootRepeal:
      Disconnect from the Internet as your system will be unprotected while using this tool.
      Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
  6. Open the RootRepeal folder and double-click on RootRepeal.exe to launch it.
  7. When the program opens, click the Report tab at the bottom, then click the Scan button.
  8. In the Select Scan dialog, which asks What do you want to include in the scan?, check ALL the boxes.
  9. Click OK.
  10. In the Select Drives dialog, Please select drives to scan:, select all drives showing, then click OK.
    The scan can take some time to finish. Do not use the computer while the scan is running.
    When the scan has completed, a list of files will be generated in the RootRepeal window.
  11. Click on the Save Report button and save it as "rootrepeal.txt" to your desktop.
  12. Close and exit RootRepeal
  13. Double-click on the file rootrepeal.txt... Notepad will open... copy/paste the file contents in your next reply.


Make sure to enable your anti-virus, Firewall and any other security programs you disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

4) What You Will Need To Post:
  • exeHelper log
  • DDS logs
  • RR log
KTB
post Sep 13 2009, 06:45 AM
Post #4


New Member

Group: Authentic Member
Posts: 7
Joined: 11-September 09
Member No.: 87,861
Operating System: Windows XP Home Edition Service Pack 3



Thanks a lot; here are the logs:

exeHelper by Raktor - 09
Build 20090911
Run at 14:27:45 on 09/13/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Finished.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Markus at 14:31:29,56 on 13.09.2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.43.1031.18.510.139 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programme\Logitech\QuickCam\Quickcam.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Launchy\Launchy.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\Application\chrome.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\Application\chrome.exe
C:\Dokumente und Einstellungen\Markus\Eigene Dateien\Downloads\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.telekom.at
uSearch Page = hxxp://www.telekom.at/suche
uWindow Title = Telekom Austria TA AG
uInternet Settings,ProxyServer = 192.168.18.250:3128
uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programme\gemeinsame dateien\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\dokumente und einstellungen\markus\lokale einstellungen\anwendungsdaten\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LogitechCommunicationsManager] "c:\programme\gemeinsame dateien\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\programme\logitech\quickcam\Quickcam.exe" /hide
mRun: [Resume copy] copyfstq.exe /startup
mRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\programme\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\programme\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [ctfmon.exe] ctfmon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\launchy.lnk - c:\programme\launchy\Launchy.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\logite~1.lnk - c:\programme\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\programme\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2009-9-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\avira\antivir desktop\sched.exe [2009-9-9 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2009-9-9 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-9 55656]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]

=============== Created Last 30 ================

2009-09-13 13:54 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\SecTaskMan
2009-09-13 13:54 <DIR> --d----- c:\programme\Security Task Manager
2009-09-11 19:32 <DIR> --d-h--- c:\windows\PIF
2009-09-11 13:23 532 a--shr-- C:\autorun.inf
2009-09-11 13:13 88,064 ---shr-- c:\windows\system32\avgvsm.exe
2009-09-09 19:47 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-09 00:19 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-09-09 00:19 <DIR> --d----- c:\programme\Avira
2009-09-09 00:19 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Avira
2009-08-24 23:43 <DIR> --d----- c:\dokume~1\markus\anwend~1\Malwarebytes
2009-08-24 23:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 23:43 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2009-08-24 23:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-24 23:42 <DIR> --d----- c:\programme\Malwarebytes' Anti-Malware
2009-08-23 16:40 95 a------- c:\windows\wininit.ini
2009-08-19 23:35 <DIR> --d----- c:\programme\iPod
2009-08-19 23:34 <DIR> --d----- c:\programme\iTunes

==================== Find3M ====================

2009-08-12 01:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 10:59 206,336 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-28 20:24 317,162 a------- c:\windows\system32\perfh007.dat
2009-06-28 20:24 48,558 a------- c:\windows\system32\perfc007.dat
2009-06-26 18:49 672,256 a------- c:\windows\system32\wininet.dll
2009-06-26 18:49 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 16:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 16:36 81,920 a------- c:\windows\system32\fontsub.dll

============= FINISH: 14:32:06,57 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 15.05.2009 16:36:28
System Uptime: 13.09.2009 13:46:01 (1 hours ago)

Motherboard: Hewlett-Packard | | 3085
Processor: AMD Athlon™ 64 Processor 3200+ | U23 | 1989/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 52,271 GiB free.
D: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM-Bus-Controller
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_3085103C&REV_10\3&13C0B0C5&0&A0
Manufacturer:
Name: SM-Bus-Controller
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_3085103C&REV_10\3&13C0B0C5&0&A0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394-Netzwerkadapter
Device ID: V1394\NIC1394\9D094079573F0200
Manufacturer: Microsoft
Name: 1394-Netzwerkadapter
PNP Device ID: V1394\NIC1394\9D094079573F0200
Service: NIC1394

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Massenspeichercontroller
Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_3085103C&REV_00\4&13826118&0&23A4
Manufacturer:
Name: Massenspeichercontroller
PNP Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_3085103C&REV_00\4&13826118&0&23A4
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139-Familie-PCI-Fast Ethernet-NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3085103C&REV_10\4&13826118&0&30A4
Manufacturer: Realtek
Name: Realtek RTL8139-Familie-PCI-Fast Ethernet-NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3085103C&REV_10\4&13826118&0&30A4
Service: rtl8139

==== System Restore Points ===================

RP52: 13.06.2009 22:46:05 - Systemprüfpunkt
RP53: 15.06.2009 13:02:45 - Systemprüfpunkt
RP54: 16.06.2009 15:59:35 - Systemprüfpunkt
RP55: 17.06.2009 10:24:51 - Software Distribution Service 3.0
RP56: 18.06.2009 19:24:23 - Systemprüfpunkt
RP57: 20.06.2009 15:11:03 - Systemprüfpunkt
RP58: 21.06.2009 15:48:16 - Systemprüfpunkt
RP59: 24.06.2009 17:25:12 - Systemprüfpunkt
RP60: 25.06.2009 17:54:45 - Systemprüfpunkt
RP61: 27.06.2009 13:51:30 - Systemprüfpunkt
RP62: 28.06.2009 15:05:56 - Systemprüfpunkt
RP63: 01.07.2009 12:12:30 - Systemprüfpunkt
RP64: 02.07.2009 12:43:34 - Systemprüfpunkt
RP65: 03.07.2009 20:57:39 - Systemprüfpunkt
RP66: 05.07.2009 04:10:54 - Systemprüfpunkt
RP67: 06.07.2009 13:14:09 - Systemprüfpunkt
RP68: 07.07.2009 19:51:04 - Systemprüfpunkt
RP69: 09.07.2009 15:13:11 - Systemprüfpunkt
RP70: 10.07.2009 15:18:08 - Systemprüfpunkt
RP71: 12.07.2009 11:25:08 - Systemprüfpunkt
RP72: 14.07.2009 11:46:16 - Systemprüfpunkt
RP73: 21.07.2009 21:11:02 - Software Distribution Service 3.0
RP74: 23.07.2009 14:03:12 - Systemprüfpunkt
RP75: 24.07.2009 15:30:35 - Systemprüfpunkt
RP76: 29.07.2009 19:48:45 - Software Distribution Service 3.0
RP77: 12.08.2009 01:11:51 - Java™ 6 Update 15 wird installiert
RP78: 13.08.2009 13:39:07 - Software Distribution Service 3.0
RP79: 14.08.2009 13:48:33 - Systemprüfpunkt
RP80: 15.08.2009 14:54:06 - Systemprüfpunkt
RP81: 16.08.2009 19:22:02 - Systemprüfpunkt
RP82: 18.08.2009 15:24:59 - Systemprüfpunkt
RP83: 19.08.2009 16:47:24 - Systemprüfpunkt
RP84: 21.08.2009 00:03:25 - Systemprüfpunkt
RP85: 22.08.2009 18:54:27 - Systemprüfpunkt
RP86: 24.08.2009 15:14:31 - Systemprüfpunkt
RP87: 25.08.2009 18:04:11 - Systemprüfpunkt
RP88: 26.08.2009 11:57:04 - Software Distribution Service 3.0
RP89: 28.08.2009 00:52:50 - Systemprüfpunkt
RP90: 29.08.2009 14:57:51 - Systemprüfpunkt
RP91: 31.08.2009 22:01:36 - Systemprüfpunkt
RP92: 02.09.2009 14:50:17 - Systemprüfpunkt
RP93: 03.09.2009 20:37:37 - Systemprüfpunkt
RP94: 06.09.2009 18:12:01 - Systemprüfpunkt
RP95: 07.09.2009 23:39:21 - Systemprüfpunkt
RP96: 09.09.2009 00:14:19 - McAfee VirusScan Enterprise wird entfernt
RP97: 09.09.2009 00:17:28 - Avira AntiVir Personal - 09.09.2009 00:17
RP98: 10.09.2009 03:00:38 - Software Distribution Service 3.0
RP99: 11.09.2009 12:14:34 - Systemprüfpunkt
RP100: 11.09.2009 18:31:12 - Die Registrierung wurde mit dem Windows Live OneCare Safety Scanner bereinigt.

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Reader 9.1.2 - Deutsch
AiO_Scan_CDA
aonUpdate
Apple Mobile Device Support
Apple Software Update
Ares 2.1.1
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Bonjour
Breitband-Internet-Installation
Choice Guard
Compatibility Pack for the 2007 Office system
Conexant AC-Link Audio
Controller
Data Fax SoftModem with SmartCP
ERUNT 1.1j
Google Chrome
Hotfix für Windows XP (KB952287)
Hotfix für Windows XP (KB970653-v3)
HP PSC & OfficeJet 6.1.A
iTunes
Java™ 6 Update 15
Junk Mail filter update
Launchy 2.1.2
Little Fighter 2 version 2.0
Logitech Desktop Messenger
Logitech QuickCam
Logitech QuickCam-Treiberpaket
Logitech Updater
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MSVCRT
MSXML 4.0 SP2 (KB954430)
QFolder
QuickTime
Scan
Security Task Manager 1.7h
Security Update for CAPICOM (KB931906)
Segoe UI
Sicherheitsupdate für Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Skype™ 4.1
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
TabsLock
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VLC media player 0.9.9
WebFldrs XP
Winamp
Windows Live Upload Tool
Windows Live Sign-in Assistant
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows XP Service Pack 3
WinRAR

==== Event Viewer Messages From Past Week ========

09.09.2009 00:16:32, error: Service Control Manager [7023] - The "Application Management" service terminated with the following error: The specified module could not be found.

==== End Of File ===========================


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/13 14:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF044000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BC2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP3712
Image Path: \Driver\PCI_PNP3712
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8C1C000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC9EB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spra.sys
Image Path: spra.sys
Address: 0xF8464000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_754.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Processes
-------------------
Path: C:\WINDOWS\system32\avgvsm.exe
PID: 1424 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8c71026

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8c7101c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf8c7102b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf8c71035

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spra.sys" at address 0xf8483ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spra.sys" at address 0xf8484032

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf8c7103a

#: 119 Function Name: NtOpenKey
Status: Hooked by "spra.sys" at address 0xf84650c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8c71008

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8c7100d

#: 160 Function Name: NtQueryKey
Status: Hooked by "spra.sys" at address 0xf848410a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spra.sys" at address 0xf8483f8a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf8c71044

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf8c7103f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf8c71030

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8c71017

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x825711f8 Size: 121

Object: Hidden Code [Driver: Mouc, IRP_MJ_CREATE]
Process: System Address: 0x8225a1f8 Size: 121

Object: Hidden Code [Driver: Mouc, IRP_MJ_CLOSE]
Process: System Address: 0x8225a1f8 Size: 121

Object: Hidden Code [Driver: Mouc, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8225a1f8 Size: 121

Object: Hidden Code [Driver: Mouc, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8225a1f8 Size: 121

Object: Hidden Code [Driver: Mouc, IRP_MJ_POWER]
Process: System Address: 0x8225a1f8 Size: 121

Object: Hidden Code [Driver: Mouc, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8225a1f8 Size: 121

Object: Hidden Code [Driver: Mouc, IRP_MJ_PNP]
Process: System Address: 0x8225a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x823a21f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x823191f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x823191f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823191f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823191f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x823191f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823191f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x823191f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x825de1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82153500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x82153500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82153500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82153500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x82153500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x82153500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x823a61f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x823a61f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823a61f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823a61f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x823a61f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823a61f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x823a61f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x82121500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_CREATE]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_CLOSE]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_READ]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_CLEANUP]
Process: System Address: 0x82236500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ扏济SmApiPortem, IRP_MJ_PNP]
Process: System Address: 0x82236500 Size: 121

==EOF==

Good luck finding the problem(s)! Thanks in advance!

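Reading a RootRepeal report by hand comes down to grouping its SSDT entries by who hooked them. As an added example (not code from the thread or from RootRepeal), the Python script below parses the "SSDT" and "Processes" sections of such a report, groups the hooks by the module RootRepeal attributed them to, and measures how tightly each module's hook addresses cluster. The embedded report is a constructed excerpt of the lines posted above (six of the sixteen hooked entries plus the hidden-process entry); the parsing rules and the shape of the triage output are my own assumptions about the report layout.

```python
import re
from collections import defaultdict

# Constructed excerpt of the RootRepeal report posted above: a subset of its
# lines, copied verbatim (the full report lists 16 hooked SSDT entries).
SAMPLE_REPORT = """\
Processes
-------------------
Path: C:\\WINDOWS\\system32\\avgvsm.exe
PID: 1424 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8c71026

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8c7101c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spra.sys" at address 0xf8483ca4

#: 119 Function Name: NtOpenKey
Status: Hooked by "spra.sys" at address 0xf84650c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8c71008

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8c71017

Stealth Objects
-------------------
"""

# One SSDT entry spans two report lines: the index/function line and the Status line.
SSDT_ENTRY = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s+'
    r'Status:\s*Hooked by "(?P<module>[^"]+)" at address 0x(?P<addr>[0-9a-fA-F]+)'
)
# A process RootRepeal found in kernel structures but not through the Win32 API.
HIDDEN_PROC = re.compile(
    r'Path:\s*(?P<path>[^\n]+)\nPID:\s*(?P<pid>\d+)\s+Status:\s*Hidden from the Windows API!'
)


def parse_ssdt_hooks(report):
    """Every hooked SSDT entry as (index, function, module, address)."""
    return [(int(m['index']), m['func'], m['module'], int(m['addr'], 16))
            for m in SSDT_ENTRY.finditer(report)]


def parse_hidden_processes(report):
    """Every process present in the kernel view but absent from the API view."""
    return [(m['path'].strip(), int(m['pid'])) for m in HIDDEN_PROC.finditer(report)]


def hooks_by_module(hooks):
    """Group hooks by the module RootRepeal attributed them to.

    Besides the function names, report the byte span between each module's
    lowest and highest hook address.  Hook targets a few dozen bytes apart are
    adjacent trampoline stubs inside one driver image, so hooks sharing a tight
    span come from one component even when RootRepeal could not name it.
    """
    grouped = defaultdict(list)
    for _, func, module, addr in hooks:
        grouped[module].append((func, addr))
    summary = {}
    for module, entries in grouped.items():
        addrs = [addr for _, addr in entries]
        summary[module] = {
            'functions': sorted(func for func, _ in entries),
            'lowest': min(addrs),
            'span_bytes': max(addrs) - min(addrs),
        }
    return summary


def triage(report):
    """The findings an analyst pulls from the report before asking follow-up questions."""
    hooks = parse_ssdt_hooks(report)
    modules = hooks_by_module(hooks)
    return {
        'hooked_functions': len(hooks),
        'modules': modules,
        # Hooks on process/registry calls with no owning module are the
        # follow-up item: identify the driver that owns that address range
        # before deciding whether the hooks are protective or hostile.
        'unattributed_hooks': modules.get('<unknown>', {}).get('functions', []),
        'hidden_processes': parse_hidden_processes(report),
    }


if __name__ == '__main__':
    result = triage(SAMPLE_REPORT)
    for module, info in result['modules'].items():
        print(f"{module}: {len(info['functions'])} hooks, "
              f"stubs from 0x{info['lowest']:08x} spanning {info['span_bytes']} bytes")
    for path, pid in result['hidden_processes']:
        print(f"hidden process: {path} (PID {pid})")
```

Run over the full report above, the eleven hooks attributed to "<unknown>" all land between 0xf8c71008 and 0xf8c71044, within 60 bytes of one driver, so they are one component (hooks on NtOpenProcess, NtTerminateProcess and the registry-write calls are the usual shape of an antivirus self-protection driver, but the report alone cannot confirm that), whereas the spra.sys hooks sit on the registry-enumeration calls only, the pattern of the SPTD driver the report also lists as \Driver\sptd. RootRepeal can name the owner of a hook only when it can see the driver image, so an unattributed range is a question to answer, not a verdict. The hidden-process entry is the other follow-up: a process in kernel structures but missing from the API view is either one caught mid-exit or one actively hiding, and the report does not distinguish the two.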
LDTate
post Sep 13 2009, 06:53 AM
Post #5


Forum God
Group: Root Admin
Posts: 48,343
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276
MVP

Will Malwarebytes run now?

If not, rename MBAM.exe to MBAM.com

KTB
post Sep 13 2009, 06:57 AM
Post #6

Yes, mbam.com is running now. Running a complete system scan. Thanks! (Let's just hope it's going to find something.)

LDTate
post Sep 13 2009, 06:58 AM
Post #7

QUOTE (KTB @ Sep 13 2009, 07:57 AM)
Yes, mbam.com is running now. Running a complete system scan. Thanks! (Let's just hope it's going to find something.)
Great

KTB
post Sep 13 2009, 07:52 AM
Post #8

Seems like everything is fixed now! Thanks a lot again! Great job!

LDTate
post Sep 13 2009, 08:00 AM
Post #9

Please post the scan results so I can see if anything is left over or if we need to go further.

Stay with this topic until I give you the all clean post.

KTB
post Sep 13 2009, 08:09 AM
Post #10

Here it is. I hope it doesn't matter that it is in German.

Malwarebytes' Anti-Malware 1.40
Database version: 2691
Windows 5.1.2600 Service Pack 3

13.09.2009 15:39:18
mbam-log-2009-09-13 (15-39-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140788
Time elapsed: 42 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (SuspectAutorun.Rootdrive.H) -> No action taken.
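The rename tip in post #5 (MBAM.exe to MBAM.com) and the Security.Hijack hit on the Image File Execution Options key for ctfmon.exe in the log above are two sides of the same mechanism. A Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name> makes Windows start that value in place of the named image whenever the image is launched, and the lookup is keyed on the file name alone, so a copy of the same program under another name is not redirected. As an added example, not from the thread or from Malwarebytes, the Python below audits such entries: on Windows it reads them from the live registry, elsewhere it runs over a constructed snapshot. The snapshot, the placeholder target path and the set of debuggers treated as legitimate are assumptions for illustration; the log does not say what the ctfmon.exe entry pointed at.

```python
import ntpath
import sys

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Programs that legitimately appear as an IFEO Debugger value.  Assumption for
# this example: tune it to what is actually deployed on the host being checked.
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "vsjitdebugger.exe"}

# Constructed snapshot (image name -> Debugger value) mirroring the finding in
# the log.  The thread does not say what the ctfmon.exe entry pointed at, so
# the target path is a placeholder, not a real artifact.
SAMPLE_SNAPSHOT = {
    "ctfmon.exe": r"C:\WINDOWS\system32\hijack_placeholder.exe",
    "mbam.exe": r"C:\WINDOWS\system32\hijack_placeholder.exe",
    "notepad.exe": r'"C:\Program Files\Debugging Tools\windbg.exe" -g',
}


def read_ifeo_snapshot():
    """Collect {image_name: Debugger value} from the live registry (Windows only)."""
    if not sys.platform.startswith("win"):
        raise OSError("reading the live IFEO key requires Windows")
    import winreg  # imported lazily so the rest of the module works elsewhere
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    snapshot[name] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:
                pass  # a subkey without a Debugger value redirects nothing
    return snapshot


def executable_of(debugger_value):
    """File name of the program a Debugger value launches (first token, quotes honoured)."""
    value = debugger_value.strip()
    if value.startswith('"'):
        value = value[1:].split('"', 1)[0]
    else:
        value = value.split()[0] if value else ""
    return ntpath.basename(value).lower()


def classify_debugger(debugger_value):
    """'ok' when the value launches a recognised debugger, otherwise 'hijack'."""
    return "ok" if executable_of(debugger_value) in KNOWN_DEBUGGERS else "hijack"


def find_hijacks(snapshot):
    """Entries whose Debugger value redirects the image to an unrecognised program."""
    return {image: dbg for image, dbg in snapshot.items()
            if classify_debugger(dbg) == "hijack"}


def is_hijacked(file_name, snapshot):
    """Would starting a file with this name be redirected?  Keyed on the name only."""
    return file_name.lower() in {image.lower() for image in find_hijacks(snapshot)}


if __name__ == "__main__":
    snap = read_ifeo_snapshot() if sys.platform.startswith("win") else SAMPLE_SNAPSHOT
    for image, debugger in find_hijacks(snap).items():
        print(f"IFEO redirect: {image} -> {debugger}")
    print("mbam.exe redirected:", is_hijacked("mbam.exe", snap),
          "| mbam.com redirected:", is_hijacked("mbam.com", snap))
```

Two caveats when using this on a real box: on 64-bit Windows the 32-bit view of the key lives under Wow6432Node and needs a second pass, and a Debugger value pointing at a recognised debugger name in an unexpected directory still deserves a look, since the check above matches on the file name only.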
LDTate
post Sep 13 2009, 08:10 AM
Post #11



QUOTE
No action taken.
Did you select to remove them?

KTB
post Sep 13 2009, 08:11 AM
Post #12

Yes, they've been successfully removed.

LDTate
post Sep 13 2009, 08:12 AM
Post #13

I take it that everything is working correctly then.

To be on the safe side, I would also change all my passwords.

Here's my usual all clean post.

Log looks good.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab.
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt.
    6. Change the Download unsigned ActiveX controls to Disable.
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable.
    8. Change the Installation of desktop items to Prompt.
    9. Change the Launching programs and files in an IFRAME to Prompt.
    10. Change the Navigate sub-frames across different domains to Prompt.
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would suggest you read How to Prevent Malware:

LDTate
post Sep 16 2009, 02:26 PM
Post #14

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
