
Computer infected with "trojan.dropper.bcminer"



Hello,

I can't get rid of a trojan that Malwarebytes identifies as "trojan.dropper.bcminer"; it keeps coming back. I've read it's very dangerous and I need your help, please! Thank you very much in advance!

My 2 DDS logfiles are:

dds.txt:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31

Run by Mats at 15:40:25 on 2012-07-20

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.43.1031.18.4095.2423 [GMT 2:00]

.

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe

C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe

C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\vsnpstd3.exe

C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Windows\SysWOW64\CtHelper.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\SysWOW64\ctfmon.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.babylon.com/?AF=109989&babsrc=HP_ss&mntrId=80db860f00000000000000252254169c

uInternet Settings,ProxyServer = socks=127.0.0.1:18079

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

BHO: Windows Live ID-Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL

mRun: [CTHelper] CTHELPER.EXE

mRun: [<NO NAME>]

mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: An vorhandene PDF-Datei anfügen - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: In Adobe PDF konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: Linkziel an vorhandene PDF-Datei anhängen - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Linkziel in Adobe PDF konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Nach Microsoft E&xcel exportieren - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{68093085-2855-471A-8FE0-DCF7B3D3B2EF} : DhcpNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll

Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}

BHO-X64: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - No File

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}

{9030D464-4C02-4ABF-8ECC-5164760863C6}

{AE7CD045-E861-484f-8273-0445EE161910}

{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

{B4F3A835-0E21-4959-BA22-42B3008E02FF}

{DBC80044-A445-435b-BC74-9C25C1C588A9}

{F4971EE7-DAA0-4053-9964-665D8EE6A077}

{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}

{47833539-D0C5-4125-9FA8-0819E2EAAC93}

{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}

mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun-x64: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL

mRun-x64: [CTHelper] CTHELPER.EXE

mRun-x64: [(Standard)]

mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Mats\AppData\Roaming\Mozilla\Firefox\Profiles\jukgosb3.default\

FF - prefs.js: browser.startup.homepage - hxxp://de.mg4.mail.yahoo.com/neo/launch?.rand=fbjcn5a0r5bu8

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll

FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll

FF - plugin: C:\Users\Mats\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]

R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-3-5 53888]

R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]

R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]

R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-7-9 44808]

R2 hshld;Hotspot Shield Service;C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-1-17 331608]

R2 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS --> C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [?]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-13 655944]

R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]

R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]

R3 COMMONFX.SYS;COMMONFX.SYS;C:\Windows\system32\drivers\COMMONFX.SYS --> C:\Windows\system32\drivers\COMMONFX.SYS [?]

R3 CTAUDFX.SYS;CTAUDFX.SYS;C:\Windows\system32\drivers\CTAUDFX.SYS --> C:\Windows\system32\drivers\CTAUDFX.SYS [?]

R3 CTSBLFX.SYS;CTSBLFX.SYS;C:\Windows\system32\drivers\CTSBLFX.SYS --> C:\Windows\system32\drivers\CTSBLFX.SYS [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]

R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]

S2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-6-11 361984]

S2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-3-5 53888]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update-Dienst (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-3-16 136176]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-4-5 158856]

S3 COMMONFX;COMMONFX;C:\Windows\system32\drivers\COMMONFX.SYS --> C:\Windows\system32\drivers\COMMONFX.SYS [?]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-2-28 79360]

S3 CTAUDFX;CTAUDFX;C:\Windows\system32\drivers\CTAUDFX.SYS --> C:\Windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\Windows\system32\drivers\CTERFXFX.SYS --> C:\Windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTERFXFX;CTERFXFX;C:\Windows\system32\drivers\CTERFXFX.SYS --> C:\Windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTSBLFX;CTSBLFX;C:\Windows\system32\drivers\CTSBLFX.SYS --> C:\Windows\system32\drivers\CTSBLFX.SYS [?]

S3 gupdatem;Google Update-Dienst (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-3-16 136176]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-7-10 113120]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]

S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows-Aktivierungstechnologieservice;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2012-07-18 18:37:27 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-07-17 20:27:16 -------- d-----w- C:\Program Files (x86)\Emsisoft HiJackFree

2012-07-17 20:02:12 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%

2012-07-09 15:46:21 -------- d-----w- C:\Users\Mats\AppData\Roaming\Diercke Globus Online

2012-07-09 15:46:04 947517 ----a-w- C:\Windows\Diercke Globus Online Uninstaller.exe

2012-07-09 15:46:04 -------- d-----w- C:\Program Files (x86)\ImagonShared

2012-07-09 15:46:04 -------- d-----w- C:\Program Files (x86)\Diercke Globus Online

2012-07-09 15:39:22 -------- d-----w- C:\Program Files (x86)\AMD APP

2012-07-09 09:44:53 -------- d-----w- C:\Users\Mats\AppData\Roaming\Malwarebytes

2012-07-09 01:14:59 -------- d-----w- C:\ProgramData\Malwarebytes

2012-07-09 01:14:58 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-07-09 01:14:58 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-07-08 17:55:08 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys

2012-07-08 17:54:57 958400 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2012-07-08 17:54:53 71064 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2012-07-08 17:54:39 41224 ----a-w- C:\Windows\avastSS.scr

2012-07-08 17:54:31 -------- d-----w- C:\ProgramData\AVAST Software

2012-07-08 17:54:31 -------- d-----w- C:\Program Files\AVAST Software

2012-07-08 10:01:22 -------- d-----w- C:\Users\Mats\AppData\Roaming\Logef

2012-07-05 21:34:00 -------- d-----w- C:\Users\Mats\dwhelper

2012-06-23 13:41:50 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-23 13:41:26 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-23 13:41:10 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-23 13:41:10 186752 ----a-w- C:\Windows\System32\wuwebv.dll

.

==================== Find3M ====================

.

2012-07-18 18:37:27 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-11 18:59:38 10248192 ----a-w- C:\Windows\System32\drivers\atikmdag.sys

2012-06-11 18:35:48 70144 ----a-w- C:\Windows\System32\coinst_8.98.dll

2012-06-11 18:29:34 24826368 ----a-w- C:\Windows\System32\atio6axx.dll

2012-06-11 18:00:32 20467712 ----a-w- C:\Windows\SysWow64\atioglxx.dll

2012-06-11 17:25:06 163840 ----a-w- C:\Windows\System32\atiapfxx.exe

2012-06-11 17:24:58 924160 ----a-w- C:\Windows\SysWow64\aticfx32.dll

2012-06-11 17:23:12 1090560 ----a-w- C:\Windows\System32\aticfx64.dll

2012-06-11 17:20:02 442368 ----a-w- C:\Windows\System32\ATIDEMGX.dll

2012-06-11 17:19:58 532992 ----a-w- C:\Windows\System32\atieclxx.exe

2012-06-11 17:19:14 239616 ----a-w- C:\Windows\System32\atiesrxx.exe

2012-06-11 17:17:56 120320 ----a-w- C:\Windows\System32\atitmm64.dll

2012-06-11 17:17:42 21504 ----a-w- C:\Windows\System32\atimuixx.dll

2012-06-11 17:17:38 59392 ----a-w- C:\Windows\System32\atiedu64.dll

2012-06-11 17:17:32 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll

2012-06-11 17:16:48 6301696 ----a-w- C:\Windows\SysWow64\atidxx32.dll

2012-06-11 17:01:56 6914560 ----a-w- C:\Windows\System32\atidxx64.dll

2012-06-11 16:51:54 4246528 ----a-w- C:\Windows\System32\atiumd6a.dll

2012-06-11 16:45:48 51200 ----a-w- C:\Windows\System32\aticalrt64.dll

2012-06-11 16:45:46 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll

2012-06-11 16:45:44 5480448 ----a-w- C:\Windows\SysWow64\atiumdag.dll

2012-06-11 16:45:40 44544 ----a-w- C:\Windows\System32\aticalcl64.dll

2012-06-11 16:45:38 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll

2012-06-11 16:45:26 15703040 ----a-w- C:\Windows\System32\aticaldd64.dll

2012-06-11 16:43:18 4729344 ----a-w- C:\Windows\SysWow64\atiumdva.dll

2012-06-11 16:40:58 13277696 ----a-w- C:\Windows\SysWow64\aticaldd.dll

2012-06-11 16:36:56 6605824 ----a-w- C:\Windows\System32\atiumd64.dll

2012-06-11 16:27:02 539136 ----a-w- C:\Windows\System32\atiadlxx.dll

2012-06-11 16:26:52 368640 ----a-w- C:\Windows\SysWow64\atiadlxy.dll

2012-06-11 16:26:40 17920 ----a-w- C:\Windows\System32\atig6pxx.dll

2012-06-11 16:26:36 14848 ----a-w- C:\Windows\SysWow64\atiglpxx.dll

2012-06-11 16:26:36 14848 ----a-w- C:\Windows\System32\atiglpxx.dll

2012-06-11 16:26:30 41984 ----a-w- C:\Windows\System32\atig6txx.dll

2012-06-11 16:26:22 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll

2012-06-11 16:26:14 367616 ----a-w- C:\Windows\System32\drivers\atikmpag.sys

2012-06-11 16:25:20 54784 ----a-w- C:\Windows\System32\atiuxp64.dll

2012-06-11 16:25:12 42496 ----a-w- C:\Windows\SysWow64\atiuxpag.dll

2012-06-11 16:25:06 45056 ----a-w- C:\Windows\System32\atiu9p64.dll

2012-06-11 16:24:58 32768 ----a-w- C:\Windows\SysWow64\atiu9pag.dll

2012-06-11 16:24:24 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll

2012-06-11 16:23:18 56320 ----a-w- C:\Windows\System32\atimpc64.dll

2012-06-11 16:23:18 56320 ----a-w- C:\Windows\System32\amdpcom64.dll

2012-06-11 16:23:10 56832 ----a-w- C:\Windows\SysWow64\atimpc32.dll

2012-06-11 16:23:10 56832 ----a-w- C:\Windows\SysWow64\amdpcom32.dll

2012-06-11 11:50:46 187392 ----a-w- C:\Windows\System32\clinfo.exe

2012-06-11 11:50:30 75264 ----a-w- C:\Windows\System32\OpenVideo64.dll

2012-06-11 11:50:24 65024 ----a-w- C:\Windows\SysWow64\OpenVideo.dll

2012-06-11 11:50:18 63488 ----a-w- C:\Windows\System32\OVDecode64.dll

2012-06-11 11:50:14 56320 ----a-w- C:\Windows\SysWow64\OVDecode.dll

2012-06-11 11:50:06 16457728 ----a-w- C:\Windows\System32\amdocl64.dll

2012-06-11 11:49:22 13008896 ----a-w- C:\Windows\SysWow64\amdocl.dll

2012-05-18 10:25:38 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll

.

============= FINISH: 15:40:56,21 ===============

Attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 28.02.2012 12:59:56

System Uptime: 20.07.2012 13:37:39 (2 hours ago)

.

Motherboard: ASRock | | 870 Extreme3

Processor: AMD Phenom II X4 955 Processor | CPUSocket | 800/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 63 GiB total, 15,75 GiB free.

D: is FIXED (NTFS) - 149 GiB total, 59,96 GiB free.

E: is FIXED (NTFS) - 1334 GiB total, 171,263 GiB free.

F: is CDROM ()

G: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}

Description: Creative Game Port

Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\4&2B4059EA&0&31A4

Manufacturer: Creative

Name: Creative Game Port

PNP Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\4&2B4059EA&0&31A4

Service:

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: AODDriver4.1

Device ID: ROOT\LEGACY_AODDRIVER4.1\0000

Manufacturer:

Name: AODDriver4.1

PNP Device ID: ROOT\LEGACY_AODDRIVER4.1\0000

Service: AODDriver4.1

.

==== System Restore Points ===================

.

RP108: 18.07.2012 23:00:11 - Geplanter Prüfpunkt

.

==== Installed Programs ======================

.

Adobe Acrobat X Pro - English, Français, Deutsch

Adobe AIR

Adobe Audition 2.0

Adobe Bridge 1.0

Adobe Common File Installer

Adobe Community Help

Adobe Creative Suite 5 Master Collection

Adobe Flash Player 11 ActiveX

Adobe Help Center 2.0

Adobe Media Player

AMD USB Filter Driver

AMD VISION Engine Control Center

ASRock OC Tuner v2.3.81

µTorrent

avast! Free Antivirus

calibre

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CCleaner

Creative-Audiokonsole

Creative Software AutoUpdate

D3DX10

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Diercke Globus Online

DogFighter_Launcher version 1.0

Drakensang (Patch Version 1.01)

Driver Sweeper 2.1.0

Emsisoft HiJackFree 4.5

Facebook Video Calling 1.2.0.159

FileZilla Client 3.1.1.1

Freemake Video Converter version 1.3.0

Freizeitkarte_Deutschland (Ausgabe 12.02)

Freizeitkarte_Oesterreich (Ausgabe 12.02)

Garmin MapSource

Garmin Training Center 3.4.3

Garmin USB Drivers

GmapTool 0.5.2

Google Chrome

Google Earth

Google Update Helper

GSAK 8.1.0.10 (Final)

High-Definition Video Playback 10

Hotspot Shield 2.25

IrfanView (remove only)

Java Auto Updater

Java 6 Update 31

JDownloader 0.9

Junk Mail filter update

Malwarebytes Anti-Malware Version 1.62.0.1300

Microsoft Games for Windows - LIVE Redistributable

Microsoft Games for Windows Marketplace

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (German) 2010

Microsoft Office Excel MUI (German) 2010

Microsoft Office Groove MUI (German) 2010

Microsoft Office InfoPath MUI (German) 2010

Microsoft Office OneNote MUI (German) 2010

Microsoft Office Outlook MUI (German) 2010

Microsoft Office PowerPoint MUI (German) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (German) 2010

Microsoft Office Proof (Italian) 2010

Microsoft Office Proofing (German) 2010

Microsoft Office Publisher MUI (German) 2010

Microsoft Office Shared MUI (German) 2010

Microsoft Office Word MUI (German) 2010

Microsoft Primary Interoperability Assemblies 2005

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft XNA Framework Redistributable 3.1

Microsoft_VC80_ATL_x86

Microsoft_VC80_CRT_x86

Microsoft_VC80_MFC_x86

Microsoft_VC80_MFCLOC_x86

Microsoft_VC90_ATL_x86

Microsoft_VC90_CRT_x86

Microsoft_VC90_MFC_x86

Mobipocket Creator 4.2

Mopsos 1.0.118 28.11.2011

Mozilla Firefox 13.0.1 (x86 de)

Mozilla Maintenance Service

Mp3tag v2.49

MSVC80_x86_v2

MSVCRT

MSVCRT_amd64

NBA 2K12

NEC Electronics USB 3.0 Host Controller Driver

Nero 10 Menu TemplatePack Basic

Nero 10 Movie ThemePack Basic

Nero BackItUp 10 Help (CHM)

Nero Burning ROM 10

Nero BurningROM 10 Help (CHM)

Nero BurnRights 10 Help (CHM)

Nero Control Center 10

Nero ControlCenter 10 Help (CHM)

Nero Core Components 10

Nero CoverDesigner 10 Help (CHM)

Nero DiscSpeed 10

Nero DiscSpeed 10 Help (CHM)

Nero Dolby Files 10

Nero Express 10 Help (CHM)

Nero InfoTool 10

Nero InfoTool 10 Help (CHM)

Nero MediaHub 10 Help (CHM)

Nero Multimedia Suite 10

Nero Recode 10

Nero Recode 10 Help (CHM)

Nero RescueAgent 10

Nero RescueAgent 10 Help (CHM)

Nero SoundTrax 10 Help (CHM)

Nero StartSmart 10 Help (CHM)

Nero Vision 10

Nero Vision 10 Help (CHM)

Nero WaveEditor 10 Help (CHM)

Nokia Connectivity Cable Driver

Nokia PC Suite

NVIDIA PhysX

OpenAL

PC Connectivity Solution

PDF Settings CS5

RCH65 Spoiler Downloader

Realtek Ethernet Controller Driver For Windows 7

RRK Turkey

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)

Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition

Skype Click to Call

Skype™ 5.9

SopCast 3.5.0

SoulSeek 157 NS 13e

Spotify

StreamTorrent 1.0

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Veetle TV

VLC media player 2.0.1

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Messenger

Windows Live Photo Common

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Media Player Firefox Plugin

.

==== End Of File ===========================

Thank you!!


Welcome to the forum.

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against our policy:

http://forums.malwar...showtopic=97700

---------------------------------------

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC


Hello MrCharlie,

Thanks so much for your help! I've removed uTorrent and performed the FRST scans; see the txt files below:

frst.txt:

Scan result of Farbar Recovery Scan Tool Version: 20-07-2012

Ran by SYSTEM at 20-07-2012 16:02:44

Running from I:\

Windows 7 Ultimate (X64) OS Language: German Standard

The current controlset is ControlSet001

ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.

========================== Registry (Whitelisted) =============

HKLM\...\Run: [CTHelper] CTHELPER.EXE [x]

HKLM-x32\...\Winlogon: [userinit] [x]

HKLM-x32\...\Winlogon: [shell] [x ] ()

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ======

3 Creative Audio Engine Licensing Service; "C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe" [79360 2010-08-27] (Creative Labs)

2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [286720 2010-02-12] (Creative Technology Ltd)

3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [42856 2009-06-10] (Microsoft Corporation)

3 idsvc; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [878416 2009-06-10] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

3 b06bdrv; C:\Windows\system32\DRIVERS\bxvbdx.sys [430080 2009-07-13] (Broadcom Corporation)

3 b57nd60x; C:\Windows\System32\Drivers\b57nd60x.sys [229888 2009-07-13] (Broadcom Corporation)

3 CTAUDFX.SYS; C:\Windows\System32\drivers\CTAUDFX.SYS [555096 2010-03-18] (Creative Technology Ltd)

3 ctdvda2k; C:\Windows\System32\Drivers\ctdvda2k.sys [347144 2010-03-18] (Creative Technology Ltd)

3 E1G60; C:\Windows\System32\DRIVERS\E1G60I32.sys [118784 2009-07-13] (Intel Corporation)

3 ebdrv; C:\Windows\system32\DRIVERS\evbdx.sys [3100160 2009-07-13] (Broadcom Corporation)

3 RTL8167; C:\Windows\System32\DRIVERS\Rt86win7.sys [277536 2010-03-04] (Realtek )

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-09 03:05 - 2012-07-09 03:13 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0

============ 3 Months Modified Files ========================

========================= Known DLLs (Whitelisted) ============

C:\Windows\SysWOW64\clbcatq.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\ole32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\advapi32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\COMDLG32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\gdi32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\IERTUTIL.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\IMAGEHLP.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\IMM32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\MSCTF.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\MSVCRT.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\NORMALIZ.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\NSI.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\OLEAUT32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\PSAPI.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\rpcrt4.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\sechost.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\Setupapi.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\SHELL32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\SHLWAPI.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\URLMON.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\user32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\USP10.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\WININET.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\WLDAP32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\WS2_32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\DifxApi.dll IS MISSING <==== ATTENTION!

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe

[2009-07-14 00:37] - [2009-07-14 02:14] - 0285696 ____A (Microsoft Corporation) 8EC6A4AB12B8F3759E21F8E3A388F2CF

C:\Windows\System32\wininit.exe

[2009-07-14 00:36] - [2009-07-14 02:14] - 0096256 ____A (Microsoft Corporation) B5C5DCAD3899512020D135600129D665

C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\explorer.exe

[2009-07-14 00:41] - [2009-07-14 02:14] - 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F

C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\svchost.exe

[2009-07-14 00:19] - [2009-07-14 02:14] - 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866

C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\services.exe

[2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\User32.dll

[2009-07-14 00:24] - [2009-07-14 02:16] - 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861

C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.

C:\Windows\System32\userinit.exe

[2009-07-14 00:34] - [2009-07-14 02:14] - 0026112 ____A (Microsoft Corporation) 6DE80F60D7DE9CE6B8C2DDFDF79EF175

C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\Drivers\volsnap.sys

[2009-07-14 00:11] - [2009-07-14 02:19] - 0245328 ____A (Microsoft Corporation) 58DF9D2481A56EDDE167E51B334D44FD

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%

Total physical RAM: 4095.24 MB

Available physical RAM: 3528.39 MB

Total Pagefile: 4093.39 MB

Available Pagefile: 3510.02 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (Sylvia) (Fixed) (Total:149.04 GB) (Free:59.92 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (Daten) (Fixed) (Total:1333.69 GB) (Free:171.26 GB) NTFS

3 Drive f: () (Fixed) (Total:63.48 GB) (Free:15.77 GB) NTFS

5 Drive h: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

6 Drive i: (DRÖMSTICK) (Removable) (Total:7.47 GB) (Free:4.41 GB) FAT32

7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

8 Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Datenträger ### Status Größe Frei Dyn GPT

--------------- ------------- ------- ------- --- ---

Datenträger 0 Online 1397 GB 0 B

Datenträger 1 Online 149 GB 8 MB

Datenträger 2 Online 7667 MB 0 B

Partitions of Disk 0:

===============

Partition ### Typ Größe Offset

------------- ---------------- ------- -------

Partition 1 Primär 100 MB 1024 KB

Partition 2 Primär 1333 GB 101 MB

Partition 3 Primär 63 GB 1333 GB

==================================================================================

Disk: 0

Partition 1

Typ : 07

Versteckt: Nein

Aktiv : Ja

Volume ### Bst Bezeichnung DS Typ Größe Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 Y NTFS Partition 100 MB Fehlerfre

==================================================================================

Disk: 0

Partition 2

Typ : 07

Versteckt: Nein

Aktiv : Nein

Volume ### Bst Bezeichnung DS Typ Größe Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E Daten NTFS Partition 1333 GB Fehlerfre

==================================================================================

Disk: 0

Partition 3

Typ : 07

Versteckt: Nein

Aktiv : Nein

Volume ### Bst Bezeichnung DS Typ Größe Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 F NTFS Partition 63 GB Fehlerfre

==================================================================================

Partitions of Disk 1:

===============

Partition ### Typ Größe Offset

------------- ---------------- ------- -------

Partition 1 Primär 149 GB 31 KB

==================================================================================

Disk: 1

Partition 1

Typ : 07

Versteckt: Nein

Aktiv : Ja

Volume ### Bst Bezeichnung DS Typ Größe Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 C Sylvia NTFS Partition 149 GB Fehlerfre

==================================================================================

Partitions of Disk 2:

===============

Partition ### Typ Größe Offset

------------- ---------------- ------- -------

Partition 1 Primär 7655 MB 22 KB

==================================================================================

Disk: 2

Partition 1

Typ : 0B

Versteckt: Nein

Aktiv : Nein

Volume ### Bst Bezeichnung DS Typ Größe Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 I DRÖMSTICK FAT32 Wechselmed 7655 MB Fehlerfre

==================================================================================

==========================================================

Last Boot: 2009-10-14 03:08

======================= End Of Log ==========================

search.txt:

Farbar Recovery Scan Tool Version: 20-07-2012

Ran by SYSTEM at 2012-07-20 16:03:55

Running from I:\

================== Search: "services.exe" ===================

C:\Windows.old\Windows\system32\services.exe

[2006-02-28 13:00] - [2009-02-09 11:04] - 0111104 ____A (Microsoft Corporation) 65F6B774819BD727358157CEDEA67B8E

C:\Windows.old\Windows\system32\dllcache\services.exe

[2006-02-28 13:00] - [2009-02-09 11:04] - 0111104 ___AC (Microsoft Corporation) 65F6B774819BD727358157CEDEA67B8E

C:\Windows.old\Windows\SoftwareDistribution\Download\a746b2abbbec3e139e29152ba22decd1\services.exe

[2009-09-21 09:52] - [2008-04-14 03:22] - 0109056 ____A (Microsoft Corporation) 4BB6A83640F1D1792AD21CE767B621C6

C:\Windows.old\Windows\SoftwareDistribution\Download\93e58f5d52bf354542037f044fc8ca09\SP3QFE\services.exe

[2009-09-18 18:49] - [2009-02-09 12:14] - 0111104 ____A (Microsoft Corporation) F0A7D59AF279326528715B206669B86C

C:\Windows.old\Windows\SoftwareDistribution\Download\93e58f5d52bf354542037f044fc8ca09\SP3GDR\services.exe

[2009-09-18 18:49] - [2009-02-09 12:21] - 0111104 ____A (Microsoft Corporation) A3EDBE9053889FB24AB22492472B39DC

C:\Windows.old\Windows\SoftwareDistribution\Download\93e58f5d52bf354542037f044fc8ca09\SP2QFE\services.exe

[2009-09-18 18:49] - [2009-02-09 10:48] - 0111104 ____A (Microsoft Corporation) A07CA23EA361A01E627D911CF139B950

C:\Windows.old\Windows\SoftwareDistribution\Download\93e58f5d52bf354542037f044fc8ca09\SP2GDR\services.exe

[2009-09-18 18:49] - [2009-02-09 11:04] - 0111104 ____A (Microsoft Corporation) 65F6B774819BD727358157CEDEA67B8E

C:\Windows.old\Windows\$NtUninstallKB956572$\services.exe

[2009-09-18 19:05] - [2006-02-28 13:00] - 0108544 ___AC (Microsoft Corporation) EDB6B81761BD60F32F740BBC40AFB676

C:\Windows.old\Windows\$hf_mig$\KB956572\SP3QFE\services.exe

[2009-09-18 18:49] - [2009-02-09 12:14] - 0111104 ____A (Microsoft Corporation) F0A7D59AF279326528715B206669B86C

C:\Windows.old\Windows\$hf_mig$\KB956572\SP3GDR\services.exe

[2009-09-18 18:49] - [2009-02-09 12:21] - 0111104 ____A (Microsoft Corporation) A3EDBE9053889FB24AB22492472B39DC

C:\Windows.old\Windows\$hf_mig$\KB956572\SP2QFE\services.exe

[2009-09-18 18:49] - [2009-02-09 10:48] - 0111104 ____A (Microsoft Corporation) A07CA23EA361A01E627D911CF139B950

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

[2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe

[2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

====== End Of Search ======

thanks,

mats_mats


That didn't come out right:

ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.

Please do this............

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Here it is:

RogueKiller V7.6.4 [07/17/2012] durch Tigzy

mail: tigzyRK<at>gmail<dot>com

Kommentare: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Gestartet in: Normal Modus

Benutzer: Mats [Admin Rechte]

Funktion: Scannen --Datum: 07/20/2012 16:19:29

¤¤¤ Böswillige Prozesse: 0 ¤¤¤

¤¤¤ Registry-Einträge: 6 ¤¤¤

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (socks=127.0.0.1:18079) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Mats\AppData\Local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\n.) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

¤¤¤ Treiber: [NICHT GELADEN] ¤¤¤

¤¤¤ Infektion : ZeroAccess ¤¤¤

¤¤¤ Hosts-Datei: ¤¤¤

127.0.0.1 activate.adobe.com

127.0.0.1 practivate.adobe.com

127.0.0.1 ereg.adobe.com

127.0.0.1 activate.wip3.adobe.com

127.0.0.1 wip3.adobe.com

127.0.0.1 3dns-3.adobe.com

127.0.0.1 3dns-2.adobe.com

127.0.0.1 adobe-dns.adobe.com

127.0.0.1 adobe-dns-2.adobe.com

127.0.0.1 adobe-dns-3.adobe.com

127.0.0.1 ereg.wip3.adobe.com

127.0.0.1 activate-sea.adobe.com

127.0.0.1 wwis-dubc1-vip60.adobe.com

127.0.0.1 activate-sjc0.adobe.com

127.0.0.1 wwis-dubc1-vip60.adobe.com

¤¤¤ MBR überprüfen: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600JS-00NCB1 ATA Device +++++

--- User ---

[MBR] 58c1a8f8433f520a8a4d855f14438bfd

[bSP] a40b8b8d6cdfdb474db9450c36998549 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD15EARS-00Z5B1 ATA Device +++++

--- User ---

[MBR] 56f446c62a3c061226af88fd42e53253

[bSP] f62e031a7367a40b71e431e379ca7c46 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 1365698 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2797156352 | Size: 64999 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Abgeschlossen : << RKreport[1].txt >>

RKreport[1].txt


OK...............

OK, run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest:

¤¤¤ Registry-Einträge: 6 ¤¤¤

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (socks=127.0.0.1:18079) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Mats\AppData\Local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\n.) -> FOUND

Now click Delete on the right hand column under Options

Repeat the process for these

Click on the ¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤ > put a check next to these and uncheck the rest

¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

Now click Delete on the right hand column under Options

-------------------------------

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


I couldn't find "[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (socks=127.0.0.1:18079) -> FOUND" in the registry tab, so I looked at the other tabs and found it in the proxy tab. I tried to delete it there, but it wasn't possible. Then I saw that I accidentally deleted ALL the entries in the registry tab,..... :(( so now it's empty... also after a restart and a new scan, it stays empty. Now the rkreport looks like this:

RogueKiller V7.6.4 [07/17/2012] durch Tigzy

mail: tigzyRK<at>gmail<dot>com

Kommentare: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Gestartet in: Normal Modus

Benutzer: Mats [Admin Rechte]

Funktion: Scannen --Datum: 07/20/2012 16:39:31

¤¤¤ Böswillige Prozesse: 0 ¤¤¤

¤¤¤ Registry-Einträge: 1 ¤¤¤

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (socks=127.0.0.1:18079) -> FOUND

¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\L --> FOUND

[ZeroAccess][FOLDER] @ : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

¤¤¤ Treiber: [NICHT GELADEN] ¤¤¤

¤¤¤ Infektion : ZeroAccess ¤¤¤

¤¤¤ Hosts-Datei: ¤¤¤

127.0.0.1 activate.adobe.com

127.0.0.1 practivate.adobe.com

127.0.0.1 ereg.adobe.com

127.0.0.1 activate.wip3.adobe.com

127.0.0.1 wip3.adobe.com

127.0.0.1 3dns-3.adobe.com

127.0.0.1 3dns-2.adobe.com

127.0.0.1 adobe-dns.adobe.com

127.0.0.1 adobe-dns-2.adobe.com

127.0.0.1 adobe-dns-3.adobe.com

127.0.0.1 ereg.wip3.adobe.com

127.0.0.1 activate-sea.adobe.com

127.0.0.1 wwis-dubc1-vip60.adobe.com

127.0.0.1 activate-sjc0.adobe.com

127.0.0.1 wwis-dubc1-vip60.adobe.com

¤¤¤ MBR überprüfen: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600JS-00NCB1 ATA Device +++++

--- User ---

[MBR] 58c1a8f8433f520a8a4d855f14438bfd

[bSP] a40b8b8d6cdfdb474db9450c36998549 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD15EARS-00Z5B1 ATA Device +++++

--- User ---

[MBR] 56f446c62a3c061226af88fd42e53253

[bSP] f62e031a7367a40b71e431e379ca7c46 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 1365698 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2797156352 | Size: 64999 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Abgeschlossen : << RKreport[5].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt


That's OK, RogueKiller makes a back-up of whatever was deleted.

You could delete these??

¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\L --> FOUND

[ZeroAccess][FOLDER] @ : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\mats\appdata\local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

Please run ComboFix. MrC


No, I deleted those:

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Mats\AppData\Local\{7821d9a2-fc42-7211-1137-64bc3a86f7f5}\n.) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

The ComboFix log:

ComboFix 12-07-20.02 - Mats 20.07.2012 17:02:13.1.4 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.43.1031.18.4095.2616 [GMT 2:00]

ausgeführt von:: c:\users\Mats\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Neuer Wiederherstellungspunkt wurde erstellt

.

.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\assembly\GAC_32\Desktop.ini

c:\windows\assembly\GAC_64\Desktop.ini

.

Infizierte Kopie von c:\windows\system32\Services.exe wurde gefunden und desinfiziert

Kopie von - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe wurde wiederhergestellt

.

.

((((((((((((((((((((((( Dateien erstellt von 2012-06-20 bis 2012-07-20 ))))))))))))))))))))))))))))))

.

.

2012-07-20 15:07 . 2012-07-20 15:07 -------- d-----w- c:\users\Wildcat\AppData\Local\temp

2012-07-20 15:07 . 2012-07-20 15:07 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-18 18:37 . 2012-07-18 18:37 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-17 20:27 . 2012-07-17 20:27 -------- d-----w- c:\program files (x86)\Emsisoft HiJackFree

2012-07-17 20:02 . 2012-07-17 20:02 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-07-09 15:46 . 2012-07-09 15:46 -------- d-----w- c:\users\Mats\AppData\Roaming\Diercke Globus Online

2012-07-09 15:46 . 2012-07-09 15:46 947517 ----a-w- c:\windows\Diercke Globus Online Uninstaller.exe

2012-07-09 15:46 . 2012-07-09 15:46 -------- d-----w- c:\program files (x86)\ImagonShared

2012-07-09 15:46 . 2012-07-09 15:46 -------- d-----w- c:\program files (x86)\Diercke Globus Online

2012-07-09 15:39 . 2012-07-09 15:39 -------- d-----w- c:\programdata\ATI

2012-07-09 15:39 . 2012-07-09 15:39 -------- d-----w- c:\program files (x86)\AMD APP

2012-07-09 09:44 . 2012-07-09 09:44 -------- d-----w- c:\users\Mats\AppData\Roaming\Malwarebytes

2012-07-09 01:15 . 2012-07-09 01:15 -------- d-----w- c:\users\Wildcat\AppData\Roaming\Malwarebytes

2012-07-09 01:14 . 2012-07-09 01:14 -------- d-----w- c:\programdata\Malwarebytes

2012-07-09 01:14 . 2012-07-13 08:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-07-09 01:14 . 2012-07-03 11:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-08 23:56 . 2012-07-08 23:56 -------- d-----w- c:\users\Wildcat\AppData\Roaming\Nero

2012-07-08 17:55 . 2012-07-08 17:59 -------- d-----w- c:\users\Wildcat\AppData\Local\Google

2012-07-08 17:55 . 2012-07-03 16:21 355856 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-07-08 17:55 . 2012-07-03 16:21 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-07-08 17:55 . 2012-07-03 16:21 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-07-08 17:55 . 2012-07-03 16:21 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-07-08 17:54 . 2012-07-03 16:21 958400 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-07-08 17:54 . 2012-07-03 16:21 71064 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-07-08 17:54 . 2012-07-03 16:21 285328 ----a-w- c:\windows\system32\aswBoot.exe

2012-07-08 17:54 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr

2012-07-08 17:54 . 2012-07-03 16:21 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe

2012-07-08 17:54 . 2012-07-08 17:54 -------- d-----w- c:\programdata\AVAST Software

2012-07-08 17:54 . 2012-07-08 17:54 -------- d-----w- c:\program files\AVAST Software

2012-07-08 10:01 . 2012-07-08 18:27 -------- d-----w- c:\users\Mats\AppData\Roaming\Logef

2012-07-05 21:34 . 2012-07-05 21:34 -------- d-----w- c:\users\Mats\dwhelper

2012-06-27 22:26 . 2012-06-27 22:26 -------- d-----w- c:\program files\Windows Live

2012-06-23 13:41 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-23 13:41 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-23 13:41 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-23 13:41 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-23 13:41 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-23 13:41 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-23 13:41 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-23 13:41 . 2012-06-02 13:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-23 13:41 . 2012-06-02 13:15 36864 ----a-w- c:\windows\system32\wuapp.exe

.

.

.

(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-18 18:37 . 2012-05-05 13:01 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-11 18:59 . 2012-06-11 18:59 10248192 ----a-w- c:\windows\system32\drivers\atikmdag.sys

2012-06-11 18:35 . 2012-06-11 18:35 70144 ----a-w- c:\windows\system32\coinst_8.98.dll

2012-06-11 18:29 . 2012-06-11 18:29 24826368 ----a-w- c:\windows\system32\atio6axx.dll

2012-06-11 18:00 . 2012-06-11 18:00 20467712 ----a-w- c:\windows\SysWow64\atioglxx.dll

2012-06-11 17:25 . 2012-06-11 17:25 163840 ----a-w- c:\windows\system32\atiapfxx.exe

2012-06-11 17:24 . 2011-12-06 03:17 924160 ----a-w- c:\windows\SysWow64\aticfx32.dll

2012-06-11 17:23 . 2011-12-06 03:16 1090560 ----a-w- c:\windows\system32\aticfx64.dll

2012-06-11 17:20 . 2012-06-11 17:20 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll

2012-06-11 17:19 . 2012-06-11 17:19 532992 ----a-w- c:\windows\system32\atieclxx.exe

2012-06-11 17:19 . 2012-06-11 17:19 239616 ----a-w- c:\windows\system32\atiesrxx.exe

2012-06-11 17:17 . 2012-06-11 17:17 120320 ----a-w- c:\windows\system32\atitmm64.dll

2012-06-11 17:17 . 2012-06-11 17:17 21504 ----a-w- c:\windows\system32\atimuixx.dll

2012-06-11 17:17 . 2012-06-11 17:17 59392 ----a-w- c:\windows\system32\atiedu64.dll

2012-06-11 17:17 . 2012-06-11 17:17 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll

2012-06-11 17:16 . 2011-12-06 03:06 6301696 ----a-w- c:\windows\SysWow64\atidxx32.dll

2012-06-11 17:01 . 2011-12-06 02:51 6914560 ----a-w- c:\windows\system32\atidxx64.dll

2012-06-11 16:51 . 2012-06-11 16:51 4246528 ----a-w- c:\windows\system32\atiumd6a.dll

2012-06-11 16:45 . 2012-06-11 16:45 51200 ----a-w- c:\windows\system32\aticalrt64.dll

2012-06-11 16:45 . 2012-06-11 16:45 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll

2012-06-11 16:45 . 2012-06-11 16:45 5480448 ----a-w- c:\windows\SysWow64\atiumdag.dll

2012-06-11 16:45 . 2012-06-11 16:45 44544 ----a-w- c:\windows\system32\aticalcl64.dll

2012-06-11 16:45 . 2012-06-11 16:45 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll

2012-06-11 16:45 . 2012-06-11 16:45 15703040 ----a-w- c:\windows\system32\aticaldd64.dll

2012-06-11 16:43 . 2012-06-11 16:43 4729344 ----a-w- c:\windows\SysWow64\atiumdva.dll

2012-06-11 16:40 . 2012-06-11 16:40 13277696 ----a-w- c:\windows\SysWow64\aticaldd.dll

2012-06-11 16:36 . 2012-06-11 16:36 6605824 ----a-w- c:\windows\system32\atiumd64.dll

2012-06-11 16:27 . 2012-06-11 16:27 539136 ----a-w- c:\windows\system32\atiadlxx.dll

2012-06-11 16:26 . 2012-06-11 16:26 368640 ----a-w- c:\windows\SysWow64\atiadlxy.dll

2012-06-11 16:26 . 2012-06-11 16:26 17920 ----a-w- c:\windows\system32\atig6pxx.dll

2012-06-11 16:26 . 2012-06-11 16:26 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll

2012-06-11 16:26 . 2012-06-11 16:26 14848 ----a-w- c:\windows\system32\atiglpxx.dll

2012-06-11 16:26 . 2012-06-11 16:26 41984 ----a-w- c:\windows\system32\atig6txx.dll

2012-06-11 16:26 . 2012-06-11 16:26 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll

2012-06-11 16:26 . 2012-06-11 16:26 367616 ----a-w- c:\windows\system32\drivers\atikmpag.sys

2012-06-11 16:25 . 2011-12-06 02:11 54784 ----a-w- c:\windows\system32\atiuxp64.dll

2012-06-11 16:25 . 2011-12-06 02:11 42496 ----a-w- c:\windows\SysWow64\atiuxpag.dll

2012-06-11 16:25 . 2012-06-11 16:25 45056 ----a-w- c:\windows\system32\atiu9p64.dll

2012-06-11 16:24 . 2012-02-15 02:12 32768 ----a-w- c:\windows\SysWow64\atiu9pag.dll

2012-06-11 16:24 . 2012-06-11 16:24 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2012-06-11 16:23 . 2012-06-11 16:23 56320 ----a-w- c:\windows\system32\atimpc64.dll

2012-06-11 16:23 . 2012-06-11 16:23 56320 ----a-w- c:\windows\system32\amdpcom64.dll

2012-06-11 16:23 . 2012-06-11 16:23 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll

2012-06-11 16:23 . 2012-06-11 16:23 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll

2012-06-11 11:50 . 2012-06-11 11:50 187392 ----a-w- c:\windows\system32\clinfo.exe

2012-06-11 11:50 . 2012-06-11 11:50 75264 ----a-w- c:\windows\system32\OpenVideo64.dll

2012-06-11 11:50 . 2012-06-11 11:50 65024 ----a-w- c:\windows\SysWow64\OpenVideo.dll

2012-06-11 11:50 . 2012-06-11 11:50 63488 ----a-w- c:\windows\system32\OVDecode64.dll

2012-06-11 11:50 . 2012-06-11 11:50 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll

2012-06-11 11:50 . 2012-06-11 11:50 16457728 ----a-w- c:\windows\system32\amdocl64.dll

2012-06-11 11:49 . 2012-06-11 11:49 13008896 ----a-w- c:\windows\SysWow64\amdocl.dll

2012-05-18 10:25 . 2012-05-18 10:25 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll

.

.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-01-22 106496]

"AsioThk32Reg"="CTASIO.DLL" [2010-03-18 47104]

"CTHelper"="CTHELPER.EXE" [2010-03-18 19456]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-06-11 641704]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-03-05 53888]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update-Dienst (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-16 136176]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-04-05 158856]

R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2010-03-18 158808]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-02-28 79360]

R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2010-03-18 706648]

R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2010-03-18 141912]

R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2010-03-18 141912]

R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2010-03-18 681048]

R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-16 136176]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-14 113120]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]

R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-11 1255736]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2012-02-28 834544]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-06-11 239616]

S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-06-11 361984]

S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-03-05 53888]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-07-03 71064]

S2 hshld;Hotspot Shield Service;c:\program files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-01-17 331608]

S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [2012-01-04 329544]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]

S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-06-11 10248192]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-06-11 367616]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2010-03-18 158808]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2010-03-18 706648]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2010-03-18 681048]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]

S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-01-22 77824]

S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-01-22 180224]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-04 346144]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-12-22 38456]

.

.

--- Andere Dienste/Treiber im Speicher ---

.

*NewlyCreated* - WS2IFSL

.

Inhalt des "geplante Tasks" Ordners

.

2012-07-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3878835867-1666332686-777086807-1000Core.job

- c:\users\Mats\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-14 11:20]

.

2012-07-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3878835867-1666332686-777086807-1000UA.job

- c:\users\Mats\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-14 11:20]

.

2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-16 12:28]

.

2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-16 12:28]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2012-01-04 23:02 287048 ----a-w- c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-07-03 16:21 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x1

.

------- Zusätzlicher Suchlauf -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://search.babylon.com/?AF=109989&babsrc=HP_ss&mntrId=80db860f00000000000000252254169c

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyServer = socks=127.0.0.1:18079

IE: An vorhandene PDF-Datei anfügen - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: In Adobe PDF konvertieren - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Linkziel in Adobe PDF konvertieren - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab

FF - ProfilePath - c:\users\Mats\AppData\Roaming\Mozilla\Firefox\Profiles\jukgosb3.default\

FF - prefs.js: browser.startup.homepage - hxxp://de.mg4.mail.yahoo.com/neo/launch?.rand=fbjcn5a0r5bu8

.

- - - - Entfernte verwaiste Registrierungseinträge - - - -

.

URLSearchHooks-{a060276a-53be-45ec-8ebe-b94b1e803179} - (no file)

BHO-{3706EE7C-3CAD-445D-8A43-03EBC3B75908} - (no file)

.

.

.

--------------------- Gesperrte Registrierungsschluessel ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=hex:51,66,7a,6c,4c,1d,38,12,57,36,90,

43,f7,9e,4b,04,e0,be,4b,59,e7,b4,e8,87

"{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}"=hex:51,66,7a,6c,4c,1d,38,12,3a,25,4d,

8a,1f,e3,d1,0d,d3,3b,92,3f,05,d7,c9,12

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{AE7CD045-E861-484F-8273-0445EE161910}"=hex:51,66,7a,6c,4c,1d,38,12,2b,d3,6f,

aa,53,a6,21,0d,fd,65,47,05,eb,48,5d,04

"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,

aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83

"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{F4971EE7-DAA0-4053-9964-665D8EE6A077}"=hex:51,66,7a,6c,4c,1d,38,12,89,1d,84,

f0,92,94,3d,05,e6,72,25,1d,8b,b8,e4,63

"{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}"=hex:51,66,7a,6c,4c,1d,38,12,3a,a3,f7,

fd,83,a7,ad,0e,fc,b5,35,e1,ab,2d,25,64

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:a9,3b,78,44,66,64,cd,01

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Weitere laufende Prozesse ------------------------

.

c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files (x86)\Hotspot Shield\HssWPR\hsssrv.exe

.

**************************************************************************

.

Zeit der Fertigstellung: 2012-07-20 17:13:33 - PC wurde neu gestartet

ComboFix-quarantined-files.txt 2012-07-20 15:13

.

Vor Suchlauf: 9 Verzeichnis(se), 17.781.465.088 Bytes frei

Nach Suchlauf: 13 Verzeichnis(se), 22.599.274.496 Bytes frei

.

- - End Of File - - E18C72C9057B19F64C24DE11B3497EDB


Malwarebytes Anti-Malware (Test) 1.62.0.1300

www.malwarebytes.org

Datenbank Version: v2012.07.20.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Mats :: MATS-PC [Administrator]

Schutz: Aktiviert

20.07.2012 17:27:12

mbam-log-2012-07-20 (17-27-12).txt

Art des Suchlaufs: Quick-Scan

Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM

Deaktivierte Suchlaufeinstellungen: P2P

Durchsuchte Objekte: 211195

Laufzeit: 3 Minute(n), 29 Sekunde(n)

Infizierte Speicherprozesse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0

(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0

(Keine bösartigen Objekte gefunden)

(Ende)

The computer is running well overall, but I do not have access to my drive E:\ anymore, for example if I want to save files from MS Word! It asks me if I want to save in My Pictures on drive C: instead! I can save anywhere on drive C: but not on E: :( It must have to do with the registry files I deleted... What can I do?


Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, etc.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.