
Pests of all kinds and how to fight them: W32/Patched.UB in services.exe (Win7 32-bit)

13.07.2012, 13:04   #1
fpueck

W32/Patched.UB in services.exe (Win7 32-bit)

Ahoy,

Last night it finally got me too - there's always a first time. I was on a forum site that I don't visit all that often and an adobe-flashplayer-update window informed me of a required update. Normally my alarm bells would ring, but I was tired, the window looked exactly like "the original" (colour scheme, text, etc.), and I clicked "install". A second later I was clear-headed again and uninstalled the entire Flash Player in a panic - but it was already too late.

After the reboot the entire Windows security service is disabled and cannot be enabled manually; the same goes for the firewall. The msert provided by Microsoft will not start, giving the error message "not a valid Win32 file".

Antivir Guard finds the pest named in the title in services.exe.

While browsing your board I have already stumbled over a few isolated problems with this digital nasty and tried to imitate what the affected users were advised to do - if I understood it correctly, though, there is no way around an individual treatment. So a big thank-you in advance to whoever finds the time to delouse me virtually.


Defogger
Defogger was started before the scans.
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 05:37 on 13/07/2012 (fpueck)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-


OTL
Here are the two log files created with OTL:

First the OTL log:
OTL Logfile:
Code:
OTL logfile created on: 13.07.2012 05:41:18 - Run 1
OTL by OldTimer - Version 3.2.54.0     Folder = C:\Users\fpueck\Desktop
 Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,25 Gb Total Physical Memory | 2,43 Gb Available Physical Memory | 74,85% Memory free
6,49 Gb Paging File | 5,58 Gb Available in Paging File | 85,94% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 931,41 Gb Total Space | 508,32 Gb Free Space | 54,58% Space Free | Partition Type: NTFS
 
Computer Name: FPUECK-PC | User Name: fpueck | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.07.13 05:40:01 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\fpueck\Desktop\OTL.exe
PRC - [2012.06.30 06:47:55 | 000,224,096 | ---- | M] () -- C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe
PRC - [2012.05.08 05:12:36 | 000,291,840 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
PRC - [2012.05.08 04:49:26 | 000,393,216 | ---- | M] (AMD) -- C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
PRC - [2011.06.30 22:31:54 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011.04.27 09:07:14 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011.01.28 06:03:32 | 000,270,176 | ---- | M] () -- C:\ProgramData\DatacardService\HWDeviceService.exe
PRC - [2011.01.28 06:03:26 | 000,236,384 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\ProgramData\DatacardService\DCSHelper.exe
PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010.01.14 22:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009.08.24 15:38:06 | 000,068,136 | ---- | M] () -- C:\Program Files\Gigabyte\EasySaver\essvr.exe
PRC - [2009.07.14 03:14:36 | 000,259,072 | ---- | M] () -- C:\Windows\System32\services.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.06.16 23:51:22 | 000,240,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\f2f8201dd3453250dfd9ed1afce630a0\WindowsFormsIntegration.ni.dll
MOD - [2012.06.16 15:41:07 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll
MOD - [2012.06.16 15:40:40 | 014,340,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll
MOD - [2012.06.16 15:40:03 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012.06.16 15:39:44 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012.06.16 15:39:37 | 012,237,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll
MOD - [2012.06.09 04:57:39 | 002,297,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\dfd33f59a5803a3c73cf408362e6e0b7\System.Core.ni.dll
MOD - [2012.06.08 16:49:17 | 000,226,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\ae55e761d480fe15781156d1311a1837\PresentationFramework.Classic.ni.dll
MOD - [2012.06.08 16:48:54 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll
MOD - [2012.06.08 16:48:06 | 000,060,928 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ca2eff60beb3ba00a529a2d42dceca22\UIAutomationProvider.ni.dll
MOD - [2012.06.08 16:47:51 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll
MOD - [2012.06.08 16:47:44 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012.06.08 16:47:39 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012.06.08 16:47:38 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012.06.08 16:47:28 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2012.05.08 05:12:42 | 000,095,232 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
MOD - [2012.05.08 04:57:22 | 000,369,152 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2010.12.17 22:14:37 | 000,139,264 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010.11.13 02:02:22 | 000,434,176 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_de_b77a5c561934e089\System.Windows.Forms.resources.dll
MOD - [2010.11.13 02:02:21 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll
MOD - [2010.11.05 03:59:41 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_de_b77a5c561934e089\System.resources.dll
MOD - [2009.07.14 10:47:20 | 000,249,856 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\PresentationFramework.resources\3.0.0.0_de_31bf3856ad364e35\PresentationFramework.resources.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2012.06.30 06:47:55 | 000,224,096 | ---- | M] () [Auto | Stopped] -- C:\Program Files\T-Mobile\InternetManager_H\UpdateDog\ouc.exe -- (Internet Manager. RunOuc)
SRV - [2012.06.16 15:30:37 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.05.26 21:36:12 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.05.10 21:21:48 | 000,136,616 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2012.05.08 12:06:04 | 000,217,088 | ---- | M] (AMD) [Disabled | Stopped] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2012.05.08 05:12:36 | 000,291,840 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV - [2011.09.02 15:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011.08.30 15:55:54 | 000,160,256 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe -- (ICCS) Intel(R) Integrated Clock Controller Service - Intel(R)
SRV - [2011.06.30 22:31:54 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.06.06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011.04.27 09:07:14 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011.01.28 06:03:32 | 000,270,176 | ---- | M] () [Auto | Running] -- C:\ProgramData\DatacardService\HWDeviceService.exe -- (HWDeviceService.exe)
SRV - [2010.11.11 15:39:34 | 000,128,928 | ---- | M] (Futuremark Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe -- (Futuremark SystemInfo Service)
SRV - [2010.01.19 04:31:26 | 000,072,304 | R--- | M] () [Disabled | Stopped] -- C:\Windows\System32\XSrvSetup.exe -- (JMB36X)
SRV - [2009.08.24 15:38:06 | 000,068,136 | ---- | M] () [Auto | Running] -- C:\Program Files\Gigabyte\EasySaver\essvr.exe -- (ES lite Service)
SRV - [2009.08.18 00:19:24 | 000,093,848 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011\RpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.05.19 14:51:34 | 000,069,632 | ---- | M] (ElcomSoft Co. Ltd.) [Disabled | Stopped] -- C:\Users\fpueck\SystPassw\Proactive System Password Recovery\psprserv.exe -- (PSPRSERV)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleNT.sys -- (EagleNT)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\fpueck\AppData\Local\Temp\ALSysIO.sys -- (ALSysIO)
DRV - [2012.07.13 05:39:01 | 000,017,488 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2012.06.30 06:47:57 | 000,181,760 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_juwwanecm.sys -- (huawei_wwanecm)
DRV - [2012.06.30 06:47:57 | 000,026,624 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_juextctrl.sys -- (huawei_ext_ctrl)
DRV - [2012.06.30 06:47:57 | 000,024,192 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2012.06.30 06:47:57 | 000,011,136 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_usbenumfilter.sys -- (ew_usbenumfilter)
DRV - [2012.06.30 06:47:56 | 000,102,784 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_hwusbdev.sys -- (ew_hwusbdev)
DRV - [2012.06.30 06:47:56 | 000,090,112 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_jucdcacm.sys -- (huawei_cdcacm)
DRV - [2012.06.30 06:47:56 | 000,073,216 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ew_jubusenum.sys -- (huawei_enumerator)
DRV - [2012.06.30 06:47:56 | 000,013,184 | ---- | M] (Bytemobile, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\BMLoad.sys -- (BMLoad)
DRV - [2012.06.18 16:55:40 | 000,017,488 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\etdrv.sys -- (etdrv)
DRV - [2012.05.10 21:20:16 | 000,048,256 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Running] -- C:\Program Files\AMD\OverDrive\i386\AODDriver2.sys -- (AODDriver4.2.0)
DRV - [2012.05.08 12:55:16 | 009,334,784 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2012.05.08 11:02:00 | 000,275,968 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2012.03.05 16:04:30 | 000,045,184 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Stopped] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\aoddriver2.sys -- (AODDriver4.1)
DRV - [2012.03.05 16:04:30 | 000,045,184 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\aoddriver2.sys -- (AODDriver4.01)
DRV - [2011.09.04 17:50:04 | 000,083,872 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt)
DRV - [2011.09.04 17:50:04 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2011.06.30 22:31:56 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011.06.30 22:31:56 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010.12.25 23:57:39 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2010.12.03 11:05:34 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.07.01 15:21:14 | 000,034,896 | ---- | M] (Screaming Bee LLC) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ScreamingBAudio.sys -- (SCREAMINGBDRIVER)
DRV - [2010.06.17 15:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010.03.12 05:35:48 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Program Files\Gigabyte\ET6\i386\AODDriver.sys -- (AODDriver)
DRV - [2010.02.18 10:18:22 | 000,037,944 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\amdiox86.sys -- (amdiox86)
DRV - [2010.01.27 10:58:32 | 000,098,928 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\jraid.sys -- (JRAID)
DRV - [2010.01.27 05:04:00 | 000,183,584 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService)
DRV - [2009.11.20 13:15:18 | 000,137,728 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV - [2009.11.20 13:15:16 | 000,058,880 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nusb3hub.sys -- (nusb3hub)
DRV - [2009.08.08 00:46:56 | 000,023,112 | ---- | M] (SiSoftware) [Kernel | On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011\WNt500x86\sandra.sys -- (SANDRA)
DRV - [2005.04.18 16:16:00 | 000,015,104 | ---- | M] (AVM GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avmunet.sys -- (AVMUNET)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,DefaultNetworkProfile = 536084092
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7B 69 9E CD 86 65 CC 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {A4266196-008F-466D-B41C-B7953FBF0EFA}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{A4266196-008F-466D-B41C-B7953FBF0EFA}: "URL" = hxxp://www.google.de/search?q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:2.0.3
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.1.14
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.9
FF - prefs.js..extensions.enabledItems: foxyproxy@eric.h.jung:3.5
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.4.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.6.0.8442
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: ff-bmboc@bytemobile.com:4.2.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@ngm.nexoneu.com/NxGame: C:\ProgramData\NexonEU\NGM\npNxGameeu.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\ff-bmboc@bytemobile.com: C:\Program Files\T-Mobile\InternetManager_H\OCx32\addon [2012.06.30 06:48:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.06.16 15:30:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.05.19 12:12:59 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.06.16 15:30:37 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.05.19 12:12:59 | 000,000,000 | ---D | M]
 
[2010.12.19 11:21:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\fpueck\AppData\Roaming\mozilla\Extensions
[2012.07.10 10:03:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions
[2012.07.13 03:37:24 | 000,000,000 | ---D | M] (Flagfox) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2012.04.28 10:45:56 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012.06.27 17:51:02 | 000,000,000 | ---D | M] (Bitdefender QuickScan) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2012.05.22 03:34:00 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions\foxyproxy@eric.h.jung
[2012.05.19 12:13:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011.11.10 04:29:00 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012.06.27 17:51:01 | 000,339,843 | ---- | M] () (No name found) -- C:\USERS\FPUECK\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KW5S02K7.DEFAULT\EXTENSIONS\{19503E42-CA3C-4C27-B1E2-9CDB2170EE34}.XPI
[2012.06.16 15:30:37 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.04.28 11:05:20 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010.12.26 12:16:21 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2011.03.22 20:38:12 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2012.05.19 12:12:56 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.05.19 12:12:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.05.19 12:12:56 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.05.19 12:12:56 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.05.19 12:12:56 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.05.19 12:12:56 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\fpueck\AppData\Local\Google\Chrome\Application\10.0.648.151\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\fpueck\AppData\Local\Google\Chrome\Application\10.0.648.151\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Users\fpueck\AppData\Local\Google\Chrome\Application\10.0.648.151\gears.dll
CHR - plugin: Foxit Reader Plugin for Mozilla (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: VLC Multimedia Plug-in (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Google Update (Enabled) = C:\Users\fpueck\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
 
O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [AMD AVT] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe (AMD)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\PrxerNsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\PrxerDrv.dll (Initex)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\PrxerDrv.dll (Initex)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\PrxerDrv.dll (Initex)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\PrxerDrv.dll (Initex)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\PrxerDrv.dll (Initex)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Vertrauenswürdige Sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{992CC9E3-ECF7-41B1-A21D-608869CB2B6C}: NameServer = 10.111.81.129 10.129.32.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9EB39F72-554A-45E8-A8F0-A67FCB196613}: NameServer = 10.111.81.129 10.129.32.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9ED6A9A4-BAC8-4874-A3E6-50FD08BDDD37}: NameServer = 10.129.32.1 10.111.81.129
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C1BD3F1E-97B2-468B-B788-F172E419F90A}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CC30CF86-FEFF-407E-B94B-40F305D58A47}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{00a909f0-c26c-11e1-9cb3-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{00a909f0-c26c-11e1-9cb3-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{00a90a04-c26c-11e1-9cb3-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{00a90a04-c26c-11e1-9cb3-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{00a90a38-c26c-11e1-9cb3-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{00a90a38-c26c-11e1-9cb3-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{21f29d77-8981-11e1-a5ab-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{21f29d77-8981-11e1-a5ab-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{21f29d8b-8981-11e1-a5ab-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{21f29d8b-8981-11e1-a5ab-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{21f29da7-8981-11e1-a5ab-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{21f29da7-8981-11e1-a5ab-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{24bef2eb-117e-11e0-8279-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{24bef2eb-117e-11e0-8279-1c6f6535bf17}\Shell\AutoRun\command - "" = E:\autorun.exe
O33 - MountPoints2\{aa09f2f1-c2a0-11e1-9cee-b5b26f98a407}\Shell - "" = AutoRun
O33 - MountPoints2\{aa09f2f1-c2a0-11e1-9cee-b5b26f98a407}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{d9a8dfea-0b49-11e0-ae88-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{d9a8dfea-0b49-11e0-ae88-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Run.exe
O33 - MountPoints2\{dd974dda-c29d-11e1-9e4d-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{dd974dda-c29d-11e1-9e4d-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\preinst.exe
O33 - MountPoints2\{f9353dd1-8a42-11e1-be24-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{f9353dd1-8a42-11e1-be24-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.07.13 05:40:27 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\fpueck\Desktop\OTL.exe
[2012.07.13 05:20:34 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012.07.13 05:09:07 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.07.13 05:09:02 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012.07.13 05:08:58 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012.07.13 05:06:36 | 004,576,941 | R--- | C] (Swearware) -- C:\Users\fpueck\Desktop\ComboFix.exe
[2012.07.13 05:03:15 | 002,135,640 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\fpueck\Desktop\tdsskiller.exe
[2012.07.13 04:46:17 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2012.07.13 04:46:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager
[2012.07.13 04:46:13 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2012.07.13 04:30:23 | 000,000,000 | ---D | C] -- C:\Users\fpueck\msert
[2012.07.07 19:56:52 | 000,000,000 | ---D | C] -- C:\Char16816346
[2012.07.06 08:17:38 | 000,000,000 | ---D | C] -- C:\77ef9cb24339bc29c26f048b64e76394
[2012.07.01 04:03:00 | 000,000,000 | ---D | C] -- C:\Char100674208
[2012.06.30 12:32:57 | 000,015,104 | ---- | C] (AVM GmbH) -- C:\Windows\System32\drivers\avmunet.sys
[2012.06.30 12:32:57 | 000,000,000 | ---D | C] -- C:\Windows\AVM_Driver
[2012.06.30 12:32:54 | 000,000,000 | ---D | C] -- C:\Users\fpueck\AVM_Driver
[2012.06.30 06:48:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Manager
[2012.06.30 06:48:35 | 000,861,696 | ---- | C] (DiBcom SA) -- C:\Windows\System32\drivers\mod7700.sys
[2012.06.30 06:48:35 | 000,353,280 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbwwan.sys
[2012.06.30 06:48:35 | 000,193,792 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbmdm.sys
[2012.06.30 06:48:35 | 000,181,760 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_juwwanecm.sys
[2012.06.30 06:48:35 | 000,102,784 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_hwusbdev.sys
[2012.06.30 06:48:35 | 000,090,112 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jucdcacm.sys
[2012.06.30 06:48:35 | 000,073,216 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jubusenum.sys
[2012.06.30 06:48:35 | 000,064,384 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jucdcecm.sys
[2012.06.30 06:48:35 | 000,026,624 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_juextctrl.sys
[2012.06.30 06:48:35 | 000,025,856 | ---- | C] (Huawei Tech. Co., Ltd.) -- C:\Windows\System32\drivers\ewdcsc.sys
[2012.06.30 06:48:35 | 000,019,200 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_hwupgrade.sys
[2012.06.30 06:48:35 | 000,011,136 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_usbenumfilter.sys
[2012.06.30 06:48:12 | 000,480,384 | ---- | C] (Bytemobile, Inc.) -- C:\Windows\System32\bmnet.dll
[2012.06.30 06:48:12 | 000,308,352 | ---- | C] (Bytemobile, Inc.) -- C:\Windows\System32\bminstall.dll
[2012.06.30 06:48:12 | 000,132,224 | ---- | C] (Bytemobile, Inc.) -- C:\Windows\System32\bmdumpd.bin
[2012.06.30 06:48:12 | 000,024,192 | ---- | C] (Bytemobile, Inc.) -- C:\Windows\System32\drivers\tcpipBM.sys
[2012.06.30 06:48:12 | 000,013,184 | ---- | C] (Bytemobile, Inc.) -- C:\Windows\System32\drivers\BMLoad.sys
[2012.06.30 06:47:43 | 000,000,000 | ---D | C] -- C:\Program Files\T-Mobile
[2012.06.28 23:05:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xider
[2012.06.28 23:03:52 | 000,000,000 | ---D | C] -- C:\Program Files\Xider
[2012.06.28 17:52:51 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2012.06.24 13:19:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funcom
[2012.06.20 18:04:59 | 000,000,000 | ---D | C] -- C:\Users\fpueck\Documents\Hero & Villain Builds
[2012.06.20 18:04:32 | 000,000,000 | ---D | C] -- C:\Users\fpueck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Titan Network
[2012.06.20 18:04:27 | 000,000,000 | ---D | C] -- C:\Program Files\Titan Network
[2012.06.20 00:07:24 | 000,000,000 | ---D | C] -- C:\Users\fpueck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCsoft
[2012.06.18 17:01:29 | 000,000,000 | ---D | C] -- C:\Users\fpueck\cpuz
[2012.06.18 16:25:46 | 000,000,000 | ---D | C] -- C:\Program Files\Intel
[2012.06.18 16:25:45 | 000,000,000 | ---D | C] -- C:\Intel
[2012.06.18 16:24:15 | 000,000,000 | ---D | C] -- C:\Users\fpueck\gigatool
[2012.06.18 16:13:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD
[2012.06.18 16:13:10 | 000,000,000 | ---D | C] -- C:\Program Files\AMD
[2012.06.18 16:12:15 | 000,000,000 | ---D | C] -- C:\Users\fpueck\AppData\Local\Downloaded Installations
[2011.05.17 09:03:34 | 006,866,985 | ---- | C] (Zugg Software) -- C:\Users\fpueck\zmud721.exe
[30 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[30 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012.07.13 05:46:22 | 000,013,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.07.13 05:46:22 | 000,013,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.13 05:45:44 | 000,707,088 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.07.13 05:45:44 | 000,660,706 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.07.13 05:45:44 | 000,152,680 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.07.13 05:45:44 | 000,124,896 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.07.13 05:40:01 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\fpueck\Desktop\OTL.exe
[2012.07.13 05:38:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.07.13 05:38:56 | 2615,320,576 | -HS- | M] () -- C:\hiberfil.sys
[2012.07.13 05:37:57 | 000,000,020 | ---- | M] () -- C:\Users\fpueck\defogger_reenable
[2012.07.13 05:36:07 | 000,050,477 | ---- | M] () -- C:\Users\fpueck\Desktop\Defogger.exe
[2012.07.13 05:07:01 | 004,576,941 | R--- | M] (Swearware) -- C:\Users\fpueck\Desktop\ComboFix.exe
[2012.07.13 05:03:23 | 002,135,640 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\fpueck\Desktop\tdsskiller.exe
[2012.06.30 06:48:53 | 000,001,163 | ---- | M] () -- C:\Users\Public\Desktop\Internet Manager.lnk
[2012.06.30 06:47:57 | 000,861,696 | ---- | M] (DiBcom SA) -- C:\Windows\System32\drivers\mod7700.sys
[2012.06.30 06:47:57 | 000,181,760 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_juwwanecm.sys
[2012.06.30 06:47:57 | 000,064,384 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jucdcecm.sys
[2012.06.30 06:47:57 | 000,026,624 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_juextctrl.sys
[2012.06.30 06:47:57 | 000,024,192 | ---- | M] (Bytemobile, Inc.) -- C:\Windows\System32\drivers\tcpipBM.sys
[2012.06.30 06:47:57 | 000,011,136 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_usbenumfilter.sys
[2012.06.30 06:47:56 | 000,353,280 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbwwan.sys
[2012.06.30 06:47:56 | 000,193,792 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbmdm.sys
[2012.06.30 06:47:56 | 000,102,784 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_hwusbdev.sys
[2012.06.30 06:47:56 | 000,090,112 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jucdcacm.sys
[2012.06.30 06:47:56 | 000,073,216 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jubusenum.sys
[2012.06.30 06:47:56 | 000,025,856 | ---- | M] (Huawei Tech. Co., Ltd.) -- C:\Windows\System32\drivers\ewdcsc.sys
[2012.06.30 06:47:56 | 000,019,200 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_hwupgrade.sys
[2012.06.30 06:47:56 | 000,013,184 | ---- | M] (Bytemobile, Inc.) -- C:\Windows\System32\drivers\BMLoad.sys
[2012.06.30 06:47:55 | 000,480,384 | ---- | M] (Bytemobile, Inc.) -- C:\Windows\System32\bmnet.dll
[2012.06.30 06:47:55 | 000,308,352 | ---- | M] (Bytemobile, Inc.) -- C:\Windows\System32\bminstall.dll
[2012.06.30 06:47:47 | 000,132,224 | ---- | M] (Bytemobile, Inc.) -- C:\Windows\System32\bmdumpd.bin
[2012.06.28 23:05:34 | 000,002,028 | ---- | M] () -- C:\Users\fpueck\Desktop\Edna bricht aus Demo.lnk
[2012.06.26 05:35:50 | 000,013,716 | ---- | M] () -- C:\Users\fpueck\Desktop\Justice_Corps_Roster_City_of_Heroes_Villains_COH_SuperTeam_Site_at_button_33.mp3
[2012.06.24 19:21:43 | 008,454,041 | ---- | M] () -- C:\Users\fpueck\Documents\blubb.rar
[2012.06.24 13:19:45 | 000,001,125 | ---- | M] () -- C:\Users\Public\Desktop\The Secret World.lnk
[2012.06.20 18:04:33 | 000,001,190 | ---- | M] () -- C:\Users\fpueck\Desktop\Mids' Hero & Villain Designer.lnk
[2012.06.20 00:07:24 | 000,002,034 | ---- | M] () -- C:\Users\fpueck\Desktop\City of Heroes BETA.lnk
[2012.06.18 17:01:39 | 000,006,830 | ---- | M] () -- C:\Users\fpueck\Desktop\The_Guard_Ein_Ire_avi_Your_Webhostservice__KiwiLoad.com_The.Guard.Ein.Ire.avi
[2012.06.18 16:55:11 | 000,024,944 | ---- | M] () -- C:\Windows\System32\drivers\GVTDrv.sys
[2012.06.18 16:25:44 | 000,001,930 | ---- | M] () -- C:\Users\Public\Desktop\ET6.lnk
[2012.06.18 16:13:16 | 000,001,985 | ---- | M] () -- C:\Users\Public\Desktop\AMD OverDrive.lnk
[2012.06.16 15:37:48 | 000,291,240 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[30 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[30 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012.07.13 05:37:35 | 000,000,020 | ---- | C] () -- C:\Users\fpueck\defogger_reenable
[2012.07.13 05:36:07 | 000,050,477 | ---- | C] () -- C:\Users\fpueck\Desktop\Defogger.exe
[2012.07.13 05:17:22 | 000,018,944 | ---- | C] () -- C:\Windows\Installer\{0b053145-8f9f-1779-43ec-51c0f740ee7a}\U\800000cb.@
[2012.07.13 05:17:22 | 000,013,312 | ---- | C] () -- C:\Windows\Installer\{0b053145-8f9f-1779-43ec-51c0f740ee7a}\U\80000000.@
[2012.07.13 05:17:21 | 000,001,696 | ---- | C] () -- C:\Windows\Installer\{0b053145-8f9f-1779-43ec-51c0f740ee7a}\U\00000001.@
[2012.06.30 06:48:53 | 000,001,163 | ---- | C] () -- C:\Users\Public\Desktop\Internet Manager.lnk
[2012.06.28 23:05:34 | 000,002,028 | ---- | C] () -- C:\Users\fpueck\Desktop\Edna bricht aus Demo.lnk
[2012.06.26 05:35:35 | 000,013,716 | ---- | C] () -- C:\Users\fpueck\Desktop\Justice_Corps_Roster_City_of_Heroes_Villains_COH_SuperTeam_Site_at_button_33.mp3
[2012.06.24 19:20:01 | 008,454,041 | ---- | C] () -- C:\Users\fpueck\Documents\blubb.rar
[2012.06.24 13:19:45 | 000,001,125 | ---- | C] () -- C:\Users\Public\Desktop\The Secret World.lnk
[2012.06.20 18:04:33 | 000,001,190 | ---- | C] () -- C:\Users\fpueck\Desktop\Mids' Hero & Villain Designer.lnk
[2012.06.20 00:07:24 | 000,002,034 | ---- | C] () -- C:\Users\fpueck\Desktop\City of Heroes BETA.lnk
[2012.06.18 17:01:37 | 000,006,830 | ---- | C] () -- C:\Users\fpueck\Desktop\The_Guard_Ein_Ire_avi_Your_Webhostservice__KiwiLoad.com_The.Guard.Ein.Ire.avi
[2012.06.18 16:28:03 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys
[2012.06.18 16:25:44 | 000,001,930 | ---- | C] () -- C:\Users\Public\Desktop\ET6.lnk
[2012.06.18 16:13:16 | 000,001,985 | ---- | C] () -- C:\Users\Public\Desktop\AMD OverDrive.lnk
[2012.05.26 08:06:44 | 000,000,001 | ---- | C] () -- C:\Windows\System32\SI.bin
[2012.05.08 11:16:56 | 000,204,952 | ---- | C] () -- C:\Windows\System32\ativvsvl.dat
[2012.05.08 11:16:56 | 000,157,144 | ---- | C] () -- C:\Windows\System32\ativvsva.dat
[2012.05.08 06:25:48 | 000,159,232 | ---- | C] () -- C:\Windows\System32\clinfo.exe
[2012.04.15 02:38:08 | 000,016,360 | ---- | C] () -- C:\Users\fpueck\Addendum.odt
[2012.04.15 01:31:00 | 000,030,320 | ---- | C] () -- C:\Users\fpueck\LastWords.odt
[2012.03.19 14:29:10 | 000,012,304 | ---- | C] () -- C:\Users\fpueck\mieteauszug.odt
[2012.03.09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\System32\kdbsdk32.dll
[2012.03.05 08:35:06 | 000,015,019 | ---- | C] () -- C:\Users\fpueck\Anschreiben.odt
[2012.02.06 08:34:27 | 000,012,307 | ---- | C] () -- C:\Users\fpueck\Notenliste 8a.odt
[2012.01.31 03:31:45 | 000,032,611 | ---- | C] () -- C:\Users\fpueck\Expose.odt
[2012.01.24 15:11:57 | 001,190,114 | ---- | C] () -- C:\Users\fpueck\Lehrprobe Englisch.odt
[2012.01.10 23:10:08 | 000,601,728 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011.10.30 23:31:08 | 000,000,275 | ---- | C] () -- C:\Users\fpueck\AppData\Local\HamsterVideoConverterSettings.cfg
[2011.10.30 23:11:28 | 038,588,136 | ---- | C] () -- C:\Users\fpueck\Karok.wmv
[2011.09.28 22:58:42 | 000,026,280 | ---- | C] () -- C:\Users\fpueck\weimarquotes.odt
[2011.09.27 06:16:40 | 000,055,068 | ---- | C] () -- C:\Users\fpueck\Weimarparteienüberblick.odt
[2011.09.27 06:01:05 | 000,017,621 | ---- | C] () -- C:\Users\fpueck\Konzept G9.odt
[2011.09.27 05:40:03 | 000,029,534 | ---- | C] () -- C:\Users\fpueck\KPDtext.odt
[2011.09.27 05:36:02 | 000,023,107 | ---- | C] () -- C:\Users\fpueck\Stichpunkte Parteien.odt
[2011.09.13 01:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2011.09.11 18:31:12 | 000,031,882 | ---- | C] () -- C:\Users\fpueck\bothothel.odt
[2011.09.04 17:45:00 | 000,083,872 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2011.09.04 17:44:59 | 000,025,888 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2011.08.28 02:11:00 | 000,054,000 | ---- | C] () -- C:\Windows\System32\PrxerNsp.dll
[2011.08.04 16:16:20 | 000,007,602 | ---- | C] () -- C:\Users\fpueck\AppData\Local\Resmon.ResmonCfg
[2011.05.31 08:39:50 | 000,058,368 | ---- | C] () -- C:\Windows\System32\bdmpegv.dll
[2011.05.31 08:38:18 | 000,015,360 | ---- | C] () -- C:\Windows\System32\bdmjpeg.dll
[2011.05.03 12:26:20 | 000,015,344 | ---- | C] () -- C:\Users\fpueck\wiederholungdienstweg.odt
[2011.04.25 16:58:30 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2011.04.25 16:58:30 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2011.04.23 08:59:16 | 000,000,094 | ---- | C] () -- C:\Users\fpueck\AppData\Local\fusioncache.dat
[2011.04.14 19:48:00 | 000,824,807 | ---- | C] () -- C:\Users\fpueck\LOL.odt
[2011.04.11 20:04:23 | 000,045,757 | ---- | C] () -- C:\Users\fpueck\FSE.odt
[2011.03.24 13:46:08 | 000,071,168 | ---- | C] () -- C:\Users\fpueck\Niederschrift neu.dot
[2011.03.24 09:46:36 | 000,026,054 | ---- | C] () -- C:\Users\fpueck\FSGProtokoll.odt
[2011.03.21 14:11:00 | 583,331,280 | ---- | C] () -- C:\Users\fpueck\CastleVania Symphony of the night.iso
[2011.03.16 08:32:45 | 000,135,300 | ---- | C] () -- C:\Users\fpueck\Ablassstunde.odt
[2011.03.04 17:55:31 | 000,076,345 | ---- | C] () -- C:\Users\fpueck\conditionals.odt
[2011.03.03 09:47:44 | 000,020,123 | ---- | C] () -- C:\Users\fpueck\Unterrichtsplanung Geschichte.odt
[2011.03.01 14:30:13 | 000,023,041 | ---- | C] () -- C:\Users\fpueck\erwhoreng9.odt
[2011.03.01 11:54:04 | 000,020,495 | ---- | C] () -- C:\Users\fpueck\comment.odt
[2011.03.01 07:34:09 | 000,019,602 | ---- | C] () -- C:\Users\fpueck\UplanEnglisch.odt
[2011.02.19 09:16:35 | 000,001,720 | ---- | C] () -- C:\Users\fpueck\League of Legends spielen .lnk
[2011.02.09 01:16:41 | 030,718,643 | ---- | C] () -- C:\Users\fpueck\Factory scene from Modern Times.flv
[2010.12.26 21:40:07 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010.12.24 20:21:53 | 000,015,880 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2010.12.19 11:56:36 | 014,938,112 | ---- | C] () -- C:\ProgramData\sandra.mda
[2010.12.19 10:44:53 | 000,072,304 | R--- | C] () -- C:\Windows\System32\XSrvSetup.exe
[2010.12.19 10:43:43 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2010.12.19 10:42:10 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010.12.19 10:36:12 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
 
========== LOP Check ==========
 
[2010.12.31 08:01:20 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\DAEMON Tools Lite
[2012.03.31 17:38:27 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Darkfall
[2011.06.20 09:24:31 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Electronic Arts
[2012.04.25 13:27:49 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\EVEMon
[2010.12.26 12:18:49 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Foxit Software
[2011.08.07 17:25:50 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\GetRightToGo
[2011.02.03 04:49:28 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\LolClient
[2012.05.02 04:58:39 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Mumble
[2010.12.24 21:42:19 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\OpenOffice.org
[2011.10.30 22:39:21 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Pegasys Inc
[2011.08.28 02:11:08 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Proxifier
[2012.07.13 04:40:22 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\QuickScan
[2012.03.26 16:20:22 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\RIFT
[2011.02.02 14:57:10 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Screaming Bee
[2011.09.24 23:22:29 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Sony Online Entertainment
[2012.04.19 19:03:11 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\T-Mobile
[2012.02.17 13:18:27 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\TS3Client
[2011.08.27 04:46:10 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\uTorrent
[2012.06.29 00:34:11 | 000,032,630 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:359B3BDA

< End of report >
         
--- --- ---


and then the Extras as well
OTL Logfile:
Code:
OTL Extras logfile created on: 13.07.2012 05:41:18 - Run 1
OTL by OldTimer - Version 3.2.54.0     Folder = C:\Users\fpueck\Desktop
 Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,25 Gb Total Physical Memory | 2,43 Gb Available Physical Memory | 74,85% Memory free
6,49 Gb Paging File | 5,58 Gb Available in Paging File | 85,94% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 931,41 Gb Total Space | 508,32 Gb Free Space | 54,58% Space Free | Partition Type: NTFS
 
Computer Name: FPUECK-PC | User Name: fpueck | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
========== Firewall Settings ==========
 
========== Authorized Applications List ==========
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0282C413-1FDA-DB0C-002D-F0306F37B8E9}" = CCC Help Chinese Standard
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07300F01-89CA-4CF8-92BD-2A605EB83C95}" = EasySaver B9.1214.1 
"{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1" = Core Temp version 1.0
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{1023383E-D9F6-478C-A965-23A4657B3C9A}" = Sacred 2
"{105E26C5-2311-6B4C-BC79-91E1E8CCCDB8}" = AMD VISION Engine Control Center
"{12421338-71ED-1595-8C3F-C118162F2090}" = CCC Help Polish
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20071984-5EB1-4881-8EDB-082532ACEC6D}" = Heroes of Might and Magic V
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{20612F0A-7E82-FF36-14F0-61521F481DC7}" = CCC Help French
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{289AC7E0-0AEE-4a7b-913C-709D9803D23E}" = Nexon Game Manager
"{28DABD97-D76F-FE7F-9EF1-81F97D8102DA}" = CCC Help German
"{29C042AB-059B-414C-840E-94775E3F24A8}" = Personality Voices
"{2F5B0382-8269-4A86-9568-05542CA0CC39}_is1" = Edna bricht aus Demo
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34BCB3AF-9DF8-4D1F-7F79-49C57ED73730}" = AMD Catalyst Install Manager
"{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = Gigabyte Raid Configurer
"{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Star Wars: The Old Republic
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{44A3BDE7-E797-4FBC-8FBD-DE5E68AB4D26}" = Fischer Weltalmanach und Atlas 2010
"{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B12.0424.1
"{46EDCFA5-7EDB-46A9-B093-1C6237470CEC}" = 3DMark 11
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F09C764-E4DB-4DED-8489-55119833FAF7}_is1" = PDF Expert 6 - Installer
"{518109CD-F11C-42BE-9789-BDFB38B042C4}" = CCC Help English
"{5449FB4F-1802-4D5B-A6D8-087DB1142147}" = Realtek HDMI Audio Driver for ATI
"{5F3D82D0-ACDC-598A-9D78-F014430AFE12}" = CCC Help Chinese Traditional
"{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = NCsoft Launcher
"{6319E97C-00A0-2FFE-5AE3-EA2743344A10}" = AMD Fuel
"{66FF4C48-0083-4E60-8556-B883AB200091}" = Heroes of Might & Magic V: Hammers of Fate
"{66FF4C48-0083-4E60-8556-B883AB200092}" = Heroes of Might and Magic V - Tribes of the East
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{69ECF154-6436-D0A8-0BD0-DC3631A89E27}" = CCC Help Norwegian
"{6C90C4C4-559D-4FE8-A4BF-37550E74D1FC}" = Bloodline Champions
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71F8C486-8A13-468E-8B73-06051075556A}" = Female Voice Pack
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{744AD0D8-409D-7E55-EB35-CD92853FA661}" = CCC Help Czech
"{76622017-64BB-8DF4-BCBA-EF98B1D6F6F0}" = CCC Help Japanese
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F3AD00A-1819-4B15-BB7D-08B3586336D7}" = 3DMark06
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{86E0CAC0-6DF8-416D-A195-31FEAD651191}" = MorphVOX Pro
"{87FD605E-2099-2EAE-84A2-AA7D0EF1D655}" = CCC Help Finnish
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows 7
"{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{908E6E66-DDF1-26A7-D17B-AA538DC8A541}" = CCC Help Russian
"{918A9082-6287-4D25-9002-5E5D5E4971CB}" = League of Legends
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{9373F09C-C222-BBFC-A45C-A824FE8973A1}" = Catalyst Control Center Graphics Previews Common
"{93DA8968-092B-4E6F-B568-AB8471952143}" = Warlords Battlecry III
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}" = AGEIA PhysX v7.11.13
"{98018CA9-C8AA-BF58-17D0-21B1250698C7}" = AMD Accelerated Video Transcoding
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C1FAB12-F426-432E-8579-75CAB60C69CF}" = AMD OverDrive
"{9C4485DD-8FCF-E87C-0846-7443424FF1D8}" = CCC Help Hungarian
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7BC99D5-60F1-F840-EF97-C57BBF1019A6}" = CCC Help Turkish
"{A9626196-D370-A73F-800E-9C10F3DB57B6}" = CCC Help Swedish
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AABFED91-C2C7-2DB5-F20F-27C76C7096B2}" = CCC Help Dutch
"{AC524B17-B82D-414A-B2E2-C38DC4ABF5C9}" = Darkfall
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.0) - Deutsch
"{AF53219F-E6BB-5634-D029-A3DA7A540CC6}" = CCC Help Portuguese
"{B113D18C-67B0-4FB7-B329-E89B66194AE6}" = Windows Live Fotogalerie
"{B533F23C-5851-2ECB-50AA-BD74BCDD3B57}" = HydraVision
"{B6270E05-A7CC-50A4-D03C-753FA83D6E84}" = AMD Drag and Drop Transcoding
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BC0A330A-6A54-D5D4-F4DB-65B4C960285F}" = CCC Help Italian
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1" = SiSoftware Sandra Lite 2011
"{C3E9887A-23BA-4777-8080-191A5AFCAB74}" = Mumble 1.2.3
"{C414B3F3-BEBD-0766-5D95-5A6BDE8B9176}" = CCC Help Greek
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{CACBFEA1-3157-6016-117E-EF06E5AC72CF}" = Catalyst Control Center InstallProxy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC8C6851-E21F-866D-50D0-285C97D5C7DD}" = CCC Help Spanish
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0AD841D-16E7-BDDE-9325-F70B5768EBB7}" = CCC Help Thai
"{D3F63A79-282B-B1BC-555E-9E473E761F64}" = AMD AVIVO Codecs
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D7A0A22A-C132-4B6F-8D68-67B95117DE93}" = RIFT
"{D7A89413-FB45-4ECE-A893-32DC87F45554}" = Legends of Norrath
"{D7BF9739-8A68-4335-BBEE-37752AD9E86B}" = NEC Electronics USB 3.0 Host Controller Driver
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E2F0AF23-FE2F-4222-9A43-55E63CC41EF1}" = Catalyst Control Center - Branding
"{E4A41428-A261-1356-7949-4EFEA3F7A450}" = ccc-utility
"{E4E88B54-4777-4659-967A-2EED1E6AFD83}" = Windows Live Movie Maker
"{EA2DB6E0-72C5-4ef9-A3A0-E6705F4A6A9E}" = Nexon Game Manager
"{EDCAE2CB-B0E6-3E79-A566-F87966E9D9D6}" = AMD Media Foundation Decoders
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1826FDF-6554-470E-5B8B-83EF59F7D1C9}" = CCC Help Korean
"{F3114AD6-9F46-2CD8-6C7F-C62F9CBE4C78}" = Catalyst Control Center Localization All
"{F33251DB-F472-F17E-6E61-B74B2154D64E}" = CCC Help Danish
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"12bbe590-c890-11d9-9669-0800200c9a66_is1" = The Lord of the Rings Online™ v03.06.00.8025
"AC3Filter_is1" = AC3Filter 1.63b
"Ad-Aware" = Ad-Aware
"Age of Conan_is1" = Age of Conan: Unchained
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BandiMPEG1" = Bandisoft MPEG-1 Decoder
"bc8a6440-918f-11dd-ad8b-0800200c9a66_is1" = Dungeons & Dragons Online ®:  Eberron Unlimited ™ v01.13.04.801
"Champions Online" = Champions Online
"DaggerfallSetup_is1" = Daggerfall
"Dark Age of Camelot" = Dark Age of Camelot
"Diablo III" = Diablo III
"Diablo III Beta" = Diablo III Beta
"EVE" = EVE Online (remove only)
"EVEMon" = EVEMon
"EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v5.50
"Foxit Reader" = Foxit Reader
"Fraps" = Fraps
"hon" = Heroes of Newerth
"InstallShield_{44A3BDE7-E797-4FBC-8FBD-DE5E68AB4D26}" = Fischer Weltalmanach und Atlas 2010
"InstallShield_{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B12.0424.1
"InstallShield_{D7A0A22A-C132-4B6F-8D68-67B95117DE93}" = RIFT
"InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}" = NEC Electronics USB 3.0 Host Controller Driver
"Internet Manager" = Internet Manager
"IsoBuster_is1" = IsoBuster 2.8.5
"LOLReplay" = LOLReplay
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 13.0.1 (x86 de)" = Mozilla Firefox 13.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NirSoft Network Password Recovery" = NirSoft Network Password Recovery
"OpenAL" = OpenAL
"PixelRuler_is1" = PixelRuler v9.0.0.0
"Proxifier_is1" = Proxifier version 3.0
"ProxyFirewall_is1" = ProxyFirewall 1.0.4 Beta
"Security Task Manager" = Security Task Manager 1.8d
"Steam App 55410" = Warhammer 40,000: Space Marine Demo
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"The Secret World_is1" = The Secret World
"The Witcher Enhanced Edition_is1" = The Witcher Enhanced Edition
"uTorrent" = µTorrent
"Vindictus" = Vindictus
"Vindictus EU" = Vindictus EU
"VLC media player" = VLC media player 2.0.1
"Warhammer Online - Wrath of Heroes" = Warhammer Online - Wrath of Heroes
"Warhammer Online: Age of Reckoning" = Warhammer Online: Age of Reckoning
"Winamp" = Winamp
"Window Ruler 1.x_is1" = Window Ruler 1.x
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.00 Beta 3 (32-Bit)
"World of Warcraft" = World of Warcraft
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"NCsoft-CoHBeta" = CoH Subscriber Beta
"NCsoft-GuildWars" = Guild Wars
"Proactive System Password Recovery" = Proactive System Password Recovery
"SOE-EverQuest II" = EverQuest II
"SOE-Legends of Norrath" = Legends of Norrath
"Winamp Detect" = Winamp Detector Plug-in
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 07.07.2012 11:36:32 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008
Description = 
 
Error - 08.07.2012 15:38:52 | Computer Name = fpueck-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: Skype.exe, Version: 5.5.0.124, Zeitstempel:
 0x4e96a02b  Name des fehlerhaften Moduls: RPCRT4.dll, Version: 6.1.7601.17514, Zeitstempel:
 0x4ce7b9a2  Ausnahmecode: 0xc0020043  Fehleroffset: 0x000622d3  ID des fehlerhaften Prozesses:
 0xc78  Startzeit der fehlerhaften Anwendung: 0x01cd5cf18185b5a3  Pfad der fehlerhaften
 Anwendung: C:\Program Files\Skype\Phone\Skype.exe  Pfad des fehlerhaften Moduls: 
C:\Windows\system32\RPCRT4.dll  Berichtskennung: 8bd9c6fb-c934-11e1-98dd-00150c20e0ec
 
Error - 09.07.2012 00:48:02 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008
Description = 
 
Error - 09.07.2012 01:57:36 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008
Description = 
 
Error - 09.07.2012 20:50:44 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008
Description = 
 
Error - 10.07.2012 14:33:06 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008
Description = 
 
Error - 10.07.2012 15:48:44 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008
Description = 
 
Error - 11.07.2012 10:22:35 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008
Description = 
 
Error - 12.07.2012 05:36:28 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008
Description = 
 
Error - 12.07.2012 21:02:35 | Computer Name = fpueck-PC | Source = Wininit | ID = 1015
Description = Ein kritischer Systemprozess C:\Windows\system32\lsm.exe ist fehlgeschlagen
 mit den Statuscode 1. Der Computer muss neu gestartet werden.
 
Error - 12.07.2012 21:38:39 | Computer Name = fpueck-PC | Source = System Restore | ID = 8210
Description = 
 
 
< End of report >
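
The "Last 20 Event Log Errors" section above is in OTL's record format: a header line, a "Description =" line, and wrapped continuation lines. The following parser is an added example (not part of the original post or of OTL itself); it joins each record back together and flags the (source, event ID) pairs that occur in this log and deserve a second look in triage. The sample input is constructed from the records above.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Header line of one OTL event record, e.g.
# Error - 12.07.2012 21:02:35 | Computer Name = fpueck-PC | Source = Wininit | ID = 1015
HEADER = re.compile(
    r"^Error - (?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \| "
    r"Computer Name = (?P<host>.+?) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)\s*$"
)

# (source, event id) pairs worth a second look; both occur in the log above.
NOTEWORTHY = {
    ("Wininit", 1015): "critical system process failed; Windows forces a reboot",
    ("Application Error", 1000): "application crash; check the faulting module",
}

# Constructed sample in OTL's "Last 20 Event Log Errors" format; the Skype crash
# and the Wininit 1015 record are copied from the log above.
SAMPLE = """\
[ Application Events ]
Error - 07.07.2012 11:36:32 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008
Description = 

Error - 08.07.2012 15:38:52 | Computer Name = fpueck-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: Skype.exe, Version: 5.5.0.124, Zeitstempel:
 0x4e96a02b  Name des fehlerhaften Moduls: RPCRT4.dll, Version: 6.1.7601.17514, Zeitstempel:
 0x4ce7b9a2  Ausnahmecode: 0xc0020043  Fehleroffset: 0x000622d3

Error - 12.07.2012 21:02:35 | Computer Name = fpueck-PC | Source = Wininit | ID = 1015
Description = Ein kritischer Systemprozess C:\\Windows\\system32\\lsm.exe ist fehlgeschlagen
 mit den Statuscode 1. Der Computer muss neu gestartet werden.
"""


def parse_otl_events(text: str) -> List[Dict]:
    """Group OTL event lines into records; wrapped description lines are joined."""
    records: List[Dict] = []
    log_name: Optional[str] = None
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("[ ") and line.endswith(" ]"):
            log_name = line[2:-2]          # e.g. "Application Events"
            current = None
            continue
        m = HEADER.match(line)
        if m:
            current = {
                "log": log_name,
                "time": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
                "host": m["host"],
                "source": m["source"],
                "id": int(m["id"]),
                "description": "",
            }
            records.append(current)
        elif current is not None and line.startswith("Description ="):
            current["description"] = line[len("Description ="):].strip()
        elif current is not None and line.strip():
            # OTL wraps long descriptions onto the following lines
            current["description"] = (current["description"] + " " + line.strip()).strip()
    return records


def triage(records: List[Dict]) -> List[Dict]:
    """Return the noteworthy records, newest first, each annotated with a note."""
    hits = []
    for r in records:
        note = NOTEWORTHY.get((r["source"], r["id"]))
        if note:
            hits.append({**r, "note": note})
    hits.sort(key=lambda r: r["time"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in triage(parse_otl_events(SAMPLE)):
        print(hit["time"], hit["source"], hit["id"], "->", hit["note"])
        print("   ", hit["description"])
```

A Wininit 1015 for lsm.exe in the hours before the report is the kind of record to correlate with the services.exe finding; on its own it only says that a critical process died, so keep it as a timeline anchor rather than a verdict.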
         
Gmer
I downloaded it, but it doesn't really want to cooperate with me. I can start it, but when I click "scan" the program freezes and does nothing more; after that the only way to get rid of it is to kill it via the Task Manager.


Vtotal
This was asked for in another thread with the same pest, so I thought I'd do it right away.
Code:
ssdeep
6144:5lMlQV2agWccMdwo6vQHLS0iVtq/3PmRJC:5l9VIC2wX4+0iV43+
TrID
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ExifTool

UninitializedDataSize....: 0
InitializedDataSize......: 38400
ImageVersion.............: 6.1
ProductName..............: Microsoft   Windows   Operating System
FileVersionNumber........: 6.1.7600.16385
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Services and Controller app
CharacterSet.............: Unicode
LinkerVersion............: 9.0
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 6.1.7600.16385 (win7_rtm.090713-1255)
TimeStamp................: 2009:07:14 01:11:23+02:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: services.exe
ProductVersion...........: 6.1.7600.16385
SubsystemVersion.........: 6.1
OSVersion................: 6.1
OriginalFilename.........: services.exe
LegalCopyright...........: Microsoft Corporation. All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 218624
FileSubtype..............: 0
ProductVersionNumber.....: 6.1.7600.16385
EntryPoint...............: 0x1388a
ObjectFileType...........: Executable application

Sigcheck

publisher................: Microsoft Corporation
product..................: Microsoft_ Windows_ Operating System
internal name............: services.exe
copyright................: (c) Microsoft Corporation. All rights reserved.
original name............: services.exe.mui
file version.............: 6.1.7600.16385 (win7_rtm.090713-1255)
description..............: Services and Controller app

Portable Executable structural information

Compilation timedatestamp.....: 2009-07-13 23:11:23
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x0001388A

PE Sections...................:

Name        Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text                  4096        218185    218624     6.46  3d09aeeb2259f3c02b198e4fde13fd12
.data                225280          3932      4096     1.48  11c37c1085d75d036b3719399d58bd15
.rsrc                229376         19104     19456     3.82  a02b2b88d8d39c43e7a2f4579bb88240
.reloc               249856         14660     14848     6.80  bbc7b7b521d2ad296241418b92ea94a4

PE Imports....................:

API_MS_Win_Core_ProcessThreads_L1_1_0.dll
	CreateProcessW, CreateThread, TerminateProcess, GetCurrentThreadId, OpenThreadToken, GetCurrentThread, GetProcessId, GetCurrentProcess, CreateProcessAsUserW, DeleteProcThreadAttributeList, UpdateProcThreadAttribute, InitializeProcThreadAttributeList, OpenProcessToken, ResumeThread, SetThreadPriority, ExitThread, SetProcessShutdownParameters, GetCurrentProcessId, GetProcessTimes

API_MS_Win_Core_Profile_L1_1_0.dll
	QueryPerformanceCounter

CRYPTBASE.dll
	SystemFunction005, SystemFunction029

API_MS_Win_Core_Handle_L1_1_0.dll
	DuplicateHandle, CloseHandle

API_MS_Win_Core_LocalRegistry_L1_1_0.dll
	RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegGetKeySecurity, RegSetKeySecurity, RegNotifyChangeKeyValue, RegLoadMUIStringW, RegSetValueExW, RegCreateKeyExW

ntdll.dll
	EtwRegisterTraceGuidsW, RtlUnicodeStringToInteger, RtlSetLastWin32Error, NtTraceControl, RtlInitializeCriticalSection, NtQueueApcThread, NtOpenThread, EvtIntReportEventAndSourceAsync, RtlSetProcessIsCritical, NtOpenProcessToken, NtSetInformationProcess, NtSetEvent, EtwEventRegister, EtwEventWrite, RtlFreeHeap, NtDeleteFile, NtQueryDirectoryFile, NtWaitForSingleObject, RtlAppendUnicodeToString, RtlAppendUnicodeStringToString, NtQueryInformationFile, NtSetInformationFile, NtFilterToken, RtlCopyUnicodeString, RtlMapGenericMask, RtlValidRelativeSecurityDescriptor, RtlSetSecurityObject, RtlQuerySecurityObject, NtQueryInformationToken, NtDuplicateToken, NtAdjustPrivilegesToken, NtSetInformationThread, NtAccessCheckAndAuditAlarm, NtAccessCheck, NtOpenThreadToken, NtPrivilegeCheck, NtPrivilegeObjectAuditAlarm, WinSqmAddToStream, RtlSetEnvironmentVariable, RtlLengthSecurityDescriptor, RtlValidSecurityDescriptor, RtlSetControlSecurityDescriptor, NtDeleteKey, RtlSubAuthoritySid, NtOpenKey, NtEnumerateKey, NtDeleteValueKey, NtSetValueKey, NtQueryValueKey, NtCreateKey, RtlConvertSharedToExclusive, RtlConvertExclusiveToShared, RtlRegisterWait, RtlCreateServiceSid, RtlGetNtProductType, RtlEqualUnicodeString, RtlLengthSid, RtlCopySid, NtLoadDriver, NtOpenDirectoryObject, NtQueryDirectoryObject, RtlCompareUnicodeString, NtUnloadDriver, DbgPrintEx, RtlAdjustPrivilege, RtlExpandEnvironmentStrings_U, RtlInitializeSRWLock, NtFlushKey, NtOpenFile, RtlDosPathNameToNtPathName_U, NtOpenSymbolicLinkObject, NtQuerySymbolicLinkObject, RtlFreeUnicodeString, RtlAcquireSRWLockShared, NtDeleteObjectAuditAlarm, RtlReleaseSRWLockShared, RtlAreAllAccessesGranted, NtCloseObjectAuditAlarm, RtlDeregisterWait, RtlQueueWorkItem, RtlCopyLuid, RtlDeleteSecurityObject, RtlAcquireSRWLockExclusive, RtlReleaseSRWLockExclusive, RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlInitializeResource, NtInitializeRegistry, NtQueryKey, NtClose, RtlInitUnicodeString, 
NtSetSystemEnvironmentValue, RtlNtStatusToDosError, NtShutdownSystem, EtwTraceMessage, RtlUnhandledExceptionFilter, NtQuerySystemInformation, RtlNtStatusToDosErrorNoTeb, RtlInitializeSid, RtlAllocateHeap, RtlLengthRequiredSid, RtlSubAuthorityCountSid, RtlSetSaclSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlCreateSecurityDescriptor, RtlAddAce, RtlCreateAcl, RtlNewSecurityObject, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlUnicodeStringToAnsiString, EtwGetTraceEnableFlags, EtwGetTraceEnableLevel, EtwGetTraceLoggerHandle

API_MS_Win_Core_SysInfo_L1_1_0.dll
	GetTickCount, GetSystemTimeAsFileTime, GetComputerNameExW, GetSystemTime, GetVersionExW

API_MS_Win_Core_File_L1_1_0.dll
	CreateFileW, SetFileInformationByHandle, FindNextFileW, FindClose, CreateDirectoryW, FindFirstFileW

API_MS_Win_Security_SDDL_L1_1_0.dll
	ConvertSecurityDescriptorToStringSecurityDescriptorW, ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW

API_MS_Win_Core_Heap_L1_1_0.dll
	HeapFree, HeapCreate, HeapAlloc, HeapSetInformation

SspiCli.dll
	LogonUserExExW

API_MS_Win_Core_ErrorHandling_L1_1_0.dll
	SetLastError, GetLastError, SetErrorMode, SetUnhandledExceptionFilter, UnhandledExceptionFilter

API_MS_Win_Core_Misc_L1_1_0.dll
	LocalFree, Sleep, lstrlenW, LocalAlloc

API_MS_Win_Core_String_L1_1_0.dll
	CompareStringW

API_MS_Win_Security_LSALookup_L1_1_0.dll
	LsaLookupFreeMemory, LsaLookupTranslateSids, LsaLookupOpenLocalPolicy, LsaLookupManageSidNameMapping, LsaLookupGetDomainInfo, LsaLookupTranslateNames, LsaLookupClose

API_MS_Win_Core_Synch_L1_1_0.dll
	LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, WaitForSingleObject, SetEvent, CreateEventW, ResetEvent, WaitForMultipleObjectsEx, OpenEventW, OpenProcess

API_MS_Win_Core_Interlocked_L1_1_0.dll
	InterlockedCompareExchange, InterlockedExchange, InterlockedCompareExchange64

profapi.dll
	-, -, -, -

API_MS_Win_Core_LibraryLoader_L1_1_0.dll
	GetModuleHandleW, GetProcAddress, FreeLibrary, LoadLibraryExW, GetModuleHandleA, LoadStringW

RPCRT4.dll
	UuidCreate, RpcAsyncAbortCall, RpcServerUnsubscribeForNotification, UuidEqual, RpcServerUseProtseqEpW, RpcServerRegisterIfEx, RpcServerUseProtseqW, RpcServerInqBindings, RpcBindingToStringBindingW, RpcStringBindingParseW, RpcStringFreeW, RpcEpRegisterW, RpcServerInqDefaultPrincNameW, RpcServerRegisterAuthInfoW, UuidCreateNil, I_RpcMapWin32Status, RpcServerInqCallAttributesW, RpcAsyncCompleteCall, RpcServerInqBindingHandle, RpcImpersonateClient, RpcRevertToSelf, I_RpcBindingInqLocalClientPID, I_RpcBindingIsClientLocal, I_RpcSessionStrictContextHandle, NdrServerCall2, NdrAsyncServerCall, RpcSsGetContextBinding, RpcServerInqCallAttributesA, RpcBindingServerFromClient, RpcBindingFree, RpcBindingVectorFree, RpcServerSubscribeForNotification, UuidFromStringW

API_MS_Win_Security_Base_L1_1_0.dll
	SetSecurityDescriptorDacl, AdjustTokenPrivileges, EqualSid, ImpersonateLoggedOnUser, RevertToSelf, GetLengthSid, CopySid, CheckTokenMembership, GetTokenInformation, AddAce, InitializeAcl, GetSecurityDescriptorDacl, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, SetTokenInformation, AddAccessAllowedAce, AllocateAndInitializeSid, AllocateLocallyUniqueId, FreeSid, SetKernelObjectSecurity, GetKernelObjectSecurity

msvcrt.dll
	__p__commode, __p__fmode, __set_app_type, _except_handler4_common, _terminate@@YAXXZ, __setusermatherr, _wtol, _initterm, _controlfp, _ltow, wcscspn, exit, _XcptFilter, _exit, _cexit, __getmainargs, _ltow_s, wcschr, _wcslwr, memmove, _ultow_s, time, wcsrchr, _vsnwprintf, _wcsnicmp, memset, wcsstr, wcstoul, memcpy, _wcsicmp, _ultow, wcsncmp, _amsg_exit

API_MS_Win_Core_IO_L1_1_0.dll
	DeviceIoControl

API_MS_Win_Core_ProcessEnvironment_L1_1_0.dll
	GetEnvironmentVariableW, ExpandEnvironmentStringsW


PE Exports....................:

Symantec Reputation
Suspicious.Insight
First seen by VirusTotal
2012-05-31 20:33:36 UTC ( 1 month, 1 week ago )
Last seen by VirusTotal
2012-07-13 02:55:10 UTC ( 26 minutes ago )
File names (max. 25)

    services.exe.rootkit
    services.exe1
    services.exe
    Services.exe
    _services.ex_
    services.exe_
    C:\Documents and Settings\na-gra461\Desktop\services.exe.000
    C:\Windows\System32\services.exevr
    C:\Windows\System32\services.exe
    services.exe.vir
    50029693
    1342036897.services(3).exe
    services.exe$
    services
    C:\Users\Den\Desktop\services.exe
    file-4038672_exe
    services-b.exe
         

filefind

Code:
SystemLook 30.07.11 by jpshortstuff
Log created at 05:30 on 13/07/2012 by fpueck
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Windows\System32\services.exe	--a---- 259072 bytes	[23:11 13/07/2009]	[01:14 14/07/2009] A302BBFF2A7278C0E239EE5D471D86A9
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe	--a---- 259072 bytes	[23:11 13/07/2009]	[01:14 14/07/2009] 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

Searching for "         "
No files found.

-= EOF =-
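
The SystemLook output above is the most telling artefact in the thread: the live C:\Windows\System32\services.exe has exactly the same size and timestamps as the WinSxS component-store copy, but a different MD5. The following is an added example (not from the original post, not part of SystemLook): it parses "filefind" result lines and reports any live file whose hash matches none of the WinSxS copies of the same name, distinguishing size-preserving in-place modification from a plain hash mismatch. The sample input is the two lines from the log above; treating every path under \winsxs\ as the reference copy is this example's assumption.

```python
import re
from typing import Dict, List

# One SystemLook filefind result line (tab-separated fields):
# <path>\t<attrs> <size> bytes\t[<created>]\t[<modified>] <MD5>
FILEFIND_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\t]+)\t"
    r"(?P<attrs>\S+) (?P<size>\d+) bytes\t"
    r"\[(?P<created>[^\]]+)\]\t"
    r"\[(?P<modified>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Sample constructed from the filefind section above (tabs written as \t).
SAMPLE_LOG = """\
SystemLook 30.07.11 by jpshortstuff
========== filefind ==========

Searching for "services.exe"
C:\\Windows\\System32\\services.exe\t--a---- 259072 bytes\t[23:11 13/07/2009]\t[01:14 14/07/2009] A302BBFF2A7278C0E239EE5D471D86A9
C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\\services.exe\t--a---- 259072 bytes\t[23:11 13/07/2009]\t[01:14 14/07/2009] 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

-= EOF =-
"""


def parse_filefind(log: str) -> List[Dict]:
    """Parse every filefind result line of a SystemLook log into a dict."""
    entries = []
    for line in log.splitlines():
        m = FILEFIND_LINE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
            entries.append(d)
    return entries


def is_reference_copy(path: str) -> bool:
    """Assumption of this example: copies in the WinSxS store are the reference."""
    return "\\winsxs\\" in path.lower()


def find_live_copies_differing_from_winsxs(log: str) -> List[Dict]:
    """Report live files whose MD5 matches none of the WinSxS copies of the same name."""
    by_name: Dict[str, List[Dict]] = {}
    for e in parse_filefind(log):
        by_name.setdefault(e["name"], []).append(e)

    findings = []
    for name, items in by_name.items():
        refs = [e for e in items if is_reference_copy(e["path"])]
        live = [e for e in items if not is_reference_copy(e["path"])]
        if not refs:
            continue                      # nothing to compare against
        ref_hashes = {r["md5"] for r in refs}
        for e in live:
            if e["md5"] in ref_hashes:
                continue                  # identical to a store copy: fine
            same_size = any(r["size"] == e["size"] for r in refs)
            findings.append({
                "path": e["path"],
                "md5": e["md5"],
                "reference_md5s": sorted(ref_hashes),
                "same_size_as_reference": same_size,
                "verdict": ("modified in place: size unchanged, hash differs"
                            if same_size else "hash differs from WinSxS copy"),
            })
    return findings


if __name__ == "__main__":
    for f in find_live_copies_differing_from_winsxs(SAMPLE_LOG):
        print(f["path"], f["md5"], "->", f["verdict"])
```

A mismatch against WinSxS is a strong lead, not a proof on its own: the store can hold a different servicing level than the live file. Confirm with `sfc /verifyonly` or an Authenticode signature check before treating the file as patched.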
         
Then I'll wait and see what comes next, and thank you in advance for the enthusiasm and selflessness with which poor clods like me get helped here.

Regards,
fpueck

13.07.2012, 17:13   #2
markusg
/// Malware-holic
 
hi
If you do online banking, call your bank and have online banking blocked because of the ZeroAccess rootkit.
Since this rootkit is dangerous:
the PC must be reinstalled from scratch and then secured.
1. Data rescue:
2. Format and reinstall Windows:
3. Secure the PC: http://www.trojaner-board.de/96344-a...-rechners.html
I will also post further points on this.
4. Change all passwords!
5. After securing the PC, check the backed-up data and, if clean, restore it.
6. Then I will say something about securing online banking with a chip card reader + Star Money.

13.07.2012, 18:09   #3
fpueck
 
Many thanks already for taking on my problem so quickly!

I should perhaps add, by way of explanation, that the infected PC is purely a "fun PC" on which, apart from old documents (which still have nostalgic value), there are really only games. But that is exactly the crux: all of them exist for me only as digital downloads (i.e. without physical media), and my connection is incredibly slow and really belongs in an antique shop.
Reinstalling this system (which is not connected to my PC for office work and important documents) would, if I add it all up, mean weeks of downloading data, which is something I would really like to avoid if at all possible.

Is there, even if this probably makes the hairs on the back of your neck stand up, a way to remove this rootkit?
(Unfortunately the technical side means nothing at all to me in this case; 0-access sounds somehow like "can do anything, may do anything, without restriction".)

The computer is disconnected from the network for now and will stay that way, now that I have downloaded the relevant tools mentioned here in the forum.

Hopeful regards,
fpueck, who already deeply regrets his thoughtless, fatigue-induced misclick

15.07.2012, 21:24   #4
markusg
/// Malware-holic
 
hi
Such PCs can be used for crimes like sending spam or worse, so I guarantee nothing.
Combofix may only be run when a team member has instructed you to do so!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.
Please download Combofix from one of these download mirrors

Link 1
Link 2


IMPORTANT - Save Combofix to your desktop
  • Please disable all your antivirus and anti-malware/spyware scanners. They can interfere with Combofix's work.
Start Combofix.exe and follow the instructions on the screen.

When Combofix is finished, it will create a log file. Please post C:\Combofix.txt in your next reply.


Note: If you get the following error message after the restart
Quote:
Illegal operation attempted on a registry key that has been marked for deletion.
simply restart the computer. That should fix the problem.