
Log Analysis and Evaluation: Avira AntiVir detects WORM/Dorkbot.I.388


 
29.10.2012, 19:47   #1
Gwedhwen

Avira AntiVir detects WORM/Dorkbot.I.388



Hello everyone,

yesterday my mother wanted to use Skype and received the following message:

hi, hard to believe what nice photos of you are on your profile? (plus a link)

which she unfortunately also clicked. As she told me, a download started afterwards and then Skype froze. She closed the program via Task Manager and rebooted. Since no further problems appeared after that, she neither took any further steps nor told anyone about it.
Since I don't have a PC of my own at the moment, I use my parents' computer, and as almost always my external HDD was connected to it. When I wanted to access it today, I got a big surprise: all folders have been replaced by shortcuts. The folders themselves are still on the drive, but hidden. In addition there were 2 new folders, or rather these also appear as shortcuts:
$RECYCLE.BIN and System Volume Information
At first I was thoroughly confused; I asked my parents what had happened and then heard the story about Skype.
In the meantime Avira AntiVir has raised an alert and detected the WORM/Dorkbot.I.388 named in the subject.

While searching the web for information/help I came across you, and I hope you can help. I have also already put the log files together for you. (Hopefully I haven't forgotten anything.)

Malwarebytes Anti-Malware:
Code:
 Malwarebytes Anti-Malware  (Test) 1.65.1.1000
www.malwarebytes.org

Datenbank Version: v2012.10.29.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
DAHLMANN :: GERO-PC [Administrator]

Schutz: Deaktiviert

29.10.2012 17:04:32
mbam-log-2012-10-29 (17-04-32).txt

Art des Suchlaufs: Vollständiger Suchlauf (B:\|C:\|D:\|R:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 413769
Laufzeit: 1 Stunde(n), 27 Minute(n), 31 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{20C28584-8F10-4D92-987C-0A1008E2435A} (Trojan.Agent) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
OTL.txt:
Code:
OTL logfile created on: 29.10.2012 11:19:45 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\DAHLMANN\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,36 Gb Available Physical Memory | 67,92% Memory free
4,24 Gb Paging File | 3,08 Gb Available in Paging File | 72,71% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 453,55 Gb Total Space | 173,99 Gb Free Space | 38,36% Space Free | Partition Type: NTFS
Drive D: | 12,21 Gb Total Space | 1,67 Gb Free Space | 13,66% Space Free | Partition Type: NTFS
Drive R: | 465,75 Gb Total Space | 444,78 Gb Free Space | 95,50% Space Free | Partition Type: NTFS
 
Computer Name: GERO-PC | User Name: DAHLMANN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.10.29 10:28:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\DAHLMANN\Downloads\OTL.exe
PRC - [2012.09.29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012.09.13 14:26:52 | 001,006,448 | ---- | M] () -- C:\Windows\System32\dmwu.exe
PRC - [2012.08.23 14:40:04 | 000,188,760 | ---- | M] () -- C:\Programme\Web Assistant\ExtensionUpdaterService.exe
PRC - [2012.08.08 10:28:00 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.06.11 18:19:36 | 000,468,992 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2012.06.11 18:19:02 | 000,217,600 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2012.05.08 10:28:13 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.08 10:28:12 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.05.08 10:28:12 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011.10.15 09:53:00 | 001,328,960 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2009.08.11 13:51:32 | 005,586,664 | ---- | M] () -- C:\Windows\System32\WTMKM.exe
PRC - [2009.08.06 15:34:36 | 000,397,032 | ---- | M] () -- C:\Windows\System32\atwtusb.exe
PRC - [2009.04.11 07:28:06 | 000,304,128 | ---- | M] (Microsoft Corporation) -- C:\Programme\Common Files\microsoft shared\ink\TabTip.exe
PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 07:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2009.03.31 09:39:36 | 000,233,472 | ---- | M] (Teruten) -- C:\Windows\System32\FsUsbExService.Exe
PRC - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.21 03:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
PRC - [2008.01.21 03:25:32 | 000,198,656 | ---- | M] (Microsoft Corporation) -- C:\Programme\Common Files\microsoft shared\ink\InputPersonalization.exe
PRC - [2008.01.21 03:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Defender\MSASCui.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.06.12 21:34:34 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll
MOD - [2012.06.12 21:34:27 | 001,592,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll
MOD - [2012.06.12 21:34:03 | 014,329,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7343fbab1ba137db2f8b284047ef3f3c\PresentationFramework.ni.dll
MOD - [2012.06.12 21:33:43 | 012,219,392 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\7b6293b0c23321c255c2530aea8e32bb\PresentationCore.ni.dll
MOD - [2012.06.11 17:24:32 | 000,037,376 | ---- | M] () -- C:\Windows\System32\atitmpxx.dll
MOD - [2012.06.11 11:45:06 | 000,369,152 | ---- | M] () -- C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2012.05.11 18:24:22 | 000,187,904 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\5ebaa15cccc356bc3afba0c8f56977f7\UIAutomationTypes.ni.dll
MOD - [2012.05.11 18:24:22 | 000,060,928 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\5fd0071c259b92078ced7cd752a14730\UIAutomationProvider.ni.dll
MOD - [2012.05.11 18:23:00 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll
MOD - [2012.05.11 18:22:47 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll
MOD - [2012.05.11 05:03:01 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll
MOD - [2012.05.11 05:02:07 | 002,295,296 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\0f2b877ed16daa577f95be735a63d19c\System.Core.ni.dll
MOD - [2012.05.11 05:02:00 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c8c3ab08933fef9fb6657da871395c46\PresentationFramework.Aero.ni.dll
MOD - [2012.05.11 05:01:29 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\54426ee1881b42af5b090e223f43823c\WindowsBase.ni.dll
MOD - [2012.05.11 05:01:26 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
MOD - [2012.05.11 05:01:20 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
MOD - [2011.12.27 03:51:23 | 005,251,072 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2009.08.11 13:51:32 | 005,586,664 | ---- | M] () -- C:\Windows\System32\WTMKM.exe
MOD - [2009.03.30 05:42:12 | 000,434,176 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_de_b77a5c561934e089\System.Windows.Forms.resources.dll
MOD - [2009.03.30 05:42:12 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_de_b77a5c561934e089\System.resources.dll
MOD - [2009.03.30 05:42:11 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll
MOD - [2009.02.25 02:16:56 | 000,249,856 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\PresentationFramework.resources\3.0.0.0_de_31bf3856ad364e35\PresentationFramework.resources.dll
MOD - [2009.02.18 19:39:19 | 000,094,208 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\WindowsFormsIntegration\3.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll
MOD - [2006.08.29 08:29:00 | 000,180,224 | ---- | M] () -- C:\Windows\System32\ATWTINK.DLL
 
 
========== Services (SafeList) ==========
 
SRV - File not found [Auto | Stopped] -- C:\Windows\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - File not found [Auto | Stopped] -- C:\Windows\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2012.10.27 20:56:54 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.10.24 14:34:15 | 000,529,744 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.10.09 15:53:24 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.09.29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012.09.29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012.09.13 14:26:52 | 001,006,448 | ---- | M] () [Auto | Running] -- C:\Windows\System32\dmwu.exe -- (WebOptimizer)
SRV - [2012.08.23 14:40:04 | 000,188,760 | ---- | M] () [Auto | Running] -- C:\Programme\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
SRV - [2012.07.13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.06.11 18:19:02 | 000,217,600 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2012.05.08 10:28:13 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.08 10:28:12 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.08.06 15:34:36 | 000,397,032 | ---- | M] () [Auto | Running] -- C:\Windows\System32\atwtusb.exe -- (WTService)
SRV - [2009.03.31 09:39:36 | 000,233,472 | ---- | M] (Teruten) [Auto | Running] -- C:\Windows\System32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2008.04.07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Programme\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2008.02.03 12:00:00 | 000,129,992 | ---- | M] (EasyBits Sofware AS) [Auto | Running] -- C:\Windows\System32\ezsvc7.dll -- (ezSharedSvc)
SRV - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\pcdrndisuio.sys -- (PcdrNdisuio)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2012.09.29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012.06.11 19:58:44 | 008,733,696 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2012.06.11 17:25:48 | 000,295,936 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2012.05.08 10:28:13 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.05.08 10:28:13 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012.02.23 13:31:36 | 000,083,984 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtihdLH3.sys -- (AtiHDAudioService)
DRV - [2011.10.15 09:53:00 | 010,327,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2011.09.16 15:08:07 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2009.10.08 15:55:33 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.04.17 02:17:54 | 000,006,144 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\walvhid.sys -- (vhidmini)
DRV - [2009.03.31 09:39:36 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2009.03.20 10:01:26 | 000,121,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ss_bmdm.sys -- (ss_bmdm)
DRV - [2009.03.20 10:01:26 | 000,090,112 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ss_bbus.sys -- (ss_bbus)
DRV - [2009.03.20 10:01:26 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ss_bmdfl.sys -- (ss_bmdfl)
DRV - [2009.03.08 18:15:14 | 000,006,144 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\moufiltr.sys -- (moufiltr)
DRV - [2008.09.10 01:58:08 | 000,020,640 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Stopped] -- C:\Programme\PC-Doctor for Windows\pcd5srvc.pkms -- (PCD5SRVC{BD6912E3-AC9D80E8-05040000})
DRV - [2008.08.06 17:26:08 | 000,124,928 | ---- | M] (Realtek Corporation                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008.01.18 06:43:16 | 000,016,128 | ---- | M] (Razer USA Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Lycosa.sys -- (LycoFltr)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=91&bd=Presario&pf=cndt
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=91&bd=Presario&pf=cndt
IE - HKLM\..\SearchScopes,DefaultScope = {40D3AC7A-E5B4-4F36-827B-059A97D6CEE5}
IE - HKLM\..\SearchScopes\{40D3AC7A-E5B4-4F36-827B-059A97D6CEE5}: "URL" = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1145&query={searchTerms}&invocationType=tb50hpcndtie7-de-de
IE - HKLM\..\SearchScopes\{6A8F6064-A36C-4557-9A6C-51786DD4DADA}: "URL" = hxxp://de.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913933
IE - HKLM\..\SearchScopes\{D96191B8-3232-4398-9473-7DF4A20811F6}: "URL" = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06&type=ie2008
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.web.de/br/ie9_startpage
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://web.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{09038620-190C-402B-A92F-18864E6AB22F}: "URL" = hxxp://go.1und1.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKCU\..\SearchScopes\{40064957-18EB-412d-9146-3F57E8D92EEC}: "URL" = hxxp://go.web.de/br/ie9_search_pic/?su={searchTerms}
IE - HKCU\..\SearchScopes\{40D3AC7A-E5B4-4F36-827B-059A97D6CEE5}: "URL" = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1145&query={searchTerms}&invocationType=tb50hpcndtie7-de-de
IE - HKCU\..\SearchScopes\{5A817CF6-92D5-4DE5-AC38-82DF8A73EF28}: "URL" = hxxp://go.gmx.net/tb/ie_searchplugin/?su={searchTerms}
IE - HKCU\..\SearchScopes\{6A8F6064-A36C-4557-9A6C-51786DD4DADA}: "URL" = hxxp://de.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913933
IE - HKCU\..\SearchScopes\{6B1D1FB7-7233-4F7C-802C-21A1DDB12754}: "URL" = hxxp://go.web.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKCU\..\SearchScopes\{8D27B32E-89EE-460e-82D2-5FC354078EAD}: "URL" = hxxp://go.web.de/br/ie9_search_produkte/?su={searchTerms}
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = hxxp://mystart.incredibar.com/mb165/?search={searchTerms}&loc=IB_DS&a=6R8vUSfg15&i=26
IE - HKCU\..\SearchScopes\{D96191B8-3232-4398-9473-7DF4A20811F6}: "URL" = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06&type=ie2008
IE - HKCU\..\SearchScopes\{DAE8DCE8-B0E5-44F4-96E8-F2B9DA8D0546}: "URL" = hxxp://search.gmx.com/web?q={searchTerms}&origin=tb_splugin_ie
IE - HKCU\..\SearchScopes\{DCE59F23-A446-45a5-9459-E68FDC0DE38D}: "URL" = hxxp://go.web.de/br/ie9_search_maps/?su={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "google.de"
FF - prefs.js..extensions.enabledAddons: {0e3dbc69-a682-48da-84e1-82c63a5d678e}:3.15.1.0
FF - prefs.js..extensions.enabledAddons: {9A207F60-3F1C-4ED0-972D-0A4CDFBFF803}:1.0
FF - prefs.js..extensions.enabledAddons: {336D0C35-8A85-403a-B9D2-65C292C39087}:2.0.0.478
FF - prefs.js..extensions.enabledAddons: zigboom555@aol.com:2.0.7
FF - prefs.js..keyword.URL: "hxxp://mystart.incredibar.com/mb165/?loc=IB_DS&a=6R8vUSfg15&&i=26&search="
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011.12.15 22:30:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012.08.30 00:21:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012.09.17 10:48:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{9A207F60-3F1C-4ED0-972D-0A4CDFBFF803}: C:\Users\DAHLMANN\AppData\Roaming\13001.016 [2012.07.05 14:21:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.10.27 20:56:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.10.27 20:56:49 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{9A207F60-3F1C-4ED0-972D-0A4CDFBFF803}: C:\Users\DAHLMANN\AppData\Roaming\13001.016 [2012.07.05 14:21:32 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.10.27 20:56:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.10.27 20:56:49 | 000,000,000 | ---D | M]
 
[2011.11.23 19:38:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\Extensions
[2012.10.23 19:36:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\Firefox\Profiles\8wsknoc1.default\extensions
[2012.08.22 18:05:28 | 000,000,000 | ---D | M] (Bigpoint Games DE Community Toolbar) -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\Firefox\Profiles\8wsknoc1.default\extensions\{0e3dbc69-a682-48da-84e1-82c63a5d678e}
[2012.03.04 21:35:39 | 000,000,000 | ---D | M] ("Free YouTube Download (Free Studio) Menu") -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\Firefox\Profiles\8wsknoc1.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2012.10.23 08:03:13 | 000,000,000 | ---D | M] (LavaFox V2-Purple) -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\Firefox\Profiles\8wsknoc1.default\extensions\zigboom555@aol.com
[2012.08.22 13:21:07 | 000,741,958 | ---- | M] () (No name found) -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\firefox\profiles\8wsknoc1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2011.12.26 22:08:30 | 000,000,933 | ---- | M] () -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\firefox\profiles\8wsknoc1.default\searchplugins\11-suche.xml
[2011.12.26 22:08:31 | 000,002,419 | ---- | M] () -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\firefox\profiles\8wsknoc1.default\searchplugins\englische-ergebnisse.xml
[2011.12.26 22:08:30 | 000,010,525 | ---- | M] () -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\firefox\profiles\8wsknoc1.default\searchplugins\gmx-suche.xml
[2011.12.26 22:08:30 | 000,002,457 | ---- | M] () -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\firefox\profiles\8wsknoc1.default\searchplugins\lastminute.xml
[2012.06.13 23:53:08 | 000,002,203 | ---- | M] () -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\firefox\profiles\8wsknoc1.default\searchplugins\MyStart Search.xml
[2012.04.07 19:44:07 | 000,003,992 | ---- | M] () -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\firefox\profiles\8wsknoc1.default\searchplugins\sweetim.xml
[2011.12.26 22:08:30 | 000,005,508 | ---- | M] () -- C:\Users\DAHLMANN\AppData\Roaming\mozilla\firefox\profiles\8wsknoc1.default\searchplugins\webde-suche.xml
[2012.10.27 20:56:47 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2012.09.17 10:48:35 | 000,000,000 | ---D | M] (Web Assistant) -- C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
[2012.07.05 14:21:32 | 000,000,000 | ---D | M] (Java Link Helper) -- C:\USERS\DAHLMANN\APPDATA\ROAMING\13001.016
[2009.07.20 09:26:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2012.10.27 20:56:54 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.02.10 23:27:02 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.10.24 08:47:17 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.02.10 23:27:02 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.02.10 23:27:02 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.02.10 23:27:02 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.02.10 23:27:02 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Programme\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Programme\Web Assistant\Extension32.dll ()
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - {DFEFCDEE-CF1A-4FC8-89AF-189327213627} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C424171E-592A-415A-9EB1-DFD6D95D3530} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [MacrokeyManager] C:\Windows\System32\WTMKM.exe ()
O4 - HKLM..\Run: [NPSStartup]  File not found
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Nllklx] C:\Users\DAHLMANN\AppData\Roaming\Nllklx.exe (www.novell.com)
O8 - Extra context menu item: Free YouTube Download - C:\Users\DAHLMANN\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\DAHLMANN\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Web-Suche - C:\Program Files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} hxxp://kitchenplanner.ikea.com/DE/Core/Player/2020PlayerAX_IKEA_Win32.cab (20-20 3D Viewer for IKEA)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} hxxp://www.o2c.de/download/o2cplayer.cab (o2c Player (ELECO Software GmbH))
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.7.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1203B36D-2B94-4182-B849-2B0372C74BAE}: NameServer = 62.220.18.8 89.246.64.8
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\DAHLMANN\Pictures\Da bin ich.JPG
O24 - Desktop BackupWallPaper: C:\Users\DAHLMANN\Pictures\Da bin ich.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{b8204fbe-bfc1-11e1-a8f1-861e98592deb}\Shell - "" = AutoRun
O33 - MountPoints2\{b8204fbe-bfc1-11e1-a8f1-861e98592deb}\Shell\AutoRun\command - "" = F:\Start.exe 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.10.29 10:26:59 | 000,000,000 | ---D | C] -- C:\Program Files\AMD APP
[2012.10.29 10:19:04 | 000,165,888 | R--- | C] (www.novell.com) -- C:\Users\DAHLMANN\AppData\Roaming\Nllklx.exe
[2012.10.28 21:49:14 | 000,000,000 | ---D | C] -- C:\Users\DAHLMANN\AppData\Roaming\Malwarebytes
[2012.10.28 21:49:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.10.28 21:49:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.10.28 21:49:02 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.10.28 21:49:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.10.27 20:56:46 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012.10.19 20:22:47 | 000,000,000 | ---D | C] -- C:\Users\DAHLMANN\AppData\Roaming\Alien Skin
[2012.10.06 21:17:02 | 000,000,000 | ---D | C] -- C:\Users\DAHLMANN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2012.10.06 21:15:29 | 000,000,000 | ---D | C] -- C:\Users\DAHLMANN\AppData\Roaming\Dropbox
[2012.10.01 19:48:58 | 000,000,000 | ---D | C] -- C:\Users\DAHLMANN\AppData\Roaming\Skype
[2012.10.01 19:48:48 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2012.10.01 19:48:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012.10.01 19:48:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012.10.01 19:48:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2012.10.01 09:40:13 | 000,000,000 | ---D | C] -- C:\Users\DAHLMANN\Neuer Ordner
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\DAHLMANN\AppData\Roaming\*.tmp files -> C:\Users\DAHLMANN\AppData\Roaming\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012.10.29 10:53:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.10.29 10:27:09 | 000,000,000 | ---- | M] () -- C:\Users\DAHLMANN\defogger_reenable
[2012.10.29 10:24:13 | 000,618,204 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.10.29 10:24:13 | 000,586,980 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.10.29 10:24:13 | 000,122,636 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.10.29 10:24:13 | 000,101,052 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.10.29 10:19:04 | 000,165,888 | R--- | M] (www.novell.com) -- C:\Users\DAHLMANN\AppData\Roaming\Nllklx.exe
[2012.10.29 10:17:48 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2012.10.29 10:17:41 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012.10.29 10:17:41 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012.10.29 10:17:37 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.10.29 10:17:31 | 2145,574,912 | -HS- | M] () -- C:\hiberfil.sys
[2012.10.28 21:28:59 | 000,040,760 | ---- | M] () -- C:\Users\DAHLMANN\Desktop\Biblographie Roberts_Robb.odt
[2012.10.28 20:59:09 | 002,402,837 | ---- | M] () -- C:\Users\DAHLMANN\Adventkaffee.png
[2012.10.28 20:59:09 | 000,394,221 | ---- | M] () -- C:\Users\DAHLMANN\.recently-used.xbel
[2012.10.28 18:53:48 | 000,000,000 | ---- | M] () -- C:\Users\DAHLMANN\AppData\Roaming\CE96.exe
[2012.10.28 18:13:40 | 000,049,664 | ---- | M] () -- C:\Users\DAHLMANN\AppData\Roaming\11CB.exe
[2012.10.24 08:44:49 | 000,397,272 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.10.08 07:37:11 | 000,020,690 | ---- | M] () -- C:\Users\DAHLMANN\Documents\cc_20121008_083706.reg
[2012.09.29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\DAHLMANN\AppData\Roaming\*.tmp files -> C:\Users\DAHLMANN\AppData\Roaming\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012.10.29 10:27:09 | 000,000,000 | ---- | C] () -- C:\Users\DAHLMANN\defogger_reenable
[2012.10.28 20:59:09 | 000,394,221 | ---- | C] () -- C:\Users\DAHLMANN\.recently-used.xbel
[2012.10.28 20:59:03 | 002,402,837 | ---- | C] () -- C:\Users\DAHLMANN\Adventkaffee.png
[2012.10.28 18:53:48 | 000,000,000 | ---- | C] () -- C:\Users\DAHLMANN\AppData\Roaming\CE96.exe
[2012.10.28 18:13:40 | 000,049,664 | ---- | C] () -- C:\Users\DAHLMANN\AppData\Roaming\11CB.exe
[2012.10.21 23:44:07 | 000,040,760 | ---- | C] () -- C:\Users\DAHLMANN\Desktop\Biblographie Roberts_Robb.odt
[2012.10.19 19:08:30 | 000,001,093 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xenofex 2 Manual.lnk
[2012.10.08 07:37:09 | 000,020,690 | ---- | C] () -- C:\Users\DAHLMANN\Documents\cc_20121008_083706.reg
[2012.09.28 15:36:56 | 000,180,224 | ---- | C] () -- C:\Windows\System32\clinfo.exe
[2012.09.17 10:48:41 | 001,006,448 | ---- | C] () -- C:\Windows\System32\dmwu.exe
[2012.09.17 10:48:41 | 000,028,160 | ---- | C] () -- C:\Windows\System32\ImHttpComm.dll
[2012.08.16 19:49:23 | 000,160,831 | ---- | C] () -- C:\Windows\Sqirlz Water Reflections Uninstaller.exe
[2012.07.05 18:20:15 | 000,000,013 | ---- | C] () -- C:\Users\DAHLMANN\AppData\Roaming\urhtps.dat
[2012.07.04 16:23:54 | 000,000,051 | ---- | C] () -- C:\Users\DAHLMANN\AppData\Roaming\blckdom.res
[2012.06.13 23:24:32 | 005,586,664 | ---- | C] () -- C:\Windows\System32\WTMKM.exe
[2012.06.13 23:24:32 | 000,397,032 | ---- | C] () -- C:\Windows\System32\atwtusb.exe
[2012.06.13 23:24:32 | 000,118,432 | ---- | C] () -- C:\Windows\System32\Calibration.exe
[2012.06.13 23:24:32 | 000,045,056 | ---- | C] () -- C:\Windows\System32\InstallService.exe
[2012.06.13 23:24:31 | 000,180,224 | ---- | C] () -- C:\Windows\System32\ATWTINK.DLL
[2012.06.13 23:24:31 | 000,106,216 | ---- | C] () -- C:\Windows\RmTablet.exe
[2012.06.13 23:24:31 | 000,010,251 | ---- | C] () -- C:\Windows\System32\Default_2.ini
[2012.06.13 23:24:31 | 000,009,868 | ---- | C] () -- C:\Windows\System32\Default_1.ini
[2012.06.13 23:24:31 | 000,008,229 | ---- | C] () -- C:\Windows\aiptbl.ini
[2012.06.13 23:24:31 | 000,000,677 | ---- | C] () -- C:\Windows\System32\MKProfile.ini
[2012.04.12 20:30:10 | 000,637,743 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011.12.12 11:48:40 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011.11.21 21:35:22 | 000,000,064 | ---- | C] () -- C:\Windows\GPlrLanc.dat
[2011.10.26 02:20:30 | 000,037,376 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2011.10.25 21:21:34 | 000,056,832 | ---- | C] () -- C:\Windows\System32\OVDecoder.dll
[2011.09.12 23:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2011.07.14 10:21:38 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2011.04.03 23:12:22 | 000,000,038 | ---- | C] () -- C:\Windows\System32\ZX9EQJT7_{7163EAD3-00C3-454F-A6D3-D2F9BE5F046E}.dat
[2011.02.22 16:18:42 | 000,000,192 | ---- | C] () -- C:\Users\DAHLMANN\AppData\Roaming\wklnhst.dat
[2011.02.06 14:59:53 | 000,018,432 | ---- | C] () -- C:\Users\DAHLMANN\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.02.06 13:03:26 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
[2011.02.06 13:03:26 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
[2009.07.12 14:54:00 | 000,002,032 | ---- | C] () -- C:\Users\DAHLMANN\AppData\Local\d3d9caps.dat
 
========== ZeroAccess Check ==========
 
[2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 18:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 07:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 07:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2011.12.26 15:46:09 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\1&1 Mail & Media GmbH
[2012.07.04 16:24:06 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\13001.014
[2012.07.04 17:22:40 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\13001.015
[2012.07.05 14:21:32 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\13001.016
[2012.10.19 20:22:47 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\Alien Skin
[2011.10.07 10:23:35 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\Canneverbe Limited
[2012.10.24 20:07:34 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\Dropbox
[2012.03.04 21:35:48 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\DVDVideoSoft
[2012.03.04 21:35:38 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\DVDVideoSoftIEHelpers
[2011.02.28 19:35:53 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\EPSON
[2011.01.09 14:28:44 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\FloodLightGames
[2011.11.08 00:43:37 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\FOG Downloader
[2012.10.28 20:59:09 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\gtk-2.0
[2012.07.04 16:23:45 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\kock
[2011.07.14 10:37:54 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\OpenOffice.org
[2011.02.06 13:21:16 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\PC Suite
[2011.06.27 22:26:06 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\Pogo Games
[2011.02.06 13:03:11 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\Samsung
[2011.07.14 10:00:03 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\Template
[2012.01.10 12:39:42 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\toolplugin
[2012.07.05 17:41:27 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\UAs
[2010.04.02 18:18:00 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\WinBatch
[2012.07.05 17:41:53 | 000,000,000 | ---D | M] -- C:\Users\DAHLMANN\AppData\Roaming\xmldm
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 184 bytes -> C:\ProgramData\Temp:0888F409
@Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:588B60C7

< End of report >
         
Extras.txt:
Code:
OTL Extras logfile created on: 29.10.2012 11:19:45 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\DAHLMANN\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,36 Gb Available Physical Memory | 67,92% Memory free
4,24 Gb Paging File | 3,08 Gb Available in Paging File | 72,71% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 453,55 Gb Total Space | 173,99 Gb Free Space | 38,36% Space Free | Partition Type: NTFS
Drive D: | 12,21 Gb Total Space | 1,67 Gb Free Space | 13,66% Space Free | Partition Type: NTFS
Drive R: | 465,75 Gb Total Space | 444,78 Gb Free Space | 95,50% Space Free | Partition Type: NTFS
 
Computer Name: GERO-PC | User Name: DAHLMANN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0068029A-B116-4D49-8678-A984FFDED2EF}" = lport=445 | protocol=6 | dir=in | app=system | 
"{2F84DDA7-B8DC-4F99-9CD7-CDE2DF2CEC43}" = lport=139 | protocol=6 | dir=in | app=system | 
"{33CFB0F7-598F-48C3-BC6A-2CA741E8EBB3}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{3761CBA1-1873-4D87-8752-121C983C4B93}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{4846AAC2-DACC-4B93-840A-5B781946501E}" = rport=138 | protocol=17 | dir=out | app=system | 
"{4B084D7E-1726-487A-B47F-BE1AAE5C75BD}" = lport=138 | protocol=17 | dir=in | app=system | 
"{55B3A1F4-4494-44C5-9CE8-922BB5AE638B}" = lport=137 | protocol=17 | dir=in | app=system | 
"{C0AC44FA-1CF1-40FD-AC98-3E795C41D02F}" = rport=445 | protocol=6 | dir=out | app=system | 
"{D0A0C0FB-319D-4AF9-9623-80E4247C9113}" = rport=137 | protocol=17 | dir=out | app=system | 
"{EFFB3AD1-553C-42D7-B728-B4DDE1268E08}" = rport=139 | protocol=6 | dir=out | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{080DE684-EDEF-4CD9-9579-0DD7D9EB3A27}" = dir=in | app=c:\program files\itunes\itunes.exe | 
"{08BD93D2-8ACE-4BB1-B878-D2FAA8E855AC}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe | 
"{1075F1D0-1DB8-44C1-8FB1-99D76155F610}" = protocol=6 | dir=in | app=r:\games\steam\steam.exe | 
"{10E976F7-3713-4D68-9707-79F661D8A7DD}" = protocol=6 | dir=in | app=r:\games\steam\steamapps\common\blades of time\bladesoftime.exe | 
"{158863FB-48B6-4F9D-A02D-FBB7E966E793}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{1D3CD3ED-2D97-4747-96CB-CF2FCABEEDA4}" = protocol=17 | dir=in | app=r:\games\steam\steamapps\common\blades of time\bladesoftime.exe | 
"{3F13BDBD-A749-4B2D-90E8-0B7032DC4F6A}" = protocol=6 | dir=in | app=c:\windows\system32\arfc\wrtc.exe | 
"{4C1DB663-9628-4562-B1A4-D105C57977E0}" = protocol=17 | dir=in | app=c:\windows\system32\dmwu.exe | 
"{523E50CA-C6D0-446A-BDE7-35E56695AEAB}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{6AC4E75A-79B8-4DB4-991E-9E55E61869CE}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{6B65A8FC-C84C-4439-B15E-1DB3B06DBD18}" = protocol=17 | dir=in | app=r:\games\steam\steam.exe | 
"{6B7672D5-88BD-46E9-8399-E2B1798D01DE}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe | 
"{874D150C-4275-4F2F-BFD0-0744157062EC}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{944F65A9-07B6-4C77-9157-50A7772B4577}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe | 
"{9FC1EC6B-2E73-447E-8649-157FD94E70D2}" = protocol=6 | dir=in | app=c:\windows\system32\msiexec.exe | 
"{A981034D-3AB5-4867-BF7C-C4AF0DED76A5}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{A9B1A99E-5F29-431D-97F5-3C968DE1205B}" = dir=in | app=c:\program files\skype\phone\skype.exe | 
"{B3E35E8B-A3E5-4120-92CB-EEC80ACCADDD}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe | 
"{E29DC291-523F-40D8-B36B-F6B952546ADA}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe | 
"{F2222BEF-5631-4A8F-BC91-17473D714F06}" = protocol=17 | dir=in | app=c:\windows\system32\arfc\wrtc.exe | 
"{F3BBFF7B-87A4-4371-9B81-F260F7AEA9C4}" = protocol=17 | dir=in | app=c:\windows\system32\msiexec.exe | 
"{F7C61352-3691-4AFB-9FDD-D1E339DC04BF}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{FD046431-D388-4BE4-85B3-A84A6F26B0BA}" = protocol=6 | dir=in | app=c:\windows\system32\dmwu.exe | 
"TCP Query User{041F4DC0-498C-4BC4-B331-1FC635395B50}C:\program files\rom\client.exe" = protocol=6 | dir=in | app=c:\program files\rom\client.exe | 
"TCP Query User{7DC6E08F-CBDD-45B4-952C-F86CBACDAED8}C:\stick rebby\eclipse\eclipse.exe" = protocol=6 | dir=in | app=c:\stick rebby\eclipse\eclipse.exe | 
"TCP Query User{CF96DD63-8382-4A3B-8A12-A699CB7A2A7E}C:\program files\rom\launcher.exe" = protocol=6 | dir=in | app=c:\program files\rom\launcher.exe | 
"UDP Query User{0179A92A-5CC5-4798-85AB-AD5D05D0D229}C:\stick rebby\eclipse\eclipse.exe" = protocol=17 | dir=in | app=c:\stick rebby\eclipse\eclipse.exe | 
"UDP Query User{2404FF9F-5DA9-4BFB-8098-D56786A68837}C:\program files\rom\launcher.exe" = protocol=17 | dir=in | app=c:\program files\rom\launcher.exe | 
"UDP Query User{6EF4AA18-0635-43A4-B7F9-841B397215CF}C:\program files\rom\client.exe" = protocol=17 | dir=in | app=c:\program files\rom\client.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{14DDF23F-414A-46DB-4762-56569080292C}" = CCC Help Russian
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21D6A73A-48E6-2195-C408-2158273A914E}" = Catalyst Control Center Localization All
"{2222706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0 SDK
"{2596DB11-997F-FC5B-F5C2-737623D9D8B6}" = Catalyst Control Center
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java(TM) 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{28904D9A-13A6-ECA2-48D8-21542759D998}" = CCC Help Polish
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2C8BBDA6-79A7-B2DE-3E5B-287E7F667C67}" = CCC Help Danish
"{2E119961-E99B-C147-9AC3-A93683172DC1}" = CCC Help Swedish
"{2FA75B40-17C9-4D22-88CA-80A5D52FAB13}" = LightScribe System Software
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0170040}" = Java SE Development Kit 7 Update 4
"{336D0C35-8A85-403a-B9D2-65C292C39087}_is1" = Web Assistant 2.0.0.478
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{4286716B-1287-48E7-9078-3DC8248DBA96}" = OpenOffice.org 3.3
"{44ED90A1-453B-5C9A-D9ED-80D8AB0258B8}" = CCC Help Thai
"{45E00595-897E-64B6-28F9-5D0927EBA4A5}" = CCC Help Chinese Standard
"{46DE5F4E-BA8B-AC9E-0EED-05B7D93AD215}" = CCC Help Spanish
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5B04E832-4530-B8FF-F742-8BE25ADD43BD}" = CCC Help German
"{5ED93D68-5EAA-9343-9B74-B1E276217264}" = CCC Help Dutch
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
"{6D185295-DE89-9C39-18E6-310C148836EB}" = CCC Help Chinese Traditional
"{71A8F958-D272-E262-7C9A-7B8F713EE0C3}" = CCC Help French
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7513D3F0-55BC-273C-7A53-488394EDBFCC}" = CCC Help Italian
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{79AA9BFA-F962-A1E9-71CE-D0887A92444C}" = CCC Help Portuguese
"{7ACEF1BF-9306-5AD7-5F30-ECE72A81E924}" = CCC Help Finnish
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{83721450-E604-4C37-ABEB-CE7F18C587C8}" = LightScribe Template Labeler
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C1EC871-05B9-03B7-96F6-9BD5C0D8F41D}" = Catalyst Control Center Graphics Previews Common
"{A0640EC2-B97E-4FC1-AD14-227C9E386BB4}" = HP Recovery Manager RSS
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A2F166A0-F031-4E27-A057-C69733219434}_is1" = Runes of Magic
"{A48B9CD8-C2BA-4EC9-0081-7260D238C7CF}" = Need for Speed™ Most Wanted
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.2 - Deutsch
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B83FC356-B7C0-441F-8A4D-D71E088E7974}" = NVIDIA PhysX
"{C028F57F-603A-AB6E-F2D0-1374EA538F8A}" = ccc-utility
"{C4129D57-5C83-3BF0-A11A-3798C008C6C7}" = CCC Help Greek
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0BC4101-6C30-ECFF-F693-63408134F29B}" = CCC Help Czech
"{D2402DAD-B180-A4A0-261D-4A8933BFBFEE}" = CCC Help Japanese
"{D5068813-9F8D-9F7A-92C0-A3EECBA2D82B}" = AMD Catalyst Install Manager
"{DA7E8D81-2B14-415B-8FC5-02CE4CF9F839}" = CCC Help Hungarian
"{DB3FBD3C-A061-34C9-0A2B-6CCDD8C96640}" = CCC Help Turkish
"{E086E914-2928-48F9-364B-0C715DFF6A45}" = CCC Help Korean
"{E2F0AF23-FE2F-4222-9A43-55E63CC41EF1}" = Catalyst Control Center - Branding
"{E8F30BD6-ABAB-C24E-E9A7-BF67EB96152C}" = CCC Help Norwegian
"{E9A5B6CD-7ABB-F295-2E11-F25BC322FF80}" = CCC Help English
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{F6D6B258-E3CA-4AAC-965A-68D3E3140A8C}" = iTunes
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 9.20
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"CCleaner" = CCleaner
"Defraggler" = Defraggler
"DivX Setup" = DivX-Setup
"DVD Flick_is1" = DVD Flick 1.3.0.7
"EPSON BX300F Series" = EPSON BX300F Series Printer Uninstall
"EPSON Scanner" = EPSON Scan
"FormatFactory" = FormatFactory 2.70
"Free ISO Creator (by minidvdsoft)_is1" = Free ISO Creator version 2.8
"Free Video Dub_is1" = Free Video Dub version 1.8.12.804
"Free YouTube Download_is1" = Free YouTube Download version 3.0.13.815
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.10.17.221
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.65.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 16.0.2 (x86 de)" = Mozilla Firefox 16.0.2 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NirSoft IE PassView" = NirSoft IE PassView
"PC-Doctor for Windows" = Hardware Diagnose Tools
"RealPlayer 15.0" = RealPlayer
"Rmtablet" = Pen Pad Driver with Macro Key Manager
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile Modem Device" = Samsung Mobile Modem Device Software
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SAMSUNG USB Mobile Device" = SAMSUNG USB Mobile Device Software
"Sqirlz Water Reflections" = Sqirlz Water Reflections
"Steam App 208670" = Blades of Time
"SystemRequirementsLab" = System Requirements Lab
"Venetica_is1" = Venetica
"VirtualCloneDrive" = VirtualCloneDrive
"VLC media player" = VLC media player 1.1.11
"WildTangent hp Master Uninstall" = My HP Games
"WinGimp-2.0_is1" = GIMP 2.6.11
"WNLT" = Web Optimizer
"Xenofex2" = Alien Skin Xenofex 2.0
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 18.05.2012 02:20:23 | Computer Name = Gero-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 18.05.2012 06:55:09 | Computer Name = Gero-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 18.05.2012 06:56:42 | Computer Name = Gero-PC | Source = RasClient | ID = 20227
Description = 
 
Error - 18.05.2012 08:48:03 | Computer Name = Gero-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 19.05.2012 03:01:42 | Computer Name = Gero-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 19.05.2012 03:29:51 | Computer Name = Gero-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 19.05.2012 15:34:41 | Computer Name = Gero-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 20.05.2012 02:55:38 | Computer Name = Gero-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 20.05.2012 02:56:42 | Computer Name = Gero-PC | Source = RasClient | ID = 20227
Description = 
 
Error - 20.05.2012 05:33:56 | Computer Name = Gero-PC | Source = WinMgmt | ID = 10
Description = 
 
[ System Events ]
Error - 28.10.2012 13:09:02 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7023
Description = 
 
Error - 28.10.2012 13:09:02 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 28.10.2012 16:27:49 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7023
Description = 
 
Error - 28.10.2012 16:27:49 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7023
Description = 
 
Error - 28.10.2012 16:27:49 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 29.10.2012 05:19:14 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7023
Description = 
 
Error - 29.10.2012 05:19:14 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7023
Description = 
 
Error - 29.10.2012 05:19:14 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 29.10.2012 05:19:14 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7011
Description = 
 
Error - 29.10.2012 05:19:39 | Computer Name = Gero-PC | Source = Service Control Manager | ID = 7011
Description = 
 
 
< End of report >
         
gmer.txt:
Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-10-29 16:06:14
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-2 Hitachi_HDP725050GLA360 rev.GM4OA57A
Running: jc88shrb.exe; Driver: C:\Users\DAHLMANN\AppData\Local\Temp\kwldqpog.sys


---- System - GMER 1.0.15 ----

SSDT   89118186                                                                                                          ZwCreateSection
SSDT   89118190                                                                                                          ZwRequestWaitReplyPort
SSDT   8911818B                                                                                                          ZwSetContextThread
SSDT   89118195                                                                                                          ZwSetSecurityObject
SSDT   8911819A                                                                                                          ZwSystemDebugControl
SSDT   89118127                                                                                                          ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetEvent + 215                                                                                     828AE8D8 4 Bytes  [86, 81, 11, 89]
.text  ntkrnlpa.exe!KeSetEvent + 539                                                                                     828AEBFC 4 Bytes  [90, 81, 11, 89]
.text  ntkrnlpa.exe!KeSetEvent + 56D                                                                                     828AEC30 4 Bytes  [8B, 81, 11, 89]
.text  ntkrnlpa.exe!KeSetEvent + 5D1                                                                                     828AEC94 4 Bytes  [95, 81, 11, 89]
.text  ntkrnlpa.exe!KeSetEvent + 619                                                                                     828AECDC 4 Bytes  [9A, 81, 11, 89]
.text  ...                                                                                                               
.text  C:\Windows\system32\DRIVERS\atikmdag.sys                                                                          section is writeable [0x8C802000, 0x1456A8, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Windows\system32\taskeng.exe[2056] ntdll.dll!LdrLoadDll                                                        779B9378 5 Bytes  JMP 020F5300 
.text  C:\Windows\system32\taskeng.exe[2056] ntdll.dll!NtEnumerateValueKey                                               779F4704 5 Bytes  JMP 020F6390 
.text  C:\Windows\system32\taskeng.exe[2056] ntdll.dll!NtQueryDirectoryFile                                              779F4C24 5 Bytes  JMP 020F6640 
.text  C:\Windows\system32\taskeng.exe[2056] ntdll.dll!NtResumeThread                                                    779F5024 5 Bytes  JMP 020F53D0 
.text  C:\Windows\system32\taskeng.exe[2056] kernel32.dll!MoveFileW                                                      76E2A2F2 5 Bytes  JMP 020F2570 
.text  C:\Windows\system32\taskeng.exe[2056] kernel32.dll!CopyFileW                                                      76E302A9 5 Bytes  JMP 020F10A0 
.text  C:\Windows\system32\taskeng.exe[2056] kernel32.dll!CreateFileW                                                    76E6B0EB 5 Bytes  JMP 020F1290 
.text  C:\Windows\system32\taskeng.exe[2056] kernel32.dll!CreateFileA                                                    76E6D07F 5 Bytes  JMP 020F11C0 
.text  C:\Windows\system32\taskeng.exe[2056] kernel32.dll!CopyFileA                                                      76E72653 5 Bytes  JMP 020F1000 
.text  C:\Windows\system32\taskeng.exe[2056] kernel32.dll!MoveFileA                                                      76EAF7A1 5 Bytes  JMP 020F2510 
.text  C:\Windows\system32\taskeng.exe[2056] WS2_32.dll!GetAddrInfoW                                                     77B93D12 5 Bytes  JMP 020F1D10 
.text  C:\Windows\system32\taskeng.exe[2056] WS2_32.dll!send                                                             77B9659B 5 Bytes  JMP 020F7250 
.text  C:\Windows\system32\taskeng.exe[2056] WININET.dll!HttpSendRequestW                                                76C0632D 5 Bytes  JMP 020F2160 
.text  C:\Windows\system32\taskeng.exe[2056] WININET.dll!InternetWriteFile                                               76C1F6C6 5 Bytes  JMP 020F23A0 
.text  C:\Windows\system32\taskeng.exe[2056] WININET.dll!HttpSendRequestA                                                76C3525A 5 Bytes  JMP 020F20A0 
.text  C:\Windows\system32\Dwm.exe[2076] ntdll.dll!LdrLoadDll                                                            779B9378 5 Bytes  JMP 00E15300 
.text  C:\Windows\system32\Dwm.exe[2076] ntdll.dll!NtEnumerateValueKey                                                   779F4704 5 Bytes  JMP 00E16390 
.text  C:\Windows\system32\Dwm.exe[2076] ntdll.dll!NtQueryDirectoryFile                                                  779F4C24 5 Bytes  JMP 00E16640 
.text  C:\Windows\system32\Dwm.exe[2076] ntdll.dll!NtResumeThread                                                        779F5024 5 Bytes  JMP 00E153D0 
.text  C:\Windows\system32\Dwm.exe[2076] kernel32.dll!MoveFileW                                                          76E2A2F2 5 Bytes  JMP 00E12570 
.text  C:\Windows\system32\Dwm.exe[2076] kernel32.dll!CopyFileW                                                          76E302A9 5 Bytes  JMP 00E110A0 
.text  C:\Windows\system32\Dwm.exe[2076] kernel32.dll!CreateFileW                                                        76E6B0EB 5 Bytes  JMP 00E11290 
.text  C:\Windows\system32\Dwm.exe[2076] kernel32.dll!CreateFileA                                                        76E6D07F 5 Bytes  JMP 00E111C0 
.text  C:\Windows\system32\Dwm.exe[2076] kernel32.dll!CopyFileA                                                          76E72653 5 Bytes  JMP 00E11000 
.text  C:\Windows\system32\Dwm.exe[2076] kernel32.dll!MoveFileA                                                          76EAF7A1 5 Bytes  JMP 00E12510 
.text  C:\Windows\system32\Dwm.exe[2076] WS2_32.dll!GetAddrInfoW                                                         77B93D12 5 Bytes  JMP 00E11D10 
.text  C:\Windows\system32\Dwm.exe[2076] WS2_32.dll!send                                                                 77B9659B 5 Bytes  JMP 00E17250 
.text  C:\Windows\system32\Dwm.exe[2076] WININET.dll!HttpSendRequestW                                                    76C0632D 5 Bytes  JMP 00E12160 
.text  C:\Windows\system32\Dwm.exe[2076] WININET.dll!InternetWriteFile                                                   76C1F6C6 5 Bytes  JMP 00E123A0 
.text  C:\Windows\system32\Dwm.exe[2076] WININET.dll!HttpSendRequestA                                                    76C3525A 5 Bytes  JMP 00E120A0 
.text  C:\Windows\Explorer.EXE[2200] ntdll.dll!LdrLoadDll                                                                779B9378 5 Bytes  JMP 04395300 
.text  C:\Windows\Explorer.EXE[2200] ntdll.dll!NtEnumerateValueKey                                                       779F4704 5 Bytes  JMP 04396390 
.text  C:\Windows\Explorer.EXE[2200] ntdll.dll!NtQueryDirectoryFile                                                      779F4C24 5 Bytes  JMP 04396640 
.text  C:\Windows\Explorer.EXE[2200] ntdll.dll!NtResumeThread                                                            779F5024 5 Bytes  JMP 043953D0 
.text  C:\Windows\Explorer.EXE[2200] kernel32.dll!MoveFileW                                                              76E2A2F2 5 Bytes  JMP 04392570 
.text  C:\Windows\Explorer.EXE[2200] kernel32.dll!CopyFileW                                                              76E302A9 5 Bytes  JMP 043910A0 
.text  C:\Windows\Explorer.EXE[2200] kernel32.dll!CreateFileW                                                            76E6B0EB 5 Bytes  JMP 04391290 
.text  C:\Windows\Explorer.EXE[2200] kernel32.dll!CreateFileA                                                            76E6D07F 5 Bytes  JMP 043911C0 
.text  C:\Windows\Explorer.EXE[2200] kernel32.dll!CopyFileA                                                              76E72653 5 Bytes  JMP 04391000 
.text  C:\Windows\Explorer.EXE[2200] kernel32.dll!MoveFileA                                                              76EAF7A1 5 Bytes  JMP 04392510 
.text  C:\Windows\Explorer.EXE[2200] WS2_32.dll!GetAddrInfoW                                                             77B93D12 5 Bytes  JMP 04391D10 
.text  C:\Windows\Explorer.EXE[2200] WS2_32.dll!send                                                                     77B9659B 5 Bytes  JMP 04397250 
.text  C:\Windows\Explorer.EXE[2200] WININET.dll!HttpSendRequestW                                                        76C0632D 5 Bytes  JMP 04392160 
.text  C:\Windows\Explorer.EXE[2200] WININET.dll!InternetWriteFile                                                       76C1F6C6 5 Bytes  JMP 043923A0 
.text  C:\Windows\Explorer.EXE[2200] WININET.dll!HttpSendRequestA                                                        76C3525A 5 Bytes  JMP 043920A0 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] ntdll.dll!LdrLoadDll                          779B9378 5 Bytes  JMP 00A15300 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] ntdll.dll!NtEnumerateValueKey                 779F4704 5 Bytes  JMP 00A16390 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] ntdll.dll!NtQueryDirectoryFile                779F4C24 5 Bytes  JMP 00A16640 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] ntdll.dll!NtResumeThread                      779F5024 5 Bytes  JMP 00A153D0 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] KERNEL32.dll!MoveFileW                        76E2A2F2 5 Bytes  JMP 00A12570 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] KERNEL32.dll!CopyFileW                        76E302A9 5 Bytes  JMP 00A110A0 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] KERNEL32.dll!CreateFileW                      76E6B0EB 5 Bytes  JMP 00A11290 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] KERNEL32.dll!CreateFileA                      76E6D07F 5 Bytes  JMP 00A111C0 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] KERNEL32.dll!CopyFileA                        76E72653 5 Bytes  JMP 00A11000 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] KERNEL32.dll!MoveFileA                        76EAF7A1 5 Bytes  JMP 00A12510 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] WS2_32.dll!GetAddrInfoW                       77B93D12 5 Bytes  JMP 00A11D10 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] WS2_32.dll!send                               77B9659B 5 Bytes  JMP 00A17250 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] WININET.dll!HttpSendRequestW                  76C0632D 5 Bytes  JMP 00A12160 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] WININET.dll!InternetWriteFile                 76C1F6C6 5 Bytes  JMP 00A123A0 
.text  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2440] WININET.dll!HttpSendRequestA                  76C3525A 5 Bytes  JMP 00A120A0 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] ntdll.dll!LdrLoadDll                                     779B9378 5 Bytes  JMP 000E5300 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] ntdll.dll!NtEnumerateValueKey                            779F4704 5 Bytes  JMP 000E6390 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] ntdll.dll!NtQueryDirectoryFile                           779F4C24 5 Bytes  JMP 000E6640 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] ntdll.dll!NtResumeThread                                 779F5024 5 Bytes  JMP 000E53D0 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] kernel32.dll!MoveFileW                                   76E2A2F2 5 Bytes  JMP 000E2570 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] kernel32.dll!CopyFileW                                   76E302A9 5 Bytes  JMP 000E10A0 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] kernel32.dll!CreateFileW                                 76E6B0EB 5 Bytes  JMP 000E1290 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] kernel32.dll!CreateFileA                                 76E6D07F 5 Bytes  JMP 000E11C0 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] kernel32.dll!CopyFileA                                   76E72653 5 Bytes  JMP 000E1000 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] kernel32.dll!MoveFileA                                   76EAF7A1 5 Bytes  JMP 000E2510 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] WS2_32.dll!GetAddrInfoW                                  77B93D12 5 Bytes  JMP 000E1D10 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] WS2_32.dll!send                                          77B9659B 5 Bytes  JMP 000E7250 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] WININET.dll!HttpSendRequestW                             76C0632D 5 Bytes  JMP 000E2160 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] WININET.dll!InternetWriteFile                            76C1F6C6 5 Bytes  JMP 000E23A0 
.text  C:\Program Files\Windows Media Player\wmpnscfg.exe[2536] WININET.dll!HttpSendRequestA                             76C3525A 5 Bytes  JMP 000E20A0 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] ntdll.dll!LdrLoadDll                                          779B9378 5 Bytes  JMP 00065300 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] ntdll.dll!NtEnumerateValueKey                                 779F4704 5 Bytes  JMP 00066390 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] ntdll.dll!NtQueryDirectoryFile                                779F4C24 5 Bytes  JMP 00066640 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] ntdll.dll!NtResumeThread                                      779F5024 5 Bytes  JMP 000653D0 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] kernel32.dll!MoveFileW                                        76E2A2F2 5 Bytes  JMP 00062570 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] kernel32.dll!CopyFileW                                        76E302A9 5 Bytes  JMP 000610A0 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] kernel32.dll!CreateFileW                                      76E6B0EB 5 Bytes  JMP 00061290 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] kernel32.dll!CreateFileA                                      76E6D07F 5 Bytes  JMP 000611C0 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] kernel32.dll!CopyFileA                                        76E72653 5 Bytes  JMP 00061000 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] kernel32.dll!MoveFileA                                        76EAF7A1 5 Bytes  JMP 00062510 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] WININET.dll!HttpSendRequestW                                  76C0632D 5 Bytes  JMP 00062160 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] WININET.dll!InternetWriteFile                                 76C1F6C6 5 Bytes  JMP 000623A0 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] WININET.dll!HttpSendRequestA                                  76C3525A 5 Bytes  JMP 000620A0 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] WS2_32.dll!GetAddrInfoW                                       77B93D12 5 Bytes  JMP 00061D10 
.text  C:\Program Files\Windows Defender\MSASCui.exe[3256] WS2_32.dll!send                                               77B9659B 5 Bytes  JMP 00067250 
.text  C:\Windows\System32\WTMKM.exe[4060] ntdll.dll!LdrLoadDll                                                          779B9378 5 Bytes  JMP 020A5300 
.text  C:\Windows\System32\WTMKM.exe[4060] ntdll.dll!NtEnumerateValueKey                                                 779F4704 5 Bytes  JMP 020A6390 
.text  C:\Windows\System32\WTMKM.exe[4060] ntdll.dll!NtQueryDirectoryFile                                                779F4C24 5 Bytes  JMP 020A6640 
.text  C:\Windows\System32\WTMKM.exe[4060] ntdll.dll!NtResumeThread                                                      779F5024 5 Bytes  JMP 020A53D0 
.text  C:\Windows\System32\WTMKM.exe[4060] kernel32.dll!MoveFileW                                                        76E2A2F2 5 Bytes  JMP 020A2570 
.text  C:\Windows\System32\WTMKM.exe[4060] kernel32.dll!CopyFileW                                                        76E302A9 5 Bytes  JMP 020A10A0 
.text  C:\Windows\System32\WTMKM.exe[4060] kernel32.dll!CreateFileW                                                      76E6B0EB 5 Bytes  JMP 020A1290 
.text  C:\Windows\System32\WTMKM.exe[4060] kernel32.dll!CreateFileA                                                      76E6D07F 5 Bytes  JMP 020A11C0 
.text  C:\Windows\System32\WTMKM.exe[4060] kernel32.dll!CopyFileA                                                        76E72653 5 Bytes  JMP 020A1000 
.text  C:\Windows\System32\WTMKM.exe[4060] kernel32.dll!MoveFileA                                                        76EAF7A1 5 Bytes  JMP 020A2510 
.text  C:\Windows\System32\WTMKM.exe[4060] WS2_32.dll!GetAddrInfoW                                                       77B93D12 5 Bytes  JMP 020A1D10 
.text  C:\Windows\System32\WTMKM.exe[4060] WS2_32.dll!send                                                               77B9659B 5 Bytes  JMP 020A7250 
.text  C:\Windows\System32\WTMKM.exe[4060] WININET.dll!HttpSendRequestW                                                  76C0632D 5 Bytes  JMP 020A2160 
.text  C:\Windows\System32\WTMKM.exe[4060] WININET.dll!InternetWriteFile                                                 76C1F6C6 5 Bytes  JMP 020A23A0 
.text  C:\Windows\System32\WTMKM.exe[4060] WININET.dll!HttpSendRequestA                                                  76C3525A 5 Bytes  JMP 020A20A0 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] ntdll.dll!LdrLoadDll            779B9378 5 Bytes  JMP 00065300 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] ntdll.dll!NtEnumerateValueKey   779F4704 5 Bytes  JMP 00066390 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] ntdll.dll!NtQueryDirectoryFile  779F4C24 5 Bytes  JMP 00066640 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] ntdll.dll!NtResumeThread        779F5024 5 Bytes  JMP 000653D0 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] kernel32.dll!MoveFileW          76E2A2F2 5 Bytes  JMP 00062570 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] kernel32.dll!CopyFileW          76E302A9 5 Bytes  JMP 000610A0 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] kernel32.dll!CreateFileW        76E6B0EB 5 Bytes  JMP 00061290 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] kernel32.dll!CreateFileA        76E6D07F 5 Bytes  JMP 000611C0 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] kernel32.dll!CopyFileA          76E72653 5 Bytes  JMP 00061000 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] kernel32.dll!MoveFileA          76EAF7A1 5 Bytes  JMP 00062510 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] WS2_32.dll!GetAddrInfoW         77B93D12 5 Bytes  JMP 00061D10 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] WS2_32.dll!send                 77B9659B 5 Bytes  JMP 00067250 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] WININET.dll!HttpSendRequestW    76C0632D 5 Bytes  JMP 00062160 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] WININET.dll!InternetWriteFile   76C1F6C6 5 Bytes  JMP 000623A0 
.text  C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[4964] WININET.dll!HttpSendRequestA    76C3525A 5 Bytes  JMP 000620A0 
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] ntdll.dll!LdrLoadDll                                           779B9378 5 Bytes  JMP 5B275B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] ntdll.dll!NtEnumerateValueKey                                  779F4704 5 Bytes  JMP 00066390 
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] ntdll.dll!NtQueryDirectoryFile                                 779F4C24 5 Bytes  JMP 00066640 
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] ntdll.dll!NtResumeThread                                       779F5024 5 Bytes  JMP 000653D0 
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] kernel32.dll!HeapSetInformation + 26                           76E4A8C0 7 Bytes  JMP 5B27EF12 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] kernel32.dll!LockResource + C                                  76E66B0B 7 Bytes  JMP 5B4B7B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] kernel32.dll!VirtualAllocEx + 54                               76E6AF70 7 Bytes  JMP 5B4B7B58 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] GDI32.dll!SetStretchBltMode + 256                              7717745C 7 Bytes  JMP 5B4B7AB6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] WS2_32.dll!GetAddrInfoW                                        77B93D12 5 Bytes  JMP 00061D10 
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] WS2_32.dll!send                                                77B9659B 5 Bytes  JMP 00067250 
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] WININET.dll!HttpSendRequestW                                   76C0632D 5 Bytes  JMP 00062160 
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] WININET.dll!InternetWriteFile                                  76C1F6C6 5 Bytes  JMP 000623A0 
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] WININET.dll!HttpSendRequestA                                   76C3525A 5 Bytes  JMP 000620A0 

---- EOF - GMER 1.0.15 ----
         
I hope you can help me; the data on the drive is very important, at least in terms of personal value.

Edit: Since the file MBAM found was moved to quarantine, I can no longer access the data on the external HDD.

Last edited by Gwedhwen (29.10.2012 at 20:36)
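The "User code sections" part of the GMER log above is the most telling piece of the post: the same set of loader, file, registry and network APIs (LdrLoadDll, NtQueryDirectoryFile, CopyFileW, send, HttpSendRequestW, ...) is patched with a 5-byte JMP in taskeng.exe, Dwm.exe, Explorer.EXE, WTMKM.exe and several other unrelated processes, and the JMP targets point into memory GMER cannot attribute to any module on disk. Firefox, by contrast, shows hooks that GMER resolves to xul.dll, which is how a legitimate in-process hook looks. The following Python script is an added example for reading such a log, not something from the poster or from Trojaner-Board: it parses the user-mode hook lines, separates module-backed hooks from unbacked ones, groups the unbacked ones by the kind of API they intercept, and checks whether the low 16 bits of the JMP targets line up across processes (the same injected code relocated to a different base in every process). The function names, the API grouping table and the excerpted sample lines are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines excerpted from the GMER "User code sections"
# output posted above (not the whole log). A module path after the JMP target
# means GMER could attribute the hook to a DLL on disk; no path means the JMP
# lands in memory that belongs to no loaded module.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text  C:\Windows\system32\taskeng.exe[2056] ntdll.dll!LdrLoadDll                779B9378 5 Bytes  JMP 020F5300 
.text  C:\Windows\system32\taskeng.exe[2056] kernel32.dll!CopyFileW              76E302A9 5 Bytes  JMP 020F10A0 
.text  C:\Windows\system32\taskeng.exe[2056] WS2_32.dll!send                     77B9659B 5 Bytes  JMP 020F7250 
.text  C:\Windows\System32\WTMKM.exe[4060] ntdll.dll!LdrLoadDll                  779B9378 5 Bytes  JMP 020A5300 
.text  C:\Windows\System32\WTMKM.exe[4060] WININET.dll!HttpSendRequestW          76C0632D 5 Bytes  JMP 020A2160 
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] ntdll.dll!LdrLoadDll   779B9378 5 Bytes  JMP 5B275B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] kernel32.dll!HeapSetInformation + 26   76E4A8C0 7 Bytes  JMP 5B27EF12 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5288] WS2_32.dll!send        77B9659B 5 Bytes  JMP 00067250 

---- EOF - GMER 1.0.15 ----
"""

# One GMER user-mode hook line: image[pid], module!symbol (optionally "+ off"),
# patched address, patch size, JMP target and an optional backing module.
HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<symbol>\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<backing>\S.*?))?\s*$"
)

# Assumed grouping of the hooked APIs by what an intercept of them buys.
API_CLASSES = {
    "loader": {"LdrLoadDll", "NtResumeThread"},
    "filesystem": {"NtQueryDirectoryFile", "CreateFileW", "CreateFileA",
                   "CopyFileW", "CopyFileA", "MoveFileW", "MoveFileA"},
    "registry": {"NtEnumerateValueKey"},
    "network": {"send", "GetAddrInfoW", "HttpSendRequestW",
                "HttpSendRequestA", "InternetWriteFile"},
}


def parse_user_hooks(text):
    """Return one dict per hook line; 'backed' is True when GMER named a module."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["backed"] = d["backing"] is not None
            hooks.append(d)
    return hooks


def hooks_by_process(hooks):
    """Group hooks per (image, pid) into backed and unbacked lists."""
    out = defaultdict(lambda: {"backed": [], "unbacked": []})
    for h in hooks:
        bucket = "backed" if h["backed"] else "unbacked"
        out[(h["image"], h["pid"])][bucket].append(f'{h["module"]}!{h["symbol"]}')
    return dict(out)


def classify(symbol):
    name = symbol.split(" ")[0]          # drop a "+ offset" suffix
    for cls, names in API_CLASSES.items():
        if name in names:
            return cls
    return "other"


def suspicious_processes(hooks):
    """Processes with at least one JMP into memory GMER could not map to a module."""
    result = {}
    for (image, pid), groups in hooks_by_process(hooks).items():
        if groups["unbacked"]:
            classes = sorted({classify(s.split("!", 1)[1]) for s in groups["unbacked"]})
            result[f"{image}[{pid}]"] = {
                "unbacked_hooks": len(groups["unbacked"]),
                "classes": classes,
            }
    return result


def injected_blob_layout(hooks):
    """Map each unbacked hooked API to the set of low 16 bits of its JMP target.
    A single offset per API across many processes suggests one payload injected
    into each of them, relocated to a different base every time."""
    layout = defaultdict(set)
    for h in hooks:
        if not h["backed"]:
            layout[f'{h["module"]}!{h["symbol"]}'].add(int(h["target"], 16) & 0xFFFF)
    return dict(layout)


if __name__ == "__main__":
    parsed = parse_user_hooks(SAMPLE_GMER)
    for proc, info in suspicious_processes(parsed).items():
        print(f"{proc}: {info['unbacked_hooks']} unbacked hooks, {', '.join(info['classes'])}")
    for api, offsets in injected_blob_layout(parsed).items():
        print(f"{api}: target offsets {sorted(hex(o) for o in offsets)}")
```

Run it against the complete GMER output instead of the excerpt and every process except Firefox's xul.dll entries lands in the suspicious list with the same four API classes and the same per-API offsets, which is what makes this a systemwide code injection rather than a single misbehaving program. The script only reads a text file, so it is safe to run on a copy of the log from a clean machine.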

 
