Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung

Log-Analyse und Auswertung: Verdacht auf Mitglied in einem Botnetz

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.

Antwort
Alt 27.11.2009, 21:49   #1
ruelzzzi
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Hallo liebe Gemeinde,
mir ist ein Verdacht aufgekommen, dass ich möglicherweise in einem Botnetz als Zombie-Computer mitwirke.
Ich habe mir nähmlich Gedanken über meine Dsl-Geschwindigkeit gemacht, die nun schon seit 2 Woche nur bis zu 10% von dem erbringt, was sie eigentlich leisten sollte.
Ich habe schon mehrere Speedtests ausgeführt; an der FritzBox! liegts nicht, und die Leitungen sind auch OK. Ich werde mich morgen noch bei meinem Provider informieren.

Ich habe jetzt auf den Verdacht hin schonmal ein HijackThis Logfile erstellt, und würde mich sehr freuen, wenn ihr mir möglichweise sagen könntet, ob mein Computer infiziert und/oder ein Zombie-Computer ist.

PS: mir ist durchaus der Keylogger (KGBLogger/MPK.exe) bekannt; ich habe ihn selber installiert, um die Benutzer im Auge zu behalten, die meinen PC möglichweise unerlaubt verwenden.

Code:
ATTFilter
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:36, on 27.11.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gigabyte\EasySaver\ESSVR.EXE
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MagicKey\MagicKey.exe
C:\Programme\MagicKey\OSD.EXE
C:\Programme\MagicKey\MulMouse.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programme\HijackThis\HijackThis.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Skype\Toolbars\Shared\SkypeNames.exe

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Mpk.exe] C:\Programme\RKlog\Mpk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-823518204-1993962763-839522115-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '****')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MagicKey.lnk = C:\Programme\MagicKey\MagicKey.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Programme\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe

--
End of file - 4695 bytes
         

Alt 27.11.2009, 22:23   #2
Larusso
/// Selecta Jahrusso
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz





Du installierst Dir einen Keylogger um Benutzer im Auge zu haben? Welche unerlaubten Zugriffe willst Du damit beobachten. Sag mir jz nicht du willst sehen ob da jemand übers Netz auf Deinen PC zugreift.

Runter damit.


CustomScan mit OTL

Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
  • Starte bitte die OTL.exe.
    Vista-User mit Rechtsklick "als Administrator starten"
  • Kopiere nun den Inhalt in die Textbox.
Code:
ATTFilter
netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
CREATERESTOREPOINT
         
  • Schliesse bitte nun alle Programme. (Wichtig)
  • Klicke nun bitte auf den Quick Scan Button.
  • Klick auf .
  • Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in Code-Tags in Deinen Thread
__________________

__________________

Alt 28.11.2009, 01:51   #3
ruelzzzi
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Ok, ich werde den Logger nachher entfernen...
Ich hab jetzt den OTL-Scan unterm admin gemacht (auch den HijackThis scan)
ich denke, dass macht mehr Sinn oder?

hier der Log von OTL.txt:
Code:
ATTFilter
OTL logfile created on: 28.11.2009 02:42:16 - Run 1
OTL by OldTimer - Version 3.1.11.0     Folder = C:\Dokumente und Einstellungen\admin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 100,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 186,30 Gb Total Space | 153,19 Gb Free Space | 82,23% Space Free | Partition Type: NTFS
Drive D: | 745,20 Gb Total Space | 484,90 Gb Free Space | 65,07% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: PC-MARK
Current User Name: admin
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2009.11.28 02:37:51 | 00,532,992 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\admin\Desktop\OTL.exe
PRC - [2009.10.11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Java\jre6\bin\jusched.exe
PRC - [2009.10.11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Java\jre6\bin\jqs.exe
PRC - [2009.08.05 19:17:13 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2009.06.09 15:47:01 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2009.03.02 11:08:43 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009.02.04 05:41:54 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2009.02.04 05:41:54 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008.12.18 13:32:52 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008.12.18 12:19:44 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PRC - [2008.12.09 15:09:30 | 00,068,136 | ---- | M] () -- C:\Programme\Gigabyte\EasySaver\essvr.exe
PRC - [2008.08.26 06:51:18 | 16,851,456 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008.04.14 06:52:46 | 01,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005.08.11 14:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation) -- C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
PRC - [2003.05.13 13:52:32 | 00,241,664 | ---- | M] (WayTech) -- C:\Programme\MagicKey\MulMouse.exe
PRC - [2003.05.09 09:33:42 | 00,155,648 | ---- | M] () -- C:\Programme\MagicKey\MagicKey.exe
PRC - [2000.11.08 19:01:58 | 00,045,056 | ---- | M] (WayTech Development, Inc.) -- C:\Programme\MagicKey\OSD.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2009.11.28 02:37:51 | 00,532,992 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\admin\Desktop\OTL.exe
MOD - [2007.12.28 15:14:52 | 00,274,432 | ---- | M] () -- C:\Programme\RKlog\Mpk.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2009.10.11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009.08.29 15:34:53 | 00,183,112 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrB.exe -- (PnkBstrB)
SRV - [2009.08.05 19:17:13 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.06.09 15:47:01 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009.02.04 05:41:54 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009.02.03 20:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008.12.09 15:09:30 | 00,068,136 | ---- | M] () -- C:\Programme\Gigabyte\EasySaver\ESSVR.EXE -- (ES lite Service)
SRV - [2008.10.22 05:29:57 | 00,063,040 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2007.05.18 20:53:29 | 00,407,152 | ---- | M] (CODEMASTERS) -- C:\WINDOWS\System32\pr2ah4nc.exe -- (pr2ah4nc) DiRT Drivers Auto Removal (pr2ah4nc)
SRV - [2007.05.15 14:55:46 | 01,550,896 | ---- | M] (Nero AG) -- C:\Programme\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2007.05.08 18:47:22 | 00,271,920 | ---- | M] (Nero AG) -- C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2007.04.13 20:09:56 | 00,792,112 | ---- | M] (Nero AG) -- C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService)
SRV - [2003.07.28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
 
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009.09.02 11:46:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Programme\Java\jre6\lib\deploy\jqs\ff [2009.05.12 15:41:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Programme\Mozilla Firefox\components [2009.11.08 00:17:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2009.11.08 00:17:14 | 00,000,000 | ---D | M]
 
[2009.05.01 20:57:48 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Mozilla\Extensions
[2009.11.27 22:32:56 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Mozilla\Firefox\Profiles\6gsqdk1n.default\extensions
[2009.09.02 17:02:49 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Mozilla\Firefox\Profiles\6gsqdk1n.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.11.27 22:22:57 | 00,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2009.11.07 15:32:15 | 00,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2008.11.24 13:35:00 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\np32dsw.dll
[2009.05.01 20:55:35 | 00,072,960 | ---- | M] (Foxit Software Company) -- C:\Programme\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2003.07.14 21:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\NPOFFICE.DLL
[2009.11.08 00:16:26 | 00,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2009.11.08 00:16:26 | 00,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2009.11.08 00:16:26 | 00,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2009.11.08 00:16:26 | 00,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2009.11.08 00:16:26 | 00,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: (820 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\MagicKey.lnk = C:\Programme\MagicKey\MagicKey.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Mpk.exe = C:\Programme\RKlog\Mpk.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.05.01 16:54:54 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9f18c074-3689-11de-a5b0-00241d22c912}\Shell - "" = AutoRun
O33 - MountPoints2\{9f18c074-3689-11de-a5b0-00241d22c912}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f18c074-3689-11de-a5b0-00241d22c912}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{abb61bba-38d7-11de-a5b6-00241d22c912}\Shell\AutoRun\command - "" = wd_windows_tools\setup.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) -  File not found
O34 - HKLM BootExecute: (*) -  File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
 
NetSvcs: 6to4 -  File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009.05.01 18:37:25 | 00,000,000 | ---D | M]
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)
 
========== Files/Folders - Created Within 14 Days ==========
 
[2009.11.28 02:38:04 | 00,532,992 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\admin\Desktop\OTL.exe
[2009.11.27 22:21:25 | 00,000,000 | ---D | C] -- C:\Programme\HijackThis
[2009.11.25 21:34:38 | 00,000,000 | ---D | C] -- C:\Programme\CCleaner
[2009.11.22 18:41:31 | 00,000,000 | ---D | C] -- C:\Programme\Free YouTube Download
[2009.11.22 18:40:42 | 00,000,000 | ---D | C] -- C:\Programme\DVDVideoSoft
[2009.11.22 18:40:38 | 00,000,000 | ---D | C] -- C:\Programme\Free YouTube to MP3 Converter
[2009.11.22 18:30:52 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\teamspeak2
[2009.05.15 14:12:10 | 00,047,360 | ---- | C] (VSO Software) -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\pcouffin.sys
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files - Modified Within 14 Days ==========
 
[2009.11.28 02:39:45 | 00,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009.11.28 02:37:51 | 00,532,992 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\admin\Desktop\OTL.exe
[2009.11.27 22:58:10 | 00,121,808 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2009.11.27 22:58:01 | 03,407,872 | -H-- | M] () -- C:\Dokumente und Einstellungen\admin\ntuser.dat
[2009.11.27 22:58:01 | 00,000,300 | -HS- | M] () -- C:\Dokumente und Einstellungen\admin\ntuser.ini
[2009.11.27 15:48:31 | 00,016,608 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2009.11.27 15:48:21 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009.11.27 15:48:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009.11.27 15:46:42 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2009.10.07 22:28:42 | 00,015,960 | ---- | C] () -- C:\WINDOWS\mingwm10.dll
[2009.09.04 13:13:55 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009.08.29 15:35:00 | 00,138,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009.05.15 14:19:38 | 00,000,085 | -HS- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\.zreglib
[2009.05.15 14:12:13 | 00,000,033 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\pcouffin.log
[2009.05.15 14:12:10 | 00,087,608 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\inst.exe
[2009.05.15 14:12:10 | 00,007,887 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\pcouffin.cat
[2009.05.15 14:12:10 | 00,001,144 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\pcouffin.inf
[2009.05.05 18:47:14 | 00,069,632 | R--- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2009.05.05 18:47:14 | 00,036,864 | R--- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2009.05.05 16:47:59 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009.05.04 19:45:27 | 00,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009.05.02 21:06:03 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009.05.02 21:06:03 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009.05.02 21:06:03 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009.05.02 21:03:38 | 00,000,465 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009.05.01 20:53:21 | 00,006,144 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.05.01 17:24:41 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003.02.20 16:53:42 | 00,005,702 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1997.06.14 12:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
 
========== LOP Check ==========
 
[2009.10.03 16:39:03 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Ashampoo
[2009.05.01 17:28:37 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\ATI
[2009.05.02 21:06:10 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Audacity
[2009.05.01 20:57:43 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Blender Foundation
[2009.11.08 15:40:33 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Dev-Cpp
[2009.05.01 20:55:51 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Foxit
[2009.05.01 21:02:09 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\fretsonfire
[2009.05.01 21:05:19 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\ICQ
[2009.08.29 15:32:38 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Leadertech
[2009.08.29 15:33:28 | 00,000,000 | RH-D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\SecuROM
[2009.05.15 14:26:27 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Vso
[2009.05.01 17:28:37 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ATI
[2009.06.02 08:33:13 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Blizzard
[2009.05.15 14:19:56 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Elaborate Bytes
[2009.11.28 02:42:13 | 00,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MPK
[2009.07.31 13:28:08 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TrackMania
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.exe >
 
< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2008.04.14 06:52:12 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008.04.14 06:52:12 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\system32\eventlog.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
 
< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2008.04.14 06:52:24 | 00,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008.04.14 06:52:24 | 00,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\system32\scecli.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
 
< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2008.04.14 06:52:20 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008.04.14 06:52:20 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\system32\netlogon.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
 
< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >
 
< %SYSTEMDRIVE%\sceclt.dll /s /md5 >
 
< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >
 
< %SYSTEMDRIVE%\logevent.dll /s /md5 >
 
< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
 
< %SYSTEMDRIVE%\nvstor.sys /s /md5 >
 
< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2008.04.13 23:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008.04.13 23:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008.04.13 23:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
[2008.04.13 23:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
 
< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >
 
< %SYSTEMDRIVE%\viasraid.sys /s /md5 >
 
< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2008.04.13 23:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008.04.13 23:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
 
< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >
 
< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 48 bytes -> C:\WINDOWS:C738AF5F2CB03688
< End of report >
         
__________________

Alt 28.11.2009, 01:52   #4
ruelzzzi
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



und hier der Log von Extras.txt:

Code:
ATTFilter
OTL Extras logfile created on: 28.11.2009 02:42:16 - Run 1
OTL by OldTimer - Version 3.1.11.0     Folder = C:\Dokumente und Einstellungen\admin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 100,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 186,30 Gb Total Space | 153,19 Gb Free Space | 82,23% Space Free | Partition Type: NTFS
Drive D: | 745,20 Gb Total Space | 484,90 Gb Free Space | 65,07% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: PC-MARK
Current User Name: admin
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Programme\Internet Explorer\iexplore.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Programme\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Programme\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Programme\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Programme\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Programme\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Programme\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\ICQ6.5\ICQ.exe" = C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6 -- (ICQ, LLC.)
"D:\Spiele\TmNationsForever\TmForever.exe" = D:\Spiele\TmNationsForever\TmForever.exe:*:Enabled:TmForever -- ()
"D:\Spiele\Prince of Persia\Prince of Persia.exe" = D:\Spiele\Prince of Persia\Prince of Persia.exe:*:Enabled:Prince of Persia Dx -- (Ubisoft)
"D:\Spiele\Prince of Persia\PrinceOfPersia_Launcher.exe" = D:\Spiele\Prince of Persia\PrinceOfPersia_Launcher.exe:*:Enabled:Prince of Persia Update -- (Ubisoft)
"D:\Spiele\Age of Empires II\EMPIRES2.EXE" = D:\Spiele\Age of Empires II\EMPIRES2.EXE:*:Enabled:EMPIRES2 -- (Microsoft Corporation)
"D:\Spiele\Age of Empires II\age2_x1\age2_x1.exe" = D:\Spiele\Age of Empires II\age2_x1\age2_x1.exe:*:Enabled:age2_x1 -- (Microsoft Corporation)
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"D:\Spiele\Empire Earth\Empire Earth.exe" = D:\Spiele\Empire Earth\Empire Earth.exe:*:Enabled:Empire Earth -- ()
"D:\Spiele\Empire Earth - Zeitalter der Eroberungen\EE-AOC.exe" = D:\Spiele\Empire Earth - Zeitalter der Eroberungen\EE-AOC.exe:*:Enabled:EE-AOC -- ()
"D:\Spiele\Counter-Strike Source\hl2.exe" = D:\Spiele\Counter-Strike Source\hl2.exe:*:Disabled:hl2 -- ()
"D:\Spiele\World of Warcraft\Launcher.exe" = D:\Spiele\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"D:\Spiele\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe" = D:\Spiele\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"D:\Spiele\ColinMcR - Dirt\DiRT.exe" = D:\Spiele\ColinMcR - Dirt\DiRT.exe:*:Disabled:DiRT Executable -- (Codemasters)
"D:\Spiele\Civilization4\Civilization4.exe" = D:\Spiele\Civilization4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 -- (Firaxis Games)
"D:\Spiele\Civilization4\Beyond the Sword\Civ4BeyondSword.exe" = D:\Spiele\Civilization4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword -- (Firaxis Games)
"D:\Spiele\Civilization4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" = D:\Spiele\Civilization4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss -- (Firaxis Games)
"C:\Programme\RKlog\Mpk.exe" = C:\Programme\RKlog\Mpk.exe:*:Enabled:TCP\IP -- ()
"C:\Programme\RKlog\MpkView.exe" = C:\Programme\RKlog\MpkView.exe:*:Enabled:TCP\IP -- ()
"C:\Programme\Java\jre6\bin\javaw.exe" = C:\Programme\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Programme\Java\jre6\bin\java.exe" = C:\Programme\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Programme\Skype\Phone\Skype.exe" = C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Programme\Eclipse\eclipse.exe" = C:\Programme\Eclipse\eclipse.exe:*:Enabled:eclipse -- File not found
"C:\Programme\Teamspeak2\Server\Teamspeak2_RC2\server_windows.exe" = C:\Programme\Teamspeak2\Server\Teamspeak2_RC2\server_windows.exe:*:Enabled:Server -- ()
"C:\Programme\Steam\Steam.exe" = C:\Programme\Steam\Steam.exe:*:Enabled:Steam -- File not found
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07300F01-89CA-4CF8-92BD-2A605EB83C95}" = EasySaver B8.1208.1 
"{0863885D-E64B-9E5A-9747-03321A2D2A49}" = CCC Help Korean
"{0C40E716-2558-01E2-4797-484E4CCB2500}" = Catalyst Control Center Localization All
"{10FDD69C-2428-0FFB-12A2-2A6907D6282F}" = CCC Help Japanese
"{139DEC1F-D380-EB76-B0DF-88BC99B3B7BB}" = Catalyst Control Center Graphics Light
"{2347E903-6299-A99F-C46C-05EB55912539}" = CCC Help Chinese Traditional
"{2447500B-22D7-47BD-9B13-1A927F43A267}" = Empire Earth
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 17
"{2B3A996D-CCBF-3D62-B0AD-EA05553D3CEE}" = CCC Help Chinese Standard
"{2E97F7E8-ABDE-4E0D-B0AD-B6B4BAD89E24}" = Rome - Total War - Gold Edition
"{300D2ECE-DA75-1623-871F-935A205FC450}" = CCC Help German
"{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{4BF8A8A5-B3EA-6073-0457-669CC1E929C8}" = CCC Help Hungarian
"{501C0FDB-DCA5-E211-956C-26ADC4C54B66}" = Catalyst Control Center Core Implementation
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57B89E30-0BBA-4F20-9F2C-8E8CDE1CEDB6}" = DiRT
"{57F85CF9-B9EF-6C77-8095-A2CF95738099}" = CCC Help Danish
"{5DA6F06A-B389-407B-BF8C-1548767914D8}" = ATI Problem Report Wizard
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{63A17691-ABC0-E86F-5D7A-A2F7EE36145E}" = CCC Help Dutch
"{6501E9B8-77C7-7D81-7F1A-4C2D7E36B403}" = CCC Help Italian
"{65A88B75-AD8D-4B9C-92DA-FEB137463595}" = PHP 5.3.0
"{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
"{6C1804BC-094F-431A-BEA5-37A837958029}" = Rome - Total War - Alexander
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72A5824D-08E9-9A96-2104-19E4FE86E5FA}" = CCC Help Spanish
"{7907CAB0-6C4F-C554-34EA-93EAC98B42F9}" = CCC Help Turkish
"{7C11154F-3539-4CB5-979D-EF7913473E53}" = Prince of Persia
"{8046A32C-88A7-45DA-B6D7-B6191E261031}" = Nero 7 Essentials
"{82982D26-D60E-27D8-361F-F14A8F6440E7}" = Catalyst Control Center HydraVision Full
"{87934EAD-CE6F-16C6-6004-73E092AA15A6}" = Catalyst Control Center Graphics Previews Common
"{89B80F72-CCD0-95C3-21CB-89BA03D98155}" = CCC Help Finnish
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{8B9336DB-8D04-4325-BAFC-C7141D8E6CA1}" = Duke Nukem - Manhattan Project
"{906D95BA-4515-59A5-F2E4-072B1E73BB75}" = CCC Help English
"{91110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{926D0762-9C6C-4374-A481-EB308F4FC618}" = Will Rock
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D8BE52A-2C9A-91F2-310E-560CCE4FD247}" = CCC Help Russian
"{A0D62771-4353-8D52-44B8-0FCFF07D5FF1}" = ccc-core-preinstall
"{A10F7877-4276-416C-9F22-CB56C0CB2700}" = Medieval - Total War - Gold Edition
"{A250D351-A07F-4D5D-AB6C-693C69B9BFAF}" = Hercules Webcam
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3AE78AD-093F-57F1-280D-A31B0C1C1425}" = CCC Help Greek
"{A41A9C99-0029-783E-40C3-3AA0D1A6535D}" = CCC Help Polish
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A680CE58-7B2C-9A45-D05F-5AC22DFA2F76}" = CCC Help Portuguese
"{A97B911E-8B1F-3B0F-F3D1-63B04084CC0F}" = Skins
"{AD3AE2EE-E0DB-7818-3F05-7E8B2FB22C49}" = CCC Help Norwegian
"{B414174C-97E4-9E8B-018E-AC77055D0107}" = CCC Help Thai
"{B49C924C-A651-4378-94F6-5D9BF44A959F}" = EE-ZDE
"{B6D0AACC-1F01-A901-5348-FF3599EFE70D}" = CCC Help French
"{B98604A2-5229-CBE6-98A4-A6D7C63B7458}" = ccc-utility
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CBD1A47D-691E-56C2-AC6A-1B3F80E3EC14}" = CCC Help Swedish
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D208F4A7-6B73-4C2A-8B1E-8756FCBA831E}" = Hercules WebCam Station
"{D34313F7-B5E2-D3AF-FBB1-EF3ED1DEF5AB}" = CCC Help Czech
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{E3A6437F-DE5B-6F3E-7BB3-39185D0BBDCE}" = ccc-core-static
"{E6D22FE1-AB5F-42CA-9480-6F70B96DDD88}" = Need for Speed™ Undercover
"{EB1446FB-A3EF-D04D-C224-EEC74F11805F}" = Catalyst Control Center Graphics Full New
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F8718F95-21A1-44B9-97EC-679C93020BAE}" = Colin McRae Rally 04
"{FC053571-8507-44E4-8B6D-AACEAB8CA57C}" =  Sansa Media Converter
"{FE931AAE-B6D9-8A02-60C7-EF4862306F58}" = Catalyst Control Center Graphics Full Existing
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"All ATI Software" = ATI - Dienstprogramm zur Deinstallation der Software
"Aspell German Dictionary_is1" = Aspell German Dictionary-0.50-2
"ATI Display Driver" = ATI Display Driver
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.5 (Unicode)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Blender" = Blender (remove only)
"CCleaner" = CCleaner
"CloneDVD2" = CloneDVD2
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"Flying Heroes" = Flying Heroes
"Foxit Reader" = Foxit Reader
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.2
"Free YouTube Download_is1" = Free YouTube Download 2.3
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"Frets on Fire" = Frets On Fire
"GameSpy Arcade" = GameSpy Arcade
"GNU Aspell_is1" = GNU Aspell 0.50-3
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (nur entfernen)
"HijackThis" = HijackThis 2.0.2
"InstallShield_{8B9336DB-8D04-4325-BAFC-C7141D8E6CA1}" = Duke Nukem - Manhattan Project
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Largo" = Largo
"MagicKey" = MagicKey
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"Mp3tag" = Mp3tag v2.44
"Pidgin" = Pidgin
"Spacetanks_is1" = Spacetanks
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"TeamSpeak 2 Server_is1" = TeamSpeak 2 Server RC2
"TmNationsForever_is1" = TmNationsForever
"Uninstall_is1" = Uninstall 1.0.0.1
"VLC media player" = VLC media player 1.0.3
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 12.11.2009 12:23:33 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung bit_verschiebung.exe, Version 0.0.0.0, fehlgeschlagenes
 Modul msvcrt.dll, Version 7.0.2600.5512, Fehleradresse 0x00037740.
 
Error - 14.11.2009 19:58:53 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung ee-aoc.exe, Version 0.0.0.0, fehlgeschlagenes
 Modul dx7hrdisplay.dll, Version 0.0.0.0, Fehleradresse 0x0000a932.
 
Error - 14.11.2009 20:08:34 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung setup.exe, Version 12.0.0.58849, fehlgeschlagenes
 Modul setup.exe, Version 12.0.0.58849, Fehleradresse 0x0001e7b9.
 
Error - 14.11.2009 20:08:44 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung setup.exe, Version 12.0.0.58849, fehlgeschlagenes
 Modul setup.exe, Version 12.0.0.58849, Fehleradresse 0x0001e7b9.
 
Error - 14.11.2009 20:08:53 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung setup.exe, Version 12.0.0.58849, fehlgeschlagenes
 Modul setup.exe, Version 12.0.0.58849, Fehleradresse 0x0001e7b9.
 
Error - 18.11.2009 18:24:31 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung firefox.exe, Version 1.9.1.3593, fehlgeschlagenes
 Modul xul.dll, Version 1.9.1.3593, Fehleradresse 0x003776c4.
 
Error - 21.11.2009 19:32:54 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung 0053007000690065006C007300740061006E0064005F0045006E0074007300630068006C00FC00730073006C00650072002E006500780065,
 Version 0.0.0.0, fehlgeschlagenes Modul ntdll.dll, Version 5.1.2600.5755, Fehleradresse
 0x0000100b.
 
Error - 22.11.2009 13:17:23 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung mpkview.exe, Version 4.2.2.810, fehlgeschlagenes
 Modul kernel32.dll, Version 5.1.2600.5781, Fehleradresse 0x00012afb.
 
Error - 22.11.2009 17:57:15 | Computer Name = PC-MARK | Source = MsiInstaller | ID = 11925
Description = Product: Steam -- Error 1925. You do not have sufficient privileges
 to complete this installation for all users of the machine.  Log on as administrator
 and retry this installation.
 
Error - 22.11.2009 18:24:59 | Computer Name = PC-MARK | Source = Steam Client Service | ID = 1
Description = 
 
[ System Events ]
Error - 20.11.2009 14:50:07 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
Error - 20.11.2009 14:50:11 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
Error - 20.11.2009 14:50:15 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
Error - 20.11.2009 14:50:19 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
Error - 20.11.2009 14:50:22 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
Error - 20.11.2009 14:50:25 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
Error - 20.11.2009 14:50:29 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
Error - 20.11.2009 14:50:33 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
Error - 20.11.2009 14:50:37 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
Error - 20.11.2009 14:50:40 | Computer Name = PC-MARK | Source = Cdrom | ID = 262151
Description = Fehlerhafter Block bei Gerät \Device\CdRom0.
 
 
< End of report >
         

Alt 28.11.2009, 12:46   #5
Larusso
/// Selecta Jahrusso
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Rootkit-Suche

Was sind Rootkits?

Einige Scans auf Dateien, Prozesse u2nd Registryeinträge, die vor den meisten anderen Scannern versteckt werden (durch ein sogenanntes Rootkit). Während dieser Scans soll(en):
  • alle anderen Scanner gegen Viren, Spyware, usw. deaktiviert sein,
  • keine Verbindung zu einem Netzwerk/Internet bestehen (WLAN nicht vergessen),
  • nichts am Rechner getan werden,
  • nach jedem Scan der Rechner neu gestartet werden.
Gmer scannen lassen
  • Lade Dir Gmer von dieser Seite herunter
    (auf den Button Download EXE drücken) und das Programm auf dem Desktop speichern.
  • Gmer ist geeignet für => NT/W2K/XP/VISTA.
  • Alle anderen Programme sollen geschlossen sein.
  • Starte gmer.exe (Programm hat einen willkürlichen Programm-Namen).
  • Vista-User mit Rechtsklick und als Administrator starten.
  • Sollte sich ein Fenster mit folgender Warnung öffnen:
    WARNING !!!
    GMER has found system modification, which might have been caused by ROOTKIT activity.
    Do you want to fully scan your system ?
    Unbedingt auf "No" klicken.
  • Starte den Scan mit "Scan". Mache nichts am Computer während der Scan läuft.
  • Wenn der Scan fertig ist klicke auf "Copy" um das Log in die Zwischenablage zu kopieren. Mit "Ok" wird GMER beendet.
  • Füge das Log aus der Zwischenablage in Deine Antwort hier ein.
Antiviren-Programm und sonstige Scanner wieder einschalten, bevor Du ins Netz gehst!

Nun das Logfile in Code-Tags posten.

__________________
mfg, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Lerne, zurück zu schlagen und unterstütze uns!
TB Akademie

Alt 28.11.2009, 14:26   #6
ruelzzzi
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Ok, hier der gmer-scan:

Code:
ATTFilter
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 15:21:38
Windows 5.1.2600 Service Pack 3
Running: stehrzr0.exe; Driver: C:\DOKUME~1\admin\LOKALE~1\Temp\ufldapoc.sys


---- System - GMER 1.0.15 ----

SSDT            BA7B819E                                                                                                        ZwCreateKey
SSDT            BA7B8194                                                                                                        ZwCreateThread
SSDT            BA7B81A3                                                                                                        ZwDeleteKey
SSDT            BA7B81AD                                                                                                        ZwDeleteValueKey
SSDT            spvi.sys                                                                                                        ZwEnumerateKey [0xB9EC6CA2]
SSDT            spvi.sys                                                                                                        ZwEnumerateValueKey [0xB9EC7030]
SSDT            BA7B81B2                                                                                                        ZwLoadKey
SSDT            spvi.sys                                                                                                        ZwOpenKey [0xB9EA80C0]
SSDT            BA7B8180                                                                                                        ZwOpenProcess
SSDT            BA7B8185                                                                                                        ZwOpenThread
SSDT            spvi.sys                                                                                                        ZwQueryKey [0xB9EC7108]
SSDT            spvi.sys                                                                                                        ZwQueryValueKey [0xB9EC6F88]
SSDT            BA7B81BC                                                                                                        ZwReplaceKey
SSDT            BA7B81B7                                                                                                        ZwRestoreKey
SSDT            BA7B81A8                                                                                                        ZwSetValueKey
SSDT            BA7B818F                                                                                                        ZwTerminateProcess

INT 0x62        ?                                                                                                               8A708BF8
INT 0x73        ?                                                                                                               8A708BF8
INT 0x73        ?                                                                                                               8A708BF8
INT 0x82        ?                                                                                                               8A708BF8
INT 0x83        ?                                                                                                               8A474BF8
INT 0x83        ?                                                                                                               8A474BF8
INT 0x83        ?                                                                                                               8A474BF8
INT 0xA4        ?                                                                                                               8A474BF8
INT 0xB4        ?                                                                                                               8A474BF8
INT 0xB4        ?                                                                                                               8A474BF8
INT 0xB4        ?                                                                                                               8A474BF8

---- Kernel code sections - GMER 1.0.15 ----

?               spvi.sys                                                                                                        Das System kann die angegebene Datei nicht finden. !
.xreloc         C:\WINDOWS\system32\drivers\ps6ah4nc.sys                                                                        unknown last section [0xB9E4E000, 0x998, 0x40000040]
.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                        section is writeable [0xB52AF000, 0x1BDE76, 0xE8000020]
.text           USBPORT.SYS!DllUnload                                                                                           B52278AC 5 Bytes  JMP 8A4741D8 

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\wscntfy.exe[1220] ntdll.dll!NtQuerySystemInformation                                        7C91D92E 5 Bytes  JMP 00B6000C 
.text           C:\WINDOWS\Explorer.EXE[1516] ntdll.dll!NtQuerySystemInformation                                                7C91D92E 5 Bytes  JMP 020B000C 
.text           C:\Dokumente und Einstellungen\admin\Desktop\stehrzr0.exe[1908] ntdll.dll!NtQuerySystemInformation              7C91D92E 5 Bytes  JMP 00B2000C 
.text           C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe[2204] ntdll.dll!NtQuerySystemInformation  7C91D92E 5 Bytes  JMP 008A000C 
.text           C:\WINDOWS\system32\ctfmon.exe[2220] ntdll.dll!NtQuerySystemInformation                                         7C91D92E 5 Bytes  JMP 00A1000C 
.text           ...                                                                                                             

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                              [B9EA9040] spvi.sys
IAT             atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                      [B9EA913C] spvi.sys
IAT             atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                             [B9EA90BE] spvi.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                     [B9EA97FC] spvi.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                             [B9EA96D2] spvi.sys
IAT             \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                              [B9EB9048] spvi.sys

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                          8A7071F8

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                          InCDrec.SYS (InCD File System Recognizer/Nero AG)

Device          \FileSystem\Fastfat \FatCdrom                                                                                   896A2500
Device          \Driver\NetBT \Device\NetBT_Tcpip_{7A737EA4-9D41-41D8-90B7-0FD65D93350F}                                        89BFF1F8
Device          \Driver\usbohci \Device\USBPDO-0                                                                                8A4731F8
Device          \Driver\usbohci \Device\USBPDO-1                                                                                8A4731F8
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                       8A6991F8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                         8A6991F8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                            8A6991F8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                           8A6991F8
Device          \Driver\usbehci \Device\USBPDO-2                                                                                8A45B1F8
Device          \Driver\usbohci \Device\USBPDO-3                                                                                8A4731F8
Device          \Driver\usbohci \Device\USBPDO-4                                                                                8A4731F8
Device          \Driver\usbehci \Device\USBPDO-5                                                                                8A45B1F8
Device          \Driver\usbohci \Device\USBPDO-6                                                                                8A4731F8
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                          8A7091F8
Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                          8A7091F8
Device          \Driver\Cdrom \Device\CdRom0                                                                                    8A4BC500
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                                     [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort0                                                                              [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                              [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort2                                                                              [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort3                                                                              [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e                                                                     [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                         89BFF1F8
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                89BFF1F8
Device          \Driver\usbohci \Device\USBFDO-0                                                                                8A4731F8
Device          \Driver\usbohci \Device\USBFDO-1                                                                                8A4731F8
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                               899021F8
Device          \Driver\usbehci \Device\USBFDO-2                                                                                8A45B1F8
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                     899021F8
Device          \Driver\usbohci \Device\USBFDO-3                                                                                8A4731F8
Device          \Driver\usbohci \Device\USBFDO-4                                                                                8A4731F8
Device          \Driver\Ftdisk \Device\FtControl                                                                                8A7091F8
Device          \Driver\usbehci \Device\USBFDO-5                                                                                8A45B1F8
Device          \Driver\usbohci \Device\USBFDO-6                                                                                8A4731F8
Device          \FileSystem\Fastfat \Fat                                                                                        896A2500

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                        InCDrec.SYS (InCD File System Recognizer/Nero AG)

Device          \FileSystem\Cdfs \Cdfs                                                                                          898D61F8

---- Processes - GMER 1.0.15 ----

Process         C:\Programme\RKlog\Mpk.exe (*** hidden *** )                                                                    3984                                                                                                              

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                              771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                              285507792

---- EOF - GMER 1.0.15 ----
         

Alt 28.11.2009, 14:44   #7
Larusso
/// Selecta Jahrusso
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Während dieser Scans soll(en):
  • alle anderen Scanner gegen Viren, Spyware, usw. deaktiviert sein,
  • keine Verbindung zu einem Netzwerk/Internet bestehen (WLAN nicht vergessen),
  • nichts am Rechner getan werden,
  • nach jedem Scan der Rechner neu gestartet werden.
Rootkitscan mit RootRepeal
  • Gehe hierhin, scrolle runter und downloade RootRepeal.zip.
  • Entpacke die Datei auf Deinen Desktop.
  • Doppelklicke die RootRepeal.exe, um den Scanner zu starten.
  • Klicke auf den Reiter Report und dann auf den Button Scan.
  • Mache einen Haken bei den folgenden Elementen und klicke Ok.
    .
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT

    .
  • Im Anschluss wirst Du gefragt, welche Laufwerke gescannt werden sollen.
  • Wähle C:\ und klicke wieder Ok.
  • Der Suchlauf beginnt automatisch, es wird eine Weile dauern, bitte Geduld.
  • Wenn der Suchlauf beendet ist, klicke auf Save Report.
  • Speichere das Logfile als RootRepeal.txt auf dem Desktop.
  • Kopiere den Inhalt hier in den Thread.
__________________
mfg, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Lerne, zurück zu schlagen und unterstütze uns!
TB Akademie

Alt 28.11.2009, 16:11   #8
ruelzzzi
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Ok, hier der Log für RootRepeal:

Code:
ATTFilter
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/11/28 17:02
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA751C000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5FC000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: PCI_PNP8558
Image Path: \Driver\PCI_PNP8558
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA4530000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: spml.sys
Image Path: spml.sys
Address: 0xB9EA7000	Size: 1048576	File Visible: No	Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\dokumente und einstellungen\****\anwendungsdaten\skype\****.*******\etilqs_5pwz3ypr1dcvil3gvl2o
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\dokumente und einstellungen\****\anwendungsdaten\skype\****.******\etilqs_rn7qo9aahtc9pjdrsguo
Status: Allocation size mismatch (API: 16384, Raw: 0)

Processes
-------------------
Path: C:\Programme\RKlog\MPK.exe
PID: 2804	Status: Hidden from the Windows API!

SSDT
-------------------
#: 041	Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba7b7936

#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7b792c

#: 063	Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba7b793b

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba7b7945

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "spml.sys" at address 0xb9ec6ca2

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "spml.sys" at address 0xb9ec7030

#: 098	Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7b794a

#: 119	Function Name: NtOpenKey
Status: Hooked by "spml.sys" at address 0xb9ea80c0

#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba7b7918

#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba7b791d

#: 160	Function Name: NtQueryKey
Status: Hooked by "spml.sys" at address 0xb9ec7108

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "spml.sys" at address 0xb9ec6f88

#: 193	Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7b7954

#: 204	Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7b794f

#: 247	Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba7b7940

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba7b7927

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System	Address: 0x8a7071f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x8a4931f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System	Address: 0x8a6991f8	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System	Address: 0x8a4841f8	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a4841f8	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a4841f8	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a4841f8	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System	Address: 0x8a4841f8	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a4841f8	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System	Address: 0x8a4841f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System	Address: 0x8a7091f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System	Address: 0x898d01f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System	Address: 0x898d01f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x898d01f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x898d01f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System	Address: 0x898d01f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System	Address: 0x898d01f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System	Address: 0x8a46c1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a46c1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a46c1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a46c1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System	Address: 0x8a46c1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a46c1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System	Address: 0x8a46c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System	Address: 0x898be1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_CREATE]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_CLOSE]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_READ]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a3681f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅భ浍瑓卨訷, IRP_MJ_PNP]
Process: System	Address: 0x8a3681f8	Size: 121

==EOF==
         
PS: An dieser Stelle möchte ich mich mal herzlich für deine tolle Hilfe bedanken, ich finds klasse, wie du dich einsetzt!

Alt 28.11.2009, 16:14   #9
Larusso
/// Selecta Jahrusso
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Dieser Keylogger immer noch installiert? Dann jz mal weg damit.

schritt 1

Bereinigung mit Malwarebytes' Anti-Malware (Quick-Scan)

Lade Malwarebytes Anti-Malware (ca. 2 MB) von einem dieser Downloadspiegel herunter:
Malwarebytes - MajorGeeks.com - BestTechie
  • Anwendbar auf Windows 2000, XP und Vista.
  • Installiere das Programm in den vorgegebenen Pfad.
  • Denke daran, bei Vista das Programm als Admin zu starten, ansonsten per Doppelklick starten.
  • Lasse es online updaten (Reiter Updates), sofern sich das Programm bereits auf dem Rechner befand.
  • Aktiviere "Quick-Scan durchführen" => Scan.
  • Wenn der Scan beendet ist, klicke auf "Ergebnisse anzeigen".
  • Bei Funden in C:\System Volume Information den Haken entfernen.
    Ansonsten wird dieser Systemwiederherstellungspunkt nicht mehr funktionieren.
    Er könnte jedoch trotz Malware noch gebraucht werden.
  • Versichere Dich, dass ansonsten alle Funde markiert sind und drücke "Löschen".
  • Poste das Logfile, welches sich in Notepad öffnet, hier in den Thread.
  • Nachträglich kannst du den Bericht unter "Scan-Berichte" finden.
  • Berichte, wie der Rechner nun läuft.
Hier findest Du eine ausführliche und bebilderte Anleitung


schritt 2

Systemscan mit OTL

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop ( falls noch nicht vorhanden)
  • Doppelklick auf die OTL.exe
  • Vista User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
  • Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output
  • Unter Extra Registry, wähle bitte Use SafeList
  • Klicke nun auf Run Scan links oben
  • Wenn der Scan beendet wurde werden 2 Logfiles erstellt
  • Poste die Logfiles in Code-Tags hier in den Thread.
__________________
mfg, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Lerne, zurück zu schlagen und unterstütze uns!
TB Akademie

Alt 28.11.2009, 17:27   #10
ruelzzzi
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Uff, der Keylogger war ganz schön hartnäckig, konnte ihn erst im abgesicherten Modus entfernen...^^

Ok, Malewarebytes hat nichts gefunden:

Code:
ATTFilter
Malwarebytes' Anti-Malware 1.41
Datenbank Version: 3251
Windows 5.1.2600 Service Pack 3

28.11.2009 18:25:50
mbam-log-2009-11-28 (18-25-50).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 123067
Laufzeit: 2 minute(s), 46 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
         
werde jetzt nochmal die OTL.exe starten...

Alt 28.11.2009, 17:33   #11
ruelzzzi
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



So hier der Log von OTL.txt:

Code:
ATTFilter
OTL logfile created on: 28.11.2009 18:29:38 - Run 2
OTL by OldTimer - Version 3.1.11.0     Folder = C:\Dokumente und Einstellungen\admin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 100,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 186,30 Gb Total Space | 153,28 Gb Free Space | 82,28% Space Free | Partition Type: NTFS
Drive D: | 745,20 Gb Total Space | 484,90 Gb Free Space | 65,07% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: PC-MARK
Current User Name: admin
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Processes (SafeList) ==========
 
PRC - C:\Dokumente und Einstellungen\admin\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Programme\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Advanced Micro Devices Inc.)
PRC - C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (ATI Technologies Inc.)
PRC - C:\Programme\Gigabyte\EasySaver\essvr.exe ()
PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
PRC - C:\Programme\MagicKey\MulMouse.exe (WayTech)
PRC - C:\Programme\MagicKey\MagicKey.exe ()
PRC - C:\Programme\MagicKey\OSD.exe (WayTech Development, Inc.)
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Dokumente und Einstellungen\admin\Desktop\OTL.exe (OldTimer Tools)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (JavaQuickStarterService) -- C:\Programme\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (PnkBstrB) -- C:\WINDOWS\system32\PnkBstrB.exe ()
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (Ati HotKey Poller) -- C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
SRV - (ATI Smart) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (ES lite Service) -- C:\Programme\Gigabyte\EasySaver\ESSVR.EXE ()
SRV - (PnkBstrA) -- C:\WINDOWS\system32\PnkBstrA.exe ()
SRV - (pr2ah4nc) DiRT Drivers Auto Removal (pr2ah4nc) -- C:\WINDOWS\System32\pr2ah4nc.exe (CODEMASTERS)
SRV - (InCDsrv) -- C:\Programme\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
SRV - (NMIndexingService) -- C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (NBService) -- C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe (Nero AG)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows (R) 2000 DDK provider)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (PnkBstrK) -- C:\WINDOWS\system32\drivers\PnkBstrK.sys ()
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (pcouffin) -- C:\WINDOWS\system32\drivers\pcouffin.sys (VSO Software)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (ElbyCDIO) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RTHDMIAzAudService) -- C:\WINDOWS\system32\drivers\RtHDMI.sys (Realtek Semiconductor Corp.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation                           )
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (amdide) -- C:\WINDOWS\system32\DRIVERS\amdide.sys (Advanced Micro Devices)
DRV - (pe3ah4nc) DiRT Environment Driver (pe3ah4nc) -- C:\WINDOWS\system32\drivers\pe3ah4nc.sys (CODEMASTERS)
DRV - (ps6ah4nc) DiRT Synchronization Driver (ps6ah4nc) -- C:\WINDOWS\system32\drivers\ps6ah4nc.sys (CODEMASTERS)
DRV - (InCDfs) -- C:\WINDOWS\system32\drivers\InCDfs.sys (Nero AG)
DRV - (incdrm) -- C:\WINDOWS\system32\drivers\InCDRm.sys (Nero AG)
DRV - (InCDPass) -- C:\WINDOWS\system32\drivers\InCDPass.sys (Nero AG)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (ovt530) -- C:\WINDOWS\system32\drivers\ov530vid.sys (OmniVision Technologies, Inc.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (kbfilter) -- C:\WINDOWS\system32\drivers\kbfilter.sys (WayTech Development, Inc.)
DRV - (UsbFltr) -- C:\WINDOWS\system32\drivers\UsbFltr.sys (Waytech Development, Inc.)
DRV - (moufiltr) -- C:\WINDOWS\system32\drivers\Moufiltr.sys (Windows (R) 2000 DDK provider)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
 
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009.09.02 11:46:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Programme\Java\jre6\lib\deploy\jqs\ff [2009.05.12 15:41:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Programme\Mozilla Firefox\components [2009.11.08 00:17:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2009.11.08 00:17:14 | 00,000,000 | ---D | M]
 
[2009.05.01 20:57:48 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Mozilla\Extensions
[2009.11.27 22:32:56 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Mozilla\Firefox\Profiles\6gsqdk1n.default\extensions
[2009.09.02 17:02:49 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Mozilla\Firefox\Profiles\6gsqdk1n.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.11.28 18:17:53 | 00,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2009.11.07 15:32:15 | 00,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2008.11.24 13:35:00 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\np32dsw.dll
[2009.05.01 20:55:35 | 00,072,960 | ---- | M] (Foxit Software Company) -- C:\Programme\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2003.07.14 21:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation) -- C:\Programme\Mozilla Firefox\plugins\NPOFFICE.DLL
[2009.11.08 00:16:26 | 00,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2009.11.08 00:16:26 | 00,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2009.11.08 00:16:26 | 00,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2009.11.08 00:16:26 | 00,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2009.11.08 00:16:26 | 00,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: (820 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\MagicKey.lnk = C:\Programme\MagicKey\MagicKey.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Mpk.exe = C:\Programme\RKlog\Mpk.exe File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.05.01 16:54:54 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9f18c074-3689-11de-a5b0-00241d22c912}\Shell - "" = AutoRun
O33 - MountPoints2\{9f18c074-3689-11de-a5b0-00241d22c912}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f18c074-3689-11de-a5b0-00241d22c912}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{abb61bba-38d7-11de-a5b6-00241d22c912}\Shell\AutoRun\command - "" = wd_windows_tools\setup.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) -  File not found
O34 - HKLM BootExecute: (*) -  File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
 
========== Files/Folders - Created Within 30 Days ==========
 
[2009.11.28 18:21:26 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Malwarebytes
[2009.11.28 18:21:23 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009.11.28 18:21:21 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009.11.28 18:21:21 | 00,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2009.11.28 18:21:21 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2009.11.28 17:47:07 | 00,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\admin\Recent
[2009.11.28 17:40:17 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\vlc
[2009.11.28 17:30:37 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\admin\Desktop\RKlog
[2009.11.28 17:00:59 | 00,472,064 | ---- | C] ( ) -- C:\Dokumente und Einstellungen\admin\Desktop\RootRepeal.exe
[2009.11.28 02:38:04 | 00,532,992 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\admin\Desktop\OTL.exe
[2009.11.27 22:21:25 | 00,000,000 | ---D | C] -- C:\Programme\HijackThis
[2009.11.25 21:34:38 | 00,000,000 | ---D | C] -- C:\Programme\CCleaner
[2009.11.22 18:41:31 | 00,000,000 | ---D | C] -- C:\Programme\Free YouTube Download
[2009.11.22 18:40:42 | 00,000,000 | ---D | C] -- C:\Programme\DVDVideoSoft
[2009.11.22 18:40:38 | 00,000,000 | ---D | C] -- C:\Programme\Free YouTube to MP3 Converter
[2009.11.22 18:30:52 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\teamspeak2
[2009.11.08 15:46:35 | 00,000,000 | ---D | C] -- C:\Programme\Dev-Cpp
[2009.11.08 14:28:45 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\Dev-Cpp
[2009.11.07 15:32:07 | 00,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Skype
[2009.05.15 14:12:10 | 00,047,360 | ---- | C] (VSO Software) -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\pcouffin.sys
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2009.11.28 18:19:24 | 01,050,716 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009.11.28 18:19:24 | 00,452,300 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2009.11.28 18:19:24 | 00,435,396 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009.11.28 18:19:24 | 00,081,132 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2009.11.28 18:19:24 | 00,068,292 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009.11.28 18:15:06 | 00,016,608 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2009.11.28 18:15:02 | 00,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009.11.28 18:14:53 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009.11.28 18:14:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009.11.28 18:14:51 | 00,121,808 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2009.11.28 18:03:23 | 03,407,872 | -H-- | M] () -- C:\Dokumente und Einstellungen\admin\ntuser.dat
[2009.11.28 18:03:23 | 00,000,300 | -HS- | M] () -- C:\Dokumente und Einstellungen\admin\ntuser.ini
[2009.11.28 17:02:43 | 00,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\admin\Desktop\settings.dat
[2009.11.28 14:30:34 | 00,292,352 | ---- | M] () -- C:\Dokumente und Einstellungen\admin\Desktop\stehrzr0.exe
[2009.11.28 02:37:51 | 00,532,992 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\admin\Desktop\OTL.exe
[2009.11.13 15:43:55 | 00,200,144 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009.11.07 15:27:15 | 00,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2009.11.28 17:02:43 | 00,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Desktop\settings.dat
[2009.11.28 14:30:34 | 00,292,352 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Desktop\stehrzr0.exe
[2009.11.07 15:27:15 | 00,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009.10.07 22:28:42 | 00,015,960 | ---- | C] () -- C:\WINDOWS\mingwm10.dll
[2009.09.04 13:13:55 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009.08.29 15:35:00 | 00,138,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009.05.15 14:19:38 | 00,000,085 | -HS- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\.zreglib
[2009.05.15 14:12:13 | 00,000,033 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\pcouffin.log
[2009.05.15 14:12:10 | 00,087,608 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\inst.exe
[2009.05.15 14:12:10 | 00,007,887 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\pcouffin.cat
[2009.05.15 14:12:10 | 00,001,144 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Anwendungsdaten\pcouffin.inf
[2009.05.05 18:47:14 | 00,069,632 | R--- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2009.05.05 18:47:14 | 00,036,864 | R--- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2009.05.05 16:47:59 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009.05.04 19:45:27 | 00,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009.05.02 21:06:03 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009.05.02 21:06:03 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009.05.02 21:06:03 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009.05.02 21:03:38 | 00,000,465 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009.05.01 20:53:21 | 00,006,144 | ---- | C] () -- C:\Dokumente und Einstellungen\admin\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.05.01 17:24:41 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003.02.20 16:53:42 | 00,005,702 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1997.06.14 12:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 48 bytes -> C:\WINDOWS:C738AF5F2CB03688
< End of report >
         

Alt 28.11.2009, 17:40   #12
ruelzzzi
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



und hier der Log von Extras.txt:

Code:
ATTFilter
OTL Extras logfile created on: 28.11.2009 18:29:38 - Run 2
OTL by OldTimer - Version 3.1.11.0     Folder = C:\Dokumente und Einstellungen\admin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 100,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 186,30 Gb Total Space | 153,28 Gb Free Space | 82,28% Space Free | Partition Type: NTFS
Drive D: | 745,20 Gb Total Space | 484,90 Gb Free Space | 65,07% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: PC-MARK
Current User Name: admin
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Programme\Internet Explorer\iexplore.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Programme\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Programme\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Programme\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Programme\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Programme\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Programme\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\ICQ6.5\ICQ.exe" = C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6 -- (ICQ, LLC.)
"D:\Spiele\TmNationsForever\TmForever.exe" = D:\Spiele\TmNationsForever\TmForever.exe:*:Enabled:TmForever -- ()
"D:\Spiele\Prince of Persia\Prince of Persia.exe" = D:\Spiele\Prince of Persia\Prince of Persia.exe:*:Enabled:Prince of Persia Dx -- (Ubisoft)
"D:\Spiele\Prince of Persia\PrinceOfPersia_Launcher.exe" = D:\Spiele\Prince of Persia\PrinceOfPersia_Launcher.exe:*:Enabled:Prince of Persia Update -- (Ubisoft)
"D:\Spiele\Age of Empires II\EMPIRES2.EXE" = D:\Spiele\Age of Empires II\EMPIRES2.EXE:*:Enabled:EMPIRES2 -- (Microsoft Corporation)
"D:\Spiele\Age of Empires II\age2_x1\age2_x1.exe" = D:\Spiele\Age of Empires II\age2_x1\age2_x1.exe:*:Enabled:age2_x1 -- (Microsoft Corporation)
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"D:\Spiele\Empire Earth\Empire Earth.exe" = D:\Spiele\Empire Earth\Empire Earth.exe:*:Enabled:Empire Earth -- ()
"D:\Spiele\Empire Earth - Zeitalter der Eroberungen\EE-AOC.exe" = D:\Spiele\Empire Earth - Zeitalter der Eroberungen\EE-AOC.exe:*:Enabled:EE-AOC -- ()
"D:\Spiele\Counter-Strike Source\hl2.exe" = D:\Spiele\Counter-Strike Source\hl2.exe:*:Disabled:hl2 -- ()
"D:\Spiele\World of Warcraft\Launcher.exe" = D:\Spiele\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"D:\Spiele\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe" = D:\Spiele\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"D:\Spiele\ColinMcR - Dirt\DiRT.exe" = D:\Spiele\ColinMcR - Dirt\DiRT.exe:*:Disabled:DiRT Executable -- (Codemasters)
"D:\Spiele\Civilization4\Civilization4.exe" = D:\Spiele\Civilization4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 -- (Firaxis Games)
"D:\Spiele\Civilization4\Beyond the Sword\Civ4BeyondSword.exe" = D:\Spiele\Civilization4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword -- (Firaxis Games)
"D:\Spiele\Civilization4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" = D:\Spiele\Civilization4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss -- (Firaxis Games)
"C:\Programme\RKlog\Mpk.exe" = C:\Programme\RKlog\Mpk.exe:*:Enabled:TCP\IP -- File not found
"C:\Programme\RKlog\MpkView.exe" = C:\Programme\RKlog\MpkView.exe:*:Enabled:TCP\IP -- File not found
"C:\Programme\Java\jre6\bin\javaw.exe" = C:\Programme\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Programme\Java\jre6\bin\java.exe" = C:\Programme\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Programme\Skype\Phone\Skype.exe" = C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Programme\Eclipse\eclipse.exe" = C:\Programme\Eclipse\eclipse.exe:*:Enabled:eclipse -- File not found
"C:\Programme\Teamspeak2\Server\Teamspeak2_RC2\server_windows.exe" = C:\Programme\Teamspeak2\Server\Teamspeak2_RC2\server_windows.exe:*:Enabled:Server -- ()
"C:\Programme\Steam\Steam.exe" = C:\Programme\Steam\Steam.exe:*:Enabled:Steam -- File not found
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07300F01-89CA-4CF8-92BD-2A605EB83C95}" = EasySaver B8.1208.1 
"{0863885D-E64B-9E5A-9747-03321A2D2A49}" = CCC Help Korean
"{0C40E716-2558-01E2-4797-484E4CCB2500}" = Catalyst Control Center Localization All
"{10FDD69C-2428-0FFB-12A2-2A6907D6282F}" = CCC Help Japanese
"{139DEC1F-D380-EB76-B0DF-88BC99B3B7BB}" = Catalyst Control Center Graphics Light
"{2347E903-6299-A99F-C46C-05EB55912539}" = CCC Help Chinese Traditional
"{2447500B-22D7-47BD-9B13-1A927F43A267}" = Empire Earth
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 17
"{2B3A996D-CCBF-3D62-B0AD-EA05553D3CEE}" = CCC Help Chinese Standard
"{2E97F7E8-ABDE-4E0D-B0AD-B6B4BAD89E24}" = Rome - Total War - Gold Edition
"{300D2ECE-DA75-1623-871F-935A205FC450}" = CCC Help German
"{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{4BF8A8A5-B3EA-6073-0457-669CC1E929C8}" = CCC Help Hungarian
"{501C0FDB-DCA5-E211-956C-26ADC4C54B66}" = Catalyst Control Center Core Implementation
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57B89E30-0BBA-4F20-9F2C-8E8CDE1CEDB6}" = DiRT
"{57F85CF9-B9EF-6C77-8095-A2CF95738099}" = CCC Help Danish
"{5DA6F06A-B389-407B-BF8C-1548767914D8}" = ATI Problem Report Wizard
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{63A17691-ABC0-E86F-5D7A-A2F7EE36145E}" = CCC Help Dutch
"{6501E9B8-77C7-7D81-7F1A-4C2D7E36B403}" = CCC Help Italian
"{65A88B75-AD8D-4B9C-92DA-FEB137463595}" = PHP 5.3.0
"{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
"{6C1804BC-094F-431A-BEA5-37A837958029}" = Rome - Total War - Alexander
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72A5824D-08E9-9A96-2104-19E4FE86E5FA}" = CCC Help Spanish
"{7907CAB0-6C4F-C554-34EA-93EAC98B42F9}" = CCC Help Turkish
"{7C11154F-3539-4CB5-979D-EF7913473E53}" = Prince of Persia
"{8046A32C-88A7-45DA-B6D7-B6191E261031}" = Nero 7 Essentials
"{82982D26-D60E-27D8-361F-F14A8F6440E7}" = Catalyst Control Center HydraVision Full
"{87934EAD-CE6F-16C6-6004-73E092AA15A6}" = Catalyst Control Center Graphics Previews Common
"{89B80F72-CCD0-95C3-21CB-89BA03D98155}" = CCC Help Finnish
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{8B9336DB-8D04-4325-BAFC-C7141D8E6CA1}" = Duke Nukem - Manhattan Project
"{906D95BA-4515-59A5-F2E4-072B1E73BB75}" = CCC Help English
"{91110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{926D0762-9C6C-4374-A481-EB308F4FC618}" = Will Rock
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D8BE52A-2C9A-91F2-310E-560CCE4FD247}" = CCC Help Russian
"{A0D62771-4353-8D52-44B8-0FCFF07D5FF1}" = ccc-core-preinstall
"{A10F7877-4276-416C-9F22-CB56C0CB2700}" = Medieval - Total War - Gold Edition
"{A250D351-A07F-4D5D-AB6C-693C69B9BFAF}" = Hercules Webcam
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3AE78AD-093F-57F1-280D-A31B0C1C1425}" = CCC Help Greek
"{A41A9C99-0029-783E-40C3-3AA0D1A6535D}" = CCC Help Polish
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A680CE58-7B2C-9A45-D05F-5AC22DFA2F76}" = CCC Help Portuguese
"{A97B911E-8B1F-3B0F-F3D1-63B04084CC0F}" = Skins
"{AD3AE2EE-E0DB-7818-3F05-7E8B2FB22C49}" = CCC Help Norwegian
"{B414174C-97E4-9E8B-018E-AC77055D0107}" = CCC Help Thai
"{B49C924C-A651-4378-94F6-5D9BF44A959F}" = EE-ZDE
"{B6D0AACC-1F01-A901-5348-FF3599EFE70D}" = CCC Help French
"{B98604A2-5229-CBE6-98A4-A6D7C63B7458}" = ccc-utility
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CBD1A47D-691E-56C2-AC6A-1B3F80E3EC14}" = CCC Help Swedish
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D208F4A7-6B73-4C2A-8B1E-8756FCBA831E}" = Hercules WebCam Station
"{D34313F7-B5E2-D3AF-FBB1-EF3ED1DEF5AB}" = CCC Help Czech
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{E3A6437F-DE5B-6F3E-7BB3-39185D0BBDCE}" = ccc-core-static
"{E6D22FE1-AB5F-42CA-9480-6F70B96DDD88}" = Need for Speed™ Undercover
"{EB1446FB-A3EF-D04D-C224-EEC74F11805F}" = Catalyst Control Center Graphics Full New
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F8718F95-21A1-44B9-97EC-679C93020BAE}" = Colin McRae Rally 04
"{FC053571-8507-44E4-8B6D-AACEAB8CA57C}" =  Sansa Media Converter
"{FE931AAE-B6D9-8A02-60C7-EF4862306F58}" = Catalyst Control Center Graphics Full Existing
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"All ATI Software" = ATI - Dienstprogramm zur Deinstallation der Software
"Aspell German Dictionary_is1" = Aspell German Dictionary-0.50-2
"ATI Display Driver" = ATI Display Driver
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.5 (Unicode)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"CloneDVD2" = CloneDVD2
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"Flying Heroes" = Flying Heroes
"Foxit Reader" = Foxit Reader
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.2
"Free YouTube Download_is1" = Free YouTube Download 2.3
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"Frets on Fire" = Frets On Fire
"GameSpy Arcade" = GameSpy Arcade
"GNU Aspell_is1" = GNU Aspell 0.50-3
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (nur entfernen)
"HijackThis" = HijackThis 2.0.2
"InstallShield_{8B9336DB-8D04-4325-BAFC-C7141D8E6CA1}" = Duke Nukem - Manhattan Project
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"MagicKey" = MagicKey
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"Mp3tag" = Mp3tag v2.44
"Pidgin" = Pidgin
"Spacetanks_is1" = Spacetanks
"TeamSpeak 2 Server_is1" = TeamSpeak 2 Server RC2
"TmNationsForever_is1" = TmNationsForever
"Uninstall_is1" = Uninstall 1.0.0.1
"VLC media player" = VLC media player 1.0.3
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 14.11.2009 20:08:34 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung setup.exe, Version 12.0.0.58849, fehlgeschlagenes
 Modul setup.exe, Version 12.0.0.58849, Fehleradresse 0x0001e7b9.
 
Error - 14.11.2009 20:08:44 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung setup.exe, Version 12.0.0.58849, fehlgeschlagenes
 Modul setup.exe, Version 12.0.0.58849, Fehleradresse 0x0001e7b9.
 
Error - 14.11.2009 20:08:53 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung setup.exe, Version 12.0.0.58849, fehlgeschlagenes
 Modul setup.exe, Version 12.0.0.58849, Fehleradresse 0x0001e7b9.
 
Error - 18.11.2009 18:24:31 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung firefox.exe, Version 1.9.1.3593, fehlgeschlagenes
 Modul xul.dll, Version 1.9.1.3593, Fehleradresse 0x003776c4.
 
Error - 21.11.2009 19:32:54 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung 0053007000690065006C007300740061006E0064005F0045006E0074007300630068006C00FC00730073006C00650072002E006500780065,
 Version 0.0.0.0, fehlgeschlagenes Modul ntdll.dll, Version 5.1.2600.5755, Fehleradresse
 0x0000100b.
 
Error - 22.11.2009 13:17:23 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung mpkview.exe, Version 4.2.2.810, fehlgeschlagenes
 Modul kernel32.dll, Version 5.1.2600.5781, Fehleradresse 0x00012afb.
 
Error - 22.11.2009 17:57:15 | Computer Name = PC-MARK | Source = MsiInstaller | ID = 11925
Description = Product: Steam -- Error 1925. You do not have sufficient privileges
 to complete this installation for all users of the machine.  Log on as administrator
 and retry this installation.
 
Error - 22.11.2009 18:24:59 | Computer Name = PC-MARK | Source = Steam Client Service | ID = 1
Description = 
 
Error - 28.11.2009 12:29:47 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung mpkview.exe, Version 4.2.2.810, fehlgeschlagenes
 Modul kernel32.dll, Version 5.1.2600.5781, Fehleradresse 0x00012afb.
 
Error - 28.11.2009 12:39:10 | Computer Name = PC-MARK | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung mpkview.exe, Version 4.2.2.810, fehlgeschlagenes
 Modul kernel32.dll, Version 5.1.2600.5781, Fehleradresse 0x00012afb.
 
[ System Events ]
Error - 28.11.2009 13:07:23 | Computer Name = PC-MARK | Source = ps6ah4nc | ID = 262145
Description = Protection Synchronization Driver detected an internal error, contact
 the customer support service.
 
Error - 28.11.2009 13:07:39 | Computer Name = PC-MARK | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "EventSystem"
 mit den Argumenten ""  gestartet wurde, um den folgenden Server zu verwenden:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 28.11.2009 13:07:43 | Computer Name = PC-MARK | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "netman"
 mit den Argumenten ""  gestartet wurde, um den folgenden Server zu verwenden:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error - 28.11.2009 13:08:09 | Computer Name = PC-MARK | Source = Service Control Manager | ID = 7001
Description = Der Dienst "DHCP-Client" ist vom Dienst "NetBios über TCP/IP" abhängig,
 der aufgrund folgenden Fehlers nicht gestartet wurde:   %%31
 
Error - 28.11.2009 13:08:09 | Computer Name = PC-MARK | Source = Service Control Manager | ID = 7001
Description = Der Dienst "DNS-Client" ist vom Dienst "TCP/IP-Protokolltreiber" abhängig,
 der aufgrund folgenden Fehlers nicht gestartet wurde:   %%31
 
Error - 28.11.2009 13:08:09 | Computer Name = PC-MARK | Source = Service Control Manager | ID = 7001
Description = Der Dienst "TCP/IP-NetBIOS-Hilfsprogramm" ist vom Dienst "AFD" abhängig,
 der aufgrund folgenden Fehlers nicht gestartet wurde:   %%31
 
Error - 28.11.2009 13:08:09 | Computer Name = PC-MARK | Source = Service Control Manager | ID = 7001
Description = Der Dienst "IPSEC-Dienste" ist vom Dienst "IPSEC-Treiber" abhängig,
 der aufgrund folgenden Fehlers nicht gestartet wurde:   %%31
 
Error - 28.11.2009 13:08:09 | Computer Name = PC-MARK | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
   AFD  AmdPPM  avgio  avipbb  ElbyCDIO  Fips  IPSec  MRxSmb  NetBIOS  NetBT  RasAcd  Rdbss  ssmdrv  Tcpip
 
Error - 28.11.2009 13:13:38 | Computer Name = PC-MARK | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "netman"
 mit den Argumenten ""  gestartet wurde, um den folgenden Server zu verwenden:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error - 28.11.2009 13:13:43 | Computer Name = PC-MARK | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "EventSystem"
 mit den Argumenten ""  gestartet wurde, um den folgenden Server zu verwenden:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
 
< End of report >
         

Alt 28.11.2009, 17:42   #13
Larusso
/// Selecta Jahrusso
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



  • ESET Online Scanner
    • Unterstützte Betriebssysteme: Microsoft Windows 98/ME/NT 4.0/2000/XP und Windows Vista
    • Anmerkung für Vista-User: Bitte den Browser unbedingt als Administrator starten.
    • Dein Anti-Virus-Programm während des Scans deaktivieren.
    • Button "ESET Online Scanner" drücken.
    • Firefox-User müssen ein zusätzliches Addon (esetsmartinstaller_enu.exe) installieren.
    • Das Firefox-Addon auf dem Desktop speichern und dann installieren.
    • IE-User müssen das Installieren eines ActiveX Elements erlauben.
    • Einen Haken bei "Remove found threads" und "Scan archives" machen.
    • Start drücken.
    • Signaturen werden heruntergeladen.
    • Der Scan beginnt automatisch.
    • Finish drücken.
    • Browser schließen.
    • Explorer öffnen.
    • C:\Programme\Eset\EsetOnlineScanner\log.txt suchen und mit Deinem Editor öffnen.
    • Logfile hier posten.
    • Deinstallation: Systemsteuerung => Software => Eset Online Scanner V3 entfernen.
    • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset
    • IE-User zusätzlich: mit HJT folgenden Eintrag fixen:
    • O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control)
__________________
mfg, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Lerne, zurück zu schlagen und unterstütze uns!
TB Akademie

Alt 28.11.2009, 18:52   #14
ruelzzzi
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Log file (log.txt) von ESET Online-Scanner:

Code:
ATTFilter
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6c92d867d1a92c428cc871e74c9ae28c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-28 06:31:42
# local_time=2009-11-28 07:31:42 (+0100, Westeuropäische Normalzeit)
# country="Germany"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 182050 58926336 68476 0
# compatibility_mode=8192 67108863 100 0 3774 3774 0 0
# scanned=220535
# found=0
# cleaned=0
# scan_time=2227
         

Alt 28.11.2009, 19:03   #15
Larusso
/// Selecta Jahrusso
 
Verdacht auf Mitglied in einem Botnetz - Standard

Verdacht auf Mitglied in einem Botnetz



Zweiter Lauf mit Gmer
  • Starte GMER erneut.
  • Dieses Mal machst Du einen Rechtsklick links in das weiße Feld und wählst im Kontext-Menü "Only non MS files".
  • Dann klickst Du auf "Scan" und erlaubst damit GMER erneut zu scannen.
  • Wenn der Scan fertig ist, klickst Du auf den "Copy"-Button, womit der Inhalt ins Clipboard kopiert wird.
  • Nun einen Rechtsklick auf den Desktop, wähle "Textdokument", was ein leeres Dokument auf dem Desktop erstellt.
  • Öffne das Textdokument per Doppelklick, Rechtsklick im Textfeld und "Einfügen".
  • Speichere das Dokument und poste mir den Inhalt hier in den Thread.
__________________
mfg, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Lerne, zurück zu schlagen und unterstütze uns!
TB Akademie

Antwort

Themen zu Verdacht auf Mitglied in einem Botnetz
antivir, antivir guard, avira, bho, bot, botnet, botnetz, desktop, excel, explorer, firefox, gigabyte, gservice, helper, hijack, hijackthis, hijackthis logfile, hkus\s-1-5-18, hotkey, icq, infiziert, internet, internet explorer, logfile, microsoft, mozilla, programme, system, toolbars, windows, windows xp



Ähnliche Themen: Verdacht auf Mitglied in einem Botnetz


  1. Mail von einem Bekannten mit einem Link auf eine fremde Seite
    Plagegeister aller Art und deren Bekämpfung - 04.08.2015 (3)
  2. Botnetz-Baukasten im Web veröffentlicht
    Nachrichten - 19.07.2015 (0)
  3. Mögliches Botnetz?
    Plagegeister aller Art und deren Bekämpfung - 05.07.2014 (10)
  4. Vielen Dank an Mitglied "deeprybka"
    Lob, Kritik und Wünsche - 06.05.2014 (1)
  5. Danke an das Mitglied Schrauber
    Lob, Kritik und Wünsche - 06.05.2014 (0)
  6. Verbindungsprobleme trotz aktiver Verbindung zum Router mit einem Gerät in einem bestimmten Netz
    Plagegeister aller Art und deren Bekämpfung - 08.07.2013 (13)
  7. Neues Mitglied der Gruppe "my start incredibar" - Ich möchte bitte weg :-)
    Log-Analyse und Auswertung - 01.05.2013 (24)
  8. Botnetz zombie ?
    Plagegeister aller Art und deren Bekämpfung - 15.12.2011 (35)
  9. Ich vermute das ich in einem botnetz bin
    Plagegeister aller Art und deren Bekämpfung - 02.10.2011 (3)
  10. [doppelt] Ich vermute das ich in einem botnetz bin
    Mülltonne - 01.10.2011 (2)
  11. Verdacht auf Botnetz
    Antiviren-, Firewall- und andere Schutzprogramme - 07.04.2011 (19)
  12. Platzverweis für CCC-Mitglied auf europäischem Polizeikongress
    Nachrichten - 03.02.2010 (0)
  13. Könnte ein Hilfreiches Forum Mitglied meinen Log aus lesen?
    Log-Analyse und Auswertung - 28.11.2007 (0)
  14. Sperrt Microsoft die FEstplatte nach einem Update mit einem nicht gekauften System??
    Alles rund um Windows - 14.11.2007 (1)
  15. Trojaner.Mitglied
    Plagegeister aller Art und deren Bekämpfung - 06.02.2004 (2)

Zum Thema Verdacht auf Mitglied in einem Botnetz - Hallo liebe Gemeinde, mir ist ein Verdacht aufgekommen, dass ich möglicherweise in einem Botnetz als Zombie-Computer mitwirke. Ich habe mir nähmlich Gedanken über meine Dsl-Geschwindigkeit gemacht, die nun schon seit - Verdacht auf Mitglied in einem Botnetz...
Archiv
Du betrachtest: Verdacht auf Mitglied in einem Botnetz auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.