TR/Dropper.Gen (Windows 7)
21.03.2010, 15:55 | #1
Hello everyone, I hope you can help me, because unfortunately I have no idea how to remove the Trojan from my PC.

A virus or unwanted program 'TR/Dropper.Gen' [trojan] was found in the file 'C:\Windows\Temp\ooek.tmp\svchost.exe'.

This message pops up in AntiVir about every 10-20 minutes, and it is not only getting on my nerves but also worrying me... Here is the HijackThis data:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:14, on 21.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\pdf24\pdf24.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2269050
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4955 bytes

Can you help me? If so, please explain as simply as possible what I should do and what I should leave alone, because I don't know my way around very well. Many thanks in advance!

anna
21.03.2010, 16:16 | #2
/// Helper Team
Hello and

To get a better look at your system, please carry out the following steps:

1.) Malwarebytes Anti-Malware
22.03.2010, 14:50 | #3
Thanks already for the first steps... So here is what I got from the malware scan:

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 471495
Time elapsed: 3 hour(s), 27 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\C alt\Users\Anna\Downloads\ALLES ALTE\CryptLoad_1.1.5\ocr\netload.in\asmCaptcha\test.exe (Malware.Packer) -> Quarantined and deleted successfully.

With the second step I don't get to the end; in between, this message keeps popping up:

AutoIt Error
Line -1
Error: Variable used without being declared

So unfortunately I have no idea what to do there. I had switched the firewall off. The AntiVir message (from my first post) still appears after deleting the malware, though. I've noticed that every time the AntiVir message appears, new folders are created under C:\Windows\Temp that are completely empty, and I can't see the file that AntiVir reports as infected anywhere either.

Best regards, anna
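The two observations in the posts above (an svchost.exe that Avira keeps finding under C:\Windows\Temp\ooek.tmp\, and HijackThis entries such as services with "Unknown owner" or a "(file missing)" path) are the kind of thing a responder checks mechanically before deciding what to remove. The Python script below is an added example for this thread, not code from the thread, from HijackThis, Avira or Malwarebytes. It assumes that a genuine svchost.exe on Windows 7 lives only in System32 or SysWOW64, it generalises the reported path to any <random>.tmp folder under Windows\Temp, and its sample lines are copied from the HijackThis log in the first post.

```python
r"""Triage helpers for the two symptoms described in this thread:
 - an executable called svchost.exe under C:\Windows\Temp\<random>.tmp\
   (the path Avira reported), i.e. a file borrowing a system binary's name;
 - HijackThis lines that deserve a second look (services with no publisher,
   entries whose file is missing, a start page that is not the default).
Added example; not code from the thread, HijackThis, Avira or Malwarebytes.
"""
import re
from pathlib import PureWindowsPath

# Assumption: on a stock Windows 7 install the real svchost.exe only lives here.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Assumption: the dropper's pattern from the first post, generalised to any
# <random>.tmp folder directly under the Windows Temp directory.
TEMP_DROP_RE = re.compile(r"^c:\\windows\\temp\\[^\\]+\.tmp\\[^\\]+\.exe$", re.IGNORECASE)

# "R0 - ...", "O23 - ..." entry lines; header and process-list lines do not match.
HJT_LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+)\s+-\s+(?P<rest>.*)$")

# Start pages an untouched IE 8 shows in the log above; HijackThis logs are
# often posted with http obfuscated as hxxp, so accept both spellings.
DEFAULT_START_PAGES = ("http://go.microsoft.com/fwlink/", "hxxp://go.microsoft.com/fwlink/")


def classify_path(path: str):
    """Return a reason string when a file path looks suspicious, else None."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    if p.name.lower() == "svchost.exe" and parent not in LEGIT_SVCHOST_DIRS:
        return "svchost.exe outside System32/SysWOW64"
    if TEMP_DROP_RE.match(str(p)):
        return "executable in a <random>.tmp folder under Windows Temp"
    return None


def triage_hijackthis(lines):
    """Return (kind, reason, detail) tuples for HijackThis entries worth checking."""
    findings = []
    for raw in lines:
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "O23" and "Unknown owner" in rest:
            findings.append((kind, "service without publisher", rest))
        if "(file missing)" in rest or rest.endswith("(no file)"):
            findings.append((kind, "referenced file missing", rest))
        if kind in ("R0", "R1") and "Start Page" in rest:
            _, _, url = rest.partition("=")
            url = url.strip()
            if url and not url.startswith(DEFAULT_START_PAGES):
                findings.append((kind, "non-default start page", url))
    return findings


# Sample lines copied from the HijackThis log in the first post of this thread.
SAMPLE_HJT = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2269050",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe",
    r"O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)",
    r"O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe",
]

if __name__ == "__main__":
    print(classify_path(r"C:\Windows\Temp\ooek.tmp\svchost.exe"))
    for kind, reason, detail in triage_hijackthis(SAMPLE_HJT):
        print(f"{kind:4} {reason}: {detail}")
```

Run as-is it prints the reason for the Avira path and five flagged HijackThis lines. Two caveats: "Unknown owner" only means HijackThis found no publisher string in the binary, and the ICQ and PnkBstrA (PunkBuster) entries are ordinary third-party components, so treat the flags as leads rather than verdicts; and HijackThis v2.0.2 neither recognises Windows 7 ("Unknown Windows (WinNT 6.01.3504)" in the header) nor lists scheduled tasks, so whatever re-creates the Temp folders every 10-20 minutes may persist somewhere this log does not show, which is one reason the helper later switches to OTL.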
22.03.2010, 15:09 | #4
/// Helper Team
The top part of the Malwarebytes log is missing - please post it. Try running RSIT as administrator (right-click -> Run as administrator). Then it should work.
22.03.2010, 16:39 | #5
*hops in briefly* RSIT doesn't run on Windows 7. You have to right-click rsit.exe, then "Properties", and under Compatibility set it to "XP". That's roughly how it should work; I don't have Windows 7. *hops out*
22.03.2010, 19:22 | #6
OK, so now it worked...:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Anna at 2010-03-22 19:17:15
Microsoft Windows 7 Ultimate Service Pack 3
System drive C: has 31 GB (27%) free of 114 GB
Total RAM: 3070 MB (79% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:25, on 22.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\pdf24\pdf24.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Anna\Downloads\RSIT(2).exe
C:\Program Files\Trend Micro\HijackThis\Anna.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5016 bytes

P.S. I think it's really sweet that you take the time to help me! Thanks again!
22.03.2010, 19:59 | #7
/// Helper Team
Sorry, I overlooked earlier that you are using Windows 7. So please do a pass with OTL: System scan with OTL by OldTimer
22.03.2010, 20:55 | #8
Here you go:

OTL logfile created on: 3/22/2010 8:49:39 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 30.03 Gb Free Space | 26.95% Space Free | Partition Type: NTFS
Drive D: | 104.90 Gb Total Space | 22.82 Gb Free Space | 21.76% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANNA-PC
Current User Name: Anna
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
PRC - [2010/03/17 12:56:54 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/15 10:40:54 | 000,207,504 | ---- | M] (Geek Software GmbH) -- C:\Program Files\pdf24\pdf24.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/18 02:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe
PRC - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

========== Modules (SafeList) ==========

MOD - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/03/10 17:29:28 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/01/04 20:55:00 | 003,404,560 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () [Auto | Running] -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

========== Driver Services (SafeList) ==========

DRV - [2010/03/19 19:05:05 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/12/07 19:03:21 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/08/18 03:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/14 02:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 02:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 02:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 02:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 02:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 02:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 02:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 02:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 02:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 02:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 02:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 02:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 02:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 02:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/14 02:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 02:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 02:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 02:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 02:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 02:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 02:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 02:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 02:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 02:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 02:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 02:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 02:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 02:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 02:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 02:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 02:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 02:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 02:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 02:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 02:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 02:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 02:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 02:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 02:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 01:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 01:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 01:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 00:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 00:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 00:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 00:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 00:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 00:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 00:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 00:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 00:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 00:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 00:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 00:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 00:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 00:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 00:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 00:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/14 00:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 00:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 23:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 23:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 23:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 23:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 23:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 23:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 23:13:48 | 001,035,776 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/07/13 23:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel(R)
DRV - [2009/07/13 23:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 23:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 23:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/07/13 23:02:47 | 000,047,104 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1E62x86.sys -- (L1E) NDIS Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller(NDIS6.20)
DRV - [2009/05/11 09:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "ICQ Search" FF - prefs.js..browser.search.defaultthis.engineName: "Search" FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}" FF - prefs.js..browser.search.selectedEngine: "ICQ Search" FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13" FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:1.1.5 FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198 FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q=" FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/17 12:57:09 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/17 12:57:06 | 000,000,000 | ---D | M] [2009/12/03 18:22:00 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Extensions [2010/03/22 19:29:03 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions [2009/12/08 13:30:11 | 000,000,000 | ---D | M] (DVDVideoSoft Toolbar) -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} [2009/12/08 18:38:56 | 000,000,881 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\conduit.xml [2010/03/21 10:33:54 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-1.xml [2010/02/20 12:54:17 | 000,000,961 | ---- | M] () -- 
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-2.xml [2010/03/18 21:32:48 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-3.xml [2008/03/31 09:52:00 | 000,000,168 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.gif [2008/03/31 09:52:00 | 000,000,618 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.src [2009/12/31 17:13:23 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.xml [2010/02/13 15:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2009/12/05 21:12:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07} [2010/02/13 15:54:35 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} [2010/03/17 12:56:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010/03/17 12:56:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml [2010/03/17 12:56:57 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010/03/17 12:56:57 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml [2010/03/17 12:56:57 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.) 
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ) O3 - HKLM\..\Toolbar: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.) O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoft Toolbar) - {E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe (Geek Software GmbH) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.) 
O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. 
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010/03/22 14:53:10 | 000,000,000 | ---D | C] -- C:\Windows\Sun [2010/03/22 14:11:25 | 000,000,000 | ---D | C] -- C:\Windows\temp [2010/03/22 03:59:43 | 000,000,000 | ---D | C] -- C:\rsit [2010/03/21 20:07:01 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Roaming\Malwarebytes [2010/03/21 20:06:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010/03/21 20:06:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010/03/21 20:06:54 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2010/03/21 20:06:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/03/21 12:55:00 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Local\Diagnostics [2010/03/21 12:32:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro [2010/03/21 11:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2010/03/20 04:30:08 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll [2010/03/20 04:30:08 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_5.dll [2010/03/20 04:30:08 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_5.dll [2010/03/20 04:30:07 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dcsx_42.dll [2010/03/20 04:30:07 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_41.dll 
[2010/03/20 04:30:07 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll [2010/03/20 04:30:07 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_41.dll [2010/03/20 04:30:07 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll [2010/03/20 04:30:07 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_41.dll [2010/03/20 04:30:07 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_42.dll [2010/03/20 04:30:06 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_4.dll [2010/03/20 04:30:06 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_4.dll [2010/03/20 04:30:06 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_3.dll [2010/03/20 04:30:06 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_6.dll [2010/03/20 04:30:05 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_40.dll [2010/03/20 04:30:05 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_40.dll [2010/03/20 04:30:05 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_3.dll [2010/03/20 04:30:05 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_2.dll [2010/03/20 04:30:05 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_40.dll [2010/03/20 04:30:05 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_3.dll [2010/03/20 04:30:05 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_2.dll [2010/03/20 04:30:05 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_1.dll [2010/03/20 04:30:05 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_5.dll [2010/03/20 04:30:04 | 003,851,784 
| ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_39.dll [2010/03/20 04:30:04 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_39.dll [2010/03/20 04:30:04 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_1.dll [2010/03/20 04:30:04 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_39.dll [2010/03/20 04:30:04 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_2.dll [2010/03/20 04:30:04 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_1.dll [2010/03/20 04:30:04 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_0.dll [2010/03/20 04:30:04 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_4.dll [2010/03/20 04:30:03 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_38.dll [2010/03/20 04:30:03 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_38.dll [2010/03/20 04:30:03 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_37.dll [2010/03/20 04:30:03 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_0.dll [2010/03/20 04:30:03 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_38.dll [2010/03/20 04:30:03 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_37.dll [2010/03/20 04:30:03 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_0.dll [2010/03/20 04:30:03 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_3.dll [2010/03/20 04:30:02 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_37.dll [2010/03/20 04:30:02 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_36.dll [2010/03/20 04:30:02 | 000,444,776 | ---- | C] (Microsoft 
Corporation) -- C:\Windows\System32\d3dx10_36.dll [2010/03/20 04:30:02 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_10.dll [2010/03/20 04:30:01 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_36.dll [2010/03/20 04:30:01 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_35.dll [2010/03/20 04:30:01 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_35.dll [2010/03/20 04:30:01 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_35.dll [2010/03/20 04:30:01 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_9.dll [2010/03/20 04:30:01 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_8.dll [2010/03/20 04:30:01 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_2.dll [2010/03/19 21:57:19 | 000,000,000 | ---D | C] -- C:\Program Files\THQ [2010/03/19 21:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra [2010/03/19 19:28:57 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_34.dll [2010/03/19 19:28:57 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_34.dll [2010/03/19 19:28:56 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_34.dll [2010/03/19 19:28:56 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_33.dll [2010/03/19 19:28:56 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_33.dll [2010/03/19 19:28:56 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_7.dll [2010/03/19 19:28:56 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll [2010/03/19 19:28:55 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_33.dll [2010/03/19 19:28:55 | 003,426,072 | ---- | C] 
(Microsoft Corporation) -- C:\Windows\System32\d3dx9_32.dll [2010/03/19 19:28:55 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_31.dll [2010/03/19 19:28:55 | 000,440,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10.dll [2010/03/19 19:28:55 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_6.dll [2010/03/19 19:28:55 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_5.dll [2010/03/19 19:28:55 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_4.dll [2010/03/19 19:28:55 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_1.dll [2010/03/19 19:28:54 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_3.dll [2010/03/19 19:28:54 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_2.dll [2010/03/19 19:28:54 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_1.dll [2010/03/19 19:28:54 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_2.dll [2010/03/19 19:28:54 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_1.dll [2010/03/19 19:28:50 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll [2010/03/19 19:28:50 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_29.dll [2010/03/19 19:28:50 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_0.dll [2010/03/19 19:28:50 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_0.dll [2010/03/19 19:28:49 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_25.dll [2010/03/19 19:28:49 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_28.dll [2010/03/19 19:28:49 | 002,319,568 | ---- | C] (Microsoft Corporation) -- 
C:\Windows\System32\d3dx9_27.dll [2010/03/19 19:28:49 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_26.dll [2010/03/19 19:28:49 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_24.dll [2010/03/19 19:22:00 | 000,000,000 | ---D | C] -- C:\Program Files\Activision [2010/03/19 19:10:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam [2010/03/19 19:04:38 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite [2010/03/19 19:04:03 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite [2010/03/19 18:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Steam [2010/03/14 20:17:52 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe [2010/03/14 17:30:48 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\SPIELE + CHAT MATTHIAS [2010/03/14 17:22:23 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\Bewerbung etc [2010/02/28 16:56:49 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Roaming\Advanced Chemistry Development [2010/02/28 14:02:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Advanced Chemistry Development [2010/02/28 14:01:07 | 000,000,000 | ---D | C] -- C:\Program Files\ACDFREE12 [2010/02/25 09:56:27 | 003,955,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2010/02/25 09:56:27 | 003,899,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe [2010/02/24 17:24:14 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll [2010/02/24 17:24:12 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll [2010/02/23 11:22:41 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0 [2010/02/22 16:04:43 | 000,000,000 | ---D | C] -- C:\ProgramData\CambridgeSoft [2010/02/22 15:47:31 | 000,000,000 | ---D | C] -- C:\Program Files\CambridgeSoft [2010/02/22 15:47:08 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations [2010/02/22 15:47:01 | 
000,000,000 | ---D | C] -- C:\CSTEMP ========== Files - Modified Within 30 Days ========== [2010/03/22 20:51:28 | 001,572,864 | -HS- | M] () -- C:\Users\Anna\NTUSER.DAT [2010/03/22 19:23:19 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2010/03/22 19:23:19 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2010/03/22 19:16:08 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2010/03/22 19:16:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010/03/22 19:15:56 | 2414,682,112 | -HS- | M] () -- C:\hiberfil.sys [2010/03/22 19:14:01 | 002,592,635 | -H-- | M] () -- C:\Users\Anna\AppData\Local\IconCache.db [2010/03/22 03:55:30 | 000,020,992 | ---- | M] () -- C:\Users\Anna\Desktop\Scan.doc [2010/03/21 20:06:59 | 000,000,987 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/03/21 13:30:29 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2010/03/21 13:30:29 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010/03/21 13:30:29 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010/03/21 12:35:51 | 000,002,047 | ---- | M] () -- C:\Users\Anna\Desktop\HijackThis.lnk [2010/03/21 11:52:53 | 000,001,839 | ---- | M] () -- C:\Users\Anna\Desktop\CCleaner.lnk [2010/03/20 03:03:14 | 000,022,328 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys [2010/03/19 19:27:11 | 000,000,319 | ---- | M] () -- C:\Windows\game.ini [2010/03/19 19:05:05 | 000,691,696 | ---- | M] () -- C:\Windows\System32\drivers\sptd.sys [2010/03/07 12:35:29 | 000,000,584 | ---- | M] () -- C:\Users\Anna\Documents\grstyles.stl [2010/02/24 10:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe ========== Files Created - No Company Name ========== [2010/03/22 03:55:28 | 000,020,992 | ---- | C] () -- 
C:\Users\Anna\Desktop\Scan.doc [2010/03/21 20:06:59 | 000,000,987 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/03/21 12:32:19 | 000,002,047 | ---- | C] () -- C:\Users\Anna\Desktop\HijackThis.lnk [2010/03/21 11:52:53 | 000,001,839 | ---- | C] () -- C:\Users\Anna\Desktop\CCleaner.lnk [2010/03/19 19:27:52 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys [2010/03/19 19:27:17 | 000,103,736 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe [2010/03/19 19:27:14 | 000,066,872 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe [2010/03/19 19:27:11 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini [2010/03/19 19:05:05 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys [2010/02/28 19:34:01 | 000,000,584 | ---- | C] () -- C:\Users\Anna\Documents\grstyles.stl [2010/02/13 16:05:41 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2009/12/04 19:19:37 | 000,000,403 | ---- | C] () -- C:\Windows\ODBC.INI [2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll [2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll [1999/01/22 20:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL < End of report > OTL Extras logfile created on: 3/22/2010 8:49:39 PM - Run 1 OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free 6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 111.44 Gb Total Space | 30.03 Gb Free Space | 26.95% Space Free | Partition Type: 
NTFS Drive D: | 104.90 Gb Total Space | 22.82 Gb Free Space | 21.76% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: ANNA-PC Current User Name: Anna Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 0 ========== Authorized Applications List ========== ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{00010407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional "{00040407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2 "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter "{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime "{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate "{20533183-D42D-4261-A125-956736FBEA8C}" = Dawn of War - Soulstorm "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT 
< End of report > |
23.03.2010, 19:02 | #10 |
| tr/ dropper.gen so da hab ich nun folgendes: GMER 1.0.15.15281 - hxxp://www.gmer.net Rootkit scan 2010-03-23 19:00:46 Windows 6.1.7600 Running: cgcd6oer.exe; Driver: C:\Users\Anna\AppData\Local\Temp\kgtdrpow.sys ---- System - GMER 1.0.15 ---- SSDT 8ED40964 ZwCreateThread SSDT 8ED40950 ZwOpenProcess SSDT 8ED40955 ZwOpenThread SSDT 8ED4095F ZwTerminateProcess INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33AF8 INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33104 INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E333F4 INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B634 INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B898 INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E331DC INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33958 INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E336F8 INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33F2C INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E341A8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82A4C5C9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A71052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] 
{LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 37C 82A7897C 4 Bytes [64, 09, D4, 8E] .text ntkrnlpa.exe!RtlSidHashLookup + 518 82A78B18 4 Bytes [50, 09, D4, 8E] .text ntkrnlpa.exe!RtlSidHashLookup + 538 82A78B38 4 Bytes [55, 09, D4, 8E] .text ntkrnlpa.exe!RtlSidHashLookup + 7E8 82A78DE8 4 Bytes [5F, 09, D4, 8E] ? System32\Drivers\spfb.sys The system cannot find the path specified. ! PAGE ataport.SYS!DllUnload + 1 8B38AAD7 2 Bytes JMP 853781D9 PAGE ataport.SYS!DllUnload + 4 8B38AADA 1 Byte [F9] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90E27000, 0x2D5378, 0xE8000020] .text USBPORT.SYS!DllUnload 91A50CA0 5 Bytes JMP 8661D4E0 .text am1q0gcd.SYS 93C4D00D 9 Bytes [C7, E1, 82, 48, EB, E1, 82, ...] .text am1q0gcd.SYS 93C4D017 20 Bytes [00, DE, A7, 1A, 8B, E6, A5, ...] .text am1q0gcd.SYS 93C4D02C 77 Bytes [00, 00, 00, 00, 00, 72, A4, ...] .text am1q0gcd.SYS 93C4D07A 19 Bytes [B2, 82, FB, 54, A2, 82, 23, ...] .text am1q0gcd.SYS 93C4D08E 51 Bytes [A7, 82, CC, 00, A5, 82, 78, ...] .text ... .text peauth.sys 9929BC9D 28 Bytes [5E, 06, 66, D2, E4, DD, 1F, ...] .text peauth.sys 9929BCC1 28 Bytes [5E, 06, 66, D2, E4, DD, 1F, ...] PAGE peauth.sys 992A1B9B 72 Bytes [27, EF, 65, 90, D5, 69, 8A, ...] PAGE peauth.sys 992A1BEC 111 Bytes [10, DC, E7, 3E, 7D, 74, ED, ...] PAGE peauth.sys 992A1E20 101 Bytes [66, AF, C1, 74, 48, 77, 6A, ...] PAGE ... .text iertutil.dll!ResetIEExtensibility + FFF4F9A7 76A8FA00 493 Bytes [00, 00, 00, 00, FF, FF, FF, ...] .text iertutil.dll!ResetIEExtensibility + FFF4FB95 76A8FBEE 759 Bytes [00, 00, 01, 00, 00, 00, 01, ...] .text iertutil.dll!ResetIEExtensibility + FFF4FE8D 76A8FEE6 333 Bytes [FF, FF, FF, 00, 00, 00, 00, ...] .text iertutil.dll!ResetIEExtensibility + FFF4FFDB 76A90034 872 Bytes [01, 00, 00, 00, EC, 1E, 97, ...] .text iertutil.dll!ResetIEExtensibility + FFF50344 76A9039D 42 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text ... 
---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 76F25360 5 Bytes JMP 002D000A .text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtWriteVirtualMemory 76F25EE0 5 Bytes JMP 002E000A .text C:\Windows\system32\svchost.exe[996] ntdll.dll!KiUserExceptionDispatcher 76F26448 5 Bytes JMP 0020000A .text C:\Windows\system32\svchost.exe[996] ole32.dll!CoCreateInstance 762957FC 5 Bytes JMP 0035000A .text C:\Windows\system32\svchost.exe[996] USER32.dll!GetCursorPos 76CDC198 5 Bytes JMP 0036000A ? C:\Windows\TEMP\riog.tmp\svchost.exe[2628] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; .text C:\Windows\Explorer.EXE[5456] ntdll.dll!NtProtectVirtualMemory 76F25360 5 Bytes JMP 0079000A .text C:\Windows\Explorer.EXE[5456] ntdll.dll!NtWriteVirtualMemory 76F25EE0 5 Bytes JMP 007A000A .text C:\Windows\Explorer.EXE[5456] ntdll.dll!KiUserExceptionDispatcher 76F26448 5 Bytes JMP 0025000A ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B0AE042] \SystemRoot\System32\Drivers\spfb.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B0AE6D6] \SystemRoot\System32\Drivers\spfb.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8B0AE800] \SystemRoot\System32\Drivers\spfb.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8B0AE13E] \SystemRoot\System32\Drivers\spfb.sys IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortNotification] 00147880 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortStallExecution] C25DC033 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008 IAT 
\SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortInitialize] 157B805E IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500 IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetTextColor] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!BitBlt] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ 
C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteObject] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetTextMetricsW] 00010000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!CreateCompatibleDC] 0000000A IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetDeviceCaps] 80000018 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkColor] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetObjectW] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkMode] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetTextColor] 00010000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetStockObject] 0000223A IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetStockObject] 80000030 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SelectObject] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SelectObject] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkMode] 00010000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteObject] 00000409 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetObjectW] 00000048 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!MoveToEx] 00006060 IAT 
C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteDC] 00001C00 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!CreateCompatibleDC] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!PatBlt] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkMode] 00905A4D IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!MoveToEx] 00000003 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetTextColor] 00000004 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!PatBlt] 0000FFFF IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!PatBlt] 000000B8 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetObjectW] 00000040 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteDC] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleHandleW] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentThreadId] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!SetEvent] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!VirtualAlloc] 
00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentProcessId] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleFileNameA] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!SetUnhandledExceptionFilter] 000000C8 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCommandLineA] 0EBA1F0E IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleHandleA] CD09B400 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!FormatMessageW] 4C01B821 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!MultiByteToWideChar] 685421CD IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!WaitForSingleObject] 70207369 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleFileNameA] 72676F72 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentThreadId] 63206D61 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!SetUnhandledExceptionFilter] 6F6E6E61 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!VirtualAlloc] 65622074 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCommandLineA] 6E757220 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!QueryPerformanceCounter] 206E6920 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!FormatMessageW] 20534F44 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ 
C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentProcessId] 65646F6D IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetTickCount] 0A0D0D2E IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetProcessHeap] 00000024 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentProcessId] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!LoadIconW] 2C56ACC8 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 2C56ACC8 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!LoadIconW] 2C56ACC8 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ReleaseDC] 2C0BA30B IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetSystemMetrics] 2C56ACC5 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SetTimer] 2C57ACC8 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetMessageW] 2C56ACEE IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 2C386AEF IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 2C56ACC9 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SendMessageW] 2C2E6AEF IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SetTimer] 2C56ACC9 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!PostMessageW] 68636952 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe 
[USER32.DLL!GetDC] 2C56ACC8 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ShowWindow] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SendMessageW] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SetSystemMenu] 00004550 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetMessageW] 0003014C IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 4BA36135 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDlgItem] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ReleaseDC] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ShowWindow] 210200E0 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 0008010B IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!PostMessageW] 00001600 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDC] 00000400 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetSystemMetrics] 00000000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetWindowRect] 00002323 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDlgItem] 00001000 IAT 
C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetMessageW] 00003000 IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 10000000 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8537F1F8 Device \Driver\volmgr \Device\VolMgrControl 8537A1F8 Device \Driver\usbuhci \Device\USBPDO-0 8661F4D8 Device \Driver\usbuhci \Device\USBPDO-1 8661F4D8 Device \Driver\usbehci \Device\USBPDO-2 86134500 Device \Driver\usbuhci \Device\USBPDO-3 8661F4D8 Device \Driver\usbuhci \Device\USBPDO-4 8661F4D8 Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\usbuhci \Device\USBPDO-5 8661F4D8 Device \Driver\usbehci \Device\USBPDO-6 86134500 Device \Driver\volmgr \Device\HarddiskVolume1 8537A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume2 8537A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 864751F8 Device \Driver\PCI_PNP4954 \Device\00000059 spfb.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{24324C87-9CDC-4711-B98D-0BF68DC6F68C} 8658F1F8 Device \Driver\volmgr \Device\HarddiskVolume3 8537A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom1 864751F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8537C1F8 Device \Driver\atapi 
\Device\Ide\IdePort0 8537C1F8 Device \Driver\atapi \Device\Ide\IdePort1 8537C1F8 Device \Driver\atapi \Device\Ide\IdePort2 8537C1F8 Device \Driver\atapi \Device\Ide\IdePort3 8537C1F8 Device \Driver\atapi \Device\Ide\IdePort4 8537C1F8 Device \Driver\msahci \Device\Ide\PciIde1Channel0 8537D1F8 Device \Driver\msahci \Device\Ide\PciIde1Channel1 8537D1F8 Device \Driver\msahci \Device\Ide\PciIde1Channel2 8537D1F8 Device \Driver\volmgr \Device\HarddiskVolume4 8537A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 8658F1F8 Device \Driver\usbuhci \Device\USBFDO-0 8661F4D8 Device \Driver\usbuhci \Device\USBFDO-1 8661F4D8 Device \Driver\usbehci \Device\USBFDO-2 86134500 Device \Driver\usbuhci \Device\USBFDO-3 8661F4D8 Device \Driver\sptd \Device\592010956 spfb.sys Device \Driver\usbuhci \Device\USBFDO-4 8661F4D8 Device \Driver\NetBT \Device\NetBT_Tcpip_{15E17943-BAB4-4B09-AAFF-DF2D183D862B} 8658F1F8 Device \Driver\usbuhci \Device\USBFDO-5 8661F4D8 Device \Driver\usbehci \Device\USBFDO-6 86134500 Device \Driver\am1q0gcd \Device\Scsi\am1q0gcd1Port5Path0Target0Lun0 866691F8 Device \Driver\am1q0gcd \Device\Scsi\am1q0gcd1 866691F8 Device -> \Driver\atapi \Device\Harddisk0\DR0 86151CA1 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f1c50b Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg 
HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0x87 0xE4 0xF5 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x29 0x60 0x18 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7A 0x40 0xF0 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f1c50b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD2 0x33 0xE1 0xB1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x29 0x60 0x18 ... 
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7A 0x40 0xF0 0xD8 ... ---- Files - GMER 1.0.15 ---- File C:\Windows\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ---- |
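The GMER log above ends with the two entries a helper reads first: the "File C:\Windows\system32\drivers\atapi.sys suspicious modification" line and the "Device -> \Driver\atapi \Device\Harddisk0\DR0" line, where GMER's arrow marks a device object reached through a driver object it considers hooked. As an added example (not part of this thread and not GMER's own code), the following Python script pulls those entry types out of GMER-style text and correlates them, so that a driver that is both modified on disk and behind a hooked device is reported as one escalated finding. The sample log is constructed from lines in the post, with one clearly labelled made-up non-Microsoft filter driver added; the regular expressions are my assumptions about GMER's line layout.

```python
"""Triage of GMER rootkit-scan output.

Added example, not code from the thread or from GMER. It reads the line
types GMER prints (Device, AttachedDevice, File) and returns the entries
a helper would look at first. The regexes encode assumptions about GMER's
text layout; the sample log is constructed from the post above.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: lines from the GMER log in the post, one per line
# (the forum flattened them), plus one made-up non-Microsoft filter driver
# so that the 'review' path is exercised.
SAMPLE_GMER_LOG = r"""
Device \Driver\atapi \Device\Ide\IdePort0 8537C1F8
Device \Driver\volmgr \Device\HarddiskVolume4 8537A1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 example_filter.sys (Constructed Filter Driver/Example Vendor)
Device \Driver\sptd \Device\592010956 spfb.sys
Device \Driver\am1q0gcd \Device\Scsi\am1q0gcd1 866691F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 86151CA1
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""


@dataclass
class Finding:
    kind: str       # "modified_file", "hooked_device" or "foreign_filter"
    severity: str   # "high": act on it; "review": verify by hand
    driver: str     # short driver name, lower-case, used for correlation
    reason: str
    line: str


# Assumed line layouts:
#   File <path> suspicious modification
#   Device -> \Driver\<name> \Device\<object> <address>
#   AttachedDevice \Driver\<name> \Device\<object> <file.sys> (<description>/<vendor>)
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$", re.IGNORECASE)
ARROW_RE = re.compile(r"^Device\s+->\s+\\Driver\\(\S+)\s+(\S+)")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+\\Driver\\(\S+)\s+(\S+)\s+(\S+)\s+\((.*)/(.*)\)$")

# Vendors whose filter drivers are not reported; an assumption to tune per environment.
TRUSTED_VENDORS = {"Microsoft Corporation"}


def triage_gmer(text: str) -> list:
    """Return the findings in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue                      # blank line or section banner
        m = FILE_RE.match(line)
        if m:
            path = PureWindowsPath(m.group(1))
            findings.append(Finding("modified_file", "high", path.stem.lower(),
                                    f"GMER reports an on-disk modification of {path}", line))
            continue
        m = ARROW_RE.match(line)
        if m:
            drv, dev = m.groups()
            findings.append(Finding("hooked_device", "high", drv.lower(),
                                    f"GMER '->' marker: device {dev} is reached through a hooked {drv} driver object", line))
            continue
        m = ATTACHED_RE.match(line)
        if m:
            _stack, dev, drvfile, desc, vendor = m.groups()
            if vendor.strip() not in TRUSTED_VENDORS:
                findings.append(Finding("foreign_filter", "review", PureWindowsPath(drvfile).stem.lower(),
                                        f"filter driver {drvfile} ({desc.strip()}, {vendor.strip()}) attached to {dev}", line))
    return findings


def hooked_and_modified(findings) -> set:
    """Drivers GMER both flags as modified on disk and shows behind a hooked device.
    The same driver appearing in both places is the pattern worth escalating."""
    modified = {f.driver for f in findings if f.kind == "modified_file"}
    hooked = {f.driver for f in findings if f.kind == "hooked_device"}
    return modified & hooked


if __name__ == "__main__":
    results = triage_gmer(SAMPLE_GMER_LOG)
    for f in results:
        print(f"[{f.severity}] {f.kind}: {f.reason}")
    print("modified and hooked:", sorted(hooked_and_modified(results)))
```

On the sample the script yields one review item (the constructed filter driver), two high items for atapi, and reports "atapi" as both modified and hooked; the Microsoft filter drivers (fvevol.sys, rdyboost.sys) are deliberately not listed, which is why the trusted-vendor set exists.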
26.03.2010, 14:57 | #11 |
/// Selecta Jahrusso | tr/ dropper.gen

STLb??? Leaving a user hanging is not good form.

Anna, please do the following. A clean-up can sometimes mean a lot of work for you.
Note: I can never give you a guarantee that I will find everything. A format is usually the faster and always the safest way. If you decide on a clean-up, please work through the following.

Vista and Win7 users: start all tools with right-click "Run as administrator".

Step 1: Temp File Cleaner
Please download TFC (by OldTimer) and save the file to the desktop. Now close all open programs and disconnect from the Internet. Double-click TFC.exe. If TFC cannot delete all files, it will request a restart. Please allow this.

Step 2: Please download defogger by jpshortstuff to your desktop.

Step 3: If you ever connect anything to the computer, such as memory sticks, memory cards, digital cameras, mobile phones, external drives, ... then plug everything in before the scan.
ComboFix
A guide and tutorial on using ComboFix
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.

Step 4: Custom scan with OTL
If you don't already have it, please download OTL by OldTimer and save it to your desktop
Code:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
Please post in your next reply:
Cofi.txt
OTL.txt
extras.txt
defogger_disable
__________________ Regards, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Learn to fight back and support us! TB Akademie |
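The /md5start ... /md5stop block in step 4 makes OTL print an MD5 for each of the listed boot-critical drivers, which is how a helper spots a patched atapi.sys like the one GMER flagged. As an added example (not OTL's code and not from this thread), here is the comparison side of that check in Python: hash the listed drivers and compare them with a baseline of hashes you trust, distinguishing a changed file from a missing one and from one you have no baseline for. The driver names come from the post's list; the baseline, the driver files and the tampering in demo() are constructed for the demonstration and are not real Windows driver hashes.

```python
"""Driver-file integrity check, the comparison half of OTL's /md5start block.

Added example; not OTL's code and not from the thread. OTL prints an MD5 for
each driver listed between /md5start and /md5stop so a helper can compare it
with a known-clean copy. This script does that comparison against a baseline
of hashes you trust (taken from the same files on a clean install of the same
Windows build). The demo baseline and files are constructed; they are not
real Windows driver hashes.
"""
import hashlib
import tempfile
from pathlib import Path

# Names from the /md5start list in the post above (a subset).
WATCHED_DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]


def file_hashes(path):
    """MD5 (what OTL prints, handy for matching its log) and SHA-256 (what the
    baseline comparison should rely on, since MD5 collisions are practical)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def check_drivers(driver_dir, baseline, names=WATCHED_DRIVERS):
    """Map each watched driver to 'ok', 'modified', 'missing' or 'no_baseline'.

    baseline: {lower-case file name: expected sha256 hex}. Names are lower-cased
    because NTFS file names are case-insensitive."""
    status = {}
    for name in names:
        path = Path(driver_dir) / name
        if not path.is_file():
            status[name] = "missing"        # an absent boot driver is itself a finding
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            status[name] = "no_baseline"    # nothing to compare against: report, do not guess
            continue
        _, sha = file_hashes(path)
        status[name] = "ok" if sha == expected else "modified"
    return status


def demo():
    """Constructed scenario: one tampered driver, one deleted, one without a baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp)
        clean = {
            "atapi.sys": b"constructed clean atapi bytes",
            "iaStor.sys": b"constructed clean iastor bytes",
            "nvstor.sys": b"constructed clean nvstor bytes",
            "AGP440.sys": b"constructed clean agp440 bytes",
        }
        for name, data in clean.items():
            (drivers / name).write_bytes(data)
        # Baseline recorded from the clean copies; nvstor.sys deliberately left out.
        baseline = {n.lower(): hashlib.sha256(d).hexdigest()
                    for n, d in clean.items() if n != "nvstor.sys"}
        # Simulate what the scans in this thread found: atapi.sys changed on disk.
        (drivers / "atapi.sys").write_bytes(clean["atapi.sys"] + b" tampered")
        (drivers / "AGP440.sys").unlink()
        return check_drivers(drivers, baseline)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:12s} {state}")
```

The baseline must come from a clean copy of the same Windows build, because legitimate updates also change these hashes (the ComboFix log further down shows mrxsmb.sys and others replaced by an update in February); a "modified" verdict therefore means "differs from the copy you trust", and the file still has to be checked against the vendor's signed version before it is replaced.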
27.03.2010, 10:27 | #12 |
| tr/ dropper.gen When I ran the OTL scan, though, I did not get the second text file extras.txt. Here are the remaining logs:
DEFOGGER defogger_disable by jpshortstuff (23.02.10.1) Log created at 09:30 on 27/03/2010 (Anna) Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... Unable to read sptd.sys SPTD -> Disabled (Service running -> reboot required) -=E.O.F=- COFIX ComboFix 10-03-26.02 - Anna 27.03.2010 9:43.1.2 - x86 Microsoft Windows 7 Ultimate 6.1.7600.0.1252.49.1033.18.3070.2541 [GMT 1:00] ausgeführt von:: c:\users\Anna\Desktop\cofi.exe . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . Infizierte Kopie von c:\windows\system32\DRIVERS\atapi.sys wurde gefunden und desinfiziert Kopie von - Kitty ate it wurde wiederhergestellt . ((((((((((((((((((((((( Dateien erstellt von 2010-02-27 bis 2010-03-27 )))))))))))))))))))))))))))))) . 2010-03-27 08:38 . 2010-03-27 08:39 -------- d-----w- C:\32788R22FWJFW 2010-03-22 13:53 . 2010-03-22 13:53 -------- d-----w- c:\windows\Sun 2010-03-22 02:59 . 2010-03-22 18:09 -------- d-----w- C:\rsit 2010-03-21 19:07 . 2010-03-21 19:07 -------- d-----w- c:\users\Anna\AppData\Roaming\Malwarebytes 2010-03-21 19:06 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-03-21 19:06 . 2010-03-21 19:06 -------- d-----w- c:\programdata\Malwarebytes 2010-03-21 19:06 . 2010-03-21 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-03-21 19:06 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-21 11:55 . 2010-03-21 11:55 -------- d-----w- c:\users\Anna\AppData\Local\Diagnostics 2010-03-21 11:32 . 2010-03-21 11:32 -------- d-----w- c:\program files\Trend Micro 2010-03-21 10:52 . 2010-03-21 10:52 -------- d-----w- c:\program files\CCleaner 2010-03-19 21:22 . 
2010-03-19 21:22 -------- d-----w- c:\users\Matthias\AppData\Roaming\InstallShield 2010-03-19 21:04 . 2010-03-19 21:04 8192 ----a-r- c:\users\Matthias\AppData\Roaming\Microsoft\Installer\{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}\IconD0B36BAF3.exe 2010-03-19 21:04 . 2010-03-19 21:04 6144 ----a-r- c:\users\Matthias\AppData\Roaming\Microsoft\Installer\{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}\Icon83F12F734.exe 2010-03-19 21:04 . 2010-03-19 21:04 11264 ----a-r- c:\users\Matthias\AppData\Roaming\Microsoft\Installer\{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}\Icon8F99E711.exe 2010-03-19 20:57 . 2010-03-19 22:15 -------- d-----w- c:\program files\THQ 2010-03-19 20:46 . 2010-03-19 20:46 -------- d-----w- c:\users\Matthias\AppData\Local\Diagnostics 2010-03-19 20:41 . 2010-03-19 20:41 -------- d-----w- c:\program files\Sierra 2010-03-19 18:34 . 2010-03-19 18:34 -------- d-----w- c:\users\Matthias\AppData\Local\PunkBuster 2010-03-19 18:27 . 2010-03-20 02:03 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2010-03-19 18:27 . 2010-03-19 18:27 22328 ----a-w- c:\users\Matthias\AppData\Roaming\PnkBstrK.sys 2010-03-19 18:27 . 2010-03-20 02:03 103736 ----a-w- c:\windows\system32\PnkBstrB.exe 2010-03-19 18:27 . 2010-03-19 18:34 66872 ----a-w- c:\windows\system32\PnkBstrA.exe 2010-03-19 18:22 . 2010-03-19 18:22 -------- d-----w- c:\program files\Activision 2010-03-19 18:10 . 2010-03-19 18:10 -------- d-----w- c:\program files\Common Files\Steam 2010-03-19 18:05 . 2010-03-19 18:05 691696 ----a-w- c:\windows\system32\drivers\sptd.sys 2010-03-19 18:04 . 2010-03-19 18:05 -------- d-----w- c:\program files\DAEMON Tools Lite 2010-03-19 18:04 . 2010-03-19 18:19 -------- d-----w- c:\users\Matthias\AppData\Roaming\DAEMON Tools Lite 2010-03-19 18:04 . 2010-03-19 18:04 -------- d-----w- c:\programdata\DAEMON Tools Lite 2010-03-19 17:55 . 2010-03-19 18:05 -------- d-----w- c:\program files\Steam 2010-03-14 19:17 . 
2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe 2010-03-14 17:36 . 2010-03-14 17:36 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll 2010-02-28 15:56 . 2010-02-28 18:27 -------- d-----w- c:\users\Anna\AppData\Roaming\Advanced Chemistry Development 2010-02-28 13:02 . 2010-02-28 13:02 -------- d-----w- c:\programdata\Advanced Chemistry Development 2010-02-28 13:01 . 2010-02-28 13:01 -------- d-----w- c:\program files\ACDFREE12 2010-02-28 13:00 . 2010-02-28 13:02 -------- d-----w- c:\users\Matthias\AppData\Roaming\Advanced Chemistry Development 2010-02-25 08:56 . 2009-12-08 11:40 3955288 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-25 08:56 . 2009-12-08 11:40 3899464 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-25 08:56 . 2009-12-08 11:32 292864 ----a-w- c:\windows\system32\apphelp.dll . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-26 12:48 . 2009-12-05 20:04 -------- d-----w- c:\users\Matthias\AppData\Roaming\ICQ 2010-03-26 12:47 . 2010-02-13 15:00 -------- d-----w- c:\users\Matthias\AppData\Roaming\Skype 2010-03-26 12:46 . 2010-02-13 15:05 -------- d-----w- c:\users\Matthias\AppData\Roaming\skypePM 2010-03-22 19:45 . 2010-01-06 14:33 -------- d-----w- c:\program files\Warcraft III 2010-03-19 22:15 . 2009-12-05 20:12 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-03-19 20:39 . 2010-01-04 18:33 -------- d-----w- c:\program files\Common Files\InstallShield 2010-02-24 09:16 . 2009-12-03 17:34 181632 ------w- c:\windows\system32\MpSigStub.exe 2010-02-23 10:22 . 2010-02-23 10:22 -------- d-----w- c:\program files\MSXML 4.0 2010-02-22 15:04 . 2010-02-22 15:04 -------- d-----w- c:\programdata\CambridgeSoft 2010-02-22 14:47 . 2010-02-22 14:47 -------- d-----w- c:\program files\CambridgeSoft 2010-02-18 15:07 . 
2010-02-18 15:07 1170240 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll 2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\users\Matthias\AppData\Roaming\teamspeak2 2010-02-17 15:28 . 2010-02-17 15:28 -------- d-----w- c:\program files\Common Files\INCA Shared 2010-02-17 15:11 . 2010-02-17 15:11 -------- d-----w- c:\program files\gPotato.eu 2010-02-17 12:40 . 2010-02-17 12:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf 2010-02-15 10:11 . 2010-02-13 15:00 -------- d-----w- c:\users\Anna\AppData\Roaming\Skype 2010-02-13 15:05 . 2010-02-13 15:05 56 ---ha-w- c:\programdata\ezsidmv.dat 2010-02-13 14:54 . 2010-02-13 14:54 -------- d-----r- c:\program files\Skype 2010-02-13 14:54 . 2010-02-13 14:54 -------- d-----w- c:\program files\Common Files\Skype 2010-02-13 14:54 . 2010-02-13 14:54 -------- d-----w- c:\programdata\Skype 2010-02-02 07:45 . 2010-02-24 16:24 2048 ----a-w- c:\windows\system32\tzres.dll 2010-01-31 11:54 . 2010-01-31 11:54 -------- d-----w- c:\users\Matthias\AppData\Roaming\ratiopharm 2010-01-17 21:00 . 2010-01-17 21:00 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll 2010-01-17 21:00 . 2010-01-17 21:00 1195328 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll 2010-01-16 08:49 . 2010-01-16 08:44 7827616 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate34.exe 2010-01-16 08:49 . 2010-01-16 08:44 7209992 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate33.exe 2010-01-16 08:49 . 2010-01-16 08:44 8478264 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate32.exe 2010-01-16 08:49 . 2010-01-16 08:44 8411368 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate31.exe 2010-01-16 08:48 . 2010-01-16 08:43 7969976 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate30.exe 2010-01-16 08:48 . 
2010-01-16 08:43 7582984 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate29.exe 2010-01-16 08:48 . 2010-01-16 08:41 7565760 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate28.exe 2010-01-08 03:18 . 2010-02-11 08:54 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys 2010-01-08 03:17 . 2010-02-11 08:54 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-01-06 14:47 . 2010-01-06 14:39 55368 ----a-w- c:\windows\War3Unin.dat 2010-01-06 14:46 . 2010-01-06 14:39 2829 ----a-w- c:\windows\War3Unin.pif 2010-01-06 14:46 . 2010-01-06 14:39 139264 ----a-w- c:\windows\War3Unin.exe 2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll 2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat 2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2009-11-09 2331672] [HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}] 2009-11-09 17:38 2331672 ----a-w- c:\program files\DVDVideoSoft\tbDVDV.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2009-11-09 2331672] [HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2009-11-09 2331672] [HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-13 149280] "PDFPrint"="c:\program files\pdf24\pdf24.exe" [2009-12-15 207504] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672] " Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-4 113664] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 
65588] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux1"=wdmaud.drv [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys] @="FSFilter System Recovery" R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224] R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-01-04 3404560] R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-19 691696] S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128] S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289] S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2009-08-16 222968] S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168] . . ------- Zusätzlicher Suchlauf ------- . 
FF - ProfilePath - c:\users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - ICQ Search FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13 FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q= FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL ---- FIREFOX Richtlinien ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla 
Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "hxxp://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 
pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . - - - - Entfernte verwaiste Registrierungseinträge - - - - SafeBoot-dmboot.sys SafeBoot-dmio.sys SafeBoot-dmload.sys SafeBoot-dmadmin SafeBoot-dmserver SafeBoot-SRService AddRemove-Steam App 3730 - g:\steam\steam.exe [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 "MSCurrentCountry"=dword:000000b5 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Weitere laufende Prozesse ------------------------ . c:\windows\system32\atieclxx.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\windows\system32\PnkBstrA.exe c:\windows\system32\taskhost.exe c:\windows\system32\conhost.exe c:\windows\system32\sppsvc.exe c:\program files\Windows Media Player\wmpnetwk.exe . ************************************************************************** . 
Zeit der Fertigstellung: 2010-03-27 09:54:58 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2010-03-27 08:54 Vor Suchlauf: 33.872.986.112 bytes free Nach Suchlauf: 33.770.127.360 bytes free - - End Of File - - 4273F35DC451A9984738F8B106155EAD OTL OTL logfile created on: 3/27/2010 10:13:09 AM - Run 3 OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free 6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 111.44 Gb Total Space | 31.52 Gb Free Space | 28.28% Space Free | Partition Type: NTFS Drive D: | 104.90 Gb Total Space | 22.86 Gb Free Space | 21.79% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: ANNA-PC Current User Name: Anna Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe PRC - [2009/12/15 10:40:54 | 000,207,504 | ---- | M] (Geek Software GmbH) -- C:\Program Files\pdf24\pdf24.exe PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009/08/18 02:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe PRC - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe PRC - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe PRC - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2009/03/02 12:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe ========== Modules (SafeList) ========== MOD - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll MOD - [2009/07/14 
02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll MOD - [2009/07/14 02:15:21 | 000,093,696 | ---- | M] (Windows (R) Codename Longhorn DDK provider) -- C:\Windows\System32\fms.dll MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - [2010/03/10 17:29:28 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service) SRV - [2010/01/04 20:55:00 | 003,404,560 | ---- | M] (INCA Internet Co., Ltd.) 
[On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc) SRV - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility) SRV - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () [Auto | Running] -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service) SRV - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc) SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc) SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power) SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes) SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify) SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper) SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc) SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc) SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc) SRV - 
[2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider) SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg) SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener) SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache) SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp) SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc) SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC) SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV) SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc) SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc) SRV - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - 
C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.) IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/ IE - HKCU\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.) IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "ICQ Search" FF - prefs.js..browser.search.defaultthis.engineName: "Search" FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}" FF - prefs.js..browser.search.selectedEngine: "ICQ Search" FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13" FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:1.1.5 FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198 FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q=" FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/17 12:57:09 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/17 12:57:06 | 000,000,000 | ---D | M] [2009/12/03 18:22:00 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Extensions [2010/03/23 19:50:53 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions [2009/12/08 13:30:11 | 000,000,000 | ---D | M] (DVDVideoSoft Toolbar) -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} [2009/12/08 18:38:56 | 000,000,881 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\conduit.xml [2010/03/21 10:33:54 
| 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-1.xml [2010/02/20 12:54:17 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-2.xml [2010/03/18 21:32:48 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-3.xml [2008/03/31 09:52:00 | 000,000,168 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.gif [2008/03/31 09:52:00 | 000,000,618 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.src [2009/12/31 17:13:23 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.xml [2010/02/13 15:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2009/12/05 21:12:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07} [2010/02/13 15:54:35 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} [2010/03/17 12:56:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010/03/17 12:56:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml [2010/03/17 12:56:57 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010/03/17 12:56:57 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml [2010/03/17 12:56:57 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2010/03/27 09:51:52 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - 
Hosts: 127.0.0.1 localhost O2 - BHO: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.) O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ) O3 - HKLM\..\Toolbar: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.) O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoft Toolbar) - {E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe (Geek Software GmbH) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.) 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. 
File not found O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 14 Days ========== [2010/03/27 09:51:57 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN [2010/03/27 09:50:40 | 000,000,000 | ---D | C] -- C:\Windows\temp [2010/03/27 09:50:40 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Local\temp [2010/03/27 09:39:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2010/03/27 09:39:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2010/03/27 09:39:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2010/03/27 09:39:16 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT [2010/03/27 09:39:13 | 000,000,000 | ---D | C] -- C:\cofi [2010/03/27 09:38:46 | 000,000,000 | ---D | C] -- C:\Qoobox [2010/03/27 09:38:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe [2010/03/27 09:38:23 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW [2010/03/27 09:33:02 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\Trojaner [2010/03/24 21:23:57 | 000,000,000 | ---D | C] -- C:\Windows\Minidump [2010/03/22 14:53:10 | 000,000,000 | ---D | C] -- C:\Windows\Sun [2010/03/22 03:59:43 | 000,000,000 | ---D | C] -- C:\rsit [2010/03/21 20:07:01 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Roaming\Malwarebytes [2010/03/21 20:06:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010/03/21 20:06:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010/03/21 20:06:54 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- 
C:\Windows\System32\drivers\mbam.sys [2010/03/21 20:06:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/03/21 12:55:00 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Local\Diagnostics [2010/03/21 12:32:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro [2010/03/21 11:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2010/03/19 21:57:19 | 000,000,000 | ---D | C] -- C:\Program Files\THQ [2010/03/19 21:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra [2010/03/19 19:22:00 | 000,000,000 | ---D | C] -- C:\Program Files\Activision [2010/03/19 19:10:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam [2010/03/19 19:05:05 | 000,691,696 | ---- | C] (Duplex Secure Ltd.) -- C:\Windows\System32\drivers\sptd.sys [2010/03/19 19:04:38 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite [2010/03/19 19:04:03 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite [2010/03/19 18:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Steam [2010/03/14 17:30:48 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\SPIELE + CHAT MATTHIAS [2010/03/14 17:22:23 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\Bewerbung etc ========== Files - Modified Within 14 Days ========== [2010/03/27 10:13:30 | 001,572,864 | -HS- | M] () -- C:\Users\Anna\NTUSER.DAT [2010/03/27 09:58:58 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2010/03/27 09:58:58 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2010/03/27 09:52:03 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini [2010/03/27 09:51:52 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts [2010/03/27 09:51:26 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2010/03/27 09:51:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010/03/27 09:51:17 | 
2414,682,112 | -HS- | M] () -- C:\hiberfil.sys [2010/03/27 09:35:07 | 003,903,606 | R--- | M] () -- C:\Users\Anna\Desktop\cofi.exe [2010/03/27 09:30:43 | 001,292,140 | -H-- | M] () -- C:\Users\Anna\AppData\Local\IconCache.db [2010/03/27 09:30:25 | 000,000,020 | ---- | M] () -- C:\Users\Anna\defogger_reenable [2010/03/24 21:23:52 | 508,247,827 | ---- | M] () -- C:\Windows\MEMORY.DMP [2010/03/22 21:26:54 | 000,132,608 | ---- | M] () -- C:\Users\Anna\Desktop\Scan.doc [2010/03/21 20:06:59 | 000,000,987 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/03/21 13:30:29 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2010/03/21 13:30:29 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010/03/21 13:30:29 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010/03/21 12:35:51 | 000,002,047 | ---- | M] () -- C:\Users\Anna\Desktop\HijackThis.lnk [2010/03/21 11:52:53 | 000,001,839 | ---- | M] () -- C:\Users\Anna\Desktop\CCleaner.lnk [2010/03/20 03:03:14 | 000,022,328 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys [2010/03/19 19:27:11 | 000,000,319 | ---- | M] () -- C:\Windows\game.ini [2010/03/19 19:05:05 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) 
-- C:\Windows\System32\drivers\sptd.sys ========== Files Created - No Company Name ========== [2010/03/27 09:39:34 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe [2010/03/27 09:39:34 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2010/03/27 09:39:34 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2010/03/27 09:39:34 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe [2010/03/27 09:39:34 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2010/03/27 09:35:03 | 003,903,606 | R--- | C] () -- C:\Users\Anna\Desktop\cofi.exe [2010/03/27 09:30:12 | 000,000,020 | ---- | C] () -- C:\Users\Anna\defogger_reenable [2010/03/24 21:23:52 | 508,247,827 | ---- | C] () -- C:\Windows\MEMORY.DMP [2010/03/22 03:55:28 | 000,132,608 | ---- | C] () -- C:\Users\Anna\Desktop\Scan.doc [2010/03/21 20:06:59 | 000,000,987 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/03/21 12:32:19 | 000,002,047 | ---- | C] () -- C:\Users\Anna\Desktop\HijackThis.lnk [2010/03/21 11:52:53 | 000,001,839 | ---- | C] () -- C:\Users\Anna\Desktop\CCleaner.lnk [2010/03/19 19:27:52 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys [2010/03/19 19:27:17 | 000,103,736 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe [2010/03/19 19:27:14 | 000,066,872 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe [2010/03/19 19:27:11 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini [2010/02/13 16:05:41 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2009/12/04 19:19:37 | 000,000,403 | ---- | C] () -- C:\Windows\ODBC.INI [2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll [2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll [1999/01/22 20:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL ========== LOP Check ========== [2010/02/28 19:27:29 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Advanced Chemistry Development [2009/12/20 
18:48:54 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\ICQ [2010/01/16 09:40:23 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\ratiopharm [2010/02/16 08:51:38 | 000,032,612 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\ERDNT\cache\AGP440.sys [2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys [2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys [2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys < MD5 for: ATAPI.SYS > [2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\ERDNT\cache\atapi.sys [2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys [2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys [2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys < MD5 for: CNGAUDIT.DLL > [2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache\cngaudit.dll [2009/07/14 
02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll [2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll < MD5 for: IASTORV.SYS > [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys < MD5 for: NETLOGON.DLL > [2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\ERDNT\cache\netlogon.dll [2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll [2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll < MD5 for: NVSTOR.SYS > [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- 
C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys
< MD5 for: SCECLI.DLL >
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll
< %systemroot%\*. /mp /s >
< %systemroot%\system32\*.dll /lockedfiles >
< %systemroot%\Tasks\*.job /lockedfiles >
< %systemroot%\system32\drivers\*.sys /lockedfiles >
< %systemroot%\System32\config\*.sav >
< End of report >
Best regards, Anna
27.03.2010, 12:38 | #13 |
/// Selecta Jahrusso | tr/ dropper.gen
Well done. I see you have already run OTL, so there is no new extras.txt.
Step 1
Please uninstall DVDVideoSoft Toolbar.
Step 2
Code:
:OTL
IE - HKLM\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13"
FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q="
[2009/12/08 13:30:11 | 000,000,000 | ---D | M] (DVDVideoSoft Toolbar) -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}
O2 - BHO: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoft Toolbar) - {E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
:Commands
[purity]
[emptytemp]
Step 3
Please update Malwarebytes and run it again (a quick scan is enough).
Step 4
Please switch on any external hard drives you have during the online scans! Please disable all background guards (anti-virus program, firewall, script blocking and the like) during the scans, and don't forget to switch everything back on afterwards.
Step 5
Start OTL.exe and click the Quick Scan button.
Please post in your next reply:
the MBAM log
the ESET log
OTL.txt
Report whether the computer is still causing problems.
__________________
Regards, Daniel
ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators
Learn to fight back and support us! TB Akademie
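The :OTL fix list above was assembled by hand from the user's log: every browser entry that references the DVDVideoSoft/Conduit toolbar CLSID or the search.conduit.com redirect host. As an added example (not part of this thread and not code from the OTL tool), the following Python script does that selection automatically over OTL-style log lines. The sample lines are copied from the log posted earlier in the thread; the CLSID and host are the ones that appear there; the regex names and function names are my own.

```python
"""
Flag browser-hijack entries in an OTL-style log.

Added example, not from the forum thread or from OTL: it mimics how a helper
picks the lines for an :OTL fix section. SAMPLE_LOG is built from lines that
appear in the thread; HIJACK_CLSIDS and HIJACK_HOSTS are the indicators the
helper's fix list targets.
"""
import re
from typing import Iterable

# Indicators taken from the thread: the DVDVideoSoft/Conduit toolbar CLSID
# and the search-redirect host written into the Firefox prefs.
HIJACK_CLSIDS = {"{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"}
HIJACK_HOSTS = {"search.conduit.com"}

# OTL prefixes that describe browser configuration or browser load points
# (IE/FF prefs, BHOs, toolbars, IE policies, dated file/folder entries).
BROWSER_PREFIX = re.compile(r"^(IE - |FF - |O2 - |O3 - |O7 - |\[\d{4}/\d\d/\d\d)")
# A COM CLSID in braces, case-insensitive (OTL prints both cases).
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# Host part of a URL; OTL defangs URLs as hxxp://, so accept both spellings.
HOST_RE = re.compile(r"h(?:xx|tt)ps?://([^/\"\s?]+)", re.I)


def is_hijack_entry(line: str) -> bool:
    """True if a browser-related OTL line references a known hijack CLSID or host."""
    if not BROWSER_PREFIX.match(line):
        return False
    clsids = {m.lower() for m in CLSID_RE.findall(line)}
    if clsids & HIJACK_CLSIDS:
        return True
    hosts = {m.lower() for m in HOST_RE.findall(line)}
    return bool(hosts & HIJACK_HOSTS)


def build_fix_list(lines: Iterable[str]) -> list[str]:
    """Collect the flagged lines, in log order, as they would go under :OTL."""
    return [ln.strip() for ln in lines if is_hijack_entry(ln.strip())]


# Constructed sample: a handful of lines copied from the OTL log in this thread.
SAMPLE_LOG = """\
IE - HKCU\\SOFTWARE\\Microsoft\\Internet Explorer\\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\\..\\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\\Program Files\\DVDVideoSoft\\tbDVDV.dll (Conduit Ltd.)
FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13"
FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q="
O2 - BHO: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\\Program Files\\DVDVideoSoft\\tbDVDV.dll (Conduit Ltd.)
O3 - HKLM\\..\\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\\Program Files\\ICQ6Toolbar\\ICQToolBar.dll (ICQ)
O3 - HKCU\\..\\Toolbar\\WebBrowser: (DVDVideoSoft Toolbar) - {E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - C:\\Program Files\\DVDVideoSoft\\tbDVDV.dll (Conduit Ltd.)
O4 - HKLM..\\Run: [avgnt] C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe (Avira GmbH)
"""

if __name__ == "__main__":
    print(":OTL")
    for entry in build_fix_list(SAMPLE_LOG.splitlines()):
        print(entry)
```

Running it prints the five lines tied to the Conduit toolbar (the two URLSearchHook/BHO/toolbar entries with either spelling of the CLSID and the three Firefox prefs pointing at search.conduit.com) and leaves the msn.com start page, the ICQ toolbar and the Avira Run entry alone, which matches the selection in the helper's fix list.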
27.03.2010, 18:37 | #14 |
tr/ dropper.gen
OTL
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Prefs.js: "Search" removed from browser.search.defaultthis.engineName
Prefs.js: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Prefs.js: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13" removed from browser.startup.homepage
Prefs.js: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q=" removed from keyword.URL
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\searchplugin folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\META-INF folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\lib folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\defaults folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\components folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\chrome folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Anna
->Temp folder emptied: 157053 bytes
->Temporary Internet Files folder emptied: 413390 bytes
->Java cache emptied: 12118713 bytes
->FireFox cache emptied: 47128006 bytes
->Flash cache emptied: 434 bytes
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Matthias
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 57.00 mb
OTL by OldTimer - Version 3.1.37.3 log created on 03272010_132744
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
MBAM
Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3920
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
27.03.2010 13:39:36
mbam-log-2010-03-27 (13-39-36).txt
Scan-Methode: Quick-Scan
Durchsuchte Objekte: 118106
Laufzeit: 4 minute(s), 4 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0
Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden)
Infizierte Speichermodule: (Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden)
Infizierte Dateien: (Keine bösartigen Objekte gefunden)
ESET
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d102974ad4e93e438a82bf422985e46d
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-27 04:30:05
# local_time=2010-03-27 05:30:05 (+0100, W. Europe Standard Time)
# country="Germany"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 526431 526431 0 0
# compatibility_mode=1797 16775165 100 94 4665 45209276 5813 0
# compatibility_mode=5893 16776573 100 94 99278 22146560 0 0
# compatibility_mode=8192 67108863 100 0 3694 3694 0 0
# scanned=320926
# found=7
# cleaned=7
# scan_time=13435
C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan (cleaned - quarantined) 00000000000000000000000000000000 C
D:\C alt\Program Files\Acer Arcade Deluxe\PlayMovie\CBS.dll probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\C alt\Program Files\Acer Arcade Deluxe\PlayMovie\VideoFilter\cl264dec.ax probably a variant of Win32/Hupigon trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\C alt\Program Files\Acer Arcade Deluxe\PlayMovie\VideoFilter\cldabc.dll probably a variant of Win32/Hupigon trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\C alt\Users\Anna\AppData\Local\Temp\NERO1003378\unit_app_75\Toolbar.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\C alt\Users\Anna\Downloads\ALLES ALTE\Nero-9.2.6.0_trial(3).exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
D:\C alt\Users\Anna\Downloads\ALLES ALTE\Nero-9.2.6.0_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
OTL STEP 5
OTL logfile created on: 3/27/2010 6:28:58 PM - Run 4
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
6.00 Gb Paging File | 5.00 Gb
Available in Paging File | 81.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 111.44 Gb Total Space | 29.82 Gb Free Space | 26.76% Space Free | Partition Type: NTFS Drive D: | 104.90 Gb Total Space | 23.60 Gb Free Space | 22.50% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: ANNA-PC Current User Name: Anna Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010/03/27 13:30:30 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe PRC - [2010/01/07 16:07:10 | 001,394,000 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe PRC - [2009/12/15 10:40:54 | 000,207,504 | ---- | M] (Geek Software GmbH) -- C:\Program Files\pdf24\pdf24.exe PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009/08/18 02:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe PRC - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe PRC - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe PRC - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2009/05/13 15:48:18 | 
000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2009/03/02 12:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [1999/04/23 22:45:44 | 008,441,907 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office\WINWORD.EXE PRC - [1998/10/13 20:08:18 | 000,274,497 | ---- | M] (Microsoft Corporation) -- C:\Windows\Msagent\AGENTSVR.EXE ========== Modules (SafeList) ========== MOD - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - [2010/03/10 17:29:28 
Hehe, I've left you a nice novel here once again. Thanks, Daniel, for making the effort and helping me, I really appreciate it!!! So far my laptop hasn't acted up any more since I did the first few steps this morning. I'm totally happy and relieved. Best, Anna |
27.03.2010, 19:00 | #15 |
/// Selecta Jahrusso | tr/ dropper.gen
Looks good.

Uninstall Combofix
Before the following action, temporarily disable your antivirus program, any script blocking that may be present, and your anti-malware programs again.
Start => Run (on Vista: Windows key + R) => type in ComboFix.exe /uninstall => press Enter. This removes Combofix completely and clears the System Restore cache, so that the pests disappear from there as well.
Now re-enable the programs you just disabled.

Step 2
Code:
:OTL
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT2269050&SearchSource=13"
:Commands
[purity]
[emptytemp]
Step 3: Start OTL again --> Quick Scan and post the log file for me.
__________________ Regards, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Learn to fight back and support us! TB Akademie |
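As an added example (not code from the thread or from its helper), a small Python triage script for the two OTL line types this thread's log and fix script rely on: it parses "FF - prefs.js.." entries and flags search/home page prefs that point outside an allowlist of expected hosts (the conduit.com rewrite the fix script removes), and parses "SRV -" entries to list services whose binary carries no company name. The allowlist is an assumption; the sample lines are excerpted from the OTL log posted in this thread.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of hosts an analyst accepts for search and start page (not from the thread).
EXPECTED_HOSTS = {"www.google.com", "www.msn.com", "de.search.yahoo.com"}

# OTL service line: SRV - [date time | size | attrs | M] (Company) [Start | State] -- path -- (name)
SRV_RE = re.compile(
    r"^SRV - \[(?P<ts>[^|]+) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\) \[(?P<start>[^|]+) \| (?P<state>[^\]]+)\] "
    r"-- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)
# OTL Firefox pref line: FF - prefs.js..<pref name>: "<value>"
FF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<key>[\w.]+): "(?P<value>[^"]*)"$')
# Prefs that decide where searches and the start page go; a search hijack rewrites these.
URL_KEYS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}


def parse_line(line):
    """Return a dict for a recognised OTL line, or None for anything else."""
    m = SRV_RE.match(line)
    if m:
        return {"type": "service", **m.groupdict()}
    m = FF_RE.match(line)
    if m:
        return {"type": "ffpref", **m.groupdict()}
    return None


def url_host(value):
    """OTL defangs URLs as hxxp://; restore the scheme so urlsplit can read the host."""
    return urlsplit(re.sub(r"^hxxp", "http", value)).hostname or ""


def find_search_hijack(lines, expected=EXPECTED_HOSTS):
    """List (pref, host) pairs whose URL points somewhere outside the allowlist."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and rec["type"] == "ffpref" and rec["key"] in URL_KEYS:
            host = url_host(rec["value"])
            if host and host not in expected:
                hits.append((rec["key"], host))
    return hits


def find_unattributed_services(lines):
    """List service names whose binary carries no company name; worth a closer look."""
    return [rec["name"] for rec in map(parse_line, lines)
            if rec and rec["type"] == "service" and not rec["company"].strip()]


# Sample input: lines excerpted from the OTL log posted in this thread.
SAMPLE_LOG = [
    r"SRV - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () [Auto | Running] -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)",
    r"SRV - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)",
    r'FF - prefs.js..browser.search.defaultenginename: "ICQ Search"',
    r'FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"',
    r'FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13"',
    r'FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q="',
]
```

Running `find_search_hijack(SAMPLE_LOG)` flags the three conduit.com prefs, which are exactly the entries an OTL fix script like the one above resets; `find_unattributed_services(SAMPLE_LOG)` returns the ICQ service entry, since it is the only one with an empty company field.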