
Pests of all kinds and how to fight them: tr/ dropper.gen

Windows 7

21.03.2010, 15:55   #1
annaswelten
 
tr/ dropper.gen - Standard




Hello everyone,

I hope you can help me, because unfortunately I have no idea how to remove the trojan from my PC.

In der Datei 'C:\Windows\Temp\ooek.tmp\svchost.exe'
wurde ein Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan] gefunden.

This message pops up in AntiVir roughly every 10-20 minutes and is not only getting on my nerves but also worrying me... here is the data from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:14, on 21.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\pdf24\pdf24.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2269050
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4955 bytes

Can you help me? If so, please explain as simply as possible what I should and shouldn't do, because I'm not very knowledgeable.
Many thanks in advance!

anna

21.03.2010, 16:16   #2
StLB
/// Helper Team
 

Hello and

For a better look into your system, please carry out the following steps:

1.) Malwarebytes Anti-Malware
  • Please follow the guide above and post the logfile here (you will find it on the "Scan-Berichte" tab).
2.) System scan with RSIT
  • Please follow the guide above and post the logfiles here (log.txt and info.txt).

22.03.2010, 14:50   #3
annaswelten
 

Thanks for the first steps... so this is what I got from the malware scan:

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|)
Durchsuchte Objekte: 471495
Laufzeit: 3 hour(s), 27 minute(s), 12 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
D:\C alt\Users\Anna\Downloads\ALLES ALTE\CryptLoad_1.1.5\ocr\netload.in\asmCaptcha\test.exe (Malware.Packer) -> Quarantined and deleted successfully.

With the second step I don't get to the end; the following message keeps popping up in between:

AutoIt Error

Line -1
Error : Variable used without being declared

So unfortunately I have no idea there. I had turned the firewall off.

The AntiVir message (see 1st post) still appears after the malware deletion, though.
I have noticed that whenever the AntiVir message appears, new folders are created in C:/Windows/temp that are completely empty, and I can't see the file that AntiVir flags as infected anywhere.

Best regards

anna
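Added example, not from this thread or from any of the tools named in it: a small Python triage script for the kind of evidence posted above, written from the defender's side. It walks HijackThis-style log lines and flags what a helper looks at first: an svchost.exe running from anywhere other than System32 (the path in the AntiVir alert, C:\Windows\Temp\ooek.tmp\svchost.exe, is exactly that), an IE start page pointing at a non-Microsoft host, BHOs whose DLL is gone, and services whose binary is missing. The sample log is constructed from a few lines of the posted log plus the alert path; the trusted-host and system-directory lists are assumptions.

```python
"""Triage of HijackThis-style log lines, written from the defender's side.

Added example, not from the thread or from any tool named in it. The sample
below is constructed from a few lines of the posted log plus the path from
the AntiVir alert; the trusted hosts and directories are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows launches its own svchost.exe only from these directories (assumed
# list); a copy under %TEMP% or a *.tmp folder is a classic masquerade.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Hosts that a stock Windows 7 / IE8 install uses for start and search pages
# (assumed list; extend it for a corporate default page).
TRUSTED_PAGE_HOSTS = ("go.microsoft.com",)

# Constructed sample: entries from the posted HijackThis log, plus the
# svchost.exe path from the AntiVir alert as if it had been caught running.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Temp\ooek.tmp\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2269050
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why a helper would look at it


def is_masquerading_svchost(path: str) -> bool:
    """True if ``path`` is an svchost.exe outside the directories Windows uses."""
    p = path.strip().lower().replace("/", "\\")
    if not p.endswith("\\svchost.exe"):
        return False
    return not any(p.startswith(d + "\\") for d in LEGIT_SVCHOST_DIRS)


def _host_of(url: str) -> str | None:
    """Host part of an http(s) URL, lower-cased; None if it is not one."""
    m = re.match(r"https?://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage_hjt(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if is_masquerading_svchost(line):
                findings.append(Finding(line, "svchost.exe running outside System32"))
            continue
        m = re.match(r"(R0|R1|O2|O23) - (.*)", line)
        if not m:
            continue                      # other HJT sections are not checked here
        kind, body = m.groups()
        if kind in ("R0", "R1"):
            # Start/search page entries look like "<key>,<value> = <url>";
            # an empty value (no URL) is normal and is skipped.
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            host = _host_of(url)
            if host and host not in TRUSTED_PAGE_HOSTS:
                findings.append(Finding(line, f"IE start/search page points at {host}"))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding(line, "BHO registered but its DLL is gone"))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(line, "service registered but its binary is missing"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The orphaned BHO and missing-service entries are leftovers rather than active malware; the svchost.exe under a *.tmp folder and the redirected start page are the two lines that matter for the problem described in this thread.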

22.03.2010, 15:09   #4
StLB
/// Helper Team
 

The top part of the Malwarebytes log is missing - please post it as well.

Try running RSIT as administrator (right-click -> Run as administrator). Then it should work.
Regards, Julian

No support via PM!


22.03.2010, 16:39   #5
Moritz009
 


*hops in briefly*

RSIT doesn't run on Windows 7.
You have to right-click rsit.exe, then "Properties", and under Compatibility set it to "XP". It should work roughly like that; I don't have Windows 7.

*hops out*

Regards,
Moritz


22.03.2010, 19:22   #6
annaswelten
 

OK, so now it worked... :

Logfile of random's system information tool 1.06 (written by random/random)
Run by Anna at 2010-03-22 19:17:15
Microsoft Windows 7 Ultimate Service Pack 3
System drive C: has 31 GB (27%) free of 114 GB
Total RAM: 3070 MB (79% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:25, on 22.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\pdf24\pdf24.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Anna\Downloads\RSIT(2).exe
C:\Program Files\Trend Micro\HijackThis\Anna.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5016 bytes

P.S. I think it's really sweet that you take the time to help me! Thanks again!

22.03.2010, 19:59   #7
StLB
/// Helper Team
 

Sorry, I overlooked earlier that you are using Windows 7.

So please do a run with OTL:

System scan with OTL by OldTimer
  • Download OTL.exe and save it to the desktop.
  • Run OTL.exe (if necessary, again in compatibility mode)
  • In the "Extra Registry" block, set the button to "UseSafeList"
  • Also tick "LOP Check" and "Purity Check".
  • Then scan with "Run Scan" at the top left.
  • The logfiles OTL.txt and Extras.txt that are created will be either on the desktop or under c:\_OTL\
  • Then post both logfiles here for analysis.
Regards, Julian

No support via PM!


22.03.2010, 20:55   #8
annaswelten
 

Here you go:

OTL logfile created on: 3/22/2010 8:49:39 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 30.03 Gb Free Space | 26.95% Space Free | Partition Type: NTFS
Drive D: | 104.90 Gb Total Space | 22.82 Gb Free Space | 21.76% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANNA-PC
Current User Name: Anna
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
PRC - [2010/03/17 12:56:54 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/15 10:40:54 | 000,207,504 | ---- | M] (Geek Software GmbH) -- C:\Program Files\pdf24\pdf24.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/18 02:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe
PRC - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe


========== Modules (SafeList) ==========

MOD - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/10 17:29:28 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/01/04 20:55:00 | 003,404,560 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () [Auto | Running] -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)


========== Driver Services (SafeList) ==========

DRV - [2010/03/19 19:05:05 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/12/07 19:03:21 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/08/18 03:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/14 02:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 02:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 02:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 02:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 02:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 02:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 02:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 02:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 02:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 02:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 02:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 02:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 02:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 02:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/14 02:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 02:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 02:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 02:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 02:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 02:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 02:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 02:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 02:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 02:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 02:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 02:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 02:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 02:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 02:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 02:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 02:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 02:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 02:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 02:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 02:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 02:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 02:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 02:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 02:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 01:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 01:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 01:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 00:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 00:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 00:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 00:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 00:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 00:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 00:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 00:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 00:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 00:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 00:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 00:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 00:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 00:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 00:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 00:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/14 00:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 00:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 23:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 23:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 23:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 23:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 23:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 23:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 23:13:48 | 001,035,776 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/07/13 23:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel(R)
DRV - [2009/07/13 23:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 23:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 23:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/07/13 23:02:47 | 000,047,104 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1E62x86.sys -- (L1E) NDIS Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller(NDIS6.20)
DRV - [2009/05/11 09:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "ICQ Search"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13"
FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:1.1.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/17 12:57:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/17 12:57:06 | 000,000,000 | ---D | M]

[2009/12/03 18:22:00 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Extensions
[2010/03/22 19:29:03 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions
[2009/12/08 13:30:11 | 000,000,000 | ---D | M] (DVDVideoSoft Toolbar) -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}
[2009/12/08 18:38:56 | 000,000,881 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\conduit.xml
[2010/03/21 10:33:54 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-1.xml
[2010/02/20 12:54:17 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-2.xml
[2010/03/18 21:32:48 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-3.xml
[2008/03/31 09:52:00 | 000,000,168 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.gif
[2008/03/31 09:52:00 | 000,000,618 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.src
[2009/12/31 17:13:23 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.xml
[2010/02/13 15:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/05 21:12:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2010/02/13 15:54:35 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/03/17 12:56:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010/03/17 12:56:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml
[2010/03/17 12:56:57 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010/03/17 12:56:57 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010/03/17 12:56:57 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKLM\..\Toolbar: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoft Toolbar) - {E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe (Geek Software GmbH)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/22 14:53:10 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/03/22 14:11:25 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/03/22 03:59:43 | 000,000,000 | ---D | C] -- C:\rsit
[2010/03/21 20:07:01 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Roaming\Malwarebytes
[2010/03/21 20:06:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/21 20:06:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/21 20:06:54 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/21 20:06:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/21 12:55:00 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Local\Diagnostics
[2010/03/21 12:32:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/21 11:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/03/20 04:30:08 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll
[2010/03/20 04:30:08 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_5.dll
[2010/03/20 04:30:08 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_5.dll
[2010/03/20 04:30:07 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dcsx_42.dll
[2010/03/20 04:30:07 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_41.dll
[2010/03/20 04:30:07 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll
[2010/03/20 04:30:07 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_41.dll
[2010/03/20 04:30:07 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll
[2010/03/20 04:30:07 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_41.dll
[2010/03/20 04:30:07 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_42.dll
[2010/03/20 04:30:06 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_4.dll
[2010/03/20 04:30:06 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_4.dll
[2010/03/20 04:30:06 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_3.dll
[2010/03/20 04:30:06 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_6.dll
[2010/03/20 04:30:05 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_40.dll
[2010/03/20 04:30:05 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_40.dll
[2010/03/20 04:30:05 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_3.dll
[2010/03/20 04:30:05 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_2.dll
[2010/03/20 04:30:05 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_40.dll
[2010/03/20 04:30:05 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_3.dll
[2010/03/20 04:30:05 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_2.dll
[2010/03/20 04:30:05 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_1.dll
[2010/03/20 04:30:05 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_5.dll
[2010/03/20 04:30:04 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_39.dll
[2010/03/20 04:30:04 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_39.dll
[2010/03/20 04:30:04 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_1.dll
[2010/03/20 04:30:04 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_39.dll
[2010/03/20 04:30:04 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_2.dll
[2010/03/20 04:30:04 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_1.dll
[2010/03/20 04:30:04 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_0.dll
[2010/03/20 04:30:04 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_4.dll
[2010/03/20 04:30:03 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_38.dll
[2010/03/20 04:30:03 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_38.dll
[2010/03/20 04:30:03 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_37.dll
[2010/03/20 04:30:03 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_0.dll
[2010/03/20 04:30:03 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_38.dll
[2010/03/20 04:30:03 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_37.dll
[2010/03/20 04:30:03 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_0.dll
[2010/03/20 04:30:03 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_3.dll
[2010/03/20 04:30:02 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_37.dll
[2010/03/20 04:30:02 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_36.dll
[2010/03/20 04:30:02 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_36.dll
[2010/03/20 04:30:02 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_10.dll
[2010/03/20 04:30:01 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_36.dll
[2010/03/20 04:30:01 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_35.dll
[2010/03/20 04:30:01 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_35.dll
[2010/03/20 04:30:01 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_35.dll
[2010/03/20 04:30:01 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_9.dll
[2010/03/20 04:30:01 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_8.dll
[2010/03/20 04:30:01 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_2.dll
[2010/03/19 21:57:19 | 000,000,000 | ---D | C] -- C:\Program Files\THQ
[2010/03/19 21:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra
[2010/03/19 19:28:57 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_34.dll
[2010/03/19 19:28:57 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_34.dll
[2010/03/19 19:28:56 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_34.dll
[2010/03/19 19:28:56 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_33.dll
[2010/03/19 19:28:56 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_33.dll
[2010/03/19 19:28:56 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_7.dll
[2010/03/19 19:28:56 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll
[2010/03/19 19:28:55 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_33.dll
[2010/03/19 19:28:55 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_32.dll
[2010/03/19 19:28:55 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_31.dll
[2010/03/19 19:28:55 | 000,440,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10.dll
[2010/03/19 19:28:55 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_6.dll
[2010/03/19 19:28:55 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_5.dll
[2010/03/19 19:28:55 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_4.dll
[2010/03/19 19:28:55 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_1.dll
[2010/03/19 19:28:54 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_3.dll
[2010/03/19 19:28:54 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_2.dll
[2010/03/19 19:28:54 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_1.dll
[2010/03/19 19:28:54 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_2.dll
[2010/03/19 19:28:54 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_1.dll
[2010/03/19 19:28:50 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll
[2010/03/19 19:28:50 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_29.dll
[2010/03/19 19:28:50 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_0.dll
[2010/03/19 19:28:50 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_0.dll
[2010/03/19 19:28:49 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_25.dll
[2010/03/19 19:28:49 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_28.dll
[2010/03/19 19:28:49 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_27.dll
[2010/03/19 19:28:49 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_26.dll
[2010/03/19 19:28:49 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_24.dll
[2010/03/19 19:22:00 | 000,000,000 | ---D | C] -- C:\Program Files\Activision
[2010/03/19 19:10:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam
[2010/03/19 19:04:38 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite
[2010/03/19 19:04:03 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2010/03/19 18:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2010/03/14 20:17:52 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe
[2010/03/14 17:30:48 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\SPIELE + CHAT MATTHIAS
[2010/03/14 17:22:23 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\Bewerbung etc
[2010/02/28 16:56:49 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Roaming\Advanced Chemistry Development
[2010/02/28 14:02:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Advanced Chemistry Development
[2010/02/28 14:01:07 | 000,000,000 | ---D | C] -- C:\Program Files\ACDFREE12
[2010/02/25 09:56:27 | 003,955,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/02/25 09:56:27 | 003,899,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/02/24 17:24:14 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/02/24 17:24:12 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/02/23 11:22:41 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2010/02/22 16:04:43 | 000,000,000 | ---D | C] -- C:\ProgramData\CambridgeSoft
[2010/02/22 15:47:31 | 000,000,000 | ---D | C] -- C:\Program Files\CambridgeSoft
[2010/02/22 15:47:08 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2010/02/22 15:47:01 | 000,000,000 | ---D | C] -- C:\CSTEMP

========== Files - Modified Within 30 Days ==========

[2010/03/22 20:51:28 | 001,572,864 | -HS- | M] () -- C:\Users\Anna\NTUSER.DAT
[2010/03/22 19:23:19 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/22 19:23:19 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/22 19:16:08 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/22 19:16:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/22 19:15:56 | 2414,682,112 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/22 19:14:01 | 002,592,635 | -H-- | M] () -- C:\Users\Anna\AppData\Local\IconCache.db
[2010/03/22 03:55:30 | 000,020,992 | ---- | M] () -- C:\Users\Anna\Desktop\Scan.doc
[2010/03/21 20:06:59 | 000,000,987 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 13:30:29 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/21 13:30:29 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/21 13:30:29 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/21 12:35:51 | 000,002,047 | ---- | M] () -- C:\Users\Anna\Desktop\HijackThis.lnk
[2010/03/21 11:52:53 | 000,001,839 | ---- | M] () -- C:\Users\Anna\Desktop\CCleaner.lnk
[2010/03/20 03:03:14 | 000,022,328 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/19 19:27:11 | 000,000,319 | ---- | M] () -- C:\Windows\game.ini
[2010/03/19 19:05:05 | 000,691,696 | ---- | M] () -- C:\Windows\System32\drivers\sptd.sys
[2010/03/07 12:35:29 | 000,000,584 | ---- | M] () -- C:\Users\Anna\Documents\grstyles.stl
[2010/02/24 10:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe

========== Files Created - No Company Name ==========

[2010/03/22 03:55:28 | 000,020,992 | ---- | C] () -- C:\Users\Anna\Desktop\Scan.doc
[2010/03/21 20:06:59 | 000,000,987 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 12:32:19 | 000,002,047 | ---- | C] () -- C:\Users\Anna\Desktop\HijackThis.lnk
[2010/03/21 11:52:53 | 000,001,839 | ---- | C] () -- C:\Users\Anna\Desktop\CCleaner.lnk
[2010/03/19 19:27:52 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/19 19:27:17 | 000,103,736 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2010/03/19 19:27:14 | 000,066,872 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2010/03/19 19:27:11 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini
[2010/03/19 19:05:05 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2010/02/28 19:34:01 | 000,000,584 | ---- | C] () -- C:\Users\Anna\Documents\grstyles.stl
[2010/02/13 16:05:41 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/12/04 19:19:37 | 000,000,403 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[1999/01/22 20:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL
< End of report >


OTL Extras logfile created on: 3/22/2010 8:49:39 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 30.03 Gb Free Space | 26.95% Space Free | Partition Type: NTFS
Drive D: | 104.90 Gb Total Space | 22.82 Gb Free Space | 21.76% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANNA-PC
Current User Name: Anna
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{00040407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{20533183-D42D-4261-A125-956736FBEA8C}" = Dawn of War - Soulstorm
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{45B78E92-FFB3-4A78-B0B5-2EA6B6E9B915}" = CambridgeSoft ChemDraw Pro 11.0
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1" = PDF24 Creator
"{863F58EF-467F-4BCC-A40B-D2304630DEA1}" = CambridgeSoft Activation Client
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}" = SWAT 4
"{90120000-00B2-0407-0000-0000000FF1CE}" = Microsoft – Speichern als PDF oder XPS – Add-In für 2007 Microsoft Office-Programme
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{99A37AC7-E724-4621-B167-500B5A52B69C}" = LastChaosGER
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2B3C27C-1F09-47C6-9A90-9683BEFD7963}" = Dawn of War - Soulstorm
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3 - Deutsch
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}" = Warhammer 40,000: Dawn Of War - Gold Edition
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"{FF39FC01-819B-42E4-AE49-1968AF12DDD4}" = Dawn of War - Dark Crusade
"ACDLabs in C__Program_Files_ACDFREE12_" = ACD/Labs Software in C:\Program Files\ACDFREE12\
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVDVideoSoft Toolbar" = DVDVideoSoft Toolbar
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.2
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"HijackThis" = HijackThis 2.0.2
"ICQToolbar" = ICQ Toolbar
"InstallShield_{45B78E92-FFB3-4A78-B0B5-2EA6B6E9B915}" = CambridgeSoft ChemDraw Pro 11.0
"InstallShield_{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}" = SWAT 4
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"SopCast" = SopCast 3.2.4
"Steam App 3730" = Aliens versus Predator Classic 2000
"Uninstall_is1" = Uninstall 1.0.0.1
"Warcraft III" = Warcraft III
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/19/2010 7:08:02 PM | Computer Name = Anna-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Steam.exe, version: 0.0.0.0, time stamp:
0x4b22b67a Faulting module name: SteamUI.dll, version: 0.0.0.0, time stamp: 0x4b7d926f
Exception
code: 0xc0000006 Fault offset: 0x001f1233 Faulting process id: 0x8a8 Faulting application
start time: 0x01cac7a5461f5b80 Faulting application path: G:\Steam\Steam.exe Faulting
module path: G:\Steam\SteamUI.dll Report Id: 43f5960a-33ac-11df-957f-00a0d1a91b4c

Error - 3/19/2010 7:08:02 PM | Computer Name = Anna-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on,
or the storage drivers installed on this computer; or the disk is missing. Windows
closed the program Steam.exe because of this error. Program: Steam.exe File: The
error value is listed in the Additional Data section. User Action 1. Open the file
again. This situation might be a temporary problem that corrects itself when the
program runs again. 2. If the file still cannot be accessed and - It is on the network,
your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: C0000098 Disk
type: 0

Error - 3/19/2010 7:08:05 PM | Computer Name = Anna-PC | Source = Application Error | ID = 1000
Description = Faulting application name: SteamService.exe, version: 8.0.76.84, time
stamp: 0x4b74a82a Faulting module name: SteamService.dll, version: 0.0.0.0, time
stamp: 0x4b74a81e Exception code: 0xc0000006 Fault offset: 0x00011980 Faulting process
id: 0x7f4 Faulting application start time: 0x01cac7a54a4e86bc Faulting application
path: C:\Program Files\Common Files\Steam\SteamService.exe Faulting module path:
G:\Steam\bin\SteamService.dll Report Id: 45b7fef2-33ac-11df-957f-00a0d1a91b4c

Error - 3/19/2010 7:08:05 PM | Computer Name = Anna-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on,
or the storage drivers installed on this computer; or the disk is missing. Windows
closed the program Steam Client Service because of this error. Program: Steam Client
Service File: The error value is listed in the Additional Data section. User Action
1.
Open the file again. This situation might be a temporary problem that corrects itself
when the program runs again. 2. If the file still cannot be accessed and - It is on
the network, your network administrator should verify that there is not a problem
with the network and that the server can be contacted. - It is on a removable disk,
for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into
the computer. 3. Check and repair the file system by running CHKDSK. To run CHKDSK,
click Start, click Run, type CMD, and then click OK. At the command prompt, type
CHKDSK /F, and then press ENTER. 4. If the problem persists, restore the file from
a backup copy. 5. Determine whether other files on the same disk can be opened.
If not, the disk might be damaged. If it is a hard disk, contact your administrator
or computer hardware vendor for further assistance. Additional Data Error value: C0000098
Disk
type: 0

Error - 3/20/2010 8:17:45 AM | Computer Name = Anna-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Steam.exe, version: 0.0.0.0, time stamp:
0x4b22b67a Faulting module name: Steam.dll, version: 2.0.816.923, time stamp: 0x4b8d7a09
Exception
code: 0xc0000006 Fault offset: 0x001b5c78 Faulting process id: 0x83c Faulting application
start time: 0x01cac7c72cde319d Faulting application path: G:\Steam\Steam.exe Faulting
module path: G:\Steam\Steam.dll Report Id: 967d24ec-341a-11df-957f-00a0d1a91b4c

Error - 3/20/2010 8:17:45 AM | Computer Name = Anna-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on,
or the storage drivers installed on this computer; or the disk is missing. Windows
closed the program Steam.exe because of this error. Program: Steam.exe File: The
error value is listed in the Additional Data section. User Action 1. Open the file
again. This situation might be a temporary problem that corrects itself when the
program runs again. 2. If the file still cannot be accessed and - It is on the network,
your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: C000000E Disk
type: 0

Error - 3/20/2010 8:17:46 AM | Computer Name = Anna-PC | Source = Application Error | ID = 1000
Description = Faulting application name: SteamService.exe, version: 8.0.76.84, time
stamp: 0x4b74a82a Faulting module name: SteamService.dll, version: 0.0.0.0, time
stamp: 0x4b74a81e Exception code: 0xc0000006 Fault offset: 0x00011980 Faulting process
id: 0xd64 Faulting application start time: 0x01cac7c72e1ac8a1 Faulting application
path: C:\Program Files\Common Files\Steam\SteamService.exe Faulting module path:
G:\Steam\bin\SteamService.dll Report Id: 97119ee9-341a-11df-957f-00a0d1a91b4c

Error - 3/20/2010 8:17:46 AM | Computer Name = Anna-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on,
or the storage drivers installed on this computer; or the disk is missing. Windows
closed the program Steam Client Service because of this error. Program: Steam Client
Service File: The error value is listed in the Additional Data section. User Action
1.
Open the file again. This situation might be a temporary problem that corrects itself
when the program runs again. 2. If the file still cannot be accessed and - It is on
the network, your network administrator should verify that there is not a problem
with the network and that the server can be contacted. - It is on a removable disk,
for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into
the computer. 3. Check and repair the file system by running CHKDSK. To run CHKDSK,
click Start, click Run, type CMD, and then click OK. At the command prompt, type
CHKDSK /F, and then press ENTER. 4. If the problem persists, restore the file from
a backup copy. 5. Determine whether other files on the same disk can be opened.
If not, the disk might be damaged. If it is a hard disk, contact your administrator
or computer hardware vendor for further assistance. Additional Data Error value: C000000E
Disk
type: 0

Error - 3/22/2010 1:40:13 PM | Computer Name = Anna-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.7600.16385 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: c5c Start
Time: 01cac9e6872fa342 Termination Time: 16 Application Path: C:\Program Files\Internet
Explorer\iexplore.exe Report Id:

Error - 3/22/2010 2:12:34 PM | Computer Name = Anna-PC | Source = EventSystem | ID = 4621
Description =

[ Media Center Events ]
Error - 1/27/2010 2:59:13 AM | Computer Name = Anna-PC | Source = MCUpdate | ID = 0
Description = 07:59:05 - Error connecting to the internet. 07:59:06 - Unable
to contact server..

Error - 3/14/2010 12:23:39 PM | Computer Name = Anna-PC | Source = MCUpdate | ID = 0
Description = 17:23:39 - Error connecting to the internet. 17:23:39 - Unable
to contact server..

Error - 3/14/2010 12:23:48 PM | Computer Name = Anna-PC | Source = MCUpdate | ID = 0
Description = 17:23:44 - Error connecting to the internet. 17:23:44 - Unable
to contact server..

[ System Events ]
Error - 3/22/2010 3:14:12 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:14:18 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:24:49 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:24:53 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:30:13 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:30:16 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:40:52 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:40:55 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:45:25 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:46:46 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active


< End of report >

Alt 23.03.2010, 18:23   #9
StLB
/// Helper Team
 

Please run a rootkit scan with GMER.
__________________
Regards, Julian

No support via PM!

Donation option: Make a Donation

Alt 23.03.2010, 19:02   #10
annaswelten
 

So, here is what I have now:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-03-23 19:00:46
Windows 6.1.7600
Running: cgcd6oer.exe; Driver: C:\Users\Anna\AppData\Local\Temp\kgtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT 8ED40964 ZwCreateThread
SSDT 8ED40950 ZwOpenProcess
SSDT 8ED40955 ZwOpenThread
SSDT 8ED4095F ZwTerminateProcess

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E333F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E331DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E336F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E341A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82A4C5C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A71052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 37C 82A7897C 4 Bytes [64, 09, D4, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 518 82A78B18 4 Bytes [50, 09, D4, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 538 82A78B38 4 Bytes [55, 09, D4, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 7E8 82A78DE8 4 Bytes [5F, 09, D4, 8E]
? System32\Drivers\spfb.sys The system cannot find the path specified. !
PAGE ataport.SYS!DllUnload + 1 8B38AAD7 2 Bytes JMP 853781D9
PAGE ataport.SYS!DllUnload + 4 8B38AADA 1 Byte [F9]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90E27000, 0x2D5378, 0xE8000020]
.text USBPORT.SYS!DllUnload 91A50CA0 5 Bytes JMP 8661D4E0
.text am1q0gcd.SYS 93C4D00D 9 Bytes [C7, E1, 82, 48, EB, E1, 82, ...]
.text am1q0gcd.SYS 93C4D017 20 Bytes [00, DE, A7, 1A, 8B, E6, A5, ...]
.text am1q0gcd.SYS 93C4D02C 77 Bytes [00, 00, 00, 00, 00, 72, A4, ...]
.text am1q0gcd.SYS 93C4D07A 19 Bytes [B2, 82, FB, 54, A2, 82, 23, ...]
.text am1q0gcd.SYS 93C4D08E 51 Bytes [A7, 82, CC, 00, A5, 82, 78, ...]
.text ...
.text peauth.sys 9929BC9D 28 Bytes [5E, 06, 66, D2, E4, DD, 1F, ...]
.text peauth.sys 9929BCC1 28 Bytes [5E, 06, 66, D2, E4, DD, 1F, ...]
PAGE peauth.sys 992A1B9B 72 Bytes [27, EF, 65, 90, D5, 69, 8A, ...]
PAGE peauth.sys 992A1BEC 111 Bytes [10, DC, E7, 3E, 7D, 74, ED, ...]
PAGE peauth.sys 992A1E20 101 Bytes [66, AF, C1, 74, 48, 77, 6A, ...]
PAGE ...
.text iertutil.dll!ResetIEExtensibility + FFF4F9A7 76A8FA00 493 Bytes [00, 00, 00, 00, FF, FF, FF, ...]
.text iertutil.dll!ResetIEExtensibility + FFF4FB95 76A8FBEE 759 Bytes [00, 00, 01, 00, 00, 00, 01, ...]
.text iertutil.dll!ResetIEExtensibility + FFF4FE8D 76A8FEE6 333 Bytes [FF, FF, FF, 00, 00, 00, 00, ...]
.text iertutil.dll!ResetIEExtensibility + FFF4FFDB 76A90034 872 Bytes [01, 00, 00, 00, EC, 1E, 97, ...]
.text iertutil.dll!ResetIEExtensibility + FFF50344 76A9039D 42 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 76F25360 5 Bytes JMP 002D000A
.text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtWriteVirtualMemory 76F25EE0 5 Bytes JMP 002E000A
.text C:\Windows\system32\svchost.exe[996] ntdll.dll!KiUserExceptionDispatcher 76F26448 5 Bytes JMP 0020000A
.text C:\Windows\system32\svchost.exe[996] ole32.dll!CoCreateInstance 762957FC 5 Bytes JMP 0035000A
.text C:\Windows\system32\svchost.exe[996] USER32.dll!GetCursorPos 76CDC198 5 Bytes JMP 0036000A
? C:\Windows\TEMP\riog.tmp\svchost.exe[2628] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
.text C:\Windows\Explorer.EXE[5456] ntdll.dll!NtProtectVirtualMemory 76F25360 5 Bytes JMP 0079000A
.text C:\Windows\Explorer.EXE[5456] ntdll.dll!NtWriteVirtualMemory 76F25EE0 5 Bytes JMP 007A000A
.text C:\Windows\Explorer.EXE[5456] ntdll.dll!KiUserExceptionDispatcher 76F26448 5 Bytes JMP 0025000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B0AE042] \SystemRoot\System32\Drivers\spfb.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B0AE6D6] \SystemRoot\System32\Drivers\spfb.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8B0AE800] \SystemRoot\System32\Drivers\spfb.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8B0AE13E] \SystemRoot\System32\Drivers\spfb.sys
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetTextColor] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!BitBlt] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteObject] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetTextMetricsW] 00010000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!CreateCompatibleDC] 0000000A
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetDeviceCaps] 80000018
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkColor] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetObjectW] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkMode] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetTextColor] 00010000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetStockObject] 0000223A
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetStockObject] 80000030
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SelectObject] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SelectObject] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkMode] 00010000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteObject] 00000409
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetObjectW] 00000048
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!MoveToEx] 00006060
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteDC] 00001C00
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!CreateCompatibleDC] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!PatBlt] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkMode] 00905A4D
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!MoveToEx] 00000003
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetTextColor] 00000004
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!PatBlt] 0000FFFF
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!PatBlt] 000000B8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetObjectW] 00000040
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteDC] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleHandleW] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentThreadId] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!SetEvent] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!VirtualAlloc] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentProcessId] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleFileNameA] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!SetUnhandledExceptionFilter] 000000C8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCommandLineA] 0EBA1F0E
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleHandleA] CD09B400
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!FormatMessageW] 4C01B821
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!MultiByteToWideChar] 685421CD
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!WaitForSingleObject] 70207369
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleFileNameA] 72676F72
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentThreadId] 63206D61
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!SetUnhandledExceptionFilter] 6F6E6E61
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!VirtualAlloc] 65622074
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCommandLineA] 6E757220
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!QueryPerformanceCounter] 206E6920
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!FormatMessageW] 20534F44
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentProcessId] 65646F6D
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetTickCount] 0A0D0D2E
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetProcessHeap] 00000024
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentProcessId] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!LoadIconW] 2C56ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 2C56ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!LoadIconW] 2C56ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ReleaseDC] 2C0BA30B
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetSystemMetrics] 2C56ACC5
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SetTimer] 2C57ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetMessageW] 2C56ACEE
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 2C386AEF
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 2C56ACC9
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SendMessageW] 2C2E6AEF
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SetTimer] 2C56ACC9
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!PostMessageW] 68636952
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDC] 2C56ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ShowWindow] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SendMessageW] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SetSystemMenu] 00004550
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetMessageW] 0003014C
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 4BA36135
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDlgItem] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ReleaseDC] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ShowWindow] 210200E0
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 0008010B
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!PostMessageW] 00001600
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDC] 00000400
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetSystemMetrics] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetWindowRect] 00002323
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDlgItem] 00001000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetMessageW] 00003000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 10000000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8537F1F8
Device \Driver\volmgr \Device\VolMgrControl 8537A1F8
Device \Driver\usbuhci \Device\USBPDO-0 8661F4D8
Device \Driver\usbuhci \Device\USBPDO-1 8661F4D8
Device \Driver\usbehci \Device\USBPDO-2 86134500
Device \Driver\usbuhci \Device\USBPDO-3 8661F4D8
Device \Driver\usbuhci \Device\USBPDO-4 8661F4D8
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-5 8661F4D8
Device \Driver\usbehci \Device\USBPDO-6 86134500
Device \Driver\volmgr \Device\HarddiskVolume1 8537A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 8537A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 864751F8
Device \Driver\PCI_PNP4954 \Device\00000059 spfb.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{24324C87-9CDC-4711-B98D-0BF68DC6F68C} 8658F1F8
Device \Driver\volmgr \Device\HarddiskVolume3 8537A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 864751F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort0 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort1 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort2 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort3 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort4 8537C1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 8537D1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel1 8537D1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel2 8537D1F8
Device \Driver\volmgr \Device\HarddiskVolume4 8537A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBt_Wins_Export 8658F1F8
Device \Driver\usbuhci \Device\USBFDO-0 8661F4D8
Device \Driver\usbuhci \Device\USBFDO-1 8661F4D8
Device \Driver\usbehci \Device\USBFDO-2 86134500
Device \Driver\usbuhci \Device\USBFDO-3 8661F4D8
Device \Driver\sptd \Device\592010956 spfb.sys
Device \Driver\usbuhci \Device\USBFDO-4 8661F4D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{15E17943-BAB4-4B09-AAFF-DF2D183D862B} 8658F1F8
Device \Driver\usbuhci \Device\USBFDO-5 8661F4D8
Device \Driver\usbehci \Device\USBFDO-6 86134500
Device \Driver\am1q0gcd \Device\Scsi\am1q0gcd1Port5Path0Target0Lun0 866691F8
Device \Driver\am1q0gcd \Device\Scsi\am1q0gcd1 866691F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 86151CA1

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f1c50b
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0x87 0xE4 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x29 0x60 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7A 0x40 0xF0 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f1c50b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD2 0x33 0xE1 0xB1 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x29 0x60 0x18 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7A 0x40 0xF0 0xD8 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Alt 26.03.2010, 14:57   #11
Larusso
/// Selecta Jahrusso
 
tr/ dropper.gen



STLb???
Leaving a user hanging is not good form.


Anna, please do the following

A clean-up can sometimes mean a lot of work for you.
  • Please work through all the steps in order.
  • If there are problems, please stop and describe them here as best you can.
  • Only run scans that a helper has asked you to run.
  • Please no cross-posting (posting in several forums).

Note: I can never give you a guarantee that I will find everything. A format is usually the faster and always the safest way.
If you decide on a clean-up, please work through the following.


Vista and Win7 users
Start all tools with right-click "Run as administrator".


Step 1

Temp File Cleaner

Please download TFC (by OldTimer) and save the file to your desktop.
Now close all open programs and disconnect from the Internet.
Double-click TFC.exe.
If TFC cannot delete all files, it will ask for a restart. Please allow this.


Step 2

Please download defogger by jpshortstuff to your desktop.
  • Start the tool with a double-click.
    Vista users: please right-click "Run as administrator".
  • Now click the Disable button to disable the drivers of certain emulators.
  • When the scan has finished (Finished), click OK.
  • Defogger will now ask for a restart. Confirm with OK.
  • DeFogger now creates a logfile on the desktop (defogger_disable).
Please post the contents of the logfile in your next reply.


Step 3

If you still connect anything to the computer, such as memory sticks, memory cards, digital cameras, mobile phones, external drives, ... then plug everything in before the scan.

ComboFix

A guide and tutorial on using ComboFix
  • Download ComboFix here to your desktop. Rename it to cofi.exe while downloading.
  • Close all programs, above all your antivirus program and other background guards, as well as your Internet browser.
  • Start cofi.exe from your desktop, read the warnings, run the updates (if offered), install the Recovery Console (if offered) and let it scan your system.
    Also avoid using the mouse and keyboard while ComboFix is running.
  • Afterwards a combofix.txt opens automatically; please copy its contents ([Ctrl]a, [Ctrl]c) and paste them into your post ([Ctrl]v). You will also find the file at: C:\ComboFix.txt.
Important note: ComboFix may only be run when a qualified helper has expressly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.


Step 4

Custom scan with OTL

If you don't have it yet, please download OTL by OldTimer and save it to your desktop.
  • Please start OTL.exe.
    Vista and Win7 users: right-click "Run as administrator"
  • Now copy the contents into the text box.
Code:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
  • Now please close all programs. (Important)
  • Now please click the Quick Scan button.
  • Click on .
  • Now copy the contents of OTL.txt and Extra.txt here into your thread.


Please post in your next reply:
Cofi.txt
OTL.txt
extras.txt
defogger_disable
__________________
Regards, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Learn to fight back and support us!
TB Akademie
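The /md5start ... /md5stop block in the OTL script above asks OTL to hash a set of storage and logon-related system files, because this kind of infection patches one of them in place (GMER flagged atapi.sys as "suspicious modification"). The script below, added here as an example and not OTL's or the board's own code, does the same check in Python: it parses that directive block, hashes the listed drivers and compares them with a known-good baseline. The driver directory, file contents and baseline hashes are constructed for the demo; a real baseline has to come from install media or a clean reference machine.

```python
"""Driver-integrity check modelled on OTL's /md5start ... /md5stop directives.
Added example (not OTL's code).  Everything below the directive text is
constructed for the demo: a throwaway driver directory, fake file contents,
and a baseline of 'known-good' MD5s computed from the clean fake contents."""
from __future__ import annotations

import hashlib
import os
import tempfile

# The OTL directive block as posted, shortened to the lines the demo needs.
OTL_DIRECTIVES = """netsvcs
%SYSTEMDRIVE%\\*.exe
/md5start
atapi.sys
iaStor.sys
nvstor.sys
/md5stop
CREATERESTOREPOINT
"""


def parse_md5_list(directives: str) -> list[str]:
    """Return the file names listed between /md5start and /md5stop, in order."""
    names, inside = [], False
    for raw in directives.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names


def md5_of(path: str) -> str:
    """MD5 of a file, read in chunks (OTL's directive is MD5-based, hence MD5)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(driver_dir: str, names: list[str], baseline: dict[str, str]) -> dict[str, str]:
    """Classify each listed driver as 'ok', 'MODIFIED', 'absent' or 'unknown'.

    'absent' is normal: OTL's list covers many vendors' storage drivers and a
    given machine only has a few of them.  'unknown' means the file exists but
    there is no baseline hash to compare against, so a human must look at it."""
    report: dict[str, str] = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            report[name] = "absent"
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            report[name] = "unknown"
        elif md5_of(path) == expected:
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"
    return report


def demo() -> dict[str, str]:
    """Build a constructed driver directory that mirrors the thread's finding:
    atapi.sys patched in place, iaStor.sys untouched, nvstor.sys not installed."""
    tmp = tempfile.mkdtemp()
    clean_atapi = b"constructed clean atapi.sys contents"
    clean_iastor = b"constructed clean iastor.sys contents"
    baseline = {
        "atapi.sys": hashlib.md5(clean_atapi).hexdigest(),
        "iastor.sys": hashlib.md5(clean_iastor).hexdigest(),
    }
    with open(os.path.join(tmp, "atapi.sys"), "wb") as fh:
        fh.write(clean_atapi + b"\x90" * 16)   # simulated in-place modification
    with open(os.path.join(tmp, "iaStor.sys"), "wb") as fh:
        fh.write(clean_iastor)
    return check_drivers(tmp, parse_md5_list(OTL_DIRECTIVES), baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```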

Alt 27.03.2010, 10:27   #12
annaswelten
 
tr/ dropper.gen



When I ran the OTL scan, though, I didn't get the second text file, extras.txt.

Here are the remaining logs:

DEFOGGER


defogger_disable by jpshortstuff (23.02.10.1)
Log created at 09:30 on 27/03/2010 (Anna)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-


COFIX


ComboFix 10-03-26.02 - Anna 27.03.2010 9:43.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.49.1033.18.3070.2541 [GMT 1:00]
ausgeführt von:: c:\users\Anna\Desktop\cofi.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

Infizierte Kopie von c:\windows\system32\DRIVERS\atapi.sys wurde gefunden und desinfiziert
Kopie von - Kitty ate it wurde wiederhergestellt
.
((((((((((((((((((((((( Dateien erstellt von 2010-02-27 bis 2010-03-27 ))))))))))))))))))))))))))))))
.

2010-03-27 08:38 . 2010-03-27 08:39 -------- d-----w- C:\32788R22FWJFW
2010-03-22 13:53 . 2010-03-22 13:53 -------- d-----w- c:\windows\Sun
2010-03-22 02:59 . 2010-03-22 18:09 -------- d-----w- C:\rsit
2010-03-21 19:07 . 2010-03-21 19:07 -------- d-----w- c:\users\Anna\AppData\Roaming\Malwarebytes
2010-03-21 19:06 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 19:06 . 2010-03-21 19:06 -------- d-----w- c:\programdata\Malwarebytes
2010-03-21 19:06 . 2010-03-21 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 19:06 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 11:55 . 2010-03-21 11:55 -------- d-----w- c:\users\Anna\AppData\Local\Diagnostics
2010-03-21 11:32 . 2010-03-21 11:32 -------- d-----w- c:\program files\Trend Micro
2010-03-21 10:52 . 2010-03-21 10:52 -------- d-----w- c:\program files\CCleaner
2010-03-19 21:22 . 2010-03-19 21:22 -------- d-----w- c:\users\Matthias\AppData\Roaming\InstallShield
2010-03-19 21:04 . 2010-03-19 21:04 8192 ----a-r- c:\users\Matthias\AppData\Roaming\Microsoft\Installer\{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}\IconD0B36BAF3.exe
2010-03-19 21:04 . 2010-03-19 21:04 6144 ----a-r- c:\users\Matthias\AppData\Roaming\Microsoft\Installer\{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}\Icon83F12F734.exe
2010-03-19 21:04 . 2010-03-19 21:04 11264 ----a-r- c:\users\Matthias\AppData\Roaming\Microsoft\Installer\{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}\Icon8F99E711.exe
2010-03-19 20:57 . 2010-03-19 22:15 -------- d-----w- c:\program files\THQ
2010-03-19 20:46 . 2010-03-19 20:46 -------- d-----w- c:\users\Matthias\AppData\Local\Diagnostics
2010-03-19 20:41 . 2010-03-19 20:41 -------- d-----w- c:\program files\Sierra
2010-03-19 18:34 . 2010-03-19 18:34 -------- d-----w- c:\users\Matthias\AppData\Local\PunkBuster
2010-03-19 18:27 . 2010-03-20 02:03 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-19 18:27 . 2010-03-19 18:27 22328 ----a-w- c:\users\Matthias\AppData\Roaming\PnkBstrK.sys
2010-03-19 18:27 . 2010-03-20 02:03 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-19 18:27 . 2010-03-19 18:34 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-19 18:22 . 2010-03-19 18:22 -------- d-----w- c:\program files\Activision
2010-03-19 18:10 . 2010-03-19 18:10 -------- d-----w- c:\program files\Common Files\Steam
2010-03-19 18:05 . 2010-03-19 18:05 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-19 18:04 . 2010-03-19 18:05 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-19 18:04 . 2010-03-19 18:19 -------- d-----w- c:\users\Matthias\AppData\Roaming\DAEMON Tools Lite
2010-03-19 18:04 . 2010-03-19 18:04 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-03-19 17:55 . 2010-03-19 18:05 -------- d-----w- c:\program files\Steam
2010-03-14 19:17 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-14 17:36 . 2010-03-14 17:36 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2010-02-28 15:56 . 2010-02-28 18:27 -------- d-----w- c:\users\Anna\AppData\Roaming\Advanced Chemistry Development
2010-02-28 13:02 . 2010-02-28 13:02 -------- d-----w- c:\programdata\Advanced Chemistry Development
2010-02-28 13:01 . 2010-02-28 13:01 -------- d-----w- c:\program files\ACDFREE12
2010-02-28 13:00 . 2010-02-28 13:02 -------- d-----w- c:\users\Matthias\AppData\Roaming\Advanced Chemistry Development
2010-02-25 08:56 . 2009-12-08 11:40 3955288 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-25 08:56 . 2009-12-08 11:40 3899464 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-25 08:56 . 2009-12-08 11:32 292864 ----a-w- c:\windows\system32\apphelp.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 12:48 . 2009-12-05 20:04 -------- d-----w- c:\users\Matthias\AppData\Roaming\ICQ
2010-03-26 12:47 . 2010-02-13 15:00 -------- d-----w- c:\users\Matthias\AppData\Roaming\Skype
2010-03-26 12:46 . 2010-02-13 15:05 -------- d-----w- c:\users\Matthias\AppData\Roaming\skypePM
2010-03-22 19:45 . 2010-01-06 14:33 -------- d-----w- c:\program files\Warcraft III
2010-03-19 22:15 . 2009-12-05 20:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-19 20:39 . 2010-01-04 18:33 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-24 09:16 . 2009-12-03 17:34 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 10:22 . 2010-02-23 10:22 -------- d-----w- c:\program files\MSXML 4.0
2010-02-22 15:04 . 2010-02-22 15:04 -------- d-----w- c:\programdata\CambridgeSoft
2010-02-22 14:47 . 2010-02-22 14:47 -------- d-----w- c:\program files\CambridgeSoft
2010-02-18 15:07 . 2010-02-18 15:07 1170240 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\users\Matthias\AppData\Roaming\teamspeak2
2010-02-17 15:28 . 2010-02-17 15:28 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-02-17 15:11 . 2010-02-17 15:11 -------- d-----w- c:\program files\gPotato.eu
2010-02-17 12:40 . 2010-02-17 12:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-02-15 10:11 . 2010-02-13 15:00 -------- d-----w- c:\users\Anna\AppData\Roaming\Skype
2010-02-13 15:05 . 2010-02-13 15:05 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-02-13 14:54 . 2010-02-13 14:54 -------- d-----r- c:\program files\Skype
2010-02-13 14:54 . 2010-02-13 14:54 -------- d-----w- c:\program files\Common Files\Skype
2010-02-13 14:54 . 2010-02-13 14:54 -------- d-----w- c:\programdata\Skype
2010-02-02 07:45 . 2010-02-24 16:24 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-31 11:54 . 2010-01-31 11:54 -------- d-----w- c:\users\Matthias\AppData\Roaming\ratiopharm
2010-01-17 21:00 . 2010-01-17 21:00 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2010-01-17 21:00 . 2010-01-17 21:00 1195328 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-16 08:49 . 2010-01-16 08:44 7827616 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate34.exe
2010-01-16 08:49 . 2010-01-16 08:44 7209992 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate33.exe
2010-01-16 08:49 . 2010-01-16 08:44 8478264 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate32.exe
2010-01-16 08:49 . 2010-01-16 08:44 8411368 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate31.exe
2010-01-16 08:48 . 2010-01-16 08:43 7969976 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate30.exe
2010-01-16 08:48 . 2010-01-16 08:43 7582984 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate29.exe
2010-01-16 08:48 . 2010-01-16 08:41 7565760 ----a-w- c:\users\Anna\AppData\Roaming\ratiopharm\keinebange\kbupdate28.exe
2010-01-08 03:18 . 2010-02-11 08:54 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-11 08:54 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-01-06 14:47 . 2010-01-06 14:39 55368 ----a-w- c:\windows\War3Unin.dat
2010-01-06 14:46 . 2010-01-06 14:39 2829 ----a-w- c:\windows\War3Unin.pif
2010-01-06 14:46 . 2010-01-06 14:39 139264 ----a-w- c:\windows\War3Unin.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]
2009-11-09 17:38 2331672 ----a-w- c:\program files\DVDVideoSoft\tbDVDV.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-13 149280]
"PDFPrint"="c:\program files\pdf24\pdf24.exe" [2009-12-15 207504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
" Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-4 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-01-04 3404560]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-19 691696]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2009-08-16 222968]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

.
.
------- Zusätzlicher Suchlauf -------
.
FF - ProfilePath - c:\users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "hxxp://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
AddRemove-Steam App 3730 - g:\steam\steam.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-03-27 09:54:58 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-03-27 08:54

Vor Suchlauf: 33.872.986.112 bytes free
Nach Suchlauf: 33.770.127.360 bytes free

- - End Of File - - 4273F35DC451A9984738F8B106155EAD



OTL


OTL logfile created on: 3/27/2010 10:13:09 AM - Run 3
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 31.52 Gb Free Space | 28.28% Space Free | Partition Type: NTFS
Drive D: | 104.90 Gb Total Space | 22.86 Gb Free Space | 21.79% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANNA-PC
Current User Name: Anna
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
PRC - [2009/12/15 10:40:54 | 000,207,504 | ---- | M] (Geek Software GmbH) -- C:\Program Files\pdf24\pdf24.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/18 02:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe
PRC - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe


========== Modules (SafeList) ==========

MOD - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:21 | 000,093,696 | ---- | M] (Windows (R) Codename Longhorn DDK provider) -- C:\Windows\System32\fms.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/10 17:29:28 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/01/04 20:55:00 | 003,404,560 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () [Auto | Running] -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "ICQ Search"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13"
FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:1.1.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/17 12:57:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/17 12:57:06 | 000,000,000 | ---D | M]

[2009/12/03 18:22:00 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Extensions
[2010/03/23 19:50:53 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions
[2009/12/08 13:30:11 | 000,000,000 | ---D | M] (DVDVideoSoft Toolbar) -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}
[2009/12/08 18:38:56 | 000,000,881 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\conduit.xml
[2010/03/21 10:33:54 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-1.xml
[2010/02/20 12:54:17 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-2.xml
[2010/03/18 21:32:48 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-3.xml
[2008/03/31 09:52:00 | 000,000,168 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.gif
[2008/03/31 09:52:00 | 000,000,618 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.src
[2009/12/31 17:13:23 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.xml
[2010/02/13 15:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/05 21:12:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2010/02/13 15:54:35 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/03/17 12:56:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010/03/17 12:56:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml
[2010/03/17 12:56:57 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010/03/17 12:56:57 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010/03/17 12:56:57 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010/03/27 09:51:52 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKLM\..\Toolbar: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoft Toolbar) - {E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe (Geek Software GmbH)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/03/27 09:51:57 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010/03/27 09:50:40 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/03/27 09:50:40 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Local\temp
[2010/03/27 09:39:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/03/27 09:39:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/03/27 09:39:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/03/27 09:39:16 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/03/27 09:39:13 | 000,000,000 | ---D | C] -- C:\cofi
[2010/03/27 09:38:46 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/27 09:38:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/03/27 09:38:23 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/03/27 09:33:02 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\Trojaner
[2010/03/24 21:23:57 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/03/22 14:53:10 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/03/22 03:59:43 | 000,000,000 | ---D | C] -- C:\rsit
[2010/03/21 20:07:01 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Roaming\Malwarebytes
[2010/03/21 20:06:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/21 20:06:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/21 20:06:54 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/21 20:06:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/21 12:55:00 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Local\Diagnostics
[2010/03/21 12:32:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/21 11:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/03/19 21:57:19 | 000,000,000 | ---D | C] -- C:\Program Files\THQ
[2010/03/19 21:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra
[2010/03/19 19:22:00 | 000,000,000 | ---D | C] -- C:\Program Files\Activision
[2010/03/19 19:10:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam
[2010/03/19 19:05:05 | 000,691,696 | ---- | C] (Duplex Secure Ltd.) -- C:\Windows\System32\drivers\sptd.sys
[2010/03/19 19:04:38 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite
[2010/03/19 19:04:03 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2010/03/19 18:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2010/03/14 17:30:48 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\SPIELE + CHAT MATTHIAS
[2010/03/14 17:22:23 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\Bewerbung etc

========== Files - Modified Within 14 Days ==========

[2010/03/27 10:13:30 | 001,572,864 | -HS- | M] () -- C:\Users\Anna\NTUSER.DAT
[2010/03/27 09:58:58 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/27 09:58:58 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/27 09:52:03 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/03/27 09:51:52 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/03/27 09:51:26 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/27 09:51:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/27 09:51:17 | 2414,682,112 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/27 09:35:07 | 003,903,606 | R--- | M] () -- C:\Users\Anna\Desktop\cofi.exe
[2010/03/27 09:30:43 | 001,292,140 | -H-- | M] () -- C:\Users\Anna\AppData\Local\IconCache.db
[2010/03/27 09:30:25 | 000,000,020 | ---- | M] () -- C:\Users\Anna\defogger_reenable
[2010/03/24 21:23:52 | 508,247,827 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/03/22 21:26:54 | 000,132,608 | ---- | M] () -- C:\Users\Anna\Desktop\Scan.doc
[2010/03/21 20:06:59 | 000,000,987 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 13:30:29 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/21 13:30:29 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/21 13:30:29 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/21 12:35:51 | 000,002,047 | ---- | M] () -- C:\Users\Anna\Desktop\HijackThis.lnk
[2010/03/21 11:52:53 | 000,001,839 | ---- | M] () -- C:\Users\Anna\Desktop\CCleaner.lnk
[2010/03/20 03:03:14 | 000,022,328 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/19 19:27:11 | 000,000,319 | ---- | M] () -- C:\Windows\game.ini
[2010/03/19 19:05:05 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) -- C:\Windows\System32\drivers\sptd.sys

========== Files Created - No Company Name ==========

[2010/03/27 09:39:34 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/03/27 09:39:34 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/03/27 09:39:34 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/03/27 09:39:34 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/03/27 09:39:34 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/03/27 09:35:03 | 003,903,606 | R--- | C] () -- C:\Users\Anna\Desktop\cofi.exe
[2010/03/27 09:30:12 | 000,000,020 | ---- | C] () -- C:\Users\Anna\defogger_reenable
[2010/03/24 21:23:52 | 508,247,827 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/03/22 03:55:28 | 000,132,608 | ---- | C] () -- C:\Users\Anna\Desktop\Scan.doc
[2010/03/21 20:06:59 | 000,000,987 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 12:32:19 | 000,002,047 | ---- | C] () -- C:\Users\Anna\Desktop\HijackThis.lnk
[2010/03/21 11:52:53 | 000,001,839 | ---- | C] () -- C:\Users\Anna\Desktop\CCleaner.lnk
[2010/03/19 19:27:52 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/19 19:27:17 | 000,103,736 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2010/03/19 19:27:14 | 000,066,872 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2010/03/19 19:27:11 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini
[2010/02/13 16:05:41 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/12/04 19:19:37 | 000,000,403 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[1999/01/22 20:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/02/28 19:27:29 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Advanced Chemistry Development
[2009/12/20 18:48:54 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\ICQ
[2010/01/16 09:40:23 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\ratiopharm
[2010/02/16 08:51:38 | 000,032,612 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\ERDNT\cache\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\ERDNT\cache\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache\cngaudit.dll
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
< End of report >



Kind regards,
anna
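
The "< MD5 for: ... >" block in the OTL log above lists every on-disk copy of a few boot-critical drivers and DLLs (the live copy under System32\drivers, the DriverStore and winsxs servicing copies, the ERDNT backup) together with its MD5. That custom scan is a cross-check: a rootkit that patches the live driver in place leaves the servicing-store copies untouched, so a hash that disagrees with its siblings is the tell, even when size and timestamp look normal. The Python script below is added here as an example; it is not part of the thread and not OTL's own code. It parses lines in OTL's format and reports any copy whose hash differs from the servicing-store copies. The log excerpt embedded in it is constructed for the example, and the odd hash on the live atapi.sys copy is made up to show what a patched driver looks like.

```python
"""Cross-check the MD5 sums OTL reports for each copy of a system file.

Added example: not part of the forum thread and not OTL's own code.
Input lines are in the format of OTL's "< MD5 for: NAME >" custom scan.
SAMPLE_LOG is constructed for this example; the differing hash on the
live atapi.sys copy is made up to show what a patched driver looks like.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = r"""
< MD5 for: AGP440.SYS >
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_sample\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\Windows\System32\drivers\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_sample\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_sample\atapi.sys
"""

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)
# Copies kept by the servicing stack or a backup tool; an in-place driver patch leaves these alone.
STORE_RE = re.compile(r"\\(winsxs|DriverStore|ERDNT)\\", re.IGNORECASE)


def parse_md5_section(text):
    """Return {filename_lower: [(path, MD5, size_bytes), ...]} from OTL MD5 scan output."""
    groups = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            size = int(entry.group("size").replace(",", ""))
            groups[current].append((entry.group("path"), entry.group("md5").upper(), size))
    return groups


def copy_kind(path):
    """'backup' for servicing-store/ERDNT copies, 'live' for the copy Windows actually loads."""
    return "backup" if STORE_RE.search(path) else "live"


def reference_hash(copies):
    """Use the servicing-store copies as the reference; fall back to the majority hash."""
    store = [md5 for path, md5, _ in copies if copy_kind(path) == "backup"]
    pool = store or [md5 for _, md5, _ in copies]
    return Counter(pool).most_common(1)[0][0]


def find_mismatches(groups):
    """Report every copy whose MD5 differs from the reference hash for that file."""
    findings = []
    for name, copies in groups.items():
        if len({md5 for _, md5, _ in copies}) <= 1:
            continue  # all copies agree, nothing to flag
        expected = reference_hash(copies)
        for path, md5, size in copies:
            if md5 != expected:
                findings.append({
                    "file": name, "path": path, "kind": copy_kind(path),
                    "md5": md5, "expected": expected, "size": size,
                })
    return findings


def audit(text):
    """Parse an OTL MD5 section and return the list of mismatching copies."""
    return find_mismatches(parse_md5_section(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['file']}: {f['kind']} copy {f['path']} has MD5 {f['md5']}, "
              f"store copies have {f['expected']} (size {f['size']} bytes)")
```

A mismatch on the live copy is the case that matters: the file under System32\drivers is what the kernel loads, and a backup copy that differs from it only tells you which one to restore from. Run against a real OTL.txt, the script stays read-only; replacing the driver is a separate, deliberate step.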

Old 27.03.2010, 12:38   #13
Larusso
/// Selecta Jahrusso
 

Well done

I see you have already run OTL, so there is no new extras.txt

step 1

Please uninstall
DVDVideoSoft Toolbar


step 2
  • Please start OTL.exe.
    Vista and Win7 users: right-click, "Run as administrator"
  • Now copy the following content into the text box.
Code:
:OTL
IE - HKLM\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13"
FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q="
[2009/12/08 13:30:11 | 000,000,000 | ---D | M] (DVDVideoSoft Toolbar) -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}
O2 - BHO: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoft Toolbar) - {E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
:Commands
[purity]
[emptytemp]

  • Now please close all programs.
  • Now click the Run Fix button.
  • Click on .
  • OTL may ask for a restart. Please allow it.
  • After the restart you will find a text document on your desktop.
    (Also found under C:\_OTL\MovedFiles\<time_date>.txt)
    Copy its content here into your thread


step 3

Please update Malwarebytes and run it again (a quick scan is enough)


step 4
Please switch on any external hard drives during the online scans! Please disable all background guards (anti-virus program, firewall, script blocking and the like) during the scans, and do not forget to switch everything back on afterwards.
  • Supported operating systems: Microsoft Windows 98/ME/NT 4.0/2000/XP and Windows Vista
  • Note for Vista users: be sure to start the browser as administrator.
  • Disable your anti-virus program during the scan.
  • Press the "ESET Online Scanner" button.
  • Firefox users have to install an additional add-on (esetsmartinstaller_enu.exe).
  • Save the Firefox add-on to the desktop and then install it.
  • IE users have to allow the installation of an ActiveX element.
  • Tick "Remove found threats" and "Scan archives".
  • Press Start.
  • Signatures are downloaded.
  • The scan starts automatically.
  • Press Finish.
  • Close the browser.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt and open it with your editor.
  • Post the log file here.
  • Uninstallation: Control Panel => Programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset
  • IE users additionally: fix the following entry with HJT:
  • O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control)


step 5

Start OTL.exe and click the Quick Scan button


Please post in your next reply
MBAM log
ESET log
OTL.txt

Report whether the computer is still causing problems
__________________
Kind regards, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Learn to strike back and support us!
TB Akademie
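
Step 2 above strips the prefs.js entries that point Firefox's default search URL, keyword.URL and homepage at search.conduit.com. The Python script below is added here as an example, not part of the thread and not OTL's own code; it does the read-only half of that step. It parses prefs.js, flags every search or homepage pref whose host or engine name is not on an allow-list, and prints the offenders in the 'FF - prefs.js..key: "value"' form the OTL log and fix script use (http defanged to hxxp, as in the log lines above). The prefs.js content embedded in it is constructed for the example, and ALLOWED_HOSTS and ALLOWED_ENGINES are assumptions a practitioner tunes per machine: in the thread the helper left the "ICQ Search" engine entries alone because the user had installed ICQ herself, and with a different allow-list the script would do the same.

```python
"""Audit a Firefox prefs.js for search/homepage hijacking.

Added example: not part of the forum thread and not OTL's own code.
SAMPLE_PREFS is constructed for this example; ALLOWED_HOSTS and
ALLOWED_ENGINES are assumptions about what this user is expected to have chosen.
"""
import re
from urllib.parse import urlparse

SAMPLE_PREFS = r'''
user_pref("browser.search.defaultenginename", "ICQ Search");
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}");
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT2269050&SearchSource=13");
user_pref("keyword.URL", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q=");
user_pref("browser.search.selectedEngine", "ICQ Search");
user_pref("network.proxy.type", 0);
'''

# Prefs whose value is a URL the browser will load or send typed searches to.
URL_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}
# Prefs whose value names the engine behind the search box.
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
# Assumed allow-lists (example values, tune per machine).
ALLOWED_HOSTS = {"www.google.com", "www.google.de", "www.msn.com"}
ALLOWED_ENGINES = {"Google"}

PREF_RE = re.compile(
    r'^\s*user_pref\("(?P<key>[^"]+)",\s*(?P<value>"(?:[^"\\]|\\.)*"|[^)]+)\);'
)


def parse_prefs(text):
    """Return {key: value_as_string} for every user_pref(...) line; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')  # unquote and unescape
        prefs[m.group("key")] = value
    return prefs


def audit_prefs(prefs, allowed_hosts=ALLOWED_HOSTS, allowed_engines=ALLOWED_ENGINES):
    """Return [(key, value, reason)] for every search/homepage pref outside the allow-lists."""
    findings = []
    for key, value in prefs.items():
        if key in URL_PREFS:
            host = (urlparse(value).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append((key, value, f"host {host!r} not in allow-list"))
        elif key in ENGINE_PREFS and value not in allowed_engines:
            findings.append((key, value, f"engine {value!r} not in allow-list"))
    return findings


def otl_fix_lines(findings):
    """Render findings the way the OTL log prints them (http defanged to hxxp), ready for a fix script."""
    return [f'FF - prefs.js..{key}: "{value.replace("http://", "hxxp://")}"'
            for key, value, _ in findings]


if __name__ == "__main__":
    found = audit_prefs(parse_prefs(SAMPLE_PREFS))
    for key, value, reason in found:
        print(f"{key}: {reason}")
    print("\n".join(otl_fix_lines(found)))
```

The script only reads prefs.js; it never edits it. That is deliberate: the fix itself should go through the tool the helper is driving, so that what was changed ends up in the log the helper reviews next.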

Old 27.03.2010, 18:37   #14
annaswelten
 

OTL


All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Prefs.js: "Search" removed from browser.search.defaultthis.engineName
Prefs.js: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Prefs.js: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13" removed from browser.startup.homepage
Prefs.js: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q=" removed from keyword.URL
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\searchplugin folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\META-INF folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\lib folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\defaults folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\components folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\chrome folder moved successfully.
C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F}\ not found.
File C:\Program Files\DVDVideoSoft\tbDVDV.dll not found.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Anna
->Temp folder emptied: 157053 bytes
->Temporary Internet Files folder emptied: 413390 bytes
->Java cache emptied: 12118713 bytes
->FireFox cache emptied: 47128006 bytes
->Flash cache emptied: 434 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Matthias
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 57.00 mb


OTL by OldTimer - Version 3.1.37.3 log created on 03272010_132744

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

MBAM


Malwarebytes' Anti-Malware 1.44
Database version: 3920
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

27.03.2010 13:39:36
mbam-log-2010-03-27 (13-39-36).txt

Scan type: Quick scan
Objects scanned: 118106
Time elapsed: 4 minute(s), 4 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 0
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 0

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
(No malicious items detected)

Registry values infected:
(No malicious items detected)

Registry data items infected:
(No malicious items detected)

Folders infected:
(No malicious items detected)

Files infected:
(No malicious items detected)




ESET

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d102974ad4e93e438a82bf422985e46d
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-27 04:30:05
# local_time=2010-03-27 05:30:05 (+0100, W. Europe Standard Time)
# country="Germany"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 526431 526431 0 0
# compatibility_mode=1797 16775165 100 94 4665 45209276 5813 0
# compatibility_mode=5893 16776573 100 94 99278 22146560 0 0
# compatibility_mode=8192 67108863 100 0 3694 3694 0 0
# scanned=320926
# found=7
# cleaned=7
# scan_time=13435
C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan (cleaned - quarantined) 00000000000000000000000000000000 C
D:\C alt\Program Files\Acer Arcade Deluxe\PlayMovie\CBS.dll probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\C alt\Program Files\Acer Arcade Deluxe\PlayMovie\VideoFilter\cl264dec.ax probably a variant of Win32/Hupigon trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\C alt\Program Files\Acer Arcade Deluxe\PlayMovie\VideoFilter\cldabc.dll probably a variant of Win32/Hupigon trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\C alt\Users\Anna\AppData\Local\Temp\NERO1003378\unit_app_75\Toolbar.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\C alt\Users\Anna\Downloads\ALLES ALTE\Nero-9.2.6.0_trial(3).exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
D:\C alt\Users\Anna\Downloads\ALLES ALTE\Nero-9.2.6.0_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C


OTL STEP 5


OTL logfile created on: 3/27/2010 6:28:58 PM - Run 4
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 29.82 Gb Free Space | 26.76% Space Free | Partition Type: NTFS
Drive D: | 104.90 Gb Total Space | 23.60 Gb Free Space | 22.50% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANNA-PC
Current User Name: Anna
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/27 13:30:30 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
PRC - [2010/01/07 16:07:10 | 001,394,000 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/12/15 10:40:54 | 000,207,504 | ---- | M] (Geek Software GmbH) -- C:\Program Files\pdf24\pdf24.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/18 02:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe
PRC - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [1999/04/23 22:45:44 | 008,441,907 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office\WINWORD.EXE
PRC - [1998/10/13 20:08:18 | 000,274,497 | ---- | M] (Microsoft Corporation) -- C:\Windows\Msagent\AGENTSVR.EXE


========== Modules (SafeList) ==========

MOD - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/10 17:29:28 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/01/04 20:55:00 | 003,404,560 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () [Auto | Running] -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.defaultthis.engineName: ""
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "ICQ Search"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13"
FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:1.1.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/27 13:30:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/27 13:30:32 | 000,000,000 | ---D | M]

[2009/12/03 18:22:00 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Extensions
[2010/03/27 13:30:44 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions
[2009/12/08 18:38:56 | 000,000,881 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\conduit.xml
[2010/03/21 10:33:54 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-1.xml
[2010/02/20 12:54:17 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-2.xml
[2010/03/18 21:32:48 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-3.xml
[2010/03/27 13:30:46 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-4.xml
[2010/03/27 13:35:29 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-5.xml
[2009/12/31 17:13:23 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.xml
[2010/02/13 15:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/05 21:12:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2010/02/13 15:54:35 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/03/17 12:56:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010/03/17 12:56:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml
[2010/03/17 12:56:57 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010/03/17 12:56:57 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010/03/17 12:56:57 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010/03/27 09:51:52 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe (Geek Software GmbH)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/03/27 13:44:35 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/03/27 13:27:44 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/27 09:51:57 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010/03/27 09:50:40 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/03/27 09:50:40 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Local\temp
[2010/03/27 09:39:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/03/27 09:39:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/03/27 09:39:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/03/27 09:39:16 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/03/27 09:39:13 | 000,000,000 | ---D | C] -- C:\cofi
[2010/03/27 09:38:46 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/27 09:38:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/03/27 09:38:23 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/03/27 09:33:02 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\Trojaner
[2010/03/24 21:23:57 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/03/22 14:53:10 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/03/22 03:59:43 | 000,000,000 | ---D | C] -- C:\rsit
[2010/03/21 20:07:01 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Roaming\Malwarebytes
[2010/03/21 20:06:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/21 20:06:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/21 20:06:54 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/21 20:06:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/21 12:55:00 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Local\Diagnostics
[2010/03/21 12:32:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/21 11:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/03/19 21:57:19 | 000,000,000 | ---D | C] -- C:\Program Files\THQ
[2010/03/19 21:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra
[2010/03/19 19:22:00 | 000,000,000 | ---D | C] -- C:\Program Files\Activision
[2010/03/19 19:10:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam
[2010/03/19 19:05:05 | 000,691,696 | ---- | C] (Duplex Secure Ltd.) -- C:\Windows\System32\drivers\sptd.sys
[2010/03/19 19:04:38 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite
[2010/03/19 19:04:03 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2010/03/19 18:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2010/03/14 17:30:48 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\SPIELE + CHAT MATTHIAS
[2010/03/14 17:22:23 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\Bewerbung etc

========== Files - Modified Within 14 Days ==========

[2010/03/27 18:30:42 | 001,572,864 | -HS- | M] () -- C:\Users\Anna\NTUSER.DAT
[2010/03/27 14:29:46 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/27 14:29:46 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/27 13:28:33 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/27 13:28:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/27 13:28:25 | 2414,682,112 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/27 11:17:55 | 000,029,184 | ---- | M] () -- C:\Users\Anna\Desktop\Scan.doc
[2010/03/27 09:52:03 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/03/27 09:51:52 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/03/27 09:35:07 | 003,903,606 | R--- | M] () -- C:\Users\Anna\Desktop\cofi.exe
[2010/03/27 09:30:43 | 001,292,140 | -H-- | M] () -- C:\Users\Anna\AppData\Local\IconCache.db
[2010/03/27 09:30:25 | 000,000,020 | ---- | M] () -- C:\Users\Anna\defogger_reenable
[2010/03/24 21:23:52 | 508,247,827 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/03/21 20:06:59 | 000,000,987 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 13:30:29 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/21 13:30:29 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/21 13:30:29 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/21 12:35:51 | 000,002,047 | ---- | M] () -- C:\Users\Anna\Desktop\HijackThis.lnk
[2010/03/21 11:52:53 | 000,001,839 | ---- | M] () -- C:\Users\Anna\Desktop\CCleaner.lnk
[2010/03/20 03:03:14 | 000,022,328 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/19 19:27:11 | 000,000,319 | ---- | M] () -- C:\Windows\game.ini
[2010/03/19 19:05:05 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) -- C:\Windows\System32\drivers\sptd.sys

========== Files Created - No Company Name ==========

[2010/03/27 09:39:34 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/03/27 09:39:34 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/03/27 09:39:34 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/03/27 09:39:34 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/03/27 09:39:34 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/03/27 09:35:03 | 003,903,606 | R--- | C] () -- C:\Users\Anna\Desktop\cofi.exe
[2010/03/27 09:30:12 | 000,000,020 | ---- | C] () -- C:\Users\Anna\defogger_reenable
[2010/03/24 21:23:52 | 508,247,827 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/03/22 03:55:28 | 000,029,184 | ---- | C] () -- C:\Users\Anna\Desktop\Scan.doc
[2010/03/21 20:06:59 | 000,000,987 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 12:32:19 | 000,002,047 | ---- | C] () -- C:\Users\Anna\Desktop\HijackThis.lnk
[2010/03/21 11:52:53 | 000,001,839 | ---- | C] () -- C:\Users\Anna\Desktop\CCleaner.lnk
[2010/03/19 19:27:52 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/19 19:27:17 | 000,103,736 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2010/03/19 19:27:14 | 000,066,872 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2010/03/19 19:27:11 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini
[2010/02/13 16:05:41 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/12/04 19:19:37 | 000,000,403 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[1999/01/22 20:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/02/28 19:27:29 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Advanced Chemistry Development
[2009/12/20 18:48:54 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\ICQ
[2010/01/16 09:40:23 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\ratiopharm
[2010/02/16 08:51:38 | 000,032,612 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >




hehe, here I've left you another nice novel
thanks Daniel for going to the trouble and helping me, I really appreciate it!!! so far my laptop hasn't acted up any more since I did the first few steps this morning. I'm totally glad and relieved

best wishes
anna

27.03.2010, 19:00   #15
Larusso
/// Selecta Jahrusso



Looks good

Uninstall ComboFix

Before the following action, please temporarily disable your antivirus program again, as well as any script blocking and anti-malware programs you have.

Start => Run (on Vista: Windows key + R) => type ComboFix.exe /uninstall there => press Enter - this removes ComboFix completely and empties the System Restore cache, so that the pests disappear from there as well.

Now re-enable the programs you just disabled.

Step 2
  • Please start OTL.exe.
    Vista and Win7 users: right-click and "Run as administrator"
  • Now copy the following content into the text box.
Code:
:OTL
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT2269050&SearchSource=13"
:Commands
[purity]
[emptytemp]

  • Now please close all programs.
  • Now please click the Run Fix button.
  • Click on .
  • OTL may request a restart. Please allow it.


Step 3

Run OTL again --> Quick Scan and post me the log file
__________________
Regards, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

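An added example, not part of Daniel's instructions or of OTL itself: a small Python script that does the Firefox part of the fix above outside OTL. It parses a prefs.js, flags the search and start-page prefs whose URL points at search.conduit.com (the hijacker domain from the OTL log in this thread) and returns the file content with those lines dropped, which resets the prefs to the browser default. The sample prefs.js and the www.google.com value in it are constructed for the example; real profiles live under AppData\Roaming\Mozilla\Firefox\Profiles, and Firefox must be closed before the file is rewritten because it saves prefs.js on exit.

```python
import re
from urllib.parse import urlparse

# Hijacker domain taken from the OTL log in this thread.
HIJACK_DOMAINS = {"search.conduit.com"}

# Prefs that decide where searches and the start page go; these are the ones
# a search hijacker rewrites (the OTL fix above removes the first two).
WATCHED_PREFS = {
    "browser.search.defaulturl",
    "browser.startup.homepage",
    "keyword.URL",
}

# user_pref("name", value);  -- value is a quoted string, number or bool
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def parse_pref_line(line):
    """Return (name, value) for a user_pref line, or None for anything else.
    String values are unquoted; other JS literals are returned verbatim."""
    m = PREF_RE.match(line)
    if not m:
        return None
    name, raw = m.group(1), m.group(2).strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return name, raw


def is_hijacked(name, value, domains=HIJACK_DOMAINS):
    """True when a watched pref points at a known hijacker host.
    A homepage pref may hold several '|'-separated URLs; any match counts."""
    if name not in WATCHED_PREFS:
        return False
    for url in value.split("|"):
        host = urlparse(url.strip()).hostname
        if host and host.lower() in domains:
            return True
    return False


def audit_prefs(text):
    """List (name, value) of every hijacked pref found in prefs.js text."""
    found = []
    for line in text.splitlines():
        parsed = parse_pref_line(line)
        if parsed and is_hijacked(*parsed):
            found.append(parsed)
    return found


def clean_prefs(text):
    """Return (cleaned_text, removed_names): prefs.js with hijacked lines dropped.
    Dropping the line resets the pref to the browser default, which is what
    the OTL ':OTL' section does for the two entries listed in the thread."""
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_pref_line(line)
        if parsed and is_hijacked(*parsed):
            removed.append(parsed[0])
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample prefs.js; the conduit values mirror the OTL log above,
# the google keyword.URL is a placeholder for a legitimate setting.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}");
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT2269050&SearchSource=13");
user_pref("browser.startup.homepage_override.mstone", "rv:1.9.2.2");
user_pref("keyword.URL", "http://www.google.com/search?q=");
user_pref("browser.cache.disk.capacity", 51200);
user_pref("extensions.lastAppVersion", "3.6.2");
'''

if __name__ == "__main__":
    for name, value in audit_prefs(SAMPLE_PREFS):
        print(f"hijacked: {name} = {value}")
    cleaned, removed = clean_prefs(SAMPLE_PREFS)
    print(f"removed {len(removed)} pref(s): {', '.join(removed)}")
```

Matching on the URL host rather than on the literal pref value catches the same hijack when the ctid or SearchSource parameters differ from the ones in this log; to use it on a real profile, read the profile's prefs.js into `clean_prefs`, write the first return value back, and keep the original as a backup.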
