
Pests of all kinds and how to fight them: tr/ dropper.gen

Windows 7. If you are not sure whether you have picked up malware or a Trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete the unwanted software. Please describe your problem as precisely as possible. If it is a Trojan or virus problem, an expert will help you clean up the infection.

21.03.2010, 15:55   #1
annaswelten
 
tr/ dropper.gen

hello everyone,

I hope you can help me, because unfortunately I have no idea how to remove the Trojan from my PC.

In der Datei 'C:\Windows\Temp\ooek.tmp\svchost.exe'
wurde ein Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan] gefunden.

this message pops up in AntiVir roughly every 10-20 minutes and is not just getting on my nerves, it also worries me... here is the data from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:14, on 21.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\pdf24\pdf24.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2269050
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4955 bytes

can you help me? if so, please explain as simply as possible what I should and shouldn't do, because I don't know my way around very well.
thank you very much in advance!

anna
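Reading a HijackThis log like the one above by hand is what the helpers in this thread do: look at the R0/R1 start and search pages, the O2 BHO entries, and the O23 services. As an added example (not code from the thread, from Trojaner-Board or from Trend Micro), the Python script below does that first pass automatically: it flags start/search pages that do not point at a vendor default host, BHOs whose DLL is gone, and services with an unknown owner or a missing binary. The sample lines are constructed in the format shown in the log above (RSIT-style `hxxp` defanging included), and the list of trusted search hosts is an assumption of the example. A flag means "look at this", not "this is malware".

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; it is not a tool from Trojaner-Board or from
Trend Micro. It flags the entry types a helper looks at first: IE start/search
pages that do not point at a vendor default host, BHOs whose DLL is gone, and
services with an unknown owner or a missing binary.
"""
import re
from urllib.parse import urlparse

# Assumption of this example: these hosts are expected as IE start/search pages.
TRUSTED_SEARCH_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.bing.com"}

# Matches the "<code> - <body>" layout of R0/R1/O2/O4/O23... lines.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Constructed sample in the format HijackThis prints (RSIT defangs URLs as hxxp).
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)",
    r"O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse_line(line):
    """Split one log line into (code, body); None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage_line(line):
    """Return (severity, reason) when a line deserves attention, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    code, body = parsed

    if code in ("R0", "R1"):
        key, sep, value = body.partition(" = ")
        if not sep or not value.strip():
            return None  # no value set: IE falls back to its default
        url = value.strip().replace("hxxp://", "http://", 1)  # undo defanging
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_SEARCH_HOSTS:
            return ("review", f"{code}: {key.split(',')[-1]} points at {host}")
        return None

    if code == "O2" and body.endswith("(no file)"):
        return ("orphan", f"{code}: BHO registered but its DLL is missing: {body}")

    if code == "O23":
        flags = []
        if "Unknown owner" in body:
            flags.append("unknown owner")
        if body.endswith("(file missing)"):
            flags.append("binary missing")
        if flags:
            return ("review", f"{code}: service with {', '.join(flags)}: {body}")

    return None


def triage_log(text):
    """Run triage_line over a whole log; returns [(line_no, severity, reason)]."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = triage_line(line)
        if hit is not None:
            hits.append((line_no, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for line_no, severity, reason in triage_log(SAMPLE_LOG):
        print(f"line {line_no} [{severity}] {reason}")
```

Run against the constructed sample it reports three lines: the conduit start page, the orphaned BHO, and the GameGuard service with both an unknown owner and a missing binary; the Adobe BHO, the Avira Run entry and the Steam service pass through silently. Orphaned entries like the "(no file)" BHO are usually leftovers of an uninstall rather than an infection, which is why they get their own "orphan" label instead of "review".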

Alt 21.03.2010, 16:16   #2
StLB
/// Helper Team
 
Hello and

For a better look into your system, please carry out the following steps:

1.) Malwarebytes Anti-Malware
  • Please follow the guide above and post the logfile here (you will find it in the "Scan Reports" tab).
2.) System scan with RSIT
  • Please follow the guide above and post the logfiles here (log.txt and info.txt).

22.03.2010, 14:50   #3
annaswelten
 
many thanks for the first steps... so here is what I got from the malware scan:

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|)
Durchsuchte Objekte: 471495
Laufzeit: 3 hour(s), 27 minute(s), 12 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
D:\C alt\Users\Anna\Downloads\ALLES ALTE\CryptLoad_1.1.5\ocr\netload.in\asmCaptcha\test.exe (Malware.Packer) -> Quarantined and deleted successfully.

in the second step I don't get to the end; the following message keeps popping up in between:

AutoIt Error

Line -1
Error : Variable used without being declared

so unfortunately I have no idea about that; I had switched the firewall off.

the AntiVir message (1st post) still appears after removing the malware.
I have noticed that whenever the AntiVir message appears, new folders are created under C:/Windows/temp

that are completely empty, and I can't see the file that AntiVir reports as infected anywhere.

best wishes

anna

22.03.2010, 15:09   #4
StLB
/// Helper Team
 
The top part of the Malwarebytes log is missing - please post it.

Try running RSIT as administrator (right-click -> Run as administrator). Then it should work.
__________________
Regards, Julian

No support via PM!

Donation option: Make a Donation

22.03.2010, 16:39   #5
Moritz009
 

*hopping in briefly*

RSIT does not run on Windows 7.
You have to right-click rsit.exe, then "Properties", and under Compatibility set it to "XP". That should roughly do it; I don't have Windows 7.

*hopping out*

__________________
Regards,
Moritz

Trojaner-Board donation account

22.03.2010, 19:22   #6
annaswelten
 
so, now it worked... :

Logfile of random's system information tool 1.06 (written by random/random)
Run by Anna at 2010-03-22 19:17:15
Microsoft Windows 7 Ultimate Service Pack 3
System drive C: has 31 GB (27%) free of 114 GB
Total RAM: 3070 MB (79% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:25, on 22.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\pdf24\pdf24.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Anna\Downloads\RSIT(2).exe
C:\Program Files\Trend Micro\HijackThis\Anna.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: DVDVideoSoft Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5016 bytes

p.s. I think it's really kind that you take the time to help me! thanks again!

22.03.2010, 19:59   #7
StLB
/// Helper Team
 
Sorry, I had overlooked earlier that you are using Windows 7.

So please do a run with OTL instead:

System scan with OTL by OldTimer
  • Download OTL.exe and save it to the desktop.
  • Run OTL.exe (possibly again in compatibility mode)
  • In the "Extra Registry" block set the button to "UseSafeList"
  • Also tick "LOP Check" and "Purity Check".
  • Then scan with "Run Scan" at the top left.
  • The generated logfiles OTL.txt and Extras.txt are either on the desktop or under c:\_OTL\
  • Then post both logfiles here for evaluation.

22.03.2010, 20:55   #8
annaswelten
 
here you go:

OTL logfile created on: 3/22/2010 8:49:39 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 30.03 Gb Free Space | 26.95% Space Free | Partition Type: NTFS
Drive D: | 104.90 Gb Total Space | 22.82 Gb Free Space | 21.76% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANNA-PC
Current User Name: Anna
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
PRC - [2010/03/17 12:56:54 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/15 10:40:54 | 000,207,504 | ---- | M] (Geek Software GmbH) -- C:\Program Files\pdf24\pdf24.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/18 02:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe
PRC - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe


========== Modules (SafeList) ==========

MOD - [2010/03/22 20:48:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anna\Downloads\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/10 17:29:28 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/01/04 20:55:00 | 003,404,560 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/08/16 14:01:16 | 000,222,968 | ---- | M] () [Auto | Running] -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2009/07/21 13:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/05/13 15:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)


========== Driver Services (SafeList) ==========

DRV - [2010/03/19 19:05:05 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/12/07 19:03:21 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/08/18 03:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/14 02:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 02:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 02:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 02:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 02:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 02:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 02:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 02:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 02:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 02:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 02:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 02:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 02:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 02:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/14 02:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 02:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 02:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 02:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 02:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 02:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 02:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 02:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 02:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 02:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 02:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 02:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 02:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 02:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 02:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 02:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 02:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 02:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 02:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 02:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 02:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 02:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 02:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 02:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 02:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 01:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 01:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 01:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 00:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 00:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 00:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 00:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 00:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 00:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 00:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 00:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 00:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 00:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 00:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 00:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 00:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 00:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 00:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 00:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/14 00:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 00:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 23:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 23:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 23:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 23:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 23:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 23:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 23:13:48 | 001,035,776 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/07/13 23:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel(R)
DRV - [2009/07/13 23:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 23:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 23:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/07/13 23:02:47 | 000,047,104 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1E62x86.sys -- (L1E) NDIS Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller(NDIS6.20)
DRV - [2009/05/11 09:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "ICQ Search"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13"
FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:1.1.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/17 12:57:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/17 12:57:06 | 000,000,000 | ---D | M]

[2009/12/03 18:22:00 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Extensions
[2010/03/22 19:29:03 | 000,000,000 | ---D | M] -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions
[2009/12/08 13:30:11 | 000,000,000 | ---D | M] (DVDVideoSoft Toolbar) -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}
[2009/12/08 18:38:56 | 000,000,881 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\conduit.xml
[2010/03/21 10:33:54 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-1.xml
[2010/02/20 12:54:17 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-2.xml
[2010/03/18 21:32:48 | 000,000,950 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin-3.xml
[2008/03/31 09:52:00 | 000,000,168 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.gif
[2008/03/31 09:52:00 | 000,000,618 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.src
[2009/12/31 17:13:23 | 000,000,961 | ---- | M] () -- C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\m9ckct9e.default\searchplugins\icqplugin.xml
[2010/02/13 15:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/05 21:12:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2010/02/13 15:54:35 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/03/17 12:56:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010/03/17 12:56:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml
[2010/03/17 12:56:57 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010/03/17 12:56:57 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010/03/17 12:56:57 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKLM\..\Toolbar: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoft Toolbar) - {E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe (Geek Software GmbH)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/22 14:53:10 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/03/22 14:11:25 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/03/22 03:59:43 | 000,000,000 | ---D | C] -- C:\rsit
[2010/03/21 20:07:01 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Roaming\Malwarebytes
[2010/03/21 20:06:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/21 20:06:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/21 20:06:54 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/21 20:06:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/21 12:55:00 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Local\Diagnostics
[2010/03/21 12:32:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/21 11:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/03/20 04:30:08 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll
[2010/03/20 04:30:08 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_5.dll
[2010/03/20 04:30:08 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_5.dll
[2010/03/20 04:30:07 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dcsx_42.dll
[2010/03/20 04:30:07 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_41.dll
[2010/03/20 04:30:07 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll
[2010/03/20 04:30:07 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_41.dll
[2010/03/20 04:30:07 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll
[2010/03/20 04:30:07 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_41.dll
[2010/03/20 04:30:07 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_42.dll
[2010/03/20 04:30:06 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_4.dll
[2010/03/20 04:30:06 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_4.dll
[2010/03/20 04:30:06 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_3.dll
[2010/03/20 04:30:06 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_6.dll
[2010/03/20 04:30:05 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_40.dll
[2010/03/20 04:30:05 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_40.dll
[2010/03/20 04:30:05 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_3.dll
[2010/03/20 04:30:05 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_2.dll
[2010/03/20 04:30:05 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_40.dll
[2010/03/20 04:30:05 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_3.dll
[2010/03/20 04:30:05 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_2.dll
[2010/03/20 04:30:05 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_1.dll
[2010/03/20 04:30:05 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_5.dll
[2010/03/20 04:30:04 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_39.dll
[2010/03/20 04:30:04 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_39.dll
[2010/03/20 04:30:04 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_1.dll
[2010/03/20 04:30:04 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_39.dll
[2010/03/20 04:30:04 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_2.dll
[2010/03/20 04:30:04 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_1.dll
[2010/03/20 04:30:04 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_0.dll
[2010/03/20 04:30:04 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_4.dll
[2010/03/20 04:30:03 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_38.dll
[2010/03/20 04:30:03 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_38.dll
[2010/03/20 04:30:03 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_37.dll
[2010/03/20 04:30:03 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_0.dll
[2010/03/20 04:30:03 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_38.dll
[2010/03/20 04:30:03 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_37.dll
[2010/03/20 04:30:03 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_0.dll
[2010/03/20 04:30:03 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_3.dll
[2010/03/20 04:30:02 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_37.dll
[2010/03/20 04:30:02 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_36.dll
[2010/03/20 04:30:02 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_36.dll
[2010/03/20 04:30:02 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_10.dll
[2010/03/20 04:30:01 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_36.dll
[2010/03/20 04:30:01 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_35.dll
[2010/03/20 04:30:01 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_35.dll
[2010/03/20 04:30:01 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_35.dll
[2010/03/20 04:30:01 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_9.dll
[2010/03/20 04:30:01 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_8.dll
[2010/03/20 04:30:01 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_2.dll
[2010/03/19 21:57:19 | 000,000,000 | ---D | C] -- C:\Program Files\THQ
[2010/03/19 21:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra
[2010/03/19 19:28:57 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_34.dll
[2010/03/19 19:28:57 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_34.dll
[2010/03/19 19:28:56 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_34.dll
[2010/03/19 19:28:56 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_33.dll
[2010/03/19 19:28:56 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_33.dll
[2010/03/19 19:28:56 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_7.dll
[2010/03/19 19:28:56 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll
[2010/03/19 19:28:55 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_33.dll
[2010/03/19 19:28:55 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_32.dll
[2010/03/19 19:28:55 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_31.dll
[2010/03/19 19:28:55 | 000,440,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10.dll
[2010/03/19 19:28:55 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_6.dll
[2010/03/19 19:28:55 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_5.dll
[2010/03/19 19:28:55 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_4.dll
[2010/03/19 19:28:55 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_1.dll
[2010/03/19 19:28:54 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_3.dll
[2010/03/19 19:28:54 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_2.dll
[2010/03/19 19:28:54 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_1.dll
[2010/03/19 19:28:54 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_2.dll
[2010/03/19 19:28:54 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_1.dll
[2010/03/19 19:28:50 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll
[2010/03/19 19:28:50 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_29.dll
[2010/03/19 19:28:50 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_0.dll
[2010/03/19 19:28:50 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_0.dll
[2010/03/19 19:28:49 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_25.dll
[2010/03/19 19:28:49 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_28.dll
[2010/03/19 19:28:49 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_27.dll
[2010/03/19 19:28:49 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_26.dll
[2010/03/19 19:28:49 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_24.dll
[2010/03/19 19:22:00 | 000,000,000 | ---D | C] -- C:\Program Files\Activision
[2010/03/19 19:10:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam
[2010/03/19 19:04:38 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite
[2010/03/19 19:04:03 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2010/03/19 18:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2010/03/14 20:17:52 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe
[2010/03/14 17:30:48 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\SPIELE + CHAT MATTHIAS
[2010/03/14 17:22:23 | 000,000,000 | ---D | C] -- C:\Users\Anna\Desktop\Bewerbung etc
[2010/02/28 16:56:49 | 000,000,000 | ---D | C] -- C:\Users\Anna\AppData\Roaming\Advanced Chemistry Development
[2010/02/28 14:02:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Advanced Chemistry Development
[2010/02/28 14:01:07 | 000,000,000 | ---D | C] -- C:\Program Files\ACDFREE12
[2010/02/25 09:56:27 | 003,955,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/02/25 09:56:27 | 003,899,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/02/24 17:24:14 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/02/24 17:24:12 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/02/23 11:22:41 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2010/02/22 16:04:43 | 000,000,000 | ---D | C] -- C:\ProgramData\CambridgeSoft
[2010/02/22 15:47:31 | 000,000,000 | ---D | C] -- C:\Program Files\CambridgeSoft
[2010/02/22 15:47:08 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2010/02/22 15:47:01 | 000,000,000 | ---D | C] -- C:\CSTEMP

========== Files - Modified Within 30 Days ==========

[2010/03/22 20:51:28 | 001,572,864 | -HS- | M] () -- C:\Users\Anna\NTUSER.DAT
[2010/03/22 19:23:19 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/22 19:23:19 | 000,025,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/22 19:16:08 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/22 19:16:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/22 19:15:56 | 2414,682,112 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/22 19:14:01 | 002,592,635 | -H-- | M] () -- C:\Users\Anna\AppData\Local\IconCache.db
[2010/03/22 03:55:30 | 000,020,992 | ---- | M] () -- C:\Users\Anna\Desktop\Scan.doc
[2010/03/21 20:06:59 | 000,000,987 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 13:30:29 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/21 13:30:29 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/21 13:30:29 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/21 12:35:51 | 000,002,047 | ---- | M] () -- C:\Users\Anna\Desktop\HijackThis.lnk
[2010/03/21 11:52:53 | 000,001,839 | ---- | M] () -- C:\Users\Anna\Desktop\CCleaner.lnk
[2010/03/20 03:03:14 | 000,022,328 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/19 19:27:11 | 000,000,319 | ---- | M] () -- C:\Windows\game.ini
[2010/03/19 19:05:05 | 000,691,696 | ---- | M] () -- C:\Windows\System32\drivers\sptd.sys
[2010/03/07 12:35:29 | 000,000,584 | ---- | M] () -- C:\Users\Anna\Documents\grstyles.stl
[2010/02/24 10:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe

========== Files Created - No Company Name ==========

[2010/03/22 03:55:28 | 000,020,992 | ---- | C] () -- C:\Users\Anna\Desktop\Scan.doc
[2010/03/21 20:06:59 | 000,000,987 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 12:32:19 | 000,002,047 | ---- | C] () -- C:\Users\Anna\Desktop\HijackThis.lnk
[2010/03/21 11:52:53 | 000,001,839 | ---- | C] () -- C:\Users\Anna\Desktop\CCleaner.lnk
[2010/03/19 19:27:52 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/19 19:27:17 | 000,103,736 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2010/03/19 19:27:14 | 000,066,872 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2010/03/19 19:27:11 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini
[2010/03/19 19:05:05 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2010/02/28 19:34:01 | 000,000,584 | ---- | C] () -- C:\Users\Anna\Documents\grstyles.stl
[2010/02/13 16:05:41 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/12/04 19:19:37 | 000,000,403 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[1999/01/22 20:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL
< End of report >


OTL Extras logfile created on: 3/22/2010 8:49:39 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anna\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 30.03 Gb Free Space | 26.95% Space Free | Partition Type: NTFS
Drive D: | 104.90 Gb Total Space | 22.82 Gb Free Space | 21.76% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANNA-PC
Current User Name: Anna
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{00040407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{20533183-D42D-4261-A125-956736FBEA8C}" = Dawn of War - Soulstorm
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{45B78E92-FFB3-4A78-B0B5-2EA6B6E9B915}" = CambridgeSoft ChemDraw Pro 11.0
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1" = PDF24 Creator
"{863F58EF-467F-4BCC-A40B-D2304630DEA1}" = CambridgeSoft Activation Client
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}" = SWAT 4
"{90120000-00B2-0407-0000-0000000FF1CE}" = Microsoft – Speichern als PDF oder XPS – Add-In für 2007 Microsoft Office-Programme
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{99A37AC7-E724-4621-B167-500B5A52B69C}" = LastChaosGER
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2B3C27C-1F09-47C6-9A90-9683BEFD7963}" = Dawn of War - Soulstorm
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3 - Deutsch
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}" = Warhammer 40,000: Dawn Of War - Gold Edition
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"{FF39FC01-819B-42E4-AE49-1968AF12DDD4}" = Dawn of War - Dark Crusade
"ACDLabs in C__Program_Files_ACDFREE12_" = ACD/Labs Software in C:\Program Files\ACDFREE12\
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVDVideoSoft Toolbar" = DVDVideoSoft Toolbar
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.2
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"HijackThis" = HijackThis 2.0.2
"ICQToolbar" = ICQ Toolbar
"InstallShield_{45B78E92-FFB3-4A78-B0B5-2EA6B6E9B915}" = CambridgeSoft ChemDraw Pro 11.0
"InstallShield_{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}" = SWAT 4
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"SopCast" = SopCast 3.2.4
"Steam App 3730" = Aliens versus Predator Classic 2000
"Uninstall_is1" = Uninstall 1.0.0.1
"Warcraft III" = Warcraft III
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/19/2010 7:08:02 PM | Computer Name = Anna-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Steam.exe, version: 0.0.0.0, time stamp: 0x4b22b67a Faulting module name: SteamUI.dll, version: 0.0.0.0, time stamp: 0x4b7d926f Exception code: 0xc0000006 Fault offset: 0x001f1233 Faulting process id: 0x8a8 Faulting application start time: 0x01cac7a5461f5b80 Faulting application path: G:\Steam\Steam.exe Faulting module path: G:\Steam\SteamUI.dll Report Id: 43f5960a-33ac-11df-957f-00a0d1a91b4c

Error - 3/19/2010 7:08:02 PM | Computer Name = Anna-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Steam.exe because of this error. Program: Steam.exe File: The error value is listed in the Additional Data section. User Action 1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again. 2. If the file still cannot be accessed and - It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted. - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer. 3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER. 4. If the problem persists, restore the file from a backup copy. 5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance. Additional Data Error value: C0000098 Disk type: 0

Error - 3/19/2010 7:08:05 PM | Computer Name = Anna-PC | Source = Application Error | ID = 1000
Description = Faulting application name: SteamService.exe, version: 8.0.76.84, time stamp: 0x4b74a82a Faulting module name: SteamService.dll, version: 0.0.0.0, time stamp: 0x4b74a81e Exception code: 0xc0000006 Fault offset: 0x00011980 Faulting process id: 0x7f4 Faulting application start time: 0x01cac7a54a4e86bc Faulting application path: C:\Program Files\Common Files\Steam\SteamService.exe Faulting module path: G:\Steam\bin\SteamService.dll Report Id: 45b7fef2-33ac-11df-957f-00a0d1a91b4c

Error - 3/19/2010 7:08:05 PM | Computer Name = Anna-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Steam Client Service because of this error. Program: Steam Client Service File: The error value is listed in the Additional Data section. User Action 1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again. 2. If the file still cannot be accessed and - It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted. - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer. 3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER. 4. If the problem persists, restore the file from a backup copy. 5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance. Additional Data Error value: C0000098 Disk type: 0

Error - 3/20/2010 8:17:45 AM | Computer Name = Anna-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Steam.exe, version: 0.0.0.0, time stamp: 0x4b22b67a Faulting module name: Steam.dll, version: 2.0.816.923, time stamp: 0x4b8d7a09 Exception code: 0xc0000006 Fault offset: 0x001b5c78 Faulting process id: 0x83c Faulting application start time: 0x01cac7c72cde319d Faulting application path: G:\Steam\Steam.exe Faulting module path: G:\Steam\Steam.dll Report Id: 967d24ec-341a-11df-957f-00a0d1a91b4c

Error - 3/20/2010 8:17:45 AM | Computer Name = Anna-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Steam.exe because of this error. Program: Steam.exe File: The error value is listed in the Additional Data section. User Action 1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again. 2. If the file still cannot be accessed and - It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted. - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer. 3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER. 4. If the problem persists, restore the file from a backup copy. 5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance. Additional Data Error value: C000000E Disk type: 0

Error - 3/20/2010 8:17:46 AM | Computer Name = Anna-PC | Source = Application Error | ID = 1000
Description = Faulting application name: SteamService.exe, version: 8.0.76.84, time stamp: 0x4b74a82a Faulting module name: SteamService.dll, version: 0.0.0.0, time stamp: 0x4b74a81e Exception code: 0xc0000006 Fault offset: 0x00011980 Faulting process id: 0xd64 Faulting application start time: 0x01cac7c72e1ac8a1 Faulting application path: C:\Program Files\Common Files\Steam\SteamService.exe Faulting module path: G:\Steam\bin\SteamService.dll Report Id: 97119ee9-341a-11df-957f-00a0d1a91b4c

Error - 3/20/2010 8:17:46 AM | Computer Name = Anna-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Steam Client Service because of this error. Program: Steam Client Service File: The error value is listed in the Additional Data section. User Action 1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again. 2. If the file still cannot be accessed and - It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted. - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer. 3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER. 4. If the problem persists, restore the file from a backup copy. 5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance. Additional Data Error value: C000000E Disk type: 0

Error - 3/22/2010 1:40:13 PM | Computer Name = Anna-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.7600.16385 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: c5c Start Time: 01cac9e6872fa342 Termination Time: 16 Application Path: C:\Program Files\Internet Explorer\iexplore.exe Report Id:

Error - 3/22/2010 2:12:34 PM | Computer Name = Anna-PC | Source = EventSystem | ID = 4621
Description =

[ Media Center Events ]
Error - 1/27/2010 2:59:13 AM | Computer Name = Anna-PC | Source = MCUpdate | ID = 0
Description = 07:59:05 - Error connecting to the internet. 07:59:06 - Unable
to contact server..

Error - 3/14/2010 12:23:39 PM | Computer Name = Anna-PC | Source = MCUpdate | ID = 0
Description = 17:23:39 - Error connecting to the internet. 17:23:39 - Unable
to contact server..

Error - 3/14/2010 12:23:48 PM | Computer Name = Anna-PC | Source = MCUpdate | ID = 0
Description = 17:23:44 - Error connecting to the internet. 17:23:44 - Unable
to contact server..

[ System Events ]
Error - 3/22/2010 3:14:12 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:14:18 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:24:49 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:24:53 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:30:13 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:30:16 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:40:52 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:40:55 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:45:25 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/22/2010 3:46:46 PM | Computer Name = Anna-PC | Source = atikmdag | ID = 43029
Description = Display is not active


< End of report >

23.03.2010, 18:23   #9
StLB
/// Helper Team

Please run a rootkit scan with GMER.

Regards, Julian

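GMER writes its report as plain text with one finding per line, so the output can be ranked mechanically before anyone reads it by hand. The following Python script is an added example, not part of this thread and not GMER's own code: it parses a constructed excerpt written in the line formats GMER emits (hooks, IAT entries, device objects and GMER's own "?" verdicts) and flags the entries that indicate a driver the operating system cannot see. The regular expressions, the severity levels and the category names are this example's own assumptions about the report format, not anything GMER documents, and the sample lines are constructed for the example.

```python
"""Triage of a GMER rootkit-scan report (added example; not GMER's code).

GMER prints one finding per line, so the report can be ranked before it is
read by hand. Severity rules used here (the example's own assumptions):
  high   - '?' lines where GMER could not find or verify an image on disk
         - a process running out of a ...\\Temp\\ directory
         - kernel IAT hooks or device objects owned by a driver with no file
           on disk (it hooks the disk stack yet is hidden from the OS)
  medium - kernel IAT entries resolving to no module; user-mode JMP hooks
           into memory no named module backs (AV/EDR does this too: confirm)
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    category: str
    subject: str    # the path or driver the finding is about
    line: str       # the report line that produced it


# ? <path>[pid] <reason>                  GMER's own verification failures
UNVERIFIED_RE = re.compile(r"^\?\s+(?P<path>\S+?)(?:\[\d+\])?\s+(?P<reason>.+)$")
# IAT <victim>[<module!import>] [<addr>] <hooking image>
IAT_RESOLVED_RE = re.compile(
    r"^IAT\s+(?P<victim>\S+)\[(?P<imp>[^\]]+)\]\s+\[[0-9A-F]+\]\s+(?P<hooker>\S+)$")
# IAT <driver>[<module!import>] <value>   value resolves to no module
IAT_UNRESOLVED_RE = re.compile(r"^IAT\s+(?P<driver>\S+)\[(?P<imp>[^\]]+)\]\s+[0-9A-F]{8}$")
# .text <process>[pid] <module!func> <addr> <n> Bytes JMP <target> [<backing module>]
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[\d+\]\s+(?P<func>\S+!\S+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-F]+)(?P<backing>.*)$")
# Device \Driver\<object> \Device\<name> <image.sys>
DEVICE_RE = re.compile(r"^Device\s+\S+\s+\S+\s+(?P<image>\S+\.sys)\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(report_lines):
    """Return Findings for the report lines, high severity first."""
    lines = [ln.strip() for ln in report_lines if ln.strip()]
    findings, missing = [], set()   # missing: basenames GMER could not find on disk

    # Pass 1: GMER's own '?' verdicts. They also seed the hidden-image set so
    # that hooks and devices pointing at those images can be escalated below.
    for ln in lines:
        m = UNVERIFIED_RE.match(ln)
        if not m:
            continue
        path, reason = m.group("path"), m.group("reason")
        if "cannot find" in reason:
            missing.add(_basename(path))
            findings.append(Finding("high", "image-missing-on-disk", path, ln))
        else:
            findings.append(Finding("high", "image-mismatch", path, ln))
        if TEMP_DIR_RE.search(path):
            findings.append(Finding("high", "process-in-temp", path, ln))

    # Pass 2: hooks and device objects, escalated when they lead to a hidden image.
    for ln in lines:
        if (m := IAT_RESOLVED_RE.match(ln)):
            hooker = m.group("hooker")
            sev = "high" if _basename(hooker) in missing else "medium"
            findings.append(Finding(sev, "kernel-iat-hook", hooker, ln))
        elif (m := IAT_UNRESOLVED_RE.match(ln)):
            findings.append(Finding("medium", "kernel-iat-unresolved", m.group("driver"), ln))
        elif (m := USER_HOOK_RE.match(ln)) and not m.group("backing").strip():
            findings.append(Finding("medium", "user-inline-hook", m.group("proc"), ln))
        elif (m := DEVICE_RE.match(ln)) and _basename(m.group("image")) in missing:
            findings.append(Finding("high", "device-owned-by-missing-driver", m.group("image"), ln))

    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.category))


def hidden_drivers(report_lines):
    """Drivers that hook the kernel or own a device object but have no file on disk."""
    return sorted({_basename(f.subject) for f in triage(report_lines)
                   if f.severity == "high"
                   and f.category in ("kernel-iat-hook", "device-owned-by-missing-driver")})


# Constructed excerpt in GMER's line formats (sample input for this example, not a full report).
SAMPLE_REPORT = r"""
---- Kernel code sections - GMER 1.0.15 ----
? System32\Drivers\spfb.sys The system cannot find the path specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 76F25360 5 Bytes JMP 002D000A
? C:\Windows\TEMP\riog.tmp\svchost.exe[2628] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B0AE042] \SystemRoot\System32\Drivers\spfb.sys
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortNotification] 00147880
---- Devices - GMER 1.0.15 ----
Device \Driver\PCI_PNP4954 \Device\00000059 spfb.sys
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.severity:6} {f.category:32} {f.subject}")
    print("hidden drivers:", hidden_drivers(SAMPLE_REPORT))
```

Run it on a saved GMER log with `triage(open("gmer.log", errors="replace").read().splitlines())`. The "high" findings are the ones to act on: an IAT hook in the ATA stack whose target driver has no file on disk, a device object owned by that same driver, and a process started from a Temp directory with a mismatched PE image each point at something the system is not showing. Medium findings need confirmation first, because antivirus, sandbox and DRM components also install user-mode JMP hooks, and a driver with an unresolvable import table can be a broken or packed legitimate driver as well as a malicious one.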

23.03.2010, 19:02   #10
annaswelten

So, here is what I have now:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-03-23 19:00:46
Windows 6.1.7600
Running: cgcd6oer.exe; Driver: C:\Users\Anna\AppData\Local\Temp\kgtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT 8ED40964 ZwCreateThread
SSDT 8ED40950 ZwOpenProcess
SSDT 8ED40955 ZwOpenThread
SSDT 8ED4095F ZwTerminateProcess

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E333F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E331DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E336F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E33F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E341A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82A4C5C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A71052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 37C 82A7897C 4 Bytes [64, 09, D4, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 518 82A78B18 4 Bytes [50, 09, D4, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 538 82A78B38 4 Bytes [55, 09, D4, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 7E8 82A78DE8 4 Bytes [5F, 09, D4, 8E]
? System32\Drivers\spfb.sys The system cannot find the path specified. !
PAGE ataport.SYS!DllUnload + 1 8B38AAD7 2 Bytes JMP 853781D9
PAGE ataport.SYS!DllUnload + 4 8B38AADA 1 Byte [F9]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90E27000, 0x2D5378, 0xE8000020]
.text USBPORT.SYS!DllUnload 91A50CA0 5 Bytes JMP 8661D4E0
.text am1q0gcd.SYS 93C4D00D 9 Bytes [C7, E1, 82, 48, EB, E1, 82, ...]
.text am1q0gcd.SYS 93C4D017 20 Bytes [00, DE, A7, 1A, 8B, E6, A5, ...]
.text am1q0gcd.SYS 93C4D02C 77 Bytes [00, 00, 00, 00, 00, 72, A4, ...]
.text am1q0gcd.SYS 93C4D07A 19 Bytes [B2, 82, FB, 54, A2, 82, 23, ...]
.text am1q0gcd.SYS 93C4D08E 51 Bytes [A7, 82, CC, 00, A5, 82, 78, ...]
.text ...
.text peauth.sys 9929BC9D 28 Bytes [5E, 06, 66, D2, E4, DD, 1F, ...]
.text peauth.sys 9929BCC1 28 Bytes [5E, 06, 66, D2, E4, DD, 1F, ...]
PAGE peauth.sys 992A1B9B 72 Bytes [27, EF, 65, 90, D5, 69, 8A, ...]
PAGE peauth.sys 992A1BEC 111 Bytes [10, DC, E7, 3E, 7D, 74, ED, ...]
PAGE peauth.sys 992A1E20 101 Bytes [66, AF, C1, 74, 48, 77, 6A, ...]
PAGE ...
.text iertutil.dll!ResetIEExtensibility + FFF4F9A7 76A8FA00 493 Bytes [00, 00, 00, 00, FF, FF, FF, ...]
.text iertutil.dll!ResetIEExtensibility + FFF4FB95 76A8FBEE 759 Bytes [00, 00, 01, 00, 00, 00, 01, ...]
.text iertutil.dll!ResetIEExtensibility + FFF4FE8D 76A8FEE6 333 Bytes [FF, FF, FF, 00, 00, 00, 00, ...]
.text iertutil.dll!ResetIEExtensibility + FFF4FFDB 76A90034 872 Bytes [01, 00, 00, 00, EC, 1E, 97, ...]
.text iertutil.dll!ResetIEExtensibility + FFF50344 76A9039D 42 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 76F25360 5 Bytes JMP 002D000A
.text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtWriteVirtualMemory 76F25EE0 5 Bytes JMP 002E000A
.text C:\Windows\system32\svchost.exe[996] ntdll.dll!KiUserExceptionDispatcher 76F26448 5 Bytes JMP 0020000A
.text C:\Windows\system32\svchost.exe[996] ole32.dll!CoCreateInstance 762957FC 5 Bytes JMP 0035000A
.text C:\Windows\system32\svchost.exe[996] USER32.dll!GetCursorPos 76CDC198 5 Bytes JMP 0036000A
? C:\Windows\TEMP\riog.tmp\svchost.exe[2628] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
.text C:\Windows\Explorer.EXE[5456] ntdll.dll!NtProtectVirtualMemory 76F25360 5 Bytes JMP 0079000A
.text C:\Windows\Explorer.EXE[5456] ntdll.dll!NtWriteVirtualMemory 76F25EE0 5 Bytes JMP 007A000A
.text C:\Windows\Explorer.EXE[5456] ntdll.dll!KiUserExceptionDispatcher 76F26448 5 Bytes JMP 0025000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B0AE042] \SystemRoot\System32\Drivers\spfb.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B0AE6D6] \SystemRoot\System32\Drivers\spfb.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8B0AE800] \SystemRoot\System32\Drivers\spfb.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8B0AE13E] \SystemRoot\System32\Drivers\spfb.sys
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\am1q0gcd.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetTextColor] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!BitBlt] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteObject] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetTextMetricsW] 00010000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!CreateCompatibleDC] 0000000A
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetDeviceCaps] 80000018
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkColor] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetObjectW] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkMode] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetTextColor] 00010000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetStockObject] 0000223A
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetStockObject] 80000030
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SelectObject] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SelectObject] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkMode] 00010000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteObject] 00000409
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetObjectW] 00000048
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!MoveToEx] 00006060
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteDC] 00001C00
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!CreateCompatibleDC] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!PatBlt] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetBkMode] 00905A4D
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!MoveToEx] 00000003
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!SetTextColor] 00000004
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!PatBlt] 0000FFFF
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!PatBlt] 000000B8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!LineTo] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!GetObjectW] 00000040
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [GDI32.DLL!DeleteDC] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleHandleW] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentThreadId] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!SetEvent] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!VirtualAlloc] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentProcessId] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleFileNameA] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!SetUnhandledExceptionFilter] 000000C8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCommandLineA] 0EBA1F0E
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleHandleA] CD09B400
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!FormatMessageW] 4C01B821
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!MultiByteToWideChar] 685421CD
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!WaitForSingleObject] 70207369
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetModuleFileNameA] 72676F72
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentThreadId] 63206D61
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!SetUnhandledExceptionFilter] 6F6E6E61
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!VirtualAlloc] 65622074
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCommandLineA] 6E757220
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!QueryPerformanceCounter] 206E6920
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!FormatMessageW] 20534F44
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentProcessId] 65646F6D
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetTickCount] 0A0D0D2E
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetProcessHeap] 00000024
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [KERNEL32.DLL!GetCurrentProcessId] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!LoadIconW] 2C56ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 2C56ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!LoadIconW] 2C56ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ReleaseDC] 2C0BA30B
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetSystemMetrics] 2C56ACC5
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SetTimer] 2C57ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetMessageW] 2C56ACEE
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 2C386AEF
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 2C56ACC9
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SendMessageW] 2C2E6AEF
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SetTimer] 2C56ACC9
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!PostMessageW] 68636952
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDC] 2C56ACC8
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ShowWindow] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SendMessageW] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!CreateWindowExW] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!SetSystemMenu] 00004550
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetMessageW] 0003014C
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 4BA36135
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDlgItem] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ReleaseDC] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!ShowWindow] 210200E0
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 0008010B
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!PostMessageW] 00001600
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDC] 00000400
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetSystemMetrics] 00000000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetWindowRect] 00002323
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetDlgItem] 00001000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!GetMessageW] 00003000
IAT C:\Windows\TEMP\riog.tmp\svchost.exe[2628] @ C:\Windows\TEMP\riog.tmp\svchost.exe [USER32.DLL!DestroyWindow] 10000000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8537F1F8
Device \Driver\volmgr \Device\VolMgrControl 8537A1F8
Device \Driver\usbuhci \Device\USBPDO-0 8661F4D8
Device \Driver\usbuhci \Device\USBPDO-1 8661F4D8
Device \Driver\usbehci \Device\USBPDO-2 86134500
Device \Driver\usbuhci \Device\USBPDO-3 8661F4D8
Device \Driver\usbuhci \Device\USBPDO-4 8661F4D8
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-5 8661F4D8
Device \Driver\usbehci \Device\USBPDO-6 86134500
Device \Driver\volmgr \Device\HarddiskVolume1 8537A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 8537A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 864751F8
Device \Driver\PCI_PNP4954 \Device\00000059 spfb.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{24324C87-9CDC-4711-B98D-0BF68DC6F68C} 8658F1F8
Device \Driver\volmgr \Device\HarddiskVolume3 8537A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 864751F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort0 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort1 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort2 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort3 8537C1F8
Device \Driver\atapi \Device\Ide\IdePort4 8537C1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 8537D1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel1 8537D1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel2 8537D1F8
Device \Driver\volmgr \Device\HarddiskVolume4 8537A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBt_Wins_Export 8658F1F8
Device \Driver\usbuhci \Device\USBFDO-0 8661F4D8
Device \Driver\usbuhci \Device\USBFDO-1 8661F4D8
Device \Driver\usbehci \Device\USBFDO-2 86134500
Device \Driver\usbuhci \Device\USBFDO-3 8661F4D8
Device \Driver\sptd \Device\592010956 spfb.sys
Device \Driver\usbuhci \Device\USBFDO-4 8661F4D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{15E17943-BAB4-4B09-AAFF-DF2D183D862B} 8658F1F8
Device \Driver\usbuhci \Device\USBFDO-5 8661F4D8
Device \Driver\usbehci \Device\USBFDO-6 86134500
Device \Driver\am1q0gcd \Device\Scsi\am1q0gcd1Port5Path0Target0Lun0 866691F8
Device \Driver\am1q0gcd \Device\Scsi\am1q0gcd1 866691F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 86151CA1

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f1c50b
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0x87 0xE4 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x29 0x60 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7A 0x40 0xF0 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f1c50b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD2 0x33 0xE1 0xB1 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x29 0x60 0x18 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7A 0x40 0xF0 0xD8 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
