
Pests of all kinds and how to fight them: MSN Live Messenger sends messages & blocks system


14.04.2010, 13:41   #1
hugo7
 

Hello everyone.

I've recently had a small problem with MSN Live Messenger. I suspect that it is acting on its own and sending messages to my online contacts. I only notice this because the system stops responding for 10-15 seconds (neither to the mouse nor the keyboard), and recently I saw MSN windows that closed again very quickly. So I can't tell what is being sent, or to whom.

I'm using Win XP Service Pack 3. Antivirus: NOD32.

I've already looked around the web a bit & tried the following: hxxp://www.techsupportforum.com/security-center/virus-trojan-spyware-help/hijackthis-log-help-inactive/244264-msn-messenger-send-automatically-trojan-files-my-contacts.html

I carried out all the steps up to the point with OTMoveIt2.exe. I could not find this file under the given link, and when I googled it, I found out that this file itself is supposed to be malware. After that I didn't go any further.

MSNCleaner reported that everything is clean.
Here are the results from RSIT:

log.txt:
Logfile of random's system information tool 1.06 (written by random/random)
Run by *** at 2010-04-14 14:18:48
Microsoft Windows XP Professional Service Pack 3
System drive C: has 781 MB (5%) free of 16 GB
Total RAM: 767 MB (25% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19:37, on 14.04.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PoivY.com\PoivY\PoivY.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\***\LOCALS~1\Temp\svchots.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\pdf_viewer\PDF Viewer\PDFXCview.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\***\Local Settings\Application Data\Opera\Opera\temporary_downloads\RSIT.exe
C:\Program Files\trend micro\***.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 84.113.211.15 CASA
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Windows Services] svchots.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows Update] C:\DOCUME~1\***\LOCALS~1\Temp\service.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/InstFred.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday-Steuerung) - file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/AcDcToday.ocx
O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview-Steuerung) - file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C3CB812-B3F1-4AB6-A8BA-F9065C7607BB}: NameServer = 195.34.133.21,195.34.133.22
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe

--
End of file - 7544 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Anmelde-Hilfsprogramm - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2006-03-10 35328]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-07-22 81920]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-11 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-09-29 2054360]
"Windows Services"=svchots.exe []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2010-03-29 437584]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Messenger (Yahoo!)"=C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2008-09-19 4347120]
"PoivY"=C:\Program Files\PoivY.com\PoivY\PoivY.exe [2010-02-10 9189152]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-09-29 21755688]
"Windows Update"=C:\DOCUME~1\***\LOCALS~1\Temp\service.exe []
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe [2009-06-15 9017648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Distillr\acrotray.exe [2003-05-15 217193]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader - Schnellstart.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\PoivY.com\PoivY\poivy.exe"="C:\Program Files\PoivY.com\PoivY\poivy.exe:*:Enabled:PoivY"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.scr - open - C:\WINDOWS\NOTEPAD.EXE "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2010-04-14 14:18:56 ----D---- C:\Program Files\trend micro
2010-04-14 14:18:48 ----D---- C:\rsit
2010-04-14 14:15:42 ----D---- C:\Documents and Settings\***\Application Data\Malwarebytes
2010-04-14 14:14:44 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-04-14 14:14:39 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-14 13:27:25 ----D---- C:\MSNCleaner
2010-04-14 13:24:52 ----A---- C:\WINDOWS\ntbtlog.txt
2010-04-06 03:44:41 ----A---- C:\WINDOWS\servnt.exe
2010-04-05 16:16:27 ----D---- C:\Program Files\pdf_viewer
2010-03-25 02:23:07 ----D---- C:\Program Files\ESET
2010-03-25 02:23:06 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2010-03-17 13:16:23 ----A---- C:\WINDOWS\imsins.BAK
2010-03-17 13:15:06 ----HDC---- C:\WINDOWS\$NtUninstallKB971029$
2010-03-17 13:00:30 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-17 12:32:16 ----D---- C:\Program Files\Enigma Software Group

======List of files/folders modified in the last 1 months======

2010-04-14 14:18:59 ----D---- C:\WINDOWS\Temp
2010-04-14 14:18:56 ----D---- C:\Program Files
2010-04-14 14:18:48 ----D---- C:\WINDOWS\Prefetch
2010-04-14 14:14:52 ----D---- C:\WINDOWS\system32\drivers
2010-04-14 14:11:04 ----D---- C:\Program Files\CCleaner
2010-04-14 13:34:29 ----D---- C:\Documents and Settings\***\Application Data\Skype
2010-04-14 13:25:26 ----D---- C:\Documents and Settings
2010-04-14 13:24:52 ----D---- C:\WINDOWS
2010-04-14 13:23:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-14 13:20:30 ----SHD---- C:\System Volume Information
2010-04-14 13:20:30 ----D---- C:\WINDOWS\system32\Restore
2010-04-14 11:48:03 ----D---- C:\Documents and Settings\***\Application Data\skypePM
2010-04-14 00:00:12 ----D---- C:\WINDOWS\system32
2010-04-14 00:00:12 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-14 00:00:04 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-13 22:04:44 ----SHD---- C:\RECYCLER
2010-04-12 16:57:51 ----A---- C:\WINDOWS\hpbafd.ini
2010-04-12 16:53:50 ----D---- C:\Documents and Settings\***\Application Data\U3
2010-04-06 21:10:15 ----D---- C:\Documents and Settings\***\Application Data\TeamViewer
2010-04-05 16:47:42 ----SHD---- C:\WINDOWS\Installer
2010-04-03 01:55:59 ----D---- C:\Documents and Settings\***\Application Data\AdobeUM
2010-03-30 02:07:37 ----D---- C:\Program Files\7-Zip
2010-03-29 09:00:27 ----D---- C:\Program Files\Cannon Smash
2010-03-29 08:57:49 ----D---- C:\Program Files\Panda Security
2010-03-29 08:57:46 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-03-29 08:56:21 ----D---- C:\Program Files\Common Files
2010-03-29 08:53:55 ----D---- C:\Program Files\Common Files\Wextech Shared
2010-03-28 12:40:49 ----D---- C:\Program Files\Opera
2010-03-26 19:43:12 ----AC---- C:\Documents and Settings\All Users\Application Data\xml18.tmp
2010-03-26 19:43:12 ----AC---- C:\Documents and Settings\All Users\Application Data\xml17.tmp
2010-03-26 19:43:12 ----AC---- C:\Documents and Settings\All Users\Application Data\xml16.tmp
2010-03-25 02:23:54 ----HD---- C:\WINDOWS\inf
2010-03-17 20:26:23 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-03-17 13:16:09 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-17 13:11:59 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-17 13:05:37 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-14 37760]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-09-29 108792]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-09-29 96408]
R2 CdaC15BA;CdaC15BA; \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS []
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-09-29 116008]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-07-26 3644032]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 qcusbmdm6k;WP-S1 Proprietary USB Driver; C:\WINDOWS\system32\DRIVERS\qcusbmdm6k.sys [2007-10-03 65024]
R3 qcusbnmea;WP-S1 NMEA Port; C:\WINDOWS\system32\DRIVERS\qcusbnmea.sys [2007-10-03 65024]
R3 qcusbpcsync;WP-S1 PCSYNC Port; C:\WINDOWS\system32\DRIVERS\qcusbpcsync.sys [2007-10-03 65024]
R3 qcusbser6k;WP-S1 Diagnostic Port; C:\WINDOWS\system32\DRIVERS\qcusbser6k.sys [2007-10-03 65024]
R3 teamviewervpn;TeamViewer VPN Adapter; C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys [2008-01-25 25088]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys []
S1 InCDRm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys []
S3 abwnab9c;abwnab9c; C:\WINDOWS\system32\drivers\abwnab9c.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 DCamUSBNW802;Mustek Wcam 300; C:\WINDOWS\system32\DRIVERS\pcam.sys [2001-07-24 265904]
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-14 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\WNt500x86\Sandra.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 InCDFs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 C-DillaCdaC11BA;C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [2010-01-19 54784]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-29 735960]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-04-22 98488]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod-Dienst; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-20 133104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-09-29 20680]

-----------------EOF-----------------

info.txt:
info.txt logfile of random's system information tool 1.06 2010-04-14 14:19:48

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->MsiExec.exe /X{41E654A9-26D0-4EAC-854B-0FA824FFFABB}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 6.0 Professional-->MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A70000000000}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
AutoCAD 2004-->MsiExec.exe /I{5783F2D7-0201-040A-0002-0060B0CE6BBA}
AutoCAD Express Tools Volumes 1-9-->MsiExec.exe /X{5783F2D7-0211-0409-0000-0060B0CE6BBA}
Autodesk Express Viewer-->C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
DAEMON Tools-->MsiExec.exe /I{83895843-3A51-4C93-9DF3-2BDB65C7E54A}
FastStone Capture 5.3-->C:\Program Files\FastStone Capture\uninst.exe
Free Video Flip and Rotate version 1.5-->"C:\Program Files\DVDVideoSoft\Free Video Flip and Rotate\unins000.exe"
Free YouTube to Mp3 Converter version 3.2-->"C:\Program Files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
FreeCommander 2008.06-->"C:\Program Files\FreeCommander\unins000.exe"
FreeUndelete-->C:\Program Files\FreeUndelete\GLF205.exe /handle:fru
Google Earth-->MsiExec.exe /X{2EAF7E61-068E-11DF-953C-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
hp deskjet 970c series (nur entfernen)-->C:\Program Files\hp deskjet 970c series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=970c -huninstall
HP LaserJet 1200 Deinstallationsprogramm-->C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\1200\EnvSetup.exe uninst12.ini
ImTOO 3GP Video Converter-->C:\Program Files\ImTOO\3GP Video Converter\Uninstall.exe
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Media Converter SA Edition 0.8-->C:\Program Files\Media Converter SA Edition\uninst.exe
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 97, Professional Edition-->C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MusicBrainz Tagger 0.10.5-->C:\PROGRA~1\MUSICB~1\UNWISE.EXE C:\PROGRA~1\MUSICB~1\INSTALL.LOG
Mustek Wcam 300-->C:\WINDOWS\pcamrm.exe
Nero 7 Demo-->MsiExec.exe /I{C93369CB-B4E9-E095-9289-E6B5AE941031}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenAL-->"C:\Program Files\OpenAL\oalinst.exe" /U
OpenOffice.org 3.0-->MsiExec.exe /I{7EC19307-7C22-47A8-922B-3FA965291260}
Opera 10.51-->MsiExec.exe /X{05ADEEC8-BD58-43D9-A9E3-1F53B0DA117A}
Passware Kit 6.1-->C:\PROGRA~1\Passware\UNWISE.EXE /U C:\PROGRA~1\Passware\kit.log
PDF-Viewer-->"C:\Program Files\pdf_viewer\PDF Viewer\unins000.exe"
Pinnacle VideoSpin-->MsiExec.exe /I{FEB15887-0932-4D2D-BB85-6AC03FBF1AA8}
PoivY-->"C:\Program Files\PoivY.com\PoivY\unins000.exe"
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Real Alternative 1.9.0 Lite-->"C:\Program Files\Real Alternative\unins000.exe"
RuckZuck 4.0-->C:\WINDOWS\IsUn0407.exe -f"C:\Program Files\Mursoft\RuckZuck\Uninst.isu"
SafeCast Shared Components-->C:\Program Files\Common Files\Macrovision Shared\SafeCast\Install\CDAC13BA.EXE /uninstall
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB976325)-->"C:\WINDOWS\ie7updates\KB976325-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SiSoftware Sandra Lite XII.SP2c-->"C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\unins000.exe"
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Table Tennis Pro V2 Lite (V2.32)-->"C:\Program Files\Table Tennis Pro V2 Lite\unins000.exe"
TeamViewer 4-->C:\Program Files\TeamViewer\Version4\uninstall.exe
TextPad 5-->MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB971029)-->"C:\WINDOWS\$NtUninstallKB971029$\spuninst\spuninst.exe"
VDownloader 0.83-->"C:\Program Files\VDOWNLOADER\unins000.exe"
VIA Rhine-Family Fast Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VideoLAN VLC media player 0.8.5-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VoipBuster-->"C:\Program Files\VoipBuster.com\VoipBuster\unins000.exe"
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live Anmelde-Assistent-->MsiExec.exe /I{52B97218-98CB-4B8B-9283-D213C85E1AA4}
Windows Live Call-->MsiExec.exe /I{5FC68772-6D56-41C6-9DF1-24E868198AE6}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}
Windows Live-Uploadtool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR Archivierer-->C:\Program Files\WinRAR\uninstall.exe
WP-S1 PCSync-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF67CB0E-6E9A-49AA-805E-D7ABD15E4FCA}\setup.exe" -l0x7 -removeonly
XP Codec Pack-->C:\Program Files\XP Codec Pack\Uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Hosts File======

**.***.211.** CASA

======Security center information======

AV: ESET NOD32 Antivirus 4.0

======System event log======

Computer Name: CASA
Event Code: 256
Message: Timed out sending notification of device interface change to window of "SAS window"

Record Number: 24219
Source Name: PlugPlayManager
Time Written: 20100217144843.000000+060
Event Type: warning
User:

Computer Name: CASA
Event Code: 256
Message: Timed out sending notification of device interface change to window of "SAS window"

Record Number: 24218
Source Name: PlugPlayManager
Time Written: 20100217144843.000000+060
Event Type: warning
User:

Computer Name: CASA
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Record Number: 24198
Source Name: DCOM
Time Written: 20100217121545.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: CASA
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Record Number: 24192
Source Name: DCOM
Time Written: 20100217121535.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: CASA
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Record Number: 24188
Source Name: DCOM
Time Written: 20100216203100.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: CASA
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 46
Source Name: Userenv
Time Written: 20100406050312.000000+120
Event Type: warning
User: C***\*****

Computer Name: C****
Event Code: 1001
Message: Detection of product '{AC76BA86-7AD7-1031-7B44-A70000000000}', feature 'ReaderProgramFiles' failed during request for component '{E51A3464-94A9-4D6F-AB6A-EBB645DAA5E4}'

Record Number: 41
Source Name: MsiInstaller
Time Written: 20100405164712.000000+120
Event Type: warning
User: C****\*****

Computer Name: C***
Event Code: 1004
Message: Detection of product '{AC76BA86-7AD7-1031-7B44-A70000000000}', feature 'ReaderProgramFiles', component '{1C2E4392-FAC6-4697-99D0-9196DC75B681}' failed. The resource 'C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\' does not exist.

Record Number: 40
Source Name: MsiInstaller
Time Written: 20100405164712.000000+120
Event Type: warning
User: C***\****

Computer Name: C***
Event Code: 1024
Message: Product: Adobe Acrobat 6.0.1 Professional - Update '{B6F867E8-F092-4C5E-ACA0-F30547DC3874}' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: hxxp://go.microsoft.com/fwlink/?LinkId=23127

Record Number: 11
Source Name: MsiInstaller
Time Written: 20100402004840.000000+120
Event Type: error
User: C***\***

Computer Name: C***
Event Code: 11706
Message: Product: Adobe Acrobat 6.0.1 Professional -- Error 1706.No valid source could be found for product Adobe Acrobat 6.0.1 Professional. The Windows Installer cannot continue.

Record Number: 10
Source Name: MsiInstaller
Time Written: 20100402004837.000000+120
Event Type: error
User: C***\****

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Pinnacle\Shared Files\;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=0801
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SAN_DIR"=C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
mbam log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Datenbank Version: 3986

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

14.04.2010 14:31:32
mbam-log-2010-04-14 (14-31-32).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 115791
Laufzeit: 11 Minute(n), 50 Sekunde(n)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 4
Infizierte Verzeichnisse: 0
Infizierte Dateien: 5

Infizierte Speicherprozesse:
C:\Documents and Settings\***\Local Settings\Temp\svchots.exe (Malware.Mod) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update (Backdoor.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows services (Backdoor.Bot) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-9180908332-8809903437-961132346-5512\xpupdate.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.


Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Documents and Settings\****\Local Settings\Temp\svchots.exe (Malware.Mod) -> Quarantined and deleted successfully.
C:\Documents and Settings\****\Local Settings\Temp\systems.exe (Malware.Mod) -> Quarantined and deleted successfully.
C:\Documents and Settings\****\Local Settings\Temp\462.exe (Malware.Mod) -> Quarantined and deleted successfully.
C:\Documents and Settings\****\Local Settings\Temp\wlcom.exe (Malware.Mod) -> Quarantined and deleted successfully.
C:\Documents and Settings\****\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.


Also ran CCleaner. How do I get this completely off my system now?

Regards, hugo

14.04.2010, 14:48   #2
Franz1968
/// Helper Team
 



Hi and

1.) Go to VirusTotal and have the following file scanned there (make it visible first if necessary). Afterwards, post the link to the results page:
Code:
c:\windows\servnt.exe

If you get a message that the file has already been checked, have it checked again.

2.) What is PoivY? Did you want it and install it yourself? If so, did you get it from the vendor's site?

3.) System scan with OTL

Please download OTL by OldTimer and save it to your desktop (if you don't already have it)
  • Double-click OTL.exe
  • Vista users: right-click OTL.exe and choose "Run as administrator"
  • At the top you will find a box labelled Output. Please select Minimal Output
  • Under Extra Registry, please select Use SafeList
  • Now click Run Scan at the top left
  • When the scan has finished, 2 log files are created
  • Post the log files here in the thread.

4.) Post a log file from GMER

15.04.2010, 00:12   #3
hugo7
 



Hello, thanks for the quick reply.
Re 1.) hxxp://www.virustotal.com/de/analisis/e64c0094b5a0e2f214fef0ed2bcddf8ffe70e84435abbd99754c9a7ea40e72b7-1271278657

Should I delete the file?

Re 2.) Did I want PoivY? Yes, it is freeware, obtained from the vendor's site. Never had any problems with it. It is used for phone calls and chatting.

Re 3.) OTL logfile created on: 14.04.2010 23:04:06 - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\***\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C07 | Country: Austria | Language: DEA | Date Format: dd.MM.yyyy

767,00 Mb Total Physical Memory | 177,00 Mb Available Physical Memory | 23,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 48,00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15,93 Gb Total Space | 1,03 Gb Free Space | 6,49% Space Free | Partition Type: NTFS
Drive D: | 58,59 Gb Total Space | 0,19 Gb Free Space | 0,33% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: **
Current User Name: ***
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.04.14 23:03:24 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe
PRC - [2010.03.18 01:43:38 | 000,835,952 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2010.03.15 12:13:42 | 009,679,128 | ---- | M] (Tracker Software Products Ltd.) -- C:\Program Files\pdf_viewer\PDF Viewer\PDFXCview.exe
PRC - [2010.02.10 18:33:56 | 009,189,152 | ---- | M] (PoivY) -- C:\Program Files\PoivY.com\PoivY\poivy.exe
PRC - [2010.01.19 23:55:43 | 000,054,784 | ---- | M] (Macrovision) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE
PRC - [2009.09.29 14:03:46 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009.09.29 14:02:52 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009.07.25 05:23:22 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009.02.06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008.04.22 19:23:02 | 000,098,488 | ---- | M] (SiSoftware) -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
PRC - [2008.04.14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006.03.10 19:45:12 | 000,035,328 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2005.07.22 15:00:10 | 000,081,920 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2010.04.14 23:03:24 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010.01.19 23:55:43 | 000,054,784 | ---- | M] (Macrovision) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2009.09.29 14:11:10 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009.09.29 14:03:46 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2008.04.22 19:23:02 | 000,098,488 | ---- | M] (SiSoftware) [Auto | Running] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe -- (SandraAgentSrv)


========== Driver Services (SafeList) ==========

DRV - [2010.01.19 23:55:44 | 000,012,464 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC15BA.SYS -- (CdaC15BA)
DRV - [2009.09.29 14:05:54 | 000,096,408 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009.09.29 14:02:58 | 000,108,792 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009.09.29 13:56:32 | 000,116,008 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008.11.10 11:58:55 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008.04.14 01:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2008.04.14 01:10:28 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008.04.14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008.03.10 20:30:36 | 000,021,408 | ---- | M] (SiSoftware) [Kernel | On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\WNt500x86\sandra.sys -- (SANDRA)
DRV - [2008.01.25 11:12:34 | 000,025,088 | ---- | M] (TeamViewer GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teamviewervpn.sys -- (teamviewervpn)
DRV - [2007.10.03 06:30:32 | 000,065,024 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcusbser6k.sys -- (qcusbser6k)
DRV - [2007.10.03 06:30:32 | 000,065,024 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcusbpcsync.sys -- (qcusbpcsync)
DRV - [2007.10.03 06:30:32 | 000,065,024 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcusbnmea.sys -- (qcusbnmea)
DRV - [2007.10.03 06:30:32 | 000,065,024 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcusbmdm6k.sys -- (qcusbmdm6k)
DRV - [2006.10.22 12:22:00 | 003,994,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005.07.26 17:03:22 | 003,644,032 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003.12.27 20:42:12 | 000,137,216 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\d344bus.sys -- (d344bus)
DRV - [2003.12.27 02:38:10 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\d344prt.sys -- (d344prt)
DRV - [2003.07.02 05:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2001.08.17 16:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001.07.24 20:50:00 | 000,265,904 | ---- | M] (Divio Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pcam.sys -- (DCamUSBNW802)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.at/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========


FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010.03.25 02:23:10 | 000,000,000 | ---D | M]

[2008.12.08 16:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Mozilla\Extensions
[2008.12.08 16:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Mozilla\Firefox\Profiles\pk6rhjz4.default\extensions

O1 HOSTS File: ([2010.03.29 02:58:33 | 000,000,752 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ***.***.211.*** **
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-5736-4205-0008-F7ED0776FB27} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [PoivY] C:\Program Files\PoivY.com\PoivY\PoivY.exe (PoivY)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Save YouTube Video as MP3 - C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll (DVSTeam)
O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/InstFred.ocx (InstaFred)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/AcDcToday.ocx (AcDcToday-Steuerung)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/InstBanr.ocx (NOXLATE-BANR)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/AcPreview.ocx (AcPreview-Steuerung)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.186.211.21 195.34.133.21
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008.10.05 15:29:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.04.14 23:04:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Desktop\gmer
[2010.04.14 23:03:15 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe
[2010.04.14 14:18:56 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010.04.14 14:18:48 | 000,000,000 | ---D | C] -- C:\rsit
[2010.04.14 14:15:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Application Data\Malwarebytes
[2010.04.14 14:14:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.04.14 14:14:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.04.14 14:14:43 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.04.14 14:14:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.04.14 14:13:41 | 005,918,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\***\Desktop\mbam-setup-1.45.exe
[2010.04.14 13:27:25 | 000,000,000 | ---D | C] -- C:\MSNCleaner
[2010.04.14 13:21:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Desktop\MsnCleaner
[2010.04.14 00:06:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\My Documents\Meine empfangenen Dateien
[2010.04.13 23:52:48 | 001,167,688 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\***\Desktop\wlsetup-custom.exe
[2010.04.06 00:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Desktop\2010-04-05 lakun
[2010.04.05 16:16:27 | 000,000,000 | ---D | C] -- C:\Program Files\pdf_viewer
[2010.03.26 04:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2010.03.25 03:52:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Local Settings\Application Data\ESET
[2010.03.25 02:23:07 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010.03.25 02:23:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010.03.17 13:11:27 | 000,135,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shsvcs.dll
[2010.03.17 13:11:21 | 008,461,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2010.03.17 13:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010.03.17 12:32:16 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010.01.13 17:17:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
[2009.07.20 11:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009.07.20 11:21:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009.06.13 15:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009.06.13 15:18:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2008.10.07 13:31:16 | 000,137,216 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d344bus.sys
[2008.10.07 13:31:16 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d344prt.sys
[2008.10.05 15:34:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008.10.05 15:33:53 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008.10.05 15:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004.11.24 20:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.04.14 23:03:24 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe
[2010.04.14 23:02:54 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\***\Desktop\gmer.zip
[2010.04.14 22:41:00 | 000,001,096 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.04.14 21:41:00 | 000,001,092 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.04.14 16:58:22 | 000,002,259 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010.04.14 15:05:27 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010.04.14 15:04:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.04.14 15:04:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.04.14 15:04:18 | 804,835,328 | -HS- | M] () -- C:\hiberfil.sys
[2010.04.14 14:52:35 | 007,340,032 | -H-- | M] () -- C:\Documents and Settings\***\NTUSER.DAT
[2010.04.14 14:52:35 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\***\ntuser.ini
[2010.04.14 14:14:59 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.14 14:14:05 | 005,918,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\***\Desktop\mbam-setup-1.45.exe
[2010.04.14 14:11:07 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\***\Desktop\CCleaner.lnk
[2010.04.14 13:54:17 | 000,011,624 | ---- | M] () -- C:\Documents and Settings\***\Desktop\bestätigung.odt
[2010.04.14 13:36:13 | 000,000,054 | ---- | M] () -- C:\Documents and Settings\***\Desktop\delete.bat
[2010.04.14 01:31:43 | 000,229,392 | ---- | M] () -- C:\WINDOWS\servnt.exe
[2010.04.14 00:00:12 | 000,457,306 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.04.14 00:00:12 | 000,392,296 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.04.14 00:00:12 | 000,058,596 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.04.13 23:52:49 | 001,167,688 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\***\Desktop\wlsetup-custom.exe
[2010.04.13 14:47:46 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\***\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.04.13 14:25:59 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010.04.12 16:57:51 | 000,000,338 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2010.04.12 13:04:50 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.04.05 16:47:32 | 000,001,757 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk
[2010.04.04 22:31:43 | 000,245,558 | ---- | M] () -- C:\Documents and Settings\***\Desktop\emtipps-report-2009.pdf
[2010.04.04 22:25:15 | 000,268,235 | ---- | M] () -- C:\Documents and Settings\***\Desktop\em-tipps-garten.pdf
[2010.03.29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.03.29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.03.29 08:09:14 | 000,035,272 | ---- | M] () -- C:\WINDOWS\***.acl
[2010.03.18 23:10:03 | 000,279,858 | ---- | M] () -- C:\Documents and Settings\***\Desktop\EM-Bericht_Tanzania.pdf
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.04.14 23:02:53 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\***\Desktop\gmer.zip
[2010.04.14 14:14:59 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.14 13:51:45 | 000,011,624 | ---- | C] () -- C:\Documents and Settings\***\Desktop\bestätigung.odt
[2010.04.14 13:36:13 | 000,000,054 | ---- | C] () -- C:\Documents and Settings\***\Desktop\delete.bat
[2010.04.14 13:30:06 | 804,835,328 | -HS- | C] () -- C:\hiberfil.sys
[2010.04.06 03:44:41 | 000,229,392 | ---- | C] () -- C:\WINDOWS\servnt.exe
[2010.04.04 22:31:43 | 000,245,558 | ---- | C] () -- C:\Documents and Settings\***\Desktop\emtipps-report-2009.pdf
[2010.04.04 22:25:15 | 000,268,235 | ---- | C] () -- C:\Documents and Settings\***\Desktop\em-tipps-garten.pdf
[2010.03.18 23:10:03 | 000,279,858 | ---- | C] () -- C:\Documents and Settings\***\Desktop\EM-Bericht_Tanzania.pdf
[2010.03.03 01:44:08 | 000,000,120 | ---- | C] () -- C:\WINDOWS\csmash.ini
[2010.01.21 19:39:40 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2009.11.28 11:49:01 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\cbqozg.dat
[2009.11.13 00:59:42 | 000,001,206 | ---- | C] () -- C:\WINDOWS\APDFPRP.INI
[2009.11.10 03:58:09 | 000,001,868 | ---- | C] () -- C:\WINDOWS\aopr.ini
[2009.08.30 00:13:33 | 000,000,279 | ---- | C] () -- C:\Documents and Settings\***\.languagetool-ooo.cfg
[2008.12.30 11:04:09 | 000,000,134 | ---- | C] () -- C:\WINDOWS\AWSHKWV.INI
[2008.12.30 11:01:08 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2008.12.19 16:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008.12.17 18:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008.12.17 18:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008.12.17 18:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008.12.17 18:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008.12.17 17:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008.12.11 12:27:02 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008.11.30 17:04:18 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.11.22 19:18:04 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\***\CUSTOM.DICCUSTOM.DIC
[2008.11.11 14:06:30 | 000,006,836 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.INI
[2008.11.10 11:58:54 | 000,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008.10.31 15:23:06 | 007,118,848 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sandra.mda
[2008.10.28 14:23:29 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\***\initdebug.nfo
[2008.10.19 16:36:36 | 000,036,864 | ---- | C] () -- C:\WINDOWS\jpgl.dll
[2008.10.19 16:36:36 | 000,032,768 | ---- | C] () -- C:\WINDOWS\div_iyuv.dll
[2008.10.07 09:43:05 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008.10.06 22:46:15 | 000,000,338 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008.10.06 09:48:49 | 000,113,152 | ---- | C] () -- C:\Documents and Settings\***\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.10.05 16:00:25 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2008.10.05 15:37:06 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\***\ntuser.ini
[2008.10.05 15:37:05 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\***\NTUSER.DAT.LOG
[2008.10.05 15:37:04 | 007,340,032 | -H-- | C] () -- C:\Documents and Settings\***\NTUSER.DAT
[2007.01.26 01:04:12 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2007.01.26 01:04:12 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2006.10.22 12:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006.10.22 12:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006.10.22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006.10.22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006.10.22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006.10.22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006.10.22 12:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004.10.03 18:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2004.09.17 17:37:42 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2003.12.27 20:43:24 | 000,068,608 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2001.11.29 21:34:34 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\***\hpsfx.ini
[1996.11.21 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996.11.21 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996.11.21 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1996.04.03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMPFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

OTL Extras logfile created on: 14.04.2010 23:04:06 - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\****\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C07 | Country: Austria | Language: DEA | Date Format: dd.MM.yyyy

767,00 Mb Total Physical Memory | 177,00 Mb Available Physical Memory | 23,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 48,00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15,93 Gb Total Space | 1,03 Gb Free Space | 6,49% Space Free | Partition Type: NTFS
Drive D: | 58,59 Gb Total Space | 0,19 Gb Free Space | 0,33% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: **
Current User Name: ****
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera\opera.exe (Opera Software)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.scr [@ = AutoCADLTScriptFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\PoivY.com\PoivY\poivy.exe" = C:\Program Files\PoivY.com\PoivY\poivy.exe:*:Enabled:PoivY -- (PoivY)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05ADEEC8-BD58-43D9-A9E3-1F53B0DA117A}" = Opera 10.51
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 15
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{5783F2D7-0201-040A-0002-0060B0CE6BBA}" = AutoCAD 2004
"{5783F2D7-0211-0409-0000-0060B0CE6BBA}" = AutoCAD Express Tools Volumes 1-9
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7EC19307-7C22-47A8-922B-3FA965291260}" = OpenOffice.org 3.0
"{83895843-3A51-4C93-9DF3-2BDB65C7E54A}" = DAEMON Tools
"{85C70286-A56F-4834-BD24-B34EB76A93A2}" = ESET NOD32 Antivirus
"{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-0000-7760-000000000001}" = Adobe Acrobat 6.0 Professional
"{AC76BA86-7AD7-1031-7B44-A70000000000}" = Adobe Reader 7.0 - Deutsch
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2196}_is1" = SiSoftware Sandra Lite XII.SP2c
"{C93369CB-B4E9-E095-9289-E6B5AE941031}" = Nero 7 Demo
"{CA567AD5-33A4-403D-86D1-EE2D38251951}_is1" = VDownloader 0.83
"{CF67CB0E-6E9A-49AA-805E-D7ABD15E4FCA}" = WP-S1 PCSync
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"{FEB15887-0932-4D2D-BB85-6AC03FBF1AA8}" = Pinnacle VideoSpin
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Audacity_is1" = Audacity 1.2.6
"Autodesk Express Viewer" = Autodesk Express Viewer
"CCleaner" = CCleaner
"CdaC13Ba" = SafeCast Shared Components
"FastStone Capture" = FastStone Capture 5.3
"Free Video Flip and Rotate_is1" = Free Video Flip and Rotate version 1.5
"Free YouTube to Mp3 Converter_is1" = Free YouTube to Mp3 Converter version 3.2
"FreeCommander_is1" = FreeCommander 2008.06
"FreeUndelete" = FreeUndelete
"HijackThis" = HijackThis 2.0.2
"hp deskjet 970c series" = hp deskjet 970c series (nur entfernen)
"HP LaserJet 1200 Uninstaller" = HP LaserJet 1200 Deinstallationsprogramm
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ImTOO 3GP Video Converter" = ImTOO 3GP Video Converter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Media Converter SA Edition" = Media Converter SA Edition 0.8
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MusicBrainz Tagger 0.10.5" = MusicBrainz Tagger 0.10.5
"Mustek WCam 300" = Mustek Wcam 300
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Office8.0" = Microsoft Office 97, Professional Edition
"OpenAL" = OpenAL
"Passware Kit 6.1" = Passware Kit 6.1
"PoivY_is1" = PoivY
"RealAlt_is1" = Real Alternative 1.9.0 Lite
"RuckZuck 4.0" = RuckZuck 4.0
"Table Tennis Pro V2 Lite_is1" = Table Tennis Pro V2 Lite (V2.32)
"TeamViewer 4" = TeamViewer 4
"Uninstall_is1" = Uninstall 1.0.0.1
"VLC media player" = VideoLAN VLC media player 0.8.5
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"VoipBuster_is1" = VoipBuster
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR Archivierer
"XP Codec Pack" = XP Codec Pack
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 01.04.2010 18:48:37 | Computer Name = ** | Source = MsiInstaller | ID = 11706
Description = Product: Adobe Acrobat 6.0.1 Professional -- Error 1706.No valid source
could be found for product Adobe Acrobat 6.0.1 Professional. The Windows Installer
cannot continue.

Error - 01.04.2010 18:48:40 | Computer Name = ** | Source = MsiInstaller | ID = 1024
Description = Product: Adobe Acrobat 6.0.1 Professional - Update '{B6F867E8-F092-4C5E-ACA0-F30547DC3874}'
could not be installed. Error code 1603. Windows Installer can create logs to help
troubleshoot issues with installing software packages. Use the following link for
instructions on turning on logging support: hxxp://go.microsoft.com/fwlink/?LinkId=23127

Error - 12.04.2010 07:44:59 | Computer Name = ** | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 14.04.2010 07:26:23 | Computer Name = ** | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 14.04.2010 07:26:23 | Computer Name = ** | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AmdK7 ehdrv epfwtdir Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 14.04.2010 07:29:19 | Computer Name = ** | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 14.04.2010 07:30:31 | Computer Name = ** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 14.04.2010 07:31:37 | Computer Name = ** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 14.04.2010 09:04:33 | Computer Name = ** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 14.04.2010 09:04:33 | Computer Name = ** | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
uagp35

Error - 14.04.2010 09:04:34 | Computer Name = ** | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 14.04.2010 09:05:20 | Computer Name = ** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 14.04.2010 15:41:00 | Computer Name = ** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}


< End of report >



Re 4.) Unfortunately I could not create a logfile with GMER. The program kept crashing. I did everything the way you described. Attached is a screenshot of the crash. The program also looks a bit different from the screenshot in your guide. Could that be the reason?

What's the next step?

Regards, Stefan
Attached thumbnail: gmer_problem.gif

Last edited by hugo7 (15.04.2010 at 00:18)

15.04.2010, 08:36   #4
Franz1968
/// Helper Team



1.) Download Avenger from here:
Swandog46's Public Anti-Malware Tools (download link on the left side)

2.) Unpack the zip archive and run the file "avenger.exe" (on Vista: right-click => Run as administrator). Set the check marks at the bottom as shown:

3.) Copy exactly the lines from the following code box (but replace the *** with your user name):

Code:
files to delete:
C:\RECYCLER\S-1-5-21-9180908332-8809903437-961132346-5512\xpupdate.exe
c:\windows\servnt.exe
C:\DOCUME~1\***\LOCALS~1\Temp\service.exe
         

4.) In "The Avenger", now go to "Load Script" at the top, then to "Paste from Clipboard".

5.) The code text from my post should now be visible in "The Avenger" under "Input Script here".

6.) If so, click "Execute" at the bottom right. Confirm the next prompt with "Yes", and likewise the question about "Reboot now" (restarting the system).

7.) After the restart, a log file from Avenger will be displayed. Copy its contents and post them here.

8.) Upload the file c:\avenger\backup.zip to "File-Upload.net - Ihr kostenloser File Hoster!" and link it here.

Start OTL and copy exactly the following into the Custom Scans/Fixes box at the bottom (":OTL" must be copied as well!):
Code:
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-5736-4205-0008-F7ED0776FB27} - No CLSID value found.
:Commands
[emptytemp]
[Reboot]
         
Click the red Run Fixes! button and copy the contents of the results window (Results) here. A copy of an OTL fix log is saved as a text file in the following folder: %systemroot%\_OTL

And finally GMER: it is not unusual for GMER not to run at first. Try starting the program once more. If that does not work, try it in safe mode (press F8 while the computer is booting).
__________________
All tips and instructions without guarantee

Last edited by Franz1968 (15.04.2010 at 09:21)

15.04.2010, 13:39   #5
hugo7



Logfile of The Avenger Version 2.0, (c) by Swandog46
Swandog46's Public Anti-Malware Tools

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\RECYCLER\S-1-5-21-9180908332-8809903437-961132346-5512\xpupdate.exe" deleted successfully.
File "c:\windows\servnt.exe" deleted successfully.

Error: file "C:\DOCUME~1\***\LOCALS~1\Temp\service.exe" not found!
Deletion of file "C:\DOCUME~1\***\LOCALS~1\Temp\service.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

hxxp://www.file-upload.net/download-2436393/backup.zip.html

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{00000000-5736-4205-0008-F7ED0776FB27} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-5736-4205-0008-F7ED0776FB27}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: *****
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Opera cache emptied: 20058364 bytes
->Flash cache emptied: 405 bytes

User: *****
->Temp folder emptied: 17534061 bytes
->Temporary Internet Files folder emptied: 2439029 bytes
->Java cache emptied: 7902 bytes
->FireFox cache emptied: 2898661 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 6551 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8708 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 43,00 mb


OTL by OldTimer - Version 3.2.1.1 log created on 04152010_135117

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

GMER did not work again. Not in safe mode either.


15.04.2010, 15:44   #6
Franz1968
/// Helper Team



Quote from hugo7:
C:\DOCUME~1\***\LOCALS~1\Temp\service.exe" not found!
Deletion of file "C:\DOCUME~1\***\LOCALS~1\Temp\service.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
But you did insert the user name in place of the asterisks, didn't you?

Run Avenger once more with the following script:
Code:
files to delete:
c:\documents and settings\dein Benutzername\local settings\temp\service.exe
         
Replace "dein Benutzername" with your user name (which, by the way, you do not need to edit out here!) and then upload backup.zip.

Quote:
GMER did not work again. Not in safe mode either.
Then let's try Rootrepeal:
Download, unpack and start rootrepeal.exe
Click the Report tab and then the Scan button. Tick the following items and click Ok.
  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services
  • Shadow SSDT
Afterwards you will be asked which drives should be scanned. Select C:\ and click Ok again. The scan starts automatically; it will take a while, so please be patient.
When the scan has finished, click Save Report. Save the logfile as RootRepeal.txt on the desktop. Copy its contents into this thread.

15.04.2010, 17:42   #7
Franz1968
/// Helper Team



Do the problems actually still exist, or is the computer running better now? How is the Messenger behaving?

17.04.2010, 12:29   #8
hugo7



Hello, I checked all of that once more, but again with the same result. I had already entered my user name last time as well - I just made it unrecognizable again with the asterisks in the results file.

I have also already looked in the specified directory myself - and there is no file named service.exe there.

hxxp://www.file-upload.net/download-2441809/backup-17.04.2010-13.16.35-31.zip.html

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/15 23:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF734E000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: atyooy49.SYS
Image Path: C:\WINDOWS\System32\Drivers\atyooy49.SYS
Address: 0xF697B000 Size: 425984 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4BCF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A8B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP0478
Image Path: \Driver\PCI_NTPNP0478
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB79B0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\***\application data\opera\opera\sessions\autosave.win
Status: Size mismatch (API: 3737, Raw: 3634)

Path: c:\documents and settings\***\local settings\application data\microsoft\messenger\contactslog.txt
Status: Size mismatch (API: 2333438, Raw: 2333076)

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b0464

#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf74250d0

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b049e

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x825ed100

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b0290

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b0302

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x825ecb30

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf742afb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf742b340

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf74250b0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b07b2

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b068e

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b052a

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf742b418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf742b298

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b0426

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x825ec6e0

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "<unknown>" at address 0x825e9700

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b038e

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x825ec420

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x825ec2c0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b08e6

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b05ae

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf76b05e6

==EOF==

But the most important thing is really that the problems no longer occur. Messenger apparently works flawlessly again as well...

"Apparently" because I don't entirely trust the whole thing. But I'll keep an eye on it. In any case, thank you very much!
Did you actually spot any other unwanted guests (viruses, spamware, phishers, or the like) in the many different analysis files?

Best regards, hugo

17.04.2010, 18:15   #9
Franz1968
/// Helper Team
 
Quote:
"Apparently" because I don't entirely trust the whole thing. But I'll keep an eye on it.
We're not done yet, though! You'll have to put up with a few more scans.

CustomScan with OTL

If you don't have it yet, please download OTL by OldTimer and save it to your desktop.
  • Please start OTL.exe.
    Vista users: right-click and choose "Run as administrator"
  • Now copy the content into the text box.
Code:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
         
  • Now please close all programs. (Important)
  • Now please click the Quick Scan button.
  • Click on .
  • Now copy the contents of OTL.txt and Extra.txt into your thread here
__________________
All tips and instructions are provided without guarantee

18.04.2010, 15:18   #10
hugo7
 
Ah, OK.
Then here is the result of the scan. The file extra.txt was not created this time, so I can only post otl.txt.

OTL logfile created on: 18.04.2010 15:35:03 - Run 2
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\***\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C07 | Country: Austria | Language: DEA | Date Format: dd.MM.yyyy

767,00 Mb Total Physical Memory | 306,00 Mb Available Physical Memory | 40,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 66,00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15,93 Gb Total Space | 0,60 Gb Free Space | 3,74% Space Free | Partition Type: NTFS
Drive D: | 58,59 Gb Total Space | 0,20 Gb Free Space | 0,33% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ***
Current User Name: ***
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010.04.14 23:03:24 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe
PRC - [2010.02.10 18:33:56 | 009,189,152 | ---- | M] (PoivY) -- C:\Program Files\PoivY.com\PoivY\poivy.exe
PRC - [2010.01.19 23:55:43 | 000,054,784 | ---- | M] (Macrovision) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE
PRC - [2009.09.29 14:03:46 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009.09.29 14:02:52 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009.02.06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008.04.22 19:23:02 | 000,098,488 | ---- | M] (SiSoftware) -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
PRC - [2008.04.14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006.03.10 19:45:12 | 000,035,328 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2005.07.22 15:00:10 | 000,081,920 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2010.04.14 23:03:24 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010.01.19 23:55:43 | 000,054,784 | ---- | M] (Macrovision) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2009.09.29 14:11:10 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009.09.29 14:03:46 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2008.04.22 19:23:02 | 000,098,488 | ---- | M] (SiSoftware) [Auto | Running] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe -- (SandraAgentSrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========


FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010.03.25 02:23:10 | 000,000,000 | ---D | M]

[2008.12.08 16:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Mozilla\Extensions
[2008.12.08 16:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Mozilla\Firefox\Profiles\pk6rhjz4.default\extensions

O1 HOSTS File: ([2010.03.29 02:58:33 | 000,000,752 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 84.113.211.15 ***
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [PoivY] C:\Program Files\PoivY.com\PoivY\PoivY.exe (PoivY)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Save YouTube Video as MP3 - C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll (DVSTeam)
O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/InstFred.ocx (InstaFred)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/AcDcToday.ocx (AcDcToday-Steuerung)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/InstBanr.ocx (NOXLATE-BANR)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/AcPreview.ocx (AcPreview-Steuerung)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.186.211.21 195.34.133.21
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008.10.05 15:29:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008.10.05 15:28:49 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: Messenger - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 14 Days ==========

[2010.04.18 15:17:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Application Data\OfficeRecovery
[2010.04.18 15:16:45 | 000,000,000 | ---D | C] -- C:\Program Files\OfficeRecovery
[2010.04.18 14:52:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Desktop\undeleted
[2010.04.18 14:48:31 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010.04.15 13:51:17 | 000,000,000 | ---D | C] -- C:\_OTL
[2010.04.15 13:42:20 | 000,000,000 | ---D | C] -- C:\Avenger
[2010.04.15 13:37:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Desktop\avenger
[2010.04.15 00:51:38 | 000,053,088 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010.04.15 00:51:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010.04.14 23:03:15 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe
[2010.04.14 14:18:56 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010.04.14 14:18:48 | 000,000,000 | ---D | C] -- C:\rsit
[2010.04.14 14:15:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Application Data\Malwarebytes
[2010.04.14 14:14:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.04.14 14:14:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.04.14 14:14:43 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.04.14 14:14:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.04.14 13:27:25 | 000,000,000 | ---D | C] -- C:\MSNCleaner
[2010.04.14 00:06:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\My Documents\Meine empfangenen Dateien
[2010.04.06 00:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Desktop\2010-04-05 lakun
[2010.04.05 16:16:27 | 000,000,000 | ---D | C] -- C:\Program Files\pdf_viewer
[2010.03.26 04:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2010.01.13 17:17:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
[2009.07.20 11:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009.07.20 11:21:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009.06.13 15:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009.06.13 15:18:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2008.10.07 13:31:16 | 000,137,216 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d344bus.sys
[2008.10.07 13:31:16 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d344prt.sys
[2008.10.05 15:34:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008.10.05 15:33:53 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008.10.05 15:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004.11.24 20:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010.04.18 14:44:11 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010.04.18 14:44:03 | 000,001,092 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.04.18 14:43:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.04.18 14:43:45 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.04.18 14:43:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.04.18 14:43:41 | 804,835,328 | -HS- | M] () -- C:\hiberfil.sys
[2010.04.18 02:17:22 | 007,340,032 | -H-- | M] () -- C:\Documents and Settings\***\NTUSER.DAT
[2010.04.18 02:17:22 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\***\ntuser.ini
[2010.04.18 02:08:26 | 000,000,116 | -H-- | M] () -- C:\Documents and Settings\***\Desktop\.~lock.bestätigung.odt#
[2010.04.18 01:41:00 | 000,001,096 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.04.17 19:48:47 | 001,013,059 | ---- | M] () -- C:\Documents and Settings\***\Desktop\test.docx
[2010.04.17 18:32:47 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010.04.16 23:32:48 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.04.15 14:45:47 | 003,834,006 | ---- | M] () -- C:\Documents and Settings\***\Desktop\handout2010.pdf
[2010.04.15 14:04:39 | 000,008,537 | ---- | M] () -- C:\WINDOWS\***8.xlb
[2010.04.15 04:10:57 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\***\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.04.15 03:00:32 | 000,002,259 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010.04.15 02:33:46 | 000,000,337 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2010.04.15 00:51:47 | 000,000,049 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010.04.15 00:51:38 | 000,053,088 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010.04.14 23:03:24 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe
[2010.04.14 14:14:59 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.14 14:11:07 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\***\Desktop\CCleaner.lnk
[2010.04.14 13:54:17 | 000,011,624 | ---- | M] () -- C:\Documents and Settings\***\Desktop\bestätigung.odt
[2010.04.14 00:00:12 | 000,457,306 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.04.14 00:00:12 | 000,392,296 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.04.14 00:00:12 | 000,058,596 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.04.05 16:47:32 | 000,001,757 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk
[2010.04.04 22:31:43 | 000,245,558 | ---- | M] () -- C:\Documents and Settings\***\Desktop\emtipps-report-2009.pdf
[2010.04.04 22:25:15 | 000,268,235 | ---- | M] () -- C:\Documents and Settings\***\Desktop\em-tipps-garten.pdf
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.04.18 02:08:26 | 000,000,116 | -H-- | C] () -- C:\Documents and Settings\***\Desktop\.~lock.bestätigung.odt#
[2010.04.17 19:47:18 | 001,013,059 | ---- | C] () -- C:\Documents and Settings\***\Desktop\test.docx
[2010.04.15 14:45:45 | 003,834,006 | ---- | C] () -- C:\Documents and Settings\***\Desktop\handout2010.pdf
[2010.04.15 14:14:38 | 804,835,328 | -HS- | C] () -- C:\hiberfil.sys
[2010.04.15 00:51:34 | 000,000,049 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010.04.14 14:14:59 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.14 13:51:45 | 000,011,624 | ---- | C] () -- C:\Documents and Settings\***\Desktop\bestätigung.odt
[2010.04.04 22:31:43 | 000,245,558 | ---- | C] () -- C:\Documents and Settings\***\Desktop\emtipps-report-2009.pdf
[2010.04.04 22:25:15 | 000,268,235 | ---- | C] () -- C:\Documents and Settings\***\Desktop\em-tipps-garten.pdf
[2010.03.03 01:44:08 | 000,000,120 | ---- | C] () -- C:\WINDOWS\csmash.ini
[2010.01.21 19:39:40 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2009.11.28 11:49:01 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\cbqozg.dat
[2009.11.13 00:59:42 | 000,001,206 | ---- | C] () -- C:\WINDOWS\APDFPRP.INI
[2009.11.10 03:58:09 | 000,001,868 | ---- | C] () -- C:\WINDOWS\aopr.ini
[2009.08.30 00:13:33 | 000,000,279 | ---- | C] () -- C:\Documents and Settings\***\.languagetool-ooo.cfg
[2008.12.30 11:04:09 | 000,000,134 | ---- | C] () -- C:\WINDOWS\AWSHKWV.INI
[2008.12.30 11:01:08 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2008.12.19 16:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008.12.17 18:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008.12.17 18:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008.12.17 18:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008.12.17 18:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008.12.17 17:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008.12.11 12:27:02 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008.11.30 17:04:18 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.11.22 19:18:04 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\***\CUSTOM.DICCUSTOM.DIC
[2008.11.11 14:06:30 | 000,006,836 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.INI
[2008.11.10 11:58:54 | 000,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008.10.31 15:23:06 | 007,118,848 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sandra.mda
[2008.10.28 14:23:29 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\***\initdebug.nfo
[2008.10.19 16:36:36 | 000,036,864 | ---- | C] () -- C:\WINDOWS\jpgl.dll
[2008.10.19 16:36:36 | 000,032,768 | ---- | C] () -- C:\WINDOWS\div_iyuv.dll
[2008.10.07 09:43:05 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008.10.06 22:46:15 | 000,000,337 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008.10.06 09:48:49 | 000,113,152 | ---- | C] () -- C:\Documents and Settings\***\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.10.05 16:00:25 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2008.10.05 15:37:06 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\***\ntuser.ini
[2008.10.05 15:37:05 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\***\NTUSER.DAT.LOG
[2008.10.05 15:37:04 | 007,340,032 | -H-- | C] () -- C:\Documents and Settings\***\NTUSER.DAT
[2007.01.26 01:04:12 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2007.01.26 01:04:12 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2006.10.22 12:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006.10.22 12:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006.10.22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006.10.22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006.10.22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006.10.22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006.10.22 12:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004.10.03 18:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2004.09.17 17:37:42 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2003.12.27 20:43:24 | 000,068,608 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2001.11.29 21:34:34 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\***\hpsfx.ini
[1996.11.21 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996.11.21 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996.11.21 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1996.04.03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2010.01.19 23:52:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2008.11.10 12:07:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2010.03.25 02:23:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009.05.21 18:59:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F4
[2009.08.12 08:52:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2009.08.13 02:01:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle VideoSpin
[2010.04.15 00:52:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010.03.17 20:18:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010.01.26 00:04:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008.11.17 12:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\AD ON Multimedia
[2009.11.08 02:36:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\ADEPT
[2010.01.19 23:52:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Autodesk
[2008.11.10 12:07:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\DAEMON Tools Pro
[2009.07.21 11:50:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Desktopicon
[2009.11.06 01:53:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Helios
[2009.10.17 19:19:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\ImTOO Software Studio
[2010.04.18 15:17:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\OfficeRecovery
[2008.10.29 18:27:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\OpenOffice.org
[2008.10.05 16:49:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Opera
[2009.11.02 19:50:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\PoivY
[2008.11.11 14:15:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\SOFiSTiK
[2010.04.18 00:16:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\TeamViewer
[2008.10.06 09:53:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Thunderbird
[2008.10.07 11:56:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\VoipBuster

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004.08.04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008.04.14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008.04.14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008.04.14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys
[2008.04.14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008.04.14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004.08.04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008.04.14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008.04.14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004.08.04 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008.04.14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008.04.14 02:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[2008.04.14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004.08.04 14:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008.04.14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008.04.14 02:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[2008.04.14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004.08.04 14:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004.08.04 14:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008.04.14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008.04.14 02:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll
[2008.04.14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2008.11.10 11:58:55 | 000,685,816 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >
[2008.10.05 17:11:26 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008.10.05 17:11:26 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008.10.05 17:11:25 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

Alt 18.04.2010, 18:04   #11
Franz1968
/// Helper team
 

Did your computer already have an infection "earlier", around November/December? There seem to be remnants of one.

Go to Virustotal and upload the following files there, one after the other:
Quote:
C:\Documents and Settings\NetworkService\Application Data\cbqozg.dat
C:\WINDOWS\APDFPRP.INI
C:\WINDOWS\System32\drivers\sptd.sys
If you get the message that one of the files has already been analysed, have it scanned again. Afterwards, post the result links!

Also:

Fixing with OTL
  • Please start OTL.exe.
    Vista users: right-click and choose "Run as administrator"
  • Now copy the content into the text box.
Code:
:OTL
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
:Commands
[emptytemp]
         
  • Now please close all programs.
  • Now please click the Run Fix button.
  • Click on .
  • OTL may ask for a restart. Please allow this.
  • After the restart you will find a text document.
    Now copy its content here into your thread
__________________
All tips and instructions are given without guarantee

Alt 25.04.2010, 14:50   #12
hugo7
 

took a bit longer, but now it's done.

Virustotal. MD5: bae1ec0410e865c47ae71158374aad7b
Virustotal. MD5: 7069290aed16f375edaada117dc0e97e
unfortunately the third file could not be uploaded - tried several times, but without success (C:\WINDOWS\System32\drivers\sptd.sys)

All processes killed
========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: ***
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: ***
->Temp folder emptied: 4413986 bytes
->Temporary Internet Files folder emptied: 507332197 bytes
->Java cache emptied: 12126614 bytes
->FireFox cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 28896 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49152 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 500,00 mb


OTL by OldTimer - Version 3.2.1.1 log created on 04252010_154150

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
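
One way to check a fix log like the one above against the scan that prompted it, as an added example that is not part of the original thread and not part of OTL: it matches each `@Alternate Data Stream` entry of a scan log to an `ADS ... deleted successfully.` line of the fix log and reports entries that no longer have the `path:stream` form. The sample lines, the `C:\ExampleData` paths and the function names are constructed for illustration.

```python
import re

# Scan-log form:  @Alternate Data Stream - 121 bytes -> C:\dir\file:STREAM
SCAN_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
# Fix-log form:   ADS C:\dir\file:STREAM deleted successfully.
FIX_RE = re.compile(r"^ADS (.+) deleted successfully\.$")


def split_stream(target):
    """Split 'C:\\dir\\file:STREAM' into a normalised (path, stream) key.

    Returns None when the text after the drive-letter colon holds no
    further colon, i.e. the host path and stream name cannot be told apart.
    """
    target = target.strip()
    if not re.match(r"^[A-Za-z]:\\", target):
        return None
    path, sep, name = target[2:].rpartition(":")
    if not sep or not path or not name or "\\" in name:
        return None
    # NTFS names are case-insensitive, so compare on a folded form.
    return (target[:2] + path).lower(), name.upper()


def parse_targets(lines, pattern, group):
    """Return (set of stream keys, list of matching lines that failed to split)."""
    good, bad = set(), []
    for line in lines:
        match = pattern.match(line.strip())
        if not match:
            continue  # section headers, blank lines, other log content
        key = split_stream(match.group(group))
        if key is None:
            bad.append(line.strip())
        else:
            good.add(key)
    return good, bad


def reconcile(scan_lines, fix_lines):
    """Compare streams reported by the scan with streams the fix removed."""
    found, bad_scan = parse_targets(scan_lines, SCAN_RE, 2)
    removed, bad_fix = parse_targets(fix_lines, FIX_RE, 1)
    return {
        "confirmed": sorted(found & removed),    # reported and removed
        "unconfirmed": sorted(found - removed),  # reported, no removal line
        "unexpected": sorted(removed - found),   # removed, never reported
        "malformed": bad_scan + bad_fix,         # needs a manual look
    }


# Constructed sample logs (not taken from the thread).
SCAN_SAMPLE = r"""
========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\ExampleData\TEMP:1A2B3C4D
@Alternate Data Stream - 115 bytes -> C:\ExampleData\TEMP:5E6F7A8B
@Alternate Data Stream - 98 bytes -> C:\ExampleData\CACHE9C0D1E2F
< End of report >
""".splitlines()

FIX_SAMPLE = r"""
========== OTL ==========
ADS C:\ExampleData\TEMP:1A2B3C4D deleted successfully.
========== COMMANDS ==========
""".splitlines()

if __name__ == "__main__":
    for status, items in reconcile(SCAN_SAMPLE, FIX_SAMPLE).items():
        print(status, items)
```
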

Alt 25.04.2010, 16:35   #13
Franz1968
/// Helper team
 

Ok so far. The sptd.sys can stay as it is; it probably belongs to Daemon Tools.

Please run another scan with SUPERAntiSpyware and an online scanner of your choice, e.g. Panda or ESET. Post the results here, plus a fresh OTL log file as described above under "System scan with OTL". Download OTL again for this.
__________________
All tips and instructions are given without guarantee

Alt 11.05.2010, 18:01   #14
hugo7
 

hello, here are the log files:

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 05/10/2010 at 04:51 PM

Application Version : 4.37.1000

Core Rules Database Version : 4911
Trace Rules Database Version: 2723

Scan type : Complete Scan
Total Scan Time : 02:25:33

Memory items scanned : 376
Memory threats detected : 0
Registry items scanned : 5884
Registry threats detected : 0
File items scanned : 108541
File threats detected : 13

Adware.Tracking Cookie
C:\Documents and Settings\****\Cookies\****@bluestreak[1].txt
C:\Documents and Settings\****\Cookies\****@tradedoubler[2].txt
C:\Documents and Settings\****\Cookies\****@weborama[2].txt
C:\Documents and Settings\****\Cookies\****@doubleclick[1].txt
C:\Documents and Settings\****\Cookies\****@bs.serving-sys[1].txt
C:\Documents and Settings\****\Cookies\****@serving-sys[1].txt
C:\Documents and Settings\****\Cookies\****@adtech[1].txt
C:\Documents and Settings\****\Cookies\****@atdmt[1].txt
C:\Documents and Settings\****\Cookies\****@ads.us.e-planning[1].txt

Trojan.Dropper/Game
C:\PROGRAM FILES\ADEPT\SPSS2DTA.DLL

Trojan.Agent/Gen-Krpytik
D:\F\INSTALL\DREAMWAEVER 3\KEY GENERATOR.EXE
D:\PROGS_****\GRAPHIC\GSVIEW\ZLIB32.DLL
D:\****\AUTOCAD_VORLAGEN\LISP\SMS\CRACK\NSLMS324.DLL


C:\Documents and Settings\***\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe Variante von Win32/Adware.ADON Anwendung Gesäubert durch Löschen - in Quarantäne kopiert
C:\Documents and Settings\***\Application Data\Desktopicon\eBayShortcuts.exe Variante von Win32/Adware.ADON Anwendung Gesäubert durch Löschen - in Quarantäne kopiert
C:\Documents and Settings\***\Desktop\ecosan\Publications.rar Win32/Kryptik.FAV.Gen Trojaner gelöscht - in Quarantäne kopiert
C:\Documents and Settings\***\Desktop\ecosan\02-Factsheets\Factsheets.rar Win32/Kryptik.FAV.Gen Trojaner gelöscht - in Quarantäne kopiert
D:\c\Respaldo\programas\ACDSee 3.0\CORE99.EXE möglicherweise Variante von Win32/Agent Trojaner Gesäubert durch Löschen - in Quarantäne kopiert
D:\h_gamez\Programme\eac-0.99pb4.exe Variante von Win32/Adware.ADON Anwendung gelöscht - in Quarantäne kopiert
D:\h_gamez\Programme\youtube_videos_aufnehmen_vdownloader.zip Variante von Win32/Adware.ADON Anwendung gelöscht - in Quarantäne kopiert
D:\h_gamez\Programme\freecommander\fc_setup_2007_10a.exe Variante von Win32/Adware.ADON Anwendung gelöscht - in Quarantäne kopiert
D:\h_gamez\Programme\freecommander\fc_setup_2008_06.exe Variante von Win32/Adware.ADON Anwendung gelöscht - in Quarantäne kopiert
D:\progs_***\Office97Install.zip möglicherweise Variante von Win32/Agent Trojaner gelöscht - in Quarantäne kopiert
D:\progs_***\Audio\FreeRip - ev. Code notwendig\freeripmp3.exe Win32/AdInstaller Anwendung gelöscht - in Quarantäne kopiert
D:\progs_***\Graphic\ACDSee 3.0\core99.exe möglicherweise Variante von Win32/Agent Trojaner Gesäubert durch Löschen - in Quarantäne kopiert
D:\progs_***\System\WindowsXP SerialNr & for other Prgms\Windows XP Original Keys Keygen\Windows.XP original keygen.rar Win32/PSWTool.PWDump2 Anwendung gelöscht - in Quarantäne kopiert


OTL logfile created on: 11.05.2010 17:01:31 - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\***\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C07 | Country: Austria | Language: DEA | Date Format: dd.MM.yyyy

767,00 Mb Total Physical Memory | 214,00 Mb Available Physical Memory | 28,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 53,00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15,93 Gb Total Space | 2,30 Gb Free Space | 14,44% Space Free | Partition Type: NTFS
Drive D: | 58,59 Gb Total Space | 6,33 Gb Free Space | 10,80% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ***
Current User Name: ***
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Program Files\PoivY.com\PoivY\poivy.exe (PoivY)
PRC - C:\Documents and Settings\***\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Opera\opera.exe (Opera Software)
PRC - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (Macrovision)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
PRC - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe (SiSoftware)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Winamp\winampa.exe ()
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\***\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (C-DillaCdaC11BA) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE (Macrovision)
SRV - (EhttpSrv) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (ESET)
SRV - (ekrn) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
SRV - (SandraAgentSrv) -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe (SiSoftware)


========== Driver Services (SafeList) ==========

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (pxrts) -- C:\WINDOWS\system32\drivers\pxrts.sys (Prevx)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (CdaC15BA) -- C:\WINDOWS\system32\drivers\CDAC15BA.SYS (Macrovision Europe Ltd)
DRV - (epfwtdir) -- C:\WINDOWS\system32\drivers\epfwtdir.sys (ESET)
DRV - (ehdrv) -- C:\WINDOWS\system32\drivers\ehdrv.sys (ESET)
DRV - (eamon) -- C:\WINDOWS\system32\drivers\eamon.sys (ESET)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (Changer) -- C:\WINDOWS\system32\drivers\changer.sys (Microsoft Corporation)
DRV - (lbrtfdc) -- C:\WINDOWS\system32\drivers\lbrtfdc.sys (Toshiba Corp.)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (SANDRA) -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\WNt500x86\sandra.sys (SiSoftware)
DRV - (teamviewervpn) -- C:\WINDOWS\system32\drivers\teamviewervpn.sys (TeamViewer GmbH)
DRV - (qcusbser6k) -- C:\WINDOWS\system32\drivers\qcusbser6k.sys (QUALCOMM Incorporated)
DRV - (qcusbpcsync) -- C:\WINDOWS\system32\drivers\qcusbpcsync.sys (QUALCOMM Incorporated)
DRV - (qcusbnmea) -- C:\WINDOWS\system32\drivers\qcusbnmea.sys (QUALCOMM Incorporated)
DRV - (qcusbmdm6k) -- C:\WINDOWS\system32\drivers\qcusbmdm6k.sys (QUALCOMM Incorporated)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (d344bus) -- C:\WINDOWS\system32\DRIVERS\d344bus.sys ( )
DRV - (d344prt) -- C:\WINDOWS\System32\Drivers\d344prt.sys ( )
DRV - (viaagp1) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (DCamUSBNW802) -- C:\WINDOWS\system32\drivers\pcam.sys (Divio Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========


FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010.03.25 02:23:10 | 000,000,000 | ---D | M]

[2008.12.08 16:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Mozilla\Extensions
[2008.12.08 16:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\***\Application Data\Mozilla\Firefox\Profiles\pk6rhjz4.default\extensions

O1 HOSTS File: ([2010.03.29 02:58:33 | 000,000,752 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 84.113.211.15 ***
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [PoivY] C:\Program Files\PoivY.com\PoivY\PoivY.exe (PoivY)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Save YouTube Video as MP3 - C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll (DVSTeam)
O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/InstFred.ocx (InstaFred)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/AcDcToday.ocx (AcDcToday-Steuerung)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/InstBanr.ocx (NOXLATE-BANR)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file:///C:/Program%20Files/AutoCAD%20LT%202002%20Deu/AcPreview.ocx (AcPreview-Steuerung)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.186.211.21 195.34.133.21
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008.10.05 15:29:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.05.07 22:07:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010.05.07 22:07:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Application Data\SUPERAntiSpyware.com
[2010.05.07 22:07:23 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010.05.07 16:41:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2010.05.04 21:34:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Desktop\***
[2010.04.27 02:48:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\My Documents\RZDB
[2010.04.20 01:02:39 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2010.04.20 01:01:28 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010.04.20 00:54:59 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2010.04.19 23:03:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Desktop\microsoft office 2007
[2010.04.18 15:17:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Application Data\OfficeRecovery
[2010.04.18 15:16:45 | 000,000,000 | ---D | C] -- C:\Program Files\OfficeRecovery
[2010.04.18 14:48:31 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010.04.15 13:51:17 | 000,000,000 | ---D | C] -- C:\_OTL
[2010.04.15 13:42:20 | 000,000,000 | ---D | C] -- C:\Avenger
[2010.04.15 13:37:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Desktop\avenger
[2010.04.15 00:51:38 | 000,053,088 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010.04.15 00:51:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010.04.14 23:03:15 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe
[2010.04.14 14:18:56 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010.04.14 14:18:48 | 000,000,000 | ---D | C] -- C:\rsit
[2010.04.14 14:15:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\Application Data\Malwarebytes
[2010.04.14 14:14:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.04.14 14:14:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.04.14 14:14:43 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.04.14 14:14:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.04.14 13:27:25 | 000,000,000 | ---D | C] -- C:\MSNCleaner
[2010.04.14 00:06:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\***\My Documents\Meine empfangenen Dateien
[2008.10.07 13:31:16 | 000,137,216 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d344bus.sys
[2008.10.07 13:31:16 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d344prt.sys
[2004.11.24 20:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.05.11 16:48:30 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010.05.11 16:48:22 | 000,001,092 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.05.11 16:48:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.05.11 16:48:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.05.11 16:48:13 | 804,835,328 | -HS- | M] () -- C:\hiberfil.sys
[2010.05.11 11:17:53 | 008,650,752 | -H-- | M] () -- C:\Documents and Settings\***\NTUSER.DAT
[2010.05.11 11:17:53 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\***\ntuser.ini
[2010.05.11 10:41:02 | 000,001,096 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.05.10 21:45:49 | 000,000,213 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2010.05.10 20:33:50 | 000,291,328 | ---- | M] () -- C:\Documents and Settings\***\Desktop\Niederschlags-Abfluss Modell.ppt
[2010.05.10 19:51:17 | 000,002,259 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010.05.08 23:10:37 | 001,413,124 | ---- | M] () -- C:\Documents and Settings\***\Desktop\RMOH 013.jpg
[2010.05.08 23:06:05 | 001,508,345 | ---- | M] () -- C:\Documents and Settings\***\Desktop\RMOH 005.jpg
[2010.05.08 23:05:21 | 001,510,034 | ---- | M] () -- C:\Documents and Settings\***\Desktop\RMOH 011.jpg
[2010.05.07 22:08:21 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\***\Desktop\OTL.exe
[2010.05.07 22:07:29 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010.05.06 19:41:42 | 001,400,793 | ---- | M] () -- C:\Documents and Settings\***\Desktop\rahnell 006.jpg
[2010.05.06 19:41:36 | 001,315,622 | ---- | M] () -- C:\Documents and Settings\***\Desktop\rahnell 009.jpg
[2010.05.06 19:41:31 | 001,185,859 | ---- | M] () -- C:\Documents and Settings\***\Desktop\rahnell 010.jpg
[2010.05.06 19:29:20 | 001,325,729 | ---- | M] () -- C:\Documents and Settings\***\Desktop\rahnell 008.jpg
[2010.05.06 19:28:57 | 001,222,760 | ---- | M] () -- C:\Documents and Settings\***\Desktop\rahnell 005.jpg
[2010.05.06 19:28:56 | 001,259,466 | ---- | M] () -- C:\Documents and Settings\***\Desktop\rahnell 007.jpg
[2010.05.06 10:51:25 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010.05.05 14:00:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.05.04 21:35:26 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\***\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.05.04 09:32:04 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010.04.26 20:38:41 | 000,009,203 | ---- | M] () -- C:\WINDOWS\***8.xlb
[2010.04.20 15:02:05 | 000,431,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.04.20 01:10:26 | 000,124,752 | ---- | M] () -- C:\Documents and Settings\***\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010.04.16 23:32:48 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.04.15 14:45:47 | 003,834,006 | ---- | M] () -- C:\Documents and Settings\***\Desktop\handout2010.pdf
[2010.04.15 00:51:47 | 000,000,049 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010.04.15 00:51:38 | 000,053,088 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010.04.14 14:14:59 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.14 14:11:07 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\***\Desktop\CCleaner.lnk
[2010.04.14 00:00:12 | 000,457,306 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.04.14 00:00:12 | 000,392,296 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.04.14 00:00:12 | 000,058,596 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.05.10 20:33:50 | 000,291,328 | ---- | C] () -- C:\Documents and Settings\***\Desktop\Niederschlags-Abfluss Modell.ppt
[2010.05.08 23:09:04 | 001,413,124 | ---- | C] () -- C:\Documents and Settings\***\Desktop\RMOH 013.jpg
[2010.05.08 23:03:53 | 001,508,345 | ---- | C] () -- C:\Documents and Settings\***\Desktop\RMOH 005.jpg
[2010.05.08 23:02:51 | 001,510,034 | ---- | C] () -- C:\Documents and Settings\***\Desktop\RMOH 011.jpg
[2010.05.07 22:07:29 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010.05.06 19:38:45 | 001,185,859 | ---- | C] () -- C:\Documents and Settings\***\Desktop\rahnell 010.jpg
[2010.05.06 19:38:18 | 001,315,622 | ---- | C] () -- C:\Documents and Settings\***\Desktop\rahnell 009.jpg
[2010.05.06 19:38:02 | 001,400,793 | ---- | C] () -- C:\Documents and Settings\***\Desktop\rahnell 006.jpg
[2010.05.06 19:27:29 | 001,325,729 | ---- | C] () -- C:\Documents and Settings\***\Desktop\rahnell 008.jpg
[2010.05.06 19:26:41 | 001,259,466 | ---- | C] () -- C:\Documents and Settings\***\Desktop\rahnell 007.jpg
[2010.05.06 19:26:11 | 001,222,760 | ---- | C] () -- C:\Documents and Settings\***\Desktop\rahnell 005.jpg
[2010.04.28 18:27:40 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010.04.15 14:45:45 | 003,834,006 | ---- | C] () -- C:\Documents and Settings\***\Desktop\handout2010.pdf
[2010.04.15 14:14:38 | 804,835,328 | -HS- | C] () -- C:\hiberfil.sys
[2010.04.15 00:51:34 | 000,000,049 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010.04.14 14:14:59 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.03.03 01:44:08 | 000,000,120 | ---- | C] () -- C:\WINDOWS\csmash.ini
[2010.01.21 19:39:40 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2009.11.13 00:59:42 | 000,001,206 | ---- | C] () -- C:\WINDOWS\APDFPRP.INI
[2009.11.10 03:58:09 | 000,001,868 | ---- | C] () -- C:\WINDOWS\aopr.ini
[2008.12.30 11:04:09 | 000,000,134 | ---- | C] () -- C:\WINDOWS\AWSHKWV.INI
[2008.12.30 11:01:08 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2008.12.19 16:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008.12.17 18:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008.12.17 18:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008.12.17 18:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008.12.17 18:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008.12.17 17:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008.12.11 12:27:02 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008.11.30 17:04:18 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.11.11 14:06:30 | 000,006,836 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.INI
[2008.11.10 11:58:54 | 000,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008.10.19 16:36:36 | 000,036,864 | ---- | C] () -- C:\WINDOWS\jpgl.dll
[2008.10.19 16:36:36 | 000,032,768 | ---- | C] () -- C:\WINDOWS\div_iyuv.dll
[2008.10.07 09:43:05 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008.10.06 22:46:15 | 000,000,213 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008.10.05 16:00:25 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007.01.26 01:04:12 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2007.01.26 01:04:12 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2006.10.22 12:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006.10.22 12:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006.10.22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006.10.22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006.10.22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006.10.22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006.10.22 12:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004.10.03 18:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2004.09.17 17:37:42 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2003.12.27 20:43:24 | 000,068,608 | ---- | C] () -- C:\WINDOWS\daemon.dll
[1996.11.21 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996.11.21 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996.11.21 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1996.04.03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
< End of report >


OTL Extras logfile created on: 11.05.2010 17:01:31 - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\***\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C07 | Country: Austria | Language: DEA | Date Format: dd.MM.yyyy

767,00 Mb Total Physical Memory | 214,00 Mb Available Physical Memory | 28,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 53,00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15,93 Gb Total Space | 2,30 Gb Free Space | 14,44% Space Free | Partition Type: NTFS
Drive D: | 58,59 Gb Total Space | 6,33 Gb Free Space | 10,80% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ***
Current User Name: ***
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.scr [@ = AutoCADLTScriptFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\PoivY.com\PoivY\poivy.exe" = C:\Program Files\PoivY.com\PoivY\poivy.exe:*:Enabled:PoivY -- (PoivY)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe" = C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe:*:Enabled:SiSoftware Deployment Agent Service -- (SiSoftware)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1A0D2EFC-C4FC-446A-8BC3-57A54CE5EADD}" = Opera 10.53
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 15
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{5783F2D7-0201-040A-0002-0060B0CE6BBA}" = AutoCAD 2004
"{5783F2D7-0211-0409-0000-0060B0CE6BBA}" = AutoCAD Express Tools Volumes 1-9
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{61B04164-0C8C-4EC2-9662-5409E4BE0AFC}" = RuckZuck Studentenversion
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7EC19307-7C22-47A8-922B-3FA965291260}" = OpenOffice.org 3.0
"{83895843-3A51-4C93-9DF3-2BDB65C7E54A}" = DAEMON Tools
"{85C70286-A56F-4834-BD24-B34EB76A93A2}" = ESET NOD32 Antivirus
"{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-0000-7760-000000000001}" = Adobe Acrobat 6.0 Professional
"{AC76BA86-7AD7-1031-7B44-A70000000000}" = Adobe Reader 7.0 - Deutsch
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2196}_is1" = SiSoftware Sandra Lite XII.SP2c
"{C93369CB-B4E9-E095-9289-E6B5AE941031}" = Nero 7 Demo
"{CA567AD5-33A4-403D-86D1-EE2D38251951}_is1" = VDownloader 0.83
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CF67CB0E-6E9A-49AA-805E-D7ABD15E4FCA}" = WP-S1 PCSync
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"{FEB15887-0932-4D2D-BB85-6AC03FBF1AA8}" = Pinnacle VideoSpin
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Audacity_is1" = Audacity 1.2.6
"Autodesk Express Viewer" = Autodesk Express Viewer
"CCleaner" = CCleaner
"CdaC13Ba" = SafeCast Shared Components
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"FastStone Capture" = FastStone Capture 5.3
"Free Video Flip and Rotate_is1" = Free Video Flip and Rotate version 1.5
"Free YouTube to Mp3 Converter_is1" = Free YouTube to Mp3 Converter version 3.2
"FreeCommander_is1" = FreeCommander 2008.06
"FreeUndelete" = FreeUndelete
"HijackThis" = HijackThis 2.0.2
"hp deskjet 970c series" = hp deskjet 970c series (nur entfernen)
"HP LaserJet 1200 Uninstaller" = HP LaserJet 1200 Deinstallationsprogramm
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ImTOO 3GP Video Converter" = ImTOO 3GP Video Converter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Media Converter SA Edition" = Media Converter SA Edition 0.8
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MusicBrainz Tagger 0.10.5" = MusicBrainz Tagger 0.10.5
"Mustek WCam 300" = Mustek Wcam 300
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Office8.0" = Microsoft Office 97, Professional Edition
"OpenAL" = OpenAL
"Passware Kit 6.1" = Passware Kit 6.1
"PoivY_is1" = PoivY
"RealAlt_is1" = Real Alternative 1.9.0 Lite
"RuckZuck 4.0" = RuckZuck 4.0
"Table Tennis Pro V2 Lite_is1" = Table Tennis Pro V2 Lite (V2.32)
"TeamViewer 4" = TeamViewer 4
"Uninstall_is1" = Uninstall 1.0.0.1
"VLC media player" = VideoLAN VLC media player 0.8.5
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"VoipBuster_is1" = VoipBuster
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR Archivierer
"XP Codec Pack" = XP Codec Pack
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 04.05.2010 13:45:21 | Computer Name = *** | Source = Google Update | ID = 20
Description =

Error - 04.05.2010 18:44:33 | Computer Name = *** | Source = Google Update | ID = 20
Description =

Error - 05.05.2010 13:45:02 | Computer Name = *** | Source = Google Update | ID = 20
Description =

Error - 05.05.2010 18:44:36 | Computer Name = *** | Source = Google Update | ID = 20
Description =

Error - 06.05.2010 04:45:18 | Computer Name = *** | Source = Google Update | ID = 20
Description =

Error - 06.05.2010 11:45:07 | Computer Name = *** | Source = Google Update | ID = 20
Description =

Error - 06.05.2010 16:44:26 | Computer Name = *** | Source = Google Update | ID = 20
Description =

Error - 07.05.2010 04:44:23 | Computer Name = *** | Source = Google Update | ID = 20
Description =

Error - 07.05.2010 10:43:49 | Computer Name = *** | Source = Google Update | ID = 20
Description =

Error - 07.05.2010 15:46:51 | Computer Name = *** | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 10.05.2010 07:47:17 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 10.05.2010 14:20:39 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 10.05.2010 14:20:44 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 10.05.2010 15:41:03 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 11.05.2010 03:03:00 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 11.05.2010 03:03:09 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 11.05.2010 04:10:30 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 11.05.2010 04:10:44 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 11.05.2010 10:48:21 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 11.05.2010 10:48:30 | Computer Name = *** | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}


< End of report >
