
Log analysis and evaluation: Win32.fraudload.edt and laptop acting up

23.04.2010, 16:25   #1
Pipocas



Hello,

I'm hoping for your help. A friend of mine has various problems with her laptop. Firefox and Internet Explorer keep freezing, the computer simply shuts off, there has also been a bluescreen once, it beeps the whole time, AntiVir takes ages to finish a scan, and the internet connection keeps dropping (WLAN).
Spybot found the following: win32.fraudload.edt
But it cannot delete it.

Here is her log file

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:07:31, on 23.04.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://go.web.de/suchbox/webdesuche?su=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [FRITZ!protect] FwebProt.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [FRITZ!protect] FwebProt.exe (User 'Default user')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - hxxp://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - hxxp://www.pcwelt.de/_misc/bitdefender/scan8/oscan8.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\aestsrv.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Update Service (gupdate1ca2aef4d239b90) (gupdate1ca2aef4d239b90) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: AVM IGD CTRL Service (IGDCTRL) - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\STacSV.exe
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
 
--
End of file - 9505 bytes
         
Does anything stand out to you?
And how do you get rid of win32.fraudload.edt?
I have the feeling that more is wrong there.
Many thanks!

I can also offer a Malwarebytes log, made following your instructions.
It found something too.

Code:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
 
Datenbank Version: 4026
 
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
 
23.04.2010 17:57:59
mbam-log-2010-04-23 (17-57-59).txt
 
Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 108856
Laufzeit: 4 Minute(n), 24 Sekunde(n)
 
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 3
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0
 
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
 
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
 
Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\Typelib\{c20ee2d6-81c3-6a08-79c5-1989da43bc19} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d032570a-5f63-4812-a094-87d007c23012} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
 
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
 
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
 
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
 
Infizierte Dateien:
         
(Keine bösartigen Objekte gefunden)

23.04.2010, 18:29   #2
Pipocas



Sorry, I made the HijackThis log file before the Malwarebytes scan. Here is a new one. I can no longer edit my old post.

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:23:06, on 23.04.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://go.web.de/suchbox/webdesuche?su=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [FRITZ!protect] FwebProt.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [FRITZ!protect] FwebProt.exe (User 'Default user')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - hxxp://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - hxxp://www.pcwelt.de/_misc/bitdefender/scan8/oscan8.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\aestsrv.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Update Service (gupdate1ca2aef4d239b90) (gupdate1ca2aef4d239b90) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: AVM IGD CTRL Service (IGDCTRL) - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\STacSV.exe
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 9368 bytes
         
After the Malwarebytes scan, Spybot no longer finds Win32.fraudload.edt.
But maybe someone would still like to take a look.

Sorry again


24.04.2010, 10:22   #3
Sion



Start all programs via right-click "Run as administrator".

1. http://www.trojaner-board.de/74908-a...t-scanner.html
Post the log.

2. Get OTL
Start OTL
Copy the following into the script field at the bottom:

Quote:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
ndis.sys
ftdisk.sys
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

Close all other programs.
Click Quick Scan.
Post both logs - OTL.txt and Extras.txt (they are created in the same directory in which OTL was run).

26.04.2010, 15:25   #4
Pipocas



Hello!

Thanks for the reply.
After the scan with GMER a bluescreen appears, pfn-list corrupt. Even before the log file can be saved. During the scan the laptop beeps while it is scanning System32.
In safe mode, too, Windows reports a problem and closes the program.
Renaming GMER did not help either.
With great difficulty we created "half" a log file. Don't know whether it helps.


Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-26 15:46:55
Windows 6.0.6002 Service Pack 2
Running: rettemich.com; Driver: C:\Users\Franz\AppData\Local\Temp\pglcypog.sys


---- System - GMER 1.0.15 ----

SSDT   9D5459A4                                            ZwCreateThread
SSDT   9D545990                                            ZwOpenProcess
SSDT   9D545995                                            ZwOpenThread
SSDT   9D54599F                                            ZwTerminateProcess

Code   \??\C:\Windows\system32\drivers\aiplrquo.sys        ZwResumeThread [0x90604ADA]

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetEvent + 221                       820F2984 4 Bytes  [A4, 59, 54, 9D] {MOVSB ; POP ECX; PUSH ESP; POPF }
.text  ntkrnlpa.exe!KeSetEvent + 3F1                       820F2B54 4 Bytes  [90, 59, 54, 9D] {NOP ; POP ECX; PUSH ESP; POPF }
.text  ntkrnlpa.exe!KeSetEvent + 40D                       820F2B70 4 Bytes  [95, 59, 54, 9D] {XCHG EBP, EAX; POP ECX; PUSH ESP; POPF }
.text  ntkrnlpa.exe!KeSetEvent + 621                       820F2D84 4 Bytes  [9F, 59, 54, 9D] {LAHF ; POP ECX; PUSH ESP; POPF }
PAGE   ntkrnlpa.exe!ZwResumeThread                         822617A5 7 Bytes  JMP 90604ADE \??\C:\Windows\system32\drivers\aiplrquo.sys
.text  C:\Windows\system32\DRIVERS\nvlddmkm.sys            section is writeable [0x8F005340, 0x3E0487, 0xE8000020]
       C:\Program Files\Hewlett-Packard\Media\DVD\000.fcl  entry point in "" section [0xA311441C]
.clc   C:\Program Files\Hewlett-Packard\Media\DVD\000.fcl  unknown last code section [0xA3115000, 0x1000, 0xE0000020]
         

26.04.2010, 15:29   #5
Pipocas



Here is the OTL log file as an attachment.

Kind regards and thanks again!!


26.04.2010, 19:15   #6
Pipocas



OTL Extras:

Code:
OTL Extras logfile created on: 26.04.2010 16:08:24 - Run 1
OTL by OldTimer - Version 3.2.3.0     Folder = c:\Users\Franz\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 64,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 454,56 Gb Total Space | 271,13 Gb Free Space | 59,65% Space Free | Partition Type: NTFS
Drive D: | 11,20 Gb Total Space | 1,84 Gb Free Space | 16,46% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: FRANZ-PC
Current User Name: Franz
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02207246-4F3C-43C1-B3DA-E609C667758A}" = rport=137 | protocol=17 | dir=out | app=system | 
"{2804E73E-0FF6-4F60-9504-ADBF8F03B638}" = rport=139 | protocol=6 | dir=out | app=system | 
"{2F209019-BAD4-4849-905B-3D2FF35901E0}" = rport=138 | protocol=17 | dir=out | app=system | 
"{30CB5AC4-86BB-425E-8726-689EF6704E22}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | 
"{4C60C6F0-4006-479A-AC5F-58C12CA09F1D}" = rport=445 | protocol=6 | dir=out | app=system | 
"{623E5066-2F44-4AA1-BC88-6B0D02BC9CE1}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{7516D101-90F8-49E0-9864-0FE6B61FA2C1}" = lport=138 | protocol=17 | dir=in | app=system | 
"{BDCFED65-25BB-47EC-A90E-11C7412ADE26}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{C3AA5EB2-0798-498A-8B83-F3CDC48A20DF}" = lport=137 | protocol=17 | dir=in | app=system | 
"{CAFB905C-4A28-469A-9F4E-171BDA7E9CF5}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{E6D443E7-31CB-4E69-B92A-73D1F6A58ECF}" = lport=139 | protocol=6 | dir=in | app=system | 
"{F7E36FDB-495C-4514-A5D2-0461E89B8E66}" = lport=445 | protocol=6 | dir=in | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{06FAC55D-6D39-4EA2-820F-5ED6448533A9}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{0AA754AE-3C36-4E75-8FD3-8DBAE29997A0}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartmusic.exe | 
"{0E7577F4-9C86-4DD9-8F3B-C4FDA0D50F36}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\kernel\clml\clmlsvc.exe | 
"{1221E528-364F-4479-9380-E3B91F6C99C8}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe | 
"{128F0C7E-6386-4F1F-8DE9-12CC16EE57F8}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\tsmagent.exe | 
"{13FB7EE9-194D-48B1-A2AF-0C1F770A392B}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | 
"{2B759265-0FAF-419D-9D94-841FAB2AD748}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hpdvdsmart.exe | 
"{3124E067-D4AF-4C1C-A5AF-B8341F8CEF21}" = dir=in | app=c:\program files\skype\phone\skype.exe | 
"{313F0AA4-7012-4777-AD96-337B93E3EBC5}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{380905D5-9744-446E-97A0-756CBB92789D}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartvideo.exe | 
"{384F0801-8E6B-4937-9B75-7B5A43B32A96}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{3BEEE0A7-0B01-4B9D-ACC2-DDA75692A12B}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartvideo.exe | 
"{3D6204E4-3900-4AEE-8762-6E3757FACE96}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{3F9CB834-3040-4606-B636-D9BD3243E7F8}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{41482EAE-F8C8-48E0-9C10-A27B0E495710}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartphoto.exe | 
"{4282502B-60A4-48D2-9321-85778B695B85}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | 
"{43FE02D4-A2C7-4E98-8687-4C21A55D49C1}" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | 
"{51C43DA1-4C2A-4194-A22C-B186CC20FD10}" = dir=in | app=c:\program files\hewlett-packard\media\tv\qpservice.exe | 
"{5ABE8BA7-7D70-4530-BF8A-4472A105A094}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | 
"{5CDE8FC5-ED5E-4EEB-8D53-91BA3C0DE850}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\tsmagent.exe | 
"{64E10C38-1707-41C5-B640-FB4850601446}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartmusic.exe | 
"{89995A93-826D-400D-A06B-6994E1DF1C0C}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartphoto.exe | 
"{9DE4CB89-5A8D-490F-8BCB-8C512DAE5384}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | 
"{ABABE1C2-5BD4-46A5-A669-3117048D01DA}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{B52772B2-3180-4CCB-BD7A-D1BF0688E04D}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | 
"{BDF43BB3-D7ED-4BC0-9F69-5A059AEC9C3F}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\kernel\clml\clmlsvc.exe | 
"{C29E06AC-A8E4-472E-BF70-46CBDF6FB2B1}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{C4293751-4FAA-4EC6-996A-05F448296343}" = dir=in | app=c:\program files\hewlett-packard\media\tv\qp.exe | 
"{CE61EBD4-8DAF-4592-AF60-BC4ADDA95743}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | 
"{CEA7E5D6-6D3C-4315-944D-879B89CBEF93}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | 
"{D05A2959-FF80-4652-AF43-D790E875D6BE}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | 
"{D81F9ED3-D27B-4CB0-AEFC-A86346AC5F00}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{E1FF77C6-5191-4B4F-A280-D797AE228E52}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | 
"{EBD8E55B-5DD4-4909-836B-7AEF2B344FAD}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | 
"{F3A0A009-5D65-4B68-B3FF-7881A0C1AB3C}" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | 
"{F5AC493D-EF0B-4D68-8A2A-CBB9A9CB80AE}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | 
"{F5C622AB-44FA-4E02-8987-379BDA6C4BF5}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | 
"{FC6A6FA8-2AE2-41D7-B387-564F51E2A080}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{FE0F81B1-7FE8-4653-B02D-9B47251BC326}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"TCP Query User{06D5AAD8-F330-4597-94EE-177BF62A1AF7}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"TCP Query User{71D1894F-CB5F-48A5-9FA2-8DCCA7E3DEA1}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 
"TCP Query User{76664820-624C-4C98-B00B-E2C2C0FA64E7}C:\users\franz\documents\desktop\sopcast\sopcast.exe" = protocol=6 | dir=in | app=c:\users\franz\documents\desktop\sopcast\sopcast.exe | 
"TCP Query User{78330666-3619-424A-8A05-A1C855DAFD7F}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"TCP Query User{B0AA524C-CB4E-4EAB-BEDA-F7B66944F72D}C:\program files\windows sidebar\sidebar.exe" = protocol=6 | dir=in | app=c:\program files\windows sidebar\sidebar.exe | 
"TCP Query User{B16AAE83-B05D-4B73-9B8B-CBBD5FB02851}C:\users\franz\documents\desktop\routerclient.exe" = protocol=6 | dir=in | app=c:\users\franz\documents\desktop\routerclient.exe | 
"TCP Query User{FC9B4AA7-F313-4342-A317-4F49B17D6A43}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 
"TCP Query User{FCC2BF21-A5F6-47DA-A58A-CBADFC21018A}C:\users\franz\documents\desktop\sopcast\adv\sopadver.exe" = protocol=6 | dir=in | app=c:\users\franz\documents\desktop\sopcast\adv\sopadver.exe | 
"UDP Query User{5987C3D1-524D-477D-BDEB-D2F732F8C4BA}C:\program files\windows sidebar\sidebar.exe" = protocol=17 | dir=in | app=c:\program files\windows sidebar\sidebar.exe | 
"UDP Query User{5C64A20E-9E18-41E4-9799-1F7819ED62F7}C:\users\franz\documents\desktop\routerclient.exe" = protocol=17 | dir=in | app=c:\users\franz\documents\desktop\routerclient.exe | 
"UDP Query User{6DD3BAF2-9A97-47F8-9C43-F9058DAC1DCB}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"UDP Query User{6FA46BF1-717D-4381-B4E2-B7C1670A1CE3}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 
"UDP Query User{7DC1ECF4-F874-41F0-9C0D-BDF0C9D45F1E}C:\users\franz\documents\desktop\sopcast\adv\sopadver.exe" = protocol=17 | dir=in | app=c:\users\franz\documents\desktop\sopcast\adv\sopadver.exe | 
"UDP Query User{BC9569A2-01D1-41E4-9D1A-82D6E008A5C4}C:\users\franz\documents\desktop\sopcast\sopcast.exe" = protocol=17 | dir=in | app=c:\users\franz\documents\desktop\sopcast\sopcast.exe | 
"UDP Query User{D70D6D0F-C425-4B69-96FC-B1E886C170A0}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 
"UDP Query User{FDC8C7CB-B10F-4FC8-925D-C2D5BE4009AE}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = HP MediaSmart Webcam
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{08C0729E-3E50-11DF-9D81-005056806466}" = Google Earth
"{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}" = LightScribe System Software  1.14.17.1
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{149BBCB8-674F-48D2-969C-9D0EA88DA7D6}" = HP User Guides 0129
"{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}" = HP Total Care Advisor
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check for Health Check
"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron JMB38X Flash Media Controller
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 17
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{30D3B7BC-5798-45D9-822D-05CA18F39E99}" = HPTCSSetup
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{332CC6BF-E6C7-48EE-BA3D-435E576AD67F}" = PaperPort Image Printer
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4C3EF687-803F-4825-B815-04AE32DDEB41}" = YAVIDO
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements
"{5DAA9C36-8F8B-462F-8CCA-E205BC3751F5}" = HP Active Support Library
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
"{67626E09-5366-4480-8F1E-93FADF50CA15}" = HP MediaSmart TV
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74A929E2-FBD8-4736-A84E-2ABBB2ABADF2}" = AVM FRITZ!DSL
"{7617FC2E-EA1B-4F07-A0F5-5D5F437CB32D}" = MioMore Desktop 2008
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{99E862CC-6F69-4D39-99AA-DBF71BF3B585}" = OpenOffice.org 3.1
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{9B8E1C10-3952-48D3-BC66-F223DDC3A556}" = Firefox 3.6 WEB.DE Edition
"{A3FEC306-FBFF-4B0D-95B9-F9C67C65079E}" = Brother MFL-Pro Suite
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.2 - Deutsch
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B6C89654-A6A2-477C-873B-724EC1C56407}" = ScanSoft PaperPort 11
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CB71A20E-B1B4-4562-81FA-33E1DBD0342F}" = ProtectSmart Hard Drive Protection
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{EFC5939F-470F-454E-B3DA-F51FDD83F6CE}" = HP MediaSmart SmartMenu
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"5D38134BF8A10D640B30E6B014EECDBC5F881E3D" = Windows Driver Package - ENE (enecir) HIDClass  (04/29/2008 2.5.0.0)
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ALUpdate_is1" = ALTools Update
"ALZip_is1" = ALZip
"Ashampoo Burning Studio 6 FREE_is1" = Ashampoo Burning Studio 6 FREE
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.11 (Unicode)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Shrink_is1" = DVD Shrink 3.1.7
"Firebird SQL Server D" = Firebird SQL Server - MAGIX Edition
"Firefox 3.6 WEB.DE Edition" = Firefox 3.6 WEB.DE Edition
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = HP MediaSmart Webcam
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{67626E09-5366-4480-8F1E-93FADF50CA15}" = HP MediaSmart TV
"InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McDonald's Fairies " = McDonald's Fairies
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mufin MusicFinder Base D" = Mufin MusicFinder Base 1.5.3.250 (D)
"NVIDIA Drivers" = NVIDIA Drivers
"PlagiarismFinder 2.0" = PlagiarismFinder 2.0
"SecureW2 EAP Suite" = SecureW2 EAP Suite 1.0.6 for Windows
"softonic-de3 Toolbar" = softonic-de3 Toolbar
"SopCast" = SopCast 3.2.9
"Streamripper" = Streamripper (Remove only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VLC media player 0.9.9
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
"XMedia Recode" = XMedia Recode 2.2.1.6
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 23.04.2010 10:35:25 | Computer Name = Franz-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 23.04.2010 10:35:25 | Computer Name = Franz-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 23.04.2010 12:19:02 | Computer Name = Franz-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 23.04.2010 12:19:14 | Computer Name = Franz-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 23.04.2010 12:19:14 | Computer Name = Franz-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 23.04.2010 12:21:48 | Computer Name = Franz-PC | Source = EventSystem | ID = 4609
Description = 
 
Error - 23.04.2010 12:22:26 | Computer Name = Franz-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 23.04.2010 12:37:20 | Computer Name = Franz-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 23.04.2010 12:37:38 | Computer Name = Franz-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 23.04.2010 12:37:38 | Computer Name = Franz-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
[ System Events ]
Error - 26.04.2010 09:51:49 | Computer Name = Franz-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 26.04.2010 09:51:49 | Computer Name = Franz-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 26.04.2010 09:51:53 | Computer Name = Franz-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 26.04.2010 09:55:12 | Computer Name = Franz-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 26.04.2010 09:56:01 | Computer Name = Franz-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 26.04.2010 09:57:26 | Computer Name = Franz-PC | Source = Service Control Manager | ID = 7031
Description = 
 
Error - 26.04.2010 09:59:47 | Computer Name = Franz-PC | Source = PlugPlayManager | ID = 12
Description = Das Gerät "JMB38X SD/MMC Host Controller" (PCI\VEN_197B&DEV_2382&SUBSYS_30F4103C&REV_00\4&120488ab&0&01E4)
 wurde ohne vorbereitende Maßnahmen vom System entfernt.
 
Error - 26.04.2010 09:59:47 | Computer Name = Franz-PC | Source = PlugPlayManager | ID = 12
Description = Das Gerät "JMB38X SD Host Controller" (PCI\VEN_197B&DEV_2381&SUBSYS_30F4103C&REV_00\4&120488ab&0&02E4)
 wurde ohne vorbereitende Maßnahmen vom System entfernt.
 
Error - 26.04.2010 09:59:47 | Computer Name = Franz-PC | Source = PlugPlayManager | ID = 12
Description = Das Gerät "JMB38X MS Host Controller" (PCI\VEN_197B&DEV_2383&SUBSYS_30F4103C&REV_00\4&120488ab&0&03E4)
 wurde ohne vorbereitende Maßnahmen vom System entfernt.
 
Error - 26.04.2010 09:59:47 | Computer Name = Franz-PC | Source = PlugPlayManager | ID = 12
Description = Das Gerät "JMB38X xD Host Controller" (PCI\VEN_197B&DEV_2384&SUBSYS_30F4103C&REV_00\4&120488ab&0&04E4)
 wurde ohne vorbereitende Maßnahmen vom System entfernt.
 
 
< End of report >
         

26.04.2010, 19:56   #7
Sion

Looks like a rootkit. But half a log like this is not a good basis. Let's try a different scanner:

1. Get Sophos Anti-Rootkit. Registration is required. You will get an installer file, sarsfx.exe.
  • Run it, accept the license and let the program install; do not change the path C:\SOPHTEMP.
  • Go to that folder in Explorer and start sargui.exe, then close all other programs.
  • Leave everything checked under Area and start the scan with "Start scan". The scan takes a while; when it is finished, a window pops up with a summary, click "Ok" there. Close the Sophos rootkit scanner; this scan is for analysis only.
  • Start Explorer and type "%temp%" into the address bar (without the quotation marks); there is a file sarscan.log there, please post its contents.

27.04.2010, 10:01   #8
Pipocas

Here is the log file from Sophos!

Code:
Sophos Anti-Rootkit Version 1.5.0  (c) 2009 Sophos Plc
Started logging on 27.04.2010 at 08:59:03
User "Franz" on computer "FRANZ-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 Win32
Info:	Starting process scan.
Info:	Starting registry scan.
Hidden:	registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409
Info:	Starting disk scan of C: (NTFS).
Hidden:	file C:\Users\Franz\Downloads\[Torrentsworld.net] - Jamie Foxx Ft Timbaland-I Dont Need It-Promo CDS-2009-XXL.torrent 
Hidden:	file C:\Users\Franz\AppData\Roaming\Skype\XX_XX\etilqs_qeQ01E18y8YJgLR87oUM
Info:	Starting disk scan of D: (NTFS).
Info:	Starting disk scan of G: (FAT).
Stopped logging on 27.04.2010 at 10:13:45
         

27.04.2010, 19:55   #9
Sion

Hm, let's try it this way:

1. Get Avenger
Unpack Avenger to the desktop.
Start Avenger.
Tick both checkboxes at the bottom.
Copy the following into the script field:

Quote:
files to delete:
C:\Users\Franz\Downloads\[Torrentsworld.net] - Jamie Foxx Ft Timbaland-I Dont Need It-Promo CDS-2009-XXL.torrent
C:\Users\Franz\AppData\Roaming\Skype\XX_XX\etilqs_qeQ01E18y8YJgLR87oUM

drivers to delete:
aiplrquo
Click Execute.
Allow the restart.
After the restart a log should be displayed; post it.

27.04.2010, 20:13   #10
Pipocas

Will do.
Quote:
C:\Users\Franz\AppData\Roaming\Skype\XX_XX\etilqs_qeQ01E18y8YJgLR87oUM
Here I replaced the Skype username with XX_XX. Just FYI.

27.04.2010, 20:27   #11
Pipocas

While booting there was briefly a blue screen; unfortunately it was too fast to read.
Windows did not boot on its own, but offered the option to start "with Startup Repair" or normally.
Here it is:

Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\Users\Franz\Downloads\[Torrentsworld.net] - Jamie Foxx Ft Timbaland-I Dont Need It-Promo CDS-2009-XXL.torrent" not found!
Deletion of file "C:\Users\Franz\Downloads\[Torrentsworld.net] - Jamie Foxx Ft Timbaland-I Dont Need It-Promo CDS-2009-XXL.torrent" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\Users\Franz\AppData\Roaming\Skype\XX_XX\etilqs_qeQ01E18y8YJgLR87oUM" deleted successfully.
Driver "aiplrquo" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
         

27.04.2010, 21:01   #12
Sion

So.. We deleted something; the question is what it was. Please check whether a file named aiplrquo.sys can be found under C:\Windows\system32\drivers\ and, if so, upload it to VirusTotal. Then post the link to the analysis result.

1. http://www.trojaner-board.de/51187-a...i-malware.html (Quick Scan)
Remember to remove any findings (see the guide).
Post the log (if anything is found).

2. Try running GMER once more; maybe we got the right thing and it works now.


Quote:
Here I replaced the Skype username with XX_XX. Just FYI.
By the way, we may have broken Skype. I wouldn't know why there should be hidden files in Skype, so it was killed. Check whether Skype still works. Later, also check whether Windows starts normally.
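
The reconciliation done by eye in the post above, as an added example that is not part of the thread: it matches the "Hidden:" entries of the Sophos Anti-Rootkit log against the outcomes in the Avenger log, so that the one deletion no scanner entry accounts for (the driver) stands out. The sample lines are copied from the two logs quoted in this thread; the function names and report keys are made up for the example.

```python
import re

# Sample input: lines copied from the Sophos Anti-Rootkit log quoted in this thread.
SOPHOS_LOG = r"""
Info:   Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409
Info:   Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Franz\Downloads\[Torrentsworld.net] - Jamie Foxx Ft Timbaland-I Dont Need It-Promo CDS-2009-XXL.torrent
Hidden: file C:\Users\Franz\AppData\Roaming\Skype\XX_XX\etilqs_qeQ01E18y8YJgLR87oUM
"""

# Sample input: lines copied from the Avenger log quoted in this thread.
AVENGER_LOG = r"""
Error:  file "C:\Users\Franz\Downloads\[Torrentsworld.net] - Jamie Foxx Ft Timbaland-I Dont Need It-Promo CDS-2009-XXL.torrent" not found!
Deletion of file "C:\Users\Franz\Downloads\[Torrentsworld.net] - Jamie Foxx Ft Timbaland-I Dont Need It-Promo CDS-2009-XXL.torrent" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\Users\Franz\AppData\Roaming\Skype\XX_XX\etilqs_qeQ01E18y8YJgLR87oUM" deleted successfully.
Driver "aiplrquo" deleted successfully.
"""

# "Hidden:" lines carry the item type ("registry item" or "file") and its path.
HIDDEN_RE = re.compile(r'^Hidden:[ \t]+(registry item|file)[ \t]+(.+?)[ \t]*$', re.M)
OK_RE = re.compile(r'^(File|Driver) "(.+)" deleted successfully\.$')
# Assumption: failures for other object types use the same wording as for files.
FAIL_RE = re.compile(r'^Deletion of (\w+) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+) \((\w+)\)$')


def parse_sophos_hidden(text):
    """Return [(kind, path)] for every item the scanner reported as hidden.
    Trailing whitespace is stripped so names compare equal across tools."""
    return [(m.group(1), m.group(2)) for m in HIDDEN_RE.finditer(text)]


def parse_avenger_results(text):
    """Return one dict per object Avenger acted on, with outcome and NT status."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if m := OK_RE.match(line):
            results.append({"kind": m.group(1).lower(), "name": m.group(2),
                            "outcome": "deleted", "status": None})
        elif m := FAIL_RE.match(line):
            results.append({"kind": m.group(1).lower(), "name": m.group(2),
                            "outcome": "failed", "status": None})
        elif (m := STATUS_RE.match(line)) and results and results[-1]["outcome"] == "failed":
            # The status line belongs to the failure reported just before it.
            results[-1]["status"] = m.group(2)
    return results


def reconcile(hidden, results):
    """Match scanner findings to removal outcomes (Windows paths: case-insensitive)."""
    by_name = {r["name"].lower(): r for r in results if r["kind"] == "file"}
    hidden_files = {path.lower() for kind, path in hidden if kind == "file"}
    report = {"removed": [], "failed": [], "not_targeted": [], "unlisted": []}
    for kind, path in hidden:
        r = by_name.get(path.lower()) if kind == "file" else None
        if r is None:
            report["not_targeted"].append(path)       # reported hidden, never acted on
        elif r["outcome"] == "deleted":
            report["removed"].append(path)
        else:
            report["failed"].append((path, r["status"]))
    for r in results:
        listed = r["kind"] == "file" and r["name"].lower() in hidden_files
        if r["outcome"] == "deleted" and not listed:
            # Deleted although no scanner entry named it: identify this one afterwards.
            report["unlisted"].append((r["kind"], r["name"]))
    return report


if __name__ == "__main__":
    report = reconcile(parse_sophos_hidden(SOPHOS_LOG), parse_avenger_results(AVENGER_LOG))
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```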

27.04.2010, 21:07   #13
Pipocas

Skype still works, let's see what the long-term test says.
The rest will be taken care of.

28.04.2010, 08:21   #14
Pipocas

OK, found the file, here is the link:

hxxp://www.virustotal.com/de/analisis/04ba5eaa2571df1d3db45ced75a0ea47647993bfb8ce6a33f9f080e659f54590-1272435206

GMER still causes a bluescreen.
In Safe Mode a notice appears
that the program GMER cannot continue running. Without a bluescreen.
Malwarebytes finds nothing.
Windows started normally again.
Regards and thanks!

28.04.2010, 10:31   #15
Sion

Does AIPTEK PocketCinema mean anything to you? It was probably a driver for that.

Let's do one more, then that's enough of the rootkit hunt; GMER sometimes just doesn't run.

http://www.trojaner-board.de/85306-anleitung-osam.html (creating the log file)

How is the computer doing, by the way?
