
Pests of all kinds and how to fight them: Tr/psw papras ab


27.07.2010, 17:05   #1
RealSnapshot

Hello,

it looks like I have caught a Trojan... Since I have no idea about this area, I am asking for help here.

Please tell me which logs from which programs you need to get rid of it.

Thanks in advance.

27.07.2010, 17:08   #2
Angel21

Hello

Work through the following list:

1.) Download Malwarebytes. After installing and updating it, start the Quick Scan function and scan your PC. Please remove everything it finds.

2.) Custom scan with OTL

If you do not have it yet, please download OTL by OldTimer and save it to your desktop
  • Please start OTL.exe.
    Vista and Win7 users: right-click and choose "Run as administrator"
  • Now copy the content into the text box.
Code:
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
  • Now please close all programs. (Important)
  • Now please click the Quick Scan button.
  • Click on .
  • Now copy the content of OTL.txt and Extras.txt into your thread here

3.) Run a scan with GMER according to the instructions.

Postings from you:
-OTL logs
-Malwarebytes log file (found under the Scan Reports tab at the top)
-GMER log

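A first pass over the OTL.txt requested in step 2 can be automated before a helper reads it by hand. The following Python script is an added example; it is not code from this thread, from OldTimer's OTL or from Trojaner-Board. It parses a few constructed sample lines in OTL's format (O4 autostart entries, O6 UAC policy values and DRV driver-service lines), flags the entries a reviewer would look at more closely, and leaves the judgement to the reader. The sample lines, the heuristics and the function names are this example's own assumptions, not OTL's.

```python
"""Triage helper for OTL-style log lines (added example, not part of the thread or of OTL)."""
import re

# Constructed sample lines modelled on the OTL.txt format. The paths and entry
# names are made up for this example and are not taken from a real scan.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [Updater] C:\Users\Example\AppData\Local\Temp\updater.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Example\AppData\Local\Temp\catchme.sys -- (catchme)
O1 - Hosts: 127.0.0.1       localhost
"""

# O4 lines: "O4 - <hive>..\<key>: [<name>] <path> (<company name from version info>)"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] "
    r"(?P<path>.+?) \((?P<publisher>[^)]*)\)$"
)
# O6 lines with a "<value> = <data>" pair (the "... present" variant is skipped).
O6_RE = re.compile(r"^O6 - (?P<key>.+?): (?P<value>\w+) = (?P<data>\S+)$")
# Driver-service entries whose backing file OTL could not find on disk.
DRV_MISSING_RE = re.compile(
    r"^DRV - File not found .*-- (?P<path>.+?) -- \((?P<service>[^)]+)\)$"
)

# UAC policy values that weaken the default Windows 7 configuration.
# (Assumed mapping for this example: value -> (weak data, explanation).)
UAC_WEAK = {
    "EnableLUA": ("0", "UAC is switched off"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators are elevated without any prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts are not shown on the secure desktop"),
}


def triage_otl(text: str) -> list[dict]:
    """Return a list of findings; each is a dict with category, item, reason and the raw line."""
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()

        m = O4_RE.match(line)
        if m:
            reasons = []
            if not m["publisher"].strip():
                reasons.append("no company name in the file's version information")
            if re.search(r"\\Temp\\", m["path"], re.IGNORECASE):
                reasons.append("autostart entry runs from a temp directory")
            for reason in reasons:
                findings.append({"category": "autorun", "item": m["name"],
                                 "reason": reason, "line": line})
            continue

        m = O6_RE.match(line)
        if m:
            weak = UAC_WEAK.get(m["value"])
            if weak and m["data"] == weak[0]:
                findings.append({"category": "uac", "item": m["value"],
                                 "reason": weak[1], "line": line})
            continue

        m = DRV_MISSING_RE.match(line)
        if m:
            findings.append({"category": "driver", "item": m["service"],
                             "reason": "service entry whose driver file is missing "
                                       "(often a leftover, but worth confirming)",
                             "line": line})
    return findings


def count_by_category(findings: list[dict]) -> dict:
    """Summarise how many findings fall into each category."""
    counts: dict = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_OTL):
        print(f"[{f['category']}] {f['item']}: {f['reason']}")
    print(count_by_category(triage_otl(SAMPLE_OTL)))
```

The script only surfaces candidates: an autostart entry without a company name is often a small legitimate tool, and a "File not found" driver entry is frequently a leftover from an earlier scanner, so each hit still needs the human reading that the thread asks for.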
27.07.2010, 17:38   #3
RealSnapshot

OTL Logfile:
Code:
OTL logfile created on: 27.07.2010 18:34:36 - Run 1
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Users\Snapshot\Downloads
 Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 70,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 77,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68,74 Gb Total Space | 50,48 Gb Free Space | 73,43% Space Free | Partition Type: NTFS
Drive D: | 50,01 Gb Total Space | 25,33 Gb Free Space | 50,66% Space Free | Partition Type: NTFS
Drive E: | 114,14 Gb Total Space | 41,94 Gb Free Space | 36,75% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: SNAPSHOT-PC
Current User Name: Snapshot
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2010.07.27 18:28:43 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Snapshot\Downloads\OTL.exe
PRC - [2010.07.21 22:03:31 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2009.10.31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.09.27 17:48:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009.09.08 09:48:55 | 000,066,048 | ---- | M] (PostgreSQL Global Development Group) -- D:\PostgreSQL\8.4\bin\pg_ctl.exe
PRC - [2009.09.08 09:47:07 | 004,513,792 | ---- | M] (PostgreSQL Global Development Group) -- D:\PostgreSQL\8.4\bin\postgres.exe
PRC - [2009.09.05 18:29:06 | 000,385,024 | ---- | M] (shbox.de) -- C:\Programme\FreePDF_XP\fpassist.exe
PRC - [2009.07.21 15:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2009.07.14 03:14:47 | 001,121,280 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2009.07.14 03:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009.07.14 03:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009.05.13 17:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2009.05.07 03:01:00 | 001,904,640 | ---- | M] (AVM Berlin) -- C:\Programme\avmwlanstick\WLanGUI.exe
PRC - [2009.05.07 03:01:00 | 000,368,640 | ---- | M] (AVM Berlin) -- C:\Programme\avmwlanstick\WLanNetService.exe
PRC - [2009.03.02 14:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009.01.08 17:10:00 | 000,187,456 | ---- | M] (DATA BECKER GmbH & Co KG) -- C:\Programme\Common Files\DATA BECKER Shared\DBService.exe
PRC - [2005.12.18 15:18:56 | 000,307,200 | ---- | M] (Team H2O) -- C:\Programme\Syncrosoft\POS\H2O\cledx.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010.07.27 18:28:43 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Snapshot\Downloads\OTL.exe
MOD - [2009.07.14 03:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009.07.14 03:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009.07.14 03:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009.07.14 03:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009.07.14 03:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009.07.14 03:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009.07.14 03:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009.07.14 03:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009.07.14 03:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009.07.14 03:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009.07.14 03:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009.07.14 03:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2009.12.15 22:07:16 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- E:\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009.09.27 17:48:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009.09.08 09:48:55 | 000,066,048 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- D:\PostgreSQL\8.4\bin\pg_ctl.exe -- (postgresql-8.4)
SRV - [2009.07.21 15:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.07.16 17:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009.07.14 03:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009.07.14 03:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009.07.14 03:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009.07.14 03:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009.07.14 03:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009.07.14 03:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009.07.14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009.07.14 03:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009.07.14 03:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.07.14 03:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009.07.14 03:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009.07.14 03:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009.07.14 03:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009.07.14 03:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009.07.14 03:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX-Installer (AxInstSV)
SRV - [2009.07.14 03:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009.07.14 03:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009.05.13 17:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009.05.07 03:01:00 | 000,368,640 | ---- | M] (AVM Berlin) [Auto | Running] -- C:\Programme\avmwlanstick\WLanNetService.exe -- (AVM WLAN Connection Service)
SRV - [2009.01.08 17:10:00 | 000,187,456 | ---- | M] (DATA BECKER GmbH & Co KG) [Auto | Running] -- C:\Programme\Common Files\DATA BECKER Shared\DBService.exe -- (DBService)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Snapshot\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010.03.12 19:45:40 | 000,139,128 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PnkBstrK.sys -- (PnkBstrK)
DRV - [2009.12.11 09:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009.12.09 18:35:49 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009.11.08 17:39:06 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2009.09.27 17:12:22 | 009,509,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009.08.13 23:09:58 | 000,060,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\xusb21.sys -- (xusb21)
DRV - [2009.07.14 03:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009.07.14 03:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009.07.14 03:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009.07.14 03:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009.07.14 03:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009.07.14 03:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009.07.14 03:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009.07.14 03:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009.07.14 03:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009.07.14 03:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009.07.14 03:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009.07.14 03:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009.07.14 03:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009.07.14 03:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009.07.14 03:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009.07.14 03:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009.07.14 03:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009.07.14 03:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009.07.14 03:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009.07.14 03:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009.07.14 03:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009.07.14 03:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009.07.14 03:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009.07.14 03:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009.07.14 03:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009.07.14 03:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009.07.14 03:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009.07.14 03:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009.07.14 03:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009.07.14 03:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009.07.14 03:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009.07.14 03:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009.07.14 03:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009.07.14 03:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009.07.14 03:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009.07.14 03:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009.07.14 03:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009.07.14 03:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009.07.14 03:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009.07.14 03:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009.07.14 03:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009.07.14 02:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC-Seriellschnittstellentreiber (WDM)
DRV - [2009.07.14 02:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009.07.14 02:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009.07.14 01:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009.07.14 01:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009.07.14 01:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009.07.14 01:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009.07.14 01:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009.07.14 01:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009.07.14 01:51:23 | 000,080,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB-Audiotreiber (WDM)
DRV - [2009.07.14 01:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009.07.14 01:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009.07.14 01:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009.07.14 01:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009.07.14 01:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009.07.14 01:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009.07.14 01:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009.07.14 01:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009.07.14 01:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009.07.14 01:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009.07.14 01:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009.07.14 00:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009.07.14 00:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm) Brother MFC-nur-Fax-Modem (USB)
DRV - [2009.07.14 00:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer) Brother MFC-WDM-Treiber (USB,seriell)
DRV - [2009.07.14 00:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm) Brother WDM-Treiber (seriell)
DRV - [2009.07.14 00:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009.07.14 00:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009.07.14 00:02:50 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2009.07.14 00:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009.07.14 00:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009.07.14 00:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009.05.11 11:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.05.07 03:01:00 | 000,265,088 | ---- | M] (AVM GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\fwlanusb.sys -- (FWLANUSB)
DRV - [2009.03.30 11:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009.03.02 00:05:32 | 000,139,776 | ---- | M] (Realtek Corporation                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2009.02.13 13:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2005.05.09 21:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cledx.sys -- (CLEDX)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C4 FC 8D E1 22 60 CA 01  [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.21 22:03:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.22 10:52:09 | 000,000,000 | ---D | M]
 
[2009.11.08 05:31:36 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\mozilla\Extensions
[2009.11.08 05:31:36 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\mozilla\Firefox\Profiles\rmejjtr4.default\extensions
[2010.07.27 17:26:58 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.07.22 10:29:31 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010.07.22 10:52:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.04.12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2008.02.22 17:24:06 | 000,095,832 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\NPPDLicenseHelper.dll
[2010.01.07 23:35:19 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.01.07 23:35:19 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.01.07 23:35:19 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.01.07 23:35:19 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.01.07 23:35:19 | 000,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2010.07.27 17:41:01 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\WLanGUI.exe (AVM Berlin)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [H2O] C:\Programme\Syncrosoft\POS\H2O\cledx.exe (Team H2O)
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [ICQ] C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.220.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
 
========== Files/Folders - Created Within 90 Days ==========
 
[2010.07.27 18:20:29 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\Malwarebytes
[2010.07.27 18:20:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.07.27 18:20:14 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.07.27 18:20:14 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.07.27 18:20:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.07.27 18:16:02 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010.07.27 18:09:48 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Documents\Simply Super Software
[2010.07.27 18:09:10 | 000,000,000 | ---D | C] -- C:\Programme\Trojan Remover
[2010.07.27 18:09:10 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\Simply Super Software
[2010.07.27 18:09:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Simply Super Software
[2010.07.27 17:43:10 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010.07.27 17:42:24 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010.07.27 17:32:49 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010.07.27 17:32:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010.07.27 17:32:49 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010.07.27 17:29:44 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010.07.27 17:26:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.07.27 17:26:04 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010.07.25 20:32:09 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Steam
[2010.07.25 20:32:08 | 000,000,000 | ---D | C] -- C:\Programme\Steam
[2010.07.22 11:24:29 | 000,000,000 | ---D | C] -- C:\Programme\RVG Software
[2010.07.22 10:52:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010.07.22 10:52:23 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Java
[2010.07.22 10:33:07 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\skypePM
[2010.07.22 10:29:38 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\Skype
[2010.07.22 10:29:08 | 000,000,000 | R--D | C] -- C:\Programme\Skype
[2010.07.22 10:29:08 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Skype
[2010.07.22 10:29:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2010.07.21 17:50:25 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\TeamViewer
[2010.07.15 15:27:02 | 000,000,000 | ---D | C] -- C:\Programme\PSQLINSTALL
[2010.07.15 13:43:25 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\postgresql
[2010.07.01 19:17:48 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Documents\Soulseek Chat Logs
[2010.06.11 14:20:41 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Desktop\HHMiner_V1_21
[2010.06.11 09:26:10 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Local\Microsoft Games
[2010.06.03 16:23:58 | 000,000,000 | ---D | C] -- C:\Programme\TableScan Turbo
[2010.05.29 13:37:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Soulseek
[2010.05.29 13:37:35 | 000,000,000 | ---D | C] -- C:\Programme\SoulseekNS
[2010.05.25 16:22:52 | 000,000,000 | ---D | C] -- C:\Programme\PokerStove
[2010.05.15 04:17:34 | 000,000,000 | ---D | C] -- C:\HMArchive
[2010.05.15 02:41:00 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Local\Boss Media
[2010.05.15 02:41:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Boss Media
[2010.05.08 10:52:07 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\runic games
[2010.05.06 23:48:51 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Documents\CAPCOM
[2010.05.04 22:52:17 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Documents\Settlers7
[2010.05.04 22:42:34 | 000,000,000 | ---D | C] -- C:\Programme\Ubisoft
[2010.05.03 18:52:51 | 000,000,000 | ---D | C] -- C:\Programme\uTorrent
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 90 Days ==========
 
[2010.07.27 18:34:33 | 002,097,152 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat
[2010.07.27 18:04:54 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010.07.27 18:04:54 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010.07.27 17:59:44 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.07.27 17:59:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.07.27 17:59:39 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2010.07.27 17:57:00 | 002,185,398 | -H-- | M] () -- C:\Users\Snapshot\AppData\Local\IconCache.db
[2010.07.27 17:41:07 | 000,000,243 | ---- | M] () -- C:\Windows\system.ini
[2010.07.27 17:41:01 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010.07.26 12:34:23 | 000,027,003 | ---- | M] () -- C:\Users\Snapshot\Documents\Kündigung.docx
[2010.07.26 11:47:07 | 000,047,104 | ---- | M] () -- C:\Windows\System32\forficli.dll
[2010.07.26 11:46:21 | 000,000,913 | ---- | M] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2010.07.26 10:55:57 | 000,001,021 | ---- | M] () -- C:\Users\Public\Desktop\Full Tilt Poker.lnk
[2010.07.25 20:32:08 | 000,002,527 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2010.07.25 20:14:50 | 000,000,471 | ---- | M] () -- C:\Windows\System32\Datei4
[2010.07.25 20:14:50 | 000,000,471 | ---- | M] () -- C:\Windows\System32\Datei2
[2010.07.25 20:14:50 | 000,000,470 | ---- | M] () -- C:\Windows\System32\Datei3
[2010.07.25 20:14:50 | 000,000,470 | ---- | M] () -- C:\Windows\System32\Datei1
[2010.07.25 20:14:50 | 000,000,469 | ---- | M] () -- C:\Windows\System32\Datei7
[2010.07.25 20:14:50 | 000,000,469 | ---- | M] () -- C:\Windows\System32\Datei5
[2010.07.25 20:14:50 | 000,000,468 | ---- | M] () -- C:\Windows\System32\Datei0
[2010.07.25 20:14:50 | 000,000,467 | ---- | M] () -- C:\Windows\System32\Datei9
[2010.07.25 20:14:50 | 000,000,467 | ---- | M] () -- C:\Windows\System32\Datei8
[2010.07.25 20:14:50 | 000,000,467 | ---- | M] () -- C:\Windows\System32\Datei10
[2010.07.25 20:14:50 | 000,000,465 | ---- | M] () -- C:\Windows\System32\Datei6
[2010.07.22 21:02:07 | 000,001,678 | ---- | M] () -- C:\Users\Snapshot\Desktop\HoldemManager - Verknüpfung.lnk
[2010.07.22 10:55:19 | 000,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2010.07.22 10:29:09 | 000,002,505 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2010.07.14 15:23:12 | 003,493,161 | ---- | M] () -- C:\Users\Snapshot\Desktop\BillBrandonVsSnapshot.mp3
[2010.06.19 18:04:53 | 000,483,227 | ---- | M] () -- C:\Users\Snapshot\Desktop\MilkHoneyBonnieDobson.mp3
[2010.06.17 18:47:31 | 001,472,002 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.06.17 18:47:31 | 000,643,628 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.06.17 18:47:31 | 000,606,992 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.06.17 18:47:31 | 000,126,188 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.06.17 18:47:31 | 000,103,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.06.17 14:31:50 | 000,018,753 | ---- | M] () -- C:\Users\Snapshot\Desktop\Antragsformular.pdf
[2010.06.11 17:07:16 | 000,015,857 | ---- | M] () -- C:\Windows\unins000.dat
[2010.06.11 17:06:55 | 000,678,746 | ---- | M] () -- C:\Windows\unins000.exe
[2010.06.11 14:12:54 | 000,302,352 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010.06.03 16:23:58 | 000,000,953 | ---- | M] () -- C:\Users\Public\Desktop\TableScan Turbo.lnk
[2010.05.29 15:23:14 | 000,016,499 | -HS- | M] () -- C:\Users\Snapshot\Desktop\Folder.jpg
[2010.05.29 15:23:14 | 000,016,499 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArt_{9B1E2307-1987-4E6C-93DF-92B98F8CB373}_Large.jpg
[2010.05.29 15:23:14 | 000,002,139 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArtSmall.jpg
[2010.05.29 15:23:14 | 000,002,139 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArt_{9B1E2307-1987-4E6C-93DF-92B98F8CB373}_Small.jpg
[2010.05.29 15:22:51 | 000,013,244 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArt_{688C9A63-C5AF-44C8-882F-0407866D362E}_Large.jpg
[2010.05.29 15:22:51 | 000,003,242 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArt_{688C9A63-C5AF-44C8-882F-0407866D362E}_Small.jpg
[2010.05.29 13:41:47 | 000,600,899 | ---- | M] () -- C:\Users\Snapshot\Desktop\tpipsmb.mp3
[2010.05.28 20:38:35 | 000,001,599 | ---- | M] () -- C:\Windows\win.ini
[2010.05.25 16:22:53 | 000,000,933 | ---- | M] () -- C:\Users\Snapshot\Desktop\PokerStove.lnk
[2010.05.18 17:38:57 | 001,048,576 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.2.regtrans-ms
[2010.05.18 17:38:57 | 001,048,576 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.1.regtrans-ms
[2010.05.18 17:38:57 | 001,048,576 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.0.regtrans-ms
[2010.05.18 17:38:57 | 000,065,536 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.blf
[2010.05.15 11:52:40 | 000,001,695 | ---- | M] () -- C:\Users\Snapshot\Desktop\PartyPoker.lnk
[2010.05.15 02:39:04 | 000,004,608 | ---- | M] () -- C:\Users\Snapshot\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.04.29 12:19:24 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.04.29 12:19:14 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010.07.27 18:09:12 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2010.07.27 18:09:12 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
[2010.07.27 18:09:12 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2010.07.27 18:09:12 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2010.07.27 17:32:49 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010.07.27 17:32:49 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010.07.27 17:32:49 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010.07.27 17:32:49 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010.07.27 17:32:49 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010.07.26 11:47:07 | 000,047,104 | ---- | C] () -- C:\Windows\System32\forficli.dll
[2010.07.26 11:46:21 | 000,000,913 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2010.07.26 10:55:57 | 000,001,021 | ---- | C] () -- C:\Users\Public\Desktop\Full Tilt Poker.lnk
[2010.07.25 20:32:08 | 000,002,527 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
[2010.07.22 21:02:07 | 000,001,678 | ---- | C] () -- C:\Users\Snapshot\Desktop\HoldemManager - Verknüpfung.lnk
[2010.07.22 10:55:19 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010.07.22 10:29:09 | 000,002,505 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2010.07.21 20:48:44 | 000,027,003 | ---- | C] () -- C:\Users\Snapshot\Documents\Kündigung.docx
[2010.07.14 15:22:44 | 003,493,161 | ---- | C] () -- C:\Users\Snapshot\Desktop\BillBrandonVsSnapshot.mp3
[2010.06.19 18:04:52 | 000,483,227 | ---- | C] () -- C:\Users\Snapshot\Desktop\MilkHoneyBonnieDobson.mp3
[2010.06.17 14:31:50 | 000,018,753 | ---- | C] () -- C:\Users\Snapshot\Desktop\Antragsformular.pdf
[2010.06.11 17:07:11 | 000,678,746 | ---- | C] () -- C:\Windows\unins000.exe
[2010.06.11 17:07:11 | 000,015,857 | ---- | C] () -- C:\Windows\unins000.dat
[2010.06.03 16:23:58 | 000,000,953 | ---- | C] () -- C:\Users\Public\Desktop\TableScan Turbo.lnk
[2010.05.29 15:23:14 | 000,016,499 | -HS- | C] () -- C:\Users\Snapshot\Desktop\AlbumArt_{9B1E2307-1987-4E6C-93DF-92B98F8CB373}_Large.jpg
[2010.05.29 15:23:14 | 000,002,139 | -HS- | C] () -- C:\Users\Snapshot\Desktop\AlbumArt_{9B1E2307-1987-4E6C-93DF-92B98F8CB373}_Small.jpg
[2010.05.29 15:22:51 | 000,013,244 | -HS- | C] () -- C:\Users\Snapshot\Desktop\AlbumArt_{688C9A63-C5AF-44C8-882F-0407866D362E}_Large.jpg
[2010.05.29 15:22:51 | 000,003,242 | -HS- | C] () -- C:\Users\Snapshot\Desktop\AlbumArt_{688C9A63-C5AF-44C8-882F-0407866D362E}_Small.jpg
[2010.05.29 13:41:45 | 000,600,899 | ---- | C] () -- C:\Users\Snapshot\Desktop\tpipsmb.mp3
[2010.05.25 16:22:53 | 000,000,933 | ---- | C] () -- C:\Users\Snapshot\Desktop\PokerStove.lnk
[2010.05.18 17:38:57 | 001,048,576 | -HS- | C] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.2.regtrans-ms
[2010.05.18 17:38:57 | 001,048,576 | -HS- | C] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.1.regtrans-ms
[2010.05.18 17:38:57 | 001,048,576 | -HS- | C] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.0.regtrans-ms
[2010.05.18 17:38:57 | 000,065,536 | -HS- | C] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.blf
[2010.05.15 11:52:40 | 000,001,695 | ---- | C] () -- C:\Users\Snapshot\Desktop\PartyPoker.lnk
[2010.05.03 22:01:47 | 000,004,608 | ---- | C] () -- C:\Users\Snapshot\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.03.06 17:43:24 | 000,139,128 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2009.12.05 21:19:29 | 000,007,680 | ---- | C] () -- C:\Windows\System32\CNMVS5y.DLL
[2009.11.22 16:04:35 | 000,116,224 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2009.11.09 18:46:07 | 000,000,000 | ---- | C] () -- C:\Windows\HMHud.INI
[2009.10.31 03:56:44 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009.08.16 12:08:36 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009.08.03 01:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009.08.03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009.08.03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009.07.14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009.05.29 17:52:26 | 000,204,800 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009.05.29 17:47:06 | 000,881,664 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009.04.22 01:19:06 | 000,172,173 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2007.02.05 21:05:26 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
 
========== LOP Check ==========
 
[2010.04.12 23:40:48 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\Azureus
[2009.11.08 20:42:46 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\DAEMON Tools Lite
[2010.01.18 23:25:40 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\FOG Downloader
[2010.07.27 17:27:43 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\ICQ
[2010.07.15 13:43:32 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\postgresql
[2009.11.15 13:55:16 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\ProtectDisc
[2010.05.08 10:52:07 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\runic games
[2010.07.27 18:09:10 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\Simply Super Software
[2010.07.21 17:50:25 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\TeamViewer
[2010.07.27 17:58:40 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\uTorrent
[2009.11.08 17:23:29 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\Win7codecs
[2010.07.10 13:31:37 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.* >
[2009.06.10 23:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009.07.14 03:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2009.11.08 05:10:42 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010.07.27 17:42:22 | 000,010,774 | ---- | M] () -- C:\ComboFix.txt
[2009.06.10 23:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010.01.19 15:42:21 | 000,002,580 | ---- | M] () -- C:\fpRedmon.log
[2010.07.27 17:59:39 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2010.05.15 02:42:19 | 000,000,066 | ---- | M] () -- C:\ICSYSINF.log
[2010.07.27 17:59:39 | 2145,902,592 | -HS- | M] () -- C:\pagefile.sys
[2009.11.08 05:20:21 | 000,171,136 | RHS- | M] () -- C:\w7ldr
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
 
< %systemroot%\Tasks\*.job /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
 
< %systemroot%\system32\drivers\*.sys /90 >
[2010.04.29 12:19:14 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.04.29 12:19:24 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
 
< %systemroot%\system32\user32.dll /md5 >
[2009.07.14 03:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\System32\user32.dll
 
< %systemroot%\system32\ws2_32.dll /md5 >
[2009.07.14 03:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\System32\ws2_32.dll

< End of report >

27.07.2010, 17:39   #4
RealSnapshot

Tr/psw papras ab

OTL EXTRAS Logfile:
Code:
OTL Extras logfile created on: 27.07.2010 18:34:36 - Run 1
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Users\Snapshot\Downloads
Windows 7 Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 70,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 77,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68,74 Gb Total Space | 50,48 Gb Free Space | 73,43% Space Free | Partition Type: NTFS
Drive D: | 50,01 Gb Total Space | 25,33 Gb Free Space | 50,66% Space Free | Partition Type: NTFS
Drive E: | 114,14 Gb Total Space | 41,94 Gb Free Space | 36,75% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: SNAPSHOT-PC
Current User Name: Snapshot
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable
"{0B82D6C6-9ECC-4710-97AB-5CE482E72852}_is1" = TableScan Turbo v0.48c (BETA)
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 20
"{311EEFFE-8354-42D8-B2A0-A0666689F69F}" = Alesis io|2 ASIO Driver
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE 
"{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}" = Adobe Audition 3.0
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{6D0C6BE4-F674-43D2-96BC-3509345108C9}_is1" = PokerStove version 1.23
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89286F5B-4B78-41DE-9982-B7AD010DE01B}" = *tmx englisch
"{8C0CAA7A-3272-4991-A808-2C7559DE3409}" = Win7codecs
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_STANDARD_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_STANDARD_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_STANDARD_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_STANDARD_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_STANDARD_{A0516415-ED61-419A-981D-93596DA74165}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_STANDARD_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_STANDARD_{26454C26-D259-4543-AA60-3189E09C5F76}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C916142-C18C-429D-BFED-40094A7E0BEB}" = Die Siedler 7
"{9FCCC8D1-3152-4699-8793-6CB0B9E26EBB}" = Miroslav Philharmonik Instruments
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.2 - Deutsch
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BA0D0121-A3BA-487D-9C78-7AB0E676C722}" = Miroslav Philharmonik
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Audition 3.0" = Adobe Audition 3.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"AVMWLANCLI" = AVM FRITZ!WLAN
"CANONBJ_Deinstall_CNMCP5y.DLL" = Canon PIXMA iP1500
"CANONIJINBOXADDON100" = Canon Inkjet Printer Driver Add-On Module
"FL Studio 8" = FL Studio 8
"FreePDF_XP" = FreePDF (Remove only)
"GPL Ghostscript 8.70" = GPL Ghostscript 8.70
"HS2_is1" = Steinberg Hypersonic 2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.11)" = Mozilla Firefox (3.5.11)
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"PartyPoker" = PartyPoker
"PI13765_HPR_SE_Con" = Schnelleinstieg Controlling
"PokerStars" = PokerStars
"PostgreSQL 8.4" = PostgreSQL 8.4
"Protect Disc License Helper" = Protect Disc License Helper 1.0.118
"PunkBusterSvc" = PunkBuster Services
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"rgcAudio z3ta Plus v1.40" = rgcAudio z3ta Plus v1.40
"Sonalksis Plug-Ins for Windows_is1" = Sonalksis Plug-Ins for Windows 2.00
"Soulseek2" = SoulSeek 157 NS 13e
"STANDARD" = Microsoft Office Standard 2007
"SyncroSoft Emu" = SyncroSoft Emu (Remove only)
"Syncrosoft's License Control" = Syncrosofts Lizenz Kontrolle
"Trojan Remover_is1" = Trojan Remover 6.8.2
"uTorrent" = µTorrent
"Winamp" = Winamp
"WinRAR archiver" = WinRAR
"XBCD" = XBCD 1.03
"Zero-X BeatSlicer" = Zero-X BeatSlicer
 
========== Last 10 Event Log Errors ==========
 
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
 
< End of report >

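What an analyst actually reads in the two OTL logs above is a small number of fields: the "Files/Folders - Created Within 90 Days" and "Files - Modified Within 90 Days" entries in OTL.txt say which files landed directly in %SystemRoot% or System32 with an empty company name in their version resource, and the O35 lines in OTL.txt plus the Shell Spawning section of the Extras log say whether a .exe/.com launch still runs the stock command `"%1" %*` or has been rerouted through another program. The script below is an added triage example, not part of the original thread and not an OTL feature: it parses both entry formats and applies those two checks. The sample entries are copied from the logs posted above; the one hijacked O35 line is constructed for illustration and does not occur anywhere in this thread. A hit is a candidate for a closer look, not a verdict: on these lines the script flags forficli.dll and Datei0 next to PEV.exe and ztvunrar36.dll, and the same log shows that those last two were created in the same minute as C:\Windows\SWREG.exe (SteelWerX) and the C:\Programme\Trojan Remover directory, which is exactly the timeline context a reader has to bring to the list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# OTL file/folder entry:  [YYYY.MM.DD HH:MM:SS | size | attrs | C|M] (Company) [MD5=..] -- path
# The "(Company)" part is absent on folder entries and empty "()" when the file has no
# company name in its version resource.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\)(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? )?"
    r"-- (?P<path>.+?)\s*$"
)
# O35 entries: HKLM\...\comfile|exefile\shell\open\command
O35_RE = re.compile(r"^O35 - HKLM\\\.\.(?P<cls>\w+) \[open\] -- (?P<cmd>.+?)\s*$")
CLEAN_OPEN_CMD = '"%1" %*'                      # stock value; anything else reroutes every launch
SCAN_TIME = datetime(2010, 7, 27, 18, 34, 36)  # from the OTL header in this thread
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass(frozen=True)
class Entry:
    timestamp: datetime
    size: int
    attrs: str        # R/H/S/D flags, "-" when unset, e.g. "-HS-", "---D"
    kind: str         # "C" created, "M" modified
    company: str      # "" when OTL found no company name
    md5: str | None
    path: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name


def parse_entries(text: str) -> list[Entry]:
    """Parse every file/folder line; section headers and '< ... >' markers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            timestamp=datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=(m["company"] or "").strip(),
            md5=m["md5"].upper() if m["md5"] else None,
            path=m["path"],
        ))
    return entries


def triage(entries: list[Entry], scan_time: datetime = SCAN_TIME,
           window_days: int = 90) -> list[Entry]:
    """Files (not folders) written directly into %SystemRoot% or System32 inside the window
    that carry no company name, oldest first. Candidates for a closer look, not verdicts."""
    since = scan_time - timedelta(days=window_days)
    hits = [e for e in entries
            if "D" not in e.attrs and not e.company
            and str(PureWindowsPath(e.path).parent).lower() in WATCHED_DIRS
            and since <= e.timestamp <= scan_time]
    return sorted(hits, key=lambda e: e.timestamp)


def check_shell_open(text: str) -> dict[str, str]:
    """{class: command} for every O35 entry whose open command is not the stock one."""
    matches = (O35_RE.match(line.strip()) for line in text.splitlines())
    return {m["cls"]: m["cmd"] for m in matches if m and m["cmd"] != CLEAN_OPEN_CMD}


# Lines copied from the OTL.txt posted above (a small subset of the real log).
SAMPLE_OTL = r"""
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
[2010.07.27 18:20:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.07.27 18:20:14 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.07.27 18:09:12 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2010.07.27 17:32:49 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010.07.27 18:34:33 | 002,097,152 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat
[2010.07.26 11:47:07 | 000,047,104 | ---- | C] () -- C:\Windows\System32\forficli.dll
[2010.07.25 20:14:50 | 000,000,468 | ---- | M] () -- C:\Windows\System32\Datei0
[2009.12.05 21:19:29 | 000,007,680 | ---- | C] () -- C:\Windows\System32\CNMVS5y.DLL
[2009.07.14 03:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\System32\user32.dll
"""

# Constructed for illustration, NOT from this thread: an exefile handler that has been hijacked.
SAMPLE_O35_HIJACKED = r"""
O35 - HKLM\..exefile [open] -- "C:\Users\Snapshot\AppData\Local\Temp\example.exe" "%1" %*
"""
```

Run `triage(parse_entries(SAMPLE_OTL))` and the four hits come back oldest first; `check_shell_open(SAMPLE_OTL)` is empty because both posted O35 lines carry the stock command, while the constructed sample returns the exefile entry. The company-name heuristic is deliberately crude: signed, well-known files such as mbam.sys pass it, but so would any malware that bothers to fill in a version resource, so the MD5 fields OTL prints for user32.dll and ws2_32.dll are the check to pair it with when a system file is in doubt.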
27.07.2010, 17:40   #5
RealSnapshot

Tr/psw papras ab

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4357

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

27.07.2010 18:26:32
mbam-log-2010-07-27 (18-26-32).txt

Scan type: Quick scan
Objects scanned: 138367
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


27.07.2010, 17:49   #6
RealSnapshot

GMER Logfile:
Code:
ATTFilter
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-07-27 18:49:15
Windows 6.1.7600 
Running: pb0do0jm.exe; Driver: C:\Users\Snapshot\AppData\Local\Temp\kwlorkoc.sys


---- System - GMER 1.0.15 ----

SSDT            813843D4                                                                                                            ZwCreateThread
SSDT            813843C0                                                                                                            ZwOpenProcess
SSDT            813843C5                                                                                                            ZwOpenThread
SSDT            813843CF                                                                                                            ZwTerminateProcess

INT 0x1F        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A34AF8
INT 0x37        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A34104
INT 0xC1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A343F4
INT 0xD1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A1C634
INT 0xD2        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A1C898
INT 0xDF        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A341DC
INT 0xE1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A34958
INT 0xE3        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A346F8
INT 0xFD        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A34F2C
INT 0xFE        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A351A8

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                                                     81A94599 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                              81AB8F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntkrnlpa.exe!RtlSidHashLookup + 34C                                                                                 81AC085C 3 Bytes  [D4, 43, 38]
.text           ntkrnlpa.exe!RtlSidHashLookup + 4E8                                                                                 81AC09F8 3 Bytes  [C0, 43, 38]
.text           ntkrnlpa.exe!RtlSidHashLookup + 508                                                                                 81AC0A18 3 Bytes  [C5, 43, 38] {LDS EAX, DWORD [EBX+0x38]}
.text           ntkrnlpa.exe!RtlSidHashLookup + 7B8                                                                                 81AC0CC8 3 Bytes  [CF, 43, 38]
.text           peauth.sys                                                                                                          97288C9D 28 Bytes  [9E, 95, 33, 78, FB, E3, 63, ...]
.text           peauth.sys                                                                                                          97288CC1 28 Bytes  [9E, 95, 33, 78, FB, E3, 63, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                     [74442494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                [74425624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                               [744256E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                      [7444250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                            [74438573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                              [74434D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                             [744350CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                            [744351A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]                   [744366D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                             [744382CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                        [74438819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                      [7443907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                            [7443E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                [74434C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\0000004b                                                                                   halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \FileSystem\fastfat \Fat                                                                                            fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x8F 0x5B 0xF9 0x68 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0xF7 0x17 0x70 0x86 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x88 0x79 0x40 0x73 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x8F 0x5B 0xF9 0x68 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0xF7 0x17 0x70 0x86 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x88 0x79 0x40 0x73 ...
Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System                                                               
Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL

---- EOF - GMER 1.0.15 ----
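The GMER log above contains two findings that are easy to over-count: four SSDT hooks that GMER could not attribute to any driver (only a bare address, 0x813843xx, is printed), and four "modified .text" entries in ntkrnlpa.exe near RtlSidHashLookup whose bytes ([D4, 43, 38], [C0, 43, 38], ...) are the low three bytes of exactly those hook addresses. The script below is an added example, not part of this thread and not a GMER tool: it parses the "System" and "Kernel code sections" parts of a GMER report and checks whether each kernel patch is simply a rewritten service-table slot (the SSDT lives inside the kernel image, so a hooked pointer shows up as modified kernel bytes). The sample log is a whitespace-collapsed subset of the log posted above; the handling of the attributed SSDT line form (driver path instead of an address) is an assumption about GMER's output, not something this log shows.

```python
import re

# Constructed sample: a subset of the GMER log posted in this thread, with the
# wide column padding collapsed. The parser does not depend on column widths.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT  813843D4  ZwCreateThread
SSDT  813843C0  ZwOpenProcess
SSDT  813843C5  ZwOpenThread
SSDT  813843CF  ZwTerminateProcess

INT 0x1F  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  81A34AF8

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKeyEx + 13AD  81A94599 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  81AB8F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!RtlSidHashLookup + 34C  81AC085C 3 Bytes  [D4, 43, 38]
.text  ntkrnlpa.exe!RtlSidHashLookup + 4E8  81AC09F8 3 Bytes  [C0, 43, 38]
.text  ntkrnlpa.exe!RtlSidHashLookup + 508  81AC0A18 3 Bytes  [C5, 43, 38] {LDS EAX, DWORD [EBX+0x38]}
.text  ntkrnlpa.exe!RtlSidHashLookup + 7B8  81AC0CC8 3 Bytes  [CF, 43, 38]
.text  peauth.sys  97288C9D 28 Bytes  [9E, 95, 33, 78, FB, E3, 63, ...]

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
# .text  <module[!symbol + offset]>  <address> <n> Byte(s)  [<hex bytes, possibly ending in ...>]
PATCH_RE = re.compile(r"^\.text\s+(.+?)\s{2,}([0-9A-Fa-f]{8})\s+(\d+) Bytes?\s+\[([^\]]*)\]")


def parse_gmer(text):
    """Return (ssdt_hooks, kernel_patches) from a GMER report."""
    section, hooks, patches = None, [], []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System" and line.startswith("SSDT"):
            fields = line.split()
            func = next((f for f in fields[1:] if f.startswith(("Zw", "Nt"))), "?")
            if HEX8_RE.match(fields[1]):
                # Unattributed: GMER found no loaded driver image covering the address.
                hooks.append({"function": func, "address": int(fields[1], 16), "module": None})
            else:
                # Assumed attributed form: a driver path is printed instead of the address.
                hooks.append({"function": func, "address": None, "module": fields[1]})
        elif section == "Kernel code sections":
            m = PATCH_RE.match(line)
            if m:
                location, addr, count, dump = m.groups()
                tokens = [t.strip() for t in dump.split(",")]
                raw = bytes(int(t, 16) for t in tokens if re.fullmatch(r"[0-9A-Fa-f]{2}", t))
                patches.append({"location": location, "address": int(addr, 16),
                                "size": int(count), "bytes": raw,
                                "truncated": len(raw) < int(count)})
    return hooks, patches


def correlate(hooks, patches, min_bytes=3):
    """Map each kernel patch to the SSDT hook whose target address, stored
    little-endian as a table slot would be, begins with the patched bytes.
    Truncated dumps and matches shorter than min_bytes are ignored as evidence."""
    matched = {}
    for p in patches:
        raw = p["bytes"]
        if p["truncated"] or len(raw) < min_bytes:
            continue
        for h in hooks:
            if h["address"] is not None and h["address"].to_bytes(4, "little").startswith(raw):
                matched[p["location"]] = h["function"]
    return matched


def triage(text):
    """Summarise: hooks without an owner, patches explained as SSDT slots, the rest."""
    hooks, patches = parse_gmer(text)
    slots = correlate(hooks, patches)
    return {
        "unattributed_hooks": [h["function"] for h in hooks if h["module"] is None],
        "table_slots": slots,
        "unexplained_patches": [p["location"] for p in patches if p["location"] not in slots],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted log this reduces the nine System/Kernel lines to one finding plus three leftovers: the four RtlSidHashLookup patches are the four hooked table slots (the slot spacing of 0x19C, 0x20 and 0x2B0 bytes is four times the distance between the Windows 7 x86 service numbers 0x57, 0xBE, 0xC6 and 0x172 for NtCreateThread, NtOpenProcess, NtOpenThread and NtTerminateProcess, which is the order in which they appear). The ZwSaveKeyEx, KiDispatchInterrupt and peauth.sys entries stay on the manual-review list. "Unattributed" only means GMER could not name the driver that owns 0x813843xx; which driver that is (a security product's self-protection or something hostile) has to be established separately, for instance with a kernel debugger, before the hooks are written off or acted on.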

28.07.2010, 17:12   #7
Angel21

Please carry out the steps ONE AFTER THE OTHER.

1.) Scan with SystemLook

Download SystemLook by jpshortstuff from one of the following mirrors and save the tool on the Desktop.

Download Mirror #1 - Download Mirror #2
  • Double-click SystemLook.exe to start the tool.
    Vista users: right-click and run as administrator.
  • Copy the contents of the following code box into the tool's text field:

    Code:
    ATTFilter
    :file
    C:\Windows\System32\Datei4

  • Now click the Look button to start the scan.
  • When the scan has finished, your text editor will open with the results; post them here in the thread.
  • The results are saved on the Desktop as SystemLook.txt.

2.) Change folder views
Change your folder view as follows:
Follow this path: open "My Computer" on your PC, go to "Tools" -> "Folder Options" -> "View" and change the following there:
1.) Hide protected operating system files (recommended) = remove the tick
2.) Show all files and folders = set the tick

Now upload the following file to www.virustotal.com (follow the path marked in bold):
Quote:
C:\Windows\System32\forficli.dll
3.) Question:
[2010.07.27 17:26:34 | 000,000,000 | ---D | C] -- C:\Qoobox
Combofix ran on your machine at some point; do you have the log? If so, please post it as well.

4.)
  • ESET Online Scanner
    • Note for Vista users: be sure to start the browser as administrator.
    • Press the "ESET Online Scanner" button.
    • Firefox users must install an additional add-on (esetsmartinstaller_enu.exe).
    • Save the Firefox add-on to the Desktop and then install it.
    • IE users must allow the installation of an ActiveX control.
    • Tick "Remove found threats" and "Scan archives".
    • Press Start.
    • The scan starts automatically.
    • Press Finish.
    • Close the browser.
    • Open Explorer.
    • Locate C:\Programme\Eset\EsetOnlineScanner\log.txt and open it with your text editor.
    • Post the log file here.
    • Uninstall: Control Panel => Programs => remove Eset Online Scanner V3.
    • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset
    • IE users additionally: fix the following entry with HJT:
    • O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control)
__________________
Avira Upgrade 10 is on the market!
Aggressive Avira settings

What goes around comes around!
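Steps 1 and 2 above amount to: confirm the file is there, record its MD5 and timestamps, then upload it to VirusTotal. The following is an added example, not code from this thread or from SystemLook, that does the same check in Python and additionally computes the SHA-256, so the file can be looked up on VirusTotal by hash (the web UI accepts https://www.virustotal.com/gui/file/<sha256>) before deciding whether to upload it at all; it also flags files created within the last 30 days, which is how the two-day-old forficli.dll in this thread stands out among System32 files. Assumptions: the caller supplies the paths; `st_ctime` is the creation time on Windows (on POSIX it is the inode change time), and the `demo()` input is a constructed temp directory standing in for System32, not the real files.

```python
import datetime as dt
import hashlib
import os
import tempfile

# Hash-lookup form of the VirusTotal web UI; no data is sent by this script.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def file_report(path, reference_time=None, recent_days=30):
    """SystemLook-style ':file' check: existence, size, MD5/SHA-256, timestamps.
    A missing or unreadable file yields {'found': False} instead of an exception,
    which is the 'Unable to find/read file' case seen later in this thread."""
    try:
        st = os.stat(path)
        md5, sha256 = hashlib.md5(), hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                md5.update(chunk)
                sha256.update(chunk)
    except OSError:
        return {"path": path, "found": False}
    now = reference_time or dt.datetime.now()
    # Assumption: st_ctime is the creation time (true on Windows; inode change time on POSIX).
    created = dt.datetime.fromtimestamp(st.st_ctime)
    modified = dt.datetime.fromtimestamp(st.st_mtime)
    return {
        "path": path,
        "found": True,
        "size": st.st_size,
        "md5": md5.hexdigest().upper(),        # SystemLook prints MD5 in upper case
        "sha256": sha256.hexdigest(),
        "created": created,
        "modified": modified,
        "recent": (now - created) <= dt.timedelta(days=recent_days),
        "vt_url": VT_FILE_URL.format(sha256=sha256.hexdigest()),
    }


def report_paths(paths, **kwargs):
    """Run file_report over several candidate paths."""
    return [file_report(p, **kwargs) for p in paths]


def demo():
    """Constructed input: a temp directory with one present file and one
    missing name, mirroring 'Datei4' (found) and 'forficli.dll' (gone)."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "Datei4")
        with open(present, "wb") as fh:
            fh.write(b"abc")  # constructed content, not the real file's bytes
        return report_paths([present, os.path.join(d, "forficli.dll")])


if __name__ == "__main__":
    for r in demo():
        if not r["found"]:
            print(f"{r['path']} - Unable to find/read file.")
            continue
        flag = " (created within 30 days)" if r["recent"] else ""
        print(f"{r['path']} - {r['size']} bytes, MD5 {r['md5']}{flag}")
        print(f"  created {r['created']:%d/%m/%Y %H:%M}, modified {r['modified']:%d/%m/%Y %H:%M}")
        print(f"  lookup: {r['vt_url']}")
```

Hash lookup first, upload second, is the order to prefer for anything that might contain credentials or other personal data (a password stealer's own config or drop files can), since a hash reveals nothing if the sample is unknown to the service. A hit on the hash settles the question without shipping the file; a miss on a file that is only days old in System32 is itself a reason for suspicion rather than reassurance.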

03.08.2010, 17:05   #8
RealSnapshot

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:04 on 03/08/2010 by Snapshot (Administrator - Elevation successful)

========== file ==========

C:\Windows\System32\Datei4 - File found and opened.
MD5: C03233226BC02337262AEF4C72B79E18
Created at 17:14 on 13/11/2009
Modified at 19:11 on 28/07/2010
Size: 471 bytes
Attributes: --a---
No version information available.

-=End Of File=-

03.08.2010, 17:29   #9
RealSnapshot

the forficli.dll suddenly seems to be gone

03.08.2010, 17:33   #10
Angel21

What about points 3 and 4? Please do them as well, if not already done.

Scan with SystemLook

Download SystemLook by jpshortstuff from one of the following mirrors and save the tool on the Desktop.

Download Mirror #1 - Download Mirror #2
  • Double-click SystemLook.exe to start the tool.
    Vista users: right-click and run as administrator.
  • Copy the contents of the following code box into the tool's text field:

    Code:
    ATTFilter
    :file
    C:\Windows\System32\forficli.dll

  • Now click the Look button to start the scan.
  • When the scan has finished, your text editor will open with the results; post them here in the thread.
  • The results are saved on the Desktop as SystemLook.txt.

03.08.2010, 18:16   #11
RealSnapshot

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0a1cdc2735481445a1985629d3cb5803
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-03 05:15:30
# local_time=2010-08-03 07:15:30 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=1797 16775165 100 100 196980 56363517 0 0
# compatibility_mode=5893 16776573 100 94 11550 33290553 0 0
# compatibility_mode=8192 67108863 100 0 89 89 0 0
# scanned=130416
# found=5
# cleaned=5
# scan_time=3919
C:\Users\Snapshot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\13ecae4c-3133ba89 a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Snapshot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\4c08fc3-7c249697 probably a variant of Java/TrojanDownloader.Agent.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Snapshot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\e958e72-240e2a6f multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Snapshot\Downloads\fileutild.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll probably a variant of Win32/Delf trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

03.08.2010, 19:04   #12
RealSnapshot

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:04 on 03/08/2010 by Snapshot (Administrator - Elevation successful)

========== file ==========

C:\Windows\System32\forficli.dll - Unable to find/read file.

-=End Of File=-

03.08.2010, 19:45   #13
Angel21

Point 3.)
You did have Combofix saved, or rather installed; is there a log of it?
I would like to see it.

You will find it under C:\Qoobox

04.08.2010, 22:29   #14
RealSnapshot

Only this, in a txt file:

2010-07-27 15:42:04 . 2010-07-27 15:42:04 682 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Everest Poker.reg.dat
2010-07-27 15:39:34 . 2010-07-27 15:39:34 6,211 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-27 15:29:45 . 2010-07-27 15:34:34 113 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\sslibeh.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\slibddf.dll.vir
2010-06-11 15:07:16 . 2009-07-14 02:37:05 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\slibff.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\ssoleht.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\sslibkh.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\sslibfg.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\sslibjy.dll.vir

06.08.2010, 16:05   #15
Angel21

Fix with OTL
  • Please start OTL.exe.
    Vista and Win7 users: right-click, "Run as administrator"
  • Now copy the following contents into the text box.
Code:
ATTFilter
:OTL
[2010.07.26 11:47:07 | 000,047,104 | ---- | C] () -- C:\Windows\System32\forficli.dll
[2010.07.22 10:55:19 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
:Services
:Reg
:Files
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
         
  • Now please close all programs.
  • Now please click the Fix button.
  • Click on .
  • OTL may request a restart. Please allow it.
  • After the restart you will find a text document.
    Now copy its contents here into your thread
