| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Tr/Dropper und Antimalware Doctor - bei Neustart wieder daWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
04.08.2010, 21:49
| #1 |
 |  Tr/Dropper und Antimalware Doctor - bei Neustart wieder da Hallöchen, heute entdeckte ich erst: BDS/VB.lvn.120 und kurz danach: TR/Dropper.Gen mit meinem AntiVir. Anschliessend hatte ich ein schönes Programm namens "antimalware doctor" auf meinem Laptop, dass mich geradezu mit Hinweisen bombadiert hat. Außerdem konnte ich eine Zeit lang viele Programme nicht öffnen und mein Internet Browser(Firefox) hatte eine falsche Proxy adresse, weshalb ich anfangs auch nicht ins Internet kam. ich habe hier im Forum eine Vorgehensweise gefunden, bei der erst mit dem "rKiller" der antimalware doctor abgestellt wird und anschliessend mit "malwarebytes" gescannt werden soll. dabei wurden auch 9 verdächtige Programme gelöscht, aber jedesmal wenn ich neu starte startet zumindest der antimalware doctor wieder... Das(Anhang) kam als Protokoll von meinem Malwarebytes scan heraus: |
|
05.08.2010, 00:53
| #2 |
| /// Selecta Jahrusso   | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da Eine Bereinigung ist mitunter mit viel Arbeit für Dich verbunden.
Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der Schnellere und immer der sicherste Weg. Solltest Du Dich für eine Bereinigung entscheiden, arbeite solange mit, bis dir jemand vom Team sagt, dass Du clean bist. Vista und Win7 User Alle Tools mit Rechtsklick "als Administrator ausführen" starten. Schritt 1 CustomScan mit OTL Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
Code:
ATTFilter netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
__________________ |
|
05.08.2010, 11:08
| #3 |
| | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da so das ergab OTL:
__________________OTL.txt OTL Logfile: Code:
ATTFilter OTL logfile created on: 8/5/2010 11:03:16 AM - Run 1 OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\SandAle\Desktop Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free 6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files Drive C: | 198.29 Gb Total Space | 111.61 Gb Free Space | 56.29% Space Free | Partition Type: NTFS Drive D: | 252.37 Gb Total Space | 58.47 Gb Free Space | 23.17% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: HORST Current User Name: SandAle Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010/08/04 21:28:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\SandAle\Desktop\OTL.exe PRC - [2010/04/20 08:19:12 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2010/03/02 11:28:23 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2010/02/24 10:28:01 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2010/01/19 11:34:48 | 002,201,192 | ---- | M] (SEC) -- C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe PRC - [2010/01/14 22:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2010/01/12 12:41:00 | 003,168,216 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe PRC - [2009/11/09 12:20:14 | 000,818,432 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Firewall Plus\FWService.exe PRC - [2009/10/31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009/09/29 19:28:44 | 007,744,032 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe PRC - [2009/09/08 01:47:52 | 000,832,512 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe PRC - [2009/09/07 12:42:04 | 000,093,184 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe PRC - [2009/08/23 06:47:34 | 000,716,800 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe PRC - [2009/07/14 03:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2009/07/14 03:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2009/03/30 17:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE PRC - [2009/03/30 17:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe PRC - [2009/03/19 17:11:24 | 001,138,688 | ---- | M] (Last.fm) -- C:\Programme\Last.fm\LastFM.exe ========== Modules (SafeList) ========== MOD - [2010/08/04 21:28:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\SandAle\Desktop\OTL.exe MOD - [2009/07/14 03:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll MOD - [2009/07/14 03:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll MOD - [2009/07/14 03:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll MOD - [2009/07/14 03:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll MOD - [2009/07/14 03:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll MOD - [2009/07/14 03:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll MOD - [2009/07/14 03:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll MOD - [2009/07/14 03:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll MOD - [2009/07/14 03:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll MOD - [2009/07/14 03:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll MOD - [2009/07/14 03:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx MOD - [2009/07/14 03:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - File not found [On_Demand | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe -- (McSysmon) SRV - File not found [Unknown | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe -- (McShield) SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device) SRV - [2010/04/20 08:19:12 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2010/02/24 10:28:01 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2009/11/09 12:20:14 | 000,818,432 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Firewall Plus\FWService.exe -- (PCToolsFirewallPlus) SRV - [2009/09/23 13:38:18 | 000,935,208 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0) SRV - [2009/08/13 22:58:10 | 000,044,312 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe -- (OberonGameConsoleService) SRV - [2009/08/05 23:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc) SRV - [2009/07/14 03:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc) SRV - [2009/07/14 03:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc) SRV - [2009/07/14 03:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power) SRV - [2009/07/14 03:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes) SRV - [2009/07/14 03:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify) SRV - [2009/07/14 03:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper) SRV - [2009/07/14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009/07/14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc) SRV - [2009/07/14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc) SRV - [2009/07/14 03:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider) SRV - [2009/07/14 03:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg) SRV - [2009/07/14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend) SRV - [2009/07/14 03:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener) SRV - [2009/07/14 03:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache) SRV - [2009/07/14 03:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp) SRV - [2009/07/14 03:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc) SRV - [2009/07/14 03:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC) SRV - [2009/07/14 03:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX-Installer (AxInstSV) SRV - [2009/07/14 03:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc) SRV - [2009/07/14 03:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc) SRV - [2009/03/30 17:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc) SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter) ========== Driver Services (SafeList) ========== DRV - [2010/03/01 10:05:19 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2010/01/13 09:59:28 | 000,115,216 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctplfw.sys -- (pctplfw) DRV - [2010/01/12 10:34:14 | 000,070,664 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctNdis-PacketFilter.sys -- (PCTFW-PacketFilter) DRV - [2010/01/11 12:05:36 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt) DRV - [2010/01/11 12:05:36 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt) DRV - [2010/01/07 13:40:26 | 000,233,136 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\Windows\System32\drivers\pctgntdi.sys -- (pctgntdi) DRV - [2010/01/07 12:35:06 | 000,058,816 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctNdis.sys -- (pctNDIS) DRV - [2010/01/05 23:09:32 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\System32\Drivers\sptd.sys -- (sptd) DRV - [2009/12/14 05:44:42 | 001,245,696 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr) DRV - [2009/12/11 09:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\Drivers\ksecpkg.sys -- (KSecPkg) DRV - [2009/11/23 14:54:20 | 000,088,040 | ---- | M] (PC Tools) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PCTAppEvent.sys -- (PCTAppEvent) DRV - [2009/11/21 04:34:54 | 011,515,752 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2009/11/04 17:54:12 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk) DRV - [2009/11/04 17:54:12 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk) DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk) DRV - [2009/11/04 17:54:12 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk) DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk) DRV - [2009/09/29 19:16:02 | 002,776,672 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM) DRV - [2009/08/21 01:04:54 | 000,189,440 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167) DRV - [2009/08/05 23:48:42 | 000,054,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\fssfltr.sys -- (fssfltr) DRV - [2009/07/15 01:16:34 | 000,212,656 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP) DRV - [2009/07/14 03:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\cmdide.sys -- (cmdide) DRV - [2009/07/14 03:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\adpahci.sys -- (adpahci) DRV - [2009/07/14 03:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\adp94xx.sys -- (adp94xx) DRV - [2009/07/14 03:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\amdsbs.sys -- (amdsbs) DRV - [2009/07/14 03:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\adpu320.sys -- (adpu320) DRV - [2009/07/14 03:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\arcsas.sys -- (arcsas) DRV - [2009/07/14 03:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\amdsata.sys -- (amdsata) DRV - [2009/07/14 03:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\arc.sys -- (arc) DRV - [2009/07/14 03:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\amdxata.sys -- (amdxata) DRV - [2009/07/14 03:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\aliide.sys -- (aliide) DRV - [2009/07/14 03:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\nvstor.sys -- (nvstor) DRV - [2009/07/14 03:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\nvraid.sys -- (nvraid) DRV - [2009/07/14 03:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\nfrd960.sys -- (nfrd960) DRV - [2009/07/14 03:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS) DRV - [2009/07/14 03:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\iaStorV.sys -- (iaStorV) DRV - [2009/07/14 03:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\MegaSR.sys -- (MegaSR) DRV - [2009/07/14 03:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI) DRV - [2009/07/14 03:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC) DRV - [2009/07/14 03:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2) DRV - [2009/07/14 03:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\iirsp.sys -- (iirsp) DRV - [2009/07/14 03:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\megasas.sys -- (megasas) DRV - [2009/07/14 03:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\hwpolicy.sys -- (hwpolicy) DRV - [2009/07/14 03:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\elxstor.sys -- (elxstor) DRV - [2009/07/14 03:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\djsvs.sys -- (aic78xx) DRV - [2009/07/14 03:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD) DRV - [2009/07/14 03:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends) DRV - [2009/07/14 03:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\vsmraid.sys -- (vsmraid) DRV - [2009/07/14 03:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\vhdmp.sys -- (vhdmp) DRV - [2009/07/14 03:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot) DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount) DRV - [2009/07/14 03:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\viaide.sys -- (viaide) DRV - [2009/07/14 03:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\ql2300.sys -- (ql2300) DRV - [2009/07/14 03:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\rdyboost.sys -- (rdyboost) DRV - [2009/07/14 03:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\ql40xx.sys -- (ql40xx) DRV - [2009/07/14 03:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4) DRV - [2009/07/14 03:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\pcw.sys -- (pcw) DRV - [2009/07/14 03:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2) DRV - [2009/07/14 03:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\stexstor.sys -- (stexstor) DRV - [2009/07/14 03:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\Drivers\cng.sys -- (CNG) DRV - [2009/07/14 02:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM) DRV - [2009/07/14 02:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\rdpbus.sys -- (rdpbus) DRV - [2009/07/14 02:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP) DRV - [2009/07/14 01:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2) DRV - [2009/07/14 01:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf) DRV - [2009/07/14 01:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap) DRV - [2009/07/14 01:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp) DRV - [2009/07/14 01:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt) DRV - [2009/07/14 01:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus) DRV - [2009/07/14 01:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\1394ohci.sys -- (1394ohci) DRV - [2009/07/14 01:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\umpass.sys -- (UmPass) DRV - [2009/07/14 01:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb) DRV - [2009/07/14 01:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf) DRV - [2009/07/14 01:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\MTConfig.sys -- (MTConfig) DRV - [2009/07/14 01:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus) DRV - [2009/07/14 01:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\appid.sys -- (AppID) DRV - [2009/07/14 01:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter) DRV - [2009/07/14 01:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache) DRV - [2009/07/14 01:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\HidBatt.sys -- (HidBatt) DRV - [2009/07/14 01:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi) DRV - [2009/07/14 01:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\amdppm.sys -- (AmdPPM) DRV - [2009/07/14 00:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\hcw85cir.sys -- (hcw85cir) DRV - [2009/07/14 00:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm) DRV - [2009/07/14 00:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer) DRV - [2009/07/14 00:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm) DRV - [2009/07/14 00:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo) DRV - [2009/07/14 00:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp) DRV - [2009/07/14 00:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x) DRV - [2009/07/14 00:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\evbdx.sys -- (ebdrv) DRV - [2009/07/14 00:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv) DRV - [2009/06/10 23:19:30 | 004,756,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx) DRV - [2009/06/04 11:43:16 | 000,330,264 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\iaStor.sys -- (iaStor) DRV - [2009/05/28 08:38:12 | 000,010,752 | ---- | M] (SAMSUNG ELECTRONICS) [Kernel | System | Running] -- C:\Windows\System32\drivers\SABI.sys -- (SABI) DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009/03/15 12:25:46 | 000,056,268 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\windows\System32\drivers\scdemu.sys -- (SCDEmu) DRV - [2009/01/08 10:42:54 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk) DRV - [2008/02/22 16:33:02 | 000,114,304 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm) DRV - [2008/02/22 16:33:02 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl) DRV - [2008/02/22 16:33:00 | 000,087,936 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522 ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/" FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3 FF - prefs.js..extensions.enabledItems: philip.hasky@stud.fh-dortmund.de:1.6 FF - prefs.js..network.proxy.type: 4 FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/28 21:05:16 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/28 21:05:16 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/05/03 07:41:12 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/07/08 17:41:03 | 000,000,000 | ---D | M] [2009/12/14 15:40:50 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\mozilla\Extensions [2009/12/14 15:40:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\SandAle\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2010/08/04 22:03:28 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\mozilla\Firefox\Profiles\cimcsryy.default\extensions [2010/06/28 17:18:10 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\SandAle\AppData\Roaming\mozilla\Firefox\Profiles\cimcsryy.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2010/04/14 13:30:48 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\mozilla\Firefox\Profiles\cimcsryy.default\extensions\philip.hasky@stud.fh-dortmund.de [2010/05/04 20:03:22 | 000,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions [2010/05/04 20:03:21 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} [2010/03/12 12:41:16 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2010/03/12 12:41:16 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2010/03/12 12:41:16 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2010/03/12 12:41:16 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2010/03/12 12:41:16 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009/06/10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.) O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O4 - HKLM..\Run: [00PCTFW] C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\Hubi.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.3.11.1 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. O30 - LSA: Security Packages - (pku2u) - C:\windows\System32\pku2u.dll (Microsoft Corporation) O30 - LSA: Security Packages - (livessp) - C:\windows\System32\livessp.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\F\Shell - "" = AutoRun O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\YDKJAutorun.exe -- File not found O33 - MountPoints2\G\Shell - "" = AutoRun O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\startup.exe -- File not found O33 - MountPoints2\H\Shell - "" = AutoRun O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\startup.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - File not found NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: Wmi - C:\windows\System32\wmi.dll (Microsoft Corporation) NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation) NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation) Drivers32: aux - C:\windows\System32\wdmaud.drv (Microsoft Corporation) Drivers32: midi - C:\windows\System32\wdmaud.drv (Microsoft Corporation) Drivers32: midimapper - C:\windows\System32\midimap.dll (Microsoft Corporation) Drivers32: mixer - C:\windows\System32\wdmaud.drv (Microsoft Corporation) Drivers32: msacm.ac3acm - C:\windows\System32\ac3acm.acm (fccHandler) Drivers32: msacm.imaadpcm - C:\windows\System32\imaadp32.acm (Microsoft Corporation) Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS) Drivers32: msacm.lameacm - C:\windows\System32\lameACM.acm (hxxp://www.mp3dev.org/) Drivers32: msacm.msadpcm - C:\windows\System32\msadp32.acm (Microsoft Corporation) Drivers32: msacm.msg711 - C:\windows\System32\msg711.acm (Microsoft Corporation) Drivers32: msacm.msgsm610 - C:\windows\System32\msgsm32.acm (Microsoft Corporation) Drivers32: msacm.siren - C:\windows\System32\sirenacm.dll (Microsoft Corporation) Drivers32: MSVideo8 - C:\windows\System32\vfwwdm32.dll (Microsoft Corporation) Drivers32: vidc.cvid - C:\windows\System32\iccvid.dll (Radius Inc.) Drivers32: vidc.DIVX - C:\windows\System32\DivX.dll (DivX, Inc.) Drivers32: VIDC.FFDS - C:\windows\System32\ff_vfw.dll () Drivers32: vidc.i420 - C:\windows\System32\iyuv_32.dll (Microsoft Corporation) Drivers32: VIDC.IYUV - C:\windows\System32\iyuv_32.dll (Microsoft Corporation) Drivers32: vidc.mrle - C:\windows\System32\msrle32.dll (Microsoft Corporation) Drivers32: vidc.msvc - C:\windows\System32\msvidc32.dll (Microsoft Corporation) Drivers32: VIDC.UYVY - C:\windows\System32\msyuv.dll (Microsoft Corporation) Drivers32: VIDC.XVID - C:\windows\System32\xvidvfw.dll () Drivers32: VIDC.YUY2 - C:\windows\System32\msyuv.dll (Microsoft Corporation) Drivers32: VIDC.YV12 - C:\windows\System32\DivX.dll (DivX, Inc.) Drivers32: VIDC.YVU9 - C:\windows\System32\tsbyuv.dll (Microsoft Corporation) Drivers32: VIDC.YVYU - C:\windows\System32\msyuv.dll (Microsoft Corporation) Drivers32: wave - C:\windows\System32\wdmaud.drv (Microsoft Corporation) Drivers32: wavemapper - C:\windows\System32\msacm32.drv (Microsoft Corporation) ========== Files/Folders - Created Within 90 Days ========== [2010/08/04 21:28:12 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Desktop\anti doctor dingens [2010/08/04 21:27:56 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\SandAle\Desktop\OTL.exe [2010/08/04 19:14:59 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\Malwarebytes [2010/08/04 19:14:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys [2010/08/04 19:14:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010/08/04 19:14:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys [2010/08/04 19:14:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/08/04 18:15:30 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\ofbanyeef [2010/08/04 18:15:30 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Local\ofbanyeef [2010/08/04 18:15:12 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7 [2010/07/26 17:07:36 | 000,000,000 | ---D | C] -- C:\Program Files\Creative Labs [2010/07/26 17:06:58 | 000,000,000 | ---D | C] -- C:\Program Files\EidosNet [2010/07/21 16:37:39 | 000,000,000 | ---D | C] -- C:\Program Files\iPod [2010/06/29 11:53:50 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Desktop\Briefe [2010/06/29 10:12:31 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Desktop\Bafög [2010/06/22 13:49:55 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour [2010/06/20 18:47:34 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Documents\MeinSpore-Kreationen [2010/06/20 18:46:40 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\SPORE [2010/06/14 18:39:00 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\Nero [2010/06/14 18:37:24 | 000,000,000 | ---D | C] -- C:\Program Files\Nero ControlCenter 4 [2010/06/14 18:29:56 | 000,000,000 | ---D | C] -- C:\Program Files\Nero 9 [2010/06/14 18:29:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Nero [2010/06/14 18:29:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero [2010/06/01 19:47:27 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Desktop\Simpsons Songs [2010/05/11 21:05:34 | 000,000,000 | ---D | C] -- C:\Program Files\Google [2010/05/11 12:01:13 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\Miranda Fusion [15 C:\windows\*.tmp files -> C:\windows\*.tmp -> ] [1 C:\Users\SandAle\Desktop\*.tmp files -> C:\Users\SandAle\Desktop\*.tmp -> ] ========== Files - Modified Within 90 Days ========== [2010/08/05 11:04:11 | 002,359,296 | -HS- | M] () -- C:\Users\SandAle\NTUSER.DAT [2010/08/05 10:44:31 | 000,001,098 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job [2010/08/05 10:44:14 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat [2010/08/05 10:44:13 | 000,001,094 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job [2010/08/05 00:10:38 | 000,015,872 | ---- | M] () -- C:\Users\SandAle\Desktop\Schweden Sachen.xls [2010/08/05 00:09:13 | 000,014,512 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2010/08/05 00:09:13 | 000,014,512 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2010/08/05 00:01:58 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT [2010/08/05 00:01:51 | 2388,086,784 | -HS- | M] () -- C:\hiberfil.sys [2010/08/04 22:58:27 | 009,722,582 | -H-- | M] () -- C:\Users\SandAle\AppData\Local\IconCache.db [2010/08/04 21:28:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\SandAle\Desktop\OTL.exe [2010/08/04 17:56:35 | 000,000,153 | ---- | M] () -- C:\Users\SandAle\AppData\Roaming\default.rss [2010/08/04 03:47:05 | 000,113,664 | ---- | M] () -- C:\Users\SandAle\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/08/01 19:34:22 | 001,472,002 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI [2010/08/01 19:34:22 | 000,643,866 | ---- | M] () -- C:\windows\System32\perfh007.dat [2010/08/01 19:34:22 | 000,607,190 | ---- | M] () -- C:\windows\System32\perfh009.dat [2010/08/01 19:34:22 | 000,126,394 | ---- | M] () -- C:\windows\System32\perfc007.dat [2010/08/01 19:34:22 | 000,103,568 | ---- | M] () -- C:\windows\System32\perfc009.dat [2010/07/22 17:40:23 | 000,013,824 | ---- | M] () -- C:\Users\SandAle\Desktop\O-Phase 2010.xls [2010/07/22 17:29:49 | 000,054,035 | ---- | M] () -- C:\Users\SandAle\Desktop\Umweltgefährdend.png [2010/07/22 11:42:14 | 000,016,803 | ---- | M] () -- C:\Users\SandAle\Desktop\Inhalt.pdf [2010/07/16 10:52:58 | 000,050,915 | ---- | M] () -- C:\Users\SandAle\Desktop\picdump-10-07-16-02.jpg [2010/06/10 17:50:16 | 000,431,032 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT [15 C:\windows\*.tmp files -> C:\windows\*.tmp -> ] [1 C:\Users\SandAle\Desktop\*.tmp files -> C:\Users\SandAle\Desktop\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/08/04 17:55:36 | 000,000,153 | ---- | C] () -- C:\Users\SandAle\AppData\Roaming\default.rss [2010/08/04 16:33:30 | 000,015,872 | ---- | C] () -- C:\Users\SandAle\Desktop\Schweden Sachen.xls [2010/07/22 17:40:23 | 000,013,824 | ---- | C] () -- C:\Users\SandAle\Desktop\O-Phase 2010.xls [2010/07/22 17:24:45 | 000,054,035 | ---- | C] () -- C:\Users\SandAle\Desktop\Umweltgefährdend.png [2010/07/22 11:42:14 | 000,016,803 | ---- | C] () -- C:\Users\SandAle\Desktop\Inhalt.pdf [2010/07/16 10:52:58 | 000,050,915 | ---- | C] () -- C:\Users\SandAle\Desktop\picdump-10-07-16-02.jpg [2010/05/11 21:05:36 | 000,001,098 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job [2010/05/11 21:05:36 | 000,001,094 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job [2009/12/26 01:18:40 | 000,281,760 | ---- | C] () -- C:\windows\System32\drivers\atksgt.sys [2009/12/26 01:18:40 | 000,025,888 | ---- | C] () -- C:\windows\System32\drivers\lirsgt.sys [2009/12/07 21:27:30 | 000,000,097 | ---- | C] () -- C:\windows\System32\PICSDK.ini [2009/12/06 22:28:44 | 000,116,224 | ---- | C] () -- C:\windows\System32\redmonnt.dll [2009/12/06 22:22:50 | 000,178,176 | ---- | C] () -- C:\windows\System32\unrar.dll [2009/12/06 22:22:50 | 000,000,038 | ---- | C] () -- C:\windows\avisplitter.ini [2009/12/06 22:22:49 | 000,881,664 | ---- | C] () -- C:\windows\System32\xvidcore.dll [2009/12/06 22:22:49 | 000,205,824 | ---- | C] () -- C:\windows\System32\xvidvfw.dll [2009/12/06 22:22:48 | 003,596,288 | ---- | C] () -- C:\windows\System32\qt-dx331.dll [2009/12/06 22:22:47 | 000,085,504 | ---- | C] () -- C:\windows\System32\ff_vfw.dll [2009/12/06 22:22:47 | 000,000,547 | ---- | C] () -- C:\windows\System32\ff_vfw.dll.manifest [2009/12/06 13:38:53 | 000,110,592 | ---- | C] () -- C:\windows\System32\FsUsbExDevice.Dll [2009/12/06 13:38:53 | 000,036,608 | ---- | C] () -- C:\windows\System32\FsUsbExDisk.Sys [2009/12/05 18:39:08 | 000,691,696 | ---- | C] () -- C:\windows\System32\drivers\sptd.sys [2009/12/05 15:07:54 | 000,073,728 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll [2009/12/05 11:35:31 | 000,000,400 | ---- | C] () -- C:\windows\ODBC.INI [2009/12/04 22:44:57 | 000,040,960 | R--- | C] () -- C:\windows\System32\psfind.dll [2009/12/04 21:08:49 | 000,000,002 | ---- | C] () -- C:\windows\HotFixList.ini [2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\windows\System32\physxcudart_20.dll [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelTraditionalChinese.dll [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelSwedish.dll [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelSpanish.dll [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelSimplifiedChinese.dll [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelPortugese.dll [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelKorean.dll [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelJapanese.dll [2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelGerman.dll [2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelFrench.dll [2009/07/14 01:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll [2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll [2007/10/25 18:26:10 | 000,005,632 | ---- | C] () -- C:\windows\System32\drivers\StarOpen.sys ========== LOP Check ========== [2010/01/06 19:06:42 | 000,000,000 | -HSD | M] -- C:\Users\SandAle\AppData\Roaming\.# [2010/08/04 18:21:57 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7 [2010/07/26 17:42:58 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\DAEMON Tools Lite [2010/08/04 21:25:19 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\DC++ [2009/12/04 21:31:36 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\GameConsole [2009/12/18 18:36:28 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\Go Go Gourmet [2010/05/11 12:01:13 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\Miranda Fusion [2010/08/04 20:29:36 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\ofbanyeef [2010/04/12 00:17:19 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\OpenOffice.org [2010/01/25 20:11:07 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\PCToolsFirewallPlus [2009/12/04 21:41:37 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\PlayFirst [2010/01/06 19:21:37 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\Samsung [2010/07/03 21:38:48 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\SPORE [2009/12/14 15:40:48 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\Thunderbird [2010/05/09 12:33:30 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.* > [2010/07/21 10:35:36 | 000,000,000 | ---- | M] () -- C:\AILog.txt [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat [2009/06/10 23:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys [2007/12/27 23:24:08 | 000,015,428 | ---- | M] () -- C:\eula.1031.txt [2010/07/07 11:48:51 | 000,001,140 | ---- | M] () -- C:\fpRedmon.log [2007/12/27 23:24:08 | 000,001,110 | ---- | M] () -- C:\globdata.ini [2010/08/05 00:01:51 | 2388,086,784 | -HS- | M] () -- C:\hiberfil.sys [2007/12/27 23:24:08 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe [2007/12/27 23:24:20 | 000,000,843 | ---- | M] () -- C:\install.ini [2007/12/27 23:37:08 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll [2009/09/23 19:57:29 | 000,000,000 | RHS- | M] () -- C:\IO.SYS [2009/09/23 19:57:29 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS [2010/08/05 00:01:52 | 3184,119,808 | -HS- | M] () -- C:\pagefile.sys [2010/02/17 14:28:02 | 000,002,091 | ---- | M] () -- C:\RHDSetup.log [2010/08/04 20:32:36 | 000,000,551 | ---- | M] () -- C:\rkill.log [2010/02/17 14:28:02 | 000,000,206 | ---- | M] () -- C:\setup.log [2007/12/27 23:24:08 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp [2007/12/27 23:48:06 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab [2007/12/27 23:51:02 | 000,234,496 | ---- | M] () -- C:\VC_RED.MSI < %systemroot%\system32\*.wt > < %systemroot%\system32\*.ruy > < %systemroot%\Fonts\*.com > [2009/07/14 06:52:25 | 000,026,040 | ---- | M] () -- C:\windows\Fonts\GlobalMonospace.CompositeFont [2009/07/14 06:52:25 | 000,026,489 | ---- | M] () -- C:\windows\Fonts\GlobalSansSerif.CompositeFont [2009/07/14 06:52:25 | 000,029,779 | ---- | M] () -- C:\windows\Fonts\GlobalSerif.CompositeFont [2009/07/14 06:52:25 | 000,043,318 | ---- | M] () -- C:\windows\Fonts\GlobalUserInterface.CompositeFont < %systemroot%\Fonts\*.dll > < %systemroot%\Fonts\*.ini > [2009/06/10 23:31:19 | 000,000,065 | ---- | M] () -- C:\windows\Fonts\desktop.ini < %systemroot%\Fonts\*.ini2 > < %systemroot%\system32\spool\prtprocs\w32x86\*.* > [2009/07/14 03:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll [2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\mdippr.dll [2009/07/14 03:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll < %systemroot%\REPAIR\*.bak1 > < %systemroot%\REPAIR\*.ini > < %systemroot%\system32\*.jpg > < %systemroot%\*.scr > [2009/07/10 14:10:44 | 000,307,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR [15 C:\windows\*.tmp files -> C:\windows\*.tmp -> ] < %systemroot%\*._sy > < %APPDATA%\Adobe\Update\*.* > < %ALLUSERSPROFILE%\Favorites\*.* > < %APPDATA%\Microsoft\*.* > < %PROGRAMFILES%\*.* > [2009/07/14 06:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini < %APPDATA%\Update\*.* > < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\System32\config\*.sav > < %systemroot%\system32\user32.dll /md5 > [2009/07/14 03:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\System32\user32.dll < %systemroot%\system32\ws2_32.dll /md5 > [2009/07/14 03:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\System32\ws2_32.dll < %systemroot%\system32\ws2help.dll /md5 > [2009/07/14 03:11:26 | 000,004,608 | ---- | M] (Microsoft Corporation) MD5=808AABDF9337312195CAFF76D1804786 -- C:\Windows\System32\ws2help.dll < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU > < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-08-04 01:56:08 ========== Alternate Data Streams ========== @Alternate Data Stream - 152 bytes -> C:\ProgramData\Temp:5C5A503E @Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:A42A9F39 @Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:4CF61E54 @Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:ABE89FFE @Alternate Data Stream - 126 bytes -> C:\ProgramData\Temp:A66A990E @Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:E1F04E8D @Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:C31F31E6 < End of report > Extra.txt OTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 8/5/2010 11:03:16 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\SandAle\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 198.29 Gb Total Space | 111.61 Gb Free Space | 56.29% Space Free | Partition Type: NTFS
Drive D: | 252.37 Gb Total Space | 58.47 Gb Free Space | 23.17% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: HORST
Current User Name: SandAle
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
========== Authorized Applications List ==========
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{03534DA5-2F88-4B8E-A978-849B979E1B8F}" = TuxGuitar
"{07629207-FAA0-4F1A-8092-BF5085BE511F}" = Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch)
"{09298F26-A95C-31E2-9D95-2C60F586F075}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID-Anmelde-Assistent
"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution 4
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{178EE5F4-0F86-4BF0-A0D1-9790AFF409D1}" = EasyBatteryManager
"{192A107E-C6B9-41B9-BDBF-38E3AA226054}" = OpenOffice.org 3.2
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 18
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2BA722D1-48D1-406E-9123-8AE5431D63EF}" = Windows Live Fotogalerie
"{33CF58F5-48D8-4575-83D6-96F574E4D83A}" = Nero DriveSpeed
"{359CFC0A-BEB1-440D-95BA-CF63A86DA34F}" = Nero Recode
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{368BA326-73AD-4351-84ED-3C0A7A52CC53}" = Nero Rescue Agent
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3EFEF049-23D4-4B46-8903-4592FEA51018}" = Windows Live Movie Maker
"{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}" = Titan Quest
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{43E39830-1826-415D-8BAE-86845787B54B}" = Nero Vision
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D2121FE-5CCC-4D47-B3A0-BF56045A5099}" = Samsung Support Center
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{595A3116-40BB-4E0F-A2E8-D7951DA56270}" = NeroExpress
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}" = Nero CoverDesigner
"{63eafc52-b963-4297-a7eb-d412944e7065}_is1" = Game Pack
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{76618402-179D-4699-A66B-D351C59436BC}" = Windows Live Sync
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{7829DB6F-A066-4E40-8912-CB07887C20BB}" = Nero BurnRights
"{7FB12670-0F93-4E1E-B2F5-4F339199A03A}" = Microsoft SQL Server Native Client
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767}" = Alice Greenfingers
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-114072167}" = Go-Go Gourmet
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115053100}" = Dairy Dash
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115246907}" = Elf Bowling Hawaiian Vacation
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11531173}" = Farm Frenzy 2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{849A32C3-E75A-4791-9B11-E568BA3525A4}" = Microsoft SQL Server VSS Writer
"{853F8A41-A3C9-43FA-87FA-1AE74FC6F3F7}" = BatteryLifeExtender
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{869200DB-287A-4DC0-B02B-2B6787FBCD4C}" = Nero DiscSpeed
"{87C2248A-C7DD-49ED-9BCD-B312A9D0819E}" = Epson Easy Photo Print 2
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows Vista and Later
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{90A40407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0407-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{994223F3-A99B-4DDD-9E1D-0190A17C6860}" = Windows Live Family Safety
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{9E82B934-9A25-445B-B8DF-8012808074AC}" = Nero PhotoSnap
"{A209525B-3377-43F4-B886-32F6B6E7356F}" = Nero WaveEditor
"{A7581D39-EA20-4883-A480-80C21047052B}" = Easy Network Manager
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.3 - Deutsch
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B5C5C17E-FEF6-4062-8151-A427AE8AF9D7}" = Titan Quest Immortal Throne
"{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit
"{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{C1E11C46-E6EB-4BD2-9ADF-2A98ACBEB216}" = iTunes
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{C5A7CB6C-E76D-408F-BA0E-85605420FE9D}" = SoundTrax
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{D025A639-B9C9-417D-8531-208859000AF8}" = NeroBurningROM
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1434266-0486-4469-B338-A60082CC04E1}" = Atheros Client Installation Program
"{D3F2FAA5-FEC4-42AA-9ABA-1F763919A2B5}" = Samsung Update Plus
"{D9DCF92E-72EB-412D-AC71-3B01276E5F8B}" = Nero ShowTime
"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{EF367AA4-070B-493C-9575-85BE59D789C9}" = Easy SpeedUp Manager
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1861F30-3419-44DB-B2A1-C274825698B3}" = Nero Disc Copy Gadget
"{f58502db-ffec-4e55-b81c-e36141c61c12}" = Nero 9
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"{FBCDFD61-7DCF-4E71-9226-873BA0053139}" = Nero InfoTool
"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Windows-Treiberpaket - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Windows-Treiberpaket - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AnvSoft Flash to Video Converter Professional_is1" = AnvSoft Flash to Video Converter Professional 1.3.3
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"DC++" = DC++ 0.762
"DivX Setup.divx.com" = DivX-Setup
"EADM" = EA Download Manager
"EAX(tm) Unified (SHELL)" = EAX(tm) Unified (SHELL)
"EPSON S21 Series" = Druckerdeinstallation für EPSON S21 Series
"Epson Stylus S21_T21_T27 Benutzerhandbuch" = Epson Stylus S21_T21_T27 Handbuch
"FINAL FANTASY VIII" = FINAL FANTASY VIII
"FreePDF_XP" = FreePDF (Remove only)
"GPL Ghostscript 8.70" = GPL Ghostscript 8.70
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.4.4
"LastFM_is1" = Last.fm 1.5.4.24567
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MirandaFusion" = Miranda Fusion 2.0.23
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"PC Tools Firewall Plus" = PC Tools Firewall Plus 6.0
"PokerStars.net" = PokerStars.net
"PowerISO" = PowerISO
"RADVideo" = RAD Video Tools
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SystemRequirementsLab" = System Requirements Lab
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
"YDKJG" = YOU DON'T KNOW JACK®
"You Don't Know Jack 4" = You Don't Know Jack 4 1.00
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 7/27/2010 11:14:35 AM | Computer Name = Horst | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 7/27/2010 11:14:35 AM | Computer Name = Horst | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 14059184
Error - 7/27/2010 11:14:35 AM | Computer Name = Horst | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 14059184
Error - 7/27/2010 11:17:06 AM | Computer Name = Horst | Source = Google Update | ID = 20
Description =
Error - 7/28/2010 3:58:09 PM | Computer Name = Horst | Source = SideBySide | ID = 16842785
Description = Fehler beim Generieren des Aktivierungskontextes für "C:\Program Files\Samsung\Samsung
Support Center\Drv\drv2x64\KStartMem.exe.Manifest". Die abhängige Assemblierung
"Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0""
konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm
"sxstrace.exe".
Error - 7/28/2010 3:58:46 PM | Computer Name = Horst | Source = SideBySide | ID = 16842785
Description = Fehler beim Generieren des Aktivierungskontextes für "C:\Program Files\Samsung\BatteryLifeExtender\Drv\SABI2x64\KStartMem.exe.Manifest".
Die
abhängige Assemblierung "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0""
konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm
"sxstrace.exe".
Error - 7/28/2010 4:46:21 PM | Computer Name = Horst | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FF8.exe, Version: 0.0.0.0, Zeitstempel:
0x38ee73f0 Name des fehlerhaften Moduls: FF8.exe, Version: 0.0.0.0, Zeitstempel:
0x38ee73f0 Ausnahmecode: 0xc0000005 Fehleroffset: 0x000977d4 ID des fehlerhaften Prozesses:
0x1058 Startzeit der fehlerhaften Anwendung: 0x01cb2e95e45e6255 Pfad der fehlerhaften
Anwendung: D:\Spiele\FF VIII\FF8.exe Pfad des fehlerhaften Moduls: D:\Spiele\FF
VIII\FF8.exe Berichtskennung: 2d54d509-9a89-11df-ad3f-00245422697c
Error - 7/28/2010 4:46:48 PM | Computer Name = Horst | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FF8.exe, Version: 0.0.0.0, Zeitstempel:
0x38ee73f0 Name des fehlerhaften Moduls: FF8.exe, Version: 0.0.0.0, Zeitstempel:
0x38ee73f0 Ausnahmecode: 0xc0000005 Fehleroffset: 0x000977d4 ID des fehlerhaften Prozesses:
0x1280 Startzeit der fehlerhaften Anwendung: 0x01cb2e95f6160aab Pfad der fehlerhaften
Anwendung: D:\Spiele\FF VIII\FF8.exe Pfad des fehlerhaften Moduls: D:\Spiele\FF
VIII\FF8.exe Berichtskennung: 3d842a48-9a89-11df-ad3f-00245422697c
Error - 7/28/2010 4:47:24 PM | Computer Name = Horst | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FF8.exe, Version: 0.0.0.0, Zeitstempel:
0x38ee73f0 Name des fehlerhaften Moduls: FF8.exe, Version: 0.0.0.0, Zeitstempel:
0x38ee73f0 Ausnahmecode: 0xc0000005 Fehleroffset: 0x000977d4 ID des fehlerhaften Prozesses:
0x14f8 Startzeit der fehlerhaften Anwendung: 0x01cb2e960b2d48ba Pfad der fehlerhaften
Anwendung: D:\Spiele\FF VIII\FF8.exe Pfad des fehlerhaften Moduls: D:\Spiele\FF
VIII\FF8.exe Berichtskennung: 52992e07-9a89-11df-ad3f-00245422697c
Error - 7/28/2010 4:48:34 PM | Computer Name = Horst | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FF8.exe, Version: 0.0.0.0, Zeitstempel:
0x38ee73f0 Name des fehlerhaften Moduls: FF8.exe, Version: 0.0.0.0, Zeitstempel:
0x38ee73f0 Ausnahmecode: 0xc0000005 Fehleroffset: 0x000977d4 ID des fehlerhaften Prozesses:
0x988 Startzeit der fehlerhaften Anwendung: 0x01cb2e9625657623 Pfad der fehlerhaften
Anwendung: D:\Spiele\FF VIII\FF8.exe Pfad des fehlerhaften Moduls: D:\Spiele\FF
VIII\FF8.exe Berichtskennung: 7c972f1e-9a89-11df-ad3f-00245422697c
[ System Events ]
Error - 5/10/2010 11:09:57 AM | Computer Name = Horst | Source = bowser | ID = 8003
Description =
Error - 5/11/2010 3:33:06 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = Der Dienst "McAfee Real-time Scanner" wurde aufgrund folgenden Fehlers
nicht gestartet: %%2
Error - 5/11/2010 3:33:12 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7034
Description = Dienst "SQL Server VSS Writer" wurde unerwartet beendet. Dies ist
bereits 1 Mal passiert.
Error - 5/11/2010 5:48:37 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = Der Dienst "McAfee Real-time Scanner" wurde aufgrund folgenden Fehlers
nicht gestartet: %%2
Error - 5/11/2010 5:48:54 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7034
Description = Dienst "SQL Server VSS Writer" wurde unerwartet beendet. Dies ist
bereits 1 Mal passiert.
Error - 5/11/2010 5:54:37 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = Der Dienst "McAfee Real-time Scanner" wurde aufgrund folgenden Fehlers
nicht gestartet: %%2
Error - 5/11/2010 5:54:53 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7034
Description = Dienst "SQL Server VSS Writer" wurde unerwartet beendet. Dies ist
bereits 1 Mal passiert.
Error - 5/12/2010 2:06:11 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = Der Dienst "McAfee Real-time Scanner" wurde aufgrund folgenden Fehlers
nicht gestartet: %%2
Error - 5/12/2010 2:06:19 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7034
Description = Dienst "SQL Server VSS Writer" wurde unerwartet beendet. Dies ist
bereits 1 Mal passiert.
Error - 5/12/2010 7:37:23 PM | Computer Name = Horst | Source = DCOM | ID = 10010
Description =
< End of report >
|
|
05.08.2010, 11:29
| #4 |
| /// Selecta Jahrusso | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da Schritt 1 Temp File Cleaner Downloade Dir bitte TFC ( von Oldtimer ) und speichere die Datei auf dem Desktop. Schließe nun alle offenen Programme und trenne Dich von dem Internet. Doppelklick auf die TFC.exe Sollte TFC nicht alle Dateien löschen können wird es einen Neustart verlangen. Dies bitte zulassen. Schritt 2 Downloade Dir bitte defogger von jpshortstuff auf Deinem Desktop.
Wenn wir die Bereinigung beendet haben, starte bitte defogger erneut und klicke den Re-enable Button. Schritt 3 Bitte
Bitte poste in Deiner nächsten Antwort defogger_disable.txt Gmer.txt
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
05.08.2010, 12:10
| #5 | |
| | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da so hier wieder die ergebnisse: hab ich das richtig verstanden, dass ich den defogger erst nach eurem ok wieder benutzen darf? oder soll der jetzt schon wieder auf Re-Enable geklickt werden? erstmal die berichte: defogger: Zitat:
GMER Logfile: Code:
ATTFilter GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-08-05 12:07:12
Windows 6.1.7600
Running: i4trbk3u.exe; Driver: C:\Users\SandAle\AppData\Local\Temp\fxldipoc.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwAllocateVirtualMemory [0x82601752]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwAlpcConnectPort [0x82601388]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwAssignProcessToJobObject [0x82601440]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwConnectPort [0x82601482]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwCreateFile [0x82601530]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwCreateProcess [0x82601DD8]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwCreateProcessEx [0x82601E64]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwCreateThread [0x82601EF4]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwCreateThreadEx [0x82601F96]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwCreateUserProcess [0x82601D68]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwDebugActiveProcess [0x82601580]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwDuplicateObject [0x826015C2]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwLoadDriver [0x82601606]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwOpenKey [0x82601648]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwOpenSection [0x8260168A]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwOpenThread [0x826016CC]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwProtectVirtualMemory [0x8260179A]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwRequestWaitReplyPort [0x8260170E]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwRestoreKey [0x826017DC]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwResumeThread [0x82601824]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwSecureConnectPort [0x826018B4]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwSetValueKey [0x82601866]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwSuspendProcess [0x82601958]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwSystemDebugControl [0x8260199A]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwTerminateProcess [0x826019DC]
SSDT \??\C:\windows\system32\drivers\PCTAppEvent.sys ZwWriteVirtualMemory [0x82601A2A]
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83033AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83033104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830333F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301B634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301B898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830331DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83033958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830336F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83033F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830341A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C4E8E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C6E3D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 13B3 82C75680 3 Bytes [52, 17, 60] {PUSH EDX; POP SS; PUSHA }
.text ntoskrnl.exe!KeRemoveQueueEx + 13BF 82C7568C 3 Bytes [88, 13, 60] {MOV [EBX], DL; PUSHA }
.text ntoskrnl.exe!KeRemoveQueueEx + 1413 82C756E0 3 Bytes [40, 14, 60] {INC EAX; ADC AL, 0x60}
.text ntoskrnl.exe!KeRemoveQueueEx + 1453 82C75720 3 Bytes JMP 60148282
.text ntoskrnl.exe!KeRemoveQueueEx + 146F 82C7573C 3 Bytes [30, 15, 60]
.text ...
? \Device\Harddisk0\Partition3\windows\system32\drivers\PctWfpFilter.sys Das System kann den angegebenen Pfad nicht finden. !
.text C:\windows\system32\DRIVERS\atksgt.sys section is writeable [0x825AE300, 0x3B6D8, 0xE8000020]
.text C:\windows\system32\DRIVERS\lirsgt.sys section is writeable [0x825F1300, 0x1BEE, 0xE8000020]
.text peauth.sys 8260FC9D 28 Bytes [8F, 84, 45, 94, 68, D2, 01, ...]
.text peauth.sys 8260FCC1 28 Bytes [8F, 84, 45, 94, 68, D2, 01, ...]
PAGE peauth.sys 82615E20 101 Bytes [64, 5E, E2, 32, C4, BA, 5D, ...]
PAGE peauth.sys 8261602C 102 Bytes [C7, 77, BA, 2A, C2, DE, 40, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A54EF000 229 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5076 A54EF0E6 60 Bytes [A5, A1, 2C, A5, 4E, A5, 56, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A54EF123 629 Bytes [A5, 4E, A5, FE, 05, 34, A5, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A54EF399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A54EF3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp pctgntdi.sys
Device \Driver\ACPI_HAL \Device\00000062 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- Threads - GMER 1.0.15 ----
Thread System [4:3900] A54FCF2E
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x36 0xB0 0x7C 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x36 0xB0 0x7C 0x57 ...
---- EOF - GMER 1.0.15 ----
|
|
05.08.2010, 13:38
| #6 |
| /// Selecta Jahrusso | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da Hast Du richtig verstanden. Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!Lade ComboFix von einem der unten aufgeführten Links herunter. Du musst diese umbenennen, bevor Du es auf den Desktop speicherst. Speichere ComboFix auf deinen Desktop.**NB: Es ist wichtig, das ComboFix.exe auf dem Desktop gespeichert wird**  
__________________ --> Tr/Dropper und Antimalware Doctor - bei Neustart wieder da |
|
05.08.2010, 14:02
| #7 |
| | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da so auch dieses beendet! allerdings wärend des Durchlaufs musste ich tausend mal ein Fenster schließen: Dienstprogramm Find String (QGREP) reagiert nicht ist das ok, wenn ich immer auf "X" gedrückt habe? hier der Log: Combofix Logfile: Code:
ATTFilter ComboFix 10-08-04.05 - SandAle 05.08.2010 13:48:03.1.2 - x86 Microsoft Windows 7 Home Premium 6.1.7600.0.1252.49.1031.18.3037.2132 [GMT 2:00] ausgeführt von:: c:\users\SandAle\Desktop\Combo-Fix.exe . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . C:\Install.exe c:\programdata\FullRemove.exe c:\windows\system32\wuauclt.exe . . . ist infiziert!! c:\windows\system32\ctfmon.exe . . . ist infiziert!! . ((((((((((((((((((((((( Dateien erstellt von 2010-07-05 bis 2010-08-05 )))))))))))))))))))))))))))))) . 2010-08-04 17:14 . 2010-08-04 17:14 -------- d-----w- c:\users\SandAle\AppData\Roaming\Malwarebytes 2010-08-04 17:14 . 2010-04-29 10:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-04 17:14 . 2010-08-04 17:14 -------- d-----w- c:\programdata\Malwarebytes 2010-08-04 17:14 . 2010-08-04 17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-08-04 17:14 . 2010-04-29 10:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-04 16:15 . 2010-08-04 22:00 -------- d-----w- c:\users\SandAle\AppData\Local\ofbanyeef 2010-08-04 16:15 . 2010-08-04 18:29 -------- d-----w- c:\users\SandAle\AppData\Roaming\ofbanyeef 2010-08-04 16:15 . 2010-08-04 16:21 -------- d-----w- c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7 2010-07-26 15:07 . 2010-07-26 15:07 -------- d-----w- c:\program files\Creative Labs 2010-07-26 15:07 . 1999-07-06 12:13 40960 ----a-w- c:\windows\system32\eax.dll 2010-07-26 15:06 . 2010-07-26 15:07 -------- d-----w- c:\program files\EidosNet 2010-07-26 15:05 . 1998-10-29 14:45 306688 ----a-w- c:\windows\IsUninst.exe 2010-07-21 14:37 . 2010-07-21 14:37 -------- d-----w- c:\program files\iPod 2010-07-21 14:34 . 2010-07-21 14:34 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-05 11:45 . 2010-01-03 20:12 -------- d-----w- c:\users\SandAle\AppData\Roaming\DC++ 2010-08-04 20:01 . 2009-12-05 21:49 -------- d-----w- c:\users\SandAle\AppData\Roaming\Skype 2010-08-04 18:17 . 2009-12-05 21:51 -------- d-----w- c:\users\SandAle\AppData\Roaming\skypePM 2010-08-04 15:40 . 2009-12-04 19:31 -------- d-----w- c:\program files\Common Files\SWF Studio 2010-08-01 17:34 . 2009-09-22 22:05 643866 ----a-w- c:\windows\system32\perfh007.dat 2010-08-01 17:34 . 2009-09-22 22:05 126394 ----a-w- c:\windows\system32\perfc007.dat 2010-07-26 15:42 . 2010-01-05 21:08 -------- d-----w- c:\users\SandAle\AppData\Roaming\DAEMON Tools Lite 2010-07-26 09:49 . 2010-04-11 22:17 1 ----a-w- c:\users\SandAle\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-07-21 14:38 . 2009-12-29 14:47 -------- d-----w- c:\program files\iTunes 2010-07-21 14:37 . 2009-12-29 14:45 -------- d-----w- c:\program files\Common Files\Apple 2010-07-03 19:38 . 2010-06-20 16:46 -------- d-----w- c:\users\SandAle\AppData\Roaming\SPORE 2010-06-22 11:57 . 2009-12-29 14:47 -------- d-----w- c:\users\SandAle\AppData\Roaming\Apple Computer 2010-06-22 11:51 . 2009-12-29 14:46 -------- d-----w- c:\programdata\Apple Computer 2010-06-22 11:49 . 2010-06-22 11:49 -------- d-----w- c:\program files\Bonjour 2010-06-20 16:36 . 2009-09-22 05:19 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-06-14 16:39 . 2010-06-14 16:39 -------- d-----w- c:\users\SandAle\AppData\Roaming\Nero 2010-06-14 16:37 . 2010-06-14 16:29 -------- d-----w- c:\program files\Common Files\Nero 2010-06-14 16:37 . 2010-06-14 16:37 -------- d-----w- c:\program files\Nero ControlCenter 4 2010-06-14 16:37 . 2010-06-14 16:29 -------- d-----w- c:\program files\Nero 9 2010-06-14 16:31 . 2010-06-14 16:29 -------- d-----w- c:\programdata\Nero 2010-06-12 09:20 . 2009-12-17 16:17 -------- d-----w- c:\program files\PokerStars.NET 2010-06-07 05:45 . 2009-12-04 19:08 -------- d-----w- c:\program files\Microsoft Silverlight 2010-05-27 07:24 . 2010-06-10 14:09 34304 ----a-w- c:\windows\system32\atmlib.dll 2010-05-27 03:49 . 2010-06-10 14:09 293888 ----a-w- c:\windows\system32\atmfd.dll 2010-05-21 05:18 . 2010-06-10 14:09 977920 ----a-w- c:\windows\system32\wininet.dll 2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe 2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat 2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-29 7744032] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416] "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792] " Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\Hubi.exe" [2010-04-29 1090952] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp [HKLM\~\startupfolder\C:^Users^SandAle^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk] path=c:\users\SandAle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup backupExtension=.Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON S21 Series] 2008-09-12 04:00 199680 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIFAE.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreePDF Assistant] 2009-09-05 16:29 385024 ----a-w- c:\program files\FreePDF_XP\fpassist.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-07-16 05:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu] 2009-02-25 13:40 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-01-08 36608] R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336] R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 136176] R4 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-13 44312] R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-05 691696] S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-01-07 233136] S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128] S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336] S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-11-23 88040] S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-12 70664] S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-07 58816] S3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [2010-01-13 115216] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-20 189440] . Inhalt des "geplante Tasks" Ordners 2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:05] 2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:05] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.de/ uInternet Settings,ProxyOverride = <local> uInternet Settings,ProxyServer = http=127.0.0.1:6522 IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\users\SandAle\AppData\Roaming\Mozilla\Firefox\Profiles\cimcsryy.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/ FF - prefs.js: network.proxy.type - 4 FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll ---- FIREFOX Richtlinien ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - Entfernte verwaiste Registrierungseinträge - - - - Toolbar-Locked - (no file) SafeBoot-mcmscsvc SafeBoot-MCODS AddRemove-Samsung Mobile phone USB driver - c:\windows\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe AddRemove-You Don't Know Jack 4 - d:\spiele\YOUDON~1\Setup.exe . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_USERS\S-1-5-21-771618654-3341757510-301361698-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] @Allowed: (Read) (RestrictedCode) "??"=hex:79,13,56,62,1e,20,99,0d,ab,77,54,b0,86,d8,c2,45,69,fd,86,9e,22,e7,b0, 4f,fb,34,13,bf,45,0b,1f,1b,e9,23,d4,03,12,0f,89,11,7f,b0,47,65,f8,b9,13,dd,\ "??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12 [HKEY_USERS\S-1-5-21-771618654-3341757510-301361698-1000\Software\SecuROM\License information*] "datasecu"=hex:be,8a,ea,53,6e,cc,88,b4,8a,a1,de,5f,f7,58,a5,d8,ad,23,af,28,f0, 4f,5d,6e,d6,e2,3d,fc,e0,a5,05,02,e0,a5,e0,39,6a,c9,2f,ab,81,30,51,1f,65,d2,\ "rkeysecu"=hex:c4,6c,f0,dc,d9,12,8b,a5,f4,9f,85,11,e3,7c,35,6c [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Weitere laufende Prozesse ------------------------ . c:\windows\system32\nvvsvc.exe c:\windows\system32\nvvsvc.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\PC Tools Firewall Plus\FWService.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\windows\system32\conhost.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\windows\system32\taskhost.exe c:\program files\Samsung\Samsung Support Center\SSCKbdHk.exe c:\program files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\windows\servicing\TrustedInstaller.exe c:\windows\system32\conhost.exe c:\program files\Synaptics\SynTP\SynTPHelper.exe c:\windows\system32\sppsvc.exe . ************************************************************************** . Zeit der Fertigstellung: 2010-08-05 14:00:10 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2010-08-05 12:00 Vor Suchlauf: 10 Verzeichnis(se), 121.821.429.760 Bytes frei Nach Suchlauf: 14 Verzeichnis(se), 121.728.192.512 Bytes frei - - End Of File - - 4A04C297B23398E2A60273A3BDACD4D6 |
|
05.08.2010, 14:58
| #8 |
| /// Selecta Jahrusso | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da Nicht gut  Bitte lasse die Dateien aus der Code-Box bei Virustotal überprüfen Code:
ATTFilter c:\windows\system32\ctfmon.exe
c:\windows\system32\wuauclt.exe
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
05.08.2010, 15:20
| #9 | ||
| | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da das ist die ctfmon.exe: Zitat:
Zitat:
|
|
05.08.2010, 15:26
| #10 |
| /// Selecta Jahrusso | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da Poppt der Malware Doctor immernoch auf? CustomScan mit OTL Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
Code:
ATTFilter /md5start
ctfmon.exe
wuauclt.exe
/md5stop
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
05.08.2010, 15:28
| #11 |
| | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da den hab ich shcon total vergessen^^ nein, der malware doctor ist wohl tot =) |
|
05.08.2010, 15:33
| #12 |
| | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da der neue otl.txt: OTL Logfile: Code:
ATTFilter OTL logfile created on: 8/5/2010 3:31:30 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\SandAle\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 198.29 Gb Total Space | 113.42 Gb Free Space | 57.20% Space Free | Partition Type: NTFS
Drive D: | 252.37 Gb Total Space | 58.47 Gb Free Space | 23.17% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: HORST
Current User Name: SandAle
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Custom Scans ==========
< MD5 for: CTFMON.EXE >
[2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\Windows\ERDNT\cache\ctfmon.exe
[2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\Windows\System32\ctfmon.exe
[2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe
< MD5 for: WUAUCLT.EXE >
[2009/07/14 03:14:50 | 000,047,104 | ---- | M] (Microsoft Corporation) MD5=B0DA80FF42A0819D162A86612896AAF2 -- C:\Windows\ERDNT\cache\wuauclt.exe
[2009/07/14 03:14:50 | 000,047,104 | ---- | M] (Microsoft Corporation) MD5=B0DA80FF42A0819D162A86612896AAF2 -- C:\Windows\System32\wuauclt.exe
[2009/07/14 03:14:50 | 000,047,104 | ---- | M] (Microsoft Corporation) MD5=B0DA80FF42A0819D162A86612896AAF2 -- C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe
< End of report >
|
|
05.08.2010, 15:37
| #13 |
| /// Selecta Jahrusso | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da Lösche die vorhandene Combofix.exe von deinem Desktop und lade das Programm von einem der folgenden Download-Spiegel neu herunter: BleepingComputer.com - ForoSpyware.comund speichere es erneut auf dem Desktop (nicht woanders hin, das ist wichtig)! Lass Combofix bitte erneut laufen
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
05.08.2010, 15:46
| #14 |
| | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da gelöscht, neu runtergeladen und neu durchgeführt! diesmal hatte er auch keine Probleme, dass irgendetwas nicht reagiert^^ Combofix Logfile: Code:
ATTFilter ComboFix 10-08-04.05 - SandAle 05.08.2010 15:40:40.2.2 - x86 Microsoft Windows 7 Home Premium 6.1.7600.0.1252.49.1031.18.3037.2204 [GMT 2:00] ausgeführt von:: c:\users\SandAle\Desktop\Combo-Fix.exe . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\users\SandAle\AppData\Roaming\.# c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7 c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7\enemies-names.txt c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7\local.ini c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7\lsrslt.ini c:\windows\SEC c:\windows\SEC\172100logo.bmp c:\windows\SEC\banner.png c:\windows\SEC\Computer.png c:\windows\SEC\Media _S_ Logo.png c:\windows\SEC\Samsung.png c:\windows\SEC\Samsung2.png c:\windows\SEC\SamsungLogo.png c:\windows\SEC\Thumbs.db c:\windows\SEC\Wallpapers\Thumbs.db c:\windows\SEC\Wallpapers\wallpaper.jpg c:\windows\SEC\Wallpapers\wallpaper1.jpg c:\windows\SEC\Wallpapers\Wallpaper2.jpg . ((((((((((((((((((((((( Dateien erstellt von 2010-07-05 bis 2010-08-05 )))))))))))))))))))))))))))))) . 2010-08-05 13:44 . 2010-08-05 13:44 -------- d-----w- c:\users\SandAle\AppData\Local\temp 2010-08-05 13:44 . 2010-08-05 13:44 -------- d-----w- c:\users\Public\AppData\Local\temp 2010-08-05 13:44 . 2010-08-05 13:44 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-08-05 11:47 . 2010-08-05 12:00 -------- d-----w- C:\Combo-Fix 2010-08-04 17:14 . 2010-08-04 17:14 -------- d-----w- c:\users\SandAle\AppData\Roaming\Malwarebytes 2010-08-04 17:14 . 2010-04-29 10:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-04 17:14 . 2010-08-04 17:14 -------- d-----w- c:\programdata\Malwarebytes 2010-08-04 17:14 . 2010-08-04 17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-08-04 17:14 . 2010-04-29 10:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-04 16:15 . 2010-08-04 22:00 -------- d-----w- c:\users\SandAle\AppData\Local\ofbanyeef 2010-08-04 16:15 . 2010-08-04 18:29 -------- d-----w- c:\users\SandAle\AppData\Roaming\ofbanyeef 2010-07-26 15:07 . 2010-07-26 15:07 -------- d-----w- c:\program files\Creative Labs 2010-07-26 15:07 . 1999-07-06 12:13 40960 ----a-w- c:\windows\system32\eax.dll 2010-07-26 15:06 . 2010-07-26 15:07 -------- d-----w- c:\program files\EidosNet 2010-07-26 15:05 . 1998-10-29 14:45 306688 ----a-w- c:\windows\IsUninst.exe 2010-07-21 14:37 . 2010-07-21 14:37 -------- d-----w- c:\program files\iPod 2010-07-21 14:34 . 2010-07-21 14:34 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-05 11:45 . 2010-01-03 20:12 -------- d-----w- c:\users\SandAle\AppData\Roaming\DC++ 2010-08-04 20:01 . 2009-12-05 21:49 -------- d-----w- c:\users\SandAle\AppData\Roaming\Skype 2010-08-04 18:17 . 2009-12-05 21:51 -------- d-----w- c:\users\SandAle\AppData\Roaming\skypePM 2010-08-04 15:40 . 2009-12-04 19:31 -------- d-----w- c:\program files\Common Files\SWF Studio 2010-08-01 17:34 . 2009-09-22 22:05 643866 ----a-w- c:\windows\system32\perfh007.dat 2010-08-01 17:34 . 2009-09-22 22:05 126394 ----a-w- c:\windows\system32\perfc007.dat 2010-07-26 15:42 . 2010-01-05 21:08 -------- d-----w- c:\users\SandAle\AppData\Roaming\DAEMON Tools Lite 2010-07-26 09:49 . 2010-04-11 22:17 1 ----a-w- c:\users\SandAle\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-07-21 14:38 . 2009-12-29 14:47 -------- d-----w- c:\program files\iTunes 2010-07-21 14:37 . 2009-12-29 14:45 -------- d-----w- c:\program files\Common Files\Apple 2010-07-03 19:38 . 2010-06-20 16:46 -------- d-----w- c:\users\SandAle\AppData\Roaming\SPORE 2010-06-22 11:57 . 2009-12-29 14:47 -------- d-----w- c:\users\SandAle\AppData\Roaming\Apple Computer 2010-06-22 11:51 . 2009-12-29 14:46 -------- d-----w- c:\programdata\Apple Computer 2010-06-22 11:49 . 2010-06-22 11:49 -------- d-----w- c:\program files\Bonjour 2010-06-20 16:36 . 2009-09-22 05:19 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-06-14 16:39 . 2010-06-14 16:39 -------- d-----w- c:\users\SandAle\AppData\Roaming\Nero 2010-06-14 16:37 . 2010-06-14 16:29 -------- d-----w- c:\program files\Common Files\Nero 2010-06-14 16:37 . 2010-06-14 16:37 -------- d-----w- c:\program files\Nero ControlCenter 4 2010-06-14 16:37 . 2010-06-14 16:29 -------- d-----w- c:\program files\Nero 9 2010-06-14 16:31 . 2010-06-14 16:29 -------- d-----w- c:\programdata\Nero 2010-06-12 09:20 . 2009-12-17 16:17 -------- d-----w- c:\program files\PokerStars.NET 2010-06-07 05:45 . 2009-12-04 19:08 -------- d-----w- c:\program files\Microsoft Silverlight 2010-05-27 07:24 . 2010-06-10 14:09 34304 ----a-w- c:\windows\system32\atmlib.dll 2010-05-27 03:49 . 2010-06-10 14:09 293888 ----a-w- c:\windows\system32\atmfd.dll 2010-05-21 05:18 . 2010-06-10 14:09 977920 ----a-w- c:\windows\system32\wininet.dll 2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe 2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat 2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-29 7744032] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416] "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792] " Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\Hubi.exe" [2010-04-29 1090952] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp [HKLM\~\startupfolder\C:^Users^SandAle^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk] path=c:\users\SandAle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup backupExtension=.Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON S21 Series] 2008-09-12 04:00 199680 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIFAE.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreePDF Assistant] 2009-09-05 16:29 385024 ----a-w- c:\program files\FreePDF_XP\fpassist.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-07-16 05:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu] 2009-02-25 13:40 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-01-08 36608] R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336] R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 136176] R4 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-13 44312] R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-05 691696] S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-01-07 233136] S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128] S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336] S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-11-23 88040] S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-12 70664] S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-07 58816] S3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [2010-01-13 115216] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-20 189440] . Inhalt des "geplante Tasks" Ordners 2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:05] 2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:05] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.de/ uInternet Settings,ProxyOverride = <local> uInternet Settings,ProxyServer = http=127.0.0.1:6522 IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\users\SandAle\AppData\Roaming\Mozilla\Firefox\Profiles\cimcsryy.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/ FF - prefs.js: network.proxy.type - 4 FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll ---- FIREFOX Richtlinien ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_USERS\S-1-5-21-771618654-3341757510-301361698-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] @Allowed: (Read) (RestrictedCode) "??"=hex:79,13,56,62,1e,20,99,0d,ab,77,54,b0,86,d8,c2,45,69,fd,86,9e,22,e7,b0, 4f,fb,34,13,bf,45,0b,1f,1b,e9,23,d4,03,12,0f,89,11,7f,b0,47,65,f8,b9,13,dd,\ "??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12 [HKEY_USERS\S-1-5-21-771618654-3341757510-301361698-1000\Software\SecuROM\License information*] "datasecu"=hex:be,8a,ea,53,6e,cc,88,b4,8a,a1,de,5f,f7,58,a5,d8,ad,23,af,28,f0, 4f,5d,6e,d6,e2,3d,fc,e0,a5,05,02,e0,a5,e0,39,6a,c9,2f,ab,81,30,51,1f,65,d2,\ "rkeysecu"=hex:c4,6c,f0,dc,d9,12,8b,a5,f4,9f,85,11,e3,7c,35,6c [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Zeit der Fertigstellung: 2010-08-05 15:45:39 ComboFix-quarantined-files.txt 2010-08-05 13:45 ComboFix2.txt 2010-08-05 12:00 Vor Suchlauf: 14 Verzeichnis(se), 121.530.929.152 Bytes frei Nach Suchlauf: 14 Verzeichnis(se), 121.475.850.240 Bytes frei - - End Of File - - E5B29C5CD9F5179157830B91373F7AFC |
|
05.08.2010, 15:51
| #15 |
| /// Selecta Jahrusso | Tr/Dropper und Antimalware Doctor - bei Neustart wieder da Schritt 1 Hinweis für Mitleser: Folgendes ComboFix Skript ist ausschließlich für diesen User in dieser Situtation erstellt worden. Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen! Drücke die Windows + R Taste --> Notepad (hinein schreiben) --> OK Kopiere nun den Text aus der folgenden Codebox komplett in das leere Textdokument. Code:
ATTFilter Folder::
c:\users\SandAle\AppData\Local\ofbanyeef
c:\users\SandAle\AppData\Roaming\ofbanyeef
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
Wichtig:
Falls im Skript die Anweisung Suspect:: oder Collect:: enthalten ist, wird eine Message-Box erscheinen, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen. Schritt 2 CustomScan mit OTL Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
Code:
ATTFilter netsvcs
drivers32 /all
msconfig
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
Bitte poste in Deiner nächsten Antwort Combofix.txt OTL.txt
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
| Themen zu Tr/Dropper und Antimalware Doctor - bei Neustart wieder da |
| adresse, anhang, antimalware, browser, entdeck, falsche, firefox, forum, gelöscht, interne, internet, internet browser, laptop, malwarebytes, namens, neu, neustart, nicht öffnen, programm, programme, programme nicht öffnen, protokoll, proxy, starte, startet, tr/dropper, verdächtige, öffnen |
Textbox.
.
