
Pests of all kinds and how to fight them: Tr/Dropper and Antimalware Doctor - back again after a restart


04.08.2010, 21:49   #1
armes Opfer
 
Hi there,

Today I first discovered: BDS/VB.lvn.120
and shortly afterwards: TR/Dropper.Gen
with my AntiVir.

Afterwards I had a lovely program called "antimalware doctor" on my laptop that bombarded me with alerts.

I also couldn't open many programs for a while, and my internet browser (Firefox) had a wrong proxy address, which is why I initially couldn't get onto the internet either.

I found a procedure here in the forum in which the antimalware doctor is first shut down with "rKiller" and then a scan is run with "malwarebytes".

That also deleted 9 suspicious programs, but every time I restart, at least the antimalware doctor starts up again...


This (attachment) came out as the log of my Malwarebytes scan:
Attached file: mbam-log-2010-08-04 (20-28-27).txt (1.8 KB)

05.08.2010, 00:53   #2
Larusso
/// Selecta Jahrusso
 
A cleanup can sometimes mean a lot of work for you.
  • Please work through all the steps in order.
  • Read the instructions carefully. If there are problems, please stop and describe them here as well as you can.
  • Only run scans that a helper asks you to run.
  • Please no crossposting (posting in several forums).
  • Do not install or uninstall any software during the cleanup unless you are asked to.
  • Read the instructions completely first. If anything is unclear, ask before you begin.
  • Post the logfiles directly in your thread. Do not attach them unless I ask you to. It makes evaluating them harder for me.

Note: I can never give you a guarantee that I will find everything. A format is usually the quicker and always the safest way.
If you decide on a cleanup, keep working with us until someone from the team tells you that you are clean.

Vista and Win7 users
Start all tools with right-click "Run as administrator".

Step 1

Custom scan with OTL

If you do not have it yet, please download OTL by OldTimer and save it to your desktop
  • Please start OTL.exe.
    Vista and Win7 users: right-click "Run as administrator"
  • Now copy the content into the text box.
Code:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Now please close all programs. (Important)
  • Now please click the Quick Scan button.
  • Click on .
  • Now copy the content of OTL.txt and Extra.txt here into your thread
05.08.2010, 11:08   #3
armes Opfer
 
So this is what OTL produced:

OTL.txt

OTL logfile:
Code:
OTL logfile created on: 8/5/2010 11:03:16 AM - Run 1
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Users\SandAle\Desktop
 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 198.29 Gb Total Space | 111.61 Gb Free Space | 56.29% Space Free | Partition Type: NTFS
Drive D: | 252.37 Gb Total Space | 58.47 Gb Free Space | 23.17% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: HORST
Current User Name: SandAle
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2010/08/04 21:28:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\SandAle\Desktop\OTL.exe
PRC - [2010/04/20 08:19:12 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 11:28:23 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:01 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/19 11:34:48 | 002,201,192 | ---- | M] (SEC) -- C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
PRC - [2010/01/14 22:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2010/01/12 12:41:00 | 003,168,216 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
PRC - [2009/11/09 12:20:14 | 000,818,432 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Firewall Plus\FWService.exe
PRC - [2009/10/31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/09/29 19:28:44 | 007,744,032 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
PRC - [2009/09/08 01:47:52 | 000,832,512 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2009/09/07 12:42:04 | 000,093,184 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
PRC - [2009/08/23 06:47:34 | 000,716,800 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
PRC - [2009/07/14 03:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 03:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009/03/30 17:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 17:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
PRC - [2009/03/19 17:11:24 | 001,138,688 | ---- | M] (Last.fm) -- C:\Programme\Last.fm\LastFM.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/08/04 21:28:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\SandAle\Desktop\OTL.exe
MOD - [2009/07/14 03:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 03:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 03:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 03:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 03:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 03:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 03:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 03:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 03:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 03:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 03:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/14 03:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [On_Demand | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe -- (McSysmon)
SRV - File not found [Unknown | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe -- (McShield)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/04/20 08:19:12 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 10:28:01 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/11/09 12:20:14 | 000,818,432 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Firewall Plus\FWService.exe -- (PCToolsFirewallPlus)
SRV - [2009/09/23 13:38:18 | 000,935,208 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/08/13 22:58:10 | 000,044,312 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe -- (OberonGameConsoleService)
SRV - [2009/08/05 23:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/07/14 03:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 03:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 03:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 03:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 03:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 03:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 03:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 03:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
SRV - [2009/07/14 03:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 03:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 03:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 03:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 03:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 03:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX-Installer (AxInstSV)
SRV - [2009/07/14 03:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 03:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/03/30 17:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2010/03/01 10:05:19 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/01/13 09:59:28 | 000,115,216 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctplfw.sys -- (pctplfw)
DRV - [2010/01/12 10:34:14 | 000,070,664 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctNdis-PacketFilter.sys -- (PCTFW-PacketFilter)
DRV - [2010/01/11 12:05:36 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/01/11 12:05:36 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2010/01/07 13:40:26 | 000,233,136 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\Windows\System32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2010/01/07 12:35:06 | 000,058,816 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctNdis.sys -- (pctNDIS)
DRV - [2010/01/05 23:09:32 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/12/14 05:44:42 | 001,245,696 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/12/11 09:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/11/23 14:54:20 | 000,088,040 | ---- | M] (PC Tools) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PCTAppEvent.sys -- (PCTAppEvent)
DRV - [2009/11/21 04:34:54 | 011,515,752 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/11/04 17:54:12 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 17:54:12 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 17:54:12 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/09/29 19:16:02 | 002,776,672 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/08/21 01:04:54 | 000,189,440 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2009/08/05 23:48:42 | 000,054,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\fssfltr.sys -- (fssfltr)
DRV - [2009/07/15 01:16:34 | 000,212,656 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/07/14 03:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 03:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 03:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 03:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 03:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 03:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 03:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 03:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 03:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 03:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 03:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 03:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 03:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 03:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 03:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 03:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 03:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 03:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 03:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 03:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 03:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 03:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 03:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 03:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 03:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 03:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 03:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 03:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 03:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 03:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 03:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 03:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 03:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 03:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 03:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 03:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 03:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 03:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 02:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 02:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 02:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 01:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 01:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 01:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 01:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/14 01:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/14 01:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 01:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 01:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 01:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 01:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 01:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 01:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 01:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 01:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 01:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 01:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/14 01:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 01:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/14 00:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/14 00:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/14 00:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/14 00:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/14 00:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/14 00:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/14 00:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/14 00:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/14 00:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/06/10 23:19:30 | 004,756,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2009/06/04 11:43:16 | 000,330,264 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2009/05/28 08:38:12 | 000,010,752 | ---- | M] (SAMSUNG ELECTRONICS) [Kernel | System | Running] -- C:\Windows\System32\drivers\SABI.sys -- (SABI)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/15 12:25:46 | 000,056,268 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\windows\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2009/01/08 10:42:54 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2008/02/22 16:33:02 | 000,114,304 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2008/02/22 16:33:02 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2008/02/22 16:33:00 | 000,087,936 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: philip.hasky@stud.fh-dortmund.de:1.6
FF - prefs.js..network.proxy.type: 4
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/28 21:05:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/28 21:05:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/05/03 07:41:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/07/08 17:41:03 | 000,000,000 | ---D | M]
 
[2009/12/14 15:40:50 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\mozilla\Extensions
[2009/12/14 15:40:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\SandAle\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/08/04 22:03:28 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\mozilla\Firefox\Profiles\cimcsryy.default\extensions
[2010/06/28 17:18:10 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\SandAle\AppData\Roaming\mozilla\Firefox\Profiles\cimcsryy.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/04/14 13:30:48 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\mozilla\Firefox\Profiles\cimcsryy.default\extensions\philip.hasky@stud.fh-dortmund.de
[2010/05/04 20:03:22 | 000,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2010/05/04 20:03:21 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/03/12 12:41:16 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2010/03/12 12:41:16 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2010/03/12 12:41:16 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2010/03/12 12:41:16 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2010/03/12 12:41:16 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009/06/10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [00PCTFW] C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ Malwarebytes Anti-Malware  (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\Hubi.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.3.11.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\windows\System32\livessp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\YDKJAutorun.exe -- File not found
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\startup.exe -- File not found
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\startup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: Wmi - C:\windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
 
Drivers32: aux - C:\windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\windows\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.ac3acm - C:\windows\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.imaadpcm - C:\windows\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\windows\System32\lameACM.acm (hxxp://www.mp3dev.org/)
Drivers32: msacm.msadpcm - C:\windows\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\windows\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\windows\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\windows\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\windows\System32\ff_vfw.dll ()
Drivers32: vidc.i420 - C:\windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: VIDC.IYUV - C:\windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\windows\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\windows\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.XVID - C:\windows\System32\xvidvfw.dll ()
Drivers32: VIDC.YUY2 - C:\windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YV12 - C:\windows\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.YVU9 - C:\windows\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\windows\System32\msacm32.drv (Microsoft Corporation)
 
========== Files/Folders - Created Within 90 Days ==========
 
[2010/08/04 21:28:12 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Desktop\anti doctor dingens
[2010/08/04 21:27:56 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\SandAle\Desktop\OTL.exe
[2010/08/04 19:14:59 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\Malwarebytes
[2010/08/04 19:14:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/08/04 19:14:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/08/04 19:14:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/08/04 19:14:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/04 18:15:30 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\ofbanyeef
[2010/08/04 18:15:30 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Local\ofbanyeef
[2010/08/04 18:15:12 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7
[2010/07/26 17:07:36 | 000,000,000 | ---D | C] -- C:\Program Files\Creative Labs
[2010/07/26 17:06:58 | 000,000,000 | ---D | C] -- C:\Program Files\EidosNet
[2010/07/21 16:37:39 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/06/29 11:53:50 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Desktop\Briefe
[2010/06/29 10:12:31 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Desktop\Bafög
[2010/06/22 13:49:55 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/06/20 18:47:34 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Documents\MeinSpore-Kreationen
[2010/06/20 18:46:40 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\SPORE
[2010/06/14 18:39:00 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\Nero
[2010/06/14 18:37:24 | 000,000,000 | ---D | C] -- C:\Program Files\Nero ControlCenter 4
[2010/06/14 18:29:56 | 000,000,000 | ---D | C] -- C:\Program Files\Nero 9
[2010/06/14 18:29:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Nero
[2010/06/14 18:29:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2010/06/01 19:47:27 | 000,000,000 | ---D | C] -- C:\Users\SandAle\Desktop\Simpsons Songs
[2010/05/11 21:05:34 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/05/11 12:01:13 | 000,000,000 | ---D | C] -- C:\Users\SandAle\AppData\Roaming\Miranda Fusion
[15 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\Users\SandAle\Desktop\*.tmp files -> C:\Users\SandAle\Desktop\*.tmp -> ]
 
========== Files - Modified Within 90 Days ==========
 
[2010/08/05 11:04:11 | 002,359,296 | -HS- | M] () -- C:\Users\SandAle\NTUSER.DAT
[2010/08/05 10:44:31 | 000,001,098 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/05 10:44:14 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2010/08/05 10:44:13 | 000,001,094 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/05 00:10:38 | 000,015,872 | ---- | M] () -- C:\Users\SandAle\Desktop\Schweden Sachen.xls
[2010/08/05 00:09:13 | 000,014,512 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/08/05 00:09:13 | 000,014,512 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/08/05 00:01:58 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2010/08/05 00:01:51 | 2388,086,784 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/04 22:58:27 | 009,722,582 | -H-- | M] () -- C:\Users\SandAle\AppData\Local\IconCache.db
[2010/08/04 21:28:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\SandAle\Desktop\OTL.exe
[2010/08/04 17:56:35 | 000,000,153 | ---- | M] () -- C:\Users\SandAle\AppData\Roaming\default.rss
[2010/08/04 03:47:05 | 000,113,664 | ---- | M] () -- C:\Users\SandAle\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/01 19:34:22 | 001,472,002 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2010/08/01 19:34:22 | 000,643,866 | ---- | M] () -- C:\windows\System32\perfh007.dat
[2010/08/01 19:34:22 | 000,607,190 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2010/08/01 19:34:22 | 000,126,394 | ---- | M] () -- C:\windows\System32\perfc007.dat
[2010/08/01 19:34:22 | 000,103,568 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2010/07/22 17:40:23 | 000,013,824 | ---- | M] () -- C:\Users\SandAle\Desktop\O-Phase 2010.xls
[2010/07/22 17:29:49 | 000,054,035 | ---- | M] () -- C:\Users\SandAle\Desktop\Umweltgefährdend.png
[2010/07/22 11:42:14 | 000,016,803 | ---- | M] () -- C:\Users\SandAle\Desktop\Inhalt.pdf
[2010/07/16 10:52:58 | 000,050,915 | ---- | M] () -- C:\Users\SandAle\Desktop\picdump-10-07-16-02.jpg
[2010/06/10 17:50:16 | 000,431,032 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[15 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\Users\SandAle\Desktop\*.tmp files -> C:\Users\SandAle\Desktop\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010/08/04 17:55:36 | 000,000,153 | ---- | C] () -- C:\Users\SandAle\AppData\Roaming\default.rss
[2010/08/04 16:33:30 | 000,015,872 | ---- | C] () -- C:\Users\SandAle\Desktop\Schweden Sachen.xls
[2010/07/22 17:40:23 | 000,013,824 | ---- | C] () -- C:\Users\SandAle\Desktop\O-Phase 2010.xls
[2010/07/22 17:24:45 | 000,054,035 | ---- | C] () -- C:\Users\SandAle\Desktop\Umweltgefährdend.png
[2010/07/22 11:42:14 | 000,016,803 | ---- | C] () -- C:\Users\SandAle\Desktop\Inhalt.pdf
[2010/07/16 10:52:58 | 000,050,915 | ---- | C] () -- C:\Users\SandAle\Desktop\picdump-10-07-16-02.jpg
[2010/05/11 21:05:36 | 000,001,098 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/11 21:05:36 | 000,001,094 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/12/26 01:18:40 | 000,281,760 | ---- | C] () -- C:\windows\System32\drivers\atksgt.sys
[2009/12/26 01:18:40 | 000,025,888 | ---- | C] () -- C:\windows\System32\drivers\lirsgt.sys
[2009/12/07 21:27:30 | 000,000,097 | ---- | C] () -- C:\windows\System32\PICSDK.ini
[2009/12/06 22:28:44 | 000,116,224 | ---- | C] () -- C:\windows\System32\redmonnt.dll
[2009/12/06 22:22:50 | 000,178,176 | ---- | C] () -- C:\windows\System32\unrar.dll
[2009/12/06 22:22:50 | 000,000,038 | ---- | C] () -- C:\windows\avisplitter.ini
[2009/12/06 22:22:49 | 000,881,664 | ---- | C] () -- C:\windows\System32\xvidcore.dll
[2009/12/06 22:22:49 | 000,205,824 | ---- | C] () -- C:\windows\System32\xvidvfw.dll
[2009/12/06 22:22:48 | 003,596,288 | ---- | C] () -- C:\windows\System32\qt-dx331.dll
[2009/12/06 22:22:47 | 000,085,504 | ---- | C] () -- C:\windows\System32\ff_vfw.dll
[2009/12/06 22:22:47 | 000,000,547 | ---- | C] () -- C:\windows\System32\ff_vfw.dll.manifest
[2009/12/06 13:38:53 | 000,110,592 | ---- | C] () -- C:\windows\System32\FsUsbExDevice.Dll
[2009/12/06 13:38:53 | 000,036,608 | ---- | C] () -- C:\windows\System32\FsUsbExDisk.Sys
[2009/12/05 18:39:08 | 000,691,696 | ---- | C] () -- C:\windows\System32\drivers\sptd.sys
[2009/12/05 15:07:54 | 000,073,728 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2009/12/05 11:35:31 | 000,000,400 | ---- | C] () -- C:\windows\ODBC.INI
[2009/12/04 22:44:57 | 000,040,960 | R--- | C] () -- C:\windows\System32\psfind.dll
[2009/12/04 21:08:49 | 000,000,002 | ---- | C] () -- C:\windows\HotFixList.ini
[2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\windows\System32\physxcudart_20.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelSwedish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelSpanish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelPortugese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelKorean.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelJapanese.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelGerman.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\windows\System32\AgCPanelFrench.dll
[2009/07/14 01:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
[2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
[2007/10/25 18:26:10 | 000,005,632 | ---- | C] () -- C:\windows\System32\drivers\StarOpen.sys
 
========== LOP Check ==========
 
[2010/01/06 19:06:42 | 000,000,000 | -HSD | M] -- C:\Users\SandAle\AppData\Roaming\.#
[2010/08/04 18:21:57 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7
[2010/07/26 17:42:58 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\DAEMON Tools Lite
[2010/08/04 21:25:19 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\DC++
[2009/12/04 21:31:36 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\GameConsole
[2009/12/18 18:36:28 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\Go Go Gourmet
[2010/05/11 12:01:13 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\Miranda Fusion
[2010/08/04 20:29:36 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\ofbanyeef
[2010/04/12 00:17:19 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\OpenOffice.org
[2010/01/25 20:11:07 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\PCToolsFirewallPlus
[2009/12/04 21:41:37 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\PlayFirst
[2010/01/06 19:21:37 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\Samsung
[2010/07/03 21:38:48 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\SPORE
[2009/12/14 15:40:48 | 000,000,000 | ---D | M] -- C:\Users\SandAle\AppData\Roaming\Thunderbird
[2010/05/09 12:33:30 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.* >
[2010/07/21 10:35:36 | 000,000,000 | ---- | M] () -- C:\AILog.txt
[2009/06/10 23:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/06/10 23:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/12/27 23:24:08 | 000,015,428 | ---- | M] () -- C:\eula.1031.txt
[2010/07/07 11:48:51 | 000,001,140 | ---- | M] () -- C:\fpRedmon.log
[2007/12/27 23:24:08 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2010/08/05 00:01:51 | 2388,086,784 | -HS- | M] () -- C:\hiberfil.sys
[2007/12/27 23:24:08 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe
[2007/12/27 23:24:20 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007/12/27 23:37:08 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2009/09/23 19:57:29 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/09/23 19:57:29 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/08/05 00:01:52 | 3184,119,808 | -HS- | M] () -- C:\pagefile.sys
[2010/02/17 14:28:02 | 000,002,091 | ---- | M] () -- C:\RHDSetup.log
[2010/08/04 20:32:36 | 000,000,551 | ---- | M] () -- C:\rkill.log
[2010/02/17 14:28:02 | 000,000,206 | ---- | M] () -- C:\setup.log
[2007/12/27 23:24:08 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/12/27 23:48:06 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007/12/27 23:51:02 | 000,234,496 | ---- | M] () -- C:\VC_RED.MSI
 
< %systemroot%\system32\*.wt >
 
< %systemroot%\system32\*.ruy >
 
< %systemroot%\Fonts\*.com >
[2009/07/14 06:52:25 | 000,026,040 | ---- | M] () -- C:\windows\Fonts\GlobalMonospace.CompositeFont
[2009/07/14 06:52:25 | 000,026,489 | ---- | M] () -- C:\windows\Fonts\GlobalSansSerif.CompositeFont
[2009/07/14 06:52:25 | 000,029,779 | ---- | M] () -- C:\windows\Fonts\GlobalSerif.CompositeFont
[2009/07/14 06:52:25 | 000,043,318 | ---- | M] () -- C:\windows\Fonts\GlobalUserInterface.CompositeFont
 
< %systemroot%\Fonts\*.dll >
 
< %systemroot%\Fonts\*.ini >
[2009/06/10 23:31:19 | 000,000,065 | ---- | M] () -- C:\windows\Fonts\desktop.ini
 
< %systemroot%\Fonts\*.ini2 >
 
< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2009/07/14 03:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\mdippr.dll
[2009/07/14 03:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll
 
< %systemroot%\REPAIR\*.bak1 >
 
< %systemroot%\REPAIR\*.ini >
 
< %systemroot%\system32\*.jpg >
 
< %systemroot%\*.scr >
[2009/07/10 14:10:44 | 000,307,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR
[15 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
 
< %systemroot%\*._sy >
 
< %APPDATA%\Adobe\Update\*.* >
 
< %ALLUSERSPROFILE%\Favorites\*.* >
 
< %APPDATA%\Microsoft\*.* >
 
< %PROGRAMFILES%\*.* >
[2009/07/14 06:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini
 
< %APPDATA%\Update\*.* >
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
 
< %systemroot%\Tasks\*.job /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
 
< %systemroot%\system32\user32.dll /md5 >
[2009/07/14 03:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\System32\user32.dll
 
< %systemroot%\system32\ws2_32.dll /md5 >
[2009/07/14 03:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\System32\ws2_32.dll
 
< %systemroot%\system32\ws2help.dll /md5 >
[2009/07/14 03:11:26 | 000,004,608 | ---- | M] (Microsoft Corporation) MD5=808AABDF9337312195CAFF76D1804786 -- C:\Windows\System32\ws2help.dll
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-08-04 01:56:08
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 152 bytes -> C:\ProgramData\Temp:5C5A503E
@Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:A42A9F39
@Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:4CF61E54
@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:ABE89FFE
@Alternate Data Stream - 126 bytes -> C:\ProgramData\Temp:A66A990E
@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:E1F04E8D
@Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:C31F31E6

< End of report >
         
--- --- ---


Extra.txt

OTL Extras logfile created on: 8/5/2010 11:03:16 AM - Run 1
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Users\SandAle\Desktop
Windows 7 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 198.29 Gb Total Space | 111.61 Gb Free Space | 56.29% Space Free | Partition Type: NTFS
Drive D: | 252.37 Gb Total Space | 58.47 Gb Free Space | 23.17% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: HORST
Current User Name: SandAle
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
========== Authorized Applications List ==========
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{03534DA5-2F88-4B8E-A978-849B979E1B8F}" = TuxGuitar
"{07629207-FAA0-4F1A-8092-BF5085BE511F}" = Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch)
"{09298F26-A95C-31E2-9D95-2C60F586F075}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID-Anmelde-Assistent
"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution 4
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{178EE5F4-0F86-4BF0-A0D1-9790AFF409D1}" = EasyBatteryManager
"{192A107E-C6B9-41B9-BDBF-38E3AA226054}" = OpenOffice.org 3.2
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 18
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2BA722D1-48D1-406E-9123-8AE5431D63EF}" = Windows Live Fotogalerie
"{33CF58F5-48D8-4575-83D6-96F574E4D83A}" = Nero DriveSpeed
"{359CFC0A-BEB1-440D-95BA-CF63A86DA34F}" = Nero Recode
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{368BA326-73AD-4351-84ED-3C0A7A52CC53}" = Nero Rescue Agent
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3EFEF049-23D4-4B46-8903-4592FEA51018}" = Windows Live Movie Maker
"{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}" = Titan Quest
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{43E39830-1826-415D-8BAE-86845787B54B}" = Nero Vision
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D2121FE-5CCC-4D47-B3A0-BF56045A5099}" = Samsung Support Center
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{595A3116-40BB-4E0F-A2E8-D7951DA56270}" = NeroExpress
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}" = Nero CoverDesigner
"{63eafc52-b963-4297-a7eb-d412944e7065}_is1" = Game Pack
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{76618402-179D-4699-A66B-D351C59436BC}" = Windows Live Sync
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{7829DB6F-A066-4E40-8912-CB07887C20BB}" = Nero BurnRights
"{7FB12670-0F93-4E1E-B2F5-4F339199A03A}" = Microsoft SQL Server Native Client
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767}" = Alice Greenfingers
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-114072167}" = Go-Go Gourmet
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115053100}" = Dairy Dash
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115246907}" = Elf Bowling Hawaiian Vacation
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11531173}" = Farm Frenzy 2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{849A32C3-E75A-4791-9B11-E568BA3525A4}" = Microsoft SQL Server VSS Writer
"{853F8A41-A3C9-43FA-87FA-1AE74FC6F3F7}" = BatteryLifeExtender
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{869200DB-287A-4DC0-B02B-2B6787FBCD4C}" = Nero DiscSpeed
"{87C2248A-C7DD-49ED-9BCD-B312A9D0819E}" = Epson Easy Photo Print 2
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows Vista and Later
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{90A40407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0407-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{994223F3-A99B-4DDD-9E1D-0190A17C6860}" = Windows Live Family Safety
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{9E82B934-9A25-445B-B8DF-8012808074AC}" = Nero PhotoSnap
"{A209525B-3377-43F4-B886-32F6B6E7356F}" = Nero WaveEditor
"{A7581D39-EA20-4883-A480-80C21047052B}" = Easy Network Manager
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.3 - Deutsch
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B5C5C17E-FEF6-4062-8151-A427AE8AF9D7}" = Titan Quest Immortal Throne
"{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit
"{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{C1E11C46-E6EB-4BD2-9ADF-2A98ACBEB216}" = iTunes
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{C5A7CB6C-E76D-408F-BA0E-85605420FE9D}" = SoundTrax
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{D025A639-B9C9-417D-8531-208859000AF8}" = NeroBurningROM
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1434266-0486-4469-B338-A60082CC04E1}" = Atheros Client Installation Program
"{D3F2FAA5-FEC4-42AA-9ABA-1F763919A2B5}" = Samsung Update Plus
"{D9DCF92E-72EB-412D-AC71-3B01276E5F8B}" = Nero ShowTime
"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{EF367AA4-070B-493C-9575-85BE59D789C9}" = Easy SpeedUp Manager
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1861F30-3419-44DB-B2A1-C274825698B3}" = Nero Disc Copy Gadget
"{f58502db-ffec-4e55-b81c-e36141c61c12}" = Nero 9
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"{FBCDFD61-7DCF-4E71-9226-873BA0053139}" = Nero InfoTool
"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Windows-Treiberpaket - MobileTop (sshpmdm) Modem  (02/23/2007 2.5.0.0)
"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Windows-Treiberpaket - MobileTop (sshpusb) USB  (02/23/2007 2.5.0.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AnvSoft Flash to Video Converter Professional_is1" = AnvSoft Flash to Video Converter Professional 1.3.3
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"DC++" = DC++ 0.762
"DivX Setup.divx.com" = DivX-Setup
"EADM" = EA Download Manager
"EAX(tm) Unified (SHELL)" = EAX(tm) Unified (SHELL)
"EPSON S21 Series" = Druckerdeinstallation für EPSON S21 Series
"Epson Stylus S21_T21_T27 Benutzerhandbuch" = Epson Stylus S21_T21_T27 Handbuch
"FINAL FANTASY VIII" = FINAL FANTASY VIII
"FreePDF_XP" = FreePDF (Remove only)
"GPL Ghostscript 8.70" = GPL Ghostscript 8.70
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.4.4
"LastFM_is1" = Last.fm 1.5.4.24567
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MirandaFusion" = Miranda Fusion 2.0.23
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"PC Tools Firewall Plus" = PC Tools Firewall Plus 6.0
"PokerStars.net" = PokerStars.net
"PowerISO" = PowerISO
"RADVideo" = RAD Video Tools
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SystemRequirementsLab" = System Requirements Lab
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
"YDKJG" = YOU DON'T KNOW JACK®
"You Don't Know Jack 4" = You Don't Know Jack 4 1.00
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 7/27/2010 11:14:35 AM | Computer Name = Horst | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 7/27/2010 11:14:35 AM | Computer Name = Horst | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 14059184
 
Error - 7/27/2010 11:14:35 AM | Computer Name = Horst | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 14059184
 
Error - 7/27/2010 11:17:06 AM | Computer Name = Horst | Source = Google Update | ID = 20
Description = 
 
Error - 7/28/2010 3:58:09 PM | Computer Name = Horst | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Samsung\Samsung Support Center\Drv\drv2x64\KStartMem.exe.Manifest". Dependent Assembly "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 7/28/2010 3:58:46 PM | Computer Name = Horst | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Samsung\BatteryLifeExtender\Drv\SABI2x64\KStartMem.exe.Manifest". Dependent Assembly "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 7/28/2010 4:46:21 PM | Computer Name = Horst | Source = Application Error | ID = 1000
Description = Faulting application name: FF8.exe, version: 0.0.0.0, time stamp: 0x38ee73f0  Faulting module name: FF8.exe, version: 0.0.0.0, time stamp: 0x38ee73f0  Exception code: 0xc0000005  Fault offset: 0x000977d4  Faulting process id: 0x1058  Faulting application start time: 0x01cb2e95e45e6255  Faulting application path: D:\Spiele\FF VIII\FF8.exe  Faulting module path: D:\Spiele\FF VIII\FF8.exe  Report Id: 2d54d509-9a89-11df-ad3f-00245422697c

Error - 7/28/2010 4:46:48 PM | Computer Name = Horst | Source = Application Error | ID = 1000
Description = Faulting application name: FF8.exe, version: 0.0.0.0, time stamp: 0x38ee73f0  Faulting module name: FF8.exe, version: 0.0.0.0, time stamp: 0x38ee73f0  Exception code: 0xc0000005  Fault offset: 0x000977d4  Faulting process id: 0x1280  Faulting application start time: 0x01cb2e95f6160aab  Faulting application path: D:\Spiele\FF VIII\FF8.exe  Faulting module path: D:\Spiele\FF VIII\FF8.exe  Report Id: 3d842a48-9a89-11df-ad3f-00245422697c

Error - 7/28/2010 4:47:24 PM | Computer Name = Horst | Source = Application Error | ID = 1000
Description = Faulting application name: FF8.exe, version: 0.0.0.0, time stamp: 0x38ee73f0  Faulting module name: FF8.exe, version: 0.0.0.0, time stamp: 0x38ee73f0  Exception code: 0xc0000005  Fault offset: 0x000977d4  Faulting process id: 0x14f8  Faulting application start time: 0x01cb2e960b2d48ba  Faulting application path: D:\Spiele\FF VIII\FF8.exe  Faulting module path: D:\Spiele\FF VIII\FF8.exe  Report Id: 52992e07-9a89-11df-ad3f-00245422697c

Error - 7/28/2010 4:48:34 PM | Computer Name = Horst | Source = Application Error | ID = 1000
Description = Faulting application name: FF8.exe, version: 0.0.0.0, time stamp: 0x38ee73f0  Faulting module name: FF8.exe, version: 0.0.0.0, time stamp: 0x38ee73f0  Exception code: 0xc0000005  Fault offset: 0x000977d4  Faulting process id: 0x988  Faulting application start time: 0x01cb2e9625657623  Faulting application path: D:\Spiele\FF VIII\FF8.exe  Faulting module path: D:\Spiele\FF VIII\FF8.exe  Report Id: 7c972f1e-9a89-11df-ad3f-00245422697c
 
[ System Events ]
Error - 5/10/2010 11:09:57 AM | Computer Name = Horst | Source = bowser | ID = 8003
Description = 
 
Error - 5/11/2010 3:33:06 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = The "McAfee Real-time Scanner" service failed to start due to the following error:   %%2

Error - 5/11/2010 3:33:12 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7034
Description = The "SQL Server VSS Writer" service terminated unexpectedly. It has done this 1 time(s).

Error - 5/11/2010 5:48:37 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = The "McAfee Real-time Scanner" service failed to start due to the following error:   %%2

Error - 5/11/2010 5:48:54 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7034
Description = The "SQL Server VSS Writer" service terminated unexpectedly. It has done this 1 time(s).

Error - 5/11/2010 5:54:37 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = The "McAfee Real-time Scanner" service failed to start due to the following error:   %%2

Error - 5/11/2010 5:54:53 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7034
Description = The "SQL Server VSS Writer" service terminated unexpectedly. It has done this 1 time(s).

Error - 5/12/2010 2:06:11 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = The "McAfee Real-time Scanner" service failed to start due to the following error:   %%2

Error - 5/12/2010 2:06:19 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7034
Description = The "SQL Server VSS Writer" service terminated unexpectedly. It has done this 1 time(s).
 
Error - 5/12/2010 7:37:23 PM | Computer Name = Horst | Source = DCOM | ID = 10010
Description = 
 
 
< End of report >
         
--- --- ---
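A note on reading the event-log section of the report above: OTL wraps long descriptions over several lines, and the System log repeats the same pair of errors four times each (the McAfee Real-time Scanner service failing to start with %%2, which is Win32 error 2, ERROR_FILE_NOT_FOUND, and the SQL Server VSS Writer service crashing). The Python script below is an added example and is not part of OTL or of the post; it unwraps the descriptions, counts errors per (Source, ID) and flags Service Control Manager start failures for services whose name looks like a security product. The keyword list and the sample excerpt are constructed for the example; the excerpt uses the English wording of the messages.

```python
"""Aggregate the "Last 10 Event Log Errors" section of an OTL Extras report.

Added example for this thread, not OTL's own code. It parses the
"Error - <when> | Computer Name = ... | Source = ... | ID = ..." header lines,
re-joins the wrapped "Description =" continuation lines, counts errors per
(Source, ID) and flags Service Control Manager events (7000 = failed to start,
7034 = terminated unexpectedly) for services whose name matches a security
product. SECURITY_KEYWORDS is an assumption made for this example.
"""
import re
from collections import Counter

# Assumed: substrings that identify security-product services (not taken from the page).
SECURITY_KEYWORDS = ("mcafee", "avira", "antivir", "firewall", "defender", "malwarebytes")

_HEADER = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)\s*$"
)
_QUOTED = re.compile(r'"([^"]+)"')          # SCM messages quote the service name


def parse_events(text):
    """Return one dict per event with its wrapped description joined into one string."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines, section banners and the report footer end the current event.
        if not line or line.startswith(("[", "=", "<")):
            current = None
            continue
        m = _HEADER.match(raw)
        if m:
            current = dict(m.groupdict(), id=int(m["id"]), description="")
            events.append(current)
        elif current is not None:
            current["description"] = f"{current['description']} {line}".strip()
    for e in events:
        e["description"] = re.sub(r"^Description =\s*", "", e["description"])
    return events


def count_by_source(events):
    """Counter keyed by (Source, ID): shows which errors repeat."""
    return Counter((e["source"], e["id"]) for e in events)


def flag_security_service_failures(events, keywords=SECURITY_KEYWORDS):
    """(service, event id, when) for SCM 7000/7034 events that name a security product."""
    flagged = []
    for e in events:
        if e["source"] != "Service Control Manager" or e["id"] not in (7000, 7034):
            continue
        m = _QUOTED.search(e["description"])
        service = m.group(1) if m else e["description"]
        if any(k in service.lower() for k in keywords):
            flagged.append((service, e["id"], e["when"]))
    return flagged


# Constructed excerpt in the shape of the report above (descriptions deliberately wrapped).
SAMPLE = """\
========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/27/2010 11:14:35 AM | Computer Name = Horst | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 7/28/2010 4:46:21 PM | Computer Name = Horst | Source = Application Error | ID = 1000
Description = Faulting application name: FF8.exe, version: 0.0.0.0, time stamp:
 0x38ee73f0  Exception code: 0xc0000005  Fault offset: 0x000977d4

[ System Events ]
Error - 5/11/2010 3:33:06 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = The "McAfee Real-time Scanner" service failed to start due to the following error:
 %%2

Error - 5/11/2010 3:33:12 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7034
Description = The "SQL Server VSS Writer" service terminated unexpectedly. It has done this
1 time(s).

Error - 5/11/2010 5:48:37 AM | Computer Name = Horst | Source = Service Control Manager | ID = 7000
Description = The "McAfee Real-time Scanner" service failed to start due to the following error:
 %%2

< End of report >
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for key, n in count_by_source(evs).most_common():
        print(f"{n:2d} x {key[0]} / {key[1]}")
    for service, eid, when in flag_security_service_failures(evs):
        print(f"security service event {eid}: {service!r} at {when}")
```

No McAfee product appears in the Uninstall list above, so a registered McAfee service whose binary is missing points to an incomplete uninstall rather than to the current infection. The reason to flag it anyway is that a security service that silently fails to start looks the same in the log whether a leftover or tampering is the cause, and the distinction has to be made by checking the service's ImagePath on disk.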

05.08.2010, 11:29   #4
Larusso
/// Selecta Jahrusso

Tr/Dropper and Antimalware Doctor - back after restart

Step 1

Temp File Cleaner

Please download TFC (by OldTimer) and save the file to your desktop.
Now close all open programs and disconnect from the Internet.
Double-click TFC.exe.
If TFC cannot delete all files it will ask for a restart. Please allow this.


Step 2

Please download defogger by jpshortstuff to your desktop.
  • Start the tool with a double-click.
    Vista users: please right-click and choose "Run as administrator".
  • Now click the Disable button to disable the drivers of certain emulators.
  • When the scan has finished (Finished), click OK.
  • Defogger now asks for a restart. Confirm with OK.
  • DeFogger now creates a log file on the desktop (defogger_disable).
Please post the contents of the log file in your next reply.

When we have finished the cleanup, please start defogger again and click the Re-enable button.


Step 3

Please
  • disable all other scanners for viruses, spyware etc.,
  • have no active connection to a network/the Internet (don't forget WLAN),
  • do not work on the computer,
  • restart the computer after each scan.
Run a Gmer scan
  • Download Gmer from this page
    (click the Download EXE button) and save the program to your desktop.
  • All other programs should be closed.
  • Start gmer.exe (the program has a random file name).
  • Vista and Win7 users: right-click and run as administrator.
  • On the right, remove the tick at:
    • IAT/EAT
    • all drives except the system drive (normally only C:\ is ticked)
    • Show all (should be unticked)
  • If a window opens with the following warning:
    WARNING !!!
    GMER has found system modification, which might have been caused by ROOTKIT activity.
    Do you want to fully scan your system ?
    be sure to click "No".
  • Start the scan with "Scan". Do not do anything on the computer while the scan is running.
  • When the scan is finished, click Save and save the log as Gmer.txt on your desktop. "Ok" closes GMER.
Turn your antivirus program and other scanners back on before you go online!


Please post in your next reply
defogger_disable.txt
Gmer.txt
__________________
Regards, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Learn to fight back and support us!
TB Akademie

05.08.2010, 12:10   #5
armes Opfer

So, here are the results again:

Did I understand correctly that I may only use defogger again after your OK?

Or should I click Re-Enable again now already?

First the reports:

defogger:

Quote:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 11:55 on 05/08/2010 (SandAle)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-
GMER

GMER Logfile:
Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-08-05 12:07:12
Windows 6.1.7600 
Running: i4trbk3u.exe; Driver: C:\Users\SandAle\AppData\Local\Temp\fxldipoc.sys


---- System - GMER 1.0.15 ----

SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwAllocateVirtualMemory [0x82601752]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwAlpcConnectPort [0x82601388]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwAssignProcessToJobObject [0x82601440]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwConnectPort [0x82601482]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwCreateFile [0x82601530]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwCreateProcess [0x82601DD8]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwCreateProcessEx [0x82601E64]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwCreateThread [0x82601EF4]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwCreateThreadEx [0x82601F96]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwCreateUserProcess [0x82601D68]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwDebugActiveProcess [0x82601580]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwDuplicateObject [0x826015C2]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwLoadDriver [0x82601606]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwOpenKey [0x82601648]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwOpenSection [0x8260168A]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwOpenThread [0x826016CC]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwProtectVirtualMemory [0x8260179A]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwRequestWaitReplyPort [0x8260170E]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwRestoreKey [0x826017DC]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwResumeThread [0x82601824]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwSecureConnectPort [0x826018B4]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwSetValueKey [0x82601866]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwSuspendProcess [0x82601958]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwSystemDebugControl [0x8260199A]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwTerminateProcess [0x826019DC]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys                                                       ZwWriteVirtualMemory [0x82601A2A]

INT 0x1F        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              83033AF8
INT 0x37        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              83033104
INT 0xC1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              830333F4
INT 0xD1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              8301B634
INT 0xD2        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              8301B898
INT 0xDF        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              830331DC
INT 0xE1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              83033958
INT 0xE3        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              830336F8
INT 0xFD        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              83033F2C
INT 0xFE        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)              830341A8

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!ZwSaveKeyEx + 13B1                                                                       82C4E8E9 1 Byte  [06]
.text           ntoskrnl.exe!KiDispatchInterrupt + 5A2                                                                82C6E3D2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntoskrnl.exe!KeRemoveQueueEx + 13B3                                                                   82C75680 3 Bytes  [52, 17, 60] {PUSH EDX; POP SS; PUSHA }
.text           ntoskrnl.exe!KeRemoveQueueEx + 13BF                                                                   82C7568C 3 Bytes  [88, 13, 60] {MOV [EBX], DL; PUSHA }
.text           ntoskrnl.exe!KeRemoveQueueEx + 1413                                                                   82C756E0 3 Bytes  [40, 14, 60] {INC EAX; ADC AL, 0x60}
.text           ntoskrnl.exe!KeRemoveQueueEx + 1453                                                                   82C75720 3 Bytes  JMP 60148282 
.text           ntoskrnl.exe!KeRemoveQueueEx + 146F                                                                   82C7573C 3 Bytes  [30, 15, 60]
.text           ...                                                                                                   
?               \Device\Harddisk0\Partition3\windows\system32\drivers\PctWfpFilter.sys                                The system cannot find the path specified. !
.text           C:\windows\system32\DRIVERS\atksgt.sys                                                                section is writeable [0x825AE300, 0x3B6D8, 0xE8000020]
.text           C:\windows\system32\DRIVERS\lirsgt.sys                                                                section is writeable [0x825F1300, 0x1BEE, 0xE8000020]
.text           peauth.sys                                                                                            8260FC9D 28 Bytes  [8F, 84, 45, 94, 68, D2, 01, ...]
.text           peauth.sys                                                                                            8260FCC1 28 Bytes  [8F, 84, 45, 94, 68, D2, 01, ...]
PAGE            peauth.sys                                                                                            82615E20 101 Bytes  [64, 5E, E2, 32, C4, BA, 5D, ...]
PAGE            peauth.sys                                                                                            8261602C 102 Bytes  [C7, 77, BA, 2A, C2, DE, 40, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 4F90                                                                   A54EF000 229 Bytes  [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 5076                                                                   A54EF0E6 60 Bytes  [A5, A1, 2C, A5, 4E, A5, 56, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 50B3                                                                   A54EF123 629 Bytes  [A5, 4E, A5, FE, 05, 34, A5, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 5329                                                                   A54EF399 101 Bytes  [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 538F                                                                   A54EF3FF 148 Bytes  [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE            ...                                                                                                   

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                               Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                               Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice  \Driver\tdx \Device\Tcp                                                                               pctgntdi.sys

Device          \Driver\ACPI_HAL \Device\00000062                                                                     halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                                fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread          System [4:3900]                                                                                       A54FCF2E

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                      
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                   0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                   0
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                0x36 0xB0 0x7C 0x57 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                       0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                       0
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                    0x36 0xB0 0x7C 0x57 ...

---- EOF - GMER 1.0.15 ----
         
--- --- ---
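The GMER log above shows 26 SSDT hooks, every one installed by PCTAppEvent.sys, plus pctgntdi.sys attached to \Device\Tcp; both drivers belong to the PC Tools Firewall Plus listed in the installed programs, so the hooks are expected behaviour of a host firewall rather than evidence of a rootkit. The work in reading such a log is attribution, and the Python script below is an added example that does exactly that; it is not GMER's code and was not posted by either participant. It parses GMER's space-aligned columns, groups SSDT hooks by the hooking module and reports only what cannot be attributed, plus non-Microsoft filters on the TCP device and writeable kernel code sections. The KNOWN_DRIVERS map is an assumption limited to the pairing the thread supports, and the sample log is a constructed excerpt in which example_unknown.sys is fictitious.

```python
"""Triage helper for GMER rootkit-scan logs.

Added example for this thread; it is not GMER's code and was not posted by the
helper. It splits GMER's space-aligned columns, groups SSDT hooks by the module
that installed them and reports three things a reader otherwise decides by hand:
SSDT hooks from a module that cannot be attributed to an installed product, a
non-Microsoft driver attached to the TCP device, and kernel code sections GMER
marks as writeable. KNOWN_DRIVERS is an assumption; the only pairing the thread
itself supports is PC Tools Firewall Plus with the PCT*.sys drivers.
"""
import re
from collections import defaultdict

# Assumed driver -> owning product map. PC Tools Firewall Plus is in the Uninstall list above.
KNOWN_DRIVERS = {
    "pctappevent.sys": "PC Tools Firewall Plus",
    "pctgntdi.sys": "PC Tools Firewall Plus",
    "pctwfpfilter.sys": "PC Tools Firewall Plus",
}

# Columns are separated by two or more spaces; the kind column itself may hold one space ("INT 0x1F").
_ROW = re.compile(r"^(\S+(?: \S+)*?)\s{2,}(.+?)\s{2,}(.+?)\s*$")


def parse_gmer(text):
    """Return (kind, target, detail) for every three-column data row of a GMER log."""
    rows = []
    for line in text.splitlines():
        if line.startswith("----"):            # section banners
            continue
        m = _ROW.match(line)
        if m:
            rows.append(tuple(m.groups()))
    return rows


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(text, known=KNOWN_DRIVERS):
    """Group SSDT hooks by module; findings are (category, module, owner_or_None, note)."""
    hooks, findings = defaultdict(list), []
    for kind, target, detail in parse_gmer(text):
        if kind == "SSDT":
            # target is the hooking driver, detail is "ZwXxx [address]"
            hooks[_basename(target).lower()].append(detail.split()[0])
        elif kind == "AttachedDevice" and target.endswith("\\Device\\Tcp"):
            if "Microsoft Corporation" not in detail:
                drv = detail.split()[0]
                findings.append(("tcp-filter", drv, known.get(drv.lower()),
                                 "non-Microsoft driver attached to the TCP stack"))
        elif kind in (".text", "PAGE") and "section is writeable" in detail:
            drv = _basename(target)
            findings.append(("writeable-section", drv, known.get(drv.lower()),
                             "kernel code section is writeable"))
    for module, syscalls in sorted(hooks.items()):
        if module not in known:
            findings.append(("ssdt-unknown", module, None,
                             f"{len(syscalls)} SSDT hook(s) from a module not mapped to an installed product"))
    return {"hooks": dict(hooks), "findings": findings}


# Constructed excerpt modelled on the log posted above; example_unknown.sys is fictitious.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - constructed excerpt
Rootkit scan 2010-08-05 12:07:12

---- System - GMER 1.0.15 ----

SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys       ZwCreateProcess [0x82601DD8]
SSDT            \??\C:\windows\system32\drivers\PCTAppEvent.sys       ZwLoadDriver [0x82601606]
SSDT            \??\C:\windows\system32\drivers\example_unknown.sys   ZwQueryDirectoryFile [0x8F001000]
INT 0x1F        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)    83033AF8

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!ZwSaveKeyEx + 13B1        82C4E8E9 1 Byte  [06]
.text           C:\windows\system32\DRIVERS\atksgt.sys   section is writeable [0x825AE300, 0x3B6D8, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0   Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice  \Driver\tdx \Device\Tcp   pctgntdi.sys
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for module, calls in result["hooks"].items():
        print(f"{module}: {len(calls)} SSDT hooks ({KNOWN_DRIVERS.get(module, 'UNATTRIBUTED')})")
    for category, module, owner, note in result["findings"]:
        print(f"[{category}] {module} ({owner or 'unattributed'}): {note}")
```

An unattributed hook is a lead, not a verdict: check the module's path, digital signature and version resource, and whether anything in the installed-software list explains it, before deciding. Conversely, a known owner does not prove that the file on disk is the vendor's original; it only explains why a hook is there at all.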


05.08.2010, 13:38   #6
Larusso
/// Selecta Jahrusso

You understood correctly.
ComboFix may only be run when a qualified helper has explicitly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.
Download ComboFix from one of the links listed below. You must rename it before you save it to the desktop. Save ComboFix to your desktop. **NB: It is important that ComboFix.exe is saved on the desktop**



  • Disable your anti-virus and anti-spyware programs. Normally you can do this via a right-click on the system tray icon. Otherwise these programs could interfere with the work of our tools.
  • Double-click ComboFix.exe and follow the prompts.
    • When ComboFix is finished, it will create a log for you.
    • Please post the contents of C:\ComboFix.txt here in the thread.

05.08.2010, 14:02   #7
armes Opfer

So, this one is finished too!

However, during the run I had to close a window a thousand times:

Find String (QGREP) Utility is not responding
Is it OK that I always clicked "X"?

Here is the log:

Combofix Logfile:
Code:
ComboFix 10-08-04.05 - SandAle 05.08.2010  13:48:03.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.49.1031.18.3037.2132 [GMT 2:00]
Running from: c:\users\SandAle\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\programdata\FullRemove.exe

c:\windows\system32\wuauclt.exe . . . is infected!!

c:\windows\system32\ctfmon.exe . . . is infected!!

.
(((((((((((((((((((((((   Files Created from 2010-07-05 to 2010-08-05  ))))))))))))))))))))))))))))))
.

2010-08-04 17:14 . 2010-08-04 17:14	--------	d-----w-	c:\users\SandAle\AppData\Roaming\Malwarebytes
2010-08-04 17:14 . 2010-04-29 10:19	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-04 17:14 . 2010-08-04 17:14	--------	d-----w-	c:\programdata\Malwarebytes
2010-08-04 17:14 . 2010-08-04 17:15	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-08-04 17:14 . 2010-04-29 10:19	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-08-04 16:15 . 2010-08-04 22:00	--------	d-----w-	c:\users\SandAle\AppData\Local\ofbanyeef
2010-08-04 16:15 . 2010-08-04 18:29	--------	d-----w-	c:\users\SandAle\AppData\Roaming\ofbanyeef
2010-08-04 16:15 . 2010-08-04 16:21	--------	d-----w-	c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7
2010-07-26 15:07 . 2010-07-26 15:07	--------	d-----w-	c:\program files\Creative Labs
2010-07-26 15:07 . 1999-07-06 12:13	40960	----a-w-	c:\windows\system32\eax.dll
2010-07-26 15:06 . 2010-07-26 15:07	--------	d-----w-	c:\program files\EidosNet
2010-07-26 15:05 . 1998-10-29 14:45	306688	----a-w-	c:\windows\IsUninst.exe
2010-07-21 14:37 . 2010-07-21 14:37	--------	d-----w-	c:\program files\iPod
2010-07-21 14:34 . 2010-07-21 14:34	73000	----a-w-	c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe

.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 11:45 . 2010-01-03 20:12	--------	d-----w-	c:\users\SandAle\AppData\Roaming\DC++
2010-08-04 20:01 . 2009-12-05 21:49	--------	d-----w-	c:\users\SandAle\AppData\Roaming\Skype
2010-08-04 18:17 . 2009-12-05 21:51	--------	d-----w-	c:\users\SandAle\AppData\Roaming\skypePM
2010-08-04 15:40 . 2009-12-04 19:31	--------	d-----w-	c:\program files\Common Files\SWF Studio
2010-08-01 17:34 . 2009-09-22 22:05	643866	----a-w-	c:\windows\system32\perfh007.dat
2010-08-01 17:34 . 2009-09-22 22:05	126394	----a-w-	c:\windows\system32\perfc007.dat
2010-07-26 15:42 . 2010-01-05 21:08	--------	d-----w-	c:\users\SandAle\AppData\Roaming\DAEMON Tools Lite
2010-07-26 09:49 . 2010-04-11 22:17	1	----a-w-	c:\users\SandAle\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-21 14:38 . 2009-12-29 14:47	--------	d-----w-	c:\program files\iTunes
2010-07-21 14:37 . 2009-12-29 14:45	--------	d-----w-	c:\program files\Common Files\Apple
2010-07-03 19:38 . 2010-06-20 16:46	--------	d-----w-	c:\users\SandAle\AppData\Roaming\SPORE
2010-06-22 11:57 . 2009-12-29 14:47	--------	d-----w-	c:\users\SandAle\AppData\Roaming\Apple Computer
2010-06-22 11:51 . 2009-12-29 14:46	--------	d-----w-	c:\programdata\Apple Computer
2010-06-22 11:49 . 2010-06-22 11:49	--------	d-----w-	c:\program files\Bonjour
2010-06-20 16:36 . 2009-09-22 05:19	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-06-14 16:39 . 2010-06-14 16:39	--------	d-----w-	c:\users\SandAle\AppData\Roaming\Nero
2010-06-14 16:37 . 2010-06-14 16:29	--------	d-----w-	c:\program files\Common Files\Nero
2010-06-14 16:37 . 2010-06-14 16:37	--------	d-----w-	c:\program files\Nero ControlCenter 4
2010-06-14 16:37 . 2010-06-14 16:29	--------	d-----w-	c:\program files\Nero 9
2010-06-14 16:31 . 2010-06-14 16:29	--------	d-----w-	c:\programdata\Nero
2010-06-12 09:20 . 2009-12-17 16:17	--------	d-----w-	c:\program files\PokerStars.NET
2010-06-07 05:45 . 2009-12-04 19:08	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-05-27 07:24 . 2010-06-10 14:09	34304	----a-w-	c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-10 14:09	293888	----a-w-	c:\windows\system32\atmfd.dll
2010-05-21 05:18 . 2010-06-10 14:09	977920	----a-w-	c:\windows\system32\wininet.dll
2010-05-18 14:35 . 2010-05-18 14:35	91424	----a-w-	c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35	107808	----a-w-	c:\windows\system32\dns-sd.exe
2009-06-10 21:26 . 2009-07-14 02:04	9633792	--sha-r-	c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42	396800	--sha-w-	c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-29 7744032]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
" Malwarebytes Anti-Malware  (reboot)"="c:\program files\Malwarebytes' Anti-Malware\Hubi.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^Users^SandAle^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\users\SandAle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06	976832	----a-w-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04	35760	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32	1135912	----a-w-	c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON S21 Series]
2008-09-12 04:00	199680	----a-w-	c:\windows\System32\spool\drivers\w32x86\3\E_FATIFAE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreePDF Assistant]
2009-09-05 16:29	385024	----a-w-	c:\program files\FreePDF_XP\fpassist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 05:41	141608	----a-w-	c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53	421888	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 10:43	248040	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2009-02-25 13:40	218408	------w-	c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-01-08 36608]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 136176]
R4 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-13 44312]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-05 691696]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-01-07 233136]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-11-23 88040]
S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-12 70664]
S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-07 58816]
S3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [2010-01-13 115216]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-20 189440]

.
Inhalt des "geplante Tasks" Ordners

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:05]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:05]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\SandAle\AppData\Roaming\Mozilla\Firefox\Profiles\cimcsryy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Samsung Mobile phone USB driver - c:\windows\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
AddRemove-You Don't Know Jack 4 - d:\spiele\YOUDON~1\Setup.exe


.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-771618654-3341757510-301361698-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:79,13,56,62,1e,20,99,0d,ab,77,54,b0,86,d8,c2,45,69,fd,86,9e,22,e7,b0,
   4f,fb,34,13,bf,45,0b,1f,1b,e9,23,d4,03,12,0f,89,11,7f,b0,47,65,f8,b9,13,dd,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12

[HKEY_USERS\S-1-5-21-771618654-3341757510-301361698-1000\Software\SecuROM\License information*]
"datasecu"=hex:be,8a,ea,53,6e,cc,88,b4,8a,a1,de,5f,f7,58,a5,d8,ad,23,af,28,f0,
   4f,5d,6e,d6,e2,3d,fc,e0,a5,05,02,e0,a5,e0,39,6a,c9,2f,ab,81,30,51,1f,65,d2,\
"rkeysecu"=hex:c4,6c,f0,dc,d9,12,8b,a5,f4,9f,85,11,e3,7c,35,6c

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\program files\Samsung\Samsung Support Center\SSCKbdHk.exe
c:\program files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-08-05  14:00:10 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2010-08-05 12:00

Vor Suchlauf: 10 Verzeichnis(se), 121.821.429.760 Bytes frei
Nach Suchlauf: 14 Verzeichnis(se), 121.728.192.512 Bytes frei

- - End Of File - - 4A04C297B23398E2A60273A3BDACD4D6
         
--- --- ---

Alt 05.08.2010, 14:58   #8
Larusso
/// Selecta Jahrusso
 



Not good

Please have the files from the code box checked at Virustotal
Code:
ATTFilter
c:\windows\system32\ctfmon.exe
c:\windows\system32\wuauclt.exe
         
So proceed as described here:
  • Open this website: virustotal
  • Click on "Durchsuchen" (Browse)
  • Locate the file on your computer --> double-click the file to be checked (or copy the contents from the code box)
  • "Senden der Datei" (Send file)
  • Wait until all virus scanners have finished
  • Click "Compact" (found at the top left)
  • A new tab should open.
  • Copy the entire contents and paste them here
If the file is detected as malicious, please do not remove it yet
__________________
regards, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Learn to fight back and support us!
TB Akademie

Alt 05.08.2010, 15:20   #9
armes Opfer
 



this is ctfmon.exe:

Quote:
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2010.08.05.03 2010.08.05 -
AntiVir 8.2.4.32 2010.08.05 -
Antiy-AVL 2.0.3.7 2010.08.03 -
Authentium 5.2.0.5 2010.08.05 -
Avast 4.8.1351.0 2010.08.05 -
Avast5 5.0.332.0 2010.08.05 -
AVG 9.0.0.851 2010.08.05 -
BitDefender 7.2 2010.08.05 -
CAT-QuickHeal 11.00 2010.08.05 -
ClamAV 0.96.0.3-git 2010.08.05 -
Comodo 5654 2010.08.05 -
DrWeb 5.0.2.03300 2010.08.05 -
Emsisoft 5.0.0.36 2010.08.05 -
eSafe 7.0.17.0 2010.08.04 -
eTrust-Vet 36.1.7768 2010.08.05 -
F-Prot 4.6.1.107 2010.08.05 -
F-Secure 9.0.15370.0 2010.08.05 -
Fortinet 4.1.143.0 2010.08.05 -
GData 21 2010.08.05 -
Ikarus T3.1.1.84.0 2010.08.05 -
Jiangmin 13.0.900 2010.08.03 -
Kaspersky 7.0.0.125 2010.08.05 -
McAfee 5.400.0.1158 2010.08.05 -
McAfee-GW-Edition 2010.1 2010.08.05 -
Microsoft 1.6004 2010.08.05 -
NOD32 5343 2010.08.05 -
Norman 6.05.11 2010.08.04 -
nProtect 2010-08-05.01 2010.08.05 -
Panda 10.0.2.7 2010.08.04 -
PCTools 7.0.3.5 2010.08.04 -
Rising 22.59.03.04 2010.08.05 -
Sophos 4.56.0 2010.08.05 -
Sunbelt 6688 2010.08.05 -
SUPERAntiSpyware 4.40.0.1006 2010.08.05 -
Symantec 20101.1.1.7 2010.08.05 -
TheHacker 6.5.2.1.332 2010.08.05 -
TrendMicro 9.120.0.1004 2010.08.05 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.05 -
VBA32 3.12.12.8 2010.08.04 -
ViRobot 2010.8.4.3971 2010.08.05 -
VirusBuster 5.0.27.0 2010.08.05 -
weitere Informationen
File size: 8704 bytes
MD5...: 4a3cdcef8ed41b221f3dbef5792fb52d
SHA1..: 6c04499f7406e270b590374ef813c4012530273e
SHA256: 6bb5f3a7147660db416b838893c7d0734872ada9f7db68b1d019043a1cb89397
ssdeep: 96:lInYnnVBwi2hfsZdSlC1Tp+XDSGJzIVANNLDJ7pRKRREWCGgWwAeig:wUkqxp+XBJzIVsN9pWCGgW
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14ea
timedatestamp.....: 0x4a5bc292 (Mon Jul 13 23:26:10 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd66 0xe00 5.99 a4cb8f3ff2cd7a18a69bf1bf3312b10a
.data 0x2000 0x384 0x200 0.30 a497d24ecb6e112af339fa7456a7af7f
.rsrc 0x3000 0xae8 0xc00 4.20 bfaa4cb2f8abfd245d94b9b8f82da87c
.reloc 0x4000 0x190 0x200 3.94 fd08bd3916168d28e938398bf3a7ad4e

( 3 imports )
> KERNEL32.dll: RegisterApplicationRestart, GetModuleHandleW, GetCommandLineW, GetStartupInfoW, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, Sleep, InterlockedExchange
> msvcrt.dll: _controlfp, _except_handler4_common, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _amsg_exit, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs
> MsCtfMonitor.DLL: DoMsCtfMonitor

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: CTF Loader
original name: CTFMON.EXE
internal name: CTFMON
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
and here wuauclt.exe:
Quote:
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2010.08.01.00 2010.07.31 -
AntiVir 8.2.4.32 2010.08.01 -
Antiy-AVL 2.0.3.7 2010.08.02 -
Authentium 5.2.0.5 2010.08.02 -
Avast 4.8.1351.0 2010.08.02 -
Avast5 5.0.332.0 2010.08.02 -
AVG 9.0.0.851 2010.08.02 -
BitDefender 7.2 2010.08.02 -
CAT-QuickHeal 11.00 2010.08.02 -
ClamAV 0.96.0.3-git 2010.08.02 -
Comodo 5618 2010.08.02 -
DrWeb 5.0.2.03300 2010.08.02 -
Emsisoft 5.0.0.34 2010.07.30 -
eSafe 7.0.17.0 2010.08.01 -
eTrust-Vet 36.1.7756 2010.08.02 -
F-Prot 4.6.1.107 2010.08.02 -
F-Secure 9.0.15370.0 2010.08.02 -
Fortinet 4.1.143.0 2010.08.02 -
GData 21 2010.08.02 -
Ikarus T3.1.1.84.0 2010.08.02 -
Jiangmin 13.0.900 2010.08.01 -
Kaspersky 7.0.0.125 2010.08.02 -
McAfee 5.400.0.1158 2010.08.02 -
McAfee-GW-Edition 2010.1 2010.08.01 -
Microsoft 1.6004 2010.08.02 -
NOD32 5333 2010.08.02 -
Norman 6.05.11 2010.08.01 -
nProtect 2010-08-02.01 2010.08.02 -
Panda 10.0.2.7 2010.08.01 -
PCTools 7.0.3.5 2010.08.02 -
Prevx 3.0 2010.08.02 -
Rising 22.59.00.04 2010.08.02 -
Sophos 4.56.0 2010.08.02 -
Sunbelt 6673 2010.08.02 -
SUPERAntiSpyware 4.40.0.1006 2010.08.02 -
Symantec 20101.1.1.7 2010.08.02 -
TheHacker 6.5.2.1.328 2010.07.30 -
TrendMicro 9.120.0.1004 2010.08.02 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.02 -
VBA32 3.12.12.7 2010.07.30 -
ViRobot 2010.7.31.3965 2010.08.02 -
VirusBuster 5.0.27.0 2010.08.01 -
weitere Informationen
File size: 47104 bytes
MD5 : b0da80ff42a0819d162a86612896aaf2
SHA1 : efd711a9fe6ef3b74c0c287f8e5326e011a00f02
SHA256: dac715e415ed0d9e087729542905678d145c5aaa1a2fd57a79cd6f55ee47150c
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4928
timedatestamp.....: 0x4A5BCDDB (Tue Jul 14 02:14:19 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x96CC 0x9800 6.03 47fb7c3c93610979d22b8b037083c879
.data 0xB000 0xDF8 0x400 5.84 7e33388b0a71f3510575b54f02b34ef0
.rsrc 0xC000 0x848 0xA00 4.24 6a8c7a24d7f07c35d6d12cb4bc6b7e6f
.reloc 0xD000 0xD4C 0xE00 3.31 56832d83ae13dcbdae7b7f6aedbe6725

( 8 imports )

> advapi32.dll: AllocateAndInitializeSid, FreeSid, GetTokenInformation, DuplicateTokenEx, CheckTokenMembership, IsValidSid, CopySid, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW, RegDeleteValueW, GetUserNameW, GetLengthSid, InitializeAcl, AddAccessAllowedAce, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegOpenKeyExW, RegCloseKey
> kernel32.dll: CreateFileW, CreateDirectoryW, GetFileAttributesW, ExpandEnvironmentStringsW, lstrlenW, CreateProcessW, VerSetConditionMask, VerifyVersionInfoW, OutputDebugStringW, WideCharToMultiByte, WriteFile, FlushFileBuffers, GetModuleFileNameW, InterlockedIncrement, InterlockedDecrement, GetSystemTime, GetLastError, SetLastError, GetFileSize, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, SetFilePointer, SetEndOfFile, ReleaseMutex, WaitForSingleObject, CreateMutexW, CloseHandle, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoW, Sleep, InterlockedExchange, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, GetSystemDirectoryW, LoadLibraryExW, GetDriveTypeW, GetVolumePathNameW, GetFileType, GetSystemInfo, GetModuleHandleW, CompareStringW, GetProcessHeap, HeapFree, HeapAlloc, GetCommandLineW, FreeLibrary, LoadLibraryW, InterlockedCompareExchange, OpenEventW, GetProcAddress
> msvcrt.dll: _controlfp, _terminate@@YAXXZ, free, malloc, memmove, memcpy, memset, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _amsg_exit, _initterm, _wcmdln, exit, _XcptFilter, _exit, _unlock, _vsnwprintf, __dllonexit, _lock, _onexit, __wgetmainargs, _cexit
> ntdll.dll: RtlUnwind
> ole32.dll: CoTaskMemFree, CoUninitialize, CoCreateInstance, CoInitialize, CoInitializeEx
> oleaut32.dll: -, -
> shlwapi.dll: StrRChrW, StrChrW, -, PathIsRelativeW, PathIsUNCW, PathStripToRootW, PathIsRootW
> user32.dll: IsWindow, PostMessageW

( 0 exports )
TrID : File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
ssdeep: 768:OiNmsGdYr9XYC7ffVDXqgAOZeQU23X4wQw28hMgd47Y33:H5YCTftRAk9bNdz3
sigcheck: publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Update
original name: wuauclt.exe
internal name: wuauclt.exe
file version.: 7.3.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set
-

Alt 05.08.2010, 15:26   #10
Larusso
/// Selecta Jahrusso
 



Is Malware Doctor still popping up?

Custom scan with OTL

If you don't have it yet, please download OTL by OldTimer and save it to your desktop
  • Please start OTL.exe.
    Vista and Win7 users: right-click, "Run as administrator"
  • Now copy the contents into the text box.
Code:
ATTFilter
/md5start
ctfmon.exe
wuauclt.exe
/md5stop
         
  • Now please close all programs. (Important)
  • Now please click the None button and then the Scan button.
  • Click on .
  • Now copy the contents of OTL.txt here into your thread

Alt 05.08.2010, 15:28   #11
armes Opfer
 



I'd already completely forgotten about that^^ no, Malware Doctor seems to be dead =)

Alt 05.08.2010, 15:33   #12
armes Opfer
 



the new otl.txt:

OTL Logfile:
Code:
ATTFilter
OTL logfile created on: 8/5/2010 3:31:30 PM - Run 2
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Users\SandAle\Desktop
 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 198.29 Gb Total Space | 113.42 Gb Free Space | 57.20% Space Free | Partition Type: NTFS
Drive D: | 252.37 Gb Total Space | 58.47 Gb Free Space | 23.17% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: HORST
Current User Name: SandAle
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Custom Scans ==========
 
 
 
< MD5 for: CTFMON.EXE  >
[2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\Windows\ERDNT\cache\ctfmon.exe
[2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\Windows\System32\ctfmon.exe
[2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe
 
< MD5 for: WUAUCLT.EXE  >
[2009/07/14 03:14:50 | 000,047,104 | ---- | M] (Microsoft Corporation) MD5=B0DA80FF42A0819D162A86612896AAF2 -- C:\Windows\ERDNT\cache\wuauclt.exe
[2009/07/14 03:14:50 | 000,047,104 | ---- | M] (Microsoft Corporation) MD5=B0DA80FF42A0819D162A86612896AAF2 -- C:\Windows\System32\wuauclt.exe
[2009/07/14 03:14:50 | 000,047,104 | ---- | M] (Microsoft Corporation) MD5=B0DA80FF42A0819D162A86612896AAF2 -- C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe
< End of report >
         
--- --- ---
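The point of the OTL custom scan above is that a genuine system binary should carry the same hash in System32, in the WinSxS component store and in the ERDNT cache, and that hash should match what VirusTotal reported. As an added example (not part of the thread, and not OTL's or OldTimer's code), the following Python parses the `< MD5 for: ... >` blocks of an OTL report and performs exactly that cross-check; the sample report reuses the six lines from the log above, the reference hashes are the VirusTotal values from this thread, and the tampered variant with an all-zero hash is constructed.

```python
import re
from collections import Counter, defaultdict

# Format of one OTL /md5start report line (as printed in the log above):
# [2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=... -- C:\Windows\System32\ctfmon.exe
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(\S+)\s*>$")
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<vendor>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)


def parse_otl_md5(report):
    """Map FILENAME -> list of (path, md5_lowercase, size_bytes, vendor)."""
    entries = defaultdict(list)
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1).upper()
            continue
        if current is None or line.startswith("<"):  # e.g. "< End of report >"
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            size = int(entry.group("size").replace(",", ""))
            entries[current].append(
                (entry.group("path"), entry.group("md5").lower(), size, entry.group("vendor"))
            )
    return dict(entries)


def check_consistency(entries, reference=None):
    """For each file, verify that all copies share one MD5 and one size and, when a
    reference hash is known, that it is that hash. Copies deviating from the
    reference (or from the majority hash when there is no reference) are outliers."""
    reference = {k.upper(): v.lower() for k, v in (reference or {}).items()}
    results = {}
    for name, copies in entries.items():
        hashes = Counter(md5 for _, md5, _, _ in copies)
        sizes = {size for _, _, size, _ in copies}
        expected = reference.get(name)
        baseline = expected or hashes.most_common(1)[0][0]
        results[name] = {
            "copies": len(copies),
            "consistent": len(hashes) == 1 and len(sizes) == 1,
            "matches_reference": None if expected is None else set(hashes) == {expected},
            "outliers": [path for path, md5, _, _ in copies if md5 != baseline],
        }
    return results


# Sample report: the six OTL lines quoted in this thread, unchanged.
SAMPLE_REPORT = r"""
< MD5 for: CTFMON.EXE  >
[2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\Windows\ERDNT\cache\ctfmon.exe
[2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\Windows\System32\ctfmon.exe
[2009/07/14 03:14:16 | 000,008,704 | ---- | M] (Microsoft Corporation) MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe

< MD5 for: WUAUCLT.EXE  >
[2009/07/14 03:14:50 | 000,047,104 | ---- | M] (Microsoft Corporation) MD5=B0DA80FF42A0819D162A86612896AAF2 -- C:\Windows\ERDNT\cache\wuauclt.exe
[2009/07/14 03:14:50 | 000,047,104 | ---- | M] (Microsoft Corporation) MD5=B0DA80FF42A0819D162A86612896AAF2 -- C:\Windows\System32\wuauclt.exe
[2009/07/14 03:14:50 | 000,047,104 | ---- | M] (Microsoft Corporation) MD5=B0DA80FF42A0819D162A86612896AAF2 -- C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe
< End of report >
"""

# Reference hashes: the MD5 values VirusTotal reported for the same two files earlier in this thread.
VT_REFERENCE = {
    "ctfmon.exe": "4a3cdcef8ed41b221f3dbef5792fb52d",
    "wuauclt.exe": "b0da80ff42a0819d162a86612896aaf2",
}

# Constructed failure case: the System32 copy carries a different, made-up hash,
# which is what a replaced system binary would look like in such a report.
TAMPERED_REPORT = SAMPLE_REPORT.replace(
    "MD5=4A3CDCEF8ED41B221F3DBEF5792FB52D -- C:\\Windows\\System32\\ctfmon.exe",
    "MD5=00000000000000000000000000000000 -- C:\\Windows\\System32\\ctfmon.exe",
)


def main():
    for label, report in (("clean", SAMPLE_REPORT), ("tampered", TAMPERED_REPORT)):
        print(f"== {label} ==")
        for name, res in check_consistency(parse_otl_md5(report), VT_REFERENCE).items():
            print(name, res)


if __name__ == "__main__":
    main()
```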

Alt 05.08.2010, 15:37   #13
Larusso
/// Selecta Jahrusso
 



Delete the existing Combofix.exe from your desktop and download the program again from one of the following download mirrors:
BleepingComputer.com - ForoSpyware.com
and save it to the desktop again (not anywhere else, that is important)!

Please run Combofix again

Alt 05.08.2010, 15:46   #14
armes Opfer
 



deleted, re-downloaded and run again!

this time it had no problems with anything not responding^^

Combofix Logfile:
Code:
ATTFilter
ComboFix 10-08-04.05 - SandAle 05.08.2010  15:40:40.2.2 - x86
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.49.1031.18.3037.2204 [GMT 2:00]
ausgeführt von:: c:\users\SandAle\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\SandAle\AppData\Roaming\.#
c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7
c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7\enemies-names.txt
c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7\local.ini
c:\users\SandAle\AppData\Roaming\495C55760FD3D9186BF1B1B1EA6D64D7\lsrslt.ini
c:\windows\SEC
c:\windows\SEC\172100logo.bmp
c:\windows\SEC\banner.png
c:\windows\SEC\Computer.png
c:\windows\SEC\Media _S_ Logo.png
c:\windows\SEC\Samsung.png
c:\windows\SEC\Samsung2.png
c:\windows\SEC\SamsungLogo.png
c:\windows\SEC\Thumbs.db
c:\windows\SEC\Wallpapers\Thumbs.db
c:\windows\SEC\Wallpapers\wallpaper.jpg
c:\windows\SEC\Wallpapers\wallpaper1.jpg
c:\windows\SEC\Wallpapers\Wallpaper2.jpg

.
(((((((((((((((((((((((   Dateien erstellt von 2010-07-05 bis 2010-08-05  ))))))))))))))))))))))))))))))
.

2010-08-05 13:44 . 2010-08-05 13:44	--------	d-----w-	c:\users\SandAle\AppData\Local\temp
2010-08-05 13:44 . 2010-08-05 13:44	--------	d-----w-	c:\users\Public\AppData\Local\temp
2010-08-05 13:44 . 2010-08-05 13:44	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-08-05 11:47 . 2010-08-05 12:00	--------	d-----w-	C:\Combo-Fix
2010-08-04 17:14 . 2010-08-04 17:14	--------	d-----w-	c:\users\SandAle\AppData\Roaming\Malwarebytes
2010-08-04 17:14 . 2010-04-29 10:19	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-04 17:14 . 2010-08-04 17:14	--------	d-----w-	c:\programdata\Malwarebytes
2010-08-04 17:14 . 2010-08-04 17:15	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-08-04 17:14 . 2010-04-29 10:19	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-08-04 16:15 . 2010-08-04 22:00	--------	d-----w-	c:\users\SandAle\AppData\Local\ofbanyeef
2010-08-04 16:15 . 2010-08-04 18:29	--------	d-----w-	c:\users\SandAle\AppData\Roaming\ofbanyeef
2010-07-26 15:07 . 2010-07-26 15:07	--------	d-----w-	c:\program files\Creative Labs
2010-07-26 15:07 . 1999-07-06 12:13	40960	----a-w-	c:\windows\system32\eax.dll
2010-07-26 15:06 . 2010-07-26 15:07	--------	d-----w-	c:\program files\EidosNet
2010-07-26 15:05 . 1998-10-29 14:45	306688	----a-w-	c:\windows\IsUninst.exe
2010-07-21 14:37 . 2010-07-21 14:37	--------	d-----w-	c:\program files\iPod
2010-07-21 14:34 . 2010-07-21 14:34	73000	----a-w-	c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 11:45 . 2010-01-03 20:12	--------	d-----w-	c:\users\SandAle\AppData\Roaming\DC++
2010-08-04 20:01 . 2009-12-05 21:49	--------	d-----w-	c:\users\SandAle\AppData\Roaming\Skype
2010-08-04 18:17 . 2009-12-05 21:51	--------	d-----w-	c:\users\SandAle\AppData\Roaming\skypePM
2010-08-04 15:40 . 2009-12-04 19:31	--------	d-----w-	c:\program files\Common Files\SWF Studio
2010-08-01 17:34 . 2009-09-22 22:05	643866	----a-w-	c:\windows\system32\perfh007.dat
2010-08-01 17:34 . 2009-09-22 22:05	126394	----a-w-	c:\windows\system32\perfc007.dat
2010-07-26 15:42 . 2010-01-05 21:08	--------	d-----w-	c:\users\SandAle\AppData\Roaming\DAEMON Tools Lite
2010-07-26 09:49 . 2010-04-11 22:17	1	----a-w-	c:\users\SandAle\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-21 14:38 . 2009-12-29 14:47	--------	d-----w-	c:\program files\iTunes
2010-07-21 14:37 . 2009-12-29 14:45	--------	d-----w-	c:\program files\Common Files\Apple
2010-07-03 19:38 . 2010-06-20 16:46	--------	d-----w-	c:\users\SandAle\AppData\Roaming\SPORE
2010-06-22 11:57 . 2009-12-29 14:47	--------	d-----w-	c:\users\SandAle\AppData\Roaming\Apple Computer
2010-06-22 11:51 . 2009-12-29 14:46	--------	d-----w-	c:\programdata\Apple Computer
2010-06-22 11:49 . 2010-06-22 11:49	--------	d-----w-	c:\program files\Bonjour
2010-06-20 16:36 . 2009-09-22 05:19	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-06-14 16:39 . 2010-06-14 16:39	--------	d-----w-	c:\users\SandAle\AppData\Roaming\Nero
2010-06-14 16:37 . 2010-06-14 16:29	--------	d-----w-	c:\program files\Common Files\Nero
2010-06-14 16:37 . 2010-06-14 16:37	--------	d-----w-	c:\program files\Nero ControlCenter 4
2010-06-14 16:37 . 2010-06-14 16:29	--------	d-----w-	c:\program files\Nero 9
2010-06-14 16:31 . 2010-06-14 16:29	--------	d-----w-	c:\programdata\Nero
2010-06-12 09:20 . 2009-12-17 16:17	--------	d-----w-	c:\program files\PokerStars.NET
2010-06-07 05:45 . 2009-12-04 19:08	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-05-27 07:24 . 2010-06-10 14:09	34304	----a-w-	c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-10 14:09	293888	----a-w-	c:\windows\system32\atmfd.dll
2010-05-21 05:18 . 2010-06-10 14:09	977920	----a-w-	c:\windows\system32\wininet.dll
2010-05-18 14:35 . 2010-05-18 14:35	91424	----a-w-	c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35	107808	----a-w-	c:\windows\system32\dns-sd.exe
2009-06-10 21:26 . 2009-07-14 02:04	9633792	--sha-r-	c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42	396800	--sha-w-	c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-29 7744032]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
" Malwarebytes Anti-Malware  (reboot)"="c:\program files\Malwarebytes' Anti-Malware\Hubi.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^Users^SandAle^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\users\SandAle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06	976832	----a-w-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04	35760	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32	1135912	----a-w-	c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON S21 Series]
2008-09-12 04:00	199680	----a-w-	c:\windows\System32\spool\drivers\w32x86\3\E_FATIFAE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreePDF Assistant]
2009-09-05 16:29	385024	----a-w-	c:\program files\FreePDF_XP\fpassist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 05:41	141608	----a-w-	c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53	421888	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 10:43	248040	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2009-02-25 13:40	218408	------w-	c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-01-08 36608]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 136176]
R4 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-13 44312]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-05 691696]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-01-07 233136]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-11-23 88040]
S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-12 70664]
S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-07 58816]
S3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [2010-01-13 115216]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-20 189440]

.
Inhalt des "geplante Tasks" Ordners

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:05]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:05]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\SandAle\AppData\Roaming\Mozilla\Firefox\Profiles\cimcsryy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-771618654-3341757510-301361698-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:79,13,56,62,1e,20,99,0d,ab,77,54,b0,86,d8,c2,45,69,fd,86,9e,22,e7,b0,
   4f,fb,34,13,bf,45,0b,1f,1b,e9,23,d4,03,12,0f,89,11,7f,b0,47,65,f8,b9,13,dd,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12

[HKEY_USERS\S-1-5-21-771618654-3341757510-301361698-1000\Software\SecuROM\License information*]
"datasecu"=hex:be,8a,ea,53,6e,cc,88,b4,8a,a1,de,5f,f7,58,a5,d8,ad,23,af,28,f0,
   4f,5d,6e,d6,e2,3d,fc,e0,a5,05,02,e0,a5,e0,39,6a,c9,2f,ab,81,30,51,1f,65,d2,\
"rkeysecu"=hex:c4,6c,f0,dc,d9,12,8b,a5,f4,9f,85,11,e3,7c,35,6c

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2010-08-05  15:45:39
ComboFix-quarantined-files.txt  2010-08-05 13:45
ComboFix2.txt  2010-08-05 12:00

Vor Suchlauf: 14 Verzeichnis(se), 121.530.929.152 Bytes frei
Nach Suchlauf: 14 Verzeichnis(se), 121.475.850.240 Bytes frei

- - End Of File - - E5B29C5CD9F5179157830B91373F7AFC
         
--- --- ---

Old 05.08.2010, 15:51   #15
Larusso
/// Selecta Jahrusso

Tr/Dropper and Antimalware Doctor - back again after restart

Step 1

Note for other readers:
The following ComboFix script was created exclusively for this user in this situation.
Under no circumstances run it on other computers; it can permanently damage other systems!

Press the Windows + R keys --> type Notepad --> OK

Now copy the text from the following code box completely into the empty text document.
Code:
Folder::
c:\users\SandAle\AppData\Local\ofbanyeef
c:\users\SandAle\AppData\Roaming\ofbanyeef

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522

Save this as CFScript.txt on your desktop.

Important:
  • Temporarily disable your anti-virus software, since it can interfere with ComboFix's work.
    Don't forget to turn it back on afterwards!
  • Do not move the mouse over the ComboFix window or click inside it.
    This can cause ComboFix to hang.
  • Close all running programs. Make sure ComboFix can work unhindered.
  • Do nothing on the PC while ComboFix is running.

  • With reference to the picture above, drag CFScript.txt onto ComboFix.exe
  • When ComboFix has finished, it will create a log, C:\ComboFix.txt. Please post it here as a reply.

If the script contains the instruction Suspect:: or Collect::, a message box will appear after ComboFix has finished. Click OK and follow the prompts/instructions to upload the files.


Step 2

Custom scan with OTL

If you don't have it yet, please download OTL by Oldtimer and save it on your desktop
  • Please start OTL.exe.
    Vista and Win7 users: right-click, "Run as administrator"
  • Now copy the following contents into the text box.
Code:
netsvcs
drivers32 /all
msconfig
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Please close all programs now. (Important)
  • Now please click the Quick Scan button.
  • Click on .
  • Now copy the contents of OTL.txt here into your thread


Please post in your next reply
Combofix.txt
OTL.txt
__________________
Regards, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Learn to fight back and support us!
TB Akademie
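The one line in the ComboFix log that the DDS:: directive above resets is the WinINet proxy pointing at 127.0.0.1:6522. A proxy on the loopback interface means every browser request is handed to a process on the infected machine itself, which is why the poster could not get online at first. The following Python helper is an added example for readers triaging such logs; it is not part of this thread, nor of ComboFix or OTL. It parses the proxy lines of the "Zusätzlicher Suchlauf" section (the sample lines are copied from the log above), splits the WinINet ProxyServer value into per-protocol endpoints, flags loopback proxies, and reports the Firefox network.proxy.type mode. The function names and the loopback heuristic are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines in the shape ComboFix prints in its
# "Zusaetzlicher Suchlauf" section, copied from the log in this thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.de/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: network.proxy.type - 4
"""

# ComboFix prefixes per-user entries with "u" and machine-wide ones with "m".
PROXY_RE = re.compile(r"^(?P<scope>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$")
FF_PROXY_TYPE_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (?P<mode>\d+)\s*$")

# Meaning of Firefox's network.proxy.type values.
FIREFOX_PROXY_MODES = {
    0: "no proxy",
    1: "manual",
    2: "PAC URL",
    4: "auto-detect (WPAD)",
    5: "system settings",
}


@dataclass
class ProxyFinding:
    scope: str       # "u" (current user hive) or "m" (machine hive)
    protocol: str    # "http", "https", "ftp", "socks", or "*" for an unqualified entry
    host: str
    port: int
    loopback: bool   # True when the proxy points back at this machine


def parse_proxy_server(value: str) -> List[Tuple[str, str, int]]:
    """Split a WinINet ProxyServer value into (protocol, host, port) triples.

    The value is either "host:port" (applies to every protocol) or a
    ";"-separated list of "protocol=host:port" entries.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            proto, hostport = part.split("=", 1)
        else:
            proto, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given at all: assume the HTTP default
            host, port = hostport, "80"
        try:
            port_num = int(port)
        except ValueError:
            port_num = 0                 # keep the entry, mark the port as unparsable
        entries.append((proto.strip().lower(), host.strip().lower(), port_num))
    return entries


def is_loopback(host: str) -> bool:
    """True for hosts that resolve to the local machine itself (assumed heuristic)."""
    return host == "localhost" or host.startswith("127.") or host == "::1"


def find_proxy_indicators(log_text: str) -> List[ProxyFinding]:
    """Return one ProxyFinding per configured proxy endpoint found in the log."""
    findings: List[ProxyFinding] = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        for proto, host, port in parse_proxy_server(m.group("value")):
            findings.append(ProxyFinding(m.group("scope"), proto, host, port, is_loopback(host)))
    return findings


def firefox_proxy_mode(log_text: str) -> Optional[str]:
    """Human-readable Firefox proxy mode from the log's prefs.js line, if present."""
    for line in log_text.splitlines():
        m = FF_PROXY_TYPE_RE.match(line.strip())
        if m:
            mode = int(m.group("mode"))
            return FIREFOX_PROXY_MODES.get(mode, f"unknown ({mode})")
    return None


def report(log_text: str) -> List[str]:
    """Plain-text triage lines a helper could paste back into a thread."""
    lines = []
    for f in find_proxy_indicators(log_text):
        if f.loopback:
            verdict = "SUSPICIOUS: loopback proxy, browser traffic is routed through a local process"
        else:
            verdict = "info: external proxy, verify it is expected"
        lines.append(f"[{f.scope}] {f.protocol} proxy {f.host}:{f.port} -> {verdict}")
    mode = firefox_proxy_mode(log_text)
    if mode is not None:
        lines.append(f"Firefox proxy mode: {mode}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it on a saved ComboFix.txt by passing the file contents to report(). Firefox mode 5 ("system settings") would inherit the WinINet proxy, so a loopback entry then affects Firefox as well; modes 0 to 4 keep their own setting, which is why both values are worth reading together.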
