
Pests of all kinds and how to fight them: ThinkPoint Trojan and further consequences


22.10.2010, 09:09   #1
gerald61
 

ThinkPoint Trojan and further consequences



Hello,

Two days ago my son brought me his laptop; on it a supposed Windows alert was displayed, pointing to various infected files and prompting me to remove the viruses with ThinkPoint. Unfortunately I confirmed this prompt, whereupon ThinkPoint started after a reboot and allowed no user actions to leave ThinkPoint.

I did, however, manage to switch to another user (as far as I remember) and, following an internet search (source unfortunately no longer known), to take initial manual measures against ThinkPoint:
- stopping the hotfix.exe process via Task Manager
- removing *\Winlogon "Shell" from the registry
- removing the file %UserProfile%\Application Data\hotfix.exe

I then ran an AVG scan, with the following result:

12 Infections:

Quote:
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1O4LKWJE\aaick[1].htm";"Trojan horse Generic18.XUD";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1O4LKWJE\gtbwqys[1].htm";"Trojan horse Downloader.Generic10.AEKW";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1O4LKWJE\oovqlsahc[2].htm";"Trojan horse Crypt.ABEC";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RF7M1YUF\aaick[1].htm";"Trojan horse Generic18.XUD";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RF7M1YUF\erztbwqyg[2].htm";"Trojan horse BackDoor.Generic12.UOV";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RF7M1YUF\gtbwqys[1].htm";"Trojan horse Downloader.Generic10.AEKW";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UC0ZPG4K\ermtbvqls[1].htm";"Trojan horse Generic19.BLJA";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UC0ZPG4K\ermtbvqls[2].htm";"Trojan horse Generic19.BLJA";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UC0ZPG4K\erztbwqyg[1].htm";"Trojan horse BackDoor.Generic12.UOV";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UC0ZPG4K\oovqlsahc[1].htm";"Trojan horse Crypt.ABEC";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Temp\emnwcrxaos.exe";"Trojan horse SHeur3.BDAE";"Moved to Virus Vault"
"C:\Users\---myUser---\AppData\Local\Temp\osacxnmrwe.exe";"Trojan horse Cryptic.BDL";"Moved to Virus Vault"
68 Warnings:
Quote:
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite";"Found Tracking cookie.Oewabox";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\2o7.net.d7dacc3f";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\ad.yieldmanager.com.830b6f08";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\ad.yieldmanager.com.b4be891c";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\adbrite.com.e1f04284";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\adbrite.com.f796fd05";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\adbrite.com.ff6c09ff";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\adtech.de.12210228";"Found Tracking cookie.Adtech";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\adtech.de.a9245469";"Found Tracking cookie.Adtech";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\adtech.de.bb148b25";"Found Tracking cookie.Adtech";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\adviva.net.39ec90c";"Found Tracking cookie.Adviva";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\adtech.de.7bf05b8f";"Found Tracking cookie.Adtech";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\fastclick.net.6fd479aa";"Found Tracking cookie.Fastclick";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\hitbox.com.2b95f8a3";"Found Tracking cookie.Hitbox";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\fastclick.net.57e8da10";"Found Tracking cookie.Fastclick";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\hitbox.com.bbf2a6e8";"Found Tracking cookie.Hitbox";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\fastclick.net.fac3d6f0";"Found Tracking cookie.Fastclick";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\ivwbox.de.41d82fe2";"Found Tracking cookie.Ivwbox";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\oewabox.at.41d82fe2";"Found Tracking cookie.Oewabox";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\pro-market.net.266912e2";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\pro-market.net.bbf67f2d";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\revsci.net.f0067737";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\revsci.net.f7ac007f";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\revsci.net.18a1d1b2";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\serving-sys.com.ac41fe5a";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\smartadserver.com.321a5cf8";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\smartadserver.com.3632541c";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\smartadserver.com.3a30714b";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\smartadserver.com.5550c4ed";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\smartadserver.com.bf8b766";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\smartadserver.com.c5827141";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\tradedoubler.com.ba12c0e9";"Found Tracking cookie.Tradedoubler";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\tradedoubler.com.dc3c9994";"Found Tracking cookie.Tradedoubler";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\tradedoubler.com.eab0972e";"Found Tracking cookie.Tradedoubler";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\tradedoubler.com.ef90aa95";"Found Tracking cookie.Tradedoubler";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\weborama.fr.30104bcb";"Found Tracking cookie.Weborama";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\zedo.com.a5b6a132";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\zedo.com.c1dd09f2";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\zedo.com.cef1c7af";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\zedo.com.dd15d628";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\irv56qby.default\cookies.sqlite:\zedo.com.f1d14556";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Users\---otherUser---\AppData\Roaming\Microsoft\Windows\Cookies\Low\---otherUser---@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Users\---otherUser---\AppData\Roaming\Microsoft\Windows\Cookies\Low\---otherUser---@atdmt[1].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Users\---otherUser---\AppData\Roaming\Microsoft\Windows\Cookies\Low\---otherUser---@msnportal.112.2o7[1].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Users\---otherUser---\AppData\Roaming\Microsoft\Windows\Cookies\Low\---otherUser---@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Users\---otherUser---\AppData\Roaming\Microsoft\Windows\Cookies\Low\---otherUser---@oewabox[2].txt";"Found Tracking cookie.Oewabox";"Moved to Virus Vault"
"C:\Users\---otherUser---\AppData\Roaming\Microsoft\Windows\Cookies\Low\---otherUser---@oewabox[2].txt:\oewabox.at.41d82fe2";"Found Tracking cookie.Oewabox";"Moved to Virus Vault"
I then removed everything with AVG as far as possible and deleted the cookies.

Since strange browser behaviour was still noticeable in Firefox (redirects to other addresses), I uninstalled Firefox (deleting the personal user data) and reinstalled it. After that everything seemed normal.

Yesterday evening, however, my son came back with another alert, this time from AVG, saying that a WinHelp.exe file was infected. Removal with AVG was possible, but new WinHelp.exe files kept being generated. Eventually a prompt appeared again to install or start some virus-removal software. This time I did not comply with the prompt but rebooted the PC. Since then the behaviour has been normal again so far. AVG no longer finds the WinHelp.exe problem.

An OTL scan produced the following result:

OTL Logfile:
Code:
OTL logfile created on: 21.10.2010 20:20:55 - Run 1
OTL by OldTimer - Version 3.2.16.0 Folder = C:\Users\---myUser---\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000C07 | Country: Österreich | Language: DEA | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 59,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 80,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 94,16 Gb Total Space | 33,91 Gb Free Space | 36,01% Space Free | Partition Type: NTFS
Drive D: | 129,94 Gb Total Space | 113,81 Gb Free Space | 87,59% Space Free | Partition Type: NTFS
 
Computer Name: ORDINATION | User Name: ---myUser--- | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\---myUser---\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\PROGRA~1\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\PROGRA~1\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\PROGRA~1\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
PRC - C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe (Fujitsu Siemens Computers)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\HP Wireless Printer Adapter\ConnectMgr.exe ()
PRC - C:\Program Files\OEM\OSD_1.12\OsdService.exe (TODO: <公司名稱>)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Users\---myUser---\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (Norman NJeeves) -- C:\Program Files\Norman\Npm\bin\NJEEVES.EXE File not found
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (avg8emc) -- C:\PROGRA~1\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8wd) -- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (TestHandler) -- C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe (Fujitsu Siemens Computers)
SRV - (OsdService) -- C:\Program Files\OEM\OSD_1.12\OsdService.exe (TODO: <公司名稱>)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (hwdatacard) -- C:\Windows\System32\DRIVERS\ewusbmdm.sys File not found
DRV - (AvgLdx86) -- C:\Windows\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\Windows\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX) -- C:\Windows\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (NGS) -- c:\program files\norman\ngs\bin\ngs.sys (Norman ASA)
DRV - (tdrpman174) Acronis Try&Decide and Restore Points filter (build 174) -- C:\Windows\system32\DRIVERS\tdrpm174.sys (Acronis)
DRV - (timounter) -- C:\Windows\system32\DRIVERS\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\Windows\System32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman380) Acronis Snapshots Manager (Build 380) -- C:\Windows\system32\DRIVERS\snman380.sys (Acronis)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (NETw5v32) Intel(R) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (JRAID) -- C:\Windows\system32\drivers\jraid.sys (JMicron Technology Corp.)
DRV - (GpdKbFilter) -- C:\Windows\System32\kbfiltr.sys (Windows (R) Codename Longhorn DDK provider)
DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (ahcix86s) -- C:\Windows\system32\drivers\ahcix86s.sys (AMD Technologies Inc.)
DRV - (HPWPAUSB) -- C:\Windows\System32\drivers\HPWPAUSB.sys (Windows (R) Codename Longhorn DDK provider)
DRV - (GpdDevDPort) -- C:\Windows\System32\directport.sys ()
DRV - (HPNUHUB) -- C:\Windows\System32\drivers\hpnuhub.sys (Hewlett-Packard Development Company)
DRV - (iaStor) -- C:\Windows\system32\drivers\iastor.sys (Intel Corporation)
DRV - (hpnuhst) -- C:\Windows\System32\drivers\hpnuhst.sys (Hewlett-Packard Development Company)
DRV - (PCAMp50) -- C:\Windows\System32\drivers\PCAMp50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (PCASp50) -- C:\Windows\System32\drivers\PCASp50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
 
 
========== Standard Registry (All) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://at.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-at
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A8 67 08 C9 AF D4 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429
FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.5
 
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009.06.25 03:00:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009.12.22 16:45:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2010.01.16 19:07:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.10.21 01:04:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.10.21 01:04:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009.08.22 12:25:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009.01.14 22:19:29 | 000,000,000 | ---D | M]
 
[2010.10.21 01:04:20 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\Mozilla\Extensions
[2010.10.21 01:04:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\---myUser---\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010.10.21 01:06:31 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\24yvnsrx.default\extensions
[2010.10.21 01:06:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\24yvnsrx.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.10.21 01:04:07 | 000,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2010.10.21 01:04:07 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008.12.31 18:13:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009.02.05 23:48:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009.06.08 13:16:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009.09.10 08:08:59 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009.11.17 09:51:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2008.12.02 22:58:10 | 000,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2008.12.02 22:58:10 | 000,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007.04.10 18:21:08 | 000,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2009.10.11 05:17:27 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009.01.06 21:54:52 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2008.12.02 22:58:10 | 000,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009.01.14 22:19:21 | 000,144,960 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll
[2009.01.14 22:19:29 | 000,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll
[2009.01.14 22:19:17 | 000,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll
[2008.03.15 15:56:14 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2008.10.13 20:34:40 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2008.04.16 06:08:20 | 000,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008.02.19 16:40:48 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2006.12.03 17:59:22 | 000,000,986 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2006.11.17 13:19:24 | 000,000,801 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,736 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [FSCRecovery] c:\Program Files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe (Fujitsu Siemens Computers GmbH)
O4 - HKLM..\Run: [ Malwarebytes Anti-Malware  (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NPCTray] C:\Program Files\Norman\npc\bin\npc_tray.exe File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - Startup: C:\Users\---myUser---\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\Windows\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\Windows\System32\sysdm.cpl (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\Windows\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010.10.20 23:43:55 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.10.20 23:43:54 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.10.20 23:43:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.10.20 23:43:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.10.20 21:58:18 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Windows
[2010.10.20 21:57:22 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Server
[2010.10.15 16:52:22 | 008,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2010.10.15 16:52:11 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netevent.dll
[2010.10.15 16:51:53 | 000,157,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2010.10.15 16:51:49 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010.10.15 16:51:49 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010.10.15 16:51:49 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2010.10.15 16:51:48 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010.10.15 16:51:48 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010.10.15 16:51:48 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010.10.15 16:51:48 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010.10.15 16:51:48 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010.10.15 16:51:48 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010.10.15 16:51:48 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010.10.15 16:51:48 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010.10.15 16:51:48 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010.10.15 16:51:48 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010.10.15 16:51:48 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010.10.15 16:51:48 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010.10.15 16:51:48 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010.10.15 16:51:48 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010.10.15 16:51:41 | 000,954,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40.dll
[2010.10.15 16:51:41 | 000,954,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40u.dll
[2010.10.15 16:51:22 | 002,038,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010.10.15 16:51:21 | 000,231,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msshsq.dll
[2010.10.15 16:51:19 | 000,867,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmpmde.dll
[2010.10.13 19:06:36 | 000,000,000 | ---D | C] -- C:\Users\---myUser---\AppData\Roaming\dvdcss
[2010.10.10 16:37:06 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010.10.10 16:37:06 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010.10.10 16:37:06 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010.10.10 16:36:45 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe
[2010.10.10 16:31:33 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010.10.10 16:31:32 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2010.10.08 09:13:02 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010.10.08 09:11:30 | 000,081,920 | ---- | C] (Radius Inc.) -- C:\Windows\System32\iccvid.dll
[2010.10.08 09:11:25 | 000,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010.10.08 09:11:21 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll
[2010.10.08 09:11:04 | 001,696,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gameux.dll
[2010.10.08 09:11:02 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010.10.08 09:11:02 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010.10.08 09:10:52 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010.10.08 09:10:47 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MP4SDECD.DLL
[2010.10.08 09:10:46 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010.10.08 09:10:46 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010.10.08 09:10:46 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010.10.08 09:10:43 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rtutils.dll
[2010.10.08 09:10:30 | 003,600,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010.10.08 09:10:30 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010.10.08 09:10:24 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codecp.acm
[2010.10.08 09:10:24 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm
[2010.10.08 09:10:14 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010.10.08 09:10:13 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010.10.08 09:10:03 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010.10.08 09:10:02 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010.10.08 09:10:02 | 000,346,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010.10.08 09:10:01 | 000,518,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010.10.08 09:10:01 | 000,152,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010.10.08 09:10:01 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll
[2010.10.08 09:10:00 | 000,332,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdrm.dll
[2010.10.08 09:08:47 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2010.10.08 09:08:47 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvfw32.dll
[2010.10.08 09:08:47 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll
[2010.10.08 09:08:47 | 000,082,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciavi32.dll
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2010.10.21 20:20:00 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{9CC3C4F5-CF12-405B-A11E-72391A018EF1}.job
[2010.10.21 20:17:04 | 000,106,088 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010.10.21 20:17:04 | 000,106,026 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010.10.21 20:14:00 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010.10.21 20:03:25 | 000,000,428 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{476D27DE-7D1D-416B-A067-6FFF8C6AA3FC}.job
[2010.10.21 20:01:58 | 066,653,626 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010.10.21 20:00:13 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010.10.21 19:59:51 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.10.21 04:48:16 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.10.21 04:48:16 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.10.21 01:34:06 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\pjcfn.sys
[2010.10.21 01:14:00 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010.10.21 01:04:08 | 000,001,766 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010.10.21 00:52:48 | 000,618,442 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.10.21 00:52:48 | 000,587,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.10.21 00:52:48 | 000,122,842 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.10.21 00:52:48 | 000,101,250 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.10.21 00:47:59 | 3215,613,952 | -HS- | M] () -- C:\hiberfil.sys
[2010.10.20 22:03:39 | 000,000,010 | ---- | M] () -- C:\Users\---myUser---\AppData\Roaming\install
[2010.10.20 21:59:04 | 000,000,185 | ---- | M] () -- C:\Users\---myUser---\AppData\Roaming\21996.bat
[2010.10.20 21:59:01 | 000,000,185 | ---- | M] () -- C:\Users\---myUser---\AppData\Roaming\22597.bat
[2010.10.20 18:15:14 | 000,289,648 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010.10.12 17:38:21 | 000,012,800 | ---- | M] () -- C:\Users\---myUser---\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.10.05 15:19:13 | 000,002,115 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010.10.21 01:34:06 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\pjcfn.sys
[2010.10.21 01:04:08 | 000,001,766 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010.10.20 22:03:39 | 000,000,010 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\install
[2010.10.20 21:59:04 | 000,000,185 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\21996.bat
[2010.10.20 21:59:01 | 000,000,185 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\22597.bat
[2010.10.05 15:19:13 | 000,002,115 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010.04.03 21:28:28 | 000,000,680 | ---- | C] () -- C:\Users\---myUser---\AppData\Local\d3d9caps.dat
[2009.12.08 23:27:12 | 000,012,800 | ---- | C] () -- C:\Users\---myUser---\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.10.20 19:23:12 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.01.01 08:57:03 | 000,000,993 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2008.12.31 21:57:09 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2008.12.31 19:36:13 | 000,037,888 | ---- | C] () -- C:\Windows\System32\setupnt.dll
[2008.07.03 14:39:01 | 000,106,088 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008.07.03 14:39:01 | 000,106,026 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008.04.25 15:23:38 | 000,012,288 | ---- | C] () -- C:\Windows\System32\EvOnlDiag.dll
[2007.11.21 11:31:26 | 000,007,168 | ---- | C] () -- C:\Windows\System32\directport.sys
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2002.01.08 16:57:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\anxci_pc.dll
 
========== LOP Check ==========
 
[2009.12.06 11:33:24 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\Acronis
[2009.12.06 11:06:04 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\OpenOffice.org
[2010.01.16 19:19:17 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\Thunderbird
[2010.10.21 00:47:13 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010.10.21 20:03:25 | 000,000,428 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{476D27DE-7D1D-416B-A067-6FFF8C6AA3FC}.job
[2010.10.21 20:20:00 | 000,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{9CC3C4F5-CF12-405B-A11E-72391A018EF1}.job
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.* >
[2008.12.31 15:03:12 | 000,001,024 | ---- | M] () -- C:\.rnd
[2006.09.18 23:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009.04.11 08:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2008.07.03 14:52:51 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2006.09.18 23:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2008.07.03 08:16:09 | 000,000,011 | ---- | M] () -- C:\FSC_PI.txt
[2010.10.21 00:47:59 | 3215,613,952 | -HS- | M] () -- C:\hiberfil.sys
[2010.10.21 00:47:58 | 3529,428,992 | -HS- | M] () -- C:\pagefile.sys
[2008.12.02 16:37:35 | 000,003,452 | ---- | M] () -- C:\pi_adler.csv
[2008.07.01 09:44:37 | 000,001,805 | ---- | M] () -- C:\Prodlog.txt
[2009.02.17 16:32:30 | 000,000,032 | RH-- | M] () -- C:\VDISCPDI.DAT
 
< %systemroot%\system32\*.dll /lockedfiles >
[2009.04.11 08:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009.04.11 08:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[1 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]
 
< %systemroot%\Tasks\*.job /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
[2008.07.03 14:52:34 | 031,981,568 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008.07.03 14:51:45 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008.07.03 14:52:34 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2008.07.03 14:52:47 | 018,571,264 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2008.07.03 14:52:49 | 006,684,672 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV
 
< %systemroot%\system32\drivers\*.sys /90 >
[2010.10.21 01:34:06 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\pjcfn.sys
[2010.09.06 15:45:38 | 000,304,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv.sys
[2010.09.06 15:45:22 | 000,145,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv2.sys
[2010.09.06 15:45:19 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srvnet.sys
 
< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008.01.21 04:23:14 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPLHN.DLL
[2006.11.02 14:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
 
< End of report >
         

Malwarebytes found no problems in a quick scan.

A subsequent full scan with Malwarebytes found 5 infected files:
Quote:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4905

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

22.10.2010 07:07:01
mbam-log-2010-10-22 (07-07-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 284397
Time elapsed: 1 hour(s), 43 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb (Rogue.FakeMSE) -> Delete on reboot.
C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1O4LKWJE\tkbvqkfdls[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TR61XHAD\gtovqub[1].htm (Rogue.FakeMSE) -> Quarantined and deleted successfully.
C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UC0ZPG4K\gtovqub[1].htm (Rogue.FakeMSE) -> Quarantined and deleted successfully.
C:\Users\---myUser---\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
4 of the files were apparently quarantined immediately; for one of them I rebooted so that it would be deleted.
I additionally deleted the contents of C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 from the DOS window.

But my fear is that there might still be malware on the computer. How can I reduce the probability that malware is still on it?

Old 23.10.2010, 21:09   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Close all programs, start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom of OTL): (the ":OTL" must be copied along with it!!!)

Note: If you obscured your user name, you must turn the starred-out/edited part back into your real user name, otherwise the script will not work!!

Code:
:OTL
[2010.10.20 21:58:18 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Windows
[2010.10.20 21:57:22 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Server
[2010.10.21 01:34:06 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\pjcfn.sys
[2010.10.20 21:59:04 | 000,000,185 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\21996.bat
[2010.10.20 21:59:01 | 000,000,185 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\22597.bat
:Commands
[purity]
[resethosts]
[emptytemp]

Then click the Fix! button at the top left.
The log file should open when you click OK after the fix; please post it. The computer may be restarted.
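The fix script above was assembled by hand from the OTL listings in the first post: entries that were created or modified right around the infection, carry no publisher (the empty "()" in the listing) or are hidden directories dropped into Public\Documents. The following Python script, added here as an example and not part of this thread or of OTL itself, parses OTL listing lines in that format, applies that triage heuristic, and drafts an :OTL fix block in the same form cosinus used. The sample lines are copied from the listings posted above; the 90-day window mirrors OTL's "/90" switch, and the cutoff date, the extension list and the hidden-directory rule are assumptions of this example, not OTL behaviour. The result is a review list, not a verdict: a publisher-less file is a reason to look, not proof of malware.

```python
"""Triage an OTL file listing and draft the matching :OTL fix script.

Added example, not OTL's own code. The log lines in SAMPLE_LOG are copied from
the listings in this thread; REFERENCE (assumed) is the date of the fix post.
"""
import re
from datetime import datetime, timedelta

# One OTL listing line:
#   [YYYY.MM.DD HH:MM:SS | size | attrs | C|M] (Publisher) [note] -- path
# Publisher is absent for directories and empty "()" for unsigned files;
# a free-text note such as "Unable to obtain MD5" may sit before the "--".
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]\s*"
    r"(?:\((?P<publisher>[^)]*)\))?\s*(?P<note>.*?)\s*-- (?P<path>.+)$"
)

# Assumed heuristic thresholds (not from OTL): executable content with no
# publisher, or hidden directories, touched within the scan window.
EXEC_EXT = (".sys", ".exe", ".dll", ".bat", ".cmd", ".scr", ".com")
REFERENCE = datetime(2010, 10, 23)
WINDOW_DAYS = 90  # mirrors OTL's "/90" custom scan switch

# Constructed sample: lines copied from the OTL listings earlier in this thread.
SAMPLE_LOG = r"""
< %systemroot%\system32\drivers\*.sys /90 >
[2010.10.20 21:58:18 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Windows
[2010.10.21 01:34:06 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\pjcfn.sys
[2010.09.06 15:45:38 | 000,304,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv.sys
[2010.10.20 21:59:04 | 000,000,185 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\21996.bat
[2009.04.11 08:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
"""


def parse_otl(text):
    """Return a dict per listing line; section headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = OTL_LINE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "raw": raw.strip(),
            "ts": datetime.strptime(m.group("ts"), "%Y.%m.%d %H:%M:%S"),
            "size": int(m.group("size").replace(",", "")),
            "attrs": m.group("attrs"),
            "kind": m.group("kind"),            # C = created, M = modified
            "publisher": m.group("publisher"),  # None for directories, "" for "()"
            "note": m.group("note"),
            "path": m.group("path"),
        })
    return entries


def triage(text, reference=REFERENCE, window_days=WINDOW_DAYS):
    """Flag entries worth a human look; this is a review list, not a verdict."""
    cutoff = reference - timedelta(days=window_days)
    flagged = []
    for e in parse_otl(text):
        if e["ts"] < cutoff:
            continue
        is_dir = "D" in e["attrs"]
        hidden = "H" in e["attrs"]
        unsigned_exec = (not is_dir and not e["publisher"]
                         and e["path"].lower().endswith(EXEC_EXT))
        if (is_dir and hidden) or unsigned_exec:
            flagged.append(e)
    return flagged


def build_otl_fix(entries):
    """Draft the :OTL script in the form used in this thread from reviewed entries."""
    lines = [":OTL"] + [e["raw"] for e in entries]
    lines += [":Commands", "[purity]", "[resethosts]", "[emptytemp]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for e in hits:
        print(f"{e['ts']:%Y-%m-%d %H:%M}  {e['attrs']}  {e['path']}")
    print(build_otl_fix(hits))
```

On the sample, the triage picks out exactly the hidden Public\Documents\Windows folder, pjcfn.sys and the 21996.bat dropper while leaving the Microsoft-signed srv.sys alone; rsaenh.dll is skipped only because it is old, so on a more recent system it would still be worth checking its hash against a known-good copy. OTL moves, rather than deletes, whatever the :OTL block names (the later fix log says "moved successfully"), which is why a reviewed draft like this is safer than deleting by hand.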

Old 23.10.2010, 22:30   #3
gerald61
 
The log file after the OTL fix reads:

Quote:
All processes killed
========== OTL ==========
C:\Users\Public\Documents\Windows folder moved successfully.
C:\Users\Public\Documents\Server folder moved successfully.
File C:\Windows\System32\drivers\pjcfn.sys not found.
C:\Users\---user---\AppData\Roaming\21996.bat moved successfully.
C:\Users\---user---\AppData\Roaming\22597.bat moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: ---user---
->Temp folder emptied: 10292139 bytes
->Temporary Internet Files folder emptied: 435186 bytes
->Java cache emptied: 37901533 bytes
->FireFox cache emptied: 82353979 bytes
->Flash cache emptied: 50676 bytes

User: ---user2---
->Temp folder emptied: 3035978432 bytes
->Temporary Internet Files folder emptied: 83393493 bytes
->Java cache emptied: 51872037 bytes
->FireFox cache emptied: 106484830 bytes
->Flash cache emptied: 55022 bytes

User: ---user2.2---

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: ---user3---
->Temp folder emptied: 81368078 bytes
->Temporary Internet Files folder emptied: 19284834 bytes
->Java cache emptied: 13697578 bytes
->FireFox cache emptied: 68392626 bytes
->Flash cache emptied: 405 bytes

User: ---user3.2---

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 212024 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 207392874 bytes
RecycleBin emptied: 5371663 bytes

Total Files Cleaned = 3.628,00 mb


OTL by OldTimer - Version 3.2.16.0 log created on 10232010_222110

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\TMP00000049DD10B46FE84D629C not found!

Registry entries deleted on Reboot...

Old 23.10.2010, 22:39   #4
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Then please run CF now:

ComboFix

A guide and tutorial on using ComboFix
  • Download ComboFix from here to your desktop. Rename it to cofi.exe while downloading.
  • Close all programs, above all your antivirus program and other background guards, as well as your internet browser.
  • Start cofi.exe from your desktop, confirm the warning messages, perform the updates (if offered), install the Recovery Console (if offered) and let it scan your system.
    Also avoid using the mouse and keyboard while ComboFix is running.
  • Afterwards a combofix.txt opens automatically; please copy its contents ([Ctrl]a, [Ctrl]c) and paste them into your post ([Ctrl]v). You will also find the file at: C:\ComboFix.txt.
Important note:
ComboFix may only be run when a helper has explicitly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.
__________________
"The truth is usually just an excuse for a lack of imagination." (Elim Garak)

Support the Trojaner-Board
Why Linux is better than Windows!

Old 23.10.2010, 23:44   #5
gerald61
 
ComboFix warns me that

antivirus AVG Anti-Virus Free
antispyware AVG Anti-Virus Free

are still active.

I have tried

to disable the AVG email scanner service -> seems to have succeeded
I cannot disable the AVG Free8 WatchDog service; its status is started and in the services list all the menu items for stop, pause, etc. are greyed out

What now?


Old 24.10.2010, 00:12   #6
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
If need be, uninstall AVG.

Old 24.10.2010, 00:35   #7
gerald61
 
I uninstalled AVG, which triggered a reboot and thus aborted cofi.
After that cofi ran without warnings, with the following log:

ComboFix log file:
Code:
ComboFix 10-10-22.05 - ---user--- 24.10.2010   0:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.43.1031.18.3066.2284 [GMT 2:00]
run from:: c:\users\---user---\Desktop\cofi.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\---user2---\Desktop\Translator.url

.
(((((((((((((((((((((((   Files Created From 2010-09-23 to 2010-10-23  ))))))))))))))))))))))))))))))
.

2010-10-23 22:25 . 2010-10-23 22:25	--------	d-----w-	c:\users\---user---\AppData\Local\temp
2010-10-23 22:25 . 2010-10-23 22:25	--------	d-----w-	c:\users\---user3---\AppData\Local\temp
2010-10-23 22:25 . 2010-10-23 22:25	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-10-23 22:25 . 2010-10-23 22:25	--------	d-----w-	c:\users\---user2---\AppData\Local\temp
2010-10-23 20:50 . 2010-10-23 20:50	--------	d-----w-	c:\program files\CCleaner
2010-10-22 20:30 . 2010-10-07 23:21	6146896	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{DCDB9C0F-F35F-4585-999A-C3D96418085A}\mpengine.dll
2010-10-21 19:00 . 2010-10-21 19:00	--------	d-----w-	c:\users\---user---\AppData\Roaming\Malwarebytes
2010-10-21 18:30 . 2010-10-21 18:30	--------	d-----w-	C:\_OTL
2010-10-20 21:44 . 2010-10-20 21:44	--------	d-----w-	c:\users\---user3---\AppData\Roaming\Malwarebytes
2010-10-20 21:43 . 2010-04-29 13:39	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 21:43 . 2010-10-20 21:43	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-10-20 21:43 . 2010-10-20 21:43	--------	d-----w-	c:\programdata\Malwarebytes
2010-10-20 21:43 . 2010-04-29 13:39	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-10-15 14:52 . 2010-09-13 13:56	8147456	----a-w-	c:\windows\system32\wmploc.DLL
2010-10-15 14:52 . 2010-09-13 13:56	168960	----a-w-	c:\program files\Windows Media Player\wmplayer.exe
2010-10-15 14:52 . 2010-09-06 16:20	125952	----a-w-	c:\windows\system32\srvsvc.dll
2010-10-15 14:52 . 2010-09-06 13:45	102400	----a-w-	c:\windows\system32\drivers\srvnet.sys
2010-10-15 14:52 . 2010-09-06 16:19	17920	----a-w-	c:\windows\system32\netevent.dll
2010-10-15 14:52 . 2010-09-06 13:45	304128	----a-w-	c:\windows\system32\drivers\srv.sys
2010-10-15 14:52 . 2010-09-06 13:45	145408	----a-w-	c:\windows\system32\drivers\srv2.sys
2010-10-15 14:52 . 2010-08-10 15:53	274944	----a-w-	c:\windows\system32\schannel.dll
2010-10-13 17:06 . 2010-10-13 19:10	--------	d-----w-	c:\users\---user---\AppData\Roaming\dvdcss
2010-10-11 12:59 . 2009-08-24 11:36	377344	----a-w-	c:\windows\system32\winhttp.dll
2010-10-11 12:59 . 2010-05-27 20:08	739328	----a-w-	c:\windows\system32\inetcomm.dll
2010-10-10 14:37 . 2009-11-08 08:55	99176	----a-w-	c:\windows\system32\PresentationHostProxy.dll
2010-10-10 14:37 . 2009-11-08 08:55	49472	----a-w-	c:\windows\system32\netfxperf.dll
2010-10-10 14:37 . 2009-11-08 08:55	297808	----a-w-	c:\windows\system32\mscoree.dll
2010-10-10 14:37 . 2009-11-08 08:55	295264	----a-w-	c:\windows\system32\PresentationHost.exe
2010-10-10 14:37 . 2009-11-08 08:55	1130824	----a-w-	c:\windows\system32\dfshim.dll
2010-10-10 14:36 . 2010-02-12 10:32	293376	----a-w-	c:\windows\system32\browserchoice.exe
2010-10-10 14:31 . 2010-02-20 23:06	24064	----a-w-	c:\windows\system32\nshhttp.dll
2010-10-10 14:31 . 2010-02-20 20:53	411648	----a-w-	c:\windows\system32\drivers\http.sys
2010-10-10 14:31 . 2010-02-20 23:05	30720	----a-w-	c:\windows\system32\httpapi.dll
2010-10-08 07:13 . 2010-04-16 16:46	502272	----a-w-	c:\windows\system32\usp10.dll
2010-10-08 07:13 . 2010-06-22 13:30	2048	----a-w-	c:\windows\system32\tzres.dll
2010-10-08 07:11 . 2010-02-23 11:10	212992	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2010-10-08 07:11 . 2010-02-23 11:10	79360	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2010-10-08 07:11 . 2010-02-23 11:10	106496	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-10-08 07:11 . 2010-05-27 20:08	81920	----a-w-	c:\windows\system32\iccvid.dll
2010-10-08 07:11 . 2010-01-29 15:40	1616384	----a-w-	c:\program files\Windows Mail\msoe.dll
2010-10-08 07:11 . 2010-03-05 14:01	420352	----a-w-	c:\windows\system32\vbscript.dll
2010-10-08 07:11 . 2010-04-05 17:01	67072	----a-w-	c:\windows\system32\asycfilt.dll
2010-10-08 07:11 . 2010-01-06 15:39	1696256	----a-w-	c:\windows\system32\gameux.dll
2010-10-08 07:11 . 2010-04-16 16:43	28672	----a-w-	c:\windows\system32\Apphlpdm.dll
2010-10-08 07:11 . 2010-04-16 14:39	4240384	----a-w-	c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-08 07:09 . 2010-08-17 10:52	2409784	----a-w-	c:\program files\Windows Mail\OESpamFilter.dat
2010-10-08 07:09 . 2010-06-16 16:04	905088	----a-w-	c:\windows\system32\drivers\tcpip.sys
2010-10-08 07:09 . 2009-12-08 17:26	30720	----a-w-	c:\windows\system32\drivers\tcpipreg.sys
2010-10-08 07:09 . 2010-08-26 04:23	13312	----a-w-	c:\program files\Internet Explorer\iecompat.dll
2010-10-08 07:08 . 2009-12-04 18:30	12288	----a-w-	c:\windows\system32\tsbyuv.dll
2010-10-08 07:08 . 2009-12-04 18:29	1314816	----a-w-	c:\windows\system32\quartz.dll
2010-10-08 07:08 . 2009-12-04 18:28	22528	----a-w-	c:\windows\system32\msyuv.dll
2010-10-08 07:08 . 2009-12-04 18:28	31744	----a-w-	c:\windows\system32\msvidc32.dll
2010-10-08 07:08 . 2009-12-04 18:28	123904	----a-w-	c:\windows\system32\msvfw32.dll
2010-10-08 07:08 . 2009-12-04 18:28	13312	----a-w-	c:\windows\system32\msrle32.dll
2010-10-08 07:08 . 2009-12-04 18:28	82944	----a-w-	c:\windows\system32\mciavi32.dll
2010-10-08 07:08 . 2009-12-04 18:28	50176	----a-w-	c:\windows\system32\iyuv_32.dll
2010-10-08 07:08 . 2009-12-04 18:27	91136	----a-w-	c:\windows\system32\avifil32.dll
2010-10-08 06:52 . 2009-12-23 11:33	172032	----a-w-	c:\windows\system32\wintrust.dll
2010-10-08 06:52 . 2010-01-13 17:34	98304	----a-w-	c:\windows\system32\cabview.dll
2010-10-08 06:49 . 2010-10-08 06:49	--------	d-----w-	c:\users\---user3---\AppData\Local\AVG Security Toolbar
2010-10-08 06:48 . 2010-10-08 06:48	--------	d-----w-	c:\users\---user3---\AppData\Local\Mozilla

.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 09:41 . 2009-10-23 01:15	222080	------w-	c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((   Registry Autostart Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown. 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58	333192	----a-w-	c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-25 6111232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"FSCRecovery"="c:\program files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe" [2008-05-08 268096]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-14 185872]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-11-27 165144]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-27 4386336]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-27 962584]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
" Malwarebytes Anti-Malware  (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\---user2---\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\users\---user3---\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OSD.lnk - c:\users\---user3---\AppData\Roaming\Microsoft\Installer\{73289228-1853-4623-982A-EB17FF0270CA}\_4D3FC276DECE661B01DFEC.exe [2008-12-31 21630]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Verbindungsmanager.lnk - c:\program files\HP Wireless Printer Adapter\ConnectMgr.exe [2009-6-8 1613824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 135664]
R3 HPWPAUSB;Wireless Printer Adapter;c:\windows\system32\Drivers\HPWPAUSB.sys [2007-11-23 18560]
R3 PCAMp50;PCAMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50.sys [2006-11-28 28224]
S1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2009-02-11 22712]
S2 OsdService;OSD Service;c:\program files\OEM\OSD_1.12\OsdService.exe [2008-02-22 94208]
S3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [2007-11-21 7168]
S3 GpdKbFilter;GpdKbFilter;c:\windows\system32\kbfiltr.sys [2008-03-31 8192]
S3 hpnuhst;HP NUSB Host;c:\windows\system32\DRIVERS\hpnuhst.sys [2007-03-27 13824]
S3 HPNUHUB;HP NUSB Hub;c:\windows\system32\DRIVERS\hpnuhub.sys [2007-10-30 35328]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-05-01 3660800]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Contents of the "Scheduled Tasks" folder

2010-10-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-01 11:50]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 16:50]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 16:50]

2010-10-23 c:\windows\Tasks\User_Feed_Synchronization-{476D27DE-7D1D-416B-A067-6FFF8C6AA3FC}.job
- c:\windows\system32\msfeedssync.exe [2010-10-15 04:25]

2010-10-23 c:\windows\Tasks\User_Feed_Synchronization-{9CC3C4F5-CF12-405B-A11E-72391A018EF1}.job
- c:\windows\system32\msfeedssync.exe [2010-10-15 04:25]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\---user---\AppData\Roaming\Mozilla\Firefox\Profiles\24yvnsrx.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - Orphaned Registry Entries Removed - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-10-24 00:25
Windows 6.0.6002 Service Pack 2 NTFS

Scanning hidden processes... 

Scanning hidden autostart entries... 

Scanning hidden files... 

Scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- Locked Registry Keys ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-10-24  00:27:30
ComboFix-quarantined-files.txt  2010-10-23 22:27

Before scan: 15 directory(ies), 40.995.127.296 bytes free
After scan: 18 directory(ies), 41.203.531.776 bytes free

- - End Of File - - AAAC01F42D10A08CBB1D52B3F2E391C8
         

Old 24.10.2010, 00:48   #8
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
OK. Now please create logs with GMER and OSAM and post them.
GMER crashes fairly often; if the tool still won't run on the 2nd attempt, just leave it out and run only OSAM.


Then please download MBRCheck (by a_d_13) and save the file to the desktop.
  • Double-click MBRCheck.exe.
    Vista and Win7 users: right-click and "Run as administrator"
  • The tool only takes a second.
  • You should then find a MBRCheck_<Date>_<Time>.txt on the desktop.
Please post the contents of the .txt file for me

Old 24.10.2010, 02:13   #9
gerald61
 
GMER log:

Quote:
GMER log file:
Code:
GMER 1.0.15.15477 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-10-24 01:39:59
Windows 6.0.6002 Service Pack 2
Running: mls0rlqb.exe; Driver: C:\Users\---user---\AppData\Local\Temp\awdiipod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text           C:\Windows\system32\DRIVERS\nvlddmkm.sys          section is writeable [0x8E205320, 0x3E4E87, 0xE8000020]
?               C:\Windows\system32\Drivers\PROCEXP113.SYS        The system cannot find the file specified. !
?               C:\Users\---user---\AppData\Local\Temp\catchme.sys  The system cannot find the file specified. !
?               C:\Users\---user---\AppData\Local\Temp\mbr.sys      The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device                                                            Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0           kbfiltr.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1           kbfiltr.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1            tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1            snman380.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2            tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2            snman380.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3            tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3            snman380.sys (Acronis Snapshot API/Acronis)

---- Files - GMER 1.0.15 ----

File            C:\Windows\TEMP                                   0 bytes

---- EOF - GMER 1.0.15 ----
         
OSAM log:

Quote:
Report of OSAM: Autorun Manager v5.0.11926.0
Online Solutions. Complex Protection for Information Systems
Saved at 02:00:45 on 24.10.2010
OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit
Default Browser: Mozilla Corporation Firefox 3.0.5

Scanner Settings
Rootkits detection (hidden registry)
Rootkits detection (hidden files)
Retrieve files information
Check Microsoft signatures

Filters
Trusted entries
Empty entries
Hidden registry entries (rootkit activity)
Exclusively opened files
Not found files
Files without detailed information
Existing files
Non-startable services
Non-startable drivers
Active entries
Disabled entries

Risk Name Publisher Full Path Status
Common
%SystemRoot%\Tasks
|||| "GoogleUpdateTaskMachineCore.job" "Google Inc." C:\Program Files\Google\Update\GoogleUpdate.exe File exists
|||| "GoogleUpdateTaskMachineUA.job" "Google Inc." C:\Program Files\Google\Update\GoogleUpdate.exe File exists
|||| "Google Software Updater.job" "Google" C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe File exists
Control Panel Objects
HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
|||||| "Nero BurnRights" "Nero AG" C:\Program Files\Nero\Nero8\Nero Toolkit\NeroBurnRights.cpl File exists
Drivers
HKLM\SYSTEM\CurrentControlSet\Services
|||||| "Acronis Snapshots Manager (Build 380)" (snapman380) "Acronis" C:\Windows\System32\DRIVERS\snman380.sys File exists
|||||| "Acronis Try&Decide and Restore Points filter (build 174)" (tdrpman174) "Acronis" C:\Windows\System32\DRIVERS\tdrpm174.sys File exists
"awdiipod" (awdiipod) C:\Users\---user---\AppData\Local\Temp\awdiipod.sys Hidden registry entry, rootkit activity | File not found
"catchme" (catchme) C:\Users\---user---\AppData\Local\Temp\catchme.sys File not found
"GpdDevDPort" (GpdDevDPort) C:\Windows\system32\directport.sys File found, but it contains no detailed information
|||||| "GpdKbFilter" (GpdKbFilter) "Windows (R) Codename Longhorn DDK provider" C:\Windows\system32\kbfiltr.sys File exists
"Huawei DataCard USB Modem and USB Serial" (hwdatacard) C:\Windows\System32\DRIVERS\ewusbmdm.sys File not found
"IP in IP Tunnel Driver" (IpInIp) C:\Windows\System32\DRIVERS\ipinip.sys File not found
"IPX Traffic Filter Driver" (NwlnkFlt) C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
"IPX Traffic Forwarder Driver" (NwlnkFwd) C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
"mbr" (mbr) C:\Users\---user---\AppData\Local\Temp\mbr.sys Hidden registry entry, rootkit activity | File not found
|||||| "Norman General Security Driver" (NGS) "Norman ASA" c:\program files\norman\ngs\bin\ngs.sys File exists
|||||| "PCAMp50 NDIS Protocol Driver" (PCAMp50) "Printing Communications Assoc., Inc. (PCAUSA)" C:\Windows\System32\Drivers\PCAMp50.sys File exists
|||||| "PCASp50 NDIS Protocol Driver" (PCASp50) "Printing Communications Assoc., Inc. (PCAUSA)" C:\Windows\System32\Drivers\PCASp50.sys File exists
Explorer
HKLM\Software\Classes\Folder\shellex\ColumnHandlers
|||||| {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" "Adobe Systems, Inc." C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll File exists
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists
HKLM\Software\Classes\Protocols\Handler
|||||| {0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" "Microsoft Corporation" c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" File not found | COM-object registry key not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" File not found | COM-object registry key not found
|||||| {C539A15A-3AF9-4c92-B771-50CB78F5C751} "Acronis True Image Shell Context Menu Extension" "Acronis" C:\Program Files\Acronis\TrueImageHome\tishell.dll File exists
|||||| {C539A15B-3AF9-4c92-B771-50CB78F5C751} "Acronis True Image Shell Extension" "Acronis" C:\Program Files\Acronis\TrueImageHome\tishell.dll File exists
{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" File not found | COM-object registry key not found
{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" File not found | COM-object registry key not found
{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" File not found | COM-object registry key not found
{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" File not found | COM-object registry key not found
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" File not found | COM-object registry key not found
{00020d75-0000-0000-c000-000000000046} "lnkfile" File not found | COM-object registry key not found
|||||| {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" "Microsoft Corporation" c:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll File exists
|||||| {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" "Microsoft Corporation" c:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll File exists
|||||| {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" "Nero AG" C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll File exists
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists
|||||| {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists
|||||| {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists
|||||| {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists
|||||| {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" "RealNetworks, Inc." C:\Program Files\Real\RealPlayer\rpshell.dll File exists
{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" File not found | COM-object registry key not found
{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" File not found | COM-object registry key not found
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" File not found | COM-object registry key not found
Internet Explorer
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
|||| "Foxit Toolbar" "Ask.com" C:\Program Files\AskBarDis\bar\bin\askBar.dll File exists
ITBar7Height "ITBar7Height" File not found | COM-object registry key not found
"ITBar7Layout" File not found | COM-object registry key not found
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
|||| {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "Java Plug-in 1.6.0_07"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\jp2iexp.dll File exists
|||| {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_17"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\jp2iexp.dll File exists
|||| {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\jp2iexp.dll File exists
|||| {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\npjpi160_17.dll File exists
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
|||| "Foxit Toolbar" "Ask.com" C:\Program Files\AskBarDis\bar\bin\askBar.dll File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
|||||| {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" "Adobe Systems Incorporated" C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File exists
|||| {201f27d4-3704-41d6-89c1-aa35e39143ed} "AskBar BHO" "Ask.com" C:\Program Files\AskBarDis\bar\bin\askBar.dll File exists
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} "AVG Safe Search" C:\Program Files\AVG\AVG8\avgssie.dll File not found
|||| {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" "Google Inc." C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll File exists
|||| {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\jp2ssv.dll File exists
Logon
%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup
|||||| "desktop.ini" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini File exists
|||| "Verbindungsmanager.lnk" C:\Program Files\HP Wireless Printer Adapter\ConnectMgr.exe Shortcut exists | File exists
%SystemDrive%\_OTL\MovedFiles\10232010_222110\C_Users\Public\Documents\Windows
|||||| "desktop.ini" C:\_OTL\MovedFiles\10232010_222110\C_Users\Public\Documents\Windows\desktop.ini File exists
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
"StartupPrograms" rdpclip File not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|||||| "Acronis Scheduler2 Service" "Acronis" "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" File exists
|||||| "AcronisTimounterMonitor" "Acronis" C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe File exists
|||| "Adobe Reader Speed Launcher" "Adobe Systems Incorporated" "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" File exists
|||| "CanonSolutionMenu" "CANON INC." C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon File exists
"FSCRecovery" "Fujitsu Siemens Computers GmbH" c:\Program Files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe File exists
|||||| " Malwarebytes Anti-Malware (reboot)" "Malwarebytes Corporation" "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript File exists
|||| "SunJavaUpdateSched" "Sun Microsystems, Inc." "C:\Program Files\Java\jre6\bin\jusched.exe" File exists
|||| "TkBellExe" "RealNetworks, Inc." "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot File exists
|||||| "TrueImageMonitor.exe" "Acronis" C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe File exists
Services
HKLM\SYSTEM\CurrentControlSet\Services
|||||| "Acronis Scheduler2 Service" (AcrSch2Svc) "Acronis" C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe File exists
|||||| "Fujitsu Siemens Computers Diagnostic Testhandler" (TestHandler) "Fujitsu Siemens Computers" C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe File exists
|||| "Google Software Updater" (gusvc) "Google" C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe File exists
|||| "Google Update Service (gupdate)" (gupdate) "Google Inc." C:\Program Files\Google\Update\GoogleUpdate.exe File exists
|||||| "Nero BackItUp Scheduler 3" (Nero BackItUp Scheduler 3) "Nero AG" C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe File exists
|||||| "NMIndexingService" (NMIndexingService) "Nero AG" C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe File exists
"Norman NJeeves" (Norman NJeeves) "C:\Program Files\Norman\Npm\bin\NJEEVES.EXE" File not found
|| "OSD Service" (OsdService) "TODO: <公司名稱>" C:\Program Files\OEM\OSD_1.12\OsdService.exe File exists
|||||| "PLFlash DeviceIoControl Service" (PLFlash DeviceIoControl Service) "Prolific Technology Inc." C:\Windows\system32\IoctlSvc.exe File exists

If You have questions or want to get some help, You can visit Online Solutions :: Index
MBRCheck log:
Quote:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: FUJITSU SIEMENS
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: FUJITSU SIEMENS
System Product Name: AMILO Pi 3540
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 139):
0x81E41000 \SystemRoot\system32\ntkrnlpa.exe
0x81E0E000 \SystemRoot\system32\hal.dll
0x80405000 \SystemRoot\system32\kdcom.dll
0x8040C000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8047C000 \SystemRoot\system32\PSHED.dll
0x8048D000 \SystemRoot\system32\BOOTVID.dll
0x80495000 \SystemRoot\system32\CLFS.SYS
0x804D6000 \SystemRoot\system32\CI.dll
0x80605000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80681000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8068E000 \SystemRoot\system32\drivers\acpi.sys
0x806D4000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806DD000 \SystemRoot\system32\drivers\msisadrv.sys
0x806E5000 \SystemRoot\system32\drivers\pci.sys
0x8070C000 \SystemRoot\System32\drivers\partmgr.sys
0x8071B000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8071E000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80728000 \SystemRoot\system32\drivers\volmgr.sys
0x80737000 \SystemRoot\System32\drivers\volmgrx.sys
0x80781000 \SystemRoot\System32\drivers\mountmgr.sys
0x80791000 \SystemRoot\system32\drivers\atapi.sys
0x80799000 \SystemRoot\system32\drivers\ataport.SYS
0x807B7000 \SystemRoot\system32\drivers\msahci.sys
0x807C1000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x805B6000 \SystemRoot\system32\drivers\fltmgr.sys
0x807CF000 \SystemRoot\system32\drivers\fileinfo.sys
0x89E09000 \SystemRoot\System32\Drivers\ksecdd.sys
0x89E7A000 \SystemRoot\system32\drivers\ndis.sys
0x89F85000 \SystemRoot\system32\drivers\msrpc.sys
0x89FB0000 \SystemRoot\system32\drivers\NETIO.SYS
0x8A003000 \SystemRoot\System32\drivers\tcpip.sys
0x8A0ED000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8A108000 \SystemRoot\system32\DRIVERS\timntr.sys
0x8A20A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8A31A000 \SystemRoot\system32\drivers\volsnap.sys
0x8A400000 \SystemRoot\system32\DRIVERS\tdrpm174.sys
0x8A4EC000 \SystemRoot\System32\Drivers\spldr.sys
0x8A4F4000 \SystemRoot\system32\DRIVERS\snman380.sys
0x8A514000 \SystemRoot\System32\Drivers\mup.sys
0x8A523000 \SystemRoot\System32\drivers\ecache.sys
0x8A54A000 \SystemRoot\system32\drivers\disk.sys
0x8A55B000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8A57C000 \SystemRoot\system32\drivers\crcdisk.sys
0x8A5A7000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A5B2000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8E205000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8E92B000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8E9CC000 \SystemRoot\System32\drivers\watchdog.sys
0x8E9D8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8A5BB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8E9E3000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8A353000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8EA01000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
0x8ED88000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8EDA5000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8EDB8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8EDC3000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8EDCE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8EDE6000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8EDEA000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8A18B000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8A1BA000 \SystemRoot\system32\DRIVERS\storport.sys
0x8E9F2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8A3E0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x89FEB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8EE05000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8EE28000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8EE37000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8EE4B000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8EE60000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8EE70000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8EE72000 \SystemRoot\system32\DRIVERS\ks.sys
0x8EE9C000 \SystemRoot\system32\DRIVERS\hpnuhst.sys
0x8EEA5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8EEAF000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8EEBC000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8EEF1000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8EF02000 \SystemRoot\system32\DRIVERS\hpnuhub.sys
0x8F207000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8F40D000 \SystemRoot\system32\drivers\portcls.sys
0x8F43A000 \SystemRoot\system32\drivers\drmk.sys
0x8F45F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8F468000 \SystemRoot\System32\Drivers\Null.SYS
0x8F46F000 \SystemRoot\System32\Drivers\Beep.SYS
0x8F47F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8F486000 \SystemRoot\System32\drivers\vga.sys
0x8F492000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8F4B3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8F4BB000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8F4C3000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8F4CE000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8F4DC000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8F4E5000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8F4FB000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8F52D000 \SystemRoot\system32\DRIVERS\smb.sys
0x8F541000 \SystemRoot\system32\drivers\afd.sys
0x8F589000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8F59F000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8F5AD000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8F5C0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8EF11000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8F200000 \??\c:\program files\norman\ngs\bin\ngs.sys
0x8EF1B000 \SystemRoot\System32\Drivers\dfsc.sys
0x8EF32000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8EF3F000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8EF4A000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x96E80000 \SystemRoot\System32\win32k.sys
0x8EF54000 \SystemRoot\System32\drivers\Dxapi.sys
0x8EF5E000 \SystemRoot\system32\DRIVERS\monitor.sys
0x970A0000 \SystemRoot\System32\TSDDD.dll
0x970C0000 \SystemRoot\System32\cdd.dll
0x8EF6D000 \SystemRoot\system32\drivers\luafv.sys
0x8EF88000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0x9B609000 \SystemRoot\system32\drivers\spsys.sys
0x9B6B9000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9B6C9000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9B6F3000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9B6FD000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9B710000 \SystemRoot\system32\drivers\HTTP.sys
0x9B77D000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9B79A000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9B7B3000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9B7C8000 \SystemRoot\system32\drivers\mrxdav.sys
0x8EF92000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8EFB1000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x8A585000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9CE0B000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9CE33000 \SystemRoot\System32\DRIVERS\srv.sys
0x9CE81000 \SystemRoot\system32\drivers\peauth.sys
0x9CF5F000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9CF69000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9CF75000 \??\C:\Windows\system32\directport.sys
0x9CF7D000 \??\C:\Windows\system32\kbfiltr.sys
0x9CF84000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x9CF9A000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
0x9CF9C000 \??\C:\Users\---user---\AppData\Local\Temp\catchme.sys
0x9CFA4000 \??\C:\Users\---user---\AppData\Local\Temp\mbr.sys
0x9CFAA000 \??\C:\Users\---user---\AppData\Local\Temp\awdiipod.sys
0x773E0000 \Windows\System32\ntdll.dll

Processes (total 55):
0 System Idle Process
4 System
608 C:\Windows\System32\smss.exe
676 csrss.exe
728 C:\Windows\System32\wininit.exe
740 csrss.exe
772 C:\Windows\System32\services.exe
784 C:\Windows\System32\lsass.exe
792 C:\Windows\System32\lsm.exe
948 C:\Windows\System32\svchost.exe
992 C:\Windows\System32\nvvsvc.exe
1020 C:\Windows\System32\svchost.exe
1072 C:\Windows\System32\svchost.exe
1104 C:\Windows\System32\svchost.exe
1140 C:\Windows\System32\svchost.exe
1172 C:\Windows\System32\svchost.exe
1240 C:\Windows\System32\audiodg.exe
1260 C:\Windows\System32\svchost.exe
1276 C:\Windows\System32\SLsvc.exe
1320 C:\Windows\System32\svchost.exe
1412 C:\Windows\System32\winlogon.exe
1484 C:\Windows\System32\svchost.exe
1880 C:\Windows\System32\spoolsv.exe
1916 C:\Windows\System32\svchost.exe
764 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
744 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
2068 C:\Program Files\OEM\OSD_1.12\OsdService.exe
2096 C:\Windows\System32\IoctlSvc.exe
2112 C:\Windows\System32\svchost.exe
2136 C:\Windows\System32\svchost.exe
2164 C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
2216 C:\Windows\System32\svchost.exe
2240 C:\Windows\System32\SearchIndexer.exe
2784 C:\Windows\System32\dwm.exe
2832 C:\Windows\System32\taskeng.exe
3080 C:\Windows\RtHDVCpl.exe
3220 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
3284 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
3304 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
3396 C:\Program Files\Java\jre6\bin\jusched.exe
3424 C:\Program Files\Windows Sidebar\sidebar.exe
3456 C:\Windows\ehome\ehtray.exe
3472 C:\Program Files\Windows Media Player\wmpnscfg.exe
3480 C:\Program Files\HP Wireless Printer Adapter\ConnectMgr.exe
3540 C:\Program Files\Windows Media Player\wmpnetwk.exe
3572 C:\Windows\ehome\ehmsas.exe
3868 C:\Windows\explorer.exe
2152 C:\Users\---user---\Desktop\mls0rlqb.exe
4092 C:\Program Files\Mozilla Firefox\firefox.exe
2608 C:\Windows\System32\taskeng.exe
3072 D:\---user3---\Downloads\osam\osam_autorun_manager_5_0_portable\osam.exe
3328 C:\Windows\System32\notepad.exe
2868 C:\Windows\System32\SearchProtocolHost.exe
3016 C:\Windows\System32\SearchFilterHost.exe
2672 C:\Users\---user---\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`32900000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000019`bcc00000 (NTFS)

PhysicalDrive0 Model Number: ST9250827AS, Rev: 3.AAA

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!

24.10.2010, 14:41   #10
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Looks ok. As a check, please run full scans with Malwarebytes and SUPERAntiSpyware and post the logs.
Remember to update both tools before the scan!!
__________________
"The truth is usually just an excuse for a lack of imagination." (Elim Garak)

25.10.2010, 06:42   #11
gerald61

Malwarebytes found nothing more:
Quote:
Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4934

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

24.10.2010 17:29:57
mbam-log-2010-10-24 (17-29-57).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 274093
Time elapsed: 1 hour(s), 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
SUPERAntiSpyware produced the following log:
Quote:
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 10/25/2010 at 01:29 AM

Application Version : 4.44.1000

Core Rules Database Version : 5743
Trace Rules Database Version: 3555

Scan type : Complete Scan
Total Scan Time : 01:14:53

Memory items scanned : 590
Memory threats detected : 0
Registry items scanned : 8520
Registry threats detected : 0
File items scanned : 116168
File threats detected : 8

Adware.Tracking Cookie
C:\Users\---user---\AppData\Roaming\Microsoft\Windows\Cookies\benjamin@doubleclick[1].txt
hottraffic.nl [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]
interclick.com [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]
media.jaludo.com [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]
media.rofl.to [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]
memecounter.com [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]

Trojan.Agent/Gen
C:\USERS\---user---\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\24YVNSRX.DEFAULT\CACHE\5C77C72FD01
C:\USERS\---user---\DESKTOP\MLS0RLQB.EXE

25.10.2010, 06:48   #12
gerald61

Malwarebytes found nothing:

Quote:
Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4934

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

24.10.2010 17:29:57
mbam-log-2010-10-24 (17-29-57).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 274093
Time elapsed: 1 hour(s), 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
SUPERAntiSpyware gave the following log after the files listed there were removed (the file on the desktop is GMER; it is the only one I did not have removed):

Quote:
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 10/25/2010 at 01:29 AM

Application Version : 4.44.1000

Core Rules Database Version : 5743
Trace Rules Database Version: 3555

Scan type : Complete Scan
Total Scan Time : 01:14:53

Memory items scanned : 590
Memory threats detected : 0
Registry items scanned : 8520
Registry threats detected : 0
File items scanned : 116168
File threats detected : 8

Adware.Tracking Cookie
C:\Users\---user---\AppData\Roaming\Microsoft\Windows\Cookies\benjamin@doubleclick[1].txt
hottraffic.nl [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]
interclick.com [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]
media.jaludo.com [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]
media.rofl.to [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]
memecounter.com [ C:\Users\---user2---.V2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PYGTFVLA ]

Trojan.Agent/Gen
C:\USERS\---user---\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\24YVNSRX.DEFAULT\CACHE\5C77C72FD01
C:\USERS\---user---\DESKTOP\MLS0RLQB.EXE
Best regards,

Gerald.

25.10.2010, 10:59   #14
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Looks ok, only remnants and cookies were found.
Any more problems or further findings in the meantime?

25.10.2010, 12:24   #15
gerald61

Nothing unusual any more at the moment.

Many thanks for the really great support!

Best regards,

Gerald.
