TR/Pincav.afyp Trojan

kiki82 · 14.12.2010, 15:43

Hi Arne,

hier kommt das Log von Combofix (das ich leider nur im reduzierten Modus ausführen konnte).

Log Combofix:

Combofix Logfile:

Code:

ATTFilter

ComboFix 10-12-07.06 - Kirsten 14.12.2010  14:58:18.3.2 - x86
ausgeführt von:: c:\dokumente und einstellungen\Kirsten\Desktop\cofi.exe
.
- REDUZIERTER FUNKTIONALITÄTSMODUS -
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Vorheriger Suchlauf -------
.
c:\windows\service4g.exe
c:\windows\starter4g.exe
c:\windows\updater4g.exe

.
(((((((((((((((((((((((((((((((((((((((   Treiber/Dienste   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XS_Stick_Service
-------\Service_XS Stick Service


(((((((((((((((((((((((   Dateien erstellt von 2010-11-14 bis 2010-12-14  ))))))))))))))))))))))))))))))
.

2010-12-07 23:38 . 2010-11-29 16:42	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-07 23:37 . 2010-11-29 16:42	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-11-22 22:04 . 2010-12-08 13:23	--------	d-----w-	c:\windows\system32\NtmsData
2010-11-22 16:31 . 2010-11-22 16:31	--------	d-----w-	c:\dokumente und einstellungen\Kirsten\Lokale Einstellungen\Anwendungsdaten\ArcSoft
2010-11-22 16:31 . 2010-11-22 16:31	--------	d-----w-	c:\dokumente und einstellungen\Kirsten\Anwendungsdaten\ArcSoft
2010-11-22 16:31 . 2010-11-22 16:32	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\ArcSoft
2010-11-22 16:30 . 2010-11-22 16:30	--------	d-----w-	c:\programme\Gemeinsame Dateien\ArcSoft
2010-11-22 16:30 . 2010-11-22 16:30	--------	d-----w-	c:\programme\ArcSoft
2010-11-22 16:30 . 2005-04-27 15:36	245408	----a-w-	c:\windows\system32\unicows.dll
2010-11-22 16:30 . 2004-05-04 10:53	1645320	----a-w-	c:\windows\system32\gdiplus.dll
2010-11-22 16:30 . 2003-03-18 21:14	499712	----a-r-	c:\windows\system32\msvcp71.dll
2010-11-22 16:30 . 2003-02-21 03:42	348160	----a-w-	c:\windows\system32\msvcr71.dll
2010-11-22 16:30 . 2001-09-05 03:18	77824	----a-w-	c:\programme\Gemeinsame Dateien\InstallShield\Engine\6\Intel 32\ctor.dll
2010-11-22 16:30 . 2001-09-05 03:18	225280	----a-w-	c:\programme\Gemeinsame Dateien\InstallShield\IScript\iscript.dll
2010-11-22 16:30 . 2001-09-05 03:14	176128	----a-w-	c:\programme\Gemeinsame Dateien\InstallShield\Engine\6\Intel 32\iuser.dll
2010-11-22 16:30 . 2001-09-05 03:13	32768	----a-w-	c:\programme\Gemeinsame Dateien\InstallShield\Engine\6\Intel 32\objectps.dll
2010-11-22 16:30 . 2002-07-25 15:07	614532	----a-w-	c:\programme\Gemeinsame Dateien\InstallShield\Engine\6\Intel 32\IKernel.exe
2010-11-22 16:29 . 2010-11-22 16:29	--------	d-----w-	c:\programme\Philips
2010-11-22 16:28 . 2010-11-22 16:32	--------	d-----w-	C:\temp
2010-11-22 11:43 . 2010-11-22 11:43	--------	d-----w-	c:\dokumente und einstellungen\LocalService\Startmenü
2010-11-22 11:39 . 2010-11-22 11:39	--------	d-----w-	c:\dokumente und einstellungen\Kirsten\Anwendungsdaten\Avira
2010-11-22 11:33 . 2010-08-02 15:09	126856	----a-w-	c:\windows\system32\drivers\avipbb.sys
2010-11-22 11:33 . 2010-06-17 14:27	45416	----a-w-	c:\windows\system32\drivers\avgntdd.sys
2010-11-22 11:33 . 2010-06-17 14:27	22360	----a-w-	c:\windows\system32\drivers\avgntmgr.sys
2010-11-22 11:33 . 2010-11-22 11:33	--------	d-----w-	c:\programme\Avira
2010-11-22 11:33 . 2010-11-22 11:33	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-22 11:43 . 2010-02-27 20:46	61960	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2010-11-03 17:12 . 2010-11-03 17:12	103424	----a-w-	c:\windows\system32\drivers\cmnsusbser.sys
2010-11-03 17:12 . 2010-11-03 17:12	52128	----a-w-	c:\windows\system32\drivers\smsbda.sys
2010-11-03 17:12 . 2010-11-03 17:12	118272	----a-w-	c:\windows\system32\drivers\cm_seramd.sys
2010-11-03 17:12 . 2010-11-03 17:12	103680	----a-w-	c:\windows\system32\drivers\cm_ser32.sys
2010-11-03 17:11 . 2010-11-03 17:12	133120	----a-w-	c:\windows\system32\drivers\cm_netamd.sys
2010-11-03 17:11 . 2010-11-03 17:12	112640	----a-w-	c:\windows\system32\drivers\cm_net32.sys
2010-09-18 10:22 . 2010-09-18 10:22	974848	----a-w-	c:\windows\system32\mfc42u.dll
2010-09-18 06:52 . 2010-10-20 14:36	954368	----a-w-	c:\windows\system32\mfc40.dll
2010-09-18 06:52 . 2010-10-20 14:36	953856	----a-w-	c:\windows\system32\mfc40u.dll
2010-09-18 06:52 . 2010-10-20 14:36	974848	----a-w-	c:\windows\system32\mfc42.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys

[7] 2008-04-15 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\asyncmac.sys
[7] 2008-04-15 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys

[7] 2008-04-15 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\ERDNT\cache\beep.sys
[7] 2008-04-15 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[7] 2008-04-14 . 1704D8C4C8807B889E43C649B478A452 . 25216 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\kbdclass.sys
[7] 2008-04-14 . 1704D8C4C8807B889E43C649B478A452 . 25216 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys

[7] 2008-04-15 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ndis.sys
[7] 2008-04-15 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys

[7] 2008-04-15 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ntfs.sys
[7] 2008-04-15 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys

[7] 2008-04-15 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\ERDNT\cache\null.sys
[7] 2008-04-15 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-15 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[7] 2008-04-15 . B42057F06BBB98B31876C0B3F2B54E33 . 77824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\browser.dll
[7] 2008-04-15 . B42057F06BBB98B31876C0B3F2B54E33 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll

[7] 2008-04-15 . AFB8261B56CBA0D86AEB6DF682AF9785 . 13312 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\lsass.exe
[7] 2008-04-15 . AFB8261B56CBA0D86AEB6DF682AF9785 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

[7] 2008-04-15 . E6D88F1F6745BF00B57E7855A2AB696C . 198144 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\netman.dll
[7] 2008-04-15 . E6D88F1F6745BF00B57E7855A2AB696C . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll

[7] 2008-04-15 . D6F603772A789BB3228F310D650B8BD1 . 409088 . . [6.7.2600.5512] . . c:\windows\ERDNT\cache\qmgr.dll
[7] 2008-04-15 . D6F603772A789BB3228F310D650B8BD1 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[7] 2009-02-09 . D3D765E8455A961AE567B408F767D4F9 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[7] 2009-02-09 . 3127AFBF2C1ED0AB14A1BBB7AAECB85B . 401408 . . [5.1.2600.5755] . . c:\windows\ERDNT\cache\rpcss.dll
[7] 2009-02-09 . 3127AFBF2C1ED0AB14A1BBB7AAECB85B . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[7] 2009-02-09 . 3127AFBF2C1ED0AB14A1BBB7AAECB85B . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[7] 2008-04-15 . E970C2296916BF4A2F958680016FE312 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll

[7] 2009-02-09 . A3EDBE9053889FB24AB22492472B39DC . 111104 . . [5.1.2600.5755] . . c:\windows\ERDNT\cache\services.exe
[7] 2009-02-09 . A3EDBE9053889FB24AB22492472B39DC . 111104 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[7] 2009-02-09 . A3EDBE9053889FB24AB22492472B39DC . 111104 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
[7] 2009-02-09 . F0A7D59AF279326528715B206669B86C . 111104 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-15 . 4BB6A83640F1D1792AD21CE767B621C6 . 109056 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe

[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\ERDNT\cache\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-15 . 39356A9CDB6753A6D13A4072A9F5A4BB . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe

[7] 2008-04-15 . F09A527B422E25C478E38CAA0E44417A . 513024 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[7] 2008-04-15 . F09A527B422E25C478E38CAA0E44417A . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[7] 2010-08-23 . 1438703F3D9FFE111DA3869E4F3EEE73 . 617472 . . [5.82] . . c:\windows\ERDNT\cache\comctl32.dll
[7] 2010-08-23 . 1438703F3D9FFE111DA3869E4F3EEE73 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2010-08-23 . 2B6ADE29F8D00EEFA5FA2250CBE094AD . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
[7] 2008-04-15 . AD28671D1B83A386B070DC451A113C13 . 617472 . . [5.82] . . c:\windows\$NtUninstallKB2296011$\comctl32.dll
[7] 2008-04-15 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2008-04-15 . 3C93CE6C6985C55952B7BE6673E9FD15 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[7] 2008-04-15 . 611F824E5C703A5A899F84C5F1699E4D . 62464 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\cryptsvc.dll
[7] 2008-04-15 . 611F824E5C703A5A899F84C5F1699E4D . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll

[7] 2008-07-07 20:26 . AF4F6B5739D18CA7972AB53E091CBC74 . 253952 . . [2001.12.4414.706] . . c:\windows\ERDNT\cache\es.dll
[7] 2008-07-07 20:26 . AF4F6B5739D18CA7972AB53E091CBC74 . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[7] 2008-07-07 20:26 . AF4F6B5739D18CA7972AB53E091CBC74 . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[7] 2008-07-07 20:23 . ADA7241C16F3F42C7F210539FAD5F3AA . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[7] 2008-04-15 12:00 . 0F3EDAEE1EF97CF3DB2BE23A7289B78C . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll

[7] 2008-04-15 . F9954695D246B33A5BF105029A4C6AB6 . 110080 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\imm32.dll
[7] 2008-04-15 . F9954695D246B33A5BF105029A4C6AB6 . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll

[7] 2009-03-21 . B055C64AABC1A3E3DE57EC8025CAD283 . 1063424 . . [5.1.2600.5781] . . c:\windows\ERDNT\cache\kernel32.dll
[7] 2009-03-21 . B055C64AABC1A3E3DE57EC8025CAD283 . 1063424 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[7] 2009-03-21 . B055C64AABC1A3E3DE57EC8025CAD283 . 1063424 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
[7] 2009-03-21 . 3EB703BFC2ED26A3D8ACB8626AB2C006 . 1065472 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2008-04-15 . 4C897C69754D88F496339B1A666907C1 . 1063424 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll

[7] 2008-04-15 . 5543A9D4A1D0F9F84092482A9373A024 . 19968 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\linkinfo.dll
[7] 2008-04-15 . 5543A9D4A1D0F9F84092482A9373A024 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll

[7] 2008-04-15 . F38F3C47BBFFD748C1359AB171C3A630 . 22016 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\lpk.dll
[7] 2008-04-15 . F38F3C47BBFFD748C1359AB171C3A630 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll

[7] 2010-09-10 . 2EE27CDF8C897B5ABE5D86D1C03F1066 . 5957120 . . [8.00.6001.18975] . . c:\windows\ERDNT\cache\mshtml.dll
[7] 2010-09-10 . 2EE27CDF8C897B5ABE5D86D1C03F1066 . 5957120 . . [8.00.6001.18975] . . c:\windows\system32\mshtml.dll
[7] 2010-09-10 . 2EE27CDF8C897B5ABE5D86D1C03F1066 . 5957120 . . [8.00.6001.18975] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2010-09-10 . FC277C347BBAAE912A5B0748B3504483 . 5958656 . . [8.00.6001.23067] . . c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\mshtml.dll
[7] 2010-06-24 . 7CF74ED1A2C05369C67531E7855742CF . 5954560 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\mshtml.dll
[7] 2010-06-24 . AC2E0BBFA7C01FD7CBF858C764B745DE . 5951488 . . [8.00.6001.18939] . . c:\windows\ie8updates\KB2360131-IE8\mshtml.dll
[7] 2010-05-06 . 91A9BB7F22F7D21E9C07E995C4E31F74 . 5950976 . . [8.00.6001.18928] . . c:\windows\ie8updates\KB2183461-IE8\mshtml.dll
[7] 2010-05-06 . A0091E83B21A4C2627D1DD1A64C1B4B9 . 5953024 . . [8.00.6001.23019] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\mshtml.dll
[7] 2010-02-25 . 2127D9862937DBD40882B9417DEB1837 . 5944832 . . [8.00.6001.18904] . . c:\windows\ie8updates\KB982381-IE8\mshtml.dll
[7] 2010-02-25 . 0A164AB476D7835335220D7A2AE5578B . 5946880 . . [8.00.6001.22995] . . c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\mshtml.dll
[7] 2009-12-21 . A947E6258FB5FBD0E5F58DA9541D7BE3 . 5942784 . . [8.00.6001.18876] . . c:\windows\ie8updates\KB980182-IE8\mshtml.dll
[7] 2009-12-21 . DDAAECF8E188A0E2DB93842A7D193641 . 5945856 . . [8.00.6001.22967] . . c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\mshtml.dll
[7] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB978207-IE8\mshtml.dll
[7] 2008-04-15 . 72AE55A9FFBC60650339CB12E35C7DD5 . 3066880 . . [6.00.2900.5512] . . c:\windows\ie8\mshtml.dll

[7] 2008-04-15 . C6A6E53A0C34EC87883137A6CB87AE5E . 343040 . . [7.0.2600.5512] . . c:\windows\ERDNT\cache\msvcrt.dll
[7] 2008-04-15 . C6A6E53A0C34EC87883137A6CB87AE5E . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
[7] 2008-04-15 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[7] 2008-04-15 . C536AAD8A71608FE33CD956214EDD366 . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll

[-] 2008-06-20 . ACD8BD448A74F344D46FCAF21BAB92AF . 247296 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\mswsock.dll
[-] 2008-06-20 . ACD8BD448A74F344D46FCAF21BAB92AF . 247296 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . ACD8BD448A74F344D46FCAF21BAB92AF . 247296 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
[-] 2008-06-20 . 4AA50627B01C0E9C6B4C6BD3AF648F12 . 247296 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-04-15 . F12B9D9A069331877D006CC81B4735F9 . 247296 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll

[7] 2008-04-15 . 0098D35F91DEAB9C127360A877F2CF84 . 407040 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\netlogon.dll
[7] 2008-04-15 . 0098D35F91DEAB9C127360A877F2CF84 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll

[7] 2008-04-15 . C8C0BDABC966B6C24D337DF0A0A399E1 . 17408 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\powrprof.dll
[7] 2008-04-15 . C8C0BDABC966B6C24D337DF0A0A399E1 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll

[7] 2008-04-15 . 5132443DF6FC3771A17AB4AE55DCBC28 . 187904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\scecli.dll
[7] 2008-04-15 . 5132443DF6FC3771A17AB4AE55DCBC28 . 187904 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll

[7] 2008-04-15 . 44161A59DC33AC2EA9C95438ADFFFB7F . 5120 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\sfc.dll
[7] 2008-04-15 . 44161A59DC33AC2EA9C95438ADFFFB7F . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll

[7] 2008-04-15 . 4FBC75B74479C7A6F829E0CA19DF3366 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[7] 2008-04-15 . 4FBC75B74479C7A6F829E0CA19DF3366 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[7] 2008-04-15 . 05903CAC4B98908D55EA5774775B382E . 249856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\tapisrv.dll
[7] 2008-04-15 . 05903CAC4B98908D55EA5774775B382E . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll

[7] 2008-04-15 . B0050CC5340E3A0760DD8B417FF7AEBD . 580096 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\user32.dll
[7] 2008-04-15 . B0050CC5340E3A0760DD8B417FF7AEBD . 580096 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[7] 2008-04-15 . 788F95312E26389D596C0FA55834E106 . 26624 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\userinit.exe
[7] 2008-04-15 . 788F95312E26389D596C0FA55834E106 . 26624 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[7] 2010-09-10 . 41E62E6AA4D4C03322467FB0D2D29967 . 916480 . . [8.00.6001.18968] . . c:\windows\ERDNT\cache\wininet.dll
[7] 2010-09-10 . 41E62E6AA4D4C03322467FB0D2D29967 . 916480 . . [8.00.6001.18968] . . c:\windows\system32\wininet.dll
[7] 2010-09-10 . 41E62E6AA4D4C03322467FB0D2D29967 . 916480 . . [8.00.6001.18968] . . c:\windows\system32\dllcache\wininet.dll
[7] 2010-09-10 . 7B7028B726053782DD9B98B729515567 . 919552 . . [8.00.6001.23060] . . c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\wininet.dll
[7] 2010-06-24 . 1ACB8E6FAD2A8690CBB41D3229A2B27D . 919040 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\wininet.dll
[7] 2010-06-24 . 5AC0C1733D8C3DE781002F45A678E0FC . 916480 . . [8.00.6001.18939] . . c:\windows\ie8updates\KB2360131-IE8\wininet.dll
[7] 2010-05-06 . 12C5EEBBC10DB644B44131EE3ECBC430 . 916480 . . [8.00.6001.18923] . . c:\windows\ie8updates\KB2183461-IE8\wininet.dll
[7] 2010-05-06 . B5B9887088B8168D52CB28020CF05498 . 919040 . . [8.00.6001.23014] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\wininet.dll
[7] 2010-02-25 . 7857131DA01250E02BEE64F1163F6159 . 916480 . . [8.00.6001.18904] . . c:\windows\ie8updates\KB982381-IE8\wininet.dll
[7] 2010-02-25 . 3C41EB3A0EC8E2606B6C906993E11C29 . 919040 . . [8.00.6001.22995] . . c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\wininet.dll
[7] 2009-12-21 . F2A70583964128530B7E86B1A13023A7 . 916480 . . [8.00.6001.18876] . . c:\windows\ie8updates\KB980182-IE8\wininet.dll
[7] 2009-12-21 . 5E3A3EB3BC5849BE4D5FE2B5F1869783 . 916480 . . [8.00.6001.22967] . . c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\wininet.dll
[7] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB978207-IE8\wininet.dll
[7] 2008-04-15 . B4AEE98A48917B274FACFB78BBE0BC84 . 671744 . . [6.00.2900.5512] . . c:\windows\ie8\wininet.dll

[7] 2008-04-15 . 6A35E2D6F5F052C84EC2CEB296389439 . 82432 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ws2_32.dll
[7] 2008-04-15 . 6A35E2D6F5F052C84EC2CEB296389439 . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

[7] 2008-04-15 . C7D8A0517CBF16B84F657DE87EBE9D4B . 19968 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ws2help.dll
[7] 2008-04-15 . C7D8A0517CBF16B84F657DE87EBE9D4B . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll

[7] 2008-04-15 . 418045A93CD87A352098AB7DABE1B53E . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-15 . 418045A93CD87A352098AB7DABE1B53E . 1036800 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe

[7] 2010-07-16 . B28AF7976F2D8109C0DC2CF2460BEDC2 . 1288192 . . [5.1.2600.6010] . . c:\windows\ERDNT\cache\ole32.dll
[7] 2010-07-16 . B28AF7976F2D8109C0DC2CF2460BEDC2 . 1288192 . . [5.1.2600.6010] . . c:\windows\system32\ole32.dll
[7] 2010-07-16 . B28AF7976F2D8109C0DC2CF2460BEDC2 . 1288192 . . [5.1.2600.6010] . . c:\windows\system32\dllcache\ole32.dll
[7] 2010-07-16 . B3D7633CF83B09042A49810A7A72ADED . 1289216 . . [5.1.2600.6010] . . c:\windows\$hf_mig$\KB979687\SP3QFE\ole32.dll
[7] 2008-04-15 . E08D638BA3D3DD6DF6E31216AB66AE0B . 1287680 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB979687$\ole32.dll

[7] 2010-04-16 . 45954AFB7AE6E29B23C56B830C820A11 . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\usp10.dll
[7] 2010-04-16 . 45954AFB7AE6E29B23C56B830C820A11 . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\dllcache\usp10.dll
[7] 2010-04-16 . EB2AD9C7DADE6C63F5F933881BA2A430 . 406016 . . [1.0420.2600.5969] . . c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll
[7] 2008-04-15 . 052F968390A85D37D5EE8BE3AB2A83A2 . 406016 . . [1.0420.2600.5512] . . c:\windows\$NtUninstallKB981322$\usp10.dll

[7] 2008-04-15 . FE77A85495065F3AD59C5C65B6C54182 . 171520 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\srsvc.dll
[7] 2008-04-15 . FE77A85495065F3AD59C5C65B6C54182 . 171520 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

[7] 2008-04-15 . EDAFBE25FB6480CE68F688BA691890DC . 13824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\wscntfy.exe
[7] 2008-04-15 . EDAFBE25FB6480CE68F688BA691890DC . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[7] 2008-04-15 . 0ADA34871A2E1CD2CAAFED1237A47750 . 129024 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\xmlprov.dll
[7] 2008-04-15 . 0ADA34871A2E1CD2CAAFED1237A47750 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

[7] 2008-04-15 . 04955AA695448C181B367D964AF158AA . 56320 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\eventlog.dll
[7] 2008-04-15 . 04955AA695448C181B367D964AF158AA . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll

[-] 2008-04-15 . 5251425B86EA4A3532B8BB8D14044E61 . 1571840 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\sfcfiles.dll
[-] 2008-04-15 . 5251425B86EA4A3532B8BB8D14044E61 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[7] 2008-04-15 . 01B4E6E990B6C5EA8856D96C7FD044B2 . 15360 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ctfmon.exe
[7] 2008-04-15 . 01B4E6E990B6C5EA8856D96C7FD044B2 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

[7] 2008-04-15 . 40602EBFBE06AA075C8E4560743F6883 . 135168 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\shsvcs.dll
[7] 2008-04-15 . 40602EBFBE06AA075C8E4560743F6883 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\shsvcs.dll

[7] 2008-04-15 . E4CD1F3D84E1C2CA0B8CF7501E201593 . 59904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\regsvc.dll
[7] 2008-04-15 . E4CD1F3D84E1C2CA0B8CF7501E201593 . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll

[7] 2008-04-15 . A050194A44D7FA8D7186ED2F4E8367AE . 193536 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\schedsvc.dll
[7] 2008-04-15 . A050194A44D7FA8D7186ED2F4E8367AE . 193536 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

[7] 2008-04-15 . 4DF5B05DFAEC29E13E1ED6F6EE12C500 . 71680 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ssdpsrv.dll
[7] 2008-04-15 . 4DF5B05DFAEC29E13E1ED6F6EE12C500 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll

[7] 2008-04-15 . B7DE02C863D8F5A005A7BF375375A6A4 . 297472 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\termsrv.dll
[7] 2008-04-15 . B7DE02C863D8F5A005A7BF375375A6A4 . 297472 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll

[7] 2008-04-15 . 9E1CA3160DAFB159CA14F83B1E317F75 . 12160 . . [5.1.2600.0] . . c:\windows\ERDNT\cache\acpiec.sys
[7] 2008-04-15 . 9E1CA3160DAFB159CA14F83B1E317F75 . 12160 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[7] 2008-04-13 20:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ERDNT\cache\aec.sys
[7] 2008-04-13 20:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys

[7] 2008-04-14 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\AGP440.SYS
[7] 2008-04-14 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\AGP440.SYS

[7] 2008-04-15 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ip6fw.sys
[7] 2008-04-15 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys

[7] 2010-09-18 07:18 . 4891FCDAE77486BFB56999AA217651FA . 953856 . . [4.1.6151] . . c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc40u.dll
[7] 2010-09-18 06:52 . 1614669828A32BCD06E1BE6F334BB888 . 953856 . . [4.1.6151] . . c:\windows\ERDNT\cache\mfc40u.dll
[7] 2010-09-18 06:52 . 1614669828A32BCD06E1BE6F334BB888 . 953856 . . [4.1.6151] . . c:\windows\system32\mfc40u.dll
[7] 2008-04-15 12:00 . ACC19BA6876AF18768EE87931CAD14E2 . 927504 . . [4.1.0.61] . . c:\windows\$NtUninstallKB2387149$\mfc40u.dll

[7] 2008-04-15 . B7550A7107281D170CE85524B1488C98 . 33792 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\msgsvc.dll
[7] 2008-04-15 . B7550A7107281D170CE85524B1488C98 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll

[7] 2006-10-18 19:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\ERDNT\cache\mspmsnsv.dll
[7] 2006-10-18 19:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[7] 2010-04-28 . 4EACA49489EB3C4A2E83C5546EB5884C . 2069248 . . [5.1.2600.5973] . . c:\windows\$hf_mig$\KB981852\SP3QFE\ntkrnlpa.exe
[7] 2010-04-28 . 989290FBD9A7E90CD8B8E9C96817804D . 2069120 . . [5.1.2600.5973] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2010-04-28 . 989290FBD9A7E90CD8B8E9C96817804D . 2069120 . . [5.1.2600.5973] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2010-04-28 . 6D8D53C3EE866AB72AC73A68808E7371 . 2027008 . . [5.1.2600.5973] . . c:\windows\ERDNT\cache\ntkrnlpa.exe
[7] 2010-04-28 . 6D8D53C3EE866AB72AC73A68808E7371 . 2027008 . . [5.1.2600.5973] . . c:\windows\system32\ntkrnlpa.exe
[7] 2010-02-16 . 1DFCBCFD1C9016C051BE6D7243459CCA . 2027008 . . [5.1.2600.5938] . . c:\windows\$NtUninstallKB981852$\ntkrnlpa.exe
[7] 2010-02-16 . CEE28C8C47E52F185F9F8F3A2E31880C . 2069248 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe
[7] 2009-12-10 . 2E72317A93EF61138E43DCF7CD423EDF . 2068480 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165-v2\SP3QFE\ntkrnlpa.exe
[7] 2009-12-09 . 1143EBE276EA80A88942A21613078088 . 2026496 . . [5.1.2600.5913] . . c:\windows\$NtUninstallKB979683$\ntkrnlpa.exe
[7] 2009-08-04 . C50ED62BB5CDC5AD4F3985ED39C6AE87 . 2068480 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[7] 2009-08-04 . 1FF1F43613BA7510A5A975ED034EB8E0 . 2026496 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB977165-v2$\ntkrnlpa.exe
[7] 2009-02-09 . 1F9DA92672B8B5720C5FB1E87D8F249F . 2068480 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-04-15 . FEFB3BDA35CF469809B0C89AB6833AFC . 2026496 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe

[7] 2008-04-15 12:00 . 56AF4064996FA5BAC9C449B1514B4770 . 438272 . . [5.1.2400.5512] . . c:\windows\ERDNT\cache\ntmssvc.dll
[7] 2008-04-15 12:00 . 56AF4064996FA5BAC9C449B1514B4770 . 438272 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll

[7] 2008-04-15 . 1DFD8975D8C89214B98D9387C1125B49 . 186880 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\upnphost.dll
[7] 2008-04-15 . 1DFD8975D8C89214B98D9387C1125B49 . 186880 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll

[7] 2008-04-15 . 9236E736EDB57BE7D1EF6274410E3BAC . 367616 . . [5.3.2600.5512] . . c:\windows\ERDNT\cache\dsound.dll
[7] 2008-04-15 . 9236E736EDB57BE7D1EF6274410E3BAC . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll

[-] 2008-04-15 . 36969CF86E51EC8ED202B40F2FA80AA6 . 1689088 . . [5.03.2600.5512] . . c:\windows\ERDNT\cache\d3d9.dll
[-] 2008-04-15 . 36969CF86E51EC8ED202B40F2FA80AA6 . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\d3d9.dll

[7] 2008-04-15 . 4A37188B83B00DD9CFBA049687AD0DAF . 279552 . . [5.03.2600.5512] . . c:\windows\ERDNT\cache\ddraw.dll
[7] 2008-04-15 . 4A37188B83B00DD9CFBA049687AD0DAF . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll

[7] 2008-04-15 12:00 . 5D7F5A46975D2E59A6FECB6C231D200F . 84992 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\olepro32.dll
[7] 2008-04-15 12:00 . 5D7F5A46975D2E59A6FECB6C231D200F . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll

[7] 2008-04-15 . C47FD93010649AC0D79022D9B69ADBE4 . 41984 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\perfctrs.dll
[7] 2008-04-15 . C47FD93010649AC0D79022D9B69ADBE4 . 41984 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll

[7] 2008-04-15 . F86000634319F71535BCE6B06995EE99 . 18944 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\version.dll
[7] 2008-04-15 . F86000634319F71535BCE6B06995EE99 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll

[7] 2010-04-28 . FE9DA2C577DF69771B31183EF5684BE8 . 2192256 . . [5.1.2600.5973] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2010-04-28 . FE9DA2C577DF69771B31183EF5684BE8 . 2192256 . . [5.1.2600.5973] . . c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2010-04-28 . 490911C4B913989D4958543FED2C8F21 . 2148864 . . [5.1.2600.5973] . . c:\windows\ERDNT\cache\ntoskrnl.exe
[7] 2010-04-28 . 490911C4B913989D4958543FED2C8F21 . 2148864 . . [5.1.2600.5973] . . c:\windows\system32\ntoskrnl.exe
[7] 2010-04-28 . 6AF2E8CEB03F7CB3B8183359563DBB87 . 2192384 . . [5.1.2600.5973] . . c:\windows\$hf_mig$\KB981852\SP3QFE\ntoskrnl.exe
[7] 2010-02-16 . E1BD0FAFF2C1D0A825CBA97DCF0DDDAE . 2148864 . . [5.1.2600.5938] . . c:\windows\$NtUninstallKB981852$\ntoskrnl.exe
[7] 2010-02-16 . 4456016C2FF1A8CCCAC8309C9B76E2F5 . 2192384 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe
[7] 2009-12-10 . A97847B2D30F4A299B35239D26BAD948 . 2191616 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165-v2\SP3QFE\ntoskrnl.exe
[7] 2009-12-09 . D4128AA197DD8F3120FC80008AB66CF7 . 2147840 . . [5.1.2600.5913] . . c:\windows\$NtUninstallKB979683$\ntoskrnl.exe
[7] 2009-08-04 . 96D6882D49438D58B0DE0F7E8C8D241B . 2147840 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB977165-v2$\ntoskrnl.exe
[7] 2009-08-04 . 4B86421F2D85D9A4ECB06885C40B8EEB . 2191616 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe
[7] 2009-02-10 . D3453310FC92736E674FFDC6E3F455B7 . 2191488 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-04-15 . 88077F757C6C793C33408D878B6E0F76 . 2147840 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe

[7] 2008-04-15 . FE77A85495065F3AD59C5C65B6C54182 . 171520 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\srsvc.dll
[7] 2008-04-15 . FE77A85495065F3AD59C5C65B6C54182 . 171520 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

[7] 2008-04-15 . 7B353059E665F8B7AD2BBEAEF597CF45 . 177152 . . [5.1.2600.5512] . . c:\windows\system32\w32time.dll

[7] 2008-04-15 . BC2C5985611C5356B24AEB370953DED9 . 334336 . . [5.1.2600.5512] . . c:\windows\system32\wiaservc.dll
.
(((((((((((((((((((((((((((((   SnapShot@2010-11-08_16.48.53   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:02 . 2009-07-11 23:02	51008              c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	59728              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	42832              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	43344              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	61264              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	62800              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	61760              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	61776              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	53568              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	63296              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	36688              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	35648              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05	59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05	59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-12-14 13:48 . 2010-12-14 13:48	16384              c:\windows\temp\Perflib_Perfdata_32c.dat
+ 2009-04-10 22:57 . 2010-11-20 16:21	67646              c:\windows\system32\perfc009.dat
- 2009-04-10 22:57 . 2010-11-06 16:39	67646              c:\windows\system32\perfc009.dat
- 2009-04-10 22:57 . 2010-11-06 16:39	80488              c:\windows\system32\perfc007.dat
+ 2009-04-10 22:57 . 2010-11-20 16:21	80488              c:\windows\system32\perfc007.dat
- 2010-02-27 20:46 . 2009-05-11 08:12	28520              c:\windows\system32\drivers\ssmdrv.sys
+ 2010-11-22 11:33 . 2010-06-17 14:27	28520              c:\windows\system32\drivers\ssmdrv.sys
+ 2010-11-08 22:17 . 2010-11-08 22:17	21504              c:\windows\Installer\28aeb73.msi
+ 2009-07-11 23:02 . 2009-07-11 23:02	653120              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	569664              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05	225280              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	159032              c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2009-04-10 22:57 . 2010-11-20 16:21	432690              c:\windows\system32\perfh009.dat
- 2009-04-10 22:57 . 2010-11-06 16:39	432690              c:\windows\system32\perfh009.dat
+ 2009-04-10 22:57 . 2010-11-20 16:21	448970              c:\windows\system32\perfh007.dat
- 2009-04-10 22:57 . 2010-11-06 16:39	448970              c:\windows\system32\perfh007.dat
+ 2010-11-22 11:32 . 2010-11-22 11:32	219648              c:\windows\Installer\e1212.msi
+ 2009-07-11 23:02 . 2009-07-11 23:02	3780424              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02	3765048              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2010-02-22 26101032]
"ISUSPM"="c:\dokumente und einstellungen\All Users\Anwendungsdaten\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"SUPERAntiSpyware"="c:\programme\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"HP BTW Detect Program"="c:\programme\HP\HPBTWD.exe" [2009-03-30 319488]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-06 737280]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"WirelessAssistant"="c:\programme\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"ArcSoft Connection Service"="c:\programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\dokumente und einstellungen\Kirsten\Startmen\Programme\Autostart\
OpenOffice.org 3.2.lnk - c:\programme\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Philips GoGear SA1VBExxA Device Manager.lnk - c:\programme\Philips\GoGear SA1VBExxA Device Manager\GoGear_SA1VBExxA_DeviceManager.exe [2010-11-22 1611120]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programme\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [2010-11-08 136176]
R3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\DRIVERS\cmnsusbser.sys [2010-11-03 103424]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-11-22 160256]
R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
S0 SahdIa32;HDD Filter Driver;c:\windows\System32\Drivers\SahdIa32.sys [2009-06-01 21488]
S0 SaibIa32;Volume Filter Driver;c:\windows\System32\Drivers\SaibIa32.sys [2009-06-01 15856]
S0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2009-07-01 103792]
S1 SaibVd32;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVd32.sys [2009-06-01 25584]
S1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\programme\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [2009-06-02 457200]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
S2 BOTService;BOTService;c:\programme\Roxio\BackOnTrack\Instant Restore\BOTService.exe [2009-07-09 199152]
S2 WTGService;WTGService;c:\programme\XSManager\WTGService.exe [2010-04-12 329168]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-04-21 113664]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1c51x86.sys [2009-03-31 39424]

.
Inhalt des "geplante Tasks" Ordners

2010-12-13 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\programme\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-07-09 02:09]

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2010-11-08 16:12]

2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2010-11-08 16:12]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_DE&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_DE&c=94&bd=Pavilion&pf=cnnb
IE: &AOL Toolbar-Suche - c:\dokumente und einstellungen\All Users\Anwendungsdaten\AOL\ieToolbar\resources\de-DE\local\search.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\dokumente und einstellungen\Kirsten\Anwendungsdaten\Mozilla\Firefox\Profiles\j34jflrb.default\
FF - component: c:\programme\ArcSoft\Media Converter for Philips\Internet Video Downloader\Plugin_FireFox\components\nsURLRecordEx.dll
FF - component: c:\programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\programme\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Extension: Zotero: zotero@chnm.gmu.edu - c:\dokumente und einstellungen\Kirsten\Anwendungsdaten\Mozilla\Firefox\Profiles\j34jflrb.default\extensions\zotero@chnm.gmu.edu
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\dokumente und einstellungen\Kirsten\Anwendungsdaten\Mozilla\Firefox\Profiles\j34jflrb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\programme\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Internet Video Downloader: {B728AB94-9BC7-49b7-B76A-422BB31B2FD0} - c:\programme\ArcSoft\Media Converter for Philips\Internet Video Downloader\Plugin_FireFox
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
SafeBoot-Wdf01000.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-12-14 15:03
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, hxxp://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD16 rev.13.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0 

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys SahdIa32.sys >>UNKNOWN [0x85132EC5]<< 
c:\dokume~1\Kirsten\LOKALE~1\Temp\catchme.sys  
c:\windows\system32\drivers\SahdIa32.sys Sonic Solutions 
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x81aaa872; SUB DWORD [EBP-0x4], 0x81aaa12e; PUSH EDI; CALL 0xffffffffffffdf33;  }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86574AB8]
3 CLASSPNP[0xF75C8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86574020]
5 SahdIa32[0xF75E9939] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86575028]
[0x85AE1CA8] -> IRP_MJ_CREATE -> 0x85132EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0;  }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD1600BEVT-60ZCT1___________________13.01A13#4&9cf173c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x85132AEA
user & kernel MBR OK 
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft-Datenträgerkontingent"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@SACL=
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Softwareinstallation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@SACL=
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Programme\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"Hilfeassistent"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"HelpAssistant"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'explorer.exe'(1816)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Zeit der Fertigstellung: 2010-12-14  15:21:37
ComboFix-quarantined-files.txt  2010-12-14 14:21
ComboFix2.txt  2010-11-08 16:59

Vor Suchlauf: 15 Verzeichnis(se), 119.740.334.080 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 119.726.301.184 Bytes frei

- - End Of File - - 42E40CD97E06E0682D27C558BA455972

--- --- ---

Viele Grüße,
kiki

cosinus · 14.12.2010, 15:57

Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten.
GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen.
Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst.

Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.

Doppelklick auf die MBRCheck.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Das Tool braucht nur eine Sekunde.
Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.

Poste mir bitte den Inhalt des .txt Dokumentes

kiki82 · 15.12.2010, 01:23

Hallo Arne,

erstmal vielen lieben Dank, dass Du mir weiterhilfst!

Hier kommen die Logs von Osam und MBRCheck; GMER ist leider abgestürzt.

Osam Log:
OSAM Logfile:

Code:

ATTFilter

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 16:45:39 on 14.12.2010

OS: Windows XP Home Edition Service Pack 3 (Build 2600)
Default Browser: Mozilla Corporation Firefox 3.6.12

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"BackOnTrack Instant Restore Idle.job" - "Sonic Solutions" - C:\Programme\Roxio\BackOnTrack\Instant Restore\RstIdle.exe
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"hpBat.cpl" - ? - C:\WINDOWS\system32\hpBat.cpl  (File found, but it contains no detailed information)
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"ISUSPM.cpl" - "Macrovision Corporation" - C:\WINDOWS\system32\ISUSPM.cpl
"javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Avira AntiVir Personal" - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"hpBat.CPL" - ? - C:\Programme\Hewlett-Packard\HP BatteryCheck\hpBat.CPL  (File not found)

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys
"catchme" (catchme) - ? - C:\DOKUME~1\Kirsten\LOKALE~1\Temp\catchme.sys  (File not found)
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys  (File not found)
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys  (File not found)
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys  (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys  (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys  (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys  (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys  (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"Realtek IR Driver" (Rts516xIR) - ? - C:\WINDOWS\System32\DRIVERS\Rts516xIR.sys  (File not found)
"Realtek Smartcard Reader Driver" (USBCCID) - ? - C:\WINDOWS\System32\DRIVERS\Rts5161ccid.sys  (File not found)
"SASDIFSV" (SASDIFSV) - "SUPERAdBlocker.com and SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS
"SASKUTIL" (SASKUTIL) - "SUPERAdBlocker.com and SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
"SysCow" (SysCow) - "Sonic Solutions" - C:\WINDOWS\System32\drivers\syscow32x.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys  (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "SABShellExecuteHook Class" - "SuperAdBlocker.com" - C:\Programme\SUPERAntiSpyware\SASSEH.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll  (File not found)
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? -   (File not found | COM-object registry key not found)
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? -   (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\shlext.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? -   (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Programme\WinRAR\rarext.dll

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "AOL Toolbar" - "AOL LLC" - C:\Programme\AOL\AOL Toolbar 5.0\aoltb.dll
ITBar7Height "ITBar7Height" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
{DE9C389F-3316-41A7-809B-AA305ED9D922} "AOL Toolbar" - "AOL LLC" - C:\Programme\AOL\AOL Toolbar 5.0\aoltb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} "AOL Toolbar BHO" - "AOL LLC" - C:\Programme\AOL\AOL Toolbar 5.0\aoltb.dll
{11222041-111B-46E3-BD29-EFB2449479B1} "IEPlugin Class" - "ArcSoft, Inc." - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"Philips GoGear SA1VBExxA Device Manager.lnk" - "Philips" - C:\Programme\Philips\GoGear SA1VBExxA Device Manager\GoGear_SA1VBExxA_DeviceManager.exe  (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\Kirsten\Startmenü\Programme\Autostart\desktop.ini
"OpenOffice.org 3.2.lnk" - ? - C:\Programme\OpenOffice.org 3\program\quickstart.exe  (Shortcut exists | File found, but it contains no detailed information | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"ISUSPM" - "Macrovision Corporation" - "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
"Skype" - "Skype Technologies S.A." - "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
"SUPERAntiSpyware" - "SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"ArcSoft Connection Service" - "ArcSoft Inc." - C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACDaemon.exe
"avgnt" - "Avira GmbH" - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
"HP BTW Detect Program" - ? - C:\Programme\HP\HPBTWD.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
"WirelessAssistant" - "Hewlett-Packard" - C:\Programme\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\msonpmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Anwendungsverwaltung" (AppMgmt) - ? - C:\WINDOWS\System32\appmgmts.dll  (File not found)
"ArcSoft Connect Daemon" (ACDaemon) - "ArcSoft Inc." - C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACService.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe
"BOTService" (BOTService) - "Sonic Solutions" - C:\Programme\Roxio\BackOnTrack\Instant Restore\BOTService.exe
"GameConsoleService" (GameConsoleService) - "WildTangent, Inc." - C:\Programme\HP Games\HP Game Console\GameConsoleService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"hpqwmiex" (hpqwmiex) - "Hewlett-Packard Development Company, L.P." - C:\Programme\Hewlett-Packard\Shared\hpqwmiex.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - c:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
"Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"Roxio SAIB Service" (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - ? - C:\Programme\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
"Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
"WTGService" (WTGService) - ? - C:\Programme\XSManager\WTGService.exe  (File found, but it contains no detailed information)

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll  (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions )-----
{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} "802.3 Group Policy" - "Microsoft Corporation" - C:\WINDOWS\system32\dot3gpclnt.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} "EFS recovery" - "Microsoft Corporation" - C:\WINDOWS\system32\scecli.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} "Internet Explorer Branding" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} "Internet Explorer Machine Accelerators" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{7B849a69-220F-451E-B3FE-2CB811AF94AE} "Internet Explorer User Accelerators" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} "Internet Explorer Zonemapping" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{C631DF4C-088F-4156-B058-4375F0853CD8} "Microsoft Offline Files" - "Microsoft Corporation" - C:\WINDOWS\System32\cscui.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{3610eda5-77ef-11d2-8dc5-00c04fa31a66} "Microsoft-Datenträgerkontingent" - "Microsoft Corporation" - C:\WINDOWS\system32\dskquota.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{827D319E-6EAC-11D2-A4EA-00C04F79F83A} "Security" - "Microsoft Corporation" - C:\WINDOWS\system32\scecli.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{c6dc5466-785a-11d2-84d0-00c04fb169f7} "Softwareinstallation" - ? - appmgmts.dll  (Hidden registry entry, rootkit activity | File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"!SASWinLogon" - "SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SASWINLO.DLL  (Hidden registry entry, rootkit activity)
"crypt32chain" - "Microsoft Corporation" - C:\WINDOWS\system32\crypt32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"cryptnet" - "Microsoft Corporation" - C:\WINDOWS\system32\cryptnet.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"cscdll" - "Microsoft Corporation" - C:\WINDOWS\system32\cscdll.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"dimsntfy" - "Microsoft Corporation" - C:\WINDOWS\System32\dimsntfy.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"igfxcui" - "Intel Corporation" - C:\WINDOWS\system32\igfxdev.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"ScCertProp" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"Schedule" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"sclgntfy" - "Microsoft Corporation" - C:\WINDOWS\system32\sclgntfy.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"SensLogn" - "Microsoft Corporation" - C:\WINDOWS\system32\WlNotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"termsrv" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"wlballoon" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)

===[ Logfile end ]=========================================[ Logfile end ]===

--- --- ---

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

MBRCheck Log:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000004

Kernel Drivers (total 123):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7A88000 \WINDOWS\system32\KDCOM.DLL
0xF7998000 \WINDOWS\system32\BOOTVID.dll
0xF7458000 ACPI.sys
0xF7A8A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7447000 pci.sys
0xF7588000 isapnp.sys
0xF799C000 compbatt.sys
0xF79A0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B50000 pciide.sys
0xF7808000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A8C000 aliide.sys
0xF7A8E000 viaide.sys
0xF7A90000 intelide.sys
0xF7598000 MountMgr.sys
0xF7428000 ftdisk.sys
0xF79A4000 ACPIEC.sys
0xF7B51000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7810000 PartMgr.sys
0xF75A8000 VolSnap.sys
0xF734E000 iaStor.sys
0xF75B8000 disk.sys
0xF75C8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF732E000 fltMgr.sys
0xF7316000 syscow32x.sys
0xF7304000 sr.sys
0xF75D8000 PxHelp20.sys
0xF72ED000 KSecDD.sys
0xF7260000 Ntfs.sys
0xF7233000 NDIS.sys
0xF7818000 SaibIa32.sys
0xF75E8000 SahdIa32.sys
0xF7219000 Mup.sys
0xF77E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF5F72000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF5F5E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF5F36000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF5D8B000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF77F8000 \SystemRoot\system32\DRIVERS\l1c51x86.sys
0xF78A8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5D67000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78B0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7628000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78B8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF5D36000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7AC6000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7638000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF5CBA000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF78C0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF714D000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7149000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7CA1000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7648000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A40000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5CA3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7658000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7668000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78C8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5C92000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7678000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78D0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78D8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7688000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AC8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5C6F000 \SystemRoot\system32\DRIVERS\ks.sys
0xF5C11000 \SystemRoot\system32\DRIVERS\update.sys
0xF6EB8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7698000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA9281000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA7CD8000 \SystemRoot\system32\drivers\sthda.sys
0xA7CB4000 \SystemRoot\system32\drivers\portcls.sys
0xA9271000 \SystemRoot\system32\drivers\drmk.sys
0xA7C98000 \SystemRoot\system32\drivers\AESTAud.sys
0xF71F1000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7B46000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x9FE82000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B48000 \SystemRoot\System32\Drivers\Beep.SYS
0xA35FD000 \SystemRoot\System32\drivers\vga.sys
0xF7B4A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B4C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA35F5000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA35ED000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF71ED000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9D4AF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9D456000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9D406000 \SystemRoot\system32\DRIVERS\netbt.sys
0x9D3E0000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9D3BE000 \SystemRoot\System32\drivers\afd.sys
0x9D210000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
0xA3877000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xA35E5000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
0xA3867000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA35D5000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x9D1EE000 \??\C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS
0xA35CD000 \??\C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS
0xA3857000 \SystemRoot\System32\Drivers\SaibVd32.sys
0x9D1C3000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9D153000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA00AF000 \SystemRoot\System32\Drivers\Fips.SYS
0x9D130000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF7AF0000 \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys
0x97731000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9624D000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x98160000 \SystemRoot\System32\drivers\Dxapi.sys
0x97B4E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C63000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0x96238000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x9665E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x961FB000 \SystemRoot\system32\drivers\wdmaud.sys
0x96996000 \SystemRoot\system32\drivers\sysaudio.sys
0x96060000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x95CE8000 \SystemRoot\system32\DRIVERS\srv.sys
0x9599D000 \SystemRoot\system32\drivers\kmixer.sys
0x97BDD000 \SystemRoot\system32\drivers\splitter.sys
0x7C910000 \WINDOWS\system32\ntdll.dll

Processes (total 51):
0 System Idle Process
4 System
764 C:\WINDOWS\system32\smss.exe
812 csrss.exe
836 C:\WINDOWS\system32\winlogon.exe
880 C:\WINDOWS\system32\services.exe
892 C:\WINDOWS\system32\lsass.exe
1064 C:\WINDOWS\system32\svchost.exe
1160 svchost.exe
1216 C:\Programme\Roxio\BackOnTrack\Instant Restore\BOTService.exe
1380 svchost.exe
1428 svchost.exe
1472 C:\WINDOWS\explorer.exe
1812 C:\Programme\IDT\WDM\stacsv.exe
516 C:\Programme\Avira\AntiVir Desktop\sched.exe
644 svchost.exe
724 C:\Programme\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
168 C:\WINDOWS\system32\igfxtray.exe
1012 C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACService.exe
1008 C:\WINDOWS\system32\hkcmd.exe
1092 C:\WINDOWS\system32\igfxpers.exe
1100 C:\Programme\HP\HPBTWD.exe
1084 C:\Programme\Synaptics\SynTP\SynTPEnh.exe
1308 C:\WINDOWS\system32\AESTFltr.exe
1352 C:\Programme\Avira\AntiVir Desktop\avguard.exe
1368 C:\Programme\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
1376 C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
1392 C:\Programme\Avira\AntiVir Desktop\avgnt.exe
1296 C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACDaemon.exe
1412 C:\Programme\Skype\Phone\Skype.exe
1444 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Macrovision\FLEXnet Connect\6\ISUSPM.exe
1552 C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
1620 C:\WINDOWS\system32\ctfmon.exe
1500 C:\WINDOWS\system32\igfxsrvc.exe
1908 C:\Programme\Philips\GoGear SA1VBExxA Device Manager\GoGear_SA1VBExxA_DeviceManager.exe
1988 C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ArcCon.ac
208 C:\Programme\Java\jre6\bin\jqs.exe
224 C:\Programme\Google\Update\GoogleUpdate.exe
244 C:\Programme\Avira\AntiVir Desktop\avshadow.exe
252 C:\Programme\OpenOffice.org 3\program\soffice.exe
540 C:\WINDOWS\system32\svchost.exe
436 C:\Programme\OpenOffice.org 3\program\soffice.bin
1548 C:\Programme\XSManager\WTGService.exe
3072 C:\Programme\Hewlett-Packard\Shared\hpqWmiEx.exe
3296 C:\WINDOWS\system32\wbem\wmiapsrv.exe
3392 alg.exe
3568 C:\Programme\Hewlett-Packard\Shared\HpqToaster.exe
2244 C:\WINDOWS\system32\spoolsv.exe
1240 C:\Programme\Avira\AntiVir Desktop\avcenter.exe
692 C:\Programme\Avira\AntiVir Desktop\avwsc.exe
2820 C:\Dokumente und Einstellungen\Kirsten\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BEVT-60ZCT1, Rev: 13.01A13

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

Done!

Viele Grüße,
kiki

cosinus · 15.12.2010, 12:00

Ok. Probier combofix bitte mit einer neu heruntergeladenen cofi.exe nochmal aus.

kiki82 · 17.12.2010, 11:04

Hallo Arne,

Combofix habe ich neu heruntergeladen und gestartet. Das Programm lief sehr lange- mehr als 12 Stunden und meldete, dass nach infizierten Dateien gesucht wird. Als ich zur Uni musste, habe ich den Rechner weiterlaufen lassen, um Combofix nicht zu unterbrechen.
Danach lief er im Ruhemodus und hat sich schließlich aufgehangen. Es erschien die Nachricht, dass nur PCxy oder ein Administrator die Computersperre aufheben kann. Ich drückte auf Enter, doch dann tat sich gar nichts mehr. Ich musste schließlich warten, bis die Batterie leer war, um ihn neu starten zu können.
Soll ich es nochmal mit Combofix versuchen?

Viele Grüße,
kiki

cosinus · 17.12.2010, 11:08

Nee lass CF jetzt weg.
Bitte nun Logs mit GMER und OSAM erstellen und posten.
GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen.
Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst.

Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.

Doppelklick auf die MBRCheck.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Das Tool braucht nur eine Sekunde.
Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.

Poste mir bitte den Inhalt des .txt Dokumentes

kiki82 · 17.12.2010, 12:41

Hallo Arne,

okay, habe ich durchgeführt. Anbei poste ich Dir die Logs.

OSAM Logfile:
OSAM Logfile:

Code:

ATTFilter

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 11:37:45 on 17.12.2010

OS: Windows XP Home Edition Service Pack 3 (Build 2600)
Default Browser: Mozilla Corporation Firefox 3.6.12

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"BackOnTrack Instant Restore Idle.job" - "Sonic Solutions" - C:\Programme\Roxio\BackOnTrack\Instant Restore\RstIdle.exe
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"hpBat.cpl" - ? - C:\WINDOWS\system32\hpBat.cpl  (File found, but it contains no detailed information)
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"ISUSPM.cpl" - "Macrovision Corporation" - C:\WINDOWS\system32\ISUSPM.cpl
"javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Avira AntiVir Personal" - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"hpBat.CPL" - ? - C:\Programme\Hewlett-Packard\HP BatteryCheck\hpBat.CPL  (File not found)

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys
"catchme" (catchme) - ? - C:\DOKUME~1\Kirsten\LOKALE~1\Temp\catchme.sys  (File not found)
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys  (File not found)
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys  (File not found)
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys  (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys  (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys  (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys  (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys  (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"Realtek IR Driver" (Rts516xIR) - ? - C:\WINDOWS\System32\DRIVERS\Rts516xIR.sys  (File not found)
"Realtek Smartcard Reader Driver" (USBCCID) - ? - C:\WINDOWS\System32\DRIVERS\Rts5161ccid.sys  (File not found)
"SASDIFSV" (SASDIFSV) - "SUPERAdBlocker.com and SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS
"SASKUTIL" (SASKUTIL) - "SUPERAdBlocker.com and SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
"SysCow" (SysCow) - "Sonic Solutions" - C:\WINDOWS\System32\drivers\syscow32x.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys  (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "SABShellExecuteHook Class" - "SuperAdBlocker.com" - C:\Programme\SUPERAntiSpyware\SASSEH.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll  (File not found)
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? -   (File not found | COM-object registry key not found)
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? -   (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\shlext.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? -   (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Programme\WinRAR\rarext.dll

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "AOL Toolbar" - "AOL LLC" - C:\Programme\AOL\AOL Toolbar 5.0\aoltb.dll
ITBar7Height "ITBar7Height" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
{DE9C389F-3316-41A7-809B-AA305ED9D922} "AOL Toolbar" - "AOL LLC" - C:\Programme\AOL\AOL Toolbar 5.0\aoltb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} "AOL Toolbar BHO" - "AOL LLC" - C:\Programme\AOL\AOL Toolbar 5.0\aoltb.dll
{11222041-111B-46E3-BD29-EFB2449479B1} "IEPlugin Class" - "ArcSoft, Inc." - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"Philips GoGear SA1VBExxA Device Manager.lnk" - "Philips" - C:\Programme\Philips\GoGear SA1VBExxA Device Manager\GoGear_SA1VBExxA_DeviceManager.exe  (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\Kirsten\Startmenü\Programme\Autostart\desktop.ini
"OpenOffice.org 3.2.lnk" - ? - C:\Programme\OpenOffice.org 3\program\quickstart.exe  (Shortcut exists | File found, but it contains no detailed information | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"ISUSPM" - "Macrovision Corporation" - "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
"Skype" - "Skype Technologies S.A." - "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
"SUPERAntiSpyware" - "SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"ArcSoft Connection Service" - "ArcSoft Inc." - C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACDaemon.exe
"avgnt" - "Avira GmbH" - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
"HP BTW Detect Program" - ? - C:\Programme\HP\HPBTWD.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
"WirelessAssistant" - "Hewlett-Packard" - C:\Programme\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\msonpmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Anwendungsverwaltung" (AppMgmt) - ? - C:\WINDOWS\System32\appmgmts.dll  (File not found)
"ArcSoft Connect Daemon" (ACDaemon) - "ArcSoft Inc." - C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACService.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe
"BOTService" (BOTService) - "Sonic Solutions" - C:\Programme\Roxio\BackOnTrack\Instant Restore\BOTService.exe
"GameConsoleService" (GameConsoleService) - "WildTangent, Inc." - C:\Programme\HP Games\HP Game Console\GameConsoleService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"hpqwmiex" (hpqwmiex) - "Hewlett-Packard Development Company, L.P." - C:\Programme\Hewlett-Packard\Shared\hpqwmiex.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - c:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
"Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"Roxio SAIB Service" (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - ? - C:\Programme\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
"Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
"WTGService" (WTGService) - ? - C:\Programme\XSManager\WTGService.exe  (File found, but it contains no detailed information)

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll  (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions )-----
{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} "802.3 Group Policy" - "Microsoft Corporation" - C:\WINDOWS\system32\dot3gpclnt.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} "EFS recovery" - "Microsoft Corporation" - C:\WINDOWS\system32\scecli.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} "Internet Explorer Branding" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} "Internet Explorer Machine Accelerators" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{7B849a69-220F-451E-B3FE-2CB811AF94AE} "Internet Explorer User Accelerators" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} "Internet Explorer Zonemapping" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{C631DF4C-088F-4156-B058-4375F0853CD8} "Microsoft Offline Files" - "Microsoft Corporation" - C:\WINDOWS\System32\cscui.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{3610eda5-77ef-11d2-8dc5-00c04fa31a66} "Microsoft-Datenträgerkontingent" - "Microsoft Corporation" - C:\WINDOWS\system32\dskquota.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{827D319E-6EAC-11D2-A4EA-00C04F79F83A} "Security" - "Microsoft Corporation" - C:\WINDOWS\system32\scecli.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
{c6dc5466-785a-11d2-84d0-00c04fb169f7} "Softwareinstallation" - ? - appmgmts.dll  (Hidden registry entry, rootkit activity | File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"!SASWinLogon" - "SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SASWINLO.DLL  (Hidden registry entry, rootkit activity)
"crypt32chain" - "Microsoft Corporation" - C:\WINDOWS\system32\crypt32.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"cryptnet" - "Microsoft Corporation" - C:\WINDOWS\system32\cryptnet.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"cscdll" - "Microsoft Corporation" - C:\WINDOWS\system32\cscdll.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"dimsntfy" - "Microsoft Corporation" - C:\WINDOWS\System32\dimsntfy.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"igfxcui" - "Intel Corporation" - C:\WINDOWS\system32\igfxdev.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"ScCertProp" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"Schedule" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"sclgntfy" - "Microsoft Corporation" - C:\WINDOWS\system32\sclgntfy.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"SensLogn" - "Microsoft Corporation" - C:\WINDOWS\system32\WlNotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"termsrv" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"wlballoon" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll  (Hidden registry entry, rootkit activity | File signed by Microsoft)

===[ Logfile end ]=========================================[ Logfile end ]===

--- --- ---

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

GMER Logfile:
GMER Logfile:

Code:

ATTFilter

GMER 1.0.15.15530 - hxxp://www.gmer.net
Rootkit scan 2010-12-17 12:19:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD16 rev.13.0
Running: wbhqtxmy.exe; Driver: C:\DOKUME~1\Kirsten\LOKALE~1\Temp\fftorfow.sys


---- System - GMER 1.0.15 ----

SSDT            F7CA1EBE                                                                                                                                                 ZwCreateKey
SSDT            F7CA1EB4                                                                                                                                                 ZwCreateThread
SSDT            F7CA1EC3                                                                                                                                                 ZwDeleteKey
SSDT            F7CA1ECD                                                                                                                                                 ZwDeleteValueKey
SSDT            F7CA1ED2                                                                                                                                                 ZwLoadKey
SSDT            F7CA1EA0                                                                                                                                                 ZwOpenProcess
SSDT            F7CA1EA5                                                                                                                                                 ZwOpenThread
SSDT            F7CA1EDC                                                                                                                                                 ZwReplaceKey
SSDT            F7CA1ED7                                                                                                                                                 ZwRestoreKey
SSDT            F7CA1EC8                                                                                                                                                 ZwSetValueKey
SSDT            \??\C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)                                                ZwTerminateProcess [0x9DBFB620]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\System32\drivers\afd.sys                                                                                                                      entry point in ".rsrc" section [0x9DC32C94]

---- Devices - GMER 1.0.15 ----

Device                                                                                                                                                                   Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                                                                                  wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                                                                                  wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                   SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device          \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0                                                                                                      85162AEA
Device                                                                                                                                                                   mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device          \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD1600BEVT-60ZCT1___________________13.01A13#4&9cf173c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}  device not found

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                                                                       15
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                                                                          10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                                                                        yes
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                                                                       
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                                                                       90
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                                                                         10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs                                                                      1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@                                          Microsoft-Datentr?gerkontingent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoMachinePolicy                           0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoUserPolicy                              1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoSlowLink                                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoBackgroundPolicy                        1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoGPOListChanges                          1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@PerUserLocalSettings                      0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@RequiresSuccessfulRegistry                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@EnableAsynchronousProcessing              0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@DllName                                   dskquota.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ProcessGroupPolicy                        ProcessGroupPolicy
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@                                          Internet Explorer Zonemapping
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@DllName                                   C:\WINDOWS\system32\iedkcs32.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@ProcessGroupPolicy                        ProcessGroupPolicyForZoneMap
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@NoGPOListChanges                          1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@RequiresSucessfulRegistry                 1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@DisplayName                               @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@RequiresSuccessfulRegistry                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@                                          Internet Explorer User Accelerators
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@DisplayName                               @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@DllName                                   C:\WINDOWS\system32\iedkcs32.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@NoGPOListChanges                          1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ProcessGroupPolicy                        ProcessGroupPolicyForActivities
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ProcessGroupPolicyEx                      ProcessGroupPolicyForActivitiesEx
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@RequiresSuccessfulRegistry                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy                        SceProcessSecurityPolicyGPO
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@GenerateGroupPolicy                       SceGenerateGroupPolicy
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionRsopPlanningDebugLevel           1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicyEx                      SceProcessSecurityPolicyGPOEx
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionDebugLevel                       1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@DllName                                   scecli.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@                                          Security
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy                              1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges                          1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@EnableAsynchronousProcessing              1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@MaxNoGPOListChangesInterval               1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicyEx                      ProcessGroupPolicyEx
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@GenerateGroupPolicy                       GenerateGroupPolicy
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicy                        ProcessGroupPolicy
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@DllName                                   C:\WINDOWS\system32\iedkcs32.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@                                          Internet Explorer Branding
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoSlowLink                                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoBackgroundPolicy                        0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoGPOListChanges                          1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoMachinePolicy                           1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@DisplayName                               @C:\WINDOWS\system32\iedkcs32.dll.mui,-3014
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy                        SceProcessEFSRecoveryGPO
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@DllName                                   scecli.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@                                          EFS recovery
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy                              1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges                          1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@RequiresSuccessfulRegistry                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@                                          802.3 Group Policy
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@DisplayName                               @dot3gpclnt.dll,-100
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@ProcessGroupPolicyEx                      ProcessLANPolicyEx
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@GenerateGroupPolicy                       GenerateLANPolicy
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@DllName                                   dot3gpclnt.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@NoUserPolicy                              1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@NoGPOListChanges                          1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@                                          Microsoft Offline Files
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@DllName                                   %SystemRoot%\System32\cscui.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@EnableAsynchronousProcessing              0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoBackgroundPolicy                        0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoGPOListChanges                          0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoMachinePolicy                           0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoSlowLink                                0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoUserPolicy                              1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@PerUserLocalSettings                      0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@ProcessGroupPolicy                        ProcessGroupPolicy
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@RequiresSuccessfulRegistry                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@                                          Softwareinstallation
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@DllName                                   appmgmts.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@ProcessGroupPolicyEx                      ProcessGroupPolicyObjectsEx
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@GenerateGroupPolicy                       GenerateGroupPolicy
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@NoBackgroundPolicy                        0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@RequiresSucessfulRegistry                 0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@NoSlowLink                                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@PerUserLocalSettings                      1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@EventSources                              (Application Management,Application)?(MsiInstaller,Application)?
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@                                          Internet Explorer Machine Accelerators
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@DisplayName                               @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@DllName                                   C:\WINDOWS\system32\iedkcs32.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@NoGPOListChanges                          1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@ProcessGroupPolicy                        ProcessGroupPolicyForActivities
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@ProcessGroupPolicyEx                      ProcessGroupPolicyForActivitiesEx
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@RequiresSuccessfulRegistry                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DllName                                                                   C:\Programme\SUPERAntiSpyware\SASWINLO.DLL
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logon                                                                     SABWINLOLogon
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logoff                                                                    SABWINLOLogoff
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Startup                                                                   SABWINLOStartup
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Shutdown                                                                  SABWINLOShutdown
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Asynchronous                                                              0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Impersonate                                                               0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Asynchronous                                                              0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Impersonate                                                               0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@DllName                                                                   crypt32.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Logoff                                                                    ChainWlxLogoffEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Asynchronous                                                                  0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Impersonate                                                                   0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@DllName                                                                       cryptnet.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Logoff                                                                        CryptnetWlxLogoffEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@DLLName                                                                         cscdll.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logon                                                                           WinlogonLogonEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logoff                                                                          WinlogonLogoffEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@ScreenSaver                                                                     WinlogonScreenSaverEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Startup                                                                         WinlogonStartupEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Shutdown                                                                        WinlogonShutdownEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@StartShell                                                                      WinlogonStartShellEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Impersonate                                                                     0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Asynchronous                                                                    1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Asynchronous                                                                  1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@DllName                                                                       %SystemRoot%\System32\dimsntfy.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Startup                                                                       WlDimsStartup
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Shutdown                                                                      WlDimsShutdown
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logon                                                                         WlDimsLogon
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logoff                                                                        WlDimsLogoff
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@StartShell                                                                    WlDimsStartShell
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Lock                                                                          WlDimsLock
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Unlock                                                                        WlDimsUnlock
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@                                                                               
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@DLLName                                                                        igfxdev.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@Asynchronous                                                                   1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@Impersonate                                                                    1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@Unlock                                                                         WinlogonUnlockEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@DLLName                                                                     wlnotify.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logon                                                                       SCardStartCertProp
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logoff                                                                      SCardStopCertProp
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Lock                                                                        SCardSuspendCertProp
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Unlock                                                                      SCardResumeCertProp
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Enabled                                                                     1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Impersonate                                                                 1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Asynchronous                                                                1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Asynchronous                                                                  0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@DllName                                                                       wlnotify.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Impersonate                                                                   0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@StartShell                                                                    SchedStartShell
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Logoff                                                                        SchedEventLogOff
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Logoff                                                                        WLEventLogoff
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Impersonate                                                                   0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Asynchronous                                                                  1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@DllName                                                                       sclgntfy.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@DLLName                                                                       WlNotify.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Lock                                                                          SensLockEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logon                                                                         SensLogonEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logoff                                                                        SensLogoffEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Safe                                                                          1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@MaxWait                                                                       600
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartScreenSaver                                                              SensStartScreenSaverEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StopScreenSaver                                                               SensStopScreenSaverEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Startup                                                                       SensStartupEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Shutdown                                                                      SensShutdownEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartShell                                                                    SensStartShellEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@PostShell                                                                     SensPostShellEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Disconnect                                                                    SensDisconnectEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Reconnect                                                                     SensReconnectEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Unlock                                                                        SensUnlockEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Impersonate                                                                   1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Asynchronous                                                                  1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Asynchronous                                                                   0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@DllName                                                                        wlnotify.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Impersonate                                                                    0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logoff                                                                         TSEventLogoff
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logon                                                                          TSEventLogon
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@PostShell                                                                      TSEventPostShell
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Shutdown                                                                       TSEventShutdown
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@StartShell                                                                     TSEventStartShell
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Startup                                                                        TSEventStartup
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@MaxWait                                                                        600
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Reconnect                                                                      TSEventReconnect
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Disconnect                                                                     TSEventDisconnect
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@DLLName                                                                      wlnotify.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logon                                                                        RegisterTicketExpiredNotificationEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logoff                                                                       UnregisterTicketExpiredNotificationEvent
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Impersonate                                                                  1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Asynchronous                                                                 1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@Hilfeassistent                                                       0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@TsInternetUser                                                       0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@SQLAgentCmdExec                                                      0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@NetShowServices                                                      0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@HelpAssistant                                                        0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@IWAM_                                                                65536
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@IUSR_                                                                65536
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@VUSR_                                                                65536

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                                                                                                    sectors 312581552 (+254): rootkit-like behavior; 

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\System32\drivers\afd.sys                                                                                                                      suspicious modification; TDL3                                      <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

--- --- ---

MBR Check Logfile:
CE0000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF78C8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF714D000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7149000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7BD6000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7658000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A40000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5CC9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7668000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7678000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78D0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5CB8000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7688000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78D8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78E0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF65BE000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7ACA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5C95000 \SystemRoot\system32\DRIVERS\ks.sys
0xF5C37000 \SystemRoot\system32\DRIVERS\update.sys
0xF6EDE000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF65AE000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA9281000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA7C3B000 \SystemRoot\system32\drivers\sthda.sys
0xA7739000 \SystemRoot\system32\drivers\portcls.sys
0xA9201000 \SystemRoot\system32\drivers\drmk.sys
0xA5D2D000 \SystemRoot\system32\drivers\AESTAud.sys
0x9DD0F000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
0xA3E28000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xA3790000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
0xF71F5000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7B3C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA013D000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B3E000 \SystemRoot\System32\Drivers\Beep.SYS
0xA3778000 \SystemRoot\System32\drivers\vga.sys
0xF7B40000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B42000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA3770000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA3768000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF71F1000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9DCDC000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9DC83000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9DC5D000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9DC35000 \SystemRoot\system32\DRIVERS\netbt.sys
0x9DC13000 \SystemRoot\System32\drivers\afd.sys
0xA3E08000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA3758000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x9DBF1000 \??\C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS
0x9FDE7000 \??\C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS
0xA3DF8000 \SystemRoot\System32\Drivers\SaibVd32.sys
0x9DBC6000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9DB56000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA011D000 \SystemRoot\System32\Drivers\Fips.SYS
0x9DB33000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x9FD6A000 \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys
0x977C8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x96BB1000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x980E1000 \SystemRoot\System32\drivers\Dxapi.sys
0x97A1E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7BC7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0x96B9C000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xF7A7C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x96B5F000 \SystemRoot\system32\drivers\wdmaud.sys
0xA00AD000 \SystemRoot\system32\drivers\sysaudio.sys
0x969C4000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x965FC000 \SystemRoot\system32\DRIVERS\srv.sys
0x96021000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x966A4000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x95D15000 \SystemRoot\system32\drivers\kmixer.sys
0x7C910000 \WINDOWS\system32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
764 C:\WINDOWS\system32\smss.exe
812 csrss.exe
836 C:\WINDOWS\system32\winlogon.exe
880 C:\WINDOWS\system32\services.exe
892 C:\WINDOWS\system32\lsass.exe
1068 C:\WINDOWS\system32\svchost.exe
1160 svchost.exe
1216 C:\Programme\Roxio\BackOnTrack\Instant Restore\BOTService.exe
1396 svchost.exe
1432 svchost.exe
1476 C:\WINDOWS\explorer.exe
1808 C:\Programme\IDT\WDM\stacsv.exe
608 C:\Programme\Avira\AntiVir Desktop\sched.exe
664 svchost.exe
680 C:\WINDOWS\system32\igfxtray.exe
688 C:\WINDOWS\system32\hkcmd.exe
696 C:\WINDOWS\system32\igfxpers.exe
704 C:\Programme\HP\HPBTWD.exe
712 C:\Programme\Synaptics\SynTP\SynTPEnh.exe
720 C:\WINDOWS\system32\AESTFltr.exe
1100 C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
1332 C:\Programme\Avira\AntiVir Desktop\avgnt.exe
1288 C:\Programme\Skype\Phone\Skype.exe
1532 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Macrovision\FLEXnet Connect\6\ISUSPM.exe
1544 C:\WINDOWS\system32\igfxsrvc.exe
1560 C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
1764 C:\Programme\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
1832 C:\WINDOWS\system32\ctfmon.exe
1896 C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACService.exe
1908 C:\Programme\Philips\GoGear SA1VBExxA Device Manager\GoGear_SA1VBExxA_DeviceManager.exe
1956 C:\Programme\Avira\AntiVir Desktop\avguard.exe
284 C:\Programme\OpenOffice.org 3\program\soffice.exe
368 C:\Programme\Java\jre6\bin\jqs.exe
384 C:\Programme\Avira\AntiVir Desktop\avshadow.exe
396 C:\Programme\OpenOffice.org 3\program\soffice.bin
412 C:\Programme\Google\Update\GoogleUpdate.exe
1132 C:\WINDOWS\system32\svchost.exe
2088 C:\Programme\XSManager\WTGService.exe
2960 C:\Programme\Hewlett-Packard\Shared\hpqWmiEx.exe
3960 C:\WINDOWS\system32\wbem\wmiapsrv.exe
444 alg.exe
228 C:\WINDOWS\system32\spoolsv.exe
2724 C:\WINDOWS\system32\svchost.exe
4024 C:\Dokumente und Einstellungen\Kirsten\Desktop\MBRCheck (1).exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BEVT-60ZCT1, Rev: 13.01A13

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

Done!

Hoffe sehr, dass mein Rechner bald wieder normal läuft und sich die Viren etc. entfernen lassen. Danke auf jeden Fall für Deine Unterstützung!!

Viele Grüße,
kiki

cosinus · 17.12.2010, 13:32

Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs.
Denk dran beide Tools zu updaten vor dem Scan!!

kiki82 · 17.12.2010, 17:33

Hallo Arne,

okay; habe beides aktualisiert und die Scans durchgeführt.
Antispyware hat einen Tracking Cookie entdeckt; Malwarebytes meldete keine infizierten Dateien.
Das sieht ja erstmal okay aus. Ich werde nun beobachten, ob noch Probleme mit der Internetverbindung oder der Taskleiste auftreten.

Anbei das Log von Malwarebytes:

Malwarebytes Logfile:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Datenbank Version: 5342

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17.12.2010 15:25:04
mbam-log-2010-12-17 (15-25-04).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Durchsuchte Objekte: 221138
Laufzeit: 1 Stunde(n), 23 Minute(n), 57 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

Viele Grüße,
kiki

cosinus · 19.12.2010, 14:58

Sieht ok aus.
Noch Probleme oder weitere Funde in der Zwischenzeit?

kiki82 · 22.12.2010, 01:32

Hallo Arne,

nein, es gab keine weiteren Funde.
Aber einige Minuten nach dem Hochfahren des Computers verändert sich immer noch die Taskleiste, u.a. Uhrzeit und Schriftbild. Diese Änderungen sind erst nach den letzten Virusmeldungen aufgetreten.
Soll ich nochmal andere Programme durchlaufen lassen, die Rootkits entfernen wie z.B. Blacklight?

Viele Grüße,
kiki

cosinus · 22.12.2010, 09:56

Zitat:

verändert sich immer noch die Taskleiste, u.a. Uhrzeit und Schriftbild. Diese Änderungen sind erst nach den letzten Virusmeldungen aufgetreten.

Wie genau sehen die Änderungen aus? Altbackenes Design?

kiki82 · 22.12.2010, 12:19

Hallo Arne,

ja, genau.
Also anfangs sieht die Taskleiste noch normal aus; Uhrzeit und Wochentag erscheinen im bekannten Schriftbild und die Leiste ist durchgängig dunkelgrau. Doch nach einigen Minuten sieht es so aus, als ob sich eine weitere Taskleiste "daraufsetzt". Die Farbgebung ist dann nicht mehr einheitlich; die Mitte der Leiste ist anschließend hellgrau und die Taskleiste sieht dadurch wie unterbrochen aus.
Wenn ich das Startmenü anklicke, erscheint mein Benutzername in einem ganz anderen Schriftbild als sonst.

Viele Grüße,
kiki

cosinus · 22.12.2010, 12:35

Mach mal einen Screenshot davon...

kiki82 · 23.12.2010, 20:59

Hallo Arne,

okay; ich habe einen Screenshot gemacht und ihn als Paint-Dokument abgespeichert. Aber wie ich kann ihn Dir posten? Sorry, habe leider keine Ahnung.

Viele Grüße,
kiki

17.12.2010, 13:32	#8
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	TR/Pincav.afyp Trojan Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs. Denk dran beide Tools zu updaten vor dem Scan!! __________________ Logfiles bitte immer in CODE-Tags posten

19.12.2010, 14:58	#10
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	TR/Pincav.afyp Trojan Sieht ok aus. Noch Probleme oder weitere Funde in der Zwischenzeit? __________________ Logfiles bitte immer in CODE-Tags posten

22.12.2010, 12:35	#14
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	TR/Pincav.afyp Trojan Mach mal einen Screenshot davon... __________________ Logfiles bitte immer in CODE-Tags posten

TR/Pincav.afyp Trojan

Plagegeister aller Art und deren Bekämpfung: TR/Pincav.afyp Trojan