Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/) > Log Analysis and Evaluation (https://www.trojaner-board.de/log-analyse-auswertung/) > Harddrive Error - Fake Trojan (https://www.trojaner-board.de/99723-harddrive-error-fake-trojaner.html)

DaDude 29.05.2011 15:22

Harddrive Error - Fake Trojan
 
Hello everyone,

two hours ago I also caught this lovely Trojan that keeps complaining about a supposedly defective hard drive...

Anyway, I then ran Anti-Malware right away and had all 8 problems it found removed. However, I'm not sure whether everything is really gone.

Besides, all files are still hidden. Can I simply run unhide.exe, or is this a deeper problem?

Attached are the logs from OTL and Anti-Malware.

I'm hoping for your support. :)

Best regards,
Florian

OTL1:
OTL Logfile:

OTL logfile created on: 29.05.2011 16:23:39 - Run 2
OTL by OldTimer - Version 3.2.23.0    Folder = C:\Users\Florian\Downloads
 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,90 Gb Total Physical Memory | 1,47 Gb Available Physical Memory | 50,66% Memory free
5,80 Gb Paging File | 4,27 Gb Available in Paging File | 73,54% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147,04 Gb Total Space | 16,77 Gb Free Space | 11,40% Space Free | Partition Type: NTFS
Drive E: | 665,39 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: FLORIAN-NB | User Name: Florian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Florian\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Opera\opera.exe (Opera Software)
PRC - C:\Programme\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Programme\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Programme\Malwarebytes' Anti-Malware\herbert.exe (Malwarebytes Corporation)
PRC - C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
PRC - C:\Programme\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Hewlett-Packard\Shared\hpCaslNotification.exe (Hewlett-Packard Development Company L.P.)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)
PRC - C:\Programme\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe ( Hewlett-Packard Development Company, L.P.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\vmnat.exe (VMware, Inc.)
PRC - C:\Programme\VMware\VMware Player\vmware-authd.exe (VMware, Inc.)
PRC - C:\Windows\System32\vmnetdhcp.exe (VMware, Inc.)
PRC - C:\Programme\Common Files\VMware\USB\vmware-usbarbitrator.exe (VMware, Inc.)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE (Microsoft Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\RMClock\RMClock.exe (NGO Science Center "RightMark")
PRC - C:\Programme\RMClock\RMClockHLT.exe (NGO Science Center "RightMark")
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Users\Florian\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (AEADIFilters) -- C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)
SRV - (OpenVPNService) -- C:\Programme\OpenVPN\bin\openvpnserv.exe ()
SRV - (VMware NAT Service) -- C:\Windows\System32\vmnat.exe (VMware, Inc.)
SRV - (VMAuthdService) -- C:\Program Files\VMware\VMware Player\vmware-authd.exe (VMware, Inc.)
SRV - (VMnetDHCP) -- C:\Windows\System32\vmnetdhcp.exe (VMware, Inc.)
SRV - (VMUSBArbService) -- C:\Programme\Common Files\VMware\USB\vmware-usbarbitrator.exe (VMware, Inc.)
SRV - (ufad-ws60) -- C:\Program Files\VMware\VMware Player\vmware-ufad.exe (VMware, Inc.)
SRV - (LBTServ) -- C:\Programme\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (dtsoftbus01) -- C:\Windows\System32\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV - (UsbserFilt) -- C:\Windows\System32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (upperdev) -- C:\Windows\System32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (nmwcdc) -- C:\Windows\System32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcd) -- C:\Windows\System32\drivers\ccdcmb.sys (Nokia)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (NETw5s32) Intel(R) -- C:\Windows\System32\drivers\NETw5s32.sys (Intel Corporation)
DRV - (tap0901) -- C:\Windows\System32\drivers\tap0901.sys (The OpenVPN Project)
DRV - (ATSwpWDF) -- C:\Windows\System32\drivers\ATSwpWDF.sys (AuthenTec, Inc.)
DRV - (HTCAND32) -- C:\Windows\System32\drivers\ANDROIDUSB.sys (HTC, Corporation)
DRV - (vmx86) -- C:\Windows\System32\drivers\vmx86.sys (VMware, Inc.)
DRV - (vmci) -- C:\Windows\System32\drivers\vmci.sys (VMware, Inc.)
DRV - (VMnetuserif) -- C:\Windows\System32\drivers\vmnetuserif.sys (VMware, Inc.)
DRV - (vmkbd) -- C:\Windows\System32\drivers\VMkbd.sys (VMware, Inc.)
DRV - (hcmon) -- C:\Windows\System32\drivers\hcmon.sys (VMware, Inc.)
DRV - (VMnetBridge) -- C:\Windows\System32\drivers\vmnetbridge.sys (VMware, Inc.)
DRV - (vmusb) -- C:\Windows\System32\drivers\vmusb.sys (VMware, Inc.)
DRV - (VMnetAdapter) -- C:\Windows\System32\drivers\vmnetadapter.sys (VMware, Inc.)
DRV - (vstor2-ws60) -- C:\Programme\VMware\VMware Player\vstor2-ws60.sys (VMware, Inc.)
DRV - (volsnap) -- C:\Windows\system32\DRIVERS\volsnap.sys ()
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (netw5v32) Intel(R) -- C:\Windows\System32\drivers\netw5v32.sys (Intel Corporation)
DRV - (hpdskflt) -- C:\Windows\system32\DRIVERS\hpdskflt.sys (Hewlett-Packard)
DRV - (Accelerometer) -- C:\Windows\System32\drivers\Accelerometer.sys (Hewlett-Packard)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (LHidEqd) -- C:\Windows\System32\drivers\LHidEqd.sys (Logitech, Inc.)
DRV - (LEqdUsb) -- C:\Windows\System32\drivers\LEqdUsb.sys (Logitech, Inc.)
DRV - (e1yexpress) Intel(R) -- C:\Windows\System32\drivers\e1y6232.sys (Intel Corporation)
DRV - (Point32) -- C:\Windows\System32\drivers\point32k.sys (Microsoft Corporation)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HBtnKey) -- C:\Windows\System32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (cpuz132) -- C:\Windows\System32\drivers\cpuz132_x32.sys (Windows (R) Codename Longhorn DDK provider)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (SNP2UVC) USB2.0 PC Camera (SNP2UVC) -- C:\Windows\System32\drivers\snp2uvc.sys ()
DRV - (pccsmcfd) -- C:\Windows\System32\drivers\pccsmcfd.sys (Nokia)
DRV - (RTCore32) -- C:\Programme\RMClock\RTCore32.sys ()
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DB 2B E8 24 70 C3 CA 01  [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultthis.engineName: "NCH Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2319825&SearchSource=13"
FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.732
FF - prefs.js..extensions.enabledItems: anttoolbar@ant.com:2.3.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.5
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: ytvdw@pgport.com:1.1.4
 
FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2010.07.04 18:20:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.04.14 20:52:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.04.29 18:27:15 | 000,000,000 | ---D | M]
 
[2010.04.11 14:57:39 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Florian\AppData\Roaming\mozilla\Extensions
[2011.05.29 14:51:57 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Florian\AppData\Roaming\mozilla\Firefox\Profiles\5r8bm6t8.default\extensions
[2011.05.29 14:06:34 | 000,000,000 | -H-D | M] (DownThemAll!) -- C:\Users\Florian\AppData\Roaming\mozilla\Firefox\Profiles\5r8bm6t8.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2011.05.29 14:06:34 | 000,000,000 | -H-D | M] (Ant Video Downloader) -- C:\Users\Florian\AppData\Roaming\mozilla\Firefox\Profiles\5r8bm6t8.default\extensions\anttoolbar@ant.com
[2011.05.15 13:30:29 | 000,000,000 | -H-D | M] (Conduit Engine) -- C:\Users\Florian\AppData\Roaming\mozilla\Firefox\Profiles\5r8bm6t8.default\extensions\engine@conduit.com
[2011.05.15 13:30:29 | 000,000,000 | -H-D | M] (YouTube Video Download Wizard) -- C:\Users\Florian\AppData\Roaming\mozilla\Firefox\Profiles\5r8bm6t8.default\extensions\ytvdw@pgport.com
[2010.08.19 21:28:28 | 000,000,909 | -H-- | M] () -- C:\Users\Florian\AppData\Roaming\Mozilla\Firefox\Profiles\5r8bm6t8.default\searchplugins\conduit.xml
[2011.05.15 13:30:33 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2010.09.12 14:22:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.09.12 14:22:41 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.07.04 18:20:55 | 000,000,000 | ---D | M] (PC Sync 2 Synchronisation Extension) -- C:\PROGRAM FILES\NOKIA\NOKIA PC SUITE 7\BKMRKSYNC
[2010.09.12 14:22:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.04.01 18:54:38 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.04.01 18:54:38 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.04.01 18:54:38 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.04.01 18:54:38 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.04.01 18:54:38 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Logitech Download Assistant] C:\Windows\System32\LogiLDA.dll (Logitech, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\herbert.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\soundmax.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [RMClock] C:\Programme\RMClock\RMClockLauncher.exe (NGO Science Center "RightMark")
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Programme\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2003.02.10 17:42:58 | 000,133,840 | R--- | M] () - E:\Auto.bmp -- [ CDFS ]
O32 - AutoRun File - [2002.05.19 14:43:42 | 000,448,032 | R--- | M] () - E:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2003.02.10 18:04:34 | 000,000,057 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{9c9f6ea8-6785-11e0-8c81-002186353506}\Shell - "" = AutoRun
O33 - MountPoints2\{9c9f6ea8-6785-11e0-8c81-002186353506}\Shell\AutoRun\command - "" = E:\pointsoft.exe -- [2003.02.17 19:52:32 | 000,021,536 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E78BFA60-5393-4C38-82AB-E8019E464EB4} - .NET Framework
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
MsConfig - StartUpFolder: C:^Users^Florian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE - (Microsoft Corporation)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: PC Suite Tray - hkey= - key= - C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: Sidebar - hkey= - key= - C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: VMware hqtray - hkey= - key= - C:\Program Files\VMware\VMware Player\hqtray.exe (VMware, Inc.)
MsConfig - State: "startup" - 2
MsConfig - State: "bootini" - 2

 
========== Files/Folders - Created Within 30 Days ==========
 
[2011.05.29 14:33:52 | 000,000,000 | -H-D | C] -- C:\Users\Florian\AppData\Roaming\Malwarebytes
[2011.05.29 14:33:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011.05.29 14:33:40 | 000,000,000 | -H-D | C] -- C:\ProgramData\Malwarebytes
[2011.05.29 14:33:37 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2011.05.29 14:30:36 | 000,000,000 | -H-D | C] -- C:\Users\Florian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
[2011.05.15 13:31:24 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011.05.15 13:30:04 | 000,000,000 | -H-D | C] -- C:\Users\Florian\Documents\Freecorder
[2011.05.15 13:30:04 | 000,000,000 | -H-D | C] -- C:\Users\Florian\AppData\Local\FLVService
[2011.05.15 13:30:01 | 000,000,000 | ---D | C] -- C:\Windows\Freecorder
[2011.05.01 19:14:05 | 000,000,000 | -H-D | C] -- C:\Users\Florian\AppData\Local\SkinSoft
[2011.05.01 19:13:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Street Challenge Extreme Velocity 2.0
[2011.05.01 19:13:40 | 000,000,000 | -H-D | C] -- C:\Programme\Street Challenge
[2011.02.11 18:40:40 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2010.01.16 23:12:04 | 000,186,928 | ---- | C] ( ) -- C:\Windows\System32\rsnp2uvc.dll
[2008.10.09 03:28:56 | 000,195,112 | ---- | C] ( ) -- C:\Windows\System32\csnp2uvc.dll
 
========== Files - Modified Within 30 Days ==========
 
[2011.05.29 15:20:07 | 000,657,018 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.05.29 15:20:07 | 000,618,642 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.05.29 15:20:07 | 000,132,368 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.05.29 15:20:07 | 000,108,804 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.05.29 15:14:22 | 000,013,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011.05.29 15:14:22 | 000,013,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011.05.29 15:06:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.05.29 15:06:14 | 2337,484,800 | -HS- | M] () -- C:\hiberfil.sys
[2011.05.29 14:30:37 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~29613816r
[2011.05.29 14:30:37 | 000,000,104 | -H-- | M] () -- C:\ProgramData\~29613816
[2011.05.29 14:30:36 | 000,000,635 | -H-- | M] () -- C:\Users\Florian\Desktop\Windows 7 Recovery.lnk
[2011.05.29 14:30:21 | 000,000,336 | -H-- | M] () -- C:\ProgramData\29613816
 
========== Files Created - No Company Name ==========
 
[2011.05.29 14:30:37 | 000,000,136 | -H-- | C] () -- C:\ProgramData\~29613816r
[2011.05.29 14:30:37 | 000,000,104 | -H-- | C] () -- C:\ProgramData\~29613816
[2011.05.29 14:30:36 | 000,000,635 | -H-- | C] () -- C:\Users\Florian\Desktop\Windows 7 Recovery.lnk
[2011.05.29 14:30:21 | 000,000,336 | -H-- | C] () -- C:\ProgramData\29613816
[2011.01.15 22:20:23 | 000,116,224 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2011.01.15 22:20:23 | 000,045,056 | ---- | C] () -- C:\Windows\System32\unredmon.exe
[2010.07.28 21:01:14 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010.07.28 21:01:12 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010.07.28 21:01:10 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010.03.06 11:41:20 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010.01.17 14:43:31 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2010.01.17 14:43:30 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2010.01.17 14:43:29 | 000,881,664 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2010.01.17 14:43:29 | 000,205,824 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2010.01.17 14:43:27 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010.01.17 11:24:17 | 000,007,601 | -H-- | C] () -- C:\Users\Florian\AppData\Local\Resmon.ResmonCfg
[2010.01.16 23:40:02 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2010.01.16 23:12:04 | 000,015,497 | ---- | C] () -- C:\Windows\snp2uvc.ini
[2010.01.16 23:09:53 | 000,134,592 | ---- | C] () -- C:\Windows\System32\igfcg500.bin
[2009.12.02 20:39:02 | 020,317,504 | ---- | C] () -- C:\Windows\System32\TrueSuiteCoInst02020000.dll
[2009.10.30 11:10:56 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2009.07.14 10:47:43 | 000,657,018 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2009.07.14 10:47:43 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2009.07.14 10:47:43 | 000,132,368 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2009.07.14 10:47:43 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2009.07.14 06:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009.07.14 06:33:53 | 000,343,000 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009.07.14 04:05:48 | 000,618,642 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009.07.14 04:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009.07.14 04:05:48 | 000,108,804 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009.07.14 04:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009.07.14 04:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009.07.14 04:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009.07.14 01:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009.07.14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009.07.14 01:11:34 | 000,245,328 | ---- | C] () -- C:\Windows\System32\drivers\volsnap.sys
[2009.06.10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2008.10.09 03:33:06 | 000,027,176 | ---- | C] () -- C:\Windows\snuvcdsm.exe
[2008.10.09 03:32:46 | 001,810,856 | ---- | C] () -- C:\Windows\System32\drivers\snp2uvc.sys
[2008.10.09 03:31:10 | 000,034,856 | ---- | C] () -- C:\Windows\System32\drivers\sncduvc.sys
 
========== LOP Check ==========
 
[2010.12.29 23:13:37 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\Bentley
[2011.04.22 15:22:19 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\DAEMON Tools Lite
[2010.01.17 17:06:29 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
[2011.05.28 14:11:07 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\FileZilla
[2011.05.27 22:45:44 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\foobar2000
[2011.05.29 14:46:23 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\ICQ
[2010.02.06 20:49:21 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\Leadertech
[2010.09.07 20:14:37 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\NCH Swift Sound
[2010.07.21 18:19:21 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\Nokia
[2010.01.16 22:53:37 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\Opera
[2011.05.15 13:39:22 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\Orbit
[2010.01.28 23:08:57 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\PC Suite
[2011.04.14 21:29:46 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011.05.29 14:46:22 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\uTorrent
[2011.04.14 21:59:12 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\WindSolutions
[2009.07.14 06:53:46 | 000,022,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
<  >
 
< %SYSTEMDRIVE%\*. >
[2010.01.24 18:08:08 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin
[2011.01.18 16:05:06 | 000,000,000 | -H-D | M] -- C:\BentleyDownloads
[2010.01.16 22:22:35 | 000,000,000 | -HSD | M] -- C:\Boot
[2009.07.14 06:53:55 | 000,000,000 | -HSD | M] -- C:\Documents and Settings
[2010.01.16 22:31:23 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen
[2011.05.15 13:32:57 | 000,000,000 | -H-D | M] -- C:\Downloads
[2010.02.07 21:45:15 | 000,000,000 | -H-D | M] -- C:\Intel
[2010.01.16 23:47:31 | 000,000,000 | RH-D | M] -- C:\MSOCache
[2009.07.14 04:37:05 | 000,000,000 | ---D | M] -- C:\PerfLogs
[2011.05.29 14:33:37 | 000,000,000 | R--D | M] -- C:\Programme
[2011.05.29 15:06:52 | 000,000,000 | -H-D | M] -- C:\ProgramData
[2010.01.16 22:31:23 | 000,000,000 | -HSD | M] -- C:\Programme
[2010.01.16 22:31:24 | 000,000,000 | -HSD | M] -- C:\Recovery
[2011.01.02 17:13:51 | 000,000,000 | -H-D | M] -- C:\ruu_log
[2011.01.18 16:44:22 | 000,000,000 | -H-D | M] -- C:\speedikon
[2011.05.22 12:16:47 | 000,000,000 | -HSD | M] -- C:\System Volume Information
[2010.01.16 22:31:36 | 000,000,000 | R--D | M] -- C:\Users
[2011.05.15 13:31:24 | 000,000,000 | ---D | M] -- C:\Windows
 
< %PROGRAMFILES%\*.exe >
 
< %LOCALAPPDATA%\*.exe >
 
< %systemroot%\*. /mp /s >
 
 
< MD5 for: EXPLORER.EXE  >
[2009.07.14 03:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009.10.31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\explorer.exe
[2009.10.31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2009.08.03 07:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009.08.03 07:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009.10.31 08:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
 
< MD5 for: REGEDIT.EXE  >
[2009.07.14 03:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\regedit.exe
[2009.07.14 03:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_f4050b883d2c3c08\regedit.exe
 
< MD5 for: USERINIT.EXE  >
[2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe
[2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
 
< MD5 for: WININIT.EXE  >
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe
 
< MD5 for: WINLOGON.EXE  >
[2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe
[2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009.10.28 07:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2009.07.14 03:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"NoAutoRebootWithLoggedOnUsers" = 1
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-04-15 17:24:44
 
<            >

< End of report >

--- --- ---


OTL Extras:

OTL Logfile:
Code:

OTL Extras logfile created on: 29.05.2011 15:22:06 - Run 1
OTL by OldTimer - Version 3.2.23.0    Folder = C:\Users\Florian\Downloads
 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,90 Gb Total Physical Memory | 1,76 Gb Available Physical Memory | 60,60% Memory free
5,80 Gb Paging File | 4,54 Gb Available in Paging File | 78,21% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147,04 Gb Total Space | 16,66 Gb Free Space | 11,33% Space Free | Partition Type: NTFS
Drive E: | 665,39 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: FLORIAN-NB | User Name: Florian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.scr [@ = MicroStation Resource] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DisableUnicastResponsesToMulticastBroadcast" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{05709317-05C6-BED8-3DE2-AB2D8EEAA485}" = twhirl
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{1061DF04-CF33-40B0-8360-D07C9BBEB122}" = HP Wireless Assistant
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4200" = Canon iP4200
"{154E4F71-DFC0-4B31-8D99-F97615031B02}" = HP Webcam Application
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{225DB4AA-3CFF-47E8-B3C8-6DAD713E986E}" = Nokia PC Suite
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{2A697B53-0DE3-42DA-B41D-C3F804B1C538}" = iTunes
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = HP Webcam
"{3FA5E4CC-58ED-4ED0-AC9E-ED0759E9166E}" = RedistSysFiles
"{414EE950-1063-4DD4-8D1B-571C1562B820}" = speedikon Architektur M 8.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D568C38-0552-4CDD-A643-01FAFA2957EF}" = Nokia Software Updater
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57F5CC1D-2E00-4008-8CEC-EFE61B2E58AE}" = Visual Basic for Applications (R) Core - German
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6F6D972C-7D4E-49DF-8F6C-3B367FA9899A}" = VBA (2701.01)
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser und SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90F50409-6000-11D3-8CFE-0150048383C9}" = Visual Basic for Applications (R) Core
"{90F60407-6000-11D3-8CFE-0150048383C9}" = Visual Basic for Applications (R) Core - German
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{991A4895-3346-4980-990F-A1041B73C6F7}" = HP 3D DriveGuard
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A0ADE659-3EB6-4C89-ABED-2DD705531D58}" = Bentley speedikon
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A53A11EA-0095-493F-86FA-A15E8A86A405}" = VMware Player
"{A5A70E61-FEAB-4CEC-977C-BE0EF8DC05AB}" = PC Connectivity Solution
"{ABE09F66-3206-45DD-8409-2F6D5BA15EE5}" = Bentley License Client
"{AC07C34E-ED79-4B0F-A7F6-388112027739}" = Bentley MicroStation V8 XM Edition 08.09.03.66
"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.4 - Deutsch
"{AEACD7BE-7E12-490D-80B2-C7DEBDBD8915}" = Windows 7 Default Setting
"{AED2DD42-9853-407E-A6BC-8A1D6B715909}" = Windows Live Messenger
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CF5F4572-78B4-4AFC-B485-C133AD527832}" = Bentley License Client 08.09
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D2041A37-5FEC-49F0-AE5C-3F2FFDFAA4F4}" = Windows Live Call
"{D9496760-FEA9-4477-ADDE-43C025E6556B}_0" = Bentley MicroStation (V 08.05.00.64) - 1
"{E1CD7FC4-98F6-4A14-A8C8-A01D6F6F8FC3}" = HP SoftPaq Download Manager
"{E6C44758-FF49-47D1-8182-65E3818ACE23}" = AuthenTec TrueSuite
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{EAEFE1C0-EB56-8963-9EC5-A0EB5FBA358D}" = TweetDeck
"{EBB714D5-CE4D-47BF-BF34-23B529B1276F}" = TouchCopy 09
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver
"{F1D7AC58-554A-4A58-B784-B61558B1449A}" = QLBCASL
"{F1FDAA01-988C-423F-AC12-0D8F333943FD}" = Nokia Connectivity Cable Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F5CC2EF8-20A4-4366-A681-3FE849E65809}" = RICOH Media Driver
"{FB97C283-1F3C-42D4-AE01-ADC1DC12F774}" = Visual Basic for Applications (R) Core
"34EA302E7F4CBD17A19E33BBCB72363234956D7E" = Windows-Treiberpaket - Nokia Modem  (06/09/2010 4.5)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows-Treiberpaket - Nokia pccsmcfd  (08/22/2008 7.0.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CANONIJINBOXADDON100" = Canon Inkjet Printer Driver Add-On Module
"CCleaner" = CCleaner
"CopyTrans Suite" = CopyTrans Suite
"CPUID HWMonitor_is1" = CPUID HWMonitor 1.15
"DAEMON Tools Lite" = DAEMON Tools Lite
"de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1" = twhirl
"DivX Setup.divx.com" = DivX-Setup
"Drag_Racer_v3_is1" = Drag_Racer_v3
"EEEE705096F837B7907659F100C9FE6DA001970F" = Windows-Treiberpaket - Nokia Modem  (06/09/2010 7.01.0.7)
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FLAC" = FLAC 1.2.1b (remove only)
"foobar2000" = foobar2000 v1.1.5
"FreePDF_XP" = FreePDF (Remove only)
"GPL Ghostscript 9.00" = GPL Ghostscript 9.00
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.6.1 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Messenger Plus!" = Messenger Plus! 5
"Messenger Plus! Live" = Messenger Plus! Live
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Nokia PC Suite" = Nokia PC Suite
"OpenVPN" = OpenVPN 2.1.1
"Opera" = Opera
"Opera 11.11.2109" = Opera 11.11
"Orbit_is1" = Orbit Downloader
"Patrizier II Gold_is1" = Patrizier II Gold
"PROSet" = Intel(R) Network Connections Drivers
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"Street Challenge - Extreme Velocity" = Street Challenge - Extreme Velocity
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TVWiz" = Intel(R) TV Wizard
"TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1" = TweetDeck
"uTorrent" = µTorrent
"VMware_Player" = VMware Player
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{414EE950-1063-4DD4-8D1B-571C1562B820}" = speedikon M 8.0
"CopyTrans Suite" = Nur Deinstallierung der CopyTrans Suite möglich.
"FileZilla Client" = FileZilla Client 3.3.5.1
"VLFSDash" = VLFSDash
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 28.05.2011 19:54:59 | Computer Name = Florian-NB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 28.05.2011 19:54:59 | Computer Name = Florian-NB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 7301
 
Error - 28.05.2011 19:54:59 | Computer Name = Florian-NB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 7301
 
Error - 29.05.2011 05:07:03 | Computer Name = Florian-NB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 29.05.2011 05:07:08 | Computer Name = Florian-NB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 33131352
 
Error - 29.05.2011 05:07:08 | Computer Name = Florian-NB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 33131352
 
Error - 29.05.2011 08:48:13 | Computer Name = Florian-NB | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum
 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
 
Error - 29.05.2011 08:48:13 | Computer Name = Florian-NB | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum
 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
 
Error - 29.05.2011 09:06:36 | Computer Name = Florian-NB | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum
 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
 
Error - 29.05.2011 09:06:36 | Computer Name = Florian-NB | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum
 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
 
[ OSession Events ]
Error - 05.05.2010 15:25:35 | Computer Name = Florian-NB | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 09.06.2010 13:33:12 | Computer Name = Florian-NB | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 262
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 27.12.2010 06:05:04 | Computer Name = Florian-NB | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 16
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 25.04.2011 05:07:55 | Computer Name = Florian-NB | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 25
 seconds with 0 seconds of active time.  This session ended with a crash.
 
[ System Events ]
Error - 29.05.2011 09:19:50 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
Error - 29.05.2011 09:19:54 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
Error - 29.05.2011 09:19:54 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
Error - 29.05.2011 09:19:54 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
Error - 29.05.2011 09:19:56 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
Error - 29.05.2011 09:19:56 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
Error - 29.05.2011 09:19:56 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
Error - 29.05.2011 09:21:18 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
Error - 29.05.2011 09:21:18 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
Error - 29.05.2011 09:21:18 | Computer Name = Florian-NB | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Arbeitsstationsdienst"
 abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1058
 
 
< End of report >

--- --- ---


Anti-Malware 1:
Quote:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 6713

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

29.05.2011 15:58:30
mbam-log-2011-05-29 (15-58-30).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Durchsuchte Objekte: 253900
Laufzeit: 50 Minute(n), 34 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
Anti-Malware 2:

Quote:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 6713

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

29.05.2011 15:05:19
mbam-log-2011-05-29 (15-05-19).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 149517
Laufzeit: 5 Minute(n), 23 Sekunde(n)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3

Infizierte Speicherprozesse:
c:\programdata\utyutxppbb.exe (Trojan.FakeMS) -> 3296 -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UtYUtxpPbB (Trojan.FakeMS) -> Value: UtYUtxpPbB -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\programdata\utyutxppbb.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\Florian\AppData\Local\Temp\tmpBC00.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\programdata\29613816.exe (Trojan.Agent) -> Quarantined and deleted successfully.

cosinus 30.05.2011 14:59

Quote:

In any case I then immediately ran Anti-Malware and had all 8 problems it found removed.
Please post that log as well. You have "only" posted one log with no findings and one with just 5 findings.

DaDude 30.05.2011 17:14

Oops, that was a typo. It was apparently only 5. I only have those two logs so far.

I have now also run unhide.exe, so everything is working again for the most part. I'm just not sure whether the thing is completely gone.

I should probably also set that "aggressive mode" from the forum in Avira in general, right?

cosinus 30.05.2011 18:44

Do an OTL fix: close all programs that may be open, also deactivate the virus scanner (!), start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom of OTL): (the ":OTL" must be copied along with it!!!)

Code:

:OTL
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2003.02.10 17:42:58 | 000,133,840 | R--- | M] () - E:\Auto.bmp -- [ CDFS ]
O32 - AutoRun File - [2002.05.19 14:43:42 | 000,448,032 | R--- | M] () - E:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2003.02.10 18:04:34 | 000,000,057 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{9c9f6ea8-6785-11e0-8c81-002186353506}\Shell - "" = AutoRun
O33 - MountPoints2\{9c9f6ea8-6785-11e0-8c81-002186353506}\Shell\AutoRun\command - "" = E:\pointsoft.exe -- [2003.02.17 19:52:32 | 000,021,536 | R--- | M] ()
[2011.05.29 14:30:37 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~29613816r
[2011.05.29 14:30:37 | 000,000,104 | -H-- | M] () -- C:\ProgramData\~29613816
[2011.05.29 14:30:36 | 000,000,635 | -H-- | M] () -- C:\Users\Florian\Desktop\Windows 7 Recovery.lnk
[2011.05.29 14:30:21 | 000,000,336 | -H-- | M] () -- C:\ProgramData\29613816
:Commands
[purity]
[resethosts]

Then click the Fix! button at the top left.
The logfile should open when you click OK after fixing; please post it. The computer may be restarted.

As a precaution, the entries, files and folders fixed by this script are not completely deleted; a backup copy is created on the system partition in the "_OTL" folder.
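
The fix script above was assembled by hand from the OTL listing. The file-level indicators are hidden (-H--) entries with no company name, dropped into the root of C:\ProgramData and onto the user's Desktop within seconds of each other, alongside the random-named Run value and dropper that Malwarebytes had already quarantined. The following Python script is an added example, not part of this thread and not OTL's own code, that applies the same triage rule to OTL file-entry lines and emits a matching ":OTL" fix block. The line pattern is inferred from the log lines on this page rather than from an OTL specification, the sample lines are copied from the log and fix script above, and the anchor timestamp 14:30:21 is simply the earliest modification time among the files cosinus flagged.

```python
"""Triage OTL file-entry lines for FakeHDD-style rogue indicators.

Added example; the parsing pattern is inferred from the log lines posted
in this thread, not from an OTL specification.
"""
import re
from datetime import datetime, timedelta

# One OTL file entry as it appears in the posted log:
#   [YYYY.MM.DD HH:MM:SS | size | attrs | M] (company) -- path
# Directory entries omit the "(company)" part, so that group is optional.
OTL_FILE_LINE = re.compile(
    r"^\[(?P<mtime>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| M\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Constructed sample: the four file lines from the fix script in this thread
# plus two benign entries from the same OTL log (a hidden directory and a
# visible, old system file) to show what the rule must leave alone.
SAMPLE_LINES = r"""
[2011.05.27 22:45:44 | 000,000,000 | -H-D | M] -- C:\Users\Florian\AppData\Roaming\foobar2000
[2009.07.14 06:53:46 | 000,022,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011.05.29 14:30:37 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~29613816r
[2011.05.29 14:30:37 | 000,000,104 | -H-- | M] () -- C:\ProgramData\~29613816
[2011.05.29 14:30:36 | 000,000,635 | -H-- | M] () -- C:\Users\Florian\Desktop\Windows 7 Recovery.lnk
[2011.05.29 14:30:21 | 000,000,336 | -H-- | M] () -- C:\ProgramData\29613816
""".strip().splitlines()

# Earliest modification time among the files in the fix script above; used
# as the anchor for the "dropped together" time window (assumption).
INFECTION_ANCHOR = datetime(2011, 5, 29, 14, 30, 21)


def parse_otl_line(line):
    """Return a dict for one OTL file entry, or None if the line is not one."""
    m = OTL_FILE_LINE.match(line.strip())
    if m is None:
        return None
    attrs = m["attrs"]
    return {
        "mtime": datetime.strptime(m["mtime"], "%Y.%m.%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "hidden": "H" in attrs,
        "is_dir": attrs.endswith("D"),
        "company": m["company"] or "",   # None when the group is absent
        "path": m["path"],
        "raw": line.strip(),
    }


def rogue_indicators(lines, anchor=INFECTION_ANCHOR, window=timedelta(minutes=10)):
    """Paths of hidden, company-less, non-directory files modified within
    `window` of `anchor` in the two drop locations this rogue used: the root
    of C:\\ProgramData and the user's Desktop."""
    hits = []
    for line in lines:
        e = parse_otl_line(line)
        if e is None or e["is_dir"] or not e["hidden"] or e["company"]:
            continue
        if abs(e["mtime"] - anchor) > window:
            continue
        parent = e["path"].lower().rsplit("\\", 1)[0]
        if parent == "c:\\programdata" or parent.endswith("\\desktop"):
            hits.append(e["path"])
    return hits


def to_otl_fix(lines, anchor=INFECTION_ANCHOR, window=timedelta(minutes=10)):
    """Emit an OTL fix block in the shape used in this thread: the flagged
    log lines verbatim under ':OTL', then the ':Commands' section."""
    flagged = set(rogue_indicators(lines, anchor, window))
    body = []
    for line in lines:
        e = parse_otl_line(line)
        if e is not None and e["path"] in flagged:
            body.append(e["raw"])
    return "\n".join([":OTL", *body, ":Commands", "[purity]", "[resethosts]"])


if __name__ == "__main__":
    for path in rogue_indicators(SAMPLE_LINES):
        print("indicator:", path)
    print(to_otl_fix(SAMPLE_LINES))
```

The rule is a triage aid, not a verdict: a legitimately hidden, unsigned file the user happened to create in the same minutes would be flagged too, so every hit still needs a reviewer's judgement before it goes into a fix script. The O32/O33 autorun and MountPoints2 entries in the script above come from OTL's autorun sections, not from the file listing, and are outside what this parser handles.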

DaDude 30.05.2011 20:23

Hi Arne, and thanks already!

Here is the logfile:
Quote:

========== OTL ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\autoexec.bat moved successfully.
File move failed. E:\Auto.bmp scheduled to be moved on reboot.
File move failed. E:\autorun.exe scheduled to be moved on reboot.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c9f6ea8-6785-11e0-8c81-002186353506}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9c9f6ea8-6785-11e0-8c81-002186353506}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c9f6ea8-6785-11e0-8c81-002186353506}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9c9f6ea8-6785-11e0-8c81-002186353506}\ not found.
File move failed. E:\pointsoft.exe scheduled to be moved on reboot.
File C:\ProgramData\~29613816r not found.
File C:\ProgramData\~29613816 not found.
File C:\Users\Florian\Desktop\Windows 7 Recovery.lnk not found.
File C:\ProgramData\29613816 not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.23.0 log created on 05302011_211833

Files\Folders moved on Reboot...
File\Folder E:\Auto.bmp not found!
File\Folder E:\autorun.exe not found!
File\Folder E:\autorun.inf not found!
File\Folder E:\pointsoft.exe not found!

Registry entries deleted on Reboot...
Regards,
Florian

cosinus 30.05.2011 21:03

Please now run this tool from Kaspersky and post the log => http://www.trojaner-board.de/82358-t...entfernen.html

Set the tool up as shown in the picture below, i.e. tick both boxes, click Start scan, and when it has finished click the Report button to display the log. Please post this in full.

http://www.trojaner-board.de/attachm...rnen-start.png


If the infection prevents you from accessing your documents/My Documents, please run unhide:
Please download unhide.exe and save this file to your desktop.
Start the tool and all files and folders should be visible again. (This may take a while.)
Vista and 7 users must run the tool via right-click as Administrator!

DaDude 30.05.2011 21:25

Unfortunately the tool doesn't start... ?? What could be the reason?

cosinus 31.05.2011 07:58

Then please run CF first; we'll try tdsskiller again afterwards.

ComboFix

A guide and tutorial on using ComboFix
  • Download ComboFix here to your desktop. Rename it to cofi.exe when downloading.
http://saved.im/mtm0nzyzmzd5/cofi.jpg
  • Close all programs, above all your antivirus program and other background guards, as well as your Internet browser.
  • Start cofi.exe from your desktop, confirm the warnings, perform the updates (if suggested), install the Recovery Console (if suggested) and let it scan your system.
    Also avoid using the mouse and keyboard while Combofix is running.
  • Afterwards a combofix.txt opens automatically; please copy its contents ([Ctrl]a, [Ctrl]c) and paste them into your post ([Ctrl]v). You can also find the file at: C:\ComboFix.txt.
Important note:
Combofix may only be run when a Kompetenzler (forum helper) has expressly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even more difficult.

DaDude 31.05.2011 17:20

Here is the log,

is it normal that the desktop shortcuts no longer work now and give a registry error?

Combofix Logfile:
Code:

ComboFix 11-05-30.08 - Florian 31.05.2011  18:03:14.1.2 - x86
Microsoft Windows 7 Home Premium  6.1.7600.0.1252.49.1031.18.2972.2131 [GMT 2:00]
ausgeführt von:: c:\users\Florian\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
(((((((((((((((((((((((  Dateien erstellt von 2011-04-28 bis 2011-05-31  ))))))))))))))))))))))))))))))
.
.
2011-05-31 16:07 . 2011-05-31 16:07        --------        d-----w-        c:\users\Default\AppData\Local\temp
2011-05-30 19:18 . 2011-05-30 19:18        --------        d-----w-        C:\_OTL
2011-05-29 12:33 . 2011-05-29 12:33        --------        d-----w-        c:\users\Florian\AppData\Roaming\Malwarebytes
2011-05-29 12:33 . 2010-12-20 16:09        38224        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 12:33 . 2011-05-29 12:33        --------        d-----w-        c:\programdata\Malwarebytes
2011-05-29 12:33 . 2011-05-29 13:05        --------        d-----w-        c:\program files\Malwarebytes' Anti-Malware
2011-05-15 11:31 . 2011-05-15 11:31        --------        d-----w-        c:\windows\Sun
2011-05-15 11:30 . 2011-05-15 11:34        --------        d-----w-        c:\users\Florian\AppData\Local\FLVService
2011-05-15 11:30 . 2011-05-15 11:30        --------        d-----w-        c:\windows\Freecorder
2011-05-01 17:14 . 2011-05-01 17:14        --------        d-----w-        c:\users\Florian\AppData\Local\SkinSoft
2011-05-01 17:13 . 2011-05-01 17:14        --------        d-----w-        c:\program files\Street Challenge
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-22 13:19 . 2011-04-22 13:19        218688        ----a-w-        c:\windows\system32\drivers\dtsoftbus01.sys
2011-04-14 14:30 . 2011-04-15 17:24        6792528        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{4D0AD09C-481A-4000-A3B1-9058CB8AAE4C}\mpengine.dll
2011-03-11 05:40 . 2011-04-15 17:08        1164288        ----a-w-        c:\windows\system32\mfc42u.dll
2011-03-11 05:40 . 2011-04-15 17:08        1137664        ----a-w-        c:\windows\system32\mfc42.dll
2011-03-08 05:38 . 2011-04-15 17:08        740864        ----a-w-        c:\windows\system32\inetcomm.dll
2011-03-03 05:29 . 2011-04-15 17:08        132608        ----a-w-        c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27 . 2011-04-15 17:08        28672        ----a-w-        c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31 . 2011-04-15 17:08        2331136        ----a-w-        c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"RMClock"="c:\programme\RMClock\RMClockLauncher.exe" [2008-02-29 61440]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-09-01 499768]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-16 1314816]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2010-06-17 370176]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1246544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\herbert.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 11:28        72208        ----a-w-        c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^Florian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=c:\users\Florian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=c:\windows\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07        932288        ----a-r-        c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44        35760        ----a-w-        c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04        1164584        ----a-w-        c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 13:33        421160        ----a-w-        c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-05-14 08:32        1479680        ----a-w-        c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 15:38        421888        ----a-w-        c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-07-14 01:14        1173504        ----a-w-        c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 09:43        248040        ----a-w-        c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2009-09-30 19:20        64048        ----a-w-        c:\program files\VMware\VMware Player\hqtray.exe
.
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000-Serie - Adaptertreiber für Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-16 691696]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-04-22 218688]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-01-16 108289]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2009-07-08 26168]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2009-09-30 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-09-30 563760]
S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-12-03 625224]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-12 221912]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [2009-06-17 40720]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [2009-06-17 10384]
S3 NETw5s32;Intel(R) Wireless WiFi Link Adaptertreiber für Windows 7 32-Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Florian\AppData\Roaming\Mozilla\Firefox\Profiles\5r8bm6t8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2319825&SearchSource=13
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Ant Video Downloader: anttoolbar@ant.com - %profile%\extensions\anttoolbar@ant.com
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: YouTube Video Download Wizard: ytvdw@pgport.com - %profile%\extensions\ytvdw@pgport.com
.
.
------- Dateityp-Verknüpfung -------
.
.scr=MicroStation Resource
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-CopyTrans Suite - c:\program files\CopyTrans Suite\Uninstall.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'Explorer.exe'(2900)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ger.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\AEADISRV.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\consent.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Shared\hpqToaster.exe
c:\program files\Hewlett-Packard\Shared\hpCaslNotification.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Zeit der Fertigstellung: 2011-05-31  18:13:18 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2011-05-31 16:13
.
Vor Suchlauf: 13 Verzeichnis(se), 19.297.181.696 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 19.066.810.368 Bytes frei
.
- - End Of File - - 545C5405EE410C8B9B53D0CE6A95ACEA

--- --- ---

cosinus 31.05.2011 18:23

Quote:

is it normal that the desktop shortcuts no longer work now and give a registry error?
After CF, please restart Windows!

DaDude 31.05.2011 18:31

Ah OK. That was it. And now run the Kaspersky tool?

cosinus 31.05.2011 18:43

Yes, exactly:

Please now run this tool from Kaspersky and post the log => http://www.trojaner-board.de/82358-t...entfernen.html

Set the tool up as shown in the picture below, i.e. tick both boxes, click Start scan, and when it has finished click the Report button to display the log. Please post this in full.

http://www.trojaner-board.de/attachm...rnen-start.png


If the infection prevents you from accessing your documents/My Documents, please run unhide:
Please download unhide.exe and save this file to your desktop.
Start the tool and all files and folders should be visible again. (This may take a while.)
Vista and 7 users must run the tool via right-click as Administrator!

DaDude 31.05.2011 18:55

Hm, it still doesn't start. Same with the latest version from the Kaspersky site.

cosinus 31.05.2011 19:48

OK. Now please create logs with GMER and OSAM and post them.
GMER crashes quite often; if the tool won't run the second time either, just skip it and only run OSAM - please skip the online query by OSAM.
With OSAM, please also make sure you save the log as *.log and not as *.html or similar.


Afterwards, please download MBRCheck (by a_d_13) and save the file to the desktop.
  • Double-click MBRCheck.exe.
    Vista and Win7 users: right-click and "Run as administrator"
  • The tool only takes a few seconds.
  • Afterwards you should find a MBRCheck_<Date>_<Time>.txt on the desktop.
Please post me the contents of the .txt document

DaDude 31.05.2011 20:38

1. GMER (Spits out a hell of a lot of findings imho, doesn't it? I think after this I should apply here as an apprentice... :) )

GMER Logfile:
Code:

GMER 1.0.15.15640 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-31 21:36:45
Windows 6.1.7600  Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9160823AS rev.3.AHE
Running: grhbqswj.exe; Driver: C:\Users\Florian\AppData\Local\Temp\pwdirpob.sys


---- System - GMER 1.0.15 ----

SSDT            94D71484                                                                                                            ZwCreateThread
SSDT            94D71470                                                                                                            ZwOpenProcess
SSDT            94D71475                                                                                                            ZwOpenThread
SSDT            94D7147F                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text          ntoskrnl.exe!ZwSaveKeyEx + 13B1                                                                                    82C458A9 1 Byte  [06]
.text          ntoskrnl.exe!KiDispatchInterrupt + 5A2                                                                              82C65312 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text          ntoskrnl.exe!KeRemoveQueueEx + 14C3                                                                                82C6C6D0 4 Bytes  [84, 14, D7, 94] {TEST [EDI+EDX*8], DL; XCHG ESP, EAX}
.text          ntoskrnl.exe!KeRemoveQueueEx + 165F                                                                                82C6C86C 4 Bytes  [70, 14, D7, 94] {JO 0x16; XLATB ; XCHG ESP, EAX}
.text          ntoskrnl.exe!KeRemoveQueueEx + 167F                                                                                82C6C88C 4 Bytes  [75, 14, D7, 94] {JNZ 0x16; XLATB ; XCHG ESP, EAX}
.text          ntoskrnl.exe!KeRemoveQueueEx + 192F                                                                                82C6CB3C 4 Bytes  [7F, 14, D7, 94] {JG 0x16; XLATB ; XCHG ESP, EAX}
?              System32\Drivers\spiy.sys                                                                                          Das System kann den angegebenen Pfad nicht finden. !
PAGE            ataport.SYS!DllUnload + 1                                                                                          8BC7FAD7 4 Bytes  JMP 855EE1D9
.text          USBPORT.SYS!DllUnload                                                                                              95EC6CA0 5 Bytes  JMP 869721D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT            \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoDetachDevice]                                                  [8BA3ADDC] \SystemRoot\System32\Drivers\spiy.sys
IAT            \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]                                      [8BA3AE30] \SystemRoot\System32\Drivers\spiy.sys
IAT            \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar]                                            [8BA10042] \SystemRoot\System32\Drivers\spiy.sys
IAT            \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar]                                          [8BA106D6] \SystemRoot\System32\Drivers\spiy.sys
IAT            \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]                                    [8BA10800] \SystemRoot\System32\Drivers\spiy.sys
IAT            \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]                                    [8BA1013E] \SystemRoot\System32\Drivers\spiy.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT            C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]              [75C75E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT            C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                [75C75E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT            C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]              [75C75E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT            C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]            [75C75E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                              855F51F8
Device          \FileSystem\fastfat \FatCdrom                                                                                      869581F8

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                                            VMkbd.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                                            Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                                            VMkbd.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                                            Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)

Device          \Driver\volmgr \Device\VolMgrControl                                                                                855F01F8
Device          \Driver\usbuhci \Device\USBPDO-0                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBPDO-0                                                                                    hcmon.sys
Device          \Driver\usbuhci \Device\USBPDO-1                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBPDO-1                                                                                    hcmon.sys
Device          \Driver\usbuhci \Device\USBPDO-2                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBPDO-2                                                                                    hcmon.sys
Device          \Driver\usbehci \Device\USBPDO-3                                                                                    8691F500
Device          \Driver\usbehci \Device\USBPDO-3                                                                                    hcmon.sys
Device          \Driver\usbuhci \Device\USBPDO-4                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBPDO-4                                                                                    hcmon.sys
Device          \Driver\usbuhci \Device\USBPDO-5                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBPDO-5                                                                                    hcmon.sys
Device          \Driver\ACPI_HAL \Device\00000056                                                                                  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device          \Driver\usbuhci \Device\USBPDO-6                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBPDO-6                                                                                    hcmon.sys
Device          \Driver\volmgr \Device\HarddiskVolume1                                                                              855F01F8

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                              rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device          \Driver\usbehci \Device\USBPDO-7                                                                                    8691F500
Device          \Driver\usbehci \Device\USBPDO-7                                                                                    hcmon.sys
Device          \Driver\NetBT \Device\NetBT_Tcpip_{15B4A1FC-D5CB-403B-9346-9DBA1CE7BA3B}                                            8681E1F8
Device          \Driver\cdrom \Device\CdRom0                                                                                        867871F8
Device          \Driver\volmgr \Device\HarddiskVolume2                                                                              855F01F8

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                              rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0                                                                        855F21F8
Device          \Driver\atapi \Device\Ide\IdePort0                                                                                  855F21F8
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                  855F21F8
Device          \Driver\atapi \Device\Ide\IdePort2                                                                                  855F21F8
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1                                                                        855F21F8
Device          \Driver\msahci \Device\Ide\PciIde0Channel0                                                                          855F31F8
Device          \Driver\msahci \Device\Ide\PciIde0Channel1                                                                          855F31F8
Device          \Driver\msahci \Device\Ide\PciIde0Channel5                                                                          855F31F8
Device          \Driver\cdrom \Device\CdRom1                                                                                        867871F8
Device          \Driver\usbhub \Device\USBPDO-9                                                                                    hcmon.sys
Device          \Driver\usbhub \Device\00000080                                                                                    hcmon.sys
Device          \Driver\usbhub \Device\00000081                                                                                    hcmon.sys
Device          \Driver\usbhub \Device\USBPDO-11                                                                                    hcmon.sys
Device          \Driver\usbhub \Device\00000082                                                                                    hcmon.sys
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                            8681E1F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{7DC4A59F-D737-4989-A767-408E79C994E0}                                            8681E1F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{2F36CA64-9AD7-4EDB-AB7B-519CAB1AD821}                                            8681E1F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{F568D7CA-13F1-4A69-8D35-4AFBE2B8BC99}                                            8681E1F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{2973FC4E-761D-4073-9EA5-04BE51247E09}                                            8681E1F8
Device          \Driver\usbuhci \Device\USBFDO-0                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBFDO-0                                                                                    hcmon.sys
Device          \Driver\usbuhci \Device\USBFDO-1                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBFDO-1                                                                                    hcmon.sys
Device          \Driver\usbuhci \Device\USBFDO-2                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBFDO-2                                                                                    hcmon.sys
Device          \Driver\usbhub \Device\0000007b                                                                                    hcmon.sys
Device          \Driver\usbehci \Device\USBFDO-3                                                                                    8691F500
Device          \Driver\usbehci \Device\USBFDO-3                                                                                    hcmon.sys
Device          \Driver\usbhub \Device\0000007c                                                                                    hcmon.sys
Device          \Driver\usbuhci \Device\USBFDO-4                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBFDO-4                                                                                    hcmon.sys
Device          \Driver\usbhub \Device\0000007d                                                                                    hcmon.sys
Device          \Driver\usbuhci \Device\USBFDO-5                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBFDO-5                                                                                    hcmon.sys
Device          \Driver\usbhub \Device\0000007e                                                                                    hcmon.sys
Device          \Driver\usbuhci \Device\USBFDO-6                                                                                    869781F8
Device          \Driver\usbuhci \Device\USBFDO-6                                                                                    hcmon.sys
Device          \Driver\usbhub \Device\0000007f                                                                                    hcmon.sys
Device          \Driver\usbehci \Device\USBFDO-7                                                                                    8691F500
Device          \Driver\usbehci \Device\USBFDO-7                                                                                    hcmon.sys
Device          \FileSystem\fastfat \Fat                                                                                            869581F8

AttachedDevice  \FileSystem\fastfat \Fat                                                                                            fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread          System [4:264]                                                                                                      865D5E7A
Thread          System [4:268]                                                                                                      865D8008

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002186353506                                       
Reg            HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002186353506@00254802b86c                            0xDD 0x93 0xD0 0x1A ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002186353506@00224888b3fe                            0xA6 0xCA 0x02 0xC8 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002186353506@00224888a17a                            0xAE 0x54 0xA6 0x43 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002186353506@902155ad6728                            0xD0 0x14 0x49 0xD1 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1                                                                  771343423
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2                                                                  285507792
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0                                                                  1
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                   
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                C:\Programme\DAEMON Tools Lite\
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                0xD4 0xC3 0x97 0x02 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                0
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x55 0x89 0xDC 0x97 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                         
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                    0x69 0x03 0xC5 0xEF ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                     
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0xB2 0x7A 0x1E 0xC8 ...
Reg            HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002186353506 (not active ControlSet)                   
Reg            HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002186353506@00254802b86c                                0xDD 0x93 0xD0 0x1A ...
Reg            HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002186353506@00224888b3fe                                0xA6 0xCA 0x02 0xC8 ...
Reg            HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002186353506@00224888a17a                                0xAE 0x54 0xA6 0x43 ...
Reg            HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002186353506@902155ad6728                                0xD0 0x14 0x49 0xD1 ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)               
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                    C:\Programme\DAEMON Tools Lite\
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                    0xD4 0xC3 0x97 0x02 ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                    0
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x55 0x89 0xDC 0x97 ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)     
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                        0x69 0x03 0xC5 0xEF ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0xB2 0x7A 0x1E 0xC8 ...

---- EOF - GMER 1.0.15 ----

--- --- ---

DaDude 31.05.2011 20:47

2. OSAM, MBRCheck follows

OSAM Logfile:
Code:

Report of OSAM: Autorun Manager v5.0.11926.0
Online Solutions. Complex Protection for Information Systems
Saved at 21:45:55 on 31.05.2011

OS: Windows 7 Home Premium Edition (Build 7600), 32-bit
Default Browser: Opera Software Opera Internet Browser 11.11

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"DivXControlPanelApplet.cpl" - "DivX, Inc." - C:\Windows\system32\DivXControlPanelApplet.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"HP 3D DriveGuard" - "Hewlett-Packard" - C:\Program Files\Hewlett-Packard\HP 3D DriveGuard\hpaccelerometercp.CPL
"mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\MLCFG32.CPL
"NokiaConnectionManager" - "Nokia" - C:\PROGRA~1\Nokia\NOKIAP~1\CONNEC~1.CPL
"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl
"SoundMAX" - "Analog Devices, Inc." - C:\Program Files\Analog Devices\SoundMAX\soundmax.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"az1gvk2h" (az1gvk2h) - ? - C:\Windows\system32\drivers\az1gvk2h.sys  (Hidden registry entry, rootkit activity | File not found)
"catchme" (catchme) - ? - C:\Users\Florian\AppData\Local\Temp\catchme.sys  (File not found)
"cpuz132" (cpuz132) - "Windows (R) Codename Longhorn DDK provider" - C:\Windows\system32\drivers\cpuz132_x32.sys
"HTC Device Driver" (HTCAND32) - "HTC, Corporation" - C:\Windows\System32\Drivers\ANDROIDUSB.sys
"Microsoft IntelliPoint Filter Driver" (Point32) - "Microsoft Corporation" - C:\Windows\System32\DRIVERS\point32k.sys
"RTCore32" (RTCore32) - ? - C:\Programme\RMClock\RTCore32.sys  (File found, but it contains no detailed information)
"Speichervolumes" (volsnap) - ? - C:\Windows\System32\DRIVERS\volsnap.sys  (File found, but it contains no detailed information)
"sptd" (sptd) - "Duplex Secure Ltd." - C:\Windows\System32\Drivers\sptd.sys  (File is exclusively opened, access blocked)
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
"VMware hcmon" (hcmon) - "VMware, Inc." - C:\Windows\system32\drivers\hcmon.sys
"VMware kbd" (vmkbd) - "VMware, Inc." - C:\Windows\system32\drivers\VMkbd.sys
"VMware Network Application Interface" (VMnetuserif) - "VMware, Inc." - C:\Windows\system32\drivers\vmnetuserif.sys
"VMware vmci" (vmci) - "VMware, Inc." - C:\Windows\system32\Drivers\vmci.sys
"VMware vmx86" (vmx86) - "VMware, Inc." - C:\Windows\system32\Drivers\vmx86.sys
"Vstor2 WS60 Virtual Storage Driver" (vstor2-ws60) - "VMware, Inc." - C:\Program Files\VMware\VMware Player\vstor2-ws60.sys

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
{828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WIC4A1~1\MESSEN~1\msgrapp.14.0.8117.0416.dll
{828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WIC4A1~1\MESSEN~1\msgrapp.14.0.8117.0416.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{D8D1CE8C-B1EB-4E95-B63B-1531BA60E992} "DivX Property Handler" - "DivX, Inc." - C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXPropertyHandler.dll
{83238FAE-D346-4E12-8734-D42F7554B3E6} "DivX Thumbnail Provider" - "DivX, Inc." - C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXThumbnailProvider.dll
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Program Files\iTunes\iTunesMiniPlayer.dll
{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C} "KbLogiExt Class" - "Logitech, Inc." - C:\Program Files\Logitech\SetPoint\kbcplext.dll
{B9B9F083-2B04-452A-8691-83694AC1037B} "LogiExt Class" - "Logitech, Inc." - C:\Program Files\Logitech\SetPoint\mcplext.dll
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} "Nokia Phone Browser" - "Nokia" - C:\Program Files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Programme\WinRAR\rarext.dll

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
ITBar7Height "ITBar7Height" - ? -  (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_20" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} "Java Plug-in 1.6.0_20" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_20" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_20.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
"ICQ7.2" - "ICQ, LLC." - C:\Program Files\ICQ7.2\ICQ.exe
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{000123B4-9B42-4900-B3F7-F4B073EFC214} "Octh Class" - "Orbitdownloader.com" - C:\Program Files\Orbitdownloader\orbitcth.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{5C255C8A-E604-49b4-9D64-90988571CECB} "{5C255C8A-E604-49b4-9D64-90988571CECB}" - ? -  (File not found | COM-object registry key not found)

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Florian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"DAEMON Tools Lite" - "DT Soft Ltd" - "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
"msnmsgr" - "Microsoft Corporation" - "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
"RMClock" - "NGO Science Center "RightMark"" - C:\Programme\RMClock\RMClockLauncher.exe
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"FreePDF Assistant" - "shbox.de" - C:\Program Files\FreePDF_XP\fpassist.exe
"iTunesHelper" - "Apple Inc." - "C:\Program Files\iTunes\iTunesHelper.exe"
"Malwarebytes' Anti-Malware (reboot)" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\herbert.exe" /runcleanupscript
"QlbCtrl.exe" - " Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"WirelessAssistant" - "Hewlett-Packard" - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Redirected Port" - ? - C:\Windows\system32\redmonnt.dll  (File found, but it contains no detailed information)
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"Com4QLBEx" (Com4QLBEx) - "Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
"Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe
"hpqwmiex" (hpqwmiex) - "Hewlett-Packard Company" - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe
"Logitech Bluetooth Service" (LBTServ) - "Logitech, Inc." - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"OpenVPN Service" (OpenVPNService) - ? - C:\Program Files\OpenVPN\bin\openvpnserv.exe  (File found, but it contains no detailed information)
"ServiceLayer" (ServiceLayer) - "Nokia" - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"VMware Agent Service" (ufad-ws60) - "VMware, Inc." - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
"VMware Authorization Service" (VMAuthdService) - "VMware, Inc." - C:\Program Files\VMware\VMware Player\vmware-authd.exe
"VMware DHCP Service" (VMnetDHCP) - "VMware, Inc." - C:\Windows\system32\vmnetdhcp.exe
"VMware NAT Service" (VMware NAT Service) - "VMware, Inc." - C:\Windows\system32\vmnat.exe
"VMware USB Arbitration Service" (VMUSBArbService) - "VMware, Inc." - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

[Winlogon]
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"LBTWlgn" - "Logitech, Inc." - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries )-----
"VMCI sockets DGRAM" - "VMware, Inc." - C:\Program Files\VMware\VMware Player\vsocklib.dll
"VMCI sockets STREAM" - "VMware, Inc." - C:\Program Files\VMware\VMware Player\vsocklib.dll

===[ Logfile end ]=========================================[ Logfile end ]===

--- --- ---

If You have questions or want to get some help, You can visit Online Solutions :: Index

DaDude 31.05.2011 20:48

And here now the MBRCheck

Quote:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP EliteBook 6930p
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 228):
0x82C0A000 \SystemRoot\system32\ntoskrnl.exe
0x8300B000 \SystemRoot\system32\halmacpi.dll
0x80BD2000 \SystemRoot\system32\kdcom.dll
0x8B818000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8B890000 \SystemRoot\system32\PSHED.dll
0x8B8A1000 \SystemRoot\system32\BOOTVID.dll
0x8B8A9000 \SystemRoot\system32\CLFS.SYS
0x8B8EB000 \SystemRoot\system32\CI.dll
0x8B996000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8BA07000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8BA15000 \SystemRoot\System32\Drivers\spdo.sys
0x8BB08000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x8BB11000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x8BB37000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x8BB7F000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x8BB87000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x8BB92000 \SystemRoot\system32\DRIVERS\pci.sys
0x8BBBC000 \SystemRoot\System32\drivers\partmgr.sys
0x8BBCD000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8BBD5000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8BBE0000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x8BC27000 \SystemRoot\System32\drivers\volmgrx.sys
0x8BC72000 \SystemRoot\System32\drivers\mountmgr.sys
0x8BC88000 \SystemRoot\system32\DRIVERS\atapi.sys
0x8BC91000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x8BCB4000 \SystemRoot\system32\DRIVERS\msahci.sys
0x8BCBE000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x8BCCC000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x8BCD5000 \SystemRoot\system32\drivers\fltmgr.sys
0x8BD09000 \SystemRoot\system32\drivers\fileinfo.sys
0x8BD1A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8BE49000 \SystemRoot\System32\Drivers\msrpc.sys
0x8BE74000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8BE87000 \SystemRoot\System32\Drivers\cng.sys
0x8BEE4000 \SystemRoot\System32\drivers\pcw.sys
0x8BEF2000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8BEFB000 \SystemRoot\system32\drivers\ndis.sys
0x8BFB2000 \SystemRoot\system32\drivers\NETIO.SYS
0x8BC00000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8C013000 \SystemRoot\System32\drivers\tcpip.sys
0x8C15C000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8C18D000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x8C1CC000 \SystemRoot\System32\Drivers\spldr.sys
0x8C1D4000 \SystemRoot\System32\drivers\rdyboost.sys
0x8C201000 \SystemRoot\System32\Drivers\mup.sys
0x8C211000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8C219000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
0x8C222000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8C254000 \SystemRoot\system32\DRIVERS\disk.sys
0x8C265000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8C2BD000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C2DC000 \SystemRoot\System32\Drivers\Null.SYS
0x8C2E3000 \SystemRoot\System32\Drivers\Beep.SYS
0x8C2EA000 \SystemRoot\System32\drivers\vga.sys
0x8C2F6000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8C317000 \SystemRoot\System32\drivers\watchdog.sys
0x8C324000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8C32C000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8C334000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8C33C000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8C347000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8C355000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8C36C000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8C377000 \SystemRoot\system32\drivers\afd.sys
0x9203B000 \SystemRoot\System32\DRIVERS\netbt.sys
0x9206D000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x92076000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x9207D000 \SystemRoot\system32\DRIVERS\pacer.sys
0x9209C000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x920AD000 \SystemRoot\system32\DRIVERS\netbios.sys
0x920BB000 \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
0x920F6000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x92109000 \SystemRoot\system32\DRIVERS\termdd.sys
0x92119000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x9211F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x92160000 \SystemRoot\system32\drivers\nsiproxy.sys
0x9216A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x92174000 \SystemRoot\System32\drivers\discache.sys
0x92180000 \SystemRoot\System32\Drivers\dfsc.sys
0x92198000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x921A6000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x921C2000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0x921C4000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x921E5000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x95421000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x95D41000 \SystemRoot\System32\Drivers\fastfat.SYS
0x95D6B000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x95E22000 \SystemRoot\System32\drivers\dxgmms1.sys
0x95E5B000 \SystemRoot\system32\DRIVERS\e1y6232.sys
0x95E95000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x95EA0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x95EEB000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x95EFA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x96806000 \SystemRoot\system32\DRIVERS\NETw5s32.sys
0x96E82000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x96E8C000 \SystemRoot\system32\drivers\sdbus.sys
0x96EA5000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x96EB6000 \SystemRoot\system32\drivers\tpm.sys
0x96EC2000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x96EDA000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x96EE3000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x96EF0000 \??\C:\Windows\system32\drivers\VMkbd.sys
0x921F7000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x96EF5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x96EF7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x96F04000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x96F0A000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0x96F15000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x96F19000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0x96F1C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x96F2F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x96F36000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x96F3F000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x96F4C000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x96F5E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x96F76000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x96F81000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x96FA3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x96FBB000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x96FD2000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x96FE9000 \SystemRoot\system32\DRIVERS\tap0901.sys
0x96FF0000 \SystemRoot\system32\DRIVERS\swenum.sys
0x95F19000 \SystemRoot\system32\DRIVERS\ks.sys
0x96FF2000 \SystemRoot\system32\DRIVERS\umbus.sys
0x95F4D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x95F91000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x95F9D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x92334000 \SystemRoot\system32\drivers\ADIHdAud.sys
0x95FAE000 \SystemRoot\system32\drivers\portcls.sys
0x95FDD000 \SystemRoot\system32\drivers\drmk.sys
0x95400000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x92397000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x95417000 \SystemRoot\System32\Drivers\LEqdUsb.Sys
0x923A2000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x96800000 \SystemRoot\System32\Drivers\LHidEqd.Sys
0x95FF6000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0x923AD000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0x923B5000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x82016000 \SystemRoot\System32\Drivers\bthport.sys
0x98110000 \SystemRoot\System32\win32k.sys
0x8207A000 \SystemRoot\System32\drivers\Dxapi.sys
0x82084000 \SystemRoot\System32\Drivers\crashdmp.sys
0x82091000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8209C000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x820A6000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x820B7000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x820DB000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x820E8000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x82103000 \SystemRoot\system32\DRIVERS\bthmodem.sys
0x82115000 \SystemRoot\system32\drivers\modem.sys
0x82122000 \SystemRoot\system32\DRIVERS\hidbth.sys
0x8213D000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
0x822F6000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0x82304000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
0x8230B000 \SystemRoot\System32\Drivers\ATSwpWDF.sys
0x823A8000 \SystemRoot\system32\DRIVERS\monitor.sys
0x98370000 \SystemRoot\System32\TSDDD.dll
0x983A0000 \SystemRoot\System32\cdd.dll
0x98000000 \SystemRoot\System32\ATMFD.DLL
0x823B3000 \SystemRoot\system32\drivers\luafv.sys
0x823CE000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x823E2000 \SystemRoot\system32\drivers\WudfPf.sys
0x82000000 \SystemRoot\system32\DRIVERS\vmnetbridge.sys
0x8200E000 \SystemRoot\system32\DRIVERS\VMNET.SYS
0x923C7000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xAD833000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xAD879000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAD889000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xAD89C000 \SystemRoot\system32\drivers\HTTP.sys
0xAD921000 \SystemRoot\System32\drivers\mpsdrv.sys
0xAD94B000 \??\C:\Windows\system32\drivers\hcmon.sys
0xAD955000 \??\C:\Windows\system32\Drivers\vmci.sys
0xAD965000 \??\C:\Windows\system32\Drivers\vmx86.sys
0xADA34000 \??\C:\Windows\system32\drivers\cpuz132_x32.sys
0xADA38000 \SystemRoot\system32\drivers\peauth.sys
0xADACF000 \SystemRoot\System32\Drivers\secdrv.SYS
0xADAD9000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xADAFA000 \SystemRoot\System32\drivers\tcpipreg.sys
0xADB07000 \??\C:\Windows\system32\drivers\vmnetuserif.sys
0xADB0C000 \??\C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
0xADB10000 \SystemRoot\System32\DRIVERS\srv2.sys
0xADB5F000 \SystemRoot\System32\DRIVERS\srv.sys
0xADBB1000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0xADBBA000 \SystemRoot\system32\DRIVERS\bowser.sys
0xADBD3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x92000000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAD800000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAD81B000 \??\C:\Programme\RMClock\RTCore32.sys
0xBAC79000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x777A0000 \Windows\System32\ntdll.dll
0x47A10000 \Windows\System32\smss.exe
0x779E0000 \Windows\System32\apisetschema.dll
0x005C0000 \Windows\System32\autochk.exe
0x779C0000 \Windows\System32\lpk.dll
0x779A0000 \Windows\System32\imm32.dll
0x77900000 \Windows\System32\advapi32.dll
0x77710000 \Windows\System32\clbcatq.dll
0x76AC0000 \Windows\System32\shell32.dll
0x768C0000 \Windows\System32\iertutil.dll
0x767F0000 \Windows\System32\user32.dll
0x767A0000 \Windows\System32\Wldap32.dll
0x766D0000 \Windows\System32\msctf.dll
0x76650000 \Windows\System32\comdlg32.dll
0x778F0000 \Windows\System32\psapi.dll
0x76630000 \Windows\System32\sechost.dll
0x765D0000 \Windows\System32\shlwapi.dll
0x76580000 \Windows\System32\gdi32.dll
0x778E0000 \Windows\System32\nsi.dll
0x764E0000 \Windows\System32\usp10.dll
0x76430000 \Windows\System32\msvcrt.dll
0x762F0000 \Windows\System32\urlmon.dll
0x76210000 \Windows\System32\kernel32.dll
0x761D0000 \Windows\System32\ws2_32.dll
0x761C0000 \Windows\System32\normaliz.dll
0x76130000 \Windows\System32\oleaut32.dll
0x75F90000 \Windows\System32\setupapi.dll
0x75F30000 \Windows\System32\difxapi.dll
0x75DD0000 \Windows\System32\ole32.dll
0x75D20000 \Windows\System32\rpcrt4.dll
0x75C20000 \Windows\System32\wininet.dll
0x75BF0000 \Windows\System32\imagehlp.dll
0x75B60000 \Windows\System32\comctl32.dll
0x75B30000 \Windows\System32\cfgmgr32.dll
0x75A10000 \Windows\System32\crypt32.dll
0x759C0000 \Windows\System32\KernelBase.dll
0x75990000 \Windows\System32\wintrust.dll
0x75970000 \Windows\System32\devobj.dll
0x75960000 \Windows\System32\msasn1.dll

Processes (total 68):
0 System Idle Process
4 System
300 C:\Windows\System32\smss.exe
424 csrss.exe
480 C:\Windows\System32\wininit.exe
492 csrss.exe
536 C:\Windows\System32\services.exe
552 C:\Windows\System32\lsass.exe
560 C:\Windows\System32\lsm.exe
680 C:\Windows\System32\svchost.exe
728 C:\Windows\System32\winlogon.exe
820 C:\Windows\System32\svchost.exe
872 C:\Windows\System32\svchost.exe
968 C:\Windows\System32\svchost.exe
1008 C:\Windows\System32\svchost.exe
1140 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\hpservice.exe
1288 C:\Windows\System32\svchost.exe
1400 C:\Windows\System32\spoolsv.exe
1476 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1500 C:\Windows\System32\svchost.exe
1612 C:\Windows\System32\AEADISRV.EXE
1640 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1660 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1692 C:\Program Files\Bonjour\mDNSResponder.exe
1740 C:\Windows\System32\svchost.exe
1828 C:\Windows\System32\svchost.exe
1880 C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
1924 C:\Windows\System32\vmnat.exe
1960 C:\Windows\System32\vmnetdhcp.exe
320 C:\Program Files\VMware\VMware Player\vmware-authd.exe
2304 C:\Windows\System32\svchost.exe
2468 C:\Windows\System32\svchost.exe
2592 WmiPrvSE.exe
2880 C:\Windows\System32\taskhost.exe
2932 C:\Windows\System32\dwm.exe
2976 C:\Windows\explorer.exe
3120 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3132 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
3140 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
3148 C:\Program Files\Analog Devices\Core\smax4pnp.exe
3176 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3204 C:\Program Files\FreePDF_XP\fpassist.exe
3336 C:\Program Files\iTunes\iTunesHelper.exe
3388 C:\Windows\System32\igfxtray.exe
3432 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
3444 C:\Windows\System32\hkcmd.exe
3452 C:\Windows\System32\igfxpers.exe
3564 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
3620 C:\Program Files\DAEMON Tools Lite\DTLite.exe
3656 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
3800 C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
3924 C:\Program Files\iPod\bin\iPodService.exe
2580 C:\Program Files\RMClock\RMClock.exe
216 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
2772 C:\Windows\System32\svchost.exe
3088 C:\Program Files\RMClock\RMClockHLT.exe
3100 C:\Program Files\RMClock\RMClockHLT.exe
3880 C:\Program Files\Windows Media Player\wmpnetwk.exe
1680 C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
920 C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
3764 C:\Program Files\Windows Live\Contacts\wlcomm.exe
4420 C:\Windows\System32\svchost.exe
5028 C:\Program Files\Opera\opera.exe
4312 C:\Windows\System32\wuauclt.exe
3948 C:\Downloads\osam_autorun_manager_5_0_portable\osam.exe
5928 C:\Users\Florian\Desktop\MBRCheck.exe
5936 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: ST9160823AS, Rev: 3.AHE

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

cosinus 31.05.2011 21:14

Looks OK. As a check, please run full scans with Malwarebytes and SASW and post the logs.
Remember to update both tools before the scan!!


Afterwards, getting a second opinion from the ESET Online Scanner isn't a bad idea either:


ESET Online Scanner

  • Here you'll find an illustrated guide to ESET Online Scanner
  • Download and start ESET Online Scanner
  • Tick Yes, I accept the Terms of Use and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded, the scan starts automatically.
  • At the end of the scan, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the logfile here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the recycle bin => C:\Programme\Eset


DaDude 01.06.2011 20:24

1. SuperAntiSpyware:

Quote:

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 06/01/2011 at 09:22 PM

Application Version : 4.53.1000

Core Rules Database Version : 7171
Trace Rules Database Version: 4983

Scan type : Complete Scan
Total Scan Time : 01:16:21

Memory items scanned : 809
Memory threats detected : 0
Registry items scanned : 9832
Registry threats detected : 0
File items scanned : 97944
File threats detected : 6

Adware.Tracking Cookie
C:\Users\Florian\AppData\Roaming\Microsoft\Windows\Cookies\florian@adtech[1].txt
C:\Users\Florian\AppData\Roaming\Microsoft\Windows\Cookies\florian@www.active-tracking[1].txt
C:\Users\Florian\AppData\Roaming\Microsoft\Windows\Cookies\florian@atdmt.combing[2].txt
C:\Users\Florian\AppData\Roaming\Microsoft\Windows\Cookies\florian@atdmt[1].txt
C:\Users\Florian\AppData\Roaming\Microsoft\Windows\Cookies\florian@tracking.mecum[2].txt
media.rofl.to [ C:\Users\Florian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\AVVUS96T ]

DaDude 01.06.2011 21:13

2. Malwarebytes Anti-Malware

Quote:

Malwarebytes' Anti-Malware 1.51.0.1200
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 6747

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

01.06.2011 22:13:11
mbam-log-2011-06-01 (22-13-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 247406
Time elapsed: 42 minute(s), 46 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 0
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 1

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
(No malicious items detected)

Registry values infected:
(No malicious items detected)

Registry data items infected:
(No malicious items detected)

Folders infected:
(No malicious items detected)

Files infected:
c:\downloads\installer_kaspersky_tdsskiller_2_4_1_2_deutsch.exe (PUP.SmsPay.PGen) -> Quarantined and deleted successfully.

cosinus 01.06.2011 22:09

Quote:

Files infected:
c:\downloads\installer_kaspersky_tdsskiller_2_4_1_2_deutsch.exe (PUP.SmsPay.PGen) -> Quarantined and deleted successfully.
Where did you get this supposed tdsskiller?

DaDude 01.06.2011 22:59

Can't tell you where I got it. Found it on a software portal on the web while researching the error, why it might not run...

EDIT on that: It was on phpnuke.org, but the download page no longer exists... with the link from the download manager it can still be downloaded. I'd better not post that publicly, though...

Here's the ESET:

Quote:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=e20151d9e9ef204b9476069060b5d77f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-01 09:54:20
# local_time=2011-06-01 11:54:20 (+0100, Central European Summer Time)
# country="Germany"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=1797 16775165 100 100 287231 82472211 8655 0
# compatibility_mode=5893 16776573 100 94 4072222 59399247 0 0
# compatibility_mode=8192 67108863 100 0 999 999 0 0
# scanned=105123
# found=11
# cleaned=0
# scan_time=4764
C:\Qoobox\Quarantine\C\Windows\System32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-767ae9cf multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\6685d300-16d2fb53 Java/Exploit.CVE-2010-4452.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\6d441f9c-2f7484ec multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\361be31e-4226dced multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\20281164-433f1dfd multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\509f69c4-35db5444 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\6c087473-7aeaeba6 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\48a5427d-7d35226b multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\2d89d408-51e78bbd multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\drivers\volsnap.sys Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I

cosinus 02.06.2011 00:26

Quote:

C:\Windows\System32\drivers\volsnap.sys Win32/Olmasco.E trojan (unable to clean)
Oh no, CF had "healed" it so nicely :headbang:

Restart Windows, delete the old cofi.exe, download CF again as cofi.exe and do another run with CF

DaDude 02.06.2011 13:22

Here's cofi again:

Combofix Logfile:
Code:

ComboFix 11-06-01.07 - Florian 02.06.2011  14:10:59.2.2 - x86
Microsoft Windows 7 Home Premium  6.1.7600.0.1252.49.1031.18.2972.2054 [GMT 2:00]
run from:: c:\users\Florian\Desktop\cofi.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * New restore point was created
.
.
(((((((((((((((((((((((  Files created from 2011-05-02 to 2011-06-02  ))))))))))))))))))))))))))))))
.
.
2011-06-02 12:15 . 2011-06-02 12:15        --------        d-----w-        c:\users\Default\AppData\Local\temp
2011-06-01 20:18 . 2011-06-01 20:18        --------        d-----w-        c:\program files\ESET
2011-06-01 20:16 . 2011-06-01 20:16        404640        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-31 20:20 . 2011-05-31 20:20        --------        d-----w-        c:\users\Florian\AppData\Roaming\SUPERAntiSpyware.com
2011-05-31 20:20 . 2011-05-31 20:20        --------        d-----w-        c:\programdata\SUPERAntiSpyware.com
2011-05-31 20:20 . 2011-05-31 20:21        --------        d-----w-        c:\program files\SUPERAntiSpyware
2011-05-31 17:59 . 2011-05-31 17:59        --------        d-----w-        c:\users\Florian\AppData\Local\ElevatedDiagnostics
2011-05-30 19:18 . 2011-05-30 19:18        --------        d-----w-        C:\_OTL
2011-05-29 12:33 . 2011-05-29 12:33        --------        d-----w-        c:\users\Florian\AppData\Roaming\Malwarebytes
2011-05-29 12:33 . 2011-05-29 07:11        39984        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 12:33 . 2011-05-29 12:33        --------        d-----w-        c:\programdata\Malwarebytes
2011-05-29 12:33 . 2011-06-01 19:27        --------        d-----w-        c:\program files\Malwarebytes' Anti-Malware
2011-05-15 11:31 . 2011-05-15 11:31        --------        d-----w-        c:\windows\Sun
2011-05-15 11:30 . 2011-05-15 11:34        --------        d-----w-        c:\users\Florian\AppData\Local\FLVService
2011-05-15 11:30 . 2011-05-15 11:30        --------        d-----w-        c:\windows\Freecorder
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-22 13:19 . 2011-04-22 13:19        218688        ----a-w-        c:\windows\system32\drivers\dtsoftbus01.sys
2011-04-14 14:30 . 2011-04-15 17:24        6792528        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{4D0AD09C-481A-4000-A3B1-9058CB8AAE4C}\mpengine.dll
2011-03-11 05:40 . 2011-04-15 17:08        1164288        ----a-w-        c:\windows\system32\mfc42u.dll
2011-03-11 05:40 . 2011-04-15 17:08        1137664        ----a-w-        c:\windows\system32\mfc42.dll
2011-03-08 05:38 . 2011-04-15 17:08        740864        ----a-w-        c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((  Registry autostart points  ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"RMClock"="c:\programme\RMClock\RMClockLauncher.exe" [2008-02-29 61440]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-09-01 499768]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-16 1314816]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2010-06-17 370176]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1246544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 11:28        72208        ----a-w-        c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^Florian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=c:\users\Florian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=c:\windows\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07        932288        ----a-r-        c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44        35760        ----a-w-        c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04        1164584        ----a-w-        c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 13:33        421160        ----a-w-        c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-05-14 08:32        1479680        ----a-w-        c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 15:38        421888        ----a-w-        c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-07-14 01:14        1173504        ----a-w-        c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 09:43        248040        ----a-w-        c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2009-09-30 19:20        64048        ----a-w-        c:\program files\VMware\VMware Player\hqtray.exe
.
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series - Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-16 691696]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-04-22 218688]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-01-16 108289]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2009-07-08 26168]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2009-09-30 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-09-30 563760]
S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-12-03 625224]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-12 221912]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [2009-06-17 40720]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [2009-06-17 10384]
S3 NETw5s32;Intel(R) Wireless WiFi Link Adapter Driver for Windows 7 32-Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
.
------- Additional scan -------
.
uStart Page = hxxp://www.google.de
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Florian\AppData\Roaming\Mozilla\Firefox\Profiles\5r8bm6t8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2319825&SearchSource=13
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Ant Video Downloader: anttoolbar@ant.com - %profile%\extensions\anttoolbar@ant.com
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: YouTube Video Download Wizard: ytvdw@pgport.com - %profile%\extensions\ytvdw@pgport.com
.
.
------- File type association -------
.
.scr=MicroStation Resource
.
.
--------------------- Locked registry keys ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs loaded by running processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4760)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ger.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\AEADISRV.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\taskhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\conhost.exe
c:\windows\system32\consent.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Shared\hpqToaster.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\hpCaslNotification.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-06-02  14:21:13 - PC was rebooted
ComboFix-quarantined-files.txt  2011-06-02 12:21
ComboFix2.txt  2011-05-31 16:13
.
Before scan: 16 directory(ies), 17,358,684,160 bytes free
After scan: 17 directory(ies), 17,186,836,480 bytes free
.
- - End Of File - - F407582AE8B92B366ACECC20BC8AFE7B

--- --- ---

cosinus 03.06.2011 09:57

Is unremarkable. :dummguck:
Please run ESET once more.

DaDude 23.06.2011 13:34

So, I'm back. Was on vacation and otherwise very busy too. I'm currently running ESET. I've used the laptop rather rarely, but I hope nothing has spread again... oO Though at the moment I'm considering a reinstall as the most sensible option after all. We'll see.

9 objects found so far.

DaDude 23.06.2011 14:32

So, here's the new ESET:

Quote:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=e20151d9e9ef204b9476069060b5d77f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-23 01:28:09
# local_time=2011-06-23 03:28:09 (+0100, Central European Summer Time)
# country="Germany"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=1797 16775165 100 100 45478 83718156 38271 0
# compatibility_mode=5893 16776573 100 94 1807687 61263935 0 0
# compatibility_mode=8192 67108863 100 0 1865687 1865687 0 0
# scanned=112209
# found=10
# cleaned=0
# scan_time=10496
C:\Qoobox\Quarantine\C\Windows\System32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-767ae9cf multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\6d441f9c-2f7484ec multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\361be31e-4226dced multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\20281164-433f1dfd multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\509f69c4-35db5444 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\6c087473-7aeaeba6 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\48a5427d-7d35226b multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\2d89d408-51e78bbd multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\drivers\volsnap.sys Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
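
The two ESET runs posted in this thread are easier to read mechanically than by eye: ESET's log.txt gets one section appended per run, a hit under C:\Qoobox\Quarantine is ComboFix's inert copy of an already-removed file, the Java deployment cache entries are leftover exploit files rather than a running infection, and a hit on the live C:\Windows\System32\drivers\volsnap.sys is the only line that says the cleanup did not take. The script below is an added example for this thread, not a tool from ESET or Trojaner-Board; the log text embedded in it is a constructed excerpt modelled on the posted lines, and the classes quarantine / java_cache / live are this example's own labels.

```python
"""Triage ESET Online Scanner log.txt: separate live hits from quarantine
copies and Java-cache leftovers, and find paths that survive across runs
(log.txt is appended to, one section per scan)."""
import re
from dataclasses import dataclass, field

SCAN_START = "ESETSmartInstaller@High as downloader log:"
# detection line: "<path> <detection name> (<action>) <32-hex md5> <flag>"
LINE_RE = re.compile(
    r"^(?P<head>.+?)\s+\((?P<action>[^()]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$")
QUALIFIERS = {"a", "variant", "of", "probably"}  # "a variant of Win32/X", "probably ..."

@dataclass
class Finding:
    path: str
    detection: str
    action: str
    md5: str
    flag: str

@dataclass
class Scan:
    meta: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

def split_path_detection(head):
    """ESET writes '<path> <detection>' with a plain space, and paths may
    contain spaces. Locate the detection by its platform prefix ('Win32/',
    'Java/') or the phrase 'multiple threats', then pull leading qualifier
    words back into the detection name."""
    tokens = head.split()
    start = None
    for i in range(1, len(tokens)):
        if re.match(r"^[A-Za-z0-9]+/", tokens[i]) or tokens[i:i + 2] == ["multiple", "threats"]:
            start = i
            break
    if start is None:
        raise ValueError("no detection name in: " + head)
    while start > 1 and tokens[start - 1] in QUALIFIERS:
        start -= 1
    return " ".join(tokens[:start]), " ".join(tokens[start:])

def parse_eset_log(text):
    scans = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == SCAN_START:
            scans.append(Scan())
        elif not line or not scans:
            continue
        elif line.startswith("# "):                    # "# found=11" style header
            key, _, value = line[2:].partition("=")
            scans[-1].meta.setdefault(key, value)      # compatibility_mode repeats; keep first
        else:
            m = LINE_RE.match(line)
            if m:                                      # skips "all ok" and similar status lines
                path, det = split_path_detection(m.group("head"))
                scans[-1].findings.append(
                    Finding(path, det, m.group("action"), m.group("md5"), m.group("flag")))
    return scans

def classify(path):
    p = path.lower()
    if "\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine"   # ComboFix/Qoobox copy of a removed file: inert, keep for upload
    if "\\java\\deployment\\cache\\" in p:
        return "java_cache"   # exploit files cached by the Java plugin: delete, not a running infection
    return "live"             # a real system file flagged in place: this is the one to act on

def triage(scan):
    out = {"live": [], "quarantine": [], "java_cache": []}
    for f in scan.findings:
        out[classify(f.path)].append(f)
    return out

def persistent_paths(scans):
    """Paths flagged in every run: they survived whatever cleanup ran between scans."""
    return set.intersection(*({f.path for f in s.findings} for s in scans)) if scans else set()

# Constructed excerpt in the format of the logs posted in this thread (not the full files).
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# utc_time=2011-06-01 09:54:20
# scanned=105123
# found=4
# cleaned=0
C:\Qoobox\Quarantine\C\Windows\System32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-767ae9cf multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\6685d300-16d2fb53 Java/Exploit.CVE-2010-4452.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\drivers\volsnap.sys Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# utc_time=2011-06-23 01:28:09
# scanned=112209
# found=3
# cleaned=0
C:\Qoobox\Quarantine\C\Windows\System32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Florian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-767ae9cf multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\drivers\volsnap.sys Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    scans = parse_eset_log(SAMPLE_LOG)
    for cls, hits in triage(scans[-1]).items():
        print(cls, [h.path for h in hits])
    print("persistent:", sorted(persistent_paths(scans)))
```

Run against the real log.txt from C:\Programme\Eset\EsetOnlineScanner, the "live" bucket of the last section is the list to act on and persistent_paths() is the list that every previous cleanup pass missed; in this thread both contain only volsnap.sys, which is why the next step is replacing that driver from outside Windows rather than another scanner run.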

cosinus 23.06.2011 15:06

Please download => File-Upload.net - volsnap.sys
(directly to the root directory of C:)

Then it continues like this:

PartedMagic
  • Download the ISO image of PartedMagic, it should be about 150 MB
  • Burn the ISO file to CD using the image-burning function, e.g. with ImgBurn or Nero's image-burning function under Windows
  • Boot the computer (the one with the broken/infected Windows) from the burned CD, start option 1 in the boot menu and wait until the Linux desktop is up


    http://partedmagic.com/lib/exe/fetch...bootscreen.png


  • You should find a Mount Devices icon, double-click it



    http://partedmagic.com/lib/exe/fetch...ia=desktop.png

  • Mount the partition where Windows is installed, usually it is /dev/sda1
  • On sda1 (or whichever partition Windows is on, if it isn't sda1) rename the following file, just append .vir:

    Code:

    /media/[drive C]/windows/system32/drivers/volsnap.sys.vir
  • Copy the clean volsnap.sys file to system32:

    Code:

    /media/[drive C]/volsnap.sys => /media/[drive C]/windows/system32/drivers/volsnap.sys
    (it should all be quite easy via the graphical file browser in Linux)

  • Restart the computer and boot Windows
  • If Windows boots normally again => upload the file renamed in Linux (the one with .vir) to us => http://www.trojaner-board.de/54791-a...ner-board.html

Let me know when everything is done. It's best to also do another run with ESET.
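
The PartedMagic steps above boil down to: back up the flagged driver under a .vir name, copy a clean volsnap.sys into its place, reboot. Doing the same from a script on the live Linux system adds the checks a practitioner wants before touching a boot-critical driver: the replacement is verified against a SHA-256 hash obtained from a trusted source, the live file is left alone if it already matches, an existing .vir backup is never overwritten, and the installed copy is re-hashed. This is an added example, not the forum's procedure or any tool from it; the mount root (e.g. /media/sda1 on PartedMagic), the expected hash and the make_fixture() stand-in for the mounted partition are assumptions of the example, and the fixture's files are fake MZ-prefixed blobs, not real drivers.

```python
"""Offline replacement of an infected boot-critical driver from a live Linux
system: back the flagged file up under a .vir name, verify the replacement
against a hash from a trusted source, and only then copy it into place."""
import hashlib
import os
import shutil
import tempfile

DRIVER_REL = ("Windows", "System32", "drivers", "volsnap.sys")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def resolve_ci(root, parts):
    """Walk 'parts' under 'root' matching each component case-insensitively:
    an NTFS volume mounted under Linux is case-sensitive, Windows is not
    (Windows vs windows, System32 vs system32)."""
    cur = root
    for part in parts:
        match = next((e for e in os.listdir(cur) if e.lower() == part.lower()), None)
        if match is None:
            raise FileNotFoundError(part + " not found under " + cur)
        cur = os.path.join(cur, match)
    return cur

def backup_name(path):
    """volsnap.sys -> volsnap.sys.vir; never clobber an earlier .vir."""
    cand, n = path + ".vir", 1
    while os.path.exists(cand):
        n += 1
        cand = "%s.vir%d" % (path, n)
    return cand

def replace_driver(root, expected_sha256, clean_name="volsnap.sys"):
    """root: mount point of the Windows partition (assumed, e.g. /media/sda1).
    expected_sha256: hash of a known-good volsnap.sys for this Windows build,
    obtained independently of the file being installed."""
    live = resolve_ci(root, DRIVER_REL)
    clean = resolve_ci(root, (clean_name,))          # dropped into C:\ before booting the live CD
    clean_hash = sha256_file(clean)
    if clean_hash != expected_sha256.lower():
        raise ValueError("replacement file does not match the expected hash; refusing")
    with open(clean, "rb") as f:
        if f.read(2) != b"MZ":
            raise ValueError("replacement file is not a PE image")
    infected_hash = sha256_file(live)
    if infected_hash == clean_hash:
        raise ValueError("file on disk already matches the clean hash; nothing to replace")
    backup = backup_name(live)
    os.rename(live, backup)                            # keep the sample for upload
    shutil.copy2(clean, live)
    installed_hash = sha256_file(live)
    if installed_hash != clean_hash:
        raise RuntimeError("copy verification failed; restore from " + backup)
    return {"installed": live, "installed_sha256": installed_hash,
            "backup": backup, "infected_sha256": infected_hash}

def make_fixture():
    """Constructed stand-in for the mounted partition: a 'bad' driver in
    place and a 'clean' one in the volume root. Returns (root, clean hash)."""
    root = tempfile.mkdtemp(prefix="win_")
    drv = os.path.join(root, "Windows", "System32", "drivers")
    os.makedirs(drv)
    with open(os.path.join(drv, "volsnap.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"INFECTED")
    good = b"MZ" + b"\x00" * 64 + b"CLEAN"
    with open(os.path.join(root, "volsnap.sys"), "wb") as f:
        f.write(good)
    return root, hashlib.sha256(good).hexdigest()

if __name__ == "__main__":
    root, good_hash = make_fixture()
    print(replace_driver(root, good_hash))
```

On the live CD the call is replace_driver("/media/sda1", expected_sha256=...) with the hash of a volsnap.sys taken from a clean installation of the same Windows build (here 6.1.7600 x86, per the ComboFix header); a copy downloaded from a file host is only as trustworthy as that comparison. The renamed .vir file is the sample the post asks to have uploaded, so leave it where it is until that is done.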


All times are GMT +1.

Copyright ©2000-2025, Trojaner-Board

