Trojaner-Board - Trojaner TR/PCK.Tdss.Z.230 Datei tdlclk.dll

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - Trojaner TR/PCK.Tdss.Z.230 Datei tdlclk.dll (https://www.trojaner-board.de/80054-trojaner-tr-pck-tdss-z-230-datei-tdlclk-dll.html)

Trojaner TR/PCK.Tdss.Z.230 Datei tdlclk.dll

Hallo, habe den lästigen Trojaner :teufel2: tdlclk.dll, das Trojanische Pferd :teufel2: TR/PCK.Tdss.Z.230 auf meinem Rechner. Wird erkannt, lässt sich aber mit keinem Tool beseitigen und kommt immer wieder. Habe hier im Forum schon einiges gelesen und Tools getestet, leider ohne Erfolg. Weiss jemand Rat?

Gruss Wolle

Hallo,

und willkommen. :)

Starte bitte Gmer und lass es laut Anleitung durchlaufen. Poste dessen Ergebnis in deinen Thread.

Hallo Angel21,

danke das du dich meiner annimmst.
Habe also alle Progs beendet und gmer laufen lassen. Hier das Protokoll:

PHP-Code:

   GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-12-05 13:24:36

Windows 6.0.6002 Service Pack 2

Running: imjdsm3r.exe; Driver: C:\Users\EIFEL-~1\AppData\Local\Temp\pwldipow.sys

 
 
---- System - GMER 1.0.15 ----

 
SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                         ZwCreateProcess [0x8680FCDE]

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                         ZwCreateProcessEx [0x8680FED0]

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                         ZwTerminateProcess [0x8680F984]

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                         ZwCreateUserProcess [0x868100D8]

 
---- Kernel code sections - GMER 1.0.15 ----

 
.text           ntoskrnl.exe!KeInsertQueue + 3F9                                                                     82475A30 8 Bytes  [DE, FC, 80, 86, D0, FE, 80, ...]

.text           ntoskrnl.exe!KeInsertQueue + 811                                                                     82475E48 4 Bytes  [84, F9, 80, 86]

.text           ntoskrnl.exe!KeInsertQueue + 8D5                                                                     82475F0C 4 Bytes  [D8, 00, 81, 86]

.rsrc           C:\Windows\system32\drivers\atapi.sys                                                                entry point in ".rsrc" section [0x82FC3000]

 
---- User IAT/EAT - GMER 1.0.15 ----

 
IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                [74877817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                 [748CA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]             [7487BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]       [7486F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                 [748775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]              [7486E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [748A8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]     [7487DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]             [7486FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]              [7486FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]               [748671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]       [748FCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]          [7489C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]             [7486D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                       [74866853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                      [7486687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]         [74872AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

 
---- Devices - GMER 1.0.15 ----

 
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                              Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                              Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice  \Driver\tdx \Device\Tcp                                                                              tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

 
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0                                                          [82FBF9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device          \Driver\atapi \Device\Ide\IdePort0                                                                   [82FBF9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device          \Driver\atapi \Device\Ide\IdePort1                                                                   [82FBF9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1                                                          [82FBF9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

 
---- Registry - GMER 1.0.15 ----

 
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd502966                          

Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd502966 (not active ControlSet)      

 
---- Files - GMER 1.0.15 ----

 
File            C:\Windows\system32\drivers\atapi.sys                                                                suspicious modification

 
---- EOF - GMER 1.0.15 ----

Hoffe du findest etwas.

thx wolle

Bitte künftig die Logs nicht in PHP Code Tags posten.

Das erschwert die Übersicht über das Log nur.

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir das Tool hier herunter auf den Desktop -> KLICK

Wichtig! Bitte die combofix.exe per Rechtsklick, "Ziel speichern unter" unter smss.exe abspeichern!
Besonders hartnäckige Malware erkennt eine combofix.exe und würde sich vor ihr gezielt verstecken!

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Starte nun die in smss.exe umbenannte combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so:

[HTML]

Code:

Hier das Logfile rein!

[/HTML)

Hallo Angel21,

ich verzweifel so langsam am combofix, habe schon ca. 20 mal die Ausführung gestartet und irgendwann kommt ein Bluescreen mit schwerem Ausnahmefehler.
Einige male schafft es combo bis zum Neustart und Schritt 4, dann die Fehlermeldung (Ausnahmefehler adresse etc.). Manchmal kommt der Bluescreen schon vor dem Neustart.
Bis dahin alles nach Vorgaben erledigt. Alle Progs beendet, Virenprog deinstalliert, mit ccleaner alles gescannt und Fehler entfernt oder behoben. combofix in smss umbenannt und natürlich alle Tools als Administrator gestartet. Was nun???

Habe ich was übersehen?? Ist der Trojaner mit einer Formatierung als letzte Möglichkeit zu beseitigen?

Gruss Wolle

Hast du Combofix auch VOR dem auf dem Desktop zu gelangen umbenannt?
Kam bei der Fehlermeldung vielleicht mehr als nur "schwerer Ausnahmefehler?"

Hallo Angel21,

nein habe combo natürlich als combo auf dem Desktop gespeichert und dann umbenannt. Dann werde ich es nochmal anders versuchen. Die Datei welche den Absturz verursacht nennt sich übrigens catchme.sys

Hört sich so an wie "wir holen dich wir kriegen dich"

Gruss wolle

Hallo,

start - ausführen - combofix /u eingeben, ausführen......
Dann nochmal Combofix diesmal _MIT_ Rechtsklick -> Ziel speichern unter... *smss.exe umbenennen* speichern.

Hast du eine Windows CD?

Hallo angel21,

bin am verzweifeln. Immer wieder blue screen. Alles versucht combofix /u bis er wirklich deinstalliert ist. Neu runtergeladen auf Desktop unter smss. Ausgeführt bis Neustart mit Administratorrechten, bluescreen. Unter abgesichertem Modus ausgeführt, blue screen.

Was nun? Formatierung sollte nun wirklich der allerletzte Ausweg sein.

Gruss Wolle

CustomScan mit OTL

Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop

Starte bitte die OTL.exe.
Vista-User mit Rechtsklick "als Administrator starten"
Kopiere nun den Inhalt in die http://billy-oneal.com/Canned%20Spee.../customFix.png Textbox.

Code:

netsvcs

%SYSTEMDRIVE%\*.exe

%SYSTEMDRIVE%\eventlog.dll /s /md5

%SYSTEMDRIVE%\scecli.dll /s /md5

%SYSTEMDRIVE%\netlogon.dll /s /md5

%SYSTEMDRIVE%\cngaudit.dll /s /md5

%SYSTEMDRIVE%\sceclt.dll /s /md5

%SYSTEMDRIVE%\ntelogon.dll /s /md5

%SYSTEMDRIVE%\logevent.dll /s /md5

%SYSTEMDRIVE%\iaStor.sys /s /md5

%SYSTEMDRIVE%\nvstor.sys /s /md5

%SYSTEMDRIVE%\atapi.sys /s /md5

%SYSTEMDRIVE%\IdeChnDr.sys /s /md5

%SYSTEMDRIVE%\viasraid.sys /s /md5

%SYSTEMDRIVE%\AGP440.sys /s /md5

%SYSTEMDRIVE%\vaxscsi.sys /s /md5

%SYSTEMDRIVE%\nvatabus.sys /s /md5

Schliesse bitte nun alle Programme. (Wichtig)
Klicke nun bitte auf den Quick Scan Button.
Klick auf http://billy-oneal.com/Canned%20Spee.../OTL/btnOK.png.
Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in Code-Tags in Deinen Thread

Hallo,

OTL ist also ohne Probleme durchgelaufen. Hier die Protokolle

OTLTxt

Code:

OTL logfile created on: 06.12.2009 21:46:12 - Run 1

OTL by OldTimer - Version 3.1.11.8     Folder = C:\Users\Eifel-Kaffee 2\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18828)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

1021,32 Mb Total Physical Memory | 491,20 Mb Available Physical Memory | 48,10% Memory free

2,25 Gb Paging File | 1,50 Gb Available in Paging File | 66,77% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 74,53 Gb Total Space | 44,20 Gb Free Space | 59,31% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

 

Computer Name: TOSHIBA

Current User Name: Eifel-Kaffee 2

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

 
 ========== Processes (SafeList) ==========

 

PRC - [2009.12.06 21:44:53 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Users\Eifel-Kaffee 2\Desktop\OTL.exe

PRC - [2009.11.10 10:28:08 | 00,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

PRC - [2009.07.02 13:29:14 | 00,161,080 | ---- | M] (AVM Berlin) -- C:\Program Files\FRITZ!Fernzugang\nwtsrv.exe

PRC - [2009.07.02 13:28:18 | 00,132,408 | ---- | M] (AVM Berlin) -- C:\Program Files\FRITZ!Fernzugang\certsrv.exe

PRC - [2009.07.02 13:27:30 | 00,267,576 | ---- | M] (AVM Berlin) -- C:\Program Files\FRITZ!Fernzugang\avmike.exe

PRC - [2009.04.11 07:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2009.04.11 07:27:20 | 00,088,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe

PRC - [2009.03.30 16:28:36 | 01,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE

PRC - [2009.03.30 16:28:36 | 00,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE

PRC - [2009.02.09 09:26:10 | 00,603,904 | ---- | M] (TuneUp Software) -- C:\Windows\System32\TUProgSt.exe

PRC - [2008.08.14 10:40:44 | 00,103,720 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

PRC - [2008.08.14 10:40:36 | 01,348,904 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

PRC - [2008.08.14 10:14:20 | 00,200,704 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe

PRC - [2008.07.11 13:22:56 | 00,251,184 | ---- | M] (BUFFALO INC.) -- C:\Program Files\BUFFALO\NASNAVI\nassvc.exe

PRC - [2008.02.02 02:20:34 | 00,144,672 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe

PRC - [2008.01.18 23:33:40 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe

PRC - [2007.05.31 08:21:28 | 00,648,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdcBase.exe

PRC - [2006.10.31 21:40:16 | 00,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

 

 
 ========== Modules (SafeList) ==========

 

MOD - [2009.12.06 21:44:53 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Users\Eifel-Kaffee 2\Desktop\OTL.exe

MOD - [2009.04.11 07:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll

 

 
 ========== Win32 Services (SafeList) ==========

 

SRV - [2009.11.10 10:28:08 | 00,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)

SRV - [2009.11.06 14:29:22 | 01,141,712 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)

SRV - [2009.10.30 11:18:16 | 00,359,624 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)

SRV - [2009.09.25 02:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)

SRV - [2009.07.02 13:29:14 | 00,161,080 | ---- | M] (AVM Berlin) -- C:\Program Files\FRITZ!Fernzugang\nwtsrv.exe -- (nwtsrv)

SRV - [2009.07.02 13:28:18 | 00,132,408 | ---- | M] (AVM Berlin) -- C:\Program Files\FRITZ!Fernzugang\certsrv.exe -- (certsrv)

SRV - [2009.07.02 13:27:30 | 00,267,576 | ---- | M] (AVM Berlin) -- C:\Program Files\FRITZ!Fernzugang\avmike.exe -- (avmike)

SRV - [2009.06.05 19:11:31 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9e60912df045e) Google Update Service (gupdate1c9e60912df045e)

SRV - [2009.06.05 19:10:57 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)

SRV - [2009.03.30 16:28:36 | 01,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)

SRV - [2009.02.09 09:26:10 | 00,603,904 | ---- | M] (TuneUp Software) -- C:\Windows\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc)

SRV - [2009.02.09 09:26:02 | 00,360,192 | ---- | M] (TuneUp Software) -- C:\Windows\System32\TuneUpDefragService.exe -- (TuneUp.Defrag)

SRV - [2008.12.11 13:31:36 | 00,027,904 | ---- | M] (TuneUp Software) -- C:\Windows\System32\uxtuneup.dll -- (UxTuneUp)

SRV - [2008.11.04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)

SRV - [2008.07.11 13:22:56 | 00,251,184 | ---- | M] (BUFFALO INC.) -- C:\Program Files\BUFFALO\NASNAVI\nassvc.exe -- (NasPmService)

SRV - [2008.02.02 02:20:34 | 00,144,672 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe -- (PDFProFiltSrv)

SRV - [2008.01.18 23:38:26 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2008.01.16 19:14:20 | 00,053,760 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZipm12.dll -- (Pml Driver HPZ12)

SRV - [2008.01.16 19:14:18 | 00,043,520 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZinw12.dll -- (Net Driver HPZ12)

SRV - [2007.11.06 21:16:54 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)

SRV - [2007.11.06 21:16:54 | 00,139,264 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)

SRV - [2007.10.14 21:15:52 | 00,663,552 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL -- (HPSLPSVC)

SRV - [2007.06.29 19:16:56 | 00,800,040 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService)

SRV - [2007.06.27 19:04:00 | 00,279,848 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)

SRV - [2007.05.31 08:21:24 | 00,379,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)

SRV - [2007.05.31 08:21:18 | 00,183,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)

SRV - [2006.11.02 13:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)

SRV - [2006.10.31 21:40:16 | 00,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)

SRV - [2006.10.26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)

 

 
 ========== Standard Registry (SafeList) ==========

 

 
 ========== Internet Explorer ==========

 

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKLM\..\URLSearchHook: {D3F669EB-57CE-4f45-8FBD-E245CBB46366} - C:\Program Files\STOPzilla!\Toolbar\SZIESearchHook.dll (iS3 Inc.)

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = 

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 
 ========== FireFox ==========

 

FF - prefs.js..browser.search.defaultenginename: "Live Search"

FF - prefs.js..browser.search.defaulturl: "http://search.live.com/results.aspx?FORM=IEFM1&q="

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (de)"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "http://home.1und1.de/?__rd=ac170c22xtxW8xC9yO8OVP97HK2fqJ2X&origin[site]=MX.EUE.DE&origin[page]=index&ucuoId=MX.EUE.DE-20090603131513-ac170c57ItANZhiKpcylKQjev0Cg9FOO-S1"

FF - prefs.js..extensions.enabledItems: de-DE@dictionaries.addons.mozilla.org:2.0

FF - prefs.js..extensions.enabledItems: fb_add_on@avm.de:1.4.0

FF - prefs.js..extensions.enabledItems: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}:0.3.1

FF - prefs.js..keyword.URL: "http://www.ask.com/web?&o=13048&l=dis&q="

 

 

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009.04.03 07:29:11 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{780044d1-e8c0-488f-8059-4522ddbfc2ea}: C:\Program Files\Stopzilla!\Toolbar\Extension [2009.12.06 16:29:48 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009.11.07 07:48:12 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009.11.21 22:26:58 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009.11.27 22:48:58 | 00,000,000 | ---D | M]

 

[2008.10.27 08:32:37 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\mozilla\Extensions

[2009.12.06 18:10:46 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\mozilla\Firefox\Profiles\myz50cwr.default\extensions

[2009.07.18 18:46:36 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\mozilla\Firefox\Profiles\myz50cwr.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}

[2009.07.18 18:46:36 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\mozilla\Firefox\Profiles\myz50cwr.default\extensions\{31513E58-F253-47ad-86DB-D5F21E905429}

[2009.07.18 18:46:36 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\mozilla\Firefox\Profiles\myz50cwr.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}

[2009.08.08 21:55:36 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\mozilla\Firefox\Profiles\myz50cwr.default\extensions\de-DE@dictionaries.addons.mozilla.org

[2009.11.30 09:01:05 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\mozilla\Firefox\Profiles\myz50cwr.default\extensions\fb_add_on@avm.de

[2009.02.21 12:48:32 | 00,001,632 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Mozilla\FireFox\Profiles\myz50cwr.default\searchplugins\live-search.xml

[2009.12.06 18:10:46 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2009.09.09 06:45:22 | 00,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml

[2009.09.09 06:45:22 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml

[2009.09.09 06:45:22 | 00,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml

[2009.09.10 20:00:40 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml

[2009.09.09 06:45:22 | 00,000,801 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

 

O1 HOSTS File: (743 bytes) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1         localhost

O1 - Hosts: ::1         localhost

O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (ZILLAbar Browser Helper Object) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\Toolbar\SZSG.dll (iS3, Inc)

O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)

O2 - BHO: (ZeonIEEventHelper Class) - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)

O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)

O3 - HKLM\..\Toolbar: (STOPzilla) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\Toolbar\SZSG.dll (iS3, Inc)

O3 - HKLM\..\Toolbar: (Nuance PDF) - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)

O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)

O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdcBase.exe (Microsoft Corporation)

O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 60

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present

O8 - Extra context menu item: Mit Nuance PDF Converter 5.0 öffnen - C:\Program Files\Nuance\PDF Professional 5\cnvres_ger.dll (Nuance Communications, Inc.)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra Button: HP Intelligente Auswahl - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 0

O32 - AutoRun File - [2006.09.18 22:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{877d5d91-b154-11dd-8dd3-00a0d130cf35}\Shell - "" = AutoRun

O33 - MountPoints2\{877d5d91-b154-11dd-8dd3-00a0d130cf35}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found

O33 - MountPoints2\{a56b087e-7b62-11de-8502-00a0d130cf35}\Shell - "" = AutoRun

O33 - MountPoints2\{a56b087e-7b62-11de-8502-00a0d130cf35}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{a56b08c2-7b62-11de-8502-00a0d130cf35}\Shell - "" = AutoRun

O33 - MountPoints2\{a56b08c2-7b62-11de-8502-00a0d130cf35}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{c0fef388-7f4e-11de-804d-806e6f6e6963}\Shell - "" = AutoRun

O33 - MountPoints2\{c0fef388-7f4e-11de-804d-806e6f6e6963}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{c0fef3e4-7f4e-11de-804d-00a0d130cf35}\Shell - "" = AutoRun

O33 - MountPoints2\{c0fef3e4-7f4e-11de-804d-00a0d130cf35}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{c0fef3e6-7f4e-11de-804d-00a0d130cf35}\Shell - "" = AutoRun

O33 - MountPoints2\{c0fef3e6-7f4e-11de-804d-00a0d130cf35}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{c0fef3f1-7f4e-11de-804d-00a0d130cf35}\Shell - "" = AutoRun

O33 - MountPoints2\{c0fef3f1-7f4e-11de-804d-00a0d130cf35}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{c0fef3f3-7f4e-11de-804d-00a0d130cf35}\Shell - "" = AutoRun

O33 - MountPoints2\{c0fef3f3-7f4e-11de-804d-00a0d130cf35}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{c0fef3fd-7f4e-11de-804d-00a0d130cf35}\Shell - "" = AutoRun

O33 - MountPoints2\{c0fef3fd-7f4e-11de-804d-00a0d130cf35}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{c0fef422-7f4e-11de-804d-00a0d130cf35}\Shell - "" = AutoRun

O33 - MountPoints2\{c0fef422-7f4e-11de-804d-00a0d130cf35}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) -  File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

 

NetSvcs: UxTuneUp - C:\Windows\System32\uxtuneup.dll (TuneUp Software)

NetSvcs: FastUserSwitchingCompatibility -  File not found

NetSvcs: Ias - C:\Windows\System32\ias [2008.10.28 11:15:47 | 00,000,000 | ---D | M]

NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)

NetSvcs: Nla -  File not found

NetSvcs: Ntmssvc -  File not found

NetSvcs: NWCWorkstation -  File not found

NetSvcs: Nwsapagent -  File not found

NetSvcs: SRService -  File not found

NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp -  File not found

NetSvcs: LogonHours -  File not found

NetSvcs: PCAudit -  File not found

NetSvcs: helpsvc -  File not found

NetSvcs: uploadmgr -  File not found

 
 ========== Files/Folders - Created Within 14 Days ==========

 

[2009.12.06 21:44:51 | 00,537,088 | ---- | C] (OldTimer Tools) -- C:\Users\Eifel-Kaffee 2\Desktop\OTL.exe

[2009.12.06 20:25:21 | 00,000,000 | --SD | C] -- C:\cf

[2009.12.06 18:20:51 | 00,000,000 | ---D | C] -- C:\Users\Eifel-Kaffee 2\AppData\Local\Threat Expert

[2009.12.06 16:30:26 | 00,000,000 | ---D | C] -- C:\ProgramData\SITEguard

[2009.12.06 16:29:15 | 00,000,000 | ---D | C] -- C:\Program Files\STOPzilla!

[2009.12.06 16:29:14 | 00,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!

[2009.12.06 16:29:14 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3

[2009.12.06 15:05:44 | 00,000,000 | ---D | C] -- C:\Qoobox

[2009.12.06 08:41:28 | 00,000,000 | ---D | C] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\MozBackup

[2009.12.06 08:33:38 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys

[2009.12.05 21:27:52 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe

[2009.12.05 21:27:52 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2009.12.05 21:27:52 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2009.12.05 21:27:52 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2009.12.05 08:53:55 | 01,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDCore.dll

[2009.12.05 08:53:55 | 00,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDRes.dll

[2009.12.05 08:53:55 | 00,149,456 | ---- | C] (PC Tools) -- C:\Windows\SGDetectionTool.dll

[2009.12.05 08:52:26 | 00,233,136 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys

[2009.12.05 08:52:26 | 00,098,600 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys

[2009.12.05 08:52:20 | 00,207,792 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys

[2009.12.05 08:52:19 | 00,087,784 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys

[2009.12.05 08:51:59 | 00,070,408 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys

[2009.12.05 08:51:38 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools

[2009.12.05 08:51:37 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor

[2009.12.05 08:51:37 | 00,000,000 | ---D | C] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\PC Tools

[2009.12.05 08:51:37 | 00,000,000 | ---D | C] -- C:\ProgramData\PC Tools

[2009.12.03 21:24:44 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009.12.03 21:24:42 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009.12.03 19:43:07 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT

[2009.11.30 09:11:09 | 00,050,480 | ---- | C] (AVM Berlin) -- C:\Windows\System32\AvmColorFaxRender.dll

[2009.11.30 09:11:09 | 00,046,384 | ---- | C] (AVM Berlin) -- C:\Windows\System32\AvmFaxRender.dll

[2009.11.30 09:11:09 | 00,024,880 | ---- | C] (AVM Berlin) -- C:\Windows\System32\FritzVistaMon.dll

[2009.11.30 09:11:09 | 00,024,880 | ---- | C] (AVM Berlin) -- C:\Windows\System32\FritzVistaColorMon.dll

[2009.11.30 09:11:08 | 00,451,888 | ---- | C] (Blue Sky Software Corporation.) -- C:\Windows\System32\HHActiveX.dll

[2009.11.30 09:11:08 | 00,054,576 | ---- | C] (AVM Berlin GmbH) -- C:\Windows\System32\FritzPort.dll

[2009.11.30 09:11:08 | 00,054,576 | ---- | C] (AVM Berlin GmbH) -- C:\Windows\System32\FritzColorPort.dll

[2009.11.30 09:11:08 | 00,042,288 | ---- | C] (AVM Berlin GmbH) -- C:\Windows\System32\Fridru32.dll

[2009.11.30 09:11:07 | 00,000,000 | ---D | C] -- C:\ProgramData\ISDNWatch

[2009.11.30 09:11:07 | 00,000,000 | ---D | C] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\FRITZ!fax für FRITZ!Box

[2009.11.29 21:24:43 | 00,000,000 | ---D | C] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\ImgBurn

[2009.11.29 21:20:25 | 00,000,000 | ---D | C] -- C:\Program Files\ImgBurn

[2009.11.28 16:55:09 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2009.11.28 10:41:24 | 00,000,000 | ---D | C] -- C:\AVZ

[2009.11.28 10:37:16 | 00,000,000 | ---D | C] -- C:\Users\Eifel-Kaffee 2\Desktop\Virus

[2009.11.23 20:23:34 | 00,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group

[2009.11.22 22:37:44 | 00,000,000 | ---D | C] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Malwarebytes

[2009.11.22 22:35:52 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2009.11.22 22:35:02 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

 
 ========== Files - Modified Within 14 Days ==========

 

[2009.12.06 21:45:07 | 03,932,160 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\ntuser.dat

[2009.12.06 21:44:53 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Users\Eifel-Kaffee 2\Desktop\OTL.exe

[2009.12.06 21:43:27 | 00,012,800 | ---- | M] () -- C:\Windows\System32\tdlclk.dll

[2009.12.06 21:40:00 | 00,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2009.12.06 21:18:20 | 00,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job

[2009.12.06 21:00:02 | 00,000,518 | ---- | M] () -- C:\Windows\tasks\1-Klick-Wartung.job

[2009.12.06 20:38:24 | 00,023,552 | ---- | M] () -- C:\Windows\System32\tdlcmd.dll

[2009.12.06 20:35:39 | 00,000,374 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.ics

[2009.12.06 20:33:53 | 00,016,384 | ---- | M] () -- C:\Windows\System32\Ikeext.etl

[2009.12.06 20:33:47 | 00,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2009.12.06 20:33:41 | 00,004,576 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2009.12.06 20:33:41 | 00,004,576 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2009.12.06 20:33:40 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2009.12.06 20:33:21 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2009.12.06 20:24:34 | 03,581,761 | R--- | M] () -- C:\Users\Eifel-Kaffee 2\Desktop\cf.exe

[2009.12.06 20:07:48 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat

[2009.12.06 20:07:29 | 00,524,288 | -HS- | M] () -- C:\Users\Eifel-Kaffee 2\ntuser.dat{1b370249-9f60-11de-b589-00a0d130cf35}.TMContainer00000000000000000001.regtrans-ms

[2009.12.06 20:07:29 | 00,065,536 | -HS- | M] () -- C:\Users\Eifel-Kaffee 2\ntuser.dat{1b370249-9f60-11de-b589-00a0d130cf35}.TM.blf

[2009.12.06 18:47:42 | 00,000,328 | ---- | M] () -- C:\Windows\System32\drivers\kgpfr2.cfg

[2009.12.06 18:47:39 | 00,001,288 | ---- | M] () -- C:\Windows\System32\drivers\kgpcpy.cfg

[2009.12.06 18:15:08 | 00,000,093 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\Desktop\Viren- und Spywareschutz und Schutz vor schädlicher Software Microsoft Security Essentials.URL

[2009.12.06 16:36:06 | 02,492,046 | -H-- | M] () -- C:\Users\Eifel-Kaffee 2\AppData\Local\IconCache.db

[2009.12.06 15:28:04 | 00,061,056 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\AppData\Local\GDIPFONTCACHEV1.DAT

[2009.12.06 09:06:53 | 00,001,604 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\Documents\cc_20091206_090649.reg

[2009.12.04 19:59:35 | 00,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini

[2009.12.04 19:59:34 | 00,049,664 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009.12.03 21:35:23 | 00,269,344 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2009.12.03 21:04:17 | 00,006,404 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\Documents\cc_20091203_210409.reg

[2009.11.29 10:52:41 | 00,051,942 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\Desktop\Kenwwod - PayPal.pdf

[2009.11.29 10:34:38 | 00,000,139 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\Desktop\powernetshop.de - Detailansicht.URL

[2009.11.28 17:01:01 | 00,026,418 | ---- | M] () -- C:\Users\Eifel-Kaffee 2\Documents\cc_20091128_170050.reg

[2009.11.27 22:15:00 | 01,418,612 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2009.11.27 22:15:00 | 00,618,442 | ---- | M] () -- C:\Windows\System32\perfh007.dat

[2009.11.27 22:15:00 | 00,587,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2009.11.27 22:15:00 | 00,122,648 | ---- | M] () -- C:\Windows\System32\perfc007.dat

[2009.11.27 22:15:00 | 00,101,250 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2009.11.23 20:24:29 | 00,000,743 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2009.11.22 23:37:43 | 00,019,944 | ---- | M] () -- C:\Windows\System32\drivers\atapi(46).sys

 
 ========== Files Created - No Company Name ==========

 

[2009.12.06 20:23:06 | 00,023,552 | ---- | C] () -- C:\Windows\System32\tdlcmd.dll

[2009.12.06 20:02:42 | 00,260,608 | ---- | C] () -- C:\Windows\PEV.exe

[2009.12.06 18:58:11 | 00,012,800 | ---- | C] () -- C:\Windows\System32\tdlclk.dll

[2009.12.06 18:47:42 | 00,000,328 | ---- | C] () -- C:\Windows\System32\drivers\kgpfr2.cfg

[2009.12.06 18:46:03 | 00,001,288 | ---- | C] () -- C:\Windows\System32\drivers\kgpcpy.cfg

[2009.12.06 18:15:08 | 00,000,093 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\Desktop\Viren- und Spywareschutz und Schutz vor schädlicher Software Microsoft Security Essentials.URL

[2009.12.06 16:22:00 | 03,581,761 | R--- | C] () -- C:\Users\Eifel-Kaffee 2\Desktop\cf.exe

[2009.12.06 09:06:52 | 00,001,604 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\Documents\cc_20091206_090649.reg

[2009.12.05 21:27:52 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2009.12.05 21:27:52 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2009.12.05 21:27:52 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe

[2009.12.05 21:27:52 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2009.12.05 08:53:57 | 00,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll

[2009.12.05 08:53:56 | 00,000,882 | ---- | C] () -- C:\Windows\RegSDImport.xml

[2009.12.05 08:53:56 | 00,000,880 | ---- | C] () -- C:\Windows\RegISSImport.xml

[2009.12.05 08:53:55 | 01,152,444 | ---- | C] () -- C:\Windows\UDB.zip

[2009.12.05 08:53:55 | 00,000,131 | ---- | C] () -- C:\Windows\IDB.zip

[2009.12.05 08:52:26 | 00,007,387 | ---- | C] () -- C:\Windows\System32\drivers\pctgntdi.cat

[2009.12.05 08:52:20 | 00,007,412 | ---- | C] () -- C:\Windows\System32\drivers\PCTAppEvent.cat

[2009.12.05 08:52:20 | 00,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctcore.cat

[2009.12.05 08:51:59 | 00,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctplsg.cat

[2009.12.03 21:04:11 | 00,006,404 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\Documents\cc_20091203_210409.reg

[2009.11.29 10:52:40 | 00,051,942 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\Desktop\Kenwwod - PayPal.pdf

[2009.11.29 10:34:38 | 00,000,139 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\Desktop\powernetshop.de - Detailansicht.URL

[2009.11.28 17:00:57 | 00,026,418 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\Documents\cc_20091128_170050.reg

[2009.11.15 12:37:55 | 00,000,085 | -HS- | C] () -- C:\ProgramData\.zreglib

[2009.09.17 20:44:02 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009.09.17 20:43:20 | 00,019,944 | ---- | C] () -- C:\Windows\System32\drivers\atapi(46).sys

[2009.08.03 20:54:36 | 00,000,020 | ---- | C] () -- C:\Windows\tm.ini

[2009.08.03 20:49:04 | 00,130,560 | ---- | C] () -- C:\Windows\System32\ZipDll.dll

[2009.07.31 07:06:03 | 00,000,082 | ---- | C] () -- C:\Windows\odbc_merge.INI

[2009.05.01 19:41:36 | 00,000,680 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\AppData\Local\d3d9caps.dat

[2009.03.08 08:18:28 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini

[2009.03.08 08:14:20 | 00,288,627 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\AppData\Local\yqiui_nav.dat

[2009.03.08 08:13:50 | 00,002,973 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\AppData\Local\yqiui.dat

[2009.03.08 08:13:50 | 00,000,322 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\AppData\Local\yqiui_navps.dat

[2009.03.08 08:13:50 | 00,000,097 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\AppData\Local\yqiui.bat

[2009.02.09 20:45:57 | 00,009,728 | ---- | C] () -- C:\Windows\System32\BASSMOD.dll

[2008.12.10 19:55:10 | 00,303,104 | ---- | C] () -- C:\Windows\System32\dnt27VC8.dll

[2008.12.10 19:53:30 | 00,090,112 | ---- | C] () -- C:\Windows\System32\dntvmc27VC8.dll

[2008.12.10 19:53:18 | 00,086,016 | ---- | C] () -- C:\Windows\System32\dntvm27VC8.dll

[2008.11.07 20:16:48 | 00,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat

[2008.11.03 20:02:36 | 00,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys

[2008.11.03 18:17:40 | 00,049,664 | ---- | C] () -- C:\Users\Eifel-Kaffee 2\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008.10.30 09:49:34 | 00,000,022 | ---- | C] () -- C:\ProgramData\8f01a90e-7eb3-48d3-93b1-50d88fd146fb

[2008.10.30 08:00:19 | 00,001,551 | ---- | C] () -- C:\ProgramData\hpzinstall.log

[2008.10.26 20:46:55 | 00,000,306 | RHS- | C] () -- C:\ProgramData\ntuser.pol

[2006.11.02 13:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006.11.02 11:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll

[2006.11.02 08:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006.10.31 16:37:00 | 00,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll

[2006.08.10 14:00:52 | 00,094,208 | ---- | C] () -- C:\Windows\System32\TosBtHcrpAPI.dll

[2006.06.02 11:54:00 | 00,015,648 | ---- | C] () -- C:\Windows\UN060501.INI

[2005.07.22 20:30:20 | 00,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

 
 ========== LOP Check ==========

 

[2009.09.23 17:01:05 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\1&1

[2009.03.14 08:26:38 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\AceBIT

[2009.07.28 11:58:04 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Bytemobile

[2009.11.17 09:09:10 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\FileZilla

[2009.08.25 06:51:32 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\FRITZ!

[2009.11.30 09:11:07 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\FRITZ!fax für FRITZ!Box

[2009.11.30 20:01:42 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\GoodSync

[2009.07.28 11:59:05 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\HCM Updater

[2009.08.03 20:31:17 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\hed

[2009.11.29 21:27:48 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\ImgBurn

[2009.11.12 08:11:53 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Internet-Radio Player

[2009.04.24 06:41:00 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Internetradio Player

[2009.06.03 08:00:23 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\IrfanView

[2009.11.11 09:04:39 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Lexware

[2009.12.06 08:41:28 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\MozBackup

[2009.11.15 18:49:31 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\NASNaviator2

[2009.05.21 07:49:56 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\phonostar-Player

[2009.02.08 20:32:05 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\RapidSolution

[2008.10.27 08:34:54 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Thunderbird

[2009.05.04 19:44:11 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Toshiba

[2009.02.09 09:01:00 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\TuneUp Software

[2008.10.27 11:01:23 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Uniblue

[2009.12.06 18:09:39 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\UseNeXT

[2008.10.27 08:19:27 | 00,000,000 | ---D | M] -- C:\Users\Eifel-Kaffee 2\AppData\Roaming\Zeon

[2009.12.06 21:00:02 | 00,000,518 | ---- | M] () -- C:\Windows\Tasks\1-Klick-Wartung.job

[2009.12.06 20:07:51 | 00,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

 
 ========== Purity Check ==========

 

 

 
 ========== Custom Scans ==========

 

 
 < %SYSTEMDRIVE%\*.exe >

 
 < %SYSTEMDRIVE%\eventlog.dll /s /md5 >

 
 < %SYSTEMDRIVE%\scecli.dll /s /md5 >

[2009.04.11 07:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll

[2008.01.18 23:36:20 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll

[2009.04.11 07:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

 
 < %SYSTEMDRIVE%\netlogon.dll /s /md5 >

[2009.04.11 07:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll

[2008.01.18 23:35:38 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

[2009.04.11 07:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll

 
 < %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

[2006.11.02 10:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll

[2006.11.02 10:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

 
 < %SYSTEMDRIVE%\sceclt.dll /s /md5 >

 
 < %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

 
 < %SYSTEMDRIVE%\logevent.dll /s /md5 >

 
 < %SYSTEMDRIVE%\iaStor.sys /s /md5 >

 
 < %SYSTEMDRIVE%\nvstor.sys /s /md5 >

[2006.11.02 10:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys

[2008.01.18 23:42:10 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys

[2006.11.02 10:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys

[2008.01.18 23:42:10 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

 
 < %SYSTEMDRIVE%\atapi.sys /s /md5 >

[2009.04.11 07:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\drivers\atapi.sys

[2008.10.26 21:11:29 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys

[2009.04.11 07:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys

[2006.11.02 10:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

[2008.01.18 23:41:32 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys

[2008.10.26 21:11:29 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys

[2008.10.26 21:11:29 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

[2008.01.18 23:41:32 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys

[2009.04.11 07:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys

 
 < %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

 
 < %SYSTEMDRIVE%\viasraid.sys /s /md5 >

 
 < %SYSTEMDRIVE%\AGP440.sys /s /md5 >

[2006.11.02 10:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys

[2008.01.18 23:42:26 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys

[2006.11.02 10:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

[2008.01.18 23:42:26 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys

[2008.01.18 23:42:26 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys

[2008.01.18 23:42:26 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys

 
 < %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

 
 < %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

 
 ========== Alternate Data Streams ==========

 

@Alternate Data Stream - 180 bytes -> C:\ProgramData\TEMP:DFC5A2B2

@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:E29ACA54

@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8

< End of report >

Und Extras.Txt

Code:

OTL Extras logfile created on: 06.12.2009 21:46:12 - Run 1

OTL by OldTimer - Version 3.1.11.8     Folder = C:\Users\Eifel-Kaffee 2\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18828)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

1021,32 Mb Total Physical Memory | 491,20 Mb Available Physical Memory | 48,10% Memory free

2,25 Gb Paging File | 1,50 Gb Available in Paging File | 66,77% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 74,53 Gb Total Space | 44,20 Gb Free Space | 59,31% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

 

Computer Name: TOSHIBA

Current User Name: Eifel-Kaffee 2

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

 
 ========== Extra Registry (SafeList) ==========

 

 
 ========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

 

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

 
 ========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

chm.file [open] -- "%SystemRoot%\hh.exe" %1

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

 
 ========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

 
 ========== Authorized Applications List ==========

 

 
 ========== Vista Active Open Ports Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{03AEB1D6-316A-425B-A028-3A5D871E959A}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 

"{0D040324-126B-493C-93C5-0DB64C1F909C}" = rport=138 | protocol=17 | dir=out | app=system | 

"{0F2A5917-C585-4F47-926C-1F8F17C63767}" = rport=139 | protocol=6 | dir=out | app=system | 

"{1E4157A5-FE2F-4E6F-89D3-6A10E43C6789}" = lport=10243 | protocol=6 | dir=in | app=system | 

"{22D84576-5FE4-4906-BBD8-CE102604E9E0}" = lport=5031 | protocol=17 | dir=in | name=avm tapi services for fritz!box - udp 5031 | 

"{2BA1E7CD-2A7E-4D05-9DC6-113FA9317363}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{30BE8358-4715-4AD9-A37D-945421953053}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 

"{378E1153-B451-413E-810E-04EA72D0ECE9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 

"{3D1BC1BC-D9DC-461E-AA8E-2229F9770235}" = lport=2869 | protocol=6 | dir=in | app=system | 

"{4090A722-3F47-4693-A2CD-511B618ADF75}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{44DCA9C2-7676-4EB5-987A-471E307E2099}" = rport=445 | protocol=6 | dir=out | app=system | 

"{4B0E4A95-FD0E-4247-B32C-104133EAA1B6}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 

"{4BD8067F-23DE-4C43-BBD7-9904738FF9FD}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=c:\windows\system32\spoolsv.exe | 

"{5362725E-FCCE-4113-980D-FC9D6218A5DF}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 

"{61DCFD93-B07E-4732-92EE-996E939CAC29}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{64B768D0-5104-4E35-A105-80C69493600F}" = lport=138 | protocol=17 | dir=in | app=system | 

"{6EE6B1BD-5928-4225-B2CD-852795E11DC6}" = lport=139 | protocol=6 | dir=in | app=system | 

"{6F0D0BE2-D9A8-4512-A075-1E65E02C428D}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 

"{6FD3497D-2ADE-4C9F-AA04-49CBA491A052}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 

"{7515502D-6C13-4222-8E93-A2D01B8C3100}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 

"{8395BB33-102F-4B51-9B74-C95578C2D41C}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{9123368A-7054-45F2-A8BA-18EC37EF8CB3}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{92A6181C-3995-481A-953D-23EE078C3709}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 

"{9BA1AD5C-AE4E-4C62-96AA-5D342755399D}" = lport=137 | protocol=17 | dir=in | app=system | 

"{9DEA75B9-CD84-4E21-8EE3-B61229206118}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 

"{A0E475FB-9985-4B18-85F3-660F6A62973A}" = rport=2869 | protocol=6 | dir=out | app=system | 

"{A6DB7D0F-CD12-4DBF-BDBE-46114DABF7A7}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 

"{AFB0A8BC-7C9A-4AA9-8979-C00E4E5EBC1A}" = rport=137 | protocol=17 | dir=out | app=system | 

"{D46C9286-C099-4F6E-96E5-55B6543650AC}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 

"{D4AD6D6F-3668-4AA4-924D-9C556DFE7E7C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=datei- und druckerfreigabe (spoolerdienst - rpc-epmap) | 

"{D4E70EBD-FE27-4031-9F87-20E6EA2AD255}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 

"{D81B24B6-7588-4197-B3BB-8460BC332BBB}" = rport=10243 | protocol=6 | dir=out | app=system | 

"{DB2DAD60-1D27-413B-BE5A-57D44CC5E3FF}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 

"{DCAF6D3D-6268-46A5-9DC8-13554165C3BE}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{E275A021-6254-4CF4-B8DF-43FC2F10E327}" = lport=445 | protocol=6 | dir=in | app=system | 

"{E6F94FFD-155F-4EC2-A957-FC6E8F3FBE5C}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 

"{EBCF2295-1EF8-478F-9565-CFF53339C3F4}" = lport=2869 | protocol=6 | dir=in | app=system | 

"{EE530C87-9A37-4C53-8FB6-1BD346852562}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 

"{F1C926D2-EF5F-4907-BB87-DE397B0B51D2}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 

"{F5C76F02-A348-420C-82FC-8D11B300F60C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 

 
 ========== Vista Active Application Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{03EA08DB-8FFC-43D2-810B-9097555DF205}" = protocol=6 | dir=in | app=c:\users\eifel-kaffee 2\appdata\local\apps\2.0\ha4w3e1a.45t\998j5n1q.040\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\fritzbox-usb-fernanschluss.exe | 

"{073EA634-8750-4776-8CD0-696CACE24895}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 

"{0A5956F1-3486-4488-8694-8F468176E6EB}" = protocol=6 | dir=in | app=c:\program files\tapi services for fritz!box\fboxset.exe | 

"{1828AD09-ADB7-4B5E-B3B1-21F778D75B0F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 

"{218C0136-1A91-45AA-8EEB-41B6D41BAC6F}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 

"{24E10276-E850-4202-A22B-39FCDA5387B3}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{303A9EE8-D018-4DF4-9963-3FC951BE3155}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 

"{313ADBB7-B719-479C-B882-86712257E627}" = protocol=17 | dir=in | app=c:\program files\tapi services for fritz!box\fboxset.exe | 

"{3B5A23D6-7C22-4DEF-8494-6EA1DF88074F}" = protocol=17 | dir=in | app=c:\users\eifel-kaffee 2\appdata\local\apps\2.0\ha4w3e1a.45t\998j5n1q.040\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\fritzbox-usb-fernanschluss.exe | 

"{3CDE2F4B-776D-4E26-8D00-607C21574984}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 

"{3D063818-8EEF-4D98-82EA-46DFEDE690C6}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 

"{50CDBC6D-5623-4D81-942D-FB21B2B3D5C3}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 | 

"{57215715-11A2-49AF-B505-1E907C0E07F5}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{5D5654A1-0123-4E8D-B66F-321B22958312}" = protocol=58 | dir=out | name=datei- und druckerfreigabe (echoanforderung - icmpv6 ausgehend) | 

"{62322491-D8CD-4FEE-9ACC-D1C13918E513}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe | 

"{63151601-5EB1-4ED5-B4B8-846CEF8EF2B8}" = protocol=6 | dir=in | app=c:\program files\fritz!\igd_finder.exe | 

"{64013DAF-035F-4235-AD37-B46F8CE3FC2B}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe | 

"{6698F1BC-EF11-4310-9FBE-64FF9C31E771}" = protocol=6 | dir=in | app=c:\program files\buffalo\nasnavi\nasnavi.exe | 

"{66DE9A73-C10E-4930-B49E-F7BC59E6BC32}" = protocol=17 | dir=in | app=c:\program files\fritz!\igd_finder.exe | 

"{8963FFEF-5947-4BD1-B906-80A07C667BA5}" = protocol=1 | dir=out | name=datei- und druckerfreigabe (echoanforderung - icmpv4 ausgehend) | 

"{89BA1CA1-F071-4C35-BB33-3996A9F38190}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 

"{8D831126-B729-43EC-84EE-6D70F6C38AC2}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 

"{9405FEC9-64A7-46D7-B2BD-50555828DAC1}" = protocol=1 | dir=in | name=datei- und druckerfreigabe (echoanforderung - icmpv4 eingehend) | 

"{94AAEA25-9ABB-4683-BD9A-C4C2F430C8F8}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{9820ABE9-8A10-41D8-AB72-A46529685AF9}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 

"{99FABDB8-8809-4820-B179-8F1EE7548E13}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 

"{9C90D155-E574-4DF0-AB56-59FD9FAD4EE6}" = protocol=17 | dir=in | app=c:\program files\buffalo\nasnavi\nasnavi.exe | 

"{A411668E-B050-403E-9CDA-C80836B4195E}" = protocol=6 | dir=in | app=c:\program files\tapi services for fritz!box\igd_finder.exe | 

"{A6341A6C-E6D2-48D9-861E-74C915912E47}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 

"{B21DB6E8-7839-4EB7-BD12-B0DC35A3D5A0}" = protocol=6 | dir=out | app=system | 

"{B224000F-69B4-4B1D-9857-A40497F0E220}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 

"{C576F0C1-FC4F-4C91-BCDF-9C3850A9BB50}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 

"{C5F6245B-F3DC-4A06-93D7-9B088E2DE39D}" = protocol=6 | dir=in | app=c:\users\eifel-kaffee 2\appdata\local\apps\2.0\ha4w3e1a.45t\998j5n1q.040\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\fritzbox-usb-fernanschluss.exe | 

"{C8E815EF-B189-4808-A0B7-2B8AA599C198}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 

"{D1AFDC57-4E2B-4211-9DB1-AD5741196871}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 

"{D2321DE1-67E6-4CFD-A485-2062898F0C31}" = protocol=17 | dir=in | app=c:\users\eifel-kaffee 2\appdata\local\apps\2.0\ha4w3e1a.45t\998j5n1q.040\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\fritzbox-usb-fernanschluss.exe | 

"{D476F701-18A1-4F74-96CE-CCDEB8624920}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 

"{D945F86C-6B1C-4E99-8E3E-1F653B23A936}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 

"{DA7F92C4-5E22-4D63-9463-F0536DA2FE42}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqsudi.exe | 

"{DF35FEFE-CBB1-4A18-9358-98E7DF308996}" = protocol=17 | dir=in | app=c:\program files\tapi services for fritz!box\igd_finder.exe | 

"{E27C0915-4351-46A0-B277-F20355826123}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 

"{E67ACE1E-64FC-4346-9999-7108A6A4469A}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 

"{E8B5DE5C-5B71-4518-869E-07075E90910B}" = protocol=58 | dir=in | name=datei- und druckerfreigabe (echoanforderung - icmpv6 eingehend) | 

"{EC8E1940-423E-4B97-9FBE-0AD334F538B9}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe | 

"{F062CF74-4E50-4C9D-96B7-2B0387A743CD}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 

"TCP Query User{1B54E4BE-99AD-4A21-BBCD-5F9746A52162}C:\program files\common files\ahead\nero web\setupx.exe" = protocol=6 | dir=in | app=c:\program files\common files\ahead\nero web\setupx.exe | 

"TCP Query User{8CFFAFFB-DE3B-490D-A765-43383B7CFD2C}\\eifel-kaffee\share\wolle soft\philips\media manager\philips media manager.exe" = protocol=6 | dir=in | app=\\eifel-kaffee\share\wolle soft\philips\media manager\philips media manager.exe | 

"TCP Query User{C16C7F39-2BFE-4E53-B353-E35204D68ED4}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | 

"TCP Query User{CE31147B-B367-4C47-8670-D7BD68834E41}C:\program files\namo\webeditor 2006\bin\webeditor.exe" = protocol=6 | dir=in | app=c:\program files\namo\webeditor 2006\bin\webeditor.exe | 

"TCP Query User{F56EDF58-216F-4731-9EBA-90512B088FE1}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 

"UDP Query User{0A3F064A-CF55-443D-8142-82EBFEF123C0}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 

"UDP Query User{4DCD6078-479D-41F5-BC35-DE1B85698425}C:\program files\namo\webeditor 2006\bin\webeditor.exe" = protocol=17 | dir=in | app=c:\program files\namo\webeditor 2006\bin\webeditor.exe | 

"UDP Query User{A071577C-F780-4D76-A933-D085C5D356A9}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | 

"UDP Query User{C8B70624-17E8-4DE8-A727-840F4F0D9AFC}\\eifel-kaffee\share\wolle soft\philips\media manager\philips media manager.exe" = protocol=17 | dir=in | app=\\eifel-kaffee\share\wolle soft\philips\media manager\philips media manager.exe | 

"UDP Query User{D5007418-44EF-4B0B-B08B-A97EFDC22CB3}C:\program files\common files\ahead\nero web\setupx.exe" = protocol=17 | dir=in | app=c:\program files\common files\ahead\nero web\setupx.exe | 

 
 ========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu

"{068724F8-D8BE-4B43-8DDD-B9FE9E49FD76}" = Scansoft PDF Professional

"{09BDEEF0-5590-457D-89A9-5DB2742F9BBF}" = 32 Bit HP CIO Components Installer

"{0C72C79F-2ECA-4595-B5FB-DDBE62D06B46}" = Lexware Elster

"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox

"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID-Anmelde-Assistent

"{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update

"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1

"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService

"{195F2C6C-A343-4b10-B1A4-3F00AB9E9DD9}" = Fax

"{20B30DC1-E423-4939-B51D-05C58B0F9BBB}" = HP Photosmart All-In-One Driver Software 10.0 Rel .2

"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java(TM) 6 Update 13

"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE

"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant

"{37888B36-58B5-41C6-BE67-B846BB4809FF}" = iS3 STOPzilla Toolbar

"{482019C6-E633-443F-A8D8-96F1915FECC5}" = CAS Interface Studio 8.6c

"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout

"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC

"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery

"{55A29068-F2CE-456C-9148-C869879E2357}" = TuneUp Utilities 2009

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc

"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1

"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

"{6B437F94-056F-4791-AF2C-0D10E2706AF0}" = PanoStandAlone

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan

"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport

"{90120000-0016-0000-0000-0000000FF1CE}" = Microsoft Office Excel 2007

"{90120000-0016-0000-0000-0000000FF1CE}_EXCEL_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0016-0000-0000-0000000FF1CE}_EXCEL_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007

"{90120000-0016-0407-0000-0000000FF1CE}_EXCEL_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0000-0000-0000000FF1CE}" = Microsoft Office PowerPoint 2007

"{90120000-0018-0000-0000-0000000FF1CE}_POWERPOINT_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0000-0000-0000000FF1CE}_POWERPOINT_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007

"{90120000-0018-0407-0000-0000000FF1CE}_POWERPOINT_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0000-0000-0000000FF1CE}" = Microsoft Office Word 2007

"{90120000-001B-0000-0000-0000000FF1CE}_WORD_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0000-0000-0000000FF1CE}_WORD_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007

"{90120000-001B-0407-0000-0000000FF1CE}_WORD_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007

"{90120000-001F-0407-0000-0000000FF1CE}_EXCEL_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0407-0000-0000000FF1CE}_POWERPOINT_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0407-0000-0000000FF1CE}_WORD_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_EXCEL_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}_POWERPOINT_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}_WORD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_EXCEL_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}_POWERPOINT_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}_WORD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007

"{90120000-001F-0410-0000-0000000FF1CE}_EXCEL_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0410-0000-0000000FF1CE}_POWERPOINT_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0410-0000-0000000FF1CE}_WORD_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007

"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007

"{90120000-006E-0407-0000-0000000FF1CE}_EXCEL_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-006E-0407-0000-0000000FF1CE}_POWERPOINT_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-006E-0407-0000-0000000FF1CE}_WORD_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{980A3C34-1652-472D-84AC-2A4D3D4955BF}" = Namo WebEditor 2006

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel

"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter

"{A7B5CF5F-6BB3-4616-950E-0CF3C9A023AD}" = Namo WebUtilities 2006

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder

"{AC76BA86-7AD7-1031-7B44-A81300000003}" = Adobe Reader 8.1.3 - Deutsch

"{ACDE260A-602B-4cfb-A650-D0DBA6FFAD85}" = NetDeviceManager

"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin

"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4

"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan

"{B26B00DA-2E5D-4CF2-83C5-911198C0F009}" = GoodSync

"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc

"{b9be267c-e096-4cce-a4fd-f24eec004938}" = PS_AIO_02_ProductContext

"{c4549405-195f-4450-8865-6be9dc5ad136}" = PS_AIO_02_Software_Min

"{c600ab3d-8b64-41df-bf36-b3d87ce0706b}" = C7200_Help

"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg

"{cd0b9359-b716-4fd0-8e0a-09b3e312e8a4}" = PS_AIO_02_Software

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba

"{CECEB0FF-5C45-4b50-9A00-C596E36D88F4}" = C7200

"{CF097717-F174-4144-954A-FBC4BF301031}" = Nero 7 Ultra Edition

"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential

"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component

"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01

"{E11DFB49-0F7A-4FC5-B6D2-AD0A3CA7F152}" = AVM FRITZ!Fernzugang

"{EBFF3839-5A5B-400A-B8A2-4A627C4B29B4}" = Nuance PDF Professional 5

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy

"{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = TIPCI

"1&1 MultiMessenger" = 1&1 MultiMessenger

"1&1 SmartFax" = 1&1 SmartFax

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe SVG Viewer" = Adobe SVG Viewer 3.0

"AVMFBoxPrinter" = AVM FRITZ!Box Druckeranschluss

"AVS Update Manager_is1" = AVS Update Manager 1.0

"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3

"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6

"Backup4all 3_is1" = Backup4all 3

"Browser Defender_is1" = Browser Defender 2.0.6.11

"CCleaner" = CCleaner

"EXCEL" = Microsoft Office Excel 2007

"Fausto" = Fausto

"FRITZ! 2.0" = AVM FRITZ!fax für FRITZ!Box

"Google Updater" = Google Updater

"HP Imaging Device Functions" = HP Imaging Device Functions 10.0

"HP Photosmart Essential" = HP Photosmart Essential 3.5

"HP Smart Web Printing" = HP Smart Web Printing

"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0

"HPOCR" = OCR Software by I.R.I.S. 10.0

"ImgBurn" = ImgBurn

"InstallShield_{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = Texas Instruments PCIxx21/x515/xx12 drivers.

"Internet-Radio Player_is1" = Internet-Radio Player Version 2.01.4

"IrfanView" = IrfanView (remove only)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)

"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)

"POWERPOINT" = Microsoft Office PowerPoint 2007

"RealPlayer 6.0" = RealPlayer

"SetEditArgus" = SetEditArgus (remove only)

"Spyware Doctor" = Spyware Doctor 7.0

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"SystemRequirementsLab" = System Requirements Lab

"TAPI" = AVM TAPI Services for FRITZ!Box

"UN060501" = BUFFALO NAS Navigator2

"UseNeXT_is1" = UseNeXT

"VLC media player" = VLC media player 0.9.9

"web'n'walk Manager" = web'n'walk Manager

"WinRAR archiver" = WinRAR archiver

"WORD" = Microsoft Office Word 2007

 
 ========== HKEY_CURRENT_USER Uninstall List ==========

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"f6791b188d8f3ff8" = AVM FRITZ!Box USB-Fernanschluss

 
 ========== Last 10 Event Log Errors ==========

 

[ Application Events ]

Error - 06.12.2009 03:31:50 | Computer Name = Toshiba | Source = VSS | ID = 8194

Description = 

 

Error - 06.12.2009 03:41:57 | Computer Name = Toshiba | Source = Application Error | ID = 1000

Description = Fehlerhafte Anwendung Explorer.EXE, Version 6.0.6002.18005, Zeitstempel

 0x49e01da5, fehlerhaftes Modul SHELL32.dll, Version 6.0.6002.18005, Zeitstempel

 0x49e037ec, Ausnahmecode 0xc0000005, Fehleroffset 0x002d2c67,  Prozess-ID 0x7cc, 

Anwendungsstartzeit 01ca76441ef2c489.

 

Error - 06.12.2009 03:44:39 | Computer Name = Toshiba | Source = Application Hang | ID = 1002

Description = Programm MozBackup.exe, Version 1.4.8.0 arbeitet nicht mehr mit Windows

 zusammen und wurde beendet. Überprüfen Sie den Problemverlauf im Applet "Lösungen

 für Probleme" in der Systemsteuerung, um nach weiteren Informationen über das Problem

 zu suchen.  Prozess-ID: fcc  Anfangszeit: 01ca764785408ee9  Zeitpunkt der Beendigung:

 5

 

Error - 06.12.2009 07:44:03 | Computer Name = Toshiba | Source = RasClient | ID = 20227

Description = 

 

Error - 06.12.2009 09:19:16 | Computer Name = Toshiba | Source = EventSystem | ID = 4609

Description = 

 

Error - 06.12.2009 09:19:59 | Computer Name = Toshiba | Source = EventSystem | ID = 4609

Description = 

 

Error - 06.12.2009 09:19:59 | Computer Name = Toshiba | Source = VSS | ID = 19

Description = 

 

Error - 06.12.2009 09:19:59 | Computer Name = Toshiba | Source = VSS | ID = 8193

Description = 

 

Error - 06.12.2009 09:29:37 | Computer Name = Toshiba | Source = EventSystem | ID = 4609

Description = 

 

Error - 06.12.2009 10:00:37 | Computer Name = Toshiba | Source = EventSystem | ID = 4609

Description = 

 

[ System Events ]

Error - 06.12.2009 13:45:17 | Computer Name = Toshiba | Source = Service Control Manager | ID = 7026

Description = 

 

Error - 06.12.2009 15:04:37 | Computer Name = Toshiba | Source = Service Control Manager | ID = 7030

Description = 

 

Error - 06.12.2009 15:11:19 | Computer Name = Toshiba | Source = Service Control Manager | ID = 7022

Description = 

 

Error - 06.12.2009 15:12:57 | Computer Name = Toshiba | Source = Service Control Manager | ID = 7030

Description = 

 

Error - 06.12.2009 15:18:06 | Computer Name = Toshiba | Source = EventLog | ID = 6008

Description = Das System wurde zuvor am 06.12.2009 um 20:15:57 unerwartet heruntergefahren.

 

Error - 06.12.2009 15:20:07 | Computer Name = Toshiba | Source = Service Control Manager | ID = 7022

Description = 

 

Error - 06.12.2009 15:27:47 | Computer Name = Toshiba | Source = Service Control Manager | ID = 7030

Description = 

 

Error - 06.12.2009 15:33:25 | Computer Name = Toshiba | Source = EventLog | ID = 6008

Description = Das System wurde zuvor am 06.12.2009 um 20:28:55 unerwartet heruntergefahren.

 

Error - 06.12.2009 15:35:25 | Computer Name = Toshiba | Source = Service Control Manager | ID = 7022

Description = 

 

Error - 06.12.2009 16:51:58 | Computer Name = Toshiba | Source = ipnathlp | ID = 31004

Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet

 werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner 

Fehler ist im Speicher-Manager aufgetreten.

 

[ TuneUp Events ]

Error - 22.11.2009 17:37:59 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-11-22 22:37:59', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\mbam.exe','4612',0)

 

Error - 22.11.2009 17:40:10 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-11-22 22:40:10', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\mbam.exe','5796',0)

 

Error - 22.11.2009 17:42:15 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-11-22 22:42:15', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\mbam.exe','6080',0)

 

Error - 22.11.2009 17:57:45 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-11-22 22:57:45', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\mbamgui.exe','1864',0)

 

Error - 22.11.2009 17:59:55 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-11-22 22:59:55', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\mbam.exe','4600',0)

 

Error - 23.11.2009 03:18:22 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-11-23 08:18:21', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\unins000.exe','5164',0)

 

Error - 23.11.2009 03:23:54 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-11-23 08:23:54', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\mbam.exe','5996',0)

 

Error - 23.11.2009 03:24:34 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-11-23 08:24:34', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\mbamgui.exe','4620',0)

 

Error - 03.12.2009 16:24:50 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-12-03 21:24:50', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\mbam.exe','3980',0)

 

Error - 03.12.2009 16:25:00 | Computer Name = Toshiba | Source = TuneUp Program Statistics | ID = 131840

Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO

 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-12-03 21:25:00', '\device\harddiskvolume1\program

 files\malwarebytes' anti-malware\mbam.exe','4728',0)

 

 

< End of report >

Hoffe es gibt eine Lösung.

Bis Dann, Wolle

Hallo,

ich möchte dir nicht zu Nahe treten, aber ist dies ein Geschäftsrechner? :)

ist dies deine Seite? Eifel Kaffee

Hallo Angel21,

der Name und die Homepage sind wohl richtig, jedoch dient der Laptop nur der Datensicherung. Wenn dies ein Problem sein sollte kann ich ihn gerne umtaufen :-(

Gruss Wolle

Hallo,

VERSCHIEBE die Atapi.sys aus dem C.\Windows\system32\drivers Ordner bitte auf dem Desktop. Wie gesagt VERSCHIEBEN nicht kopieren.

Danach drücke F5 um zu sehen, ob die atapi.sys wieder in dem Ordner drivers ist, wenn ja alles okeh, dann Rechner rebooten und neues Gmer Logfile.

Hm, atapi.sys lässt sich nicht verschieben. Ist zwar nach dem Befehl ausschneiden heller wie die anderen Symbole aber bleibt im Ordner Drivers. ?!?
Gibts eine andere Möglichkeit?

Gruss Wolle

Habe gmer trotzdem laufen lasse. Vielleicht war es ja richtig. Hier das Protokoll:

Code:

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-12-07 21:37:46

Windows 6.0.6002 Service Pack 2

Running: imjdsm3r.exe; Driver: C:\Users\EIFEL-~1\AppData\Local\Temp\pwldipow.sys
 
 

---- System - GMER 1.0.15 ----
 

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                                       ZwCreateProcess [0x86813CDE]

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                                       ZwCreateProcessEx [0x86813ED0]

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                                       ZwTerminateProcess [0x86813984]

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                                       ZwCreateUserProcess [0x868140D8]
 

---- Kernel code sections - GMER 1.0.15 ----
 

.text           ntoskrnl.exe!KeInsertQueue + 3F9                                                                                                                   8247EA30 8 Bytes  [DE, 3C, 81, 86, D0, 3E, 81, ...]

.text           ntoskrnl.exe!KeInsertQueue + 811                                                                                                                   8247EE48 4 Bytes  [84, 39, 81, 86]

.text           ntoskrnl.exe!KeInsertQueue + 8D5                                                                                                                   8247EF0C 4 Bytes  [D8, 40, 81, 86]

.rsrc           C:\Windows\system32\drivers\atapi.sys                                                                                                              entry point in ".rsrc" section [0x82FB8000]
 

---- User IAT/EAT - GMER 1.0.15 ----
 

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                                                              [748A7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                                               [748FA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                                                           [748ABB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                                                     [7489F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                                               [748A75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                                                            [7489E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]                                                [748D8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]                                                   [748ADA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                                                           [7489FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                                                            [7489FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                                                             [748971CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]                                                     [7492CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]                                                        [748CC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                                                           [7489D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                                                     [74896853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                                                    [7489687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1936] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                                                       [748A2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
 

---- Devices - GMER 1.0.15 ----
 

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                                                                            Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                                                                            Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice  \Driver\tdx \Device\Tcp                                                                                                                            tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
 

Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0                                                                                                        [82FB49B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                                 [82FB49B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                                 [82FB49B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2                                                                                                        [82FB49B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
 

---- Modules - GMER 1.0.15 ----
 

Module          \SystemRoot\system32\DRIVERS\serscan.sys (*** hidden *** )                                                                                         9C20F000-9C217000 (32768 bytes)                                                                                                                                      
 

---- Registry - GMER 1.0.15 ----
 

Reg             HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Control\Print\Printers\HP Photosmart C7200 series@PrinterOnLine      0

Reg             HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Control\Print\Printers\HP Photosmart C7200 series fax@PrinterOnLine  0

Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd502966                                                                        

Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd502966 (not active ControlSet)                                                    
 

---- Files - GMER 1.0.15 ----
 

File            C:\Windows\system32\drivers\atapi.sys                                                                                                              suspicious modification
 

---- EOF - GMER 1.0.15 ----

Hoffe es war richtig,

thx wolle

Wieso ausschneiden? Du sollst sie lediglich mit Drag and Drop verschieben auf deinem Desktop. ;)

Ja, hab ich versucht und es kommt immer die Meldung "Die Aktion kann nicht abgeschlossen werden, da die Datei in einem anderem Programm geöffnet ist"

Meldung erscheint auch im abgesichertem Modus

Start --> ausführen (Vista User: suche starten) --> notepad (reinschreiben)
Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code:

@echo off

cd \

copy C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys C:\

Speichere diese unter service.bat auf Deinem Desktop.
Wähle bei Dateityp alle Dateien aus.
Bei Codierung bitte ANSI auswählen.
Doppelklick auf die service.bat
Vista- User: Mit Rechtsklick "als Administrator starten" ausführen.

......................................................................................................................

Anleitung Avenger (by swandog46)

Lade dir das Tool Hopsassa und speichere es auf dem Desktop:

Doppelklick auf das Avenger-Symbol http://saved.im/mzi3ntr4adf5/trert.jpg

Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"

Code:

Files to move:

C:\atapi.sys | C:\Windows\System32\drivers\atapi.sys

http://saved.im/mzi3ndg3nta0/aven.jpg

Schliesse nun alle Programme und Browser-Fenster

Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet

Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt

Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

Hier nun die avenger.txt

Code:

Logfile of The Avenger Version 2.0, (c) by Swandog46

http://swandog46.geekstogo.com
 

Platform:  Windows Vista
 

*******************
 

Script file opened successfully.

Script file read successfully.
 

Backups directory opened successfully at C:\Avenger
 

*******************
 

Beginning to process script file:
 

Rootkit scan active.

No rootkits found!
 

File move operation "C:\atapi.sys|C:\Windows\System32\drivers\atapi.sys" completed successfully.
 

Completed script processing.
 

*******************
 

Finished!  Terminate.

Liest sich gut, ist es auch so??? ;-)

Gruss wolle

Hallo angel21,

hier der gmer scan von eben:

Code:

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-12-08 19:03:20

Windows 6.0.6002 Service Pack 2

Running: imjdsm3r.exe; Driver: C:\Users\EIFEL-~1\AppData\Local\Temp\pwldipow.sys
 
 

---- System - GMER 1.0.15 ----
 

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                         ZwCreateProcess [0x86810CDE]

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                         ZwCreateProcessEx [0x86810ED0]

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                         ZwTerminateProcess [0x86810984]

SSDT            \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                         ZwCreateUserProcess [0x868110D8]
 

---- Kernel code sections - GMER 1.0.15 ----
 

.text           ntoskrnl.exe!KeInsertQueue + 3F9                                                                     82476A30 8 Bytes  [DE, 0C, 81, 86, D0, 0E, 81, ...]

.text           ntoskrnl.exe!KeInsertQueue + 811                                                                     82476E48 4 Bytes  [84, 09, 81, 86]

.text           ntoskrnl.exe!KeInsertQueue + 8D5                                                                     82476F0C 4 Bytes  [D8, 10, 81, 86]
 

---- User IAT/EAT - GMER 1.0.15 ----
 

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                [745F7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                 [7464A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]             [745FBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]       [745EF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                 [745F75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]              [745EE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [74628395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]     [745FDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]             [745EFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]              [745EFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]               [745E71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]       [7467CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]          [7461C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]             [745ED968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                       [745E6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                      [745E687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[1792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]         [745F2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
 

---- Devices - GMER 1.0.15 ----
 

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                              Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                              Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice  \Driver\tdx \Device\Tcp                                                                              tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
 

---- Registry - GMER 1.0.15 ----
 

Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd502966                          

Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd502966 (not active ControlSet)      
 

---- EOF - GMER 1.0.15 ----

Gruss wolle

Gibt es noch Fehler?
wie fühlt sich der Rechner zur Zeit an?

Zur Zeit einwandfrei. Keine Fehlermeldung mehr. Zur Zeit läuft Microsoft Essentials und seit ich den Rechner Heute gestartet habe keine Meldung mehr.
Sollte das Übel nun überstanden sein?

Hallo,

okeh, lass uns mal deinen normalen Antiviren Scanner starten - und eine komplette Systemprüfung durchnehmen. Das Log hier in deinen Thread.

Danach:

http://www.trojaner-board.de/51187-a...i-malware.html

Hier der mbam-log:

Code:

Malwarebytes' Anti-Malware 1.41

Datenbank Version: 3288

Windows 6.0.6002 Service Pack 2
 

09.12.2009 02:15:28

mbam-log-2009-12-09 (02-15-27).txt
 

Scan-Methode: Vollständiger Scan (C:\|D:\|)

Durchsuchte Objekte: 219362

Laufzeit: 1 hour(s), 49 minute(s), 36 second(s)
 

Infizierte Speicherprozesse: 0

Infizierte Speichermodule: 0

Infizierte Registrierungsschlüssel: 0

Infizierte Registrierungswerte: 0

Infizierte Dateiobjekte der Registrierung: 0

Infizierte Verzeichnisse: 0

Infizierte Dateien: 0
 

Infizierte Speicherprozesse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Speichermodule:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungsschlüssel:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungswerte:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateiobjekte der Registrierung:

(Keine bösartigen Objekte gefunden)
 

Infizierte Verzeichnisse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateien:

(Keine bösartigen Objekte gefunden)

Virendurchsung fand diesen:
Alert level
VirTool:Win32/VBInject.BE

wurde entfernt. Leider keine Logdatei von Microsoft Essentials.

Gruss Wolle

ESET Online Scanner
- Anmerkung für Vista-User: Bitte den Browser unbedingt als Administrator starten.
- Button "ESET Online Scanner" drücken.
- Firefox-User müssen ein zusätzliches Addon (esetsmartinstaller_enu.exe) installieren.
- Das Firefox-Addon auf dem Desktop speichern und dann installieren.
- IE-User müssen das Installieren eines ActiveX Elements erlauben.
- Einen Haken bei "Remove found threads" und "Scan archives" machen.
- Start drücken.
- Der Scan beginnt automatisch.
- Finish drücken.
- Browser schließen.
- Explorer öffnen.
- C:\Programme\Eset\EsetOnlineScanner\log.txt suchen und mit Deinem Editor öffnen.
- Logfile hier posten.
- Deinstallation: Systemsteuerung => Software => Eset Online Scanner V3 entfernen.
- Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset
- IE-User zusätzlich: mit HJT folgenden Eintrag fixen:
- O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control)

Hallo angel21,

nun also der Log von Eset:

Code:

ESETSmartInstaller@High as downloader log:

all ok

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=52207f7f96789e488397b1cd3d3dabeb

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-09 08:08:33

# local_time=2009-12-09 09:08:33 (+0100, Mitteleuropäische Zeit)

# country="Germany"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=2560 16777215 100 0 0 0 0 0

# compatibility_mode=5892 16776574 100 100 171287 97914705 0 0

# compatibility_mode=8192 67108863 100 0 4608 4608 0 0

# scanned=115745

# found=1

# cleaned=1

# scan_time=7334

C:\Users\Eifel-Kaffee 2\AppData\Local\Temp\Av-test.txt        Eicar test file (cleaned by deleting - quarantined)        00000000000000000000000000000000        C

Gruss Wolle

Zitat:

C:\Users\Eifel-Kaffee 2\AppData\Local\Temp\Av-test.txt Eicar test file (cleaned by deleting - quarantined)

hehe, die liebe Eicar Testdatei. :)

Wie fühlt sich denn der Rechner an? Treten noch irgendwelche Probleme, Schwierigkeiten oder dergleichen auf?

Hi,

alles läuft einwandfrei, keine Meldungen mehr und keine Probleme.
Ist es überstanden???

Gruss Wolle

Machen wir nochmal 1 Scan.

Panda Active Scan

Folgende Seite führt dich durch die Installation: PandaActiveScan2.0 Installation

Drücke auf Jetzt Scannen!

Eine Registrierung ist nicht erforderlich!

Nachdem der Scan abgeschlossen ist drücke auf das Text-Icon Export und speichere das log auf dem Desktop.
Öffne die Datei ActiveScan.txt die sich nun auf deinem Desktop befindet und poste uns den Inhalt.

Also hier der Panda Scan mit einem Fund.

Code:

;***********************************************************************************************************************************************************************************

ANALYSIS: 2009-12-10 18:50:37

PROTECTIONS: 1

MALWARE: 1

SUSPECTS: 1

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description                                  Version                       Active    Updated

;===================================================================================================================================================================================

Microsoft Security Essentials                                              Yes       Yes

;===================================================================================================================================================================================

MALWARE

Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location

;===================================================================================================================================================================================

03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\$recycle.bin\s-1-5-21-1540689520-2443425850-2373690623-1000\$rhrztye.exe

;===================================================================================================================================================================================

SUSPECTS

Sent      Location

;===================================================================================================================================================================================

No        c:\$recycle.bin\s-1-5-21-1540689520-2443425850-2373690623-1000\$r8g5vuw.exe

;===================================================================================================================================================================================

VULNERABILITIES

Id        Severity       Description

;===================================================================================================================================================================================

;===================================================================================================================================================================================

Gruss Wolle

Gut Funde löschen von Panda Sctive Scan.
Poste mir eine Uninstall Liste von Hijackthis.

Öffne Hijackthis.exe -> Open The Misc Tool Section -> Open Uninstall manager -> Save List.
Liste hier herein posten.

Hier die uninstall List:

Code:

1&1 MultiMessenger

1&1 SmartFax

32 Bit HP CIO Components Installer

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.4 - Deutsch

Adobe SVG Viewer 3.0

AVM FRITZ!Box Druckeranschluss

AVM FRITZ!Fernzugang

AVS Update Manager 1.0

AVS Video Converter 6

AVS4YOU Software Navigator 1.3

Backup4all 3

Bluetooth Stack for Windows by Toshiba

BUFFALO NAS Navigator

CAS Interface Studio 8.6c

Fausto

GoodSync

Google Update Helper

Google Updater

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Imaging Device Functions 10.0

HP Photosmart All-In-One Driver Software 10.0 Rel .2

HP Photosmart Essential 3.5

HP Smart Web Printing

HP Solution Center 10.0

HP Update

ImgBurn

Internet-Radio Player Version 2.01.4

IrfanView (remove only)

Java(TM) 6 Update 13

Lexware Elster

Microsoft .NET Framework 3.5 Language Pack SP1 - deu

Microsoft .NET Framework 3.5 Language Pack SP1 - DEU

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1

Microsoft Antimalware

Microsoft Antimalware Service DE-DE Language Pack

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel 2007

Microsoft Office Excel 2007

Microsoft Office Excel MUI (German) 2007

Microsoft Office Live Add-in 1.4

Microsoft Office PowerPoint 2007

Microsoft Office PowerPoint 2007

Microsoft Office PowerPoint MUI (German) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (German) 2007

Microsoft Office Proof (Italian) 2007

Microsoft Office Proofing (German) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (German) 2007

Microsoft Office Word 2007

Microsoft Office Word 2007

Microsoft Office Word MUI (German) 2007

Microsoft Security Essentials

Microsoft Security Essentials

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Mozilla Firefox (3.5.5)

Mozilla Thunderbird (2.0.0.23)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Namo WebEditor 2006

Namo WebUtilities 2006

Nero 7 Ultra Edition

neroxml

Nuance PDF Professional 5

OCR Software by I.R.I.S. 10.0

Panda ActiveScan 2.0

RealPlayer

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB973704)

Security Update for 2007 Microsoft Office System (KB973704)

Security Update for CAPICOM (KB931906)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft Office Excel 2007 (KB973593)

Security Update for Microsoft Office PowerPoint 2007 (KB957789)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB969613)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office system 2007 (KB974234)

SetEditArgus (remove only)

Spyware Doctor 7.0

Synaptics Pointing Device Driver

System Requirements Lab

Texas Instruments PCIxx21/x515/xx12 drivers.

TuneUp Utilities 2009

Update for 2007 Microsoft Office System (KB967642)

Update for 2007 Microsoft Office System (KB967642)

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office InfoPath 2007 (KB976416)

Update for Microsoft Office InfoPath 2007 (KB976416)

Update for Microsoft Office InfoPath 2007 (KB976416)

Update for Microsoft Office Word 2007 (KB974561)

Update für Microsoft Office Excel 2007 Help (KB963678)

Update für Microsoft Office Powerpoint 2007 Help (KB963669)

Update für Microsoft Office Word 2007 Help (KB963665)

UseNeXT

VLC media player 0.9.9

web'n'walk Manager

Windows Live ID-Anmelde-Assistent

Windows Media Player Firefox Plugin

WinRAR archiver

Wolle

Deinstalliere: ALLE Programme die wir verwendet haben bei der Bereinigung.

Außer Combofix das machen wir anders. Und zwar Start - Ausführen - combofix /uninstall

Deinstalliere noch:
Adobe Reader 8.1.4 - Deutsch<<wird durch neue Version ersetzt
Java Runtime Update 13 - wird durch neue Version ersetzt

Hi angel21,

combofix hatte ich wohl schon entfernt. Wird nicht mehr gefunden. Ansonsten alles deinstalliert. Soll ich java und adobe neu laden? und was darf ich noch machen?

Gruss Wolle

Adobe:
Adobe - Adobe Reader herunterladen - Alle Versionen

Java:
Java-Downloads für alle Betriebssysteme - Sun Microsystems

Installieren danach ein neues Hijackthis Log -> Öffne Hijackthis -> Do a system scan and save Logfile -> hier in deinen Thread hereinstellen.

Hallo, der hijack logfile:

Code:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:03:25, on 10.12.2009

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18865)

Boot mode: Normal
 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\WindowsMobile\wmdcBase.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe

C:\Program Files\BUFFALO\NASNAVI\nassche.exe

C:\Program Files\Synaptics\SynTP\SynToshiba.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: ZeonIEEventHelper Class - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Nuance PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe

O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Windows\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe

O4 - Startup: NAS Scheduler.lnk = C:\Program Files\BUFFALO\NASNAVI\nassche.exe

O4 - Global Startup: McAfee Security Scan.lnk = ?

O8 - Extra context menu item: Mit Nuance PDF Converter 5.0 öffnen - res://C:\Program Files\Nuance\PDF Professional 5\cnvres_ger.dll /100

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: HP Intelligente Auswahl - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O23 - Service: AVM FRITZ!Fernzugang IKE Service (avmike) - AVM Berlin - C:\Program Files\FRITZ!Fernzugang\avmike.exe

O23 - Service: AVM FRITZ!Fernzugang Cert Service (certsrv) - AVM Berlin - C:\Program Files\FRITZ!Fernzugang\certsrv.exe

O23 - Service: Google Update Service (gupdate1c9e60912df045e) (gupdate1c9e60912df045e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: AVM FRITZ!Fernzugang Client (nwtsrv) - AVM Berlin - C:\Program Files\FRITZ!Fernzugang\nwtsrv.exe

O23 - Service: PDFProFiltSrv - Nuance Communications, Inc. - C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe

O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
 

--

End of file - 5999 bytes

Gruss Wolle

Die Google Toolbar kannst du entfernen, sie ist unnötig für Dein System. Danach neues HJT Log :)

Also hier der nächste hija:

Code:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:52:35, on 10.12.2009

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18865)

Boot mode: Normal
 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\WindowsMobile\wmdcBase.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe

C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe

C:\Program Files\BUFFALO\NASNAVI\nassche.exe

C:\Program Files\Synaptics\SynTP\SynToshiba.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1und1.de/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: ZeonIEEventHelper Class - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Nuance PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe

O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe

O4 - Startup: NAS Scheduler.lnk = C:\Program Files\BUFFALO\NASNAVI\nassche.exe

O4 - Global Startup: McAfee Security Scan.lnk = ?

O8 - Extra context menu item: Mit Nuance PDF Converter 5.0 öffnen - res://C:\Program Files\Nuance\PDF Professional 5\cnvres_ger.dll /100

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: HP Intelligente Auswahl - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O23 - Service: AVM FRITZ!Fernzugang IKE Service (avmike) - AVM Berlin - C:\Program Files\FRITZ!Fernzugang\avmike.exe

O23 - Service: AVM FRITZ!Fernzugang Cert Service (certsrv) - AVM Berlin - C:\Program Files\FRITZ!Fernzugang\certsrv.exe

O23 - Service: Google Update Service (gupdate1c9e60912df045e) (gupdate1c9e60912df045e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: AVM FRITZ!Fernzugang Client (nwtsrv) - AVM Berlin - C:\Program Files\FRITZ!Fernzugang\nwtsrv.exe

O23 - Service: PDFProFiltSrv - Nuance Communications, Inc. - C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe

O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
 

--

End of file - 5756 bytes

Gruss Wolle

Sorry, sollte die Toolbar wohl im hija löschen. Habe ich soeben nachgeholt:

Code:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:57:15, on 10.12.2009

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18865)

Boot mode: Normal
 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\WindowsMobile\wmdcBase.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe

C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe

C:\Program Files\BUFFALO\NASNAVI\nassche.exe

C:\Program Files\Synaptics\SynTP\SynToshiba.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1und1.de/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: ZeonIEEventHelper Class - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Nuance PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe

O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe

O4 - Startup: NAS Scheduler.lnk = C:\Program Files\BUFFALO\NASNAVI\nassche.exe

O4 - Global Startup: McAfee Security Scan.lnk = ?

O8 - Extra context menu item: Mit Nuance PDF Converter 5.0 öffnen - res://C:\Program Files\Nuance\PDF Professional 5\cnvres_ger.dll /100

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: HP Intelligente Auswahl - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O23 - Service: AVM FRITZ!Fernzugang IKE Service (avmike) - AVM Berlin - C:\Program Files\FRITZ!Fernzugang\avmike.exe

O23 - Service: AVM FRITZ!Fernzugang Cert Service (certsrv) - AVM Berlin - C:\Program Files\FRITZ!Fernzugang\certsrv.exe

O23 - Service: Google Update Service (gupdate1c9e60912df045e) (gupdate1c9e60912df045e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: AVM FRITZ!Fernzugang Client (nwtsrv) - AVM Berlin - C:\Program Files\FRITZ!Fernzugang\nwtsrv.exe

O23 - Service: PDFProFiltSrv - Nuance Communications, Inc. - C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe

O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
 

--

End of file - 5531 bytes

Deaktiviere die Systemwiederherstellung in Vista.
Grund: Durch die Systemwiederherstellung wurden alte Systemwiederherstellungspunkte gespeichert, durch diese könntest du dich REinfizieren.

Hallo angel21,

vielen vielen vielen Dank für Deine Hilfe. Es kommt wirklich keine Fehlermeldung mehr. Hätte ich diesen Schädling auch mit einer Formatierung beseitigen können?

Ich wollte dich auch fragen welches Antiviren Programm du empfehlen würdest, aber aus deiner letzten Nachricht entnehme ich das es Kaspersky sein dürfte.

Letzte Frage, ich würde mich schon gerne erkenntlich zeigen. Nimmt euer Board auch eine kleine Spende an, oder soll ich vielleicht einen Banner Eures Boards auf meiner Homepage verlinken? Da ich nicht der Fan von unendlichen Partnerseiten bin wäre euer Banner der zweite.

Gruss und nochmals Danke,

Wolle

Zitat:

Es kommt wirklich keine Fehlermeldung mehr. Hätte ich diesen Schädling auch mit einer Formatierung beseitigen können?

Den hättest du auch mit Format C beseitigen können ja.

Zitat:

Ich wollte dich auch fragen welches Antiviren Programm du empfehlen würdest, aber aus deiner letzten Nachricht entnehme ich das es Kaspersky sein dürfte.

Ich genieße den kostenlosen Schutz von Avira Antivir Personal ;)
Aber mag Deine Entscheidung bleiben, welches du verwendest.

Zitat:

Nimmt euer Board auch eine kleine Spende an, oder soll ich vielleicht einen Banner Eures Boards auf meiner Homepage verlinken? Da ich nicht der Fan von unendlichen Partnerseiten bin wäre euer Banner der zweite.

http://www.trojaner-board.de/79994-s...ndenkonto.html

Zitat:

vielen vielen vielen Dank für Deine Hilfe.

Bitteschööööön, keine Ursache :)

BTW: Ändere nochmal alle Passwörter zu Mailkonto etc. :)