Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Tr/psw papras ab (https://www.trojaner-board.de/88745-tr-psw-papras-ab.html)

RealSnapshot 27.07.2010 17:05
Tr/psw papras ab
 
Hallo,

wie es aussieht hab ich mir einen Trojaner eingefangen...Da ich auf dem Gebiet keine Ahnung habe bitte ich hier um Hilfe.

Bitte sagt mir doch welche Logs von welchen Programmen ihr bracuht um diesen loszuwerden.

Danke im Voraus.

Angel21 27.07.2010 17:08
Hallo :hallo:

Arbeite folgende Liste ab:

1.) Lade dir Malwarebytes herunter - Starte nach dem installieren und Updaten die Funktion Quick Scan und Scanne deinen PC durch. Bitte alle Funde entfernen.

2.) CustomScan mit OTL

Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
Code:
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5

3.) Starte einen Scan mit Gmer laut Anleitung.

Postings von dir:
-OTL Logs
-Malwarebytes Logfile (zu finden unter Scan-Berichte Reiter oben)
-Gmer Log

RealSnapshot 27.07.2010 17:38
OTL Logfile:
Code:
OTL logfile created on: 27.07.2010 18:34:36 - Run 1
OTL by OldTimer - Version 3.2.9.1    Folder = C:\Users\Snapshot\Downloads
 Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 70,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 77,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68,74 Gb Total Space | 50,48 Gb Free Space | 73,43% Space Free | Partition Type: NTFS
Drive D: | 50,01 Gb Total Space | 25,33 Gb Free Space | 50,66% Space Free | Partition Type: NTFS
Drive E: | 114,14 Gb Total Space | 41,94 Gb Free Space | 36,75% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: SNAPSHOT-PC
Current User Name: Snapshot
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2010.07.27 18:28:43 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Snapshot\Downloads\OTL.exe
PRC - [2010.07.21 22:03:31 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2009.10.31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.09.27 17:48:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009.09.08 09:48:55 | 000,066,048 | ---- | M] (PostgreSQL Global Development Group) -- D:\PostgreSQL\8.4\bin\pg_ctl.exe
PRC - [2009.09.08 09:47:07 | 004,513,792 | ---- | M] (PostgreSQL Global Development Group) -- D:\PostgreSQL\8.4\bin\postgres.exe
PRC - [2009.09.05 18:29:06 | 000,385,024 | ---- | M] (shbox.de) -- C:\Programme\FreePDF_XP\fpassist.exe
PRC - [2009.07.21 15:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2009.07.14 03:14:47 | 001,121,280 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2009.07.14 03:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009.07.14 03:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009.05.13 17:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2009.05.07 03:01:00 | 001,904,640 | ---- | M] (AVM Berlin) -- C:\Programme\avmwlanstick\WLanGUI.exe
PRC - [2009.05.07 03:01:00 | 000,368,640 | ---- | M] (AVM Berlin) -- C:\Programme\avmwlanstick\WLanNetService.exe
PRC - [2009.03.02 14:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009.01.08 17:10:00 | 000,187,456 | ---- | M] (DATA BECKER GmbH & Co KG) -- C:\Programme\Common Files\DATA BECKER Shared\DBService.exe
PRC - [2005.12.18 15:18:56 | 000,307,200 | ---- | M] (Team H2O) -- C:\Programme\Syncrosoft\POS\H2O\cledx.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010.07.27 18:28:43 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Snapshot\Downloads\OTL.exe
MOD - [2009.07.14 03:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009.07.14 03:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009.07.14 03:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009.07.14 03:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009.07.14 03:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009.07.14 03:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009.07.14 03:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009.07.14 03:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009.07.14 03:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009.07.14 03:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009.07.14 03:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009.07.14 03:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2009.12.15 22:07:16 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- E:\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009.09.27 17:48:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009.09.08 09:48:55 | 000,066,048 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- D:\PostgreSQL\8.4\bin\pg_ctl.exe -- (postgresql-8.4)
SRV - [2009.07.21 15:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.07.16 17:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009.07.14 03:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009.07.14 03:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009.07.14 03:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009.07.14 03:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009.07.14 03:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009.07.14 03:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009.07.14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009.07.14 03:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009.07.14 03:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.07.14 03:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009.07.14 03:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009.07.14 03:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009.07.14 03:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009.07.14 03:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009.07.14 03:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX-Installer (AxInstSV)
SRV - [2009.07.14 03:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009.07.14 03:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009.05.13 17:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009.05.07 03:01:00 | 000,368,640 | ---- | M] (AVM Berlin) [Auto | Running] -- C:\Programme\avmwlanstick\WLanNetService.exe -- (AVM WLAN Connection Service)
SRV - [2009.01.08 17:10:00 | 000,187,456 | ---- | M] (DATA BECKER GmbH & Co KG) [Auto | Running] -- C:\Programme\Common Files\DATA BECKER Shared\DBService.exe -- (DBService)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Snapshot\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010.03.12 19:45:40 | 000,139,128 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PnkBstrK.sys -- (PnkBstrK)
DRV - [2009.12.11 09:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009.12.09 18:35:49 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009.11.08 17:39:06 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2009.09.27 17:12:22 | 009,509,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009.08.13 23:09:58 | 000,060,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\xusb21.sys -- (xusb21)
DRV - [2009.07.14 03:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009.07.14 03:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009.07.14 03:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009.07.14 03:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009.07.14 03:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009.07.14 03:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009.07.14 03:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009.07.14 03:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009.07.14 03:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009.07.14 03:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009.07.14 03:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009.07.14 03:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009.07.14 03:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009.07.14 03:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009.07.14 03:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009.07.14 03:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009.07.14 03:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009.07.14 03:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009.07.14 03:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009.07.14 03:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009.07.14 03:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009.07.14 03:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009.07.14 03:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009.07.14 03:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009.07.14 03:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009.07.14 03:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009.07.14 03:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009.07.14 03:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009.07.14 03:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009.07.14 03:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009.07.14 03:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009.07.14 03:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009.07.14 03:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009.07.14 03:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009.07.14 03:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009.07.14 03:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009.07.14 03:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009.07.14 03:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009.07.14 03:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009.07.14 03:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009.07.14 03:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009.07.14 02:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC-Seriellschnittstellentreiber (WDM)
DRV - [2009.07.14 02:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009.07.14 02:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009.07.14 01:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009.07.14 01:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009.07.14 01:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009.07.14 01:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009.07.14 01:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009.07.14 01:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009.07.14 01:51:23 | 000,080,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB-Audiotreiber (WDM)
DRV - [2009.07.14 01:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009.07.14 01:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009.07.14 01:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009.07.14 01:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009.07.14 01:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009.07.14 01:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009.07.14 01:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009.07.14 01:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009.07.14 01:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009.07.14 01:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009.07.14 01:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009.07.14 00:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009.07.14 00:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm) Brother MFC-nur-Fax-Modem (USB)
DRV - [2009.07.14 00:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer) Brother MFC-WDM-Treiber (USB,seriell)
DRV - [2009.07.14 00:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm) Brother WDM-Treiber (seriell)
DRV - [2009.07.14 00:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009.07.14 00:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009.07.14 00:02:50 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2009.07.14 00:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009.07.14 00:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009.07.14 00:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009.05.11 11:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.05.07 03:01:00 | 000,265,088 | ---- | M] (AVM GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\fwlanusb.sys -- (FWLANUSB)
DRV - [2009.03.30 11:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009.03.02 00:05:32 | 000,139,776 | ---- | M] (Realtek Corporation                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2009.02.13 13:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2005.05.09 21:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cledx.sys -- (CLEDX)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C4 FC 8D E1 22 60 CA 01  [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.21 22:03:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.22 10:52:09 | 000,000,000 | ---D | M]
 
[2009.11.08 05:31:36 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\mozilla\Extensions
[2009.11.08 05:31:36 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\mozilla\Firefox\Profiles\rmejjtr4.default\extensions
[2010.07.27 17:26:58 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.07.22 10:29:31 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010.07.22 10:52:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.04.12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2008.02.22 17:24:06 | 000,095,832 | ---- | M] () -- C:\Programme\Mozilla Firefox\plugins\NPPDLicenseHelper.dll
[2010.01.07 23:35:19 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.01.07 23:35:19 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.01.07 23:35:19 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.01.07 23:35:19 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.01.07 23:35:19 | 000,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2010.07.27 17:41:01 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1      localhost
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\WLanGUI.exe (AVM Berlin)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [H2O] C:\Programme\Syncrosoft\POS\H2O\cledx.exe (Team H2O)
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [ICQ] C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.220.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
 
========== Files/Folders - Created Within 90 Days ==========
 
[2010.07.27 18:20:29 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\Malwarebytes
[2010.07.27 18:20:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.07.27 18:20:14 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.07.27 18:20:14 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.07.27 18:20:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.07.27 18:16:02 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010.07.27 18:09:48 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Documents\Simply Super Software
[2010.07.27 18:09:10 | 000,000,000 | ---D | C] -- C:\Programme\Trojan Remover
[2010.07.27 18:09:10 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\Simply Super Software
[2010.07.27 18:09:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Simply Super Software
[2010.07.27 17:43:10 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010.07.27 17:42:24 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010.07.27 17:32:49 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010.07.27 17:32:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010.07.27 17:32:49 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010.07.27 17:29:44 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010.07.27 17:26:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.07.27 17:26:04 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010.07.25 20:32:09 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Steam
[2010.07.25 20:32:08 | 000,000,000 | ---D | C] -- C:\Programme\Steam
[2010.07.22 11:24:29 | 000,000,000 | ---D | C] -- C:\Programme\RVG Software
[2010.07.22 10:52:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010.07.22 10:52:23 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Java
[2010.07.22 10:33:07 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\skypePM
[2010.07.22 10:29:38 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\Skype
[2010.07.22 10:29:08 | 000,000,000 | R--D | C] -- C:\Programme\Skype
[2010.07.22 10:29:08 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Skype
[2010.07.22 10:29:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2010.07.21 17:50:25 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\TeamViewer
[2010.07.15 15:27:02 | 000,000,000 | ---D | C] -- C:\Programme\PSQLINSTALL
[2010.07.15 13:43:25 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\postgresql
[2010.07.01 19:17:48 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Documents\Soulseek Chat Logs
[2010.06.11 14:20:41 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Desktop\HHMiner_V1_21
[2010.06.11 09:26:10 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Local\Microsoft Games
[2010.06.03 16:23:58 | 000,000,000 | ---D | C] -- C:\Programme\TableScan Turbo
[2010.05.29 13:37:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Soulseek
[2010.05.29 13:37:35 | 000,000,000 | ---D | C] -- C:\Programme\SoulseekNS
[2010.05.25 16:22:52 | 000,000,000 | ---D | C] -- C:\Programme\PokerStove
[2010.05.15 04:17:34 | 000,000,000 | ---D | C] -- C:\HMArchive
[2010.05.15 02:41:00 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Local\Boss Media
[2010.05.15 02:41:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Boss Media
[2010.05.08 10:52:07 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\AppData\Roaming\runic games
[2010.05.06 23:48:51 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Documents\CAPCOM
[2010.05.04 22:52:17 | 000,000,000 | ---D | C] -- C:\Users\Snapshot\Documents\Settlers7
[2010.05.04 22:42:34 | 000,000,000 | ---D | C] -- C:\Programme\Ubisoft
[2010.05.03 18:52:51 | 000,000,000 | ---D | C] -- C:\Programme\uTorrent
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 90 Days ==========
 
[2010.07.27 18:34:33 | 002,097,152 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat
[2010.07.27 18:04:54 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010.07.27 18:04:54 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010.07.27 17:59:44 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.07.27 17:59:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.07.27 17:59:39 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2010.07.27 17:57:00 | 002,185,398 | -H-- | M] () -- C:\Users\Snapshot\AppData\Local\IconCache.db
[2010.07.27 17:41:07 | 000,000,243 | ---- | M] () -- C:\Windows\system.ini
[2010.07.27 17:41:01 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010.07.26 12:34:23 | 000,027,003 | ---- | M] () -- C:\Users\Snapshot\Documents\Kündigung.docx
[2010.07.26 11:47:07 | 000,047,104 | ---- | M] () -- C:\Windows\System32\forficli.dll
[2010.07.26 11:46:21 | 000,000,913 | ---- | M] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2010.07.26 10:55:57 | 000,001,021 | ---- | M] () -- C:\Users\Public\Desktop\Full Tilt Poker.lnk
[2010.07.25 20:32:08 | 000,002,527 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2010.07.25 20:14:50 | 000,000,471 | ---- | M] () -- C:\Windows\System32\Datei4
[2010.07.25 20:14:50 | 000,000,471 | ---- | M] () -- C:\Windows\System32\Datei2
[2010.07.25 20:14:50 | 000,000,470 | ---- | M] () -- C:\Windows\System32\Datei3
[2010.07.25 20:14:50 | 000,000,470 | ---- | M] () -- C:\Windows\System32\Datei1
[2010.07.25 20:14:50 | 000,000,469 | ---- | M] () -- C:\Windows\System32\Datei7
[2010.07.25 20:14:50 | 000,000,469 | ---- | M] () -- C:\Windows\System32\Datei5
[2010.07.25 20:14:50 | 000,000,468 | ---- | M] () -- C:\Windows\System32\Datei0
[2010.07.25 20:14:50 | 000,000,467 | ---- | M] () -- C:\Windows\System32\Datei9
[2010.07.25 20:14:50 | 000,000,467 | ---- | M] () -- C:\Windows\System32\Datei8
[2010.07.25 20:14:50 | 000,000,467 | ---- | M] () -- C:\Windows\System32\Datei10
[2010.07.25 20:14:50 | 000,000,465 | ---- | M] () -- C:\Windows\System32\Datei6
[2010.07.22 21:02:07 | 000,001,678 | ---- | M] () -- C:\Users\Snapshot\Desktop\HoldemManager - Verknüpfung.lnk
[2010.07.22 10:55:19 | 000,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2010.07.22 10:29:09 | 000,002,505 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2010.07.14 15:23:12 | 003,493,161 | ---- | M] () -- C:\Users\Snapshot\Desktop\BillBrandonVsSnapshot.mp3
[2010.06.19 18:04:53 | 000,483,227 | ---- | M] () -- C:\Users\Snapshot\Desktop\MilkHoneyBonnieDobson.mp3
[2010.06.17 18:47:31 | 001,472,002 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.06.17 18:47:31 | 000,643,628 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.06.17 18:47:31 | 000,606,992 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.06.17 18:47:31 | 000,126,188 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.06.17 18:47:31 | 000,103,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.06.17 14:31:50 | 000,018,753 | ---- | M] () -- C:\Users\Snapshot\Desktop\Antragsformular.pdf
[2010.06.11 17:07:16 | 000,015,857 | ---- | M] () -- C:\Windows\unins000.dat
[2010.06.11 17:06:55 | 000,678,746 | ---- | M] () -- C:\Windows\unins000.exe
[2010.06.11 14:12:54 | 000,302,352 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010.06.03 16:23:58 | 000,000,953 | ---- | M] () -- C:\Users\Public\Desktop\TableScan Turbo.lnk
[2010.05.29 15:23:14 | 000,016,499 | -HS- | M] () -- C:\Users\Snapshot\Desktop\Folder.jpg
[2010.05.29 15:23:14 | 000,016,499 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArt_{9B1E2307-1987-4E6C-93DF-92B98F8CB373}_Large.jpg
[2010.05.29 15:23:14 | 000,002,139 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArtSmall.jpg
[2010.05.29 15:23:14 | 000,002,139 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArt_{9B1E2307-1987-4E6C-93DF-92B98F8CB373}_Small.jpg
[2010.05.29 15:22:51 | 000,013,244 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArt_{688C9A63-C5AF-44C8-882F-0407866D362E}_Large.jpg
[2010.05.29 15:22:51 | 000,003,242 | -HS- | M] () -- C:\Users\Snapshot\Desktop\AlbumArt_{688C9A63-C5AF-44C8-882F-0407866D362E}_Small.jpg
[2010.05.29 13:41:47 | 000,600,899 | ---- | M] () -- C:\Users\Snapshot\Desktop\tpipsmb.mp3
[2010.05.28 20:38:35 | 000,001,599 | ---- | M] () -- C:\Windows\win.ini
[2010.05.25 16:22:53 | 000,000,933 | ---- | M] () -- C:\Users\Snapshot\Desktop\PokerStove.lnk
[2010.05.18 17:38:57 | 001,048,576 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.2.regtrans-ms
[2010.05.18 17:38:57 | 001,048,576 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.1.regtrans-ms
[2010.05.18 17:38:57 | 001,048,576 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.0.regtrans-ms
[2010.05.18 17:38:57 | 000,065,536 | -HS- | M] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.blf
[2010.05.15 11:52:40 | 000,001,695 | ---- | M] () -- C:\Users\Snapshot\Desktop\PartyPoker.lnk
[2010.05.15 02:39:04 | 000,004,608 | ---- | M] () -- C:\Users\Snapshot\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.04.29 12:19:24 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.04.29 12:19:14 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010.07.27 18:09:12 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2010.07.27 18:09:12 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
[2010.07.27 18:09:12 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2010.07.27 18:09:12 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2010.07.27 17:32:49 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010.07.27 17:32:49 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010.07.27 17:32:49 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010.07.27 17:32:49 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010.07.27 17:32:49 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010.07.26 11:47:07 | 000,047,104 | ---- | C] () -- C:\Windows\System32\forficli.dll
[2010.07.26 11:46:21 | 000,000,913 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2010.07.26 10:55:57 | 000,001,021 | ---- | C] () -- C:\Users\Public\Desktop\Full Tilt Poker.lnk
[2010.07.25 20:32:08 | 000,002,527 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
[2010.07.22 21:02:07 | 000,001,678 | ---- | C] () -- C:\Users\Snapshot\Desktop\HoldemManager - Verknüpfung.lnk
[2010.07.22 10:55:19 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010.07.22 10:29:09 | 000,002,505 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2010.07.21 20:48:44 | 000,027,003 | ---- | C] () -- C:\Users\Snapshot\Documents\Kündigung.docx
[2010.07.14 15:22:44 | 003,493,161 | ---- | C] () -- C:\Users\Snapshot\Desktop\BillBrandonVsSnapshot.mp3
[2010.06.19 18:04:52 | 000,483,227 | ---- | C] () -- C:\Users\Snapshot\Desktop\MilkHoneyBonnieDobson.mp3
[2010.06.17 14:31:50 | 000,018,753 | ---- | C] () -- C:\Users\Snapshot\Desktop\Antragsformular.pdf
[2010.06.11 17:07:11 | 000,678,746 | ---- | C] () -- C:\Windows\unins000.exe
[2010.06.11 17:07:11 | 000,015,857 | ---- | C] () -- C:\Windows\unins000.dat
[2010.06.03 16:23:58 | 000,000,953 | ---- | C] () -- C:\Users\Public\Desktop\TableScan Turbo.lnk
[2010.05.29 15:23:14 | 000,016,499 | -HS- | C] () -- C:\Users\Snapshot\Desktop\AlbumArt_{9B1E2307-1987-4E6C-93DF-92B98F8CB373}_Large.jpg
[2010.05.29 15:23:14 | 000,002,139 | -HS- | C] () -- C:\Users\Snapshot\Desktop\AlbumArt_{9B1E2307-1987-4E6C-93DF-92B98F8CB373}_Small.jpg
[2010.05.29 15:22:51 | 000,013,244 | -HS- | C] () -- C:\Users\Snapshot\Desktop\AlbumArt_{688C9A63-C5AF-44C8-882F-0407866D362E}_Large.jpg
[2010.05.29 15:22:51 | 000,003,242 | -HS- | C] () -- C:\Users\Snapshot\Desktop\AlbumArt_{688C9A63-C5AF-44C8-882F-0407866D362E}_Small.jpg
[2010.05.29 13:41:45 | 000,600,899 | ---- | C] () -- C:\Users\Snapshot\Desktop\tpipsmb.mp3
[2010.05.25 16:22:53 | 000,000,933 | ---- | C] () -- C:\Users\Snapshot\Desktop\PokerStove.lnk
[2010.05.18 17:38:57 | 001,048,576 | -HS- | C] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.2.regtrans-ms
[2010.05.18 17:38:57 | 001,048,576 | -HS- | C] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.1.regtrans-ms
[2010.05.18 17:38:57 | 001,048,576 | -HS- | C] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.0.regtrans-ms
[2010.05.18 17:38:57 | 000,065,536 | -HS- | C] () -- C:\Users\Snapshot\ntuser.dat{65c99bb4-0dc2-11df-8712-00040ec0e511}.TxR.blf
[2010.05.15 11:52:40 | 000,001,695 | ---- | C] () -- C:\Users\Snapshot\Desktop\PartyPoker.lnk
[2010.05.03 22:01:47 | 000,004,608 | ---- | C] () -- C:\Users\Snapshot\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.03.06 17:43:24 | 000,139,128 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2009.12.05 21:19:29 | 000,007,680 | ---- | C] () -- C:\Windows\System32\CNMVS5y.DLL
[2009.11.22 16:04:35 | 000,116,224 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2009.11.09 18:46:07 | 000,000,000 | ---- | C] () -- C:\Windows\HMHud.INI
[2009.10.31 03:56:44 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009.08.16 12:08:36 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009.08.03 01:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009.08.03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009.08.03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009.08.03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009.07.14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009.05.29 17:52:26 | 000,204,800 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009.05.29 17:47:06 | 000,881,664 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009.04.22 01:19:06 | 000,172,173 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2007.02.05 21:05:26 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
 
========== LOP Check ==========
 
[2010.04.12 23:40:48 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\Azureus
[2009.11.08 20:42:46 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\DAEMON Tools Lite
[2010.01.18 23:25:40 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\FOG Downloader
[2010.07.27 17:27:43 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\ICQ
[2010.07.15 13:43:32 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\postgresql
[2009.11.15 13:55:16 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\ProtectDisc
[2010.05.08 10:52:07 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\runic games
[2010.07.27 18:09:10 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\Simply Super Software
[2010.07.21 17:50:25 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\TeamViewer
[2010.07.27 17:58:40 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\uTorrent
[2009.11.08 17:23:29 | 000,000,000 | ---D | M] -- C:\Users\Snapshot\AppData\Roaming\Win7codecs
[2010.07.10 13:31:37 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.* >
[2009.06.10 23:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009.07.14 03:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2009.11.08 05:10:42 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010.07.27 17:42:22 | 000,010,774 | ---- | M] () -- C:\ComboFix.txt
[2009.06.10 23:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010.01.19 15:42:21 | 000,002,580 | ---- | M] () -- C:\fpRedmon.log
[2010.07.27 17:59:39 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2010.05.15 02:42:19 | 000,000,066 | ---- | M] () -- C:\ICSYSINF.log
[2010.07.27 17:59:39 | 2145,902,592 | -HS- | M] () -- C:\pagefile.sys
[2009.11.08 05:20:21 | 000,171,136 | RHS- | M] () -- C:\w7ldr
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
 
< %systemroot%\Tasks\*.job /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
 
< %systemroot%\system32\drivers\*.sys /90 >
[2010.04.29 12:19:14 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.04.29 12:19:24 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
 
< %systemroot%\system32\user32.dll /md5 >
[2009.07.14 03:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\System32\user32.dll
 
< %systemroot%\system32\ws2_32.dll /md5 >
[2009.07.14 03:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\System32\ws2_32.dll

< End of report >
--- --- ---

RealSnapshot 27.07.2010 17:39
OTL EXTRAS Logfile:
Code:
OTL Extras logfile created on: 27.07.2010 18:34:36 - Run 1
OTL by OldTimer - Version 3.2.9.1    Folder = C:\Users\Snapshot\Downloads
 Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 70,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 77,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68,74 Gb Total Space | 50,48 Gb Free Space | 73,43% Space Free | Partition Type: NTFS
Drive D: | 50,01 Gb Total Space | 25,33 Gb Free Space | 50,66% Space Free | Partition Type: NTFS
Drive E: | 114,14 Gb Total Space | 41,94 Gb Free Space | 36,75% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: SNAPSHOT-PC
Current User Name: Snapshot
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable
"{0B82D6C6-9ECC-4710-97AB-5CE482E72852}_is1" = TableScan Turbo v0.48c (BETA)
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 20
"{311EEFFE-8354-42D8-B2A0-A0666689F69F}" = Alesis io|2 ASIO Driver
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE
"{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}" = Adobe Audition 3.0
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{6D0C6BE4-F674-43D2-96BC-3509345108C9}_is1" = PokerStove version 1.23
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89286F5B-4B78-41DE-9982-B7AD010DE01B}" = *tmx englisch
"{8C0CAA7A-3272-4991-A808-2C7559DE3409}" = Win7codecs
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_STANDARD_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_STANDARD_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_STANDARD_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_STANDARD_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_STANDARD_{A0516415-ED61-419A-981D-93596DA74165}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_STANDARD_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_STANDARD_{26454C26-D259-4543-AA60-3189E09C5F76}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C916142-C18C-429D-BFED-40094A7E0BEB}" = Die Siedler 7
"{9FCCC8D1-3152-4699-8793-6CB0B9E26EBB}" = Miroslav Philharmonik Instruments
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.2 - Deutsch
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BA0D0121-A3BA-487D-9C78-7AB0E676C722}" = Miroslav Philharmonik
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Audition 3.0" = Adobe Audition 3.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"AVMWLANCLI" = AVM FRITZ!WLAN
"CANONBJ_Deinstall_CNMCP5y.DLL" = Canon PIXMA iP1500
"CANONIJINBOXADDON100" = Canon Inkjet Printer Driver Add-On Module
"FL Studio 8" = FL Studio 8
"FreePDF_XP" = FreePDF (Remove only)
"GPL Ghostscript 8.70" = GPL Ghostscript 8.70
"HS2_is1" = Steinberg Hypersonic 2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.11)" = Mozilla Firefox (3.5.11)
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"PartyPoker" = PartyPoker
"PI13765_HPR_SE_Con" = Schnelleinstieg Controlling
"PokerStars" = PokerStars
"PostgreSQL 8.4" = PostgreSQL 8.4
"Protect Disc License Helper" = Protect Disc License Helper 1.0.118
"PunkBusterSvc" = PunkBuster Services
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"rgcAudio z3ta Plus v1.40" = rgcAudio z3ta Plus v1.40
"Sonalksis Plug-Ins for Windows_is1" = Sonalksis Plug-Ins for Windows 2.00
"Soulseek2" = SoulSeek 157 NS 13e
"STANDARD" = Microsoft Office Standard 2007
"SyncroSoft Emu" = SyncroSoft Emu (Remove only)
"Syncrosoft's License Control" = Syncrosofts Lizenz Kontrolle
"Trojan Remover_is1" = Trojan Remover 6.8.2
"uTorrent" = µTorrent
"Winamp" = Winamp
"WinRAR archiver" = WinRAR
"XBCD" = XBCD 1.03
"Zero-X BeatSlicer" = Zero-X BeatSlicer
 
========== Last 10 Event Log Errors ==========
 
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
 
< End of report >
--- --- ---

RealSnapshot 27.07.2010 17:40
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4357

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

27.07.2010 18:26:32
mbam-log-2010-07-27 (18-26-32).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 138367
Laufzeit: 4 Minute(n), 30 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

RealSnapshot 27.07.2010 17:49
GMER Logfile:
Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-07-27 18:49:15
Windows 6.1.7600
Running: pb0do0jm.exe; Driver: C:\Users\Snapshot\AppData\Local\Temp\kwlorkoc.sys


---- System - GMER 1.0.15 ----

SSDT            813843D4                                                                                                            ZwCreateThread
SSDT            813843C0                                                                                                            ZwOpenProcess
SSDT            813843C5                                                                                                            ZwOpenThread
SSDT            813843CF                                                                                                            ZwTerminateProcess

INT 0x1F        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A34AF8
INT 0x37        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A34104
INT 0xC1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A343F4
INT 0xD1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A1C634
INT 0xD2        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A1C898
INT 0xDF        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A341DC
INT 0xE1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A34958
INT 0xE3        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A346F8
INT 0xFD        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A34F2C
INT 0xFE        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            81A351A8

---- Kernel code sections - GMER 1.0.15 ----

.text          ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                                                    81A94599 1 Byte  [06]
.text          ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                              81AB8F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text          ntkrnlpa.exe!RtlSidHashLookup + 34C                                                                                81AC085C 3 Bytes  [D4, 43, 38]
.text          ntkrnlpa.exe!RtlSidHashLookup + 4E8                                                                                81AC09F8 3 Bytes  [C0, 43, 38]
.text          ntkrnlpa.exe!RtlSidHashLookup + 508                                                                                81AC0A18 3 Bytes  [C5, 43, 38] {LDS EAX, DWORD [EBX+0x38]}
.text          ntkrnlpa.exe!RtlSidHashLookup + 7B8                                                                                81AC0CC8 3 Bytes  [CF, 43, 38]
.text          peauth.sys                                                                                                          97288C9D 28 Bytes  [9E, 95, 33, 78, FB, E3, 63, ...]
.text          peauth.sys                                                                                                          97288CC1 28 Bytes  [9E, 95, 33, 78, FB, E3, 63, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                    [74442494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                [74425624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                              [744256E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                      [7444250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                            [74438573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                              [74434D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                            [744350CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                            [744351A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]                  [744366D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                            [744382CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                        [74438819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                      [7443907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                            [7443E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1148] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                [74434C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\0000004b                                                                                  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \FileSystem\fastfat \Fat                                                                                            fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                   
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                C:\Program Files\DAEMON Tools Lite\
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                0xD4 0xC3 0x97 0x02 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                0
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x8F 0x5B 0xF9 0x68 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                         
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                    0xF7 0x17 0x70 0x86 ...
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                     
Reg            HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x88 0x79 0x40 0x73 ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)               
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                    C:\Program Files\DAEMON Tools Lite\
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                    0xD4 0xC3 0x97 0x02 ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                    0
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x8F 0x5B 0xF9 0x68 ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)     
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                        0xF7 0x17 0x70 0x86 ...
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x88 0x79 0x40 0x73 ...
Reg            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System                                                             
Reg            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL                              90F28113CE8C7EE6F5A97D46A38B23475927727C401C6EED492DCE49BC67821FFC987C5F2E386BF1F864E2101425A3C151F9EEA55E07ABE56E4B36017C42B0C167CDA3158360431E7332B6A5DE779D57D9F950DE90657ADA065416B908D0F7729CD2D8AF8389155EA6661BBDFEAFB2C84E2F1BBCBB282B7A27247103CDE7FAEA09F842DA450FF39CFC67F8C1574A85CBB0391685A99294E58C2E13A2A1325E5A422ACA78C29D753400B379D1AA9ABC092647CE3687BD8D349278870F37AB4D63FD5F9F1EDD37B3F3E15A0D3F2248069D769F147C6893F1EF3C1D9F762AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB3452A9C6AECB7A5D1407FEBC9E127BECC74CEC37D480C4D13F1BBD87DCBB5CE6D59A9FBFAAB943575584ADB92D3B03932D3921C878678A3E4B7F888C3F558189F55CCDE0A12585AB04EF1649C7AC20D4626DDF80D03320446798840A0C38B062F9DAFCD908CFD4757FE8788AEF0F1ED727EBC824B20343CB7CCE98F3063D7CDA488AF3712F6D38BECA092233218E19E73C19CC7A669CC403A3F07944E1E2899E7840CF70D7D44AD69AD0B580CBFA4013143EB44E2A688B572E30B3F3CB4B159F58B602A63B813B4ED7A428AD5348D82ED3851AF0AEF40F7F1FA1A808DFBBE992E68CCD620

---- EOF - GMER 1.0.15 ----
--- --- ---

Angel21 28.07.2010 17:12
Bitte die Punkte NACHEINANDER ausführen.

1.) Scan mit SystemLook

Lade SystemLook von jpshortstuff von einem der folgenden Spiegel herunter und speichere das Tool auf dem Desktop.

Download Mirror #1 - Download Mirror #2
  • Doppelklick auf die SystemLook.exe, um das Tool zu starten.
    Vista-User mit Rechtsklick und als Administrator starten.
  • Kopiere den Inhalt der folgenden Codebox in das Textfeld des Tools:

    Code:
    :file
    C:\Windows\System32\Datei4
  • Klicke nun auf den Button Look, um den Scan zu starten.
  • Wenn der Suchlauf beendet ist, wird sich Dein Editor mit den Ergebnissen öffnen, diese hier in den Thread posten.
  • Die Ergebnisse werden auf dem Desktop als SystemLook.txt gespeichert.

2.) Ordneransichten ändern
Ändere deine Ordneransicht wie folgt:
Folge dem Pfad-> Gehe auf den "Arbeitsplatz" bei deinem PC gehe auf "Extras" -> "Ordneroptionen" -> "Ansicht" .....dort bitte folgendes umändern:
1.) Geschützte Systemdatein ausblenden (empfohlen) = Haken rausnehmen
2.) Alle Datein und ordner anzeigen = Markierung hinein

Lade nun folgende Datei bei www.virustotal.com hoch (folge dabei dem fett markiertem Pfad):
Zitat:
C:\Windows\System32\forficli.dll
3.) Frage:
[2010.07.27 17:26:34 | 000,000,000 | ---D | C] -- C:\Qoobox
Bei dir lief mal Combofix, hast du das Log? Wenn ja, dann bitte zusätzlich posten.

4.)
  • ESET Online Scanner
    • Anmerkung für Vista-User: Bitte den Browser unbedingt als Administrator starten.
    • Button "ESET Online Scanner" drücken.
    • Firefox-User müssen ein zusätzliches Addon (esetsmartinstaller_enu.exe) installieren.
    • Das Firefox-Addon auf dem Desktop speichern und dann installieren.
    • IE-User müssen das Installieren eines ActiveX Elements erlauben.
    • Einen Haken bei "Remove found threads" und "Scan archives" machen.
    • Start drücken.
    • Der Scan beginnt automatisch.
    • Finish drücken.
    • Browser schließen.
    • Explorer öffnen.
    • C:\Programme\Eset\EsetOnlineScanner\log.txt suchen und mit Deinem Editor öffnen.
    • Logfile hier posten.
    • Deinstallation: Systemsteuerung => Software => Eset Online Scanner V3 entfernen.
    • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset
    • IE-User zusätzlich: mit HJT folgenden Eintrag fixen:
    • O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control)

RealSnapshot 03.08.2010 17:05
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:04 on 03/08/2010 by Snapshot (Administrator - Elevation successful)

========== file ==========

C:\Windows\System32\Datei4 - File found and opened.
MD5: C03233226BC02337262AEF4C72B79E18
Created at 17:14 on 13/11/2009
Modified at 19:11 on 28/07/2010
Size: 471 bytes
Attributes: --a---
No version information available.

-=End Of File=-

RealSnapshot 03.08.2010 17:29
die forficili.dll scheint plötzlich weg zu sein

Angel21 03.08.2010 17:33
Was ist mit Punkt 3 und 4? Bitte noch tun, falls noch nicht getan wurde.

Scan mit SystemLook

Lade SystemLook von jpshortstuff von einem der folgenden Spiegel herunter und speichere das Tool auf dem Desktop.

Download Mirror #1 - Download Mirror #2
  • Doppelklick auf die SystemLook.exe, um das Tool zu starten.
    Vista-User mit Rechtsklick und als Administrator starten.
  • Kopiere den Inhalt der folgenden Codebox in das Textfeld des Tools:

    Code:
    :file
    C:\Windows\System32\forficli.dll
  • Klicke nun auf den Button Look, um den Scan zu starten.
  • Wenn der Suchlauf beendet ist, wird sich Dein Editor mit den Ergebnissen öffnen, diese hier in den Thread posten.
  • Die Ergebnisse werden auf dem Desktop als SystemLook.txt gespeichert.

RealSnapshot 03.08.2010 18:16
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0a1cdc2735481445a1985629d3cb5803
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-03 05:15:30
# local_time=2010-08-03 07:15:30 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=1797 16775165 100 100 196980 56363517 0 0
# compatibility_mode=5893 16776573 100 94 11550 33290553 0 0
# compatibility_mode=8192 67108863 100 0 89 89 0 0
# scanned=130416
# found=5
# cleaned=5
# scan_time=3919
C:\Users\Snapshot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\13ecae4c-3133ba89 a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Snapshot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\4c08fc3-7c249697 probably a variant of Java/TrojanDownloader.Agent.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Snapshot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\e958e72-240e2a6f multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Snapshot\Downloads\fileutild.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll probably a variant of Win32/Delf trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

RealSnapshot 03.08.2010 19:04
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:04 on 03/08/2010 by Snapshot (Administrator - Elevation successful)

========== file ==========

C:\Windows\System32\forficli.dll - Unable to find/read file.

-=End Of File=-

Angel21 03.08.2010 19:45
Punkt 3.)
Du hattest doch Combofix gespeichert. bzw draufgehabt, gibt es hiervon denn ein Log?
Ich würde es gerne sehen.

Findest du unter C:\Qoobox

RealSnapshot 04.08.2010 22:29
Nur das hier in nem txt file:

2010-07-27 15:42:04 . 2010-07-27 15:42:04 682 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Everest Poker.reg.dat
2010-07-27 15:39:34 . 2010-07-27 15:39:34 6,211 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-27 15:29:45 . 2010-07-27 15:34:34 113 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\sslibeh.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\slibddf.dll.vir
2010-06-11 15:07:16 . 2009-07-14 02:37:05 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\slibff.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\ssoleht.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\sslibkh.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\sslibfg.dll.vir
2010-06-11 15:07:16 . 2010-06-11 15:07:16 2,756 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\sslibjy.dll.vir

Angel21 06.08.2010 16:05
Fixen mit OTL
Code:
:OTL
[2010.07.26 11:47:07 | 000,047,104 | ---- | C] () -- C:\Windows\System32\forficli.dll
[2010.07.22 10:55:19 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
:Services
:Reg
:Files
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Schliesse bitte nun alle Programme.
  • Klicke nun bitte auf den Fix Button.
  • Klick auf http://billy-oneal.com/Canned%20Spee.../OTL/btnOK.png.
  • OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
  • Nach dem Neustart findest Du ein Textdokument.
    Kopiere nun den Inhalt hier in Deinen Thread


Alle Zeitangaben in WEZ +1. Es ist jetzt 18:49 Uhr.

Copyright ©2000-2024, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129