Trojaner-Board
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Trojaner weg? (https://www.trojaner-board.de/91253-trojaner-weg.html)

jonno 28.09.2010 18:49
Trojaner weg?
 
Folgendes Problem:
Meine Online-Banking Seite meldete mir, ich solle sämtliche TAN eingeben. Ein netter Mensch bei der Deutschen Bank erklärte mir, ich seie einem Trojaner aufgesessen. Ich habe Sophos checken lassen und tatsächlich wurde was gefunden: Troj/Zbot Mem-A.
Allerdings konnte der Virus nicht bereinigt oder gelöscht werden, sondern wurde nur in Quarantäne gestellt. Das Problem beim Online Banking war noch immer da.
Danach habe ich es mit allem versucht was ich gefunden habe: zbot killer; malwarebytes; HiJackthis; AVIRA; Superantispyware....
Die haben auch alle was gefunden und fleißig gearbeitet. Das Problem scheint nun erledigt. Zumindest kann ich mich wieder normal einloggen ohne diese merkwürdige Maske.
Meine Fragen:
1.) Wars das wirklich oder schlummert da noch irgendwo was?
2.) Was hab ich falsch gemacht? Hatte Sophos Anti Virus plus Firewall immer aktiv. Gibts bessere Programme, die ein weiteres Auftreten verhindern können?


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:17:18, on 28.09.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sophos\Sophos Client Firewall\SCFManager.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Sophos\Sophos Client Firewall\SCFService.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\GIGABYTE\EnergySaver\GSvr.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
C:\Programme\Avira\AntiVir Desktop\avshadow.exe
C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Programme\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Canon\MyPrinter\BJMyPrt.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Nikon\Monitor\NkMonitor.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\pdf24\pdf24.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Sophos\AutoUpdate\almon.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\Rainlendar2\Rainlendar2.exe
C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programme\NETGEAR\WG111v3\WG111v3.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Mozilla Firefox\plugin-container.exe
C:\Programme\HJT\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://google.icq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Programme\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Programme\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Programme\Gemeinsame Dateien\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [PDFPrint] C:\Programme\pdf24\pdf24.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Programme\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Rainlendar2] C:\Programme\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Programme\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Programme\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Update Service (gupdate1caf1aa3fae2b56) (gupdate1caf1aa3fae2b56) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus Statusreporter (SAVAdminService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Programme\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Client Firewall - Sophos Plc - C:\Programme\Sophos\Sophos Client Firewall\SCFService.exe
O23 - Service: Sophos Client Firewall Manager - Sophos Plc - C:\Programme\Sophos\Sophos Client Firewall\SCFManager.exe
O23 - Service: Sophos Web Intelligence Service (swi_service) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe

--
End of file - 9622 bytes

cosinus 28.09.2010 19:48
Zitat:
Ich habe Sophos checken lassen und tatsächlich wurde was gefunden: Troj/Zbot Mem-A.
Wo genau wurde was gefunden?!

Immer die genauen Schädlingsnamen und Pfadangaben notieren und posten!

Aus den Regeln:

5. Beschreibe Dein Problem in einigen Sätzen und arbeite diese Anleitung ab Punkt 2. durch
Auch Funde von deiner Sicherheitssoftware bitte im Thema nennen: (z.B. c:\windows\virus.exe)
Fehlen diese Angaben, kann und wird dir hier niemand helfen.

jonno 28.09.2010 20:02
also:
befallene Dateien:
c:\\windows\system32\ctfmon.exe
c:\\Windows\explorer.exe
Sophos gibt als Name des Virus Troj/ZbotMem-A an.

cosinus 28.09.2010 20:41
Zitat:
c:\\windows\system32\ctfmon.exe
c:\\Windows\explorer.exe
Das sind an für sich Windows-Systemdateien.

Bitte routinemäßig einen Vollscan mit malwarebytes machen und Log posten.
Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!

Danach OTL:

Systemscan mit OTL

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
  • Doppelklick auf die OTL.exe
  • Vista User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
  • Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output
  • Unter Extra Registry, wähle bitte Use SafeList
  • Klicke nun auf Run Scan links oben
  • Wenn der Scan beendet wurde werden 2 Logfiles erstellt
  • Poste die Logfiles hier in den Thread.

jonno 29.09.2010 08:27
also:

Malwarebytes Vollscan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4714

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29.09.2010 08:33:04
mbam-log-2010-09-29 (08-33-04).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 258467
Laufzeit: 59 Minute(n), 21 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)


OTL Output:OTL Logfile:
Code:
OTL logfile created on: 29.09.2010 08:58:58 - Run 1
OTL by OldTimer - Version 3.2.14.1    Folder = C:\Dokumente und Einstellungen\Jon\Desktop\Antivirus
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 70,00% Memory free
5,00 Gb Paging File | 4,00 Gb Available in Paging File | 82,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 97,65 Gb Total Space | 62,09 Gb Free Space | 63,59% Space Free | Partition Type: NTFS
Drive D: | 368,10 Gb Total Space | 101,17 Gb Free Space | 27,48% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: JONSEINPC
Current User Name: Jon
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Processes (SafeList) ==========
 
PRC - C:\Dokumente und Einstellungen\Jon\Desktop\Antivirus\OTL.exe (OldTimer Tools)
PRC - C:\Programme\sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc)
PRC - C:\Programme\sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc)
PRC - C:\Programme\sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe (Sophos Plc)
PRC - C:\Programme\sophos\AutoUpdate\ALsvc.exe (Sophos Plc)
PRC - C:\Programme\sophos\AutoUpdate\ALMon.exe (Sophos Plc)
PRC - C:\Programme\sophos\Sophos Client Firewall\SCFManager.exe (Sophos Plc)
PRC - C:\Programme\sophos\Sophos Client Firewall\SCFService.exe (Sophos Plc)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Mozilla Firefox\plugin-container.exe (Mozilla Corporation)
PRC - C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Programme\pdf24\pdf24.exe (Geek Software GmbH)
PRC - C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
PRC - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Programme\Rainlendar2\Rainlendar2.exe ()
PRC - C:\Programme\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
PRC - C:\Programme\Gemeinsame Dateien\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
PRC - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\Programme\GIGABYTE\EnergySaver\GSvr.exe ()
PRC - C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)
PRC - C:\Programme\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\Programme\NETGEAR\WG111v3\WG111v3.exe ()
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Dokumente und Einstellungen\Jon\Desktop\Antivirus\OTL.exe (OldTimer Tools)
MOD - C:\Programme\sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Plc)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (SAVAdminService) -- C:\Programme\sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc)
SRV - (SAVService) -- C:\Programme\sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc)
SRV - (swi_service) -- C:\Programme\sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe (Sophos Plc)
SRV - (Sophos AutoUpdate Service) -- C:\Programme\sophos\AutoUpdate\ALsvc.exe (Sophos Plc)
SRV - (Sophos Client Firewall Manager) -- C:\Programme\Sophos\Sophos Client Firewall\SCFManager.exe (Sophos Plc)
SRV - (Sophos Client Firewall) -- C:\Programme\Sophos\Sophos Client Firewall\SCFService.exe (Sophos Plc)
SRV - (Akamai) -- c:\Programme\Gemeinsame Dateien\Akamai\netsession_win_062a651.dll ()
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (Apple Mobile Device) -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (ICQ Service) -- C:\Programme\ICQ6Toolbar\ICQ Service.exe ()
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (GEST Service) -- C:\Programme\GIGABYTE\EnergySaver\GSvr.exe ()
SRV - (IJPLMSVC) -- C:\Programme\Canon\IJPLM\ijplmsvc.exe ()
SRV - (IDriverT) -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (esgiguard) -- C:\Programme\Enigma Software Group\SpyHunter\esgiguard.sys File not found
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows (R) 2000 DDK provider)
DRV - (SAVOnAccessControl) -- C:\WINDOWS\system32\drivers\savonaccesscontrol.sys (Sophos Plc)
DRV - (SAVOnAccessFilter) -- C:\WINDOWS\system32\drivers\savonaccessfilter.sys (Sophos Plc)
DRV - (SophosBootDriver) -- C:\WINDOWS\system32\drivers\SophosBootDriver.sys (Sophos Plc)
DRV - (sdcfilter) -- C:\WINDOWS\system32\drivers\sdcfilter.sys (Sophos Plc)
DRV - (scfdriver) -- C:\WINDOWS\system32\drivers\scfdriver.sys (Sophos Plc)
DRV - (scfint) -- C:\WINDOWS\system32\drivers\scfint.sys (Sophos Plc)
DRV - (SASKUTIL) -- C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (SASDIFSV) -- C:\Programme\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (SCR3XX2K) -- C:\WINDOWS\system32\drivers\scr3xx2k.sys (SCM Microsystems Inc.)
DRV - (ithsgt) -- C:\WINDOWS\system32\drivers\ithsgt.sys ()
DRV - (lilsgt) -- C:\WINDOWS\system32\drivers\lilsgt.sys ()
DRV - (ACEDRV05) -- C:\WINDOWS\system32\drivers\ACEDRV05.sys (Protect Software GmbH)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation                          )
DRV - (Changer) -- C:\WINDOWS\System32\drivers\changer.sys (Microsoft Corporation)
DRV - (lbrtfdc) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys (Toshiba Corp.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (RTL8187B) -- C:\WINDOWS\system32\drivers\wg111v3.sys (Realtek Semiconductor Corporation                          )
DRV - (Aspi32) -- C:\WINDOWS\System32\drivers\ASPI32.SYS (Adaptec)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://google.icq.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\..\URLSearchHook: {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll (DeviceVM Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "https://login.rz.ruhr-uni-bochum.de/cgi-bin/start"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000004
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
 
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.09.16 17:19:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.09.16 17:19:01 | 000,000,000 | ---D | M]
 
[2009.02.12 11:26:55 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Mozilla\Extensions
[2010.09.28 11:55:07 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Mozilla\Firefox\Profiles\smukwdok.default\extensions
[2009.09.11 11:49:53 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Mozilla\Firefox\Profiles\smukwdok.default\extensions\{156d36f6-b68b-11db-96eb-005056c00008}
[2010.06.16 09:33:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Mozilla\Firefox\Profiles\smukwdok.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.03.25 13:40:04 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Mozilla\Firefox\Profiles\smukwdok.default\extensions\moveplayer@movenetworks.com
[2010.09.27 17:56:39 | 000,000,944 | ---- | M] () -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Mozilla\Firefox\Profiles\smukwdok.default\searchplugins\icqplugin.xml
[2010.09.28 11:55:07 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.05.12 10:07:43 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010.07.26 08:08:07 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.07.26 08:08:07 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.07.26 08:08:07 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.07.26 08:08:07 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.07.26 08:08:07 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2010.09.28 16:50:45 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1      loc
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Sophos Web Content Scanner) - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Programme\sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Plc)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\alcwzrd.exe (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Programme\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [KernelFaultCheck]  File not found
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Programme\Gemeinsame Dateien\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz]  File not found
O4 - HKLM..\Run: [PDFPrint] C:\Programme\pdf24\pdf24.exe (Geek Software GmbH)
O4 - HKLM..\Run: [Sophos AutoUpdate Monitor] C:\Programme\sophos\AutoUpdate\ALMon.exe (Sophos Plc)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Programme\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Rainlendar2] C:\Programme\Rainlendar2\Rainlendar2.exe ()
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\NETGEAR WG111v3 Smart Wizard.lnk = C:\Programme\NETGEAR\WG111v3\WG111v3.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &ICQ Toolbar Search - C:\Programme\ICQToolbar\toolbaru.dll (ICQ Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) - C:\Programme\sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Plc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Programme\SUPERAntiSpyware\SASWINLO.DLL - C:\Programme\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Jon\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Jon\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Programme\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.02.11 22:50:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1cb758b1-5baa-11df-8210-00223febc84b}\Shell\AutoRun\command - "" = G:\System\Security\DriveGuard.exe -- File not found
O33 - MountPoints2\{1cb758b1-5baa-11df-8210-00223febc84b}\Shell\Explore\Command - "" = G:\System\Security\DriveGuard.exe -- File not found
O33 - MountPoints2\{1cb758b1-5baa-11df-8210-00223febc84b}\Shell\Open\Command - "" = G:\System\Security\DriveGuard.exe -- File not found
O33 - MountPoints2\{28eac279-4fb4-11de-8052-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{28eac279-4fb4-11de-8052-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5f70e69a-deb5-11de-815a-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{5f70e69a-deb5-11de-815a-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8f9d392e-6738-11de-807f-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{8f9d392e-6738-11de-807f-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b47f286a-1622-11de-8005-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{b47f286a-1622-11de-8005-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ccca739a-fd9a-11dd-bfe6-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{ccca739a-fd9a-11dd-bfe6-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010.09.29 07:28:30 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Jon\Desktop\Antivirus
[2010.09.28 16:07:52 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\SUPERAntiSpyware.com
[2010.09.28 16:07:52 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
[2010.09.28 16:07:43 | 000,000,000 | ---D | C] -- C:\Programme\SUPERAntiSpyware
[2010.09.28 15:33:22 | 000,000,000 | ---D | C] -- C:\Programme\Enigma Software Group
[2010.09.28 15:32:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\95431C66CF9A4913BFFF6050785AFB65.TMP
[2010.09.28 15:22:53 | 000,131,824 | ---- | C] (Sophos Plc) -- C:\WINDOWS\System32\sdccoinstaller.dll
[2010.09.28 14:21:42 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Malwarebytes
[2010.09.28 14:21:31 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.09.28 14:21:30 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.09.28 14:21:30 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.09.28 14:21:29 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.09.28 10:38:50 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Avira
[2010.09.28 10:37:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010.09.28 10:31:12 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010.09.28 10:31:11 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010.09.28 10:31:11 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010.09.28 10:31:11 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010.09.28 10:31:11 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010.09.28 10:31:11 | 000,000,000 | ---D | C] -- C:\Programme\Avira
[2010.09.28 10:31:11 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
[2010.09.28 10:08:40 | 000,000,000 | ---D | C] -- C:\Programme\HJT
[2010.09.28 10:05:53 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010.09.28 09:54:41 | 000,000,000 | ---D | C] -- C:\Programme\CleanUp!
[2010.09.28 08:48:32 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos Web Intelligence
[2010.09.28 08:48:08 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Cisco Systems
[2010.09.28 08:48:06 | 000,028,912 | ---- | C] (Sophos Plc) -- C:\WINDOWS\System32\SophosBootTasks.exe
[2010.09.28 08:46:58 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Sophos
[2010.09.28 08:44:45 | 000,014,976 | ---- | C] (Sophos Plc) -- C:\WINDOWS\System32\drivers\SophosBootDriver.sys
[2010.09.28 08:44:31 | 000,023,928 | ---- | C] (Sophos Plc) -- C:\WINDOWS\System32\drivers\sdcfilter.sys
[2010.09.28 08:40:54 | 000,052,984 | ---- | C] (Sophos Plc) -- C:\WINDOWS\System32\drivers\scfint.sys
[2010.09.23 16:39:43 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Zegok
[2010.09.23 16:39:43 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Pymuy
[2010.09.20 22:15:39 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Jon\Eigene Dateien\DivX Movies
[2010.09.14 10:49:44 | 000,048,128 | ---- | C] (Adaptec) -- C:\WINDOWS\System32\WNASPI32.DLL
[2010.09.14 10:49:44 | 000,023,936 | ---- | C] (Adaptec) -- C:\WINDOWS\System32\drivers\ASPI32.SYS
[2010.09.14 10:49:44 | 000,005,600 | ---- | C] (Adaptec) -- C:\WINDOWS\System\WINASPI.DLL
[2010.09.14 10:49:44 | 000,004,672 | ---- | C] (Adaptec) -- C:\WINDOWS\System\WOWPOST.EXE
[2010.09.06 13:47:36 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Last.fm
[2010.09.06 13:47:07 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Jon\Lokale Einstellungen\Anwendungsdaten\Last.fm
[2010.09.06 13:47:05 | 000,000,000 | ---D | C] -- C:\Programme\Last.fm
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2010.09.29 08:31:01 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.09.29 07:31:50 | 007,077,888 | -H-- | M] () -- C:\Dokumente und Einstellungen\Jon\NTUSER.DAT
[2010.09.29 07:09:06 | 000,267,719 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010.09.29 07:08:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.09.29 07:08:25 | 000,016,608 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2010.09.29 07:08:23 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.09.29 07:08:23 | 000,000,514 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010.09.29 07:08:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.09.29 07:08:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.09.28 19:23:51 | 000,002,537 | ---- | M] () -- C:\Dokumente und Einstellungen\Jon\Desktop\Microsoft Office Excel 2003.lnk
[2010.09.28 08:46:15 | 000,131,824 | ---- | M] (Sophos Plc) -- C:\WINDOWS\System32\sdccoinstaller.dll
[2010.09.28 08:45:43 | 000,151,936 | ---- | M] (Sophos Plc) -- C:\WINDOWS\System32\drivers\savonaccesscontrol.sys
[2010.09.28 08:45:17 | 000,024,064 | ---- | M] (Sophos Plc) -- C:\WINDOWS\System32\drivers\savonaccessfilter.sys
[2010.09.28 08:44:45 | 000,014,976 | ---- | M] (Sophos Plc) -- C:\WINDOWS\System32\drivers\SophosBootDriver.sys
[2010.09.28 08:44:31 | 000,023,928 | ---- | M] (Sophos Plc) -- C:\WINDOWS\System32\drivers\sdcfilter.sys
[2010.09.28 08:44:16 | 000,028,912 | ---- | M] (Sophos Plc) -- C:\WINDOWS\System32\SophosBootTasks.exe
[2010.09.28 08:41:12 | 000,086,264 | ---- | M] (Sophos Plc) -- C:\WINDOWS\System32\drivers\scfdriver.sys
[2010.09.28 08:40:54 | 000,052,984 | ---- | M] (Sophos Plc) -- C:\WINDOWS\System32\drivers\scfint.sys
[2010.09.28 08:01:06 | 000,002,509 | ---- | M] () -- C:\Dokumente und Einstellungen\Jon\Desktop\Microsoft Office Word 2003.lnk
[2010.09.25 10:11:00 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010.09.24 17:47:10 | 000,000,020 | -H-- | M] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PKP_DLdu.DAT
[2010.09.23 11:21:30 | 000,002,121 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\iTunes.lnk
[2010.09.16 08:26:30 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010.09.15 16:20:07 | 000,114,176 | ---- | M] () -- C:\Dokumente und Einstellungen\Jon\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.09.14 15:59:02 | 000,006,908 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010.09.06 13:47:06 | 000,000,591 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Last.fm.lnk
[2010.09.02 22:31:28 | 000,030,208 | ---- | M] () -- C:\Dokumente und Einstellungen\Jon\Desktop\Ebay texte.doc
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010.09.06 13:47:06 | 000,000,591 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Last.fm.lnk
[2010.09.02 22:31:28 | 000,030,208 | ---- | C] () -- C:\Dokumente und Einstellungen\Jon\Desktop\Ebay texte.doc
[2010.07.27 19:24:27 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2010.07.15 11:24:35 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010.06.14 17:45:44 | 000,000,012 | ---- | C] () -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\qcopjv.dat
[2010.05.28 11:45:10 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2010.05.28 11:45:10 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2010.01.18 20:37:32 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2010.01.18 11:27:23 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2009.10.23 15:11:32 | 000,022,053 | ---- | C] () -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Kommagetrennte Werte (Windows).ADR
[2009.09.27 15:53:52 | 000,006,908 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009.09.05 19:20:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2009.09.05 19:16:53 | 000,000,268 | RH-- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Classical
[2009.09.05 19:16:53 | 000,000,268 | RH-- | C] () -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Channel
[2009.09.05 19:16:53 | 000,000,020 | -H-- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PKP_DLdw.DAT
[2009.09.05 19:16:53 | 000,000,012 | RH-- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Command Line Utility
[2009.09.05 18:30:56 | 000,000,268 | RH-- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Chorus
[2009.09.05 18:30:56 | 000,000,268 | RH-- | C] () -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\Calibrators
[2009.09.05 18:30:56 | 000,000,020 | -H-- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PKP_DLdu.DAT
[2009.09.05 18:30:56 | 000,000,012 | RH-- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ColorSync
[2009.07.21 13:27:06 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009.06.14 21:51:50 | 000,162,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\ithsgt.sys
[2009.06.14 21:51:49 | 000,012,032 | ---- | C] () -- C:\WINDOWS\System32\drivers\lilsgt.sys
[2009.06.06 23:55:56 | 000,000,211 | ---- | C] () -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\default.rss
[2009.03.15 23:36:19 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009.02.12 21:08:08 | 000,114,176 | ---- | C] () -- C:\Dokumente und Einstellungen\Jon\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.02.12 10:56:00 | 000,004,767 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009.02.12 10:05:02 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009.02.11 23:23:21 | 000,000,514 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009.02.11 23:04:31 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2003.02.20 18:53:42 | 000,005,702 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >
--- --- ---

cosinus 29.09.2010 10:16
Beende alle Programme, starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!)

Code:
:OTL
O33 - MountPoints2\{1cb758b1-5baa-11df-8210-00223febc84b}\Shell\AutoRun\command - "" = G:\System\Security\DriveGuard.exe -- File not found
O33 - MountPoints2\{1cb758b1-5baa-11df-8210-00223febc84b}\Shell\Explore\Command - "" = G:\System\Security\DriveGuard.exe -- File not found
O33 - MountPoints2\{1cb758b1-5baa-11df-8210-00223febc84b}\Shell\Open\Command - "" = G:\System\Security\DriveGuard.exe -- File not found
O33 - MountPoints2\{28eac279-4fb4-11de-8052-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{28eac279-4fb4-11de-8052-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5f70e69a-deb5-11de-815a-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{5f70e69a-deb5-11de-815a-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8f9d392e-6738-11de-807f-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{8f9d392e-6738-11de-807f-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b47f286a-1622-11de-8005-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{b47f286a-1622-11de-8005-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ccca739a-fd9a-11dd-bfe6-001fd08cfe17}\Shell - "" = AutoRun
O33 - MountPoints2\{ccca739a-fd9a-11dd-bfe6-001fd08cfe17}\Shell\AutoRun - "" = Auto&Play
[2010.09.28 15:32:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\95431C66CF9A4913BFFF6050785AFB65.TMP
[2010.06.14 17:45:44 | 000,000,012 | ---- | C] () -- C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\qcopjv.dat
:Commands
[purity]
[resethosts]
[emptytemp]
Klick dann oben links auf den Button Fix!
Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet.

jonno 29.09.2010 11:43
All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1cb758b1-5baa-11df-8210-00223febc84b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1cb758b1-5baa-11df-8210-00223febc84b}\ not found.
File G:\System\Security\DriveGuard.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1cb758b1-5baa-11df-8210-00223febc84b}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1cb758b1-5baa-11df-8210-00223febc84b}\ not found.
File G:\System\Security\DriveGuard.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1cb758b1-5baa-11df-8210-00223febc84b}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1cb758b1-5baa-11df-8210-00223febc84b}\ not found.
File G:\System\Security\DriveGuard.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{28eac279-4fb4-11de-8052-001fd08cfe17}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28eac279-4fb4-11de-8052-001fd08cfe17}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{28eac279-4fb4-11de-8052-001fd08cfe17}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28eac279-4fb4-11de-8052-001fd08cfe17}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5f70e69a-deb5-11de-815a-001fd08cfe17}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5f70e69a-deb5-11de-815a-001fd08cfe17}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5f70e69a-deb5-11de-815a-001fd08cfe17}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5f70e69a-deb5-11de-815a-001fd08cfe17}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f9d392e-6738-11de-807f-001fd08cfe17}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f9d392e-6738-11de-807f-001fd08cfe17}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f9d392e-6738-11de-807f-001fd08cfe17}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f9d392e-6738-11de-807f-001fd08cfe17}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b47f286a-1622-11de-8005-001fd08cfe17}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b47f286a-1622-11de-8005-001fd08cfe17}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b47f286a-1622-11de-8005-001fd08cfe17}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b47f286a-1622-11de-8005-001fd08cfe17}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ccca739a-fd9a-11dd-bfe6-001fd08cfe17}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ccca739a-fd9a-11dd-bfe6-001fd08cfe17}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ccca739a-fd9a-11dd-bfe6-001fd08cfe17}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ccca739a-fd9a-11dd-bfe6-001fd08cfe17}\ not found.
C:\WINDOWS\95431C66CF9A4913BFFF6050785AFB65.TMP folder moved successfully.
C:\Dokumente und Einstellungen\Jon\Anwendungsdaten\qcopjv.dat moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Jon
->Temp folder emptied: 20097075 bytes
->Temporary Internet Files folder emptied: 6653792 bytes
->Java cache emptied: 95021532 bytes
->FireFox cache emptied: 86862495 bytes
->Google Chrome cache emptied: 6050707 bytes
->Flash cache emptied: 65907 bytes

User: LocalService
->Temp folder emptied: 730 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 15785961 bytes
%systemroot%\System32 .tmp files removed: 2951 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21153906 bytes
RecycleBin emptied: 273671624 bytes

Total Files Cleaned = 501,00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 09292010_123543

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_27c.dat not found!

Registry entries deleted on Reboot...

cosinus 29.09.2010 12:24
Dann bitte jetzt CF ausführen:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.
http://saved.im/mtm0nzyzmzd5/cofi.jpg
  • Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.
  • Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
    Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

jonno 29.09.2010 14:16
Combofix Logfile:
Code:
ComboFix 10-09-28.03 - Jon 29.09.2010  15:10:36.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.49.1031.18.3326.2977 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Jon\Desktop\cofi.exe

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll

.
(((((((((((((((((((((((  Dateien erstellt von 2010-08-28 bis 2010-09-29  ))))))))))))))))))))))))))))))
.

2010-09-29 12:35 . 2010-09-29 12:35        --------        d-----w-        c:\programme\CCleaner
2010-09-29 10:35 . 2010-09-29 10:35        --------        d-----w-        C:\_OTL
2010-09-28 14:08 . 2010-09-28 16:59        63488        ----a-w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-28 14:08 . 2010-09-28 14:08        52224        ----a-w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-28 14:08 . 2010-09-28 16:59        117760        ----a-w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-28 14:07 . 2010-09-28 14:07        --------        d-----w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\SUPERAntiSpyware.com
2010-09-28 14:07 . 2010-09-28 14:07        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
2010-09-28 14:07 . 2010-09-28 14:07        --------        d-----w-        c:\programme\SUPERAntiSpyware
2010-09-28 13:33 . 2010-09-28 13:33        --------        d-----w-        c:\programme\Enigma Software Group
2010-09-28 12:21 . 2010-09-28 12:21        --------        d-----w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\Malwarebytes
2010-09-28 12:21 . 2010-04-29 13:39        38224        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-28 12:21 . 2010-09-28 12:21        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-09-28 12:21 . 2010-04-29 13:39        20952        ----a-w-        c:\windows\system32\drivers\mbam.sys
2010-09-28 12:21 . 2010-09-28 12:21        --------        d-----w-        c:\programme\Malwarebytes' Anti-Malware
2010-09-28 09:37 . 2010-09-28 09:37        --------        d-----r-        c:\dokumente und einstellungen\LocalService\Favoriten
2010-09-28 09:36 . 2010-09-28 09:36        --------        d-sh--w-        c:\dokumente und einstellungen\LocalService\IETldCache
2010-09-28 08:37 . 2010-09-28 09:21        --------        d-----w-        c:\windows\system32\NtmsData
2010-09-28 08:08 . 2010-09-28 08:08        388096        ----a-r-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-28 08:08 . 2010-09-28 08:08        --------        d-----w-        c:\programme\HJT
2010-09-28 08:05 . 2010-09-28 08:05        --------        d--h--w-        c:\windows\PIF
2010-09-28 07:54 . 2010-09-28 07:54        --------        d-----w-        c:\programme\CleanUp!
2010-09-23 14:39 . 2010-09-28 15:01        --------        d-----w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\Pymuy
2010-09-23 14:39 . 2010-09-24 07:23        --------        d-----w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\Zegok
2010-09-14 08:49 . 1997-12-23 00:00        5600        ----a-w-        c:\windows\system\WINASPI.DLL
2010-09-14 08:49 . 1997-12-23 00:00        48128        ----a-w-        c:\windows\system32\WNASPI32.DLL
2010-09-14 08:49 . 1997-12-23 00:00        4672        ----a-w-        c:\windows\system\WOWPOST.EXE
2010-09-14 08:49 . 1997-12-23 00:00        23936        ----a-w-        c:\windows\system32\drivers\ASPI32.SYS
2010-09-06 11:47 . 2010-09-06 11:47        683801        ----a-w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Last.fm\Client\UninstWMP\unins000.exe
2010-09-06 11:47 . 2010-09-06 11:47        683801        ----a-w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Last.fm\Client\UninstITW\unins000.exe
2010-09-06 11:47 . 2010-09-06 11:47        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Last.fm
2010-09-06 11:47 . 2010-09-06 11:47        --------        d-----w-        c:\dokumente und einstellungen\Jon\Lokale Einstellungen\Anwendungsdaten\Last.fm
2010-09-06 11:47 . 2010-09-06 11:47        --------        d-----w-        c:\programme\Last.fm

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 13:08 . 2010-05-25 11:10        --------        d-----w-        c:\programme\Gemeinsame Dateien\Akamai
2010-09-29 13:08 . 2009-02-11 20:55        16608        ----a-w-        c:\windows\gdrv.sys
2010-09-29 13:08 . 2009-02-11 21:19        --------        d-----w-        c:\programme\sophos
2010-09-29 13:06 . 2009-03-14 10:42        --------        d-----w-        c:\programme\Canon
2010-09-29 13:04 . 2010-01-18 18:37        --------        d-----w-        c:\programme\FreePDF_XP
2010-09-29 13:04 . 2010-01-18 18:37        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\FreePDF
2010-09-29 13:03 . 2010-01-18 09:50        --------        d-----w-        c:\programme\PDF2TXT v3.2
2010-09-29 13:02 . 2009-02-11 21:20        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Sophos
2010-09-29 12:47 . 2009-02-12 08:23        --------        d-----w-        c:\programme\DAEMON Tools Toolbar
2010-09-28 13:32 . 2009-02-11 21:15        --------        d-----w-        c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2010-09-27 13:58 . 2010-05-12 08:08        --------        d-----w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\Skype
2010-09-27 13:57 . 2010-05-12 08:16        --------        d-----w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\skypePM
2010-09-24 15:47 . 2009-09-05 16:30        20        ---h--w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\PKP_DLdu.DAT
2010-09-16 15:47 . 2009-03-14 10:54        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\CanonIJPLM
2010-09-15 14:09 . 2009-07-09 09:23        --------        d-----w-        c:\programme\Ubisoft
2010-09-15 14:08 . 2009-02-11 20:56        --------        d--h--w-        c:\programme\InstallShield Installation Information
2010-09-06 11:47 . 2009-03-14 13:59        --------        d-----w-        c:\programme\iTunes
2010-08-26 07:57 . 2009-11-08 14:08        --------        d-----w-        c:\programme\Ask.com
2010-08-26 06:57 . 2010-08-26 06:57        --------        d-----w-        c:\dokumente und einstellungen\LocalService\Anwendungsdaten\McAfee
2010-08-17 18:16 . 2010-06-16 07:08        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\NOS
2010-08-17 13:17 . 2008-04-14 05:53        58880        ----a-w-        c:\windows\system32\spoolsv.exe
2010-08-17 10:35 . 2010-08-17 10:35        2788816        ----a-w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\NOS\Adobe_Downloads\install_flash_player.exe
2010-08-11 06:49 . 2004-08-04 12:00        81126        ----a-w-        c:\windows\system32\perfc007.dat
2010-08-11 06:49 . 2004-08-04 12:00        452300        ----a-w-        c:\windows\system32\perfh007.dat
2010-08-09 14:36 . 2010-08-09 14:36        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\2434B
2010-08-02 17:52 . 2009-07-14 08:34        197688        ----a-w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\Microsoft\Clip Organizer\mstore10.mgc
2010-08-02 17:52 . 2009-07-14 08:34        148512        ----a-w-        c:\dokumente und einstellungen\Jon\Anwendungsdaten\Microsoft\Clip Organizer\Offic10.MGC
2010-07-22 15:48 . 2008-04-14 05:52        590848        ----a-w-        c:\windows\system32\rpcrt4.dll
2010-07-22 06:19 . 2008-05-05 06:25        5632        ----a-w-        c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\programme\Rainlendar2\Rainlendar2.exe" [2009-02-21 4333568]
"SUPERAntiSpyware"="c:\programme\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-27 16875008]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"CanonMyPrinter"="c:\programme\Canon\MyPrinter\BJMyPrt.exe" [2008-03-03 1848648]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"Nikon Transfer Monitor"="c:\programme\Gemeinsame Dateien\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"QuickTime Task"="c:\programme\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
NETGEAR WG111v3 Smart Wizard.lnk - c:\programme\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21        548352        ----a-w-        c:\programme\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Programme\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\SPSSInc\\PASWStatistics18\\paswstat.com"=
"c:\\Programme\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
"c:\\Programme\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1038:TCP"= 1038:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [17.02.2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [10.05.2010 20:41 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14.04.2008 07:53 14336]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [09.10.2007 14:13 38144]
R2 GEST Service;GEST Service for program management.;c:\programme\GIGABYTE\EnergySaver\GSvr.exe [11.02.2009 22:56 80392]
S2 gupdate1caf1aa3fae2b56;Google Update Service (gupdate1caf1aa3fae2b56);c:\programme\Google\Update\GoogleUpdate.exe [12.05.2010 10:08 133104]
S3 esgiguard;esgiguard;\??\c:\programme\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\programme\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [28.12.2007 16:02 224896]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\scr3xx2k.sys [25.10.2009 05:44 57600]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12.02.2009 10:05 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai        REG_MULTI_SZ          Akamai
.
Inhalt des "geplante Tasks" Ordners

2010-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2010-05-12 08:07]

2010-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2010-05-12 08:07]
.
.
------- Zusätzlicher Suchlauf -------
.
IE: &ICQ Toolbar Search - c:\programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\dokumente und einstellungen\Jon\Anwendungsdaten\Mozilla\Firefox\Profiles\smukwdok.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://login.rz.ruhr-uni-bochum.de/cgi-bin/start
FF - component: c:\programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\dokumente und einstellungen\Jon\Anwendungsdaten\Mozilla\Firefox\Profiles\smukwdok.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\programme\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programme\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-nwiz - nwiz.exe



**************************************************************************
Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien:

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1409082233-2077806209-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,ad,9c,11,4f,a4,33,19,73,9d,77,27,33,36,5b,72,ab,00,d7,2c,1c,2c,59,
  9e,8e,c2,9a,b4,8d,e6,f9,f9,dd,cb,c0,63,95,bc,ed,95,8e,cd,4e,75,8a,3f,66,69,\
"??"=hex:26,6c,2c,61,d5,f2,1f,3d,63,22,42,f5,16,b5,bf,1d

[HKEY_USERS\S-1-5-21-1409082233-2077806209-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:b0,59,b3,a3,4e,84,42,3b,c5,1b,e5,cb,87,e2,ed,0b,75,db,7c,48,48,
  c0,a6,88,29,c8,6b,5c,70,82,b9,90,16,06,4e,f6,0c,85,a8,80,27,2b,9b,0d,87,94,\
"rkeysecu"=hex:4a,38,5c,5c,83,46,46,9e,f8,76,4c,0c,74,f5,33,61
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\programme\SUPERAntiSpyware\SASWINLO.DLL
.
Zeit der Fertigstellung: 2010-09-29  15:13:03
ComboFix-quarantined-files.txt  2010-09-29 13:13

Vor Suchlauf: 11 Verzeichnis(se), 68.675.141.632 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 68.713.414.656 Bytes frei

- - End Of File - - F4F6A505D02898945C7A44EE7B512A79
--- --- ---

cosinus 30.09.2010 11:17
Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus

Anschließend den bootkit_remover herunterladen. Entpacke das Tool in einen eigenen Ordner auf dem Desktop und führe in diesem Ordner die Datei remove.exe aus.

Wenn Du Windows Vista oder Windows 7 verwendest, musst Du die remover.exe über ein Rechtsklick => als Administrator ausführen

Ein schwarzes Fenster wird sich öffnen und automatisch nach bösartigen Veränderungen im MBR suchen.
Poste dann bitte, ob es Veränderungen gibt und wenn ja in welchem device. Am besten alles posten was die remover.exe ausgibt.

jonno 01.10.2010 15:31
also:

GMER Logfile:
Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-10-01 15:49:44
Windows 5.1.2600 Service Pack 3
Running: 430rzomp.exe; Driver: C:\DOKUME~1\Jon\LOKALE~1\Temp\uxliqpoc.sys


---- System - GMER 1.0.15 ----

SSDT    B871C23E                                                                                                  ZwCreateKey
SSDT    B871C234                                                                                                  ZwCreateThread
SSDT    B871C243                                                                                                  ZwDeleteKey
SSDT    B871C24D                                                                                                  ZwDeleteValueKey
SSDT    B871C252                                                                                                  ZwLoadKey
SSDT    B871C220                                                                                                  ZwOpenProcess
SSDT    B871C225                                                                                                  ZwOpenThread
SSDT    B871C25C                                                                                                  ZwReplaceKey
SSDT    B871C257                                                                                                  ZwRestoreKey
SSDT    B871C248                                                                                                  ZwSetValueKey
SSDT    \??\C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)  ZwTerminateProcess [0xB49B4620]

---- Kernel code sections - GMER 1.0.15 ----

.text    C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                  section is writeable [0xB73D8380, 0x550AF5, 0xE8000020]
.text    C:\WINDOWS\system32\drivers\ACEDRV05.sys                                                                  section is writeable [0xB4AC9000, 0x30A4A, 0xE8000020]
.pklstb  C:\WINDOWS\system32\drivers\ACEDRV05.sys                                                                  entry point in ".pklstb" section [0xB4B0B000]
.relo2  C:\WINDOWS\system32\drivers\ACEDRV05.sys                                                                  unknown last section [0xB4B26000, 0x8E, 0x42000040]
.text    C:\WINDOWS\system32\DRIVERS\ithsgt.sys                                                                    section is writeable [0xB3E0E300, 0x21770, 0xE8000020]

---- Registry - GMER 1.0.15 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                        0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                    0xD5 0x4C 0xCF 0x9C ...
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)     
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                            0
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                        0xD5 0x4C 0xCF 0x9C ...

---- EOF - GMER 1.0.15 ----
--- --- ---

jonno 01.10.2010 15:36
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 16:20:05 on 01.10.2010
OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Mozilla Corporation Firefox 3.6.10

Scanner Settings
Rootkits detection (hidden registry)
Rootkits detection (hidden files)
Retrieve files information
Check Microsoft signatures

Filters
Trusted entries
Empty entries
Hidden registry entries (rootkit activity)
Exclusively opened files
Not found files
Files without detailed information
Existing files
Non-startable services
Non-startable drivers
Active entries
Disabled entries

Risk Name Publisher Full Path Status
Common
%SystemRoot%\Tasks
|||| "AppleSoftwareUpdate.job" "Apple Inc." C:\Programme\Apple Software Update\SoftwareUpdate.exe File exists
|||| "GoogleUpdateTaskMachineCore.job" "Google Inc." C:\Programme\Google\Update\GoogleUpdate.exe File exists
|||| "GoogleUpdateTaskMachineUA.job" "Google Inc." C:\Programme\Google\Update\GoogleUpdate.exe File exists
Control Panel Objects
%SystemRoot%\system32
|||||| "infocardcpl.cpl" "Microsoft Corporation" C:\WINDOWS\system32\infocardcpl.cpl File exists
|||||| "javacpl.cpl" "Sun Microsystems, Inc." C:\WINDOWS\system32\javacpl.cpl File exists
|||||| "nvcpl.cpl" "NVIDIA Corporation" C:\WINDOWS\system32\nvcpl.cpl File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
|||||| "Avira AntiVir Personal" "Avira GmbH" C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl File exists
|||||| "Nero BurnRights" "Nero AG" C:\Programme\Nero\Nero 9\Nero BurnRights\NeroBurnRights_cpl.cpl File exists
|||||| "QuickTime" "Apple Inc." C:\Programme\QuickTime\QTSystem\QuickTime.cpl File exists
Drivers
HKLM\SYSTEM\CurrentControlSet\Services
|||||| "ACEDRV05" (ACEDRV05) "Protect Software GmbH" C:\WINDOWS\system32\drivers\ACEDRV05.sys File exists
|||||| "AEGIS Protocol (IEEE 802.1x) v3.4.5.0" (AegisP) "Meetinghouse Data Communications" C:\WINDOWS\System32\DRIVERS\AegisP.sys File exists
|||||| "Aspi32" (Aspi32) "Adaptec" C:\WINDOWS\system32\drivers\Aspi32.sys File exists
|||||| "avgio" (avgio) "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\avgio.sys File exists
|||||| "avgntflt" (avgntflt) "Avira GmbH" C:\WINDOWS\System32\DRIVERS\avgntflt.sys File exists
|||||| "avipbb" (avipbb) "Avira GmbH" C:\WINDOWS\System32\DRIVERS\avipbb.sys File exists
"catchme" (catchme) C:\DOKUME~1\Jon\LOKALE~1\Temp\catchme.sys File not found
"esgiguard" (esgiguard) C:\Programme\Enigma Software Group\SpyHunter\esgiguard.sys File not found
|||||| "gdrv" (gdrv) "Windows (R) 2000 DDK provider" C:\WINDOWS\gdrv.sys File exists
|||||| "ithsgt" (ithsgt) C:\WINDOWS\System32\DRIVERS\ithsgt.sys File found, but it contains no detailed information
|||||| "lilsgt" (lilsgt) C:\WINDOWS\System32\DRIVERS\lilsgt.sys File found, but it contains no detailed information
"PCIDump" (PCIDump) C:\WINDOWS\system32\drivers\PCIDump.sys File not found
"PDCOMP" (PDCOMP) C:\WINDOWS\system32\drivers\PDCOMP.sys File not found
"PDFRAME" (PDFRAME) C:\WINDOWS\system32\drivers\PDFRAME.sys File not found
"PDRELI" (PDRELI) C:\WINDOWS\system32\drivers\PDRELI.sys File not found
"PDRFRAME" (PDRFRAME) C:\WINDOWS\system32\drivers\PDRFRAME.sys File not found
|||||| "PxHelp20" (PxHelp20) "Sonic Solutions" C:\WINDOWS\System32\Drivers\PxHelp20.sys File exists
|||||| "Realtek EAPPkt Protocol" (EAPPkt) "Realtek" C:\WINDOWS\System32\DRIVERS\EAPPkt.sys File exists
|||||| "SASDIFSV" (SASDIFSV) "SUPERAdBlocker.com and SUPERAntiSpyware.com" C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS File exists
|||||| "SASKUTIL" (SASKUTIL) "SUPERAdBlocker.com and SUPERAntiSpyware.com" C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS File exists
|||||| "ssmdrv" (ssmdrv) "Avira GmbH" C:\WINDOWS\System32\DRIVERS\ssmdrv.sys File exists
"WDICA" (WDICA) C:\WINDOWS\system32\drivers\WDICA.sys File not found
Explorer
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
|||||| {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" "Microsoft Corporation" C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install File exists
HKLM\Software\Classes\Folder\shellex\ColumnHandlers
|||||| {C9E60ED7-FEAE-477b-B6A6-7D62103A0C6B} "NeroDigitalColumnHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\SMC\NeroDigitalExt.dll File exists
|||||| {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" "Adobe Systems, Inc." C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll File exists
HKLM\Software\Classes\Protocols\Filter
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {807553E5-5146-11D5-A672-00B0D022E945} "text/xml" "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL File exists
HKLM\Software\Classes\Protocols\Handler
|||||| {9462A756-7B47-47BC-8C80-C34B9B80B32B} "BackWeb GA Pluggable Protocol" "Logitech Inc." C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll File exists
|||||| {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL File exists
|||||| {3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL File exists
|||||| {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" "Skype Technologies" C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
|||||| {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "SABShellExecuteHook Class" "SuperAdBlocker.com" C:\Programme\SUPERAntiSpyware\SASSEH.DLL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" deskpan.dll File not found
|||||| {1CDB2949-8F65-4355-8456-263E7C208A5D} "Desktop Explorer" "NVIDIA Corporation" C:\Programme\NVIDIA Corporation\nView\nvshell.dll File exists
|||||| {1E9B04FB-F9E5-4718-997B-B8DA88302A47} "Desktop Explorer Menu" "NVIDIA Corporation" C:\Programme\NVIDIA Corporation\nView\nvshell.dll File exists
|||||| {A70C977A-BF00-412C-90B7-034C51DA2439} "DesktopContext Class" "NVIDIA Corporation" C:\WINDOWS\system32\nvcpl.dll File exists
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" File not found | COM-object registry key not found
|||||| {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" "Apple Inc." C:\Programme\iTunes\iTunesMiniPlayer.dll File exists
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" File not found | COM-object registry key not found
{73B24247-042E-4EF5-ADC2-42F62E6FD654} "MCLiteShellExt Class" C:\Programme\ICQLite\ICQLiteShell.dll File exists
|||||| {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" "Microsoft Corporation" C:\Programme\Microsoft Office\OFFICE11\msohev.dll File exists
|||||| {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll File exists
|||||| {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL File exists
|||||| {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll File exists
|||||| {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" "Nero AG" C:\Programme\Nero\Nero 9\Nero CoverDesigner\CoverEdExtension.dll File exists
|||||| {C9E60ED7-FEAE-477b-B6A6-7D62103A0C6B} "NeroDigitalColumnHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\SMC\NeroDigitalExt.dll File exists
|||||| {1CA6BBC9-E9FA-4021-822B-075DF1837B63} "NeroDigitalIconHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\SMC\NeroDigitalExt.dll File exists
|||||| {4FBFFA8D-F390-471a-AE46-FEB93623AD63} "NeroDigitalInfoHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\SMC\NeroDigitalExt.dll File exists
|||||| {846083A4-BFC6-4447-985C-6578B466A7D7} "NeroDigitalPropSheetHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\SMC\NeroDigitalExt.dll File exists
|||||| {EDCC595A-F0EE-4d81-B554-D5D01C7AFB87} "NeroDigitalThumbnailHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\SMC\NeroDigitalExt.dll File exists
|||||| {FFB699E0-306A-11d3-8BD1-00104B6F7516} "NVIDIA CPL Extension" "NVIDIA Corporation" C:\WINDOWS\system32\nvcpl.dll File exists
|||||| {1E9B04FB-F9E5-4718-997B-B8DA88302A48} "nView Desktop Context Menu" "NVIDIA Corporation" C:\Programme\NVIDIA Corporation\nView\nvshell.dll File exists
|||||| {0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL File exists
|||||| {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\shlext.dll File exists
|||||| {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" "Microsoft Corporation" C:\WINDOWS\system32\dfshim.dll File exists
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" File not found | COM-object registry key not found
|||||| {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" "Microsoft Corporation" C:\WINDOWS\system32\dfshim.dll File exists
|||||| {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL File exists
|||||| {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" C:\Programme\WinRAR\rarext.dll File found, but it contains no detailed information
Internet Explorer
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
|||| "DAEMON Tools Toolbar" C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll File exists
ITBar7Height "ITBar7Height" File not found | COM-object registry key not found
"ITBar7Layout" File not found | COM-object registry key not found
"ITBarLayout" File not found | COM-object registry key not found
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" File not found | COM-object registry key not found
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
|| {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} "DeviceVM Url Search Hook" "DeviceVM Inc." C:\WINDOWS\system32\dvmurl.dll File exists
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
|||| {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_13"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre6\bin\npjpi160_13.dll File exists
|||| {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} "Java Plug-in 1.6.0_13"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre6\bin\npjpi160_13.dll File exists
|||| {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_13"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre6\bin\npjpi160_13.dll File exists
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
|||| {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL File exists
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
|||| "DAEMON Tools Toolbar" C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
|||||| {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" "Adobe Systems Incorporated" C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll File exists
|||| {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" "Sun Microsystems, Inc." C:\Programme\Java\jre6\bin\jp2ssv.dll File exists
|||| {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" "Sun Microsystems, Inc." C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File exists
Logon
%AllUsersProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini File exists
|||| "NETGEAR WG111v3 Smart Wizard.lnk" C:\Programme\NETGEAR\WG111v3\WG111v3.exe Shortcut exists | File exists
%UserProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\Jon\Startmenü\Programme\Autostart\desktop.ini File exists
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|||||| "Rainlendar2" C:\Programme\Rainlendar2\Rainlendar2.exe File exists
"SUPERAntiSpyware" "SUPERAntiSpyware.com" C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|||| "Adobe ARM" "Adobe Systems Incorporated" "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" File exists
|||| "Adobe Reader Speed Launcher" "Adobe Systems Incorporated" "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" File exists
|||||| "avgnt" "Avira GmbH" "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min File exists
|||| "CanonMyPrinter" "CANON INC." C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon File exists
|||| "iTunesHelper" "Apple Inc." "C:\Programme\iTunes\iTunesHelper.exe" File exists
|||| "Nikon Transfer Monitor" "Nikon Corporation" C:\Programme\Gemeinsame Dateien\Nikon\Monitor\NkMonitor.exe File exists
|||||| "NvCplDaemon" "NVIDIA Corporation" RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup File exists
|||| "NvMediaCenter" "NVIDIA Corporation" RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit File exists
|||| "QuickTime Task" "Apple Inc." "C:\Programme\QuickTime\QTTask.exe" -atboottime File exists
|||| "SunJavaUpdateSched" "Sun Microsystems, Inc." "C:\Programme\Java\jre6\bin\jusched.exe" File exists
Print Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
|||||| "Microsoft Document Imaging Writer Monitor" "Microsoft Corporation" C:\WINDOWS\system32\mdimon.dll File exists
|||||| "PDFCreator" C:\WINDOWS\system32\pdfcmnnt.dll File found, but it contains no detailed information
|||||| "Redirected Port" C:\WINDOWS\system32\redmonnt.dll File found, but it contains no detailed information
Services
HKLM\SYSTEM\CurrentControlSet\Services
|||||| ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe File exists
"Akamai NetSession Interface" (Akamai) c:\programme\gemeinsame dateien\akamai\netsession_win_062a651.dll File found, but it contains no detailed information
|||||| "Apple Mobile Device" (Apple Mobile Device) "Apple Inc." C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe File exists
|||||| "ASP.NET State Service" (aspnet_state) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe File exists
|||||| "Avira AntiVir Guard" (AntiVirService) "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\avguard.exe File exists
|||||| "Avira AntiVir Planer" (AntiVirSchedulerService) "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\sched.exe File exists
|||||| "GEST Service for program management." (GEST Service) C:\Programme\GIGABYTE\EnergySaver\GSvr.exe File found, but it contains no detailed information
|||| "Google Update Service (gupdate1caf1aa3fae2b56)" (gupdate1caf1aa3fae2b56) "Google Inc." C:\Programme\Google\Update\GoogleUpdate.exe File exists
|||||| "Inkjet Printer/Scanner Extended Survey Program" (IJPLMSVC) C:\Programme\Canon\IJPLM\IJPLMSVC.EXE File exists
|||| "InstallDriver Table Manager" (IDriverT) "Macrovision Corporation" C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe File exists
|||||| "iPod-Dienst" (iPod Service) "Apple Inc." C:\Programme\iPod\bin\iPodService.exe File exists
|||||| "Java Quick Starter" (JavaQuickStarterService) "Sun Microsystems, Inc." C:\Programme\Java\jre6\bin\jqs.exe File exists
|||||| "Nero BackItUp Scheduler 4.0" (Nero BackItUp Scheduler 4.0) "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe File exists
|||||| "NVIDIA Display Driver Service" (NVSvc) "NVIDIA Corporation" C:\WINDOWS\system32\nvsvc32.exe File exists
|||||| "Office Source Engine" (ose) "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE File exists
|||||| "Windows CardSpace" (idsvc) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe File exists
|||||| "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe File exists
Winlogon
HKCU\Control Panel\IOProcs
"MVB" mvfs32.dll File not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
|||||| "!SASWinLogon" "SUPERAntiSpyware.com" C:\Programme\SUPERAntiSpyware\SASWINLO.DLL File exists
|||| "WgaLogon" "Microsoft Corporation" C:\WINDOWS\system32\WgaLogon.dll File exists

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

jonno 01.10.2010 15:40
Nach dem Ausführen des Bootkit Removers steht im schwarzen Fenster:
"Unknown boot code has been found on some on your physical disc"

logfile:

.\debug.cpp(238) : Debug log started at 01.10.2010 - 14:39:45
.\boot_cleaner.cpp(527) : Bootkit Remover
.\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
.\boot_cleaner.cpp(529) : www.esagelab.com
.\boot_cleaner.cpp(533) : Program version: 1.2.0.0
.\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
.\debug.cpp(248) : **********************************************
.\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
.\debug.cpp(250) : **********************************************
.\debug.cpp(256) : 0x804d7000 0x0020e000 "\WINDOWS\system32\ntkrnlpa.exe"
.\debug.cpp(256) : 0x806e5000 0x00020d00 "\WINDOWS\system32\hal.dll"
.\debug.cpp(256) : 0xb85a8000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
.\debug.cpp(256) : 0xb84b8000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
.\debug.cpp(256) : 0xb7f78000 0x0002f000 "ACPI.sys"
.\debug.cpp(256) : 0xb85aa000 0x00002000 "\WINDOWS\system32\DRIVERS\WMILIB.SYS"
.\debug.cpp(256) : 0xb7f67000 0x00011000 "pci.sys"
.\debug.cpp(256) : 0xb80a8000 0x0000a000 "isapnp.sys"
.\debug.cpp(256) : 0xb8670000 0x00001000 "pciide.sys"
.\debug.cpp(256) : 0xb8328000 0x00007000 "\WINDOWS\system32\DRIVERS\PCIIDEX.SYS"
.\debug.cpp(256) : 0xb80b8000 0x0000b000 "MountMgr.sys"
.\debug.cpp(256) : 0xb7f48000 0x0001f000 "ftdisk.sys"
.\debug.cpp(256) : 0xb85ac000 0x00002000 "dmload.sys"
.\debug.cpp(256) : 0xb7f22000 0x00026000 "dmio.sys"
.\debug.cpp(256) : 0xb8330000 0x00005000 "PartMgr.sys"
.\debug.cpp(256) : 0xb80c8000 0x0000e000 "VolSnap.sys"
.\debug.cpp(256) : 0xb7f0a000 0x00018000 "atapi.sys"
.\debug.cpp(256) : 0xb80d8000 0x00009000 "disk.sys"
.\debug.cpp(256) : 0xb80e8000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
.\debug.cpp(256) : 0xb7eea000 0x00020000 "fltMgr.sys"
.\debug.cpp(256) : 0xb7ed8000 0x00012000 "sr.sys"
.\debug.cpp(256) : 0xb80f8000 0x0000a000 "PxHelp20.sys"
.\debug.cpp(256) : 0xb7ec1000 0x00017000 "KSecDD.sys"
.\debug.cpp(256) : 0xb7e34000 0x0008d000 "Ntfs.sys"
.\debug.cpp(256) : 0xb7e07000 0x0002d000 "NDIS.sys"
.\debug.cpp(256) : 0xb7ded000 0x0001a000 "Mup.sys"
.\debug.cpp(256) : 0xb82c8000 0x0000a000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
.\debug.cpp(256) : 0xb73d8000 0x009cd000 "\SystemRoot\system32\DRIVERS\nv4_mini.sys"
.\debug.cpp(256) : 0xb73c4000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
.\debug.cpp(256) : 0xb8420000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
.\debug.cpp(256) : 0xb73a0000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
.\debug.cpp(256) : 0xb8428000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
.\debug.cpp(256) : 0xb7378000 0x00028000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
.\debug.cpp(256) : 0xb735d000 0x0001b000 "\SystemRoot\system32\DRIVERS\Rtenicxp.sys"
.\debug.cpp(256) : 0xb82d8000 0x00010000 "\SystemRoot\system32\DRIVERS\serial.sys"
.\debug.cpp(256) : 0xb8588000 0x00004000 "\SystemRoot\system32\DRIVERS\serenum.sys"
.\debug.cpp(256) : 0xb7349000 0x00014000 "\SystemRoot\system32\DRIVERS\parport.sys"
.\debug.cpp(256) : 0xb82e8000 0x0000d000 "\SystemRoot\system32\DRIVERS\i8042prt.sys"
.\debug.cpp(256) : 0xb8430000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
.\debug.cpp(256) : 0xb8438000 0x00007000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
.\debug.cpp(256) : 0xb82f8000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
.\debug.cpp(256) : 0xb8308000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
.\debug.cpp(256) : 0xb8318000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
.\debug.cpp(256) : 0xb7326000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
.\debug.cpp(256) : 0xb8440000 0x00006000 "\SystemRoot\System32\Drivers\GEARAspiWDM.sys"
.\debug.cpp(256) : 0xb87a1000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
.\debug.cpp(256) : 0xb8128000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
.\debug.cpp(256) : 0xb8590000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
.\debug.cpp(256) : 0xb730f000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
.\debug.cpp(256) : 0xb8138000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
.\debug.cpp(256) : 0xb8148000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
.\debug.cpp(256) : 0xb8448000 0x00005000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
.\debug.cpp(256) : 0xb72fe000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
.\debug.cpp(256) : 0xb8158000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
.\debug.cpp(256) : 0xb8450000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
.\debug.cpp(256) : 0xb8458000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
.\debug.cpp(256) : 0xb72ce000 0x00030000 "\SystemRoot\system32\DRIVERS\rdpdr.sys"
.\debug.cpp(256) : 0xb8168000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
.\debug.cpp(256) : 0xb85d8000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
.\debug.cpp(256) : 0xb7213000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
.\debug.cpp(256) : 0xb7db9000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
.\debug.cpp(256) : 0xb8178000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
.\debug.cpp(256) : 0xb81a8000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
.\debug.cpp(256) : 0xb85dc000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
.\debug.cpp(256) : 0xb4b9b000 0x004b0000 "\SystemRoot\system32\drivers\RtkHDAud.sys"
.\debug.cpp(256) : 0xb4b77000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
.\debug.cpp(256) : 0xb81b8000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
.\debug.cpp(256) : 0xb72be000 0x00003000 "\SystemRoot\System32\Drivers\i2omgmt.SYS"
.\debug.cpp(256) : 0xb4ac8000 0x0005f000 "\??\C:\WINDOWS\system32\drivers\ACEDRV05.sys"
.\debug.cpp(256) : 0xb85fa000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
.\debug.cpp(256) : 0xb86ff000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
.\debug.cpp(256) : 0xb85fc000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
.\debug.cpp(256) : 0xb8480000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
.\debug.cpp(256) : 0xb8600000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
.\debug.cpp(256) : 0xb8602000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
.\debug.cpp(256) : 0xb8488000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
.\debug.cpp(256) : 0xb8490000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
.\debug.cpp(256) : 0xb72b6000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
.\debug.cpp(256) : 0xb4a95000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
.\debug.cpp(256) : 0xb4a3c000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
.\debug.cpp(256) : 0xb4a14000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
.\debug.cpp(256) : 0xb49ee000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
.\debug.cpp(256) : 0xb49cc000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
.\debug.cpp(256) : 0xb81d8000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
.\debug.cpp(256) : 0xb81e8000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
.\debug.cpp(256) : 0xb8498000 0x00006000 "\SystemRoot\system32\DRIVERS\ssmdrv.sys"
.\debug.cpp(256) : 0xb49aa000 0x00022000 "\??\C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS"
.\debug.cpp(256) : 0xb84a0000 0x00006000 "\??\C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS"
.\debug.cpp(256) : 0xb497f000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
.\debug.cpp(256) : 0xb490f000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
.\debug.cpp(256) : 0xb81f8000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
.\debug.cpp(256) : 0xb48ed000 0x00022000 "\SystemRoot\system32\DRIVERS\avipbb.sys"
.\debug.cpp(256) : 0xb8608000 0x00002000 "\??\C:\Programme\Avira\AntiVir Desktop\avgio.sys"
.\debug.cpp(256) : 0xb8248000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
.\debug.cpp(256) : 0xb48ad000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
.\debug.cpp(256) : 0xb8614000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
.\debug.cpp(256) : 0xbf800000 0x001c5000 "\SystemRoot\System32\win32k.sys"
.\debug.cpp(256) : 0xb4b67000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
.\debug.cpp(256) : 0xb8380000 0x00005000 "\SystemRoot\System32\watchdog.sys"
.\debug.cpp(256) : 0xbd000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
.\debug.cpp(256) : 0xb8787000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
.\debug.cpp(256) : 0xbd012000 0x00611000 "\SystemRoot\System32\nv4_disp.dll"
.\debug.cpp(256) : 0xbffa0000 0x00046000 "\SystemRoot\System32\ATMFD.DLL"
.\debug.cpp(256) : 0xb4580000 0x00015000 "\SystemRoot\system32\DRIVERS\avgntflt.sys"
.\debug.cpp(256) : 0xb83b8000 0x00005000 "\SystemRoot\system32\DRIVERS\AegisP.sys"
.\debug.cpp(256) : 0xb463d000 0x0000a000 "\SystemRoot\system32\DRIVERS\EAPPkt.sys"
.\debug.cpp(256) : 0xb4b63000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
.\debug.cpp(256) : 0xb425b000 0x0002d000 "\SystemRoot\system32\DRIVERS\mrxdav.sys"
.\debug.cpp(256) : 0xb421e000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
.\debug.cpp(256) : 0xb4330000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
.\debug.cpp(256) : 0xb862a000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
.\debug.cpp(256) : 0xb4108000 0x00004000 "\SystemRoot\System32\Drivers\Aspi32.SYS"
.\debug.cpp(256) : 0xb3de6000 0x00028000 "\SystemRoot\system32\DRIVERS\ithsgt.sys"
.\debug.cpp(256) : 0xb3f12000 0x00003000 "\SystemRoot\system32\DRIVERS\lilsgt.sys"
.\debug.cpp(256) : 0xb3d67000 0x00057000 "\SystemRoot\system32\DRIVERS\srv.sys"
.\debug.cpp(256) : 0xb2e08000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
.\debug.cpp(256) : 0xb3c53000 0x00003000 "\??\C:\WINDOWS\gdrv.sys"
.\debug.cpp(256) : 0xb2a86000 0x00037000 "\SystemRoot\system32\DRIVERS\wg111v3.sys"
.\debug.cpp(256) : 0xb2a5b000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
.\debug.cpp(256) : 0x7c910000 0x000b9000 "\WINDOWS\system32\ntdll.dll"
.\debug.cpp(263) : **********************************************
.\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
.\debug.cpp(308) : **********************************************
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
.\debug.cpp(400) : Destination "\Device\Ndis"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi3:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
.\debug.cpp(400) : Destination "\Device\Video0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
.\debug.cpp(400) : Destination "\Device\Video1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000038"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\00000047"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmIoDaemon"
.\debug.cpp(400) : Destination "\Device\DmControl\DmIoDaemon"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000048"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458A002&REV_1000#4&24734d84&0&0201#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000007c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
.\debug.cpp(400) : Destination "\Device\Video2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
.\debug.cpp(400) : Destination "\Device\Ip"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureADB4ADB4Offset1869E59800Length5C06B2EA00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
.\debug.cpp(400) : Destination "\Device\IPSEC"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgio"
.\debug.cpp(400) : Destination "\Device\avgio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
.\debug.cpp(400) : Destination "\Device\Video3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000037"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{840abc02-f880-11dd-bab8-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
.\debug.cpp(400) : Destination "\Device\NDProxy"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi4:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&2b98ef05&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CDR4_XP"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{493A94C6-FB53-426F-9195-7295A63B7D5C}"
.\debug.cpp(400) : Destination "\Device\{493A94C6-FB53-426F-9195-7295A63B7D5C}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\$VDMLPT1"
.\debug.cpp(400) : Destination "\Device\ParallelVdm0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskSAMSUNG_HD501LJ_________________________CR100-13#3053554d314a5142314139353431202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP3T0L0-7"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\RdpDrDvMgr"
.\debug.cpp(400) : Destination "\Device\RdpDrDvMgr"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{61095E30-EAE6-4E4E-940C-01794C7851A5}"
.\debug.cpp(400) : Destination "\Device\{61095E30-EAE6-4E4E-940C-01794C7851A5}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi5:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
.\debug.cpp(400) : Destination "\Device\Serial0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GH22NS40________________NL00____#374b384f52393036313320332020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP2T1L0-16"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
.\debug.cpp(400) : Destination "\Device\WMIDataDevice"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgntflt"
.\debug.cpp(400) : Destination "\FileSystem\Filters\avgntflt"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ithsgt"
.\debug.cpp(400) : Destination "\Device\ithsgt"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\00000046"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
.\debug.cpp(400) : Destination "\Device\NamedPipe"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
.\debug.cpp(400) : Destination "\Device\PSched"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
.\debug.cpp(400) : Destination "\Device\Mup"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
.\debug.cpp(400) : Destination "\Device\IPNAT"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice"
.\debug.cpp(400) : Destination "\Device\GEARAspiWDMDevice"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
.\debug.cpp(400) : Destination "\Device\USBFDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
.\debug.cpp(400) : Destination "\Device\Tcp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\I2OExec"
.\debug.cpp(400) : Destination "\Device\I2OExec"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
.\debug.cpp(400) : Destination "\Device\VideoPdo0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&25712375&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
.\debug.cpp(400) : Destination "\Device\USBFDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000003d"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
.\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
.\debug.cpp(400) : Destination "\DosDevices\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A34&SUBSYS_50041458&REV_00#3&13c0b0c5&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
.\debug.cpp(400) : Destination "\Device\USBFDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
.\debug.cpp(400) : Destination "\Device\sysaudio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
.\debug.cpp(400) : Destination "\Device\FsWrap"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
.\debug.cpp(400) : Destination "\Device\USBFDO-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000003a"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbMmDp32"
.\debug.cpp(400) : Destination "\Device\MbMmDp32"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
.\debug.cpp(400) : Destination "\Device\USBFDO-4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{5862657D-9BFC-44AD-9A42-EDCE54F96095}"
.\debug.cpp(400) : Destination "\Device\{5862657D-9BFC-44AD-9A42-EDCE54F96095}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458A002&REV_1000#4&24734d84&0&0201#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000007c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AegisP_{5DC7F407-D1B0-4BF0-B045-771510098746}"
.\debug.cpp(400) : Destination "\Device\AegisP_{5DC7F407-D1B0-4BF0-B045-771510098746}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Eappkt"
.\debug.cpp(400) : Destination "\Device\Eappkt"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
.\debug.cpp(400) : Destination "\GLOBAL??"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD5"
.\debug.cpp(400) : Destination "\Device\USBFDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&de4d8cf&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\0000006c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\0000004c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AegisP_{61095E30-EAE6-4E4E-940C-01794C7851A5}"
.\debug.cpp(400) : Destination "\Device\AegisP_{61095E30-EAE6-4E4E-940C-01794C7851A5}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
.\debug.cpp(400) : Destination "\Device\00000069"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD6"
.\debug.cpp(400) : Destination "\Device\USBFDO-6"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02#4&2182fe78&0&00E5#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0020"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A39&SUBSYS_50041458&REV_00#3&13c0b0c5&0&D2#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GIO"
.\debug.cpp(400) : Destination "\Device\GIO"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0846&Pid_4260#00223FEBC84B#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\USBPDO-8"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD7"
.\debug.cpp(400) : Destination "\Device\USBFDO-7"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GH22NS40________________NL00____#374b384f52393036313320332020202020202020#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP2T1L0-16"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A36&SUBSYS_50041458&REV_00#3&13c0b0c5&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0012"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&22dcf096&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A37&SUBSYS_50041458&REV_00#3&13c0b0c5&0&D0#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458A002&REV_1000#4&24734d84&0&0201#{dda54a40-1e4c-11d1-a050-405705c10000}"
.\debug.cpp(400) : Destination "\Device\0000007c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#5&24c89052&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
.\debug.cpp(400) : Destination "\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
.\debug.cpp(400) : Destination "\Device\00000069"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&6427700&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-6"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458A002&REV_1000#4&24734d84&0&0201#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
.\debug.cpp(400) : Destination "\Device\0000007c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0612&SUBSYS_900C1ACC&REV_A2#4&242dc0f1&0&0008#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0019"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&de4d8cf&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000006c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0400#4&de4d8cf&0#{97f76ef0-f883-11d0-af1f-0000f800845c}"
.\debug.cpp(400) : Destination "\Device\0000006a"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&14e368e2&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ssmctl"
.\debug.cpp(400) : Destination "\Device\ssmctl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{13DB12B9-BF0D-4659-8214-5CC9E653449B}"
.\debug.cpp(400) : Destination "\Device\{13DB12B9-BF0D-4659-8214-5CC9E653449B}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000036"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmConfig"
.\debug.cpp(400) : Destination "\Device\DmControl\DmConfig"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
.\debug.cpp(400) : Destination "\Device\MountPointManager"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
.\debug.cpp(400) : Destination "\Device\WANARP"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0F13#4&de4d8cf&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000006b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&5e0d3c3&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\RealTekCard"
.\debug.cpp(400) : Destination "\Device\RealTekCard"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000003"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&3ae06be8&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{0A848F62-9D58-4F22-AD77-EC83AB5C67A9}"
.\debug.cpp(400) : Destination "\Device\{0A848F62-9D58-4F22-AD77-EC83AB5C67A9}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmTrace"
.\debug.cpp(400) : Destination "\Device\DmControl\DmTrace"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0846&Pid_4260#00223FEBC84B#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-8"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SASKUTIL"
.\debug.cpp(400) : Destination "\Device\SASKUTIL"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
.\debug.cpp(400) : Destination "\Device\NdisWanIp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#dmio#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureADB4ADB4Offset7E0000Length1869679800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AegisP"
.\debug.cpp(400) : Destination "\Device\AegisP"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{6E6D78C3-FB49-4E71-8B46-E1C2C2C94A1E}"
.\debug.cpp(400) : Destination "\Device\{6E6D78C3-FB49-4E71-8B46-E1C2C2C94A1E}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{840abc06-f880-11dd-bab8-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458A002&REV_1000#4&24734d84&0&0201#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000007c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{5DC7F407-D1B0-4BF0-B045-771510098746}"
.\debug.cpp(400) : Destination "\Device\{5DC7F407-D1B0-4BF0-B045-771510098746}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000039"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
.\debug.cpp(400) : Destination "\Device\ParTechInc0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
.\debug.cpp(400) : Destination "\Device\NdisTapi"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
.\debug.cpp(400) : Destination "\Device\NdisWan"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT1"
.\debug.cpp(400) : Destination "\Device\NamedPipe\Spooler\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
.\debug.cpp(400) : Destination "\Device\IPMULTICAST"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{BAABC4EC-4892-4EE9-9E9B-48A2528F03A2}"
.\debug.cpp(400) : Destination "\Device\{BAABC4EC-4892-4EE9-9E9B-48A2528F03A2}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
.\debug.cpp(400) : Destination "\Device\ParTechInc1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmLoader"
.\debug.cpp(400) : Destination "\Device\DmLoader"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
.\debug.cpp(400) : Destination "\Device\LanmanRedirector"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\lilsgt"
.\debug.cpp(400) : Destination "\Device\lilsgt"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACEDRV05"
.\debug.cpp(400) : Destination "\Device\ACEDRV05"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A3A&SUBSYS_50061458&REV_00#3&13c0b0c5&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0013"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{738D8136-96B4-41D6-BA77-CAA1FA70C218}"
.\debug.cpp(400) : Destination "\Device\{738D8136-96B4-41D6-BA77-CAA1FA70C218}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
.\debug.cpp(400) : Destination "\Device\ParTechInc2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{840abc04-f880-11dd-bab8-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SABDIFSV"
.\debug.cpp(400) : Destination "\Device\SASDIFSV"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A38&SUBSYS_50041458&REV_00#3&13c0b0c5&0&D1#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
.\debug.cpp(400) : Destination "\Device\FtControl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
.\debug.cpp(400) : Destination "\Device\MailSlot"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
.\debug.cpp(400) : Destination "\DosDevices\COM1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&1828fff1&1#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-7"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A35&SUBSYS_50041458&REV_00#3&13c0b0c5&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) : Destination ""
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
.\debug.cpp(400) : Destination "\Device\Null"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
.\debug.cpp(400) : Destination "\Device\Ndisuio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NONSPOOLED_LPT1"
.\debug.cpp(400) : Destination "\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000003f"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avipbb"
.\debug.cpp(400) : Destination "\Device\avipbb"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GH22NS40________________NL00____#374b384f52393036313320332020202020202020#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP2T1L0-16"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A3C&SUBSYS_50061458&REV_00#3&13c0b0c5&0&D7#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmInfo"
.\debug.cpp(400) : Destination "\Device\DmControl\DmInfo"
.\debug.cpp(409) : --
.\debug.cpp(453) : **********************************************
.\boot_cleaner.cpp(565) : System volume is \\.\C:
.\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`007e0000
.\boot_cleaner.cpp(276) : Boot sector MD5 is: 5ddc20efcc4d1dab37c348c7db7289cf
.\boot_cleaner.cpp(1060) :
.\boot_cleaner.cpp(1061) : Size Device Name MBR Status
.\boot_cleaner.cpp(1062) : --------------------------------------------
.\boot_cleaner.cpp(1106) : 465 GB \\.\PhysicalDrive0 Unknown boot code
.\boot_cleaner.cpp(1112) :
.\boot_cleaner.cpp(1118) : Unknown boot code has been found on some of your physical disks.
.\boot_cleaner.cpp(1120) : To inspect the boot code manually, dump the master boot sector:
.\boot_cleaner.cpp(1121) : remover.exe dump <device_name> [output_file]
.\boot_cleaner.cpp(1125) : To disinfect the master boot sector, use the following command:
.\boot_cleaner.cpp(1126) : remover.exe fix <device_name>
.\boot_cleaner.cpp(1129) :
.\boot_cleaner.cpp(1151) : Done;

cosinus 01.10.2010 18:54
Downloade Dir bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
  • Doppelklick auf die MBRCheck.exe.
    Vista und Win7 User mit Rechtsklick "als Administrator starten"
  • Das Tool braucht nur eine Sekunde.
  • Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.
Poste mir bitte den Inhalt des .txt Dokumentes

jonno 01.10.2010 21:44
BRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 119):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F78000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F67000 pci.sys
0xB80A8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7F48000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F22000 dmio.sys
0xB8330000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7F0A000 atapi.sys
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7EEA000 fltMgr.sys
0xB7ED8000 sr.sys
0xB80F8000 PxHelp20.sys
0xB7EC1000 KSecDD.sys
0xB7E34000 Ntfs.sys
0xB7E07000 NDIS.sys
0xB7DED000 Mup.sys
0xB82C8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB73D8000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB73C4000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8420000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB73A0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8428000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7378000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB735D000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xB82D8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB8588000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB7349000 \SystemRoot\system32\DRIVERS\parport.sys
0xB82E8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB8430000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB8438000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB82F8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8308000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8318000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7326000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8440000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB87A1000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB8128000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB8590000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB730F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8138000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8148000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8448000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB72FE000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8158000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8450000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8458000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB72CE000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8168000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB85D8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7213000 \SystemRoot\system32\DRIVERS\update.sys
0xB7DB9000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8178000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB81A8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85DC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB4B9B000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB4B77000 \SystemRoot\system32\drivers\portcls.sys
0xB81B8000 \SystemRoot\system32\drivers\drmk.sys
0xB72BE000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xB4AC8000 \??\C:\WINDOWS\system32\drivers\ACEDRV05.sys
0xB85FA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB86FF000 \SystemRoot\System32\Drivers\Null.SYS
0xB85FC000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8480000 \SystemRoot\System32\drivers\vga.sys
0xB8600000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB8602000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB8488000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8490000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB72B6000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB4A95000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB4A3C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB4A14000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB49EE000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB49CC000 \SystemRoot\System32\drivers\afd.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB8498000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xB49AA000 \??\C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS
0xB84A0000 \??\C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS
0xB497F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB490F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB81F8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB48ED000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xB8608000 \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys
0xB8248000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB48AD000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB8614000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB4B67000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8380000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB8787000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB4580000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xB83B8000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xB463D000 \SystemRoot\system32\DRIVERS\EAPPkt.sys
0xB4B63000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB425B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB421E000 \SystemRoot\system32\drivers\wdmaud.sys
0xB4330000 \SystemRoot\system32\drivers\sysaudio.sys
0xB862A000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB4108000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xB3DE6000 \SystemRoot\system32\DRIVERS\ithsgt.sys
0xB3F12000 \SystemRoot\system32\DRIVERS\lilsgt.sys
0xB3D67000 \SystemRoot\system32\DRIVERS\srv.sys
0xB2E08000 \SystemRoot\System32\Drivers\HTTP.sys
0xB3C53000 \??\C:\WINDOWS\gdrv.sys
0xB2A86000 \SystemRoot\system32\DRIVERS\wg111v3.sys
0x7C910000 \WINDOWS\system32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
648 C:\WINDOWS\system32\smss.exe
696 csrss.exe
720 C:\WINDOWS\system32\winlogon.exe
764 C:\WINDOWS\system32\services.exe
776 C:\WINDOWS\system32\lsass.exe
960 C:\WINDOWS\system32\nvsvc32.exe
984 C:\WINDOWS\system32\svchost.exe
1052 svchost.exe
1092 C:\WINDOWS\system32\svchost.exe
1228 svchost.exe
1256 svchost.exe
1416 C:\WINDOWS\system32\spoolsv.exe
1488 scardsvr.exe
1508 C:\Programme\Avira\AntiVir Desktop\sched.exe
1556 svchost.exe
1892 C:\WINDOWS\explorer.exe
1960 C:\WINDOWS\system32\svchost.exe
1984 C:\Programme\Avira\AntiVir Desktop\avguard.exe
2004 C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
172 C:\Programme\GIGABYTE\EnergySaver\GSvr.exe
200 C:\Programme\Canon\IJPLM\ijplmsvc.exe
256 C:\Programme\Java\jre6\bin\jqs.exe
348 C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
380 C:\Programme\Avira\AntiVir Desktop\avshadow.exe
540 C:\WINDOWS\system32\svchost.exe
1584 C:\WINDOWS\RTHDCPL.exe
1588 C:\WINDOWS\SoundMan.exe
1600 C:\Programme\Canon\MyPrinter\BJMYPRT.EXE
1624 C:\Programme\Java\jre6\bin\jusched.exe
1340 C:\Programme\Gemeinsame Dateien\Nikon\Monitor\NkMonitor.exe
1664 C:\Programme\QuickTime\QTTask.exe
1628 C:\Programme\iTunes\iTunesHelper.exe
1708 C:\WINDOWS\system32\rundll32.exe
1764 C:\Programme\Avira\AntiVir Desktop\avgnt.exe
1800 C:\Programme\Rainlendar2\Rainlendar2.exe
1796 C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
1840 C:\Programme\NETGEAR\WG111v3\WG111v3.exe
3432 C:\Programme\iPod\bin\iPodService.exe
3720 C:\WINDOWS\system32\wbem\wmiapsrv.exe
3852 alg.exe
3368 C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE
2908 C:\Programme\Mozilla Firefox\firefox.exe
3444 C:\Dokumente und Einstellungen\Jon\Desktop\MBRCheck.exe
2292 C:\Programme\Skype\Toolbars\Shared\SkypeNames2.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`007e0000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000018`69e59800 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD501LJ, Rev: CR100-13

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: ADFE55CD0C6ED2E00B22375835E4C2736CE9AD11


Done!


Alle Zeitangaben in WEZ +1. Es ist jetzt 17:57 Uhr.
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131