08.06.2010, 14:10 | #1
TR/Spy.Gen / Antimalware Doctor / Browser is being HIJACKED & new viruses downloaded

Hi,

I was recently on a website where several windows suddenly popped up trying to force me to download a new version of Java. Being a smart internet user I naturally got suspicious and wanted to close the windows and the page, but the browser hung and I had to kill it in Task Manager. Soon after, I got the typical Antimalware Doctor problems. Via Google I found a guide from this forum, and with its help I have presumably got rid of the Doctor. However, I still have problems with viruses. Also, my browser (Firefox) is frequently redirected to other sites. And for some time now neither Windows Updates nor Windows Defender updates have been working.

So much for my problem. Below is information about my system, one scan from OTL and two from SuperAntiSpyware: one taken right after I had Malware Doctor and one from this morning. Also 3 screenshots of my HIJACKED browser.

Code:
Operating System Name: Microsoft® Windows Vista™ Home Premium
Version: 6.0.6002 Service Pack 2 Build 6002
Other OS Description: Not Available
OS Manufacturer: Microsoft Corporation
System Name: ***
System Manufacturer: System manufacturer
System Model: System Product Name
System Type: X86-based PC
Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz, 2133 MHz, 2 Core(s), 2 Logical Processor(s)
BIOS Version/Date: Phoenix Technologies, LTD ASUS P5N-E SLI ACPI BIOS Revision 0505, 05.03.2007
SMBIOS Version: 2.4
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
Locale: Germany
Hardware Abstraction Layer: Version = "6.0.6002.18005"
User Name: ***
Time Zone: Central European Summer Time
Installed Physical Memory (RAM): 2.00 GB
Total Physical Memory: 2.00 GB
Available Physical Memory: 951 MB
Total Virtual Memory: 4.23 GB
Available Virtual Memory: 2.76 GB
Page File Space: 2.29 GB
Page File: C:\pagefile.sys

Code:
OTL logfile created on: 08.06.2010 12:23:21 - Run 2
OTL by OldTimer - Version 3.2.4.1     Folder = C:\Users\Carso\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 60,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 75,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 39,08 Gb Total Space | 4,22 Gb Free Space | 10,79% Space Free | Partition Type: NTFS
Drive D: | 129,56 Gb Total Space | 58,90 Gb Free Space | 45,46% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 129,45 Gb Total Space | 49,22 Gb Free Space | 38,02% Space Free | Partition Type: NTFS
Drive L: | 931,51 Gb Total Space | 797,19 Gb Free Space | 85,58% Space Free | Partition Type: NTFS

Computer Name: ***
Current User Name: ***
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 60 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - D:\SuperAntiSpyWare\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
PRC - C:\Users\Carso\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Windows Media Player\wmplayer.exe (Microsoft Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Programme\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - D:\Kalenderchen\Kalenderchen.exe (Daniel Manger Software)

========== Modules (SafeList) ==========

MOD - C:\Users\Carso\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (TuneUp.Defrag) -- C:\Windows\System32\TuneUpDefragService.exe (TuneUp Software GmbH)
SRV - (UxTuneUp) -- C:\Windows\System32\uxtuneup.dll (TuneUp Software GmbH)
SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (LBTServ) -- C:\Programme\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (de_serv) -- C:\Programme\Common Files\AVM\De_serv.exe (AVM Berlin)

========== Driver Services (SafeList) ==========

DRV - (SASKUTIL) -- D:\SuperAntiSpyWare\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (SASDIFSV) -- D:\SuperAntiSpyWare\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (taphss) -- C:\Windows\System32\drivers\taphss.sys (AnchorFree Inc)
DRV - (Lbd) -- C:\Windows\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (RMCAST) RMCAST (Pgm) -- C:\Windows\System32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (usbaudio) USB-Audiotreiber (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (Cdralw2k) -- C:\Windows\System32\drivers\cdralw2k.sys (Sonic Solutions)
DRV - (61883) -- C:\Windows\System32\drivers\61883.sys (Microsoft Corporation)
DRV - (Avc) -- C:\Windows\System32\drivers\avc.sys (Microsoft Corporation)
DRV - (MSDV) -- C:\Windows\System32\drivers\msdv.sys (Microsoft Corporation)
DRV - (MSTAPE) -- C:\Windows\System32\drivers\mstape.sys (Microsoft Corporation)
DRV - (AVCSTRM) -- C:\Windows\System32\drivers\avcstrm.sys (Microsoft Corporation)
DRV - (tbhsd) -- C:\Windows\System32\drivers\tbhsd.sys (RapidSolution Software AG)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (LUsbFilt) -- C:\Windows\System32\drivers\LUsbFilt.sys (Logitech, Inc.)
DRV - (LMouKE) -- C:\Windows\System32\drivers\LMouKE.Sys (Logitech, Inc.)
DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (L8042mou) -- C:\Windows\System32\drivers\L8042mou.Sys (Logitech, Inc.)
DRV - (L8042Kbd) -- C:\Windows\System32\drivers\L8042Kbd.sys (Logitech, Inc.)
DRV - (nvstor32) -- C:\Windows\system32\DRIVERS\nvstor32.sys (NVIDIA Corporation)
DRV - (timounter) -- C:\Windows\system32\DRIVERS\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\Windows\System32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\Windows\system32\DRIVERS\snapman.sys (Acronis)
DRV - (AnyDVD) -- C:\Windows\System32\drivers\AnyDVD.sys (SlySoft, Inc.)
DRV - (ElbyCDIO) -- C:\Windows\System32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (CVirtA) -- C:\Windows\System32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (sonypvs1) -- C:\Windows\System32\drivers\sonypvs1.sys (Sony Corporation)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.facebook.com/"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: dvscontextmenuy@dvdvideosoft.com:1.0
FF - prefs.js..extensions.enabledItems: {c50ca3c4-5656-43c2-a061-13e717f73fc8}:3.0.8
FF - prefs.js..extensions.enabledItems: {8620c15f-30dc-4dba-a131-7c5d20cf4a29}:2.0.3
FF - prefs.js..extensions.enabledItems: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca}:1.2.4
FF - prefs.js..network.proxy.autoconfig_url: "file:///C:/Users/Carso/AppData/Local/RapidSolution/Videoraptor/WebRip/profile/rrproxy_ffox_4984e93c.pac"

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: D:\RealPlayer\browserrecord [2008.01.29 15:43:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.05.08 15:16:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.04.21 21:05:46 | 000,000,000 | ---D | M]

[2008.08.31 15:50:47 | 000,000,000 | ---D | M] -- C:\Users\Carso\AppData\Roaming\mozilla\Extensions
[2010.06.07 22:32:11 | 000,000,000 | ---D | M] -- C:\Users\Carso\AppData\Roaming\mozilla\Firefox\Profiles\ahsvcjx6.default\extensions
[2009.09.02 16:46:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Carso\AppData\Roaming\mozilla\Firefox\Profiles\ahsvcjx6.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.01.25 21:09:30 | 000,000,000 | ---D | M] (Nightly Tester Tools) -- C:\Users\Carso\AppData\Roaming\mozilla\Firefox\Profiles\ahsvcjx6.default\extensions\{8620c15f-30dc-4dba-a131-7c5d20cf4a29}
[2010.01.25 21:09:30 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Carso\AppData\Roaming\mozilla\Firefox\Profiles\ahsvcjx6.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009.12.18 13:29:15 | 000,000,000 | ---D | M] (Fast Video Download (with SearchMenu)) -- C:\Users\Carso\AppData\Roaming\mozilla\Firefox\Profiles\ahsvcjx6.default\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}
[2010.01.25 21:08:59 | 000,000,000 | ---D | M] (Torbutton) -- C:\Users\Carso\AppData\Roaming\mozilla\Firefox\Profiles\ahsvcjx6.default\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
[2010.06.07 22:32:11 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.01.14 00:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npwachk.dll
[2010.01.16 03:15:29 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.01.16 03:15:29 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.01.16 03:15:29 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.01.16 03:15:29 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.01.16 03:15:29 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DMS-Kalenderchen] D:\Kalenderchen\Kalenderchen.exe (Daniel Manger Software)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] D:\SuperAntiSpyWare\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - J:\poker\PartyPoker\RunApp.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - J:\poker\PartyPoker\RunApp.exe File not found
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\ICQ6\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\ICQ6\ICQ6.5\ICQ.exe (ICQ, LLC.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Users\Carso\AppData\Roaming\sdra64.exe) - C:\Users\Carso\AppData\Roaming\sdra64.exe File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - D:\SuperAntiSpyWare\SASWINLO.dll - D:\SuperAntiSpyWare\SASWINLO.dll (SUPERAntiSpyware.com)
O22 - SharedTaskScheduler: {da3b49f6-8c54-4429-a275-21a86dcca413} - admissibility - Reg Error: Key error. File not found
O24 - Desktop WallPaper: D:\Kalenderchen\hgdesktop.bmp
O24 - Desktop BackupWallPaper: D:\Kalenderchen\hgdesktop.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\SuperAntiSpyWare\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\Windows\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{78d3952b-0adf-11dc-a949-00040effffff}\Shell\Open(0)\command - "" = K:\Recycled\ctfmon.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk /r \??\K:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: chkdinst - (C:\Windows\system32\cmstNAME.dll) - C:\Windows\System32\cmstNAME.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 60 Days ==========

[2010.06.08 03:13:46 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010.06.04 18:17:05 | 000,000,000 | ---D | C] -- C:\Users\Carso\Downloads\Crazy Browser
[2010.05.18 17:32:20 | 000,000,000 | -HSD | C] -- C:\Users\Carso\AppData\Roaming\lowsec
[2010.05.17 23:07:28 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_40.dll
[2010.05.17 23:07:28 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_40.dll
[2010.05.17 23:07:27 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_40.dll
[2010.05.16 15:39:41 | 000,000,000 | ---D | C] -- C:\Users\Carso\AppData\Roaming\LolClient
[2010.05.07 20:30:34 | 000,000,000 | ---D | C] -- C:\Users\Carso\AppData\Local\Activision
[2010.05.05 23:09:01 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\DivX Shared
[2010.05.05 23:07:41 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
[2010.05.05 23:07:26 | 001,180,952 | ---- | C] (DivX, Inc. ) -- C:\Users\Carso\Downloads\DivXInstaller.exe
[2010.05.03 13:06:44 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010.05.03 13:06:36 | 000,000,000 | ---D | C] -- C:\Users\Carso\AppData\Roaming\SUPERAntiSpyware.com
[2010.05.03 12:42:47 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Users\Carso\Desktop\OTL.exe
[2010.05.02 20:31:11 | 000,000,000 | ---D | C] -- C:\Users\Carso\AppData\Roaming\Malwarebytes
[2010.05.02 20:30:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.05.02 20:30:53 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.05.02 20:30:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.05.02 18:58:57 | 006,153,648 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Carso\Downloads\herbert-setup.exe
[2010.05.02 17:10:38 | 000,000,000 | ---D | C] -- C:\Users\Carso\AppData\Roaming\BA7DEBABCC77DDAA9D3B4E471F112208
[2010.04.28 17:23:33 | 000,000,000 | ---D | C] -- C:\Users\Carso\Downloads\%userprofile%
[2010.04.27 00:04:42 | 000,353,592 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\DivXControlPanelApplet.cpl
[2010.04.21 21:38:25 | 000,000,000 | ---D | C] -- C:\Users\Carso\Downloads\GTA San Andreas User Files
[2010.04.21 04:55:28 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe
[2010.04.14 15:52:07 | 003,600,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010.04.14 15:52:07 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010.04.14 15:52:04 | 000,430,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010.04.14 15:51:48 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codecp.acm
[2010.04.14 15:51:48 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm
[3 C:\Users\Carso\Desktop\*.tmp files -> C:\Users\Carso\Desktop\*.tmp -> ]

========== Files - Modified Within 60 Days ==========

[2010.06.08 12:26:04 | 005,505,024 | ---- | M] () -- C:\Users\Carso\ntuser.dat
[2010.06.08 12:25:28 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\bgcctfx.sys
[2010.06.08 12:25:11 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{4318E496-D163-410D-9ABB-89E26924B160}.job
[2010.06.08 12:19:39 | 001,418,612 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.06.08 12:19:39 | 000,618,204 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.06.08 12:19:39 | 000,586,980 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.06.08 12:19:39 | 000,122,442 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.06.08 12:19:39 | 000,101,052 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.06.08 12:17:31 | 000,001,022 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010.06.08 12:16:03 | 000,245,596 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010.06.08 12:16:00 | 000,245,596 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010.06.08 12:15:04 | 000,000,500 | ---- | M] () -- C:\Windows\tasks\1-Klick-Wartung.job
[2010.06.08 12:14:56 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.06.08 12:14:56 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.06.08 12:14:55 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.06.08 12:14:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.06.08 12:11:38 | 000,524,288 | -HS- | M] () -- C:\Users\Carso\ntuser.dat{a1e6e1b3-2616-11de-a110-001a92821b19}.TMContainer00000000000000000001.regtrans-ms
[2010.06.08 12:11:38 | 000,065,536 | -HS- | M] () -- C:\Users\Carso\ntuser.dat{a1e6e1b3-2616-11de-a110-001a92821b19}.TM.blf
[2010.06.08 12:11:36 | 004,116,005 | -H-- | M] () -- C:\Users\Carso\AppData\Local\IconCache.db
[2010.06.07 14:49:09 | 000,093,696 | ---- | M] () -- C:\Users\Carso\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.06.07 13:28:37 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010.06.07 02:19:46 | 000,000,474 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010.06.03 23:59:54 | 000,022,224 | ---- | M] () -- C:\Users\Carso\Desktop\Protokoll_01_02_2010.pdf
[2010.06.03 23:59:47 | 000,019,331 | ---- | M] () -- C:\Users\Carso\Desktop\Protokoll_01_02_2010.doc
[2010.05.29 16:53:14 | 000,002,379 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2010.05.27 23:50:12 | 000,004,804 | ---- | M] () -- C:\Users\Carso\Downloads\torrentdownloads net Sucking On Her Clit - A Guide That Will Teach You How To Make Her Clitoris Cum Like Crazy.torrent
[2010.05.27 23:47:49 | 000,011,743 | ---- | M] () -- C:\Users\Carso\Downloads\torrentdownloads net Wolfgang & Heike Hohlbein Märchenmond Hoerbuch (German).torrent
[2010.05.27 19:00:35 | 000,008,944 | ---- | M] () -- C:\Users\Carso\Desktop\Aufgabenblatt3.pdf
[2010.05.26 13:48:26 | 000,000,150 | ---- | M] () -- C:\Windows\System32\ImportDF.ini
[2010.05.17 22:47:12 | 000,000,277 | ---- | M] () -- C:\Windows\VideodeLuxe.INI
[2010.05.17 14:59:26 | 000,025,088 | ---- | M] () -- C:\Users\Carso\Downloads\Sprechstundenliste.xls
[2010.05.05 23:07:31 | 001,180,952 | ---- | M] (DivX, Inc. ) -- C:\Users\Carso\Downloads\DivXInstaller.exe
[2010.05.04 16:14:31 | 000,071,168 | ---- | M] () -- C:\Users\Carso\Downloads\chall_für_MPs.xls
[2010.05.03 13:06:37 | 000,000,567 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010.05.03 12:47:19 | 008,050,208 | ---- | M] () -- C:\Users\Carso\Downloads\SUPERAntiSpyware.exe
[2010.05.03 12:42:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Carso\Desktop\OTL.exe
[2010.05.03 00:45:24 | 000,335,069 | ---- | M] () -- C:\Users\Carso\Downloads\plugin-Aufgabenblatt_1_Montag.pdf
[2010.05.02 19:22:41 | 000,363,520 | ---- | M] () -- C:\Users\Carso\Downloads\rkill.com
[2010.05.02 19:22:41 | 000,363,520 | ---- | M] () -- C:\Users\Carso\Desktop\rkill.com
[2010.05.02 18:59:08 | 006,153,648 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Carso\Downloads\herbert-setup.exe
[2010.05.02 04:43:43 | 000,000,398 | ---- | M] () -- C:\Users\Carso\Downloads\LauncherFix.zip
[2010.04.29 20:10:48 | 000,523,712 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010.04.29 18:07:31 | 000,000,016 | ---- | M] () -- C:\Users\Carso\AppData\Roaming\wzmjhy.dat
[2010.04.29 12:19:24 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.04.29 12:19:14 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.04.28 18:02:52 | 000,000,653 | ---- | M] () -- C:\Users\Public\Desktop\League of Legends.lnk
[2010.04.28 17:23:22 | 001,302,136 | ---- | M] () -- C:\Users\Carso\Downloads\loleudownloader.exe
[2010.04.27 00:04:42 | 000,353,592 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\DivXControlPanelApplet.cpl
[2010.04.14 23:11:35 | 013,707,362 | ---- | M] () -- C:\Users\Carso\Downloads\PC-Installer.zip
[2010.04.14 20:48:06 | 000,136,187 | ---- | M] () -- C:\Users\Carso\Desktop\CHATROULETTE-BINGO-BOARD.jpg
[2010.04.12 05:47:15 | 000,091,937 | ---- | M] () -- C:\Users\Carso\Desktop\polen.jpg
[2010.04.11 04:14:58 | 000,000,599 | ---- | M] () -- C:\Windows\ULead32.ini
[2010.04.09 15:02:38 | 000,005,125 | ---- | M] () -- C:\Users\Carso\Desktop\1-2b404e8d6149ef0d.jpg
[2010.04.09 14:11:04 | 000,160,644 | ---- | M] () -- C:\Users\Carso\Desktop\Mobilfunkantrag_56266.pdf
[3 C:\Users\Carso\Desktop\*.tmp files -> C:\Users\Carso\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.06.03 23:28:51 | 000,019,331 | ---- | C] () -- C:\Users\Carso\Desktop\Protokoll_01_02_2010.doc
[2010.06.03 23:27:06 | 000,022,224 | ---- | C] () -- C:\Users\Carso\Desktop\Protokoll_01_02_2010.pdf
[2010.05.27 19:00:35 | 000,008,944 | ---- | C] () -- C:\Users\Carso\Desktop\Aufgabenblatt3.pdf
[2010.05.26 13:48:26 | 000,000,150 | ---- | C] () -- C:\Windows\System32\ImportDF.ini
[2010.05.17 14:59:26 | 000,025,088 | ---- | C] () -- C:\Users\Carso\Downloads\Sprechstundenliste.xls
[2010.05.04 16:14:30 | 000,071,168 | ---- | C] () -- C:\Users\Carso\Downloads\chall_für_MPs.xls
[2010.05.03 13:06:37 | 000,000,567 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010.05.03 12:46:58 | 008,050,208 | ---- | C] () -- C:\Users\Carso\Downloads\SUPERAntiSpyware.exe
[2010.05.03 12:29:22 | 000,363,520 | ---- | C] () -- C:\Users\Carso\Desktop\rkill.com
[2010.05.03 00:45:13 | 000,335,069 | ---- | C] () -- C:\Users\Carso\Downloads\plugin-Aufgabenblatt_1_Montag.pdf
[2010.05.02 19:22:39 | 000,363,520 | ---- | C] () -- C:\Users\Carso\Downloads\rkill.com
[2010.05.02 17:11:30 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\bgcctfx.sys
[2010.05.02 04:43:42 | 000,000,398 | ---- | C] () -- C:\Users\Carso\Downloads\LauncherFix.zip
[2010.04.29 18:07:06 | 000,000,016 | ---- | C] () -- C:\Users\Carso\AppData\Roaming\wzmjhy.dat
[2010.04.28 18:02:52 | 000,000,653 | ---- | C] () -- C:\Users\Public\Desktop\League of Legends.lnk
[2010.04.28 17:23:19 | 001,302,136 | ---- | C] () -- C:\Users\Carso\Downloads\loleudownloader.exe
[2010.04.14 23:11:16 | 013,707,362 | ---- | C] () -- C:\Users\Carso\Downloads\PC-Installer.zip
[2010.04.14 20:48:06 | 000,136,187 | ---- | C] () -- C:\Users\Carso\Desktop\CHATROULETTE-BINGO-BOARD.jpg
[2010.04.12 05:47:14 | 000,091,937 | ---- | C] () -- C:\Users\Carso\Desktop\polen.jpg
[2010.04.09 15:02:38 | 000,005,125 | ---- | C] () -- C:\Users\Carso\Desktop\1-2b404e8d6149ef0d.jpg
[2010.04.09 14:11:03 | 000,160,644 | ---- | C] () -- C:\Users\Carso\Desktop\Mobilfunkantrag_56266.pdf
[2009.10.26 13:42:08 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.05.21 16:06:27 | 000,721,904 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009.02.09 01:14:50 | 000,000,086 | ---- | C] () -- C:\Windows\EmperorEdit.INI
[2009.01.27 18:17:22 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2009.01.27 18:17:11 | 000,019,968 | ---- | C] () -- C:\Windows\System32\cpuinf32.dll
[2009.01.27 17:10:42 | 000,002,856 | ---- | C] () -- C:\Windows\mgxoschk.ini
[2009.01.23 02:38:54 | 000,000,073 | ---- | C] () -- C:\Windows\maplev4.ini
[2008.11.06 18:37:32 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008.11.06 18:34:00 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2008.10.07 18:07:43 | 000,000,374 | ---- | C] () -- C:\Windows\capture.ini
[2008.09.06 19:21:42 | 000,003,654 | ---- | C] () -- C:\Windows\System32\drivers\Sonyhcp.dll
[2008.06.18 15:59:56 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2007.11.13 22:31:59 | 000,000,023 | ---- | C] () -- C:\Windows\SLAY.INI
[2007.10.30 23:28:54 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2007.10.30 00:24:52 | 000,001,414 | ---- | C] () -- C:\Windows\disney.ini
[2007.06.11 22:23:52 | 000,000,277 | ---- | C] () -- C:\Windows\VideodeLuxe.INI
[2007.06.04 21:06:58 | 000,000,030 | ---- | C] () -- C:\Windows\Iedit.INI
[2007.05.20 15:28:49 | 000,034,308 | ---- | C] () -- C:\Windows\System32\Chip.dll
[2007.05.14 14:49:33 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2007.05.10 16:16:03 | 000,000,599 | ---- | C] () -- C:\Windows\ULead32.ini
[2007.05.08 15:10:28 | 000,000,403 | ---- | C] () -- C:\Windows\ODBC.INI
[2007.05.08 15:10:27 | 000,000,000 | ---- | C] () -- C:\Windows\NSREX.INI
[2007.04.16 09:03:57 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2007.04.16 09:03:55 | 000,012,231 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2007.04.16 09:03:47 | 000,010,288 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:1247C505
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:8173A019
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:ECF5194F

< End of report >
08.06.2010, 14:12 | #2 |
| TR/Spy.Gen / Antimalware Doctor / Browser gets HIJACKED & new viruses loaded The text was too long for one post.
OTL log 2 (Extras.txt) Code:
OTL Extras logfile created on: 08.06.2010 12:23:21 - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Carso\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 60,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 75,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 39,08 Gb Total Space | 4,22 Gb Free Space | 10,79% Space Free | Partition Type: NTFS
Drive D: | 129,56 Gb Total Space | 58,90 Gb Free Space | 45,46% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 129,45 Gb Total Space | 49,22 Gb Free Space | 38,02% Space Free | Partition Type: NTFS
Drive L: | 931,51 Gb Total Space | 797,19 Gb Free Space | 85,58% Space Free | Partition Type: NTFS
Computer Name: ***
Current User Name: ***
Logged in as Administrator.
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 60 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) .html [@ = Opera.HTML] -- C:\Program Files\Opera\opera.exe (Opera Software) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- "D:\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [print] -- "D:\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation) http [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software) https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{01A9194A-4226-4EC7-96E6-E884AFE33D09}" = lport=6930 | protocol=6 | dir=in | name=league of legends launcher | "{090DA493-1C43-424A-A477-BDD645E74502}" = lport=8376 | protocol=17 | dir=in | name=league of legends launcher | "{0A2B512F-D038-486C-A31A-C68D0A76FB81}" = lport=6946 | protocol=17 | 
dir=in | name=league of legends launcher | "{0A8AE859-5ED9-43FD-B55A-3D8517A36A99}" = lport=6881 | protocol=17 | dir=in | name=league of legends launcher | "{0E3DB9DB-63A4-4AF1-91CA-F7373ADAAA59}" = lport=6959 | protocol=6 | dir=in | name=league of legends launcher | "{11CBB220-4E2B-42C1-8D50-A2CE64B31433}" = lport=6961 | protocol=17 | dir=in | name=league of legends launcher | "{163403BC-3D47-4DBA-8CEC-FD1C1E1B6AF3}" = lport=6914 | protocol=6 | dir=in | name=league of legends launcher | "{2D1BD9D4-7B7D-400E-B04E-71970458D38E}" = lport=8377 | protocol=17 | dir=in | name=league of legends launcher | "{3F1553D1-1924-48B6-95E0-388D3A616E01}" = lport=8376 | protocol=6 | dir=in | name=league of legends launcher | "{4B7FD147-D49A-4302-842A-349C5E97CDA5}" = lport=6961 | protocol=6 | dir=in | name=league of legends launcher | "{55C58D22-DC92-45CB-84A8-A87AC886EF17}" = lport=8394 | protocol=17 | dir=in | name=league of legends launcher | "{661FE7E9-8FE4-474A-85F9-C2E66120F8DC}" = lport=6947 | protocol=6 | dir=in | name=league of legends launcher | "{70677510-C97B-4C1F-81F8-F7DF2E9D47CA}" = lport=6970 | protocol=6 | dir=in | name=league of legends launcher | "{75340188-981D-4073-B0A3-38492A2C0F52}" = lport=6914 | protocol=17 | dir=in | name=league of legends launcher | "{7E881FB8-E864-4EEB-831D-C32C2F845361}" = lport=6939 | protocol=17 | dir=in | name=league of legends launcher | "{7F4B987C-6A09-4094-90FA-C80C30A8CBF2}" = lport=6947 | protocol=17 | dir=in | name=league of legends launcher | "{867A2E8A-CAE2-4C38-9525-D7B698841E25}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 | "{91002B1D-111D-4A5B-951B-CF73AE20A142}" = lport=6881 | protocol=6 | dir=in | name=league of legends launcher | "{94CBC4D9-70D3-435A-88CD-45ABD13DCDCA}" = lport=6980 | protocol=6 | dir=in | name=league of legends launcher | "{9735D267-477F-44F2-9DFB-B98655075C7A}" = lport=6939 | protocol=6 | dir=in | name=league of legends launcher | "{99D5D1B2-BC19-40F5-BBC2-A3E4A9548589}" = 
lport=8377 | protocol=6 | dir=in | name=league of legends launcher | "{A1F1FAF6-F38D-4A98-8FEB-A45751083358}" = lport=6959 | protocol=17 | dir=in | name=league of legends launcher | "{AAB36251-F5B2-4907-A678-8B20D6A0F5A7}" = lport=8394 | protocol=6 | dir=in | name=league of legends launcher | "{C4A6D7C9-1C50-4734-A6B1-CB1BCDB15843}" = lport=6930 | protocol=17 | dir=in | name=league of legends launcher | "{D7AB2FB3-1161-4680-B7A3-DD7E7742CA5A}" = lport=6946 | protocol=6 | dir=in | name=league of legends launcher | "{DE765BF6-1525-45D6-A0F4-9D98FDF56F52}" = lport=6970 | protocol=17 | dir=in | name=league of legends launcher | "{E066B5AA-1E44-4244-A44A-F4CDAC999213}" = lport=6980 | protocol=17 | dir=in | name=league of legends launcher | "{F8791BEE-AFDF-41BC-81E7-B9CFA3811A9F}" = lport=6985 | protocol=6 | dir=in | name=league of legends launcher | "{FB458CB1-8590-4F04-8B2E-8C8FB4BE069B}" = lport=6985 | protocol=17 | dir=in | name=league of legends launcher | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0C9AA41F-05EF-4ECC-99F8-EEDA70DD77AE}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-dede-downloader.exe | "{0DC0FDD9-20F5-43CE-AECC-B7083C1C0835}" = protocol=17 | dir=in | app=j:\wow\world of warcraft\backgrounddownloader.exe | "{0E801E20-BA36-46E9-91E3-1A446C604F4B}" = protocol=6 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe | "{1341D069-EB91-40A5-80FD-A5C497D179C8}" = protocol=6 | dir=in | app=j:\wow\world of warcraft\wow-2.4.0-dede-downloader.exe | "{1593459E-13C3-41D8-BDAD-B84930D8DF30}" = protocol=6 | dir=in | app=j:\age of empires iii\age3.exe | "{17A47C47-3007-4E5A-9718-90919AD0B41D}" = protocol=6 | dir=in | app=d:\itunes\itunes.exe | "{2195D975-6FD4-412D-B675-0A79CA4F4897}" = protocol=17 | dir=in | app=j:\wow\world of 
warcraft\wow-2.4.0-dede-downloader.exe | "{22E39BC9-1CB7-402B-BD86-832122E939F9}" = protocol=6 | dir=in | app=d:\itunes\itunes.exe | "{286041CA-562A-4F1B-94AA-4C95F4AC808F}" = protocol=6 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe | "{3195954C-BE49-4DEB-A103-6554255620D2}" = protocol=6 | dir=in | app=d:\limewire\limewire.exe | "{35230386-8591-4177-B631-A9BCA470CA65}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-dede-downloader.exe | "{37871AEC-7A81-4579-B3F0-6832C60682B9}" = protocol=6 | dir=in | app=j:\wow\world of warcraft\backgrounddownloader.exe | "{3AB57D6D-21AF-4525-ABD2-77004A491BF3}" = protocol=17 | dir=in | app=j:\league of legends\air\lolclient.exe | "{42D66F00-089E-4B18-9BD3-CEB8E83382C4}" = protocol=6 | dir=in | app=j:\league of legends\game\league of legends.exe | "{44BAEAB7-CB46-4F7E-B77B-1195DF8C9EB6}" = protocol=6 | dir=in | app=j:\league o.l. deutsch\air\lolclient.exe | "{4706DEC5-D44D-40F6-8F23-87324DA48FD0}" = protocol=17 | dir=in | app=j:\league o.l. 
deutsch\air\lolclient.exe | "{4F6B2E17-BB83-4A16-A296-0503F8FB7356}" = protocol=17 | dir=in | app=d:\limewire\limewire.exe | "{51C5B3D8-2F51-4A28-B816-A8C2922AD688}" = protocol=6 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe | "{54E05B1F-57ED-43E5-832E-BF6C138C010F}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-dede-downloader.exe | "{5675E682-1380-4E9B-886C-218393484967}" = protocol=6 | dir=in | app=j:\league of legends\air\lolclient.exe | "{591A2037-9773-4DF3-855A-B101222A0721}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-dede-downloader.exe | "{5CD7119F-05CC-44D8-90FB-6522E0CB0539}" = protocol=17 | dir=in | app=d:\itunes\itunes.exe | "{5E7C1841-6790-4FD9-A5F5-5DEA34D9EA2D}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-dede-downloader.exe | "{69B5458A-5F08-44D0-BFC9-6803F7278EC7}" = protocol=6 | dir=in | app=j:\league o.l. 
deutsch\game\league of legends.exe | "{6E3161FD-2207-43ED-BFEC-25E3E2A1C013}" = protocol=6 | dir=in | app=d:\skype\skype.exe | "{712D25A1-965E-4DD9-946C-8F490E4147CE}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.0.1-to-3.0.2-dede-win-update-downloader.exe | "{75090772-24ED-4A24-818C-5A0CEC98CB7B}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.1.0-dede-downloader.exe | "{76073B40-94AF-484C-9D6A-190BEACE5001}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{839BEBD1-8DFC-4356-B0D1-E06A2B16FD33}" = protocol=17 | dir=in | app=j:\wow\addons\curse\curseclient.exe | "{91C01C01-BFB3-4CA7-8F36-27C2D764AA3D}" = protocol=17 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe | "{9A980ED6-C5FC-4CB2-860E-7128CFCDAC1E}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{9E85A428-C436-4A4B-86BE-D054043005DB}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.1.0-dede-downloader.exe | "{A2AD8AE8-93AB-450B-85FE-74415158D3AF}" = protocol=17 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe | "{A6BEF88D-458F-4632-92DD-3EB3D62DF48E}" = protocol=17 | dir=in | app=d:\itunes\itunes.exe | "{B7EFA533-B5C5-48DC-A2BE-4E0B91FB3CF1}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-dede-downloader.exe | "{B97FE284-A65D-4136-B35B-301D449DEE3F}" = protocol=17 | dir=in | app=j:\steam\steamapps\*****\counter-strike\hl.exe | "{BA589C2C-CE3F-4DED-931E-C732228F9FF0}" = protocol=17 | dir=in | app=j:\league o.l. 
deutsch\game\league of legends.exe | "{CD390F9F-2DE5-4AAA-9B65-3F296E2AF03F}" = protocol=17 | dir=in | app=j:\league of legends\game\league of legends.exe | "{CF2AA6D4-8DA0-4A9C-BF3F-6A12B833B80F}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-dede-downloader.exe | "{D1E4F10A-F294-4360-8A8D-F20DCDB162F7}" = protocol=17 | dir=in | app=d:\skype\skype.exe | "{DBA0D724-7D9D-4B7D-AE57-3525695F241C}" = protocol=6 | dir=in | app=j:\wow\addons\curse\curseclient.exe | "{DEA54743-1D44-49AD-ACD3-47FFEAB612A5}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.0.1-to-3.0.2-dede-win-update-downloader.exe | "{E17110D0-B0EA-4AE1-A292-2F479840C0B8}" = protocol=17 | dir=in | app=j:\age of empires iii\age3.exe | "{EC69B6AE-023F-4B1F-AD80-EFCCE4AF81DE}" = protocol=17 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe | "{F7510BED-163B-44AD-88A7-875C5CF9813E}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-dede-downloader.exe | "{F9D85C05-5E73-4E13-A936-54D296906349}" = protocol=6 | dir=in | app=j:\steam\steamapps\****\counter-strike\hl.exe | "TCP Query User{01AD3700-4D61-469C-8434-3FBFAAB48239}J:\bf1942\bf1942.exe" = protocol=6 | dir=in | app=j:\bf1942\bf1942.exe | "TCP Query User{040A7B80-A44D-4DB9-974B-FE3658E9BF7F}D:\limewire\limewire.exe" = protocol=6 | dir=in | app=d:\limewire\limewire.exe | "TCP Query User{1D65FACD-84BB-427F-B2B3-01505CBF8C74}C:\users\carso\appdata\local\temp\blizzard launcher temporary - d323bd40\launcher.exe" = protocol=6 | dir=in | app=c:\users\carso\appdata\local\temp\blizzard launcher temporary - d323bd40\launcher.exe | "TCP Query User{24BE1D21-9E08-49E5-B1BA-D26486C8AB86}D:\zattoo\zattood.exe" = protocol=6 | dir=in | app=d:\zattoo\zattood.exe | "TCP Query 
User{2B61B161-A028-4D59-835B-42C7625690CE}J:\warcraft an x force (name-33cba6fdd0)\war3.exe" = protocol=6 | dir=in | app=j:\warcraft an x force (name-33cba6fdd0)\war3.exe | "TCP Query User{3285DFA6-5294-4EBD-9289-CFC1637AF81B}K:\stronghold 2\stronghold2.exe" = protocol=6 | dir=in | app=k:\stronghold 2\stronghold2.exe | "TCP Query User{3338B1B1-1944-4280-9CFC-87957C9866E2}D:\icq6\icq6.5\icq.exe" = protocol=6 | dir=in | app=d:\icq6\icq6.5\icq.exe | "TCP Query User{3AFE4B61-ECDC-4DD2-B509-D740C0ECAD63}J:\warcraft iii\war3.exe" = protocol=6 | dir=in | app=j:\warcraft iii\war3.exe | "TCP Query User{3C2DF961-4E6F-4F6B-838D-5BA031FC9345}D:\crazy browser\crazy browser.exe" = protocol=6 | dir=in | app=d:\crazy browser\crazy browser.exe | "TCP Query User{448A4995-EAFC-459D-BF2E-AA409BE8F22D}D:\azureus\azureus.exe" = protocol=6 | dir=in | app=d:\azureus\azureus.exe | "TCP Query User{4639FA02-7EB4-4538-8609-3F3ECBF53A98}D:\icq6\icq6\icq.exe" = protocol=6 | dir=in | app=d:\icq6\icq6\icq.exe | "TCP Query User{48CD1430-531E-469B-9D1D-B1B8B9CB7C72}C:\program files\nero\nero8\nero home\nerohome.exe" = protocol=6 | dir=in | app=c:\program files\nero\nero8\nero home\nerohome.exe | "TCP Query User{59812612-BA56-4272-9074-1F0D3C5704D6}J:\wow\world of warcraft public test\launcher.exe" = protocol=6 | dir=in | app=j:\wow\world of warcraft public test\launcher.exe | "TCP Query User{5A6A166D-0D24-457F-88C8-FD6355E5498B}D:\chilirec\chilirec.exe" = protocol=6 | dir=in | app=d:\chilirec\chilirec.exe | "TCP Query User{6018DDEF-B319-4039-A7C1-7BFAE64F769F}C:\program files\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe | "TCP Query User{6BE05EB7-788E-4E09-BCB4-AC639A17A682}C:\users\carso\appdata\local\temp\blizzard launcher temporary - 25e1ebf8\launcher.exe" = protocol=6 | dir=in | app=c:\users\carso\appdata\local\temp\blizzard launcher temporary - 25e1ebf8\launcher.exe | "TCP Query 
User{6F076E97-46C6-4562-8133-153E983D7389}J:\battlefield1942\bf1942.exe" = protocol=6 | dir=in | app=j:\battlefield1942\bf1942.exe | "TCP Query User{761C9B68-80C3-43A0-9683-4A70DD23CD85}J:\modern warfare 2\iw4sp.exe" = protocol=6 | dir=in | app=j:\modern warfare 2\iw4sp.exe | "TCP Query User{77932AD7-C118-4F74-A006-F424DD6AE2D7}D:\xampp\apache\bin\httpd.exe" = protocol=6 | dir=in | app=d:\xampp\apache\bin\httpd.exe | "TCP Query User{787E7E81-4EEF-4F01-A5D0-06CFBD39639D}J:\stronghold 2\stronghold2.exe" = protocol=6 | dir=in | app=j:\stronghold 2\stronghold2.exe | "TCP Query User{7D8C8B0E-1D35-4420-A026-863C69EA76EB}C:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe" = protocol=6 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe | "TCP Query User{7E6BCCE1-36DF-410B-9BD7-855DDA1368CA}D:\foxit.pdf.editor.v2.0.1011-yag\pdf editor\pdfedit.exe" = protocol=6 | dir=in | app=d:\foxit.pdf.editor.v2.0.1011-yag\pdf editor\pdfedit.exe | "TCP Query User{8BFC35D1-F0A2-4D0E-8C56-FA1E10DAC94B}D:\realplayer\realplay.exe" = protocol=6 | dir=in | app=d:\realplayer\realplay.exe | "TCP Query User{A0C3C2A5-E68C-4A24-B2C5-3CD47E4D5A8F}J:\die siedler ii - die nächste generation\bin\s2dng.exe" = protocol=6 | dir=in | app=j:\die siedler ii - die nächste generation\bin\s2dng.exe | "TCP Query User{A3598138-54B9-4B51-86BF-96FDCF0F463A}J:\warcraft an x force (name-33cba6fdd0)\war3.exe" = protocol=6 | dir=in | app=j:\warcraft an x force (name-33cba6fdd0)\war3.exe | "TCP Query User{A58CCE47-2859-41C6-8C2F-012105893C85}J:\warcraft 3 - lan - flow\war3.exe" = protocol=6 | dir=in | app=j:\warcraft 3 - lan - flow\war3.exe | "TCP Query User{AAD97362-2B6A-41CE-827D-A3A8BC384A23}C:\users\carso\documents\copy of hansoft documents\bunda_uni_paderborn_de.politworld.****\projects\politworld prototype 2\build\politworld.exe" = protocol=6 | dir=in | app=c:\users\carso\documents\copy of hansoft 
documents\bunda_uni_paderborn_de.politworld.****\projects\politworld prototype 2\build\politworld.exe | "TCP Query User{B16F2820-844A-4654-B022-4F33DD8E6EBC}J:\ut2004\system\ut2004.exe" = protocol=6 | dir=in | app=j:\ut2004\system\ut2004.exe | "TCP Query User{B5F44899-A1BD-487C-AAF9-0E863F91FE64}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe | "TCP Query User{B758E308-C4FD-40F7-AA19-17094E32C5AD}J:\warcraft iii\war3.exe" = protocol=6 | dir=in | app=j:\warcraft iii\war3.exe | "TCP Query User{BD5E21CF-098F-4207-92BA-65703ED3A775}D:\napster\napster.exe" = protocol=6 | dir=in | app=d:\napster\napster.exe | "TCP Query User{C339629F-DD7F-4D81-B6C2-22AEBCFD204D}D:\zattoo\zattoo.exe" = protocol=6 | dir=in | app=d:\zattoo\zattoo.exe | "TCP Query User{CBEE4966-58FA-4443-AD61-345B2CC36C3A}D:\crazy browser\crazy browser.exe" = protocol=6 | dir=in | app=d:\crazy browser\crazy browser.exe | "TCP Query User{CE3285A3-3543-480D-A83E-A2727A01B67E}J:\warcraft an x force (name-33cba6fdd0)\warcraft englisch\warcraft iii\war3.exe" = protocol=6 | dir=in | app=j:\warcraft an x force (name-33cba6fdd0)\warcraft englisch\warcraft iii\war3.exe | "TCP Query User{D1322D26-3B4B-4B24-823E-1019EFAC505B}C:\program files\skype\phone\skype.exe" = protocol=6 | dir=in | app=c:\program files\skype\phone\skype.exe | "TCP Query User{D2E5012C-25E6-40A6-B7ED-B429C3627AD2}J:\tony hawk american wasteland\tony hawk american wasteland\game\thaw.exe" = protocol=6 | dir=in | app=j:\tony hawk american wasteland\tony hawk american wasteland\game\thaw.exe | "TCP Query User{D390BA8B-3360-4FAA-B5FA-03C70E12BEA9}C:\program files\nero\nero8\nero home\nerohome.exe" = protocol=6 | dir=in | app=c:\program files\nero\nero8\nero home\nerohome.exe | "TCP Query User{D68859EA-5889-4E6C-BBA5-B79C3E3DDADC}D:\icq6\icq6\icq.exe" = protocol=6 | dir=in | app=d:\icq6\icq6\icq.exe | "TCP Query User{D8BC1DD2-E765-4E63-A145-D29EEECC3C49}C:\windows\explorer.exe" = protocol=6 | dir=in | 
app=c:\windows\explorer.exe | "TCP Query User{D9549FD3-17B9-4A68-B114-267BD7F14BF2}C:\users\carso\desktop\3\dslan\mysql\bin\mysqld.exe" = protocol=6 | dir=in | app=c:\users\carso\desktop\3\dslan\mysql\bin\mysqld.exe | "TCP Query User{D9FB2E10-73D1-4C54-870E-B8DBCAF1E009}D:\icecast\analogx\simpleserver\shout\shout.exe" = protocol=6 | dir=in | app=d:\icecast\analogx\simpleserver\shout\shout.exe | "TCP Query User{DB15C434-6085-4224-949B-50A8FB51ACCA}D:\realplayer\realplay.exe" = protocol=6 | dir=in | app=d:\realplayer\realplay.exe | "TCP Query User{EBB1049F-0C17-4663-B951-CD5ECEB24E16}J:\wow\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=j:\wow\world of warcraft\launcher.exe | "TCP Query User{F0C12C0C-E845-45A9-AFAD-6ACFD646154B}C:\program files\java\jdk1.6.0_07\jre\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jdk1.6.0_07\jre\bin\java.exe | "TCP Query User{F3840DA7-3021-40D4-809C-988C23075CC1}C:\users\carso\desktop\3\dslan\apache\bin\apache.exe" = protocol=6 | dir=in | app=c:\users\carso\desktop\3\dslan\apache\bin\apache.exe | "TCP Query User{F538AD8F-9D29-4233-B05A-E718C1096D5A}D:\icecast\shout.exe" = protocol=6 | dir=in | app=d:\icecast\shout.exe | "TCP Query User{FC765806-CF7A-4FDD-BC32-CE9798A2F01C}J:\stronghold 2\stronghold2.exe" = protocol=6 | dir=in | app=j:\stronghold 2\stronghold2.exe | "TCP Query User{FCCEF871-93C4-4D40-BEBC-2350883DF177}L:\zoggerei\call of duty 5 - world at war\call of duty 5\codwaw_lanfixed.exe" = protocol=6 | dir=in | app=l:\zoggerei\call of duty 5 - world at war\call of duty 5\codwaw_lanfixed.exe | "UDP Query User{01B0C4AC-EC84-408A-A01B-DC9AFE8CE8D8}D:\zattoo\zattoo.exe" = protocol=17 | dir=in | app=d:\zattoo\zattoo.exe | "UDP Query User{11CAC876-AA5E-430C-BBEE-E441A84B04CF}J:\warcraft an x force (name-33cba6fdd0)\war3.exe" = protocol=17 | dir=in | app=j:\warcraft an x force (name-33cba6fdd0)\war3.exe | "UDP Query User{172CE249-C86D-48BF-BC77-B376DFB1B4FB}J:\tony hawk american wasteland\tony hawk american 
wasteland\game\thaw.exe" = protocol=17 | dir=in | app=j:\tony hawk american wasteland\tony hawk american wasteland\game\thaw.exe | "UDP Query User{22BD4430-DF0B-41B7-BBC0-C3CD547A8EA8}D:\xampp\apache\bin\httpd.exe" = protocol=17 | dir=in | app=d:\xampp\apache\bin\httpd.exe | "UDP Query User{23DB6E82-65BB-4822-A721-0A8F720B5C33}D:\realplayer\realplay.exe" = protocol=17 | dir=in | app=d:\realplayer\realplay.exe | "UDP Query User{24720F25-C6DB-450B-BD3C-C4221DB7D76C}D:\icecast\shout.exe" = protocol=17 | dir=in | app=d:\icecast\shout.exe | "UDP Query User{29448E0E-1E9A-4B36-A28E-0EA4C38F6540}C:\program files\skype\phone\skype.exe" = protocol=17 | dir=in | app=c:\program files\skype\phone\skype.exe | "UDP Query User{2BDB7191-5865-4338-96A7-5C02EFDF38EF}C:\users\carso\desktop\3\dslan\mysql\bin\mysqld.exe" = protocol=17 | dir=in | app=c:\users\carso\desktop\3\dslan\mysql\bin\mysqld.exe | "UDP Query User{2FDA1855-8C6F-4BAA-A41B-D9D58BE97BDD}J:\warcraft iii\war3.exe" = protocol=17 | dir=in | app=j:\warcraft iii\war3.exe | "UDP Query User{34EA02A6-89A4-4A0B-9297-70862381E2E4}J:\warcraft 3 - lan - flow\war3.exe" = protocol=17 | dir=in | app=j:\warcraft 3 - lan - flow\war3.exe | "UDP Query User{4052BABC-0DEF-4254-AD7D-02EC0FE0F377}J:\battlefield1942\bf1942.exe" = protocol=17 | dir=in | app=j:\battlefield1942\bf1942.exe | "UDP Query User{4AA0C45C-07B0-4FCD-99D8-1FD6DEECA8BB}C:\program files\nero\nero8\nero home\nerohome.exe" = protocol=17 | dir=in | app=c:\program files\nero\nero8\nero home\nerohome.exe | "UDP Query User{5647390E-3902-4FD5-92D8-8050015CBC20}C:\program files\nero\nero8\nero home\nerohome.exe" = protocol=17 | dir=in | app=c:\program files\nero\nero8\nero home\nerohome.exe | "UDP Query User{5AC92322-4192-4AEF-B285-89176535C15A}D:\icq6\icq6.5\icq.exe" = protocol=17 | dir=in | app=d:\icq6\icq6.5\icq.exe | "UDP Query User{5FA24528-455C-400C-B37D-10753A012DDA}D:\icq6\icq6\icq.exe" = protocol=17 | dir=in | app=d:\icq6\icq6\icq.exe | "UDP Query 
User{5FFAC164-E30D-4E66-A1AC-DC7CD5482B44}J:\cs gecrackt\hl.exe" = protocol=17 | dir=in | app=j:\cs gecrackt\hl.exe | "UDP Query User{622DB403-3E26-488E-94CD-0E7A0BD4461F}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{667186AC-8402-458B-AA0C-E26F689E4755}C:\users\carso\desktop\3\dslan\apache\bin\apache.exe" = protocol=17 | dir=in | app=c:\users\carso\desktop\3\dslan\apache\bin\apache.exe | "UDP Query User{69B76B89-56AB-4B45-8774-C409B42AB391}J:\die siedler ii - die nächste generation\bin\s2dng.exe" = protocol=17 | dir=in | app=j:\die siedler ii - die nächste generation\bin\s2dng.exe | "UDP Query User{72014B1D-3A7A-4655-88D2-0DED77074DBA}D:\azureus\azureus.exe" = protocol=17 | dir=in | app=d:\azureus\azureus.exe | "UDP Query User{7A7A3E54-98FF-44BA-91FF-549F90E5EAC9}D:\crazy browser\crazy browser.exe" = protocol=17 | dir=in | app=d:\crazy browser\crazy browser.exe | "UDP Query User{7F9B8A33-B12C-4500-8E7B-E2C2AED8FF93}D:\zattoo\zattood.exe" = protocol=17 | dir=in | app=d:\zattoo\zattood.exe | "UDP Query User{89605DAF-1A3D-40C8-9BCB-F02179A1AD4E}C:\program files\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe | "UDP Query User{8A2247C5-B62A-43EB-8F5E-7B69188B235A}J:\warcraft an x force (name-33cba6fdd0)\war3.exe" = protocol=17 | dir=in | app=j:\warcraft an x force (name-33cba6fdd0)\war3.exe | "UDP Query User{994EF7B8-7029-4EE1-858A-6DE3E3CE7F73}J:\ut2004\system\ut2004.exe" = protocol=17 | dir=in | app=j:\ut2004\system\ut2004.exe | "UDP Query User{9BDF6D3C-1B2F-4F7C-A200-CB5FFAC4E4B0}D:\napster\napster.exe" = protocol=17 | dir=in | app=d:\napster\napster.exe | "UDP Query User{A4425F34-C607-4A16-B11E-3F056F9B5D86}D:\chilirec\chilirec.exe" = protocol=17 | dir=in | app=d:\chilirec\chilirec.exe | "UDP Query User{A74E8B04-EAA8-4675-BB54-F570F3D38C8B}J:\wow\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=j:\wow\world of warcraft\launcher.exe | "UDP Query 
User{AAE9500E-9047-4BF1-A9FF-B4EAA1C95897}D:\icecast\analogx\simpleserver\shout\shout.exe" = protocol=17 | dir=in | app=d:\icecast\analogx\simpleserver\shout\shout.exe | "UDP Query User{AC6FB0E1-69E2-47AF-A088-B200D3BCE654}J:\wow\world of warcraft public test\launcher.exe" = protocol=17 | dir=in | app=j:\wow\world of warcraft public test\launcher.exe | "UDP Query User{B35318E9-DEBB-4E96-AA6E-0D1E41E19C4A}J:\stronghold 2\stronghold2.exe" = protocol=17 | dir=in | app=j:\stronghold 2\stronghold2.exe | "UDP Query User{B506B1DC-A9A4-47EE-A7D3-B5D4DE414341}D:\icq6\icq6\icq.exe" = protocol=17 | dir=in | app=d:\icq6\icq6\icq.exe | "UDP Query User{BCBA774B-2713-4733-B886-0718508FF16B}C:\users\carso\appdata\local\temp\blizzard launcher temporary - 25e1ebf8\launcher.exe" = protocol=17 | dir=in | app=c:\users\carso\appdata\local\temp\blizzard launcher temporary - 25e1ebf8\launcher.exe | "UDP Query User{BCBE3E5D-B89B-424A-A2B0-D647D3EAE7EB}J:\warcraft an x force (name-33cba6fdd0)\warcraft englisch\warcraft iii\war3.exe" = protocol=17 | dir=in | app=j:\warcraft an x force (name-33cba6fdd0)\warcraft englisch\warcraft iii\war3.exe | "UDP Query User{C6E5763F-0D46-4F42-ACCA-00AEA7C00A3E}C:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe" = protocol=17 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe | "UDP Query User{C94EEC13-F84A-4296-8601-7EF169636837}D:\limewire\limewire.exe" = protocol=17 | dir=in | app=d:\limewire\limewire.exe | "UDP Query User{CDC1F0D0-F704-498A-99D8-794B3280B3C0}C:\users\carso\appdata\local\temp\blizzard launcher temporary - d323bd40\launcher.exe" = protocol=17 | dir=in | app=c:\users\carso\appdata\local\temp\blizzard launcher temporary - d323bd40\launcher.exe | "UDP Query User{D2029A18-9982-4F9B-BCCD-9ED03EFB95F1}L:\zoggerei\call of duty 5 - world at war\call of duty 5\codwaw_lanfixed.exe" = protocol=17 | dir=in | app=l:\zoggerei\call of duty 5 - world at war\call of 
duty 5\codwaw_lanfixed.exe | "UDP Query User{D478A131-A162-46D6-A094-1D9B6954EAA8}K:\stronghold 2\stronghold2.exe" = protocol=17 | dir=in | app=k:\stronghold 2\stronghold2.exe | "UDP Query User{D589D5F9-99BC-407B-9B16-726B269B32A0}C:\program files\java\jdk1.6.0_07\jre\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jdk1.6.0_07\jre\bin\java.exe | "UDP Query User{D99A11F5-05FB-4006-9BA3-C029B783F486}D:\crazy browser\crazy browser.exe" = protocol=17 | dir=in | app=d:\crazy browser\crazy browser.exe | "UDP Query User{DA269367-00ED-49C8-9D44-6B6136672E79}J:\modern warfare 2\iw4sp.exe" = protocol=17 | dir=in | app=j:\modern warfare 2\iw4sp.exe | "UDP Query User{DF34D957-8321-45CA-B75E-0B5F800A1C3D}J:\warcraft iii\war3.exe" = protocol=17 | dir=in | app=j:\warcraft iii\war3.exe | "UDP Query User{E291E665-5241-4777-9296-CEA093C7EE0D}D:\foxit.pdf.editor.v2.0.1011-yag\pdf editor\pdfedit.exe" = protocol=17 | dir=in | app=d:\foxit.pdf.editor.v2.0.1011-yag\pdf editor\pdfedit.exe | "UDP Query User{E51937EB-9018-48D1-A742-835CD79D915B}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe | "UDP Query User{EEF82905-2762-4B40-928E-668C43883B49}J:\bf1942\bf1942.exe" = protocol=17 | dir=in | app=j:\bf1942\bf1942.exe | "UDP Query User{EF70B379-8AFB-4E0F-AB17-97A974ED31B1}J:\stronghold 2\stronghold2.exe" = protocol=17 | dir=in | app=j:\stronghold 2\stronghold2.exe | "UDP Query User{FC99ED7F-85E1-43FE-8908-64E19F8E379D}C:\users\carso\documents\copy of hansoft documents\bunda_uni_paderborn_de.politworld.***\projects\politworld prototype 2\build\politworld.exe" = protocol=17 | dir=in | app=c:\users\carso\documents\copy of hansoft documents\bunda_uni_paderborn_de.politworld.***\projects\politworld prototype 2\build\politworld.exe | "UDP Query User{FCA2AFC7-E382-4345-85BE-1FA9CF93ED22}D:\realplayer\realplay.exe" = protocol=17 | dir=in | app=d:\realplayer\realplay.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{00000407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium "{04830D0F-F980-4EC0-89F1-594F2FD2A1B5}" = ElsterFormular 2008/2009 "{04B45310-A5FE-4425-BFCA-1A6D8920DE74}" = OpenOffice.org 3.0 "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour "{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer "{13B792AA-C078-43A4-8A3A-8B12D629940D}" = Counter-Strike 1.6 "{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime "{1A2000AF-79DE-47FB-8411-BA22F981917F}" = Tropico 2: Die Pirateninsel "{1C63DD23-6554-4A1F-8D0D-B5A6B49D8015}" = Corel Graphics Suite 11 "{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 13 "{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper "{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1 "{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java(TM) 6 Update 6 "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7 "{32A3A4F4-B792-11D6-A78A-00B0D0160070}" = Java(TM) SE Development Kit 6 Update 7 "{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup "{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT "{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support "{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}" = Acronis True Image Home "{432E898E-207A-475C-B6E8-0317C4A08A46}" = Jaws PDF Editor 3.5 "{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml "{5888428E-699C-4E71-BF71-94EE06B497DA}" = TuneUp Utilities 2008 "{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053 "{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5 "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}" = Battlefield 
1942 "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{8795CBED-55E2-4693-9F14-84EC446935BE}" = SpeechRedist "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player "{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer "{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger "{90120000-0015-0000-0000-0000000FF1CE}" = Microsoft Office Access 2007 "{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{96C39A4E-8636-439B-B439-02E908C05A2A}" = League of Legends "{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6 "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable "{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes "{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support "{AC76BA86-7AD7-1031-7B44-A70900000002}" = Adobe Reader 7.0.9 - Deutsch "{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter "{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}" = PixiePack Codec Pack "{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6 "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player "{B944FA21-81AF-4A77-8328-CE4F4CC51031}" = Nero 8 "{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = 
SUPERAntiSpyware Free Edition "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1 "{D9B4D7EE-481C-4C36-86AB-A8F7417725FF}" = LightScribe 1.6.43.1 "{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware "{E1BBBAC5-2857-4155-82A6-54492CE88620}" = Opera 9.64 "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint "{F76FFCC7-DFCE-4764-954F-DBB03CE89AF5}" = Opera 9.50 "Acala DVD Copy_is1" = Acala DVD Copy 2.8.2 "Access" = Microsoft Office Access 2007 "Ad-Aware" = Ad-Aware "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11 "AnyDVD" = AnyDVD "Ashampoo Burning Studio 2009_is1" = Ashampoo Burning Studio 2009 "AudioConverter Studio_is1" = AudioConverter Studio 6.0 "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "BlueJ_is1" = BlueJ 2.5.0 "Busspur Auskunft für den Padersprinter E.ON 2009" = Busspur Auskunft für den Padersprinter E.ON 2009 "Call of Duty Modern Warfare 2_is1" = Call of Duty Modern Warfare 2 "Chilirec_0" = Chilirec 1.01 "Crazy Browser 3.0.0 Beta2_is1" = Crazy Browser version 3.0.0 Beta2 "Crazy Browser 3.0.3_is1" = Crazy Browser version 3.0.3 "DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters "DivX Setup.divx.com" = DivX-Setup "EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v4.60 "FLV Player" = FLV Player 2.0 (build 25) "Foxit PDF Editor" = Foxit PDF Editor "Free Audio CD Burner_is1" = Free Audio CD Burner version 1.2 "Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.3 "FujiDirekt_is1" = FujiDirekt "Geany" = Geany 0.14 "Google Updater" = Google Updater "Hamachi" = Hamachi 1.0.1.5 "Hansoft Project Manager Client" = Hansoft Project Manager Client "InstallShield_{1C63DD23-6554-4A1F-8D0D-B5A6B49D8015}" 
= Corel Graphics Suite 11 "IsoBuster_is1" = IsoBuster 2.5 "JDownloader" = JDownloader "Kalenderchen_is1" = Kalenderchen 4 "Kyocera Product Library" = Kyocera Product Library "League of Legends_is1" = League of Legends "MAGIX Foto Clinic 4.5 D" = MAGIX Foto Clinic 4.5 (D) "MAGIX Foto Manager 2006 D" = MAGIX Foto Manager 2006 (D) "MAGIX Music Manager D" = MAGIX Music Manager (D) "MAGIX Online Druck Service" = MAGIX Online Druck Service "MAGIX Video deLuxe 2006 PLUS D" = MAGIX Video deLuxe 2006 PLUS (D) "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3) "myphotobook" = myphotobook 3.63 "NVIDIA Drivers" = NVIDIA Drivers "RealPlayer 6.0" = RealPlayer "Ruby-186-25" = Ruby-186-25 "S2TNG" = Die Siedler II - Die nächste Generation "SHOUTcastDSP" = SHOUTcast Source DSP 1.9.1 (remove only) "SystemRequirementsLab" = System Requirements Lab "Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2 "Uninstall_is1" = Uninstall 1.0.0.1 "UT2004" = Unreal Tournament 2004 "VLC media player" = VideoLAN VLC media player 0.8.6i "Winamp" = Winamp "WinRAR archiver" = WinRAR Archivierer "WordToPDF_is1" = WordToPDF 2.4 "Zattoo" = Zattoo 3.2.2 Beta ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Winamp Detect" = Winamp Erkennungs-Plug-in ========== Last 10 Event Log Errors ========== Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt! < End of report > Old SUPERAntiSpyware scan log:
ATTFilter SUPERAntiSpyware Scan Log hxxp://www.superantispyware.com Generated 05/03/2010 at 02:21 PM Application Version : 4.36.1006 Core Rules Database Version : 4881 Trace Rules Database Version: 2693 Scan type : Complete Scan Total Scan Time : 01:12:50 Memory items scanned : 638 Memory threats detected : 0 Registry items scanned : 8291 Registry threats detected : 13 File items scanned : 38507 File threats detected : 14 Adware.Tracking Cookie C:\Users\Carso\AppData\Roaming\Microsoft\Windows\Cookies\carso@ad.adition[2].txt C:\Users\Carso\AppData\Roaming\Microsoft\Windows\Cookies\carso@ad.yieldmanager[2].txt C:\Users\Carso\AppData\Roaming\Microsoft\Windows\Cookies\carso@ad.zanox[1].txt C:\Users\Carso\AppData\Roaming\Microsoft\Windows\Cookies\carso@adfarm1.adition[1].txt C:\Users\Carso\AppData\Roaming\Microsoft\Windows\Cookies\carso@zanox[1].txt C:\Users\Carso\AppData\Roaming\Microsoft\Windows\Cookies\carso@content.yieldmanager[2].txt C:\Users\Carso\AppData\Roaming\Microsoft\Windows\Cookies\carso@ad.adc-serv[1].txt C:\Users\Carso\AppData\Roaming\Microsoft\Windows\Cookies\carso@content.yieldmanager[3].txt C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@clicksor[2].txt C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@myroitracking[1].txt Malware.SpyLocked HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708} HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\dNcYAymEsizyb HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\ifeczclqgv HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\InprocServer32 HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\InprocServer32#ThreadingModel HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\isxFar HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\NrxlpdMP HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\ProgID HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\pvHV HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\sAai 
HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\VersionIndependentProgID HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}\ywtc Trojan.Media-Codec/V2 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FC80E00-41B0-4F74-BC16-2C83ED49CAC9} Trojan.Agent/Gen-FakeAlert C:\USERS\CARSO\APPDATA\LOCAL\TEMP\FPC.EXE C:\WINDOWS\FHEQIA.EXE Trojan.RootKit/Gen C:\WINDOWS\SYSTEM32\DRIVERS\BGCCTFX.SYS Adware.Vundo/Variant-MSFake J:\AGE OF EMPIRES II\AGE2_X1.EXE New SUPERAntiSpyware scan log:
SUPERAntiSpyware Scan Log hxxp://www.superantispyware.com Generated 06/08/2010 at 05:22 AM Application Version : 4.37.1000 Core Rules Database Version : 5045 Trace Rules Database Version: 2857 Scan type : Complete Scan Total Scan Time : 02:00:26 Memory items scanned : 659 Memory threats detected : 1 Registry items scanned : 8293 Registry threats detected : 0 File items scanned : 38676 File threats detected : 5 Trojan.Agent/Gen-FakeAlert[ClientNotify] C:\WINDOWS\SYSTEM32\CMSTNAME.DLL C:\WINDOWS\SYSTEM32\CMSTNAME.DLL Adware.Flash Tracking Cookie C:\Users\Carso\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\45ZUG8AN\IA.MEDIA-IMDB.COM C:\Users\Carso\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\45ZUG8AN\MEDIA.MTVNSERVICES.COM C:\Users\Carso\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\45ZUG8AN\SECURE-US.IMRWORLDWIDE.COM Trojan.RootKit/Gen C:\WINDOWS\SYSTEM32\DRIVERS\BGCCTFX.SYS Here are three more screenshots of pages my browser gets redirected to (no, I am not searching for "porn"). I hope this is already enough information for you. Otherwise, feel free to tell me what else I can/should scan with, or what other information you need. Best regards and many thanks in advance! Carso |
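The two SUPERAntiSpyware logs above are easiest to judge side by side: what was still reported after the first cleanup attempt, and what appeared in between. The following is an added example, not code from the thread or from SUPERAntiSpyware: a small Python parser for the log format as it appears above (counter lines such as "File threats detected : 14", then a category header such as "Trojan.RootKit/Gen" followed by the registry keys or file paths it hit), plus a comparison that splits detections into persisted, new and resolved. The embedded sample logs are constructed excerpts of the two logs posted above, trimmed to a few detections each.

```python
"""Parse SUPERAntiSpyware scan logs and compare two scans of one machine.
Added example for this thread; the format is inferred from the logs above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: excerpts of the two scan logs posted in the
# thread, reduced to the counters and a handful of detections each.
OLD_LOG = r"""SUPERAntiSpyware Scan Log
Generated 05/03/2010 at 02:21 PM
Application Version : 4.36.1006
Memory threats detected : 0
Registry threats detected : 13
File threats detected : 14
Adware.Tracking Cookie
C:\Users\Carso\AppData\Roaming\Microsoft\Windows\Cookies\carso@ad.adition[2].txt
Malware.SpyLocked
HKCR\CLSID\{D06E2EAE-1922-4A0B-6A7C-8D9E3DE0E708}
Trojan.Agent/Gen-FakeAlert
C:\USERS\CARSO\APPDATA\LOCAL\TEMP\FPC.EXE
C:\WINDOWS\FHEQIA.EXE
Trojan.RootKit/Gen
C:\WINDOWS\SYSTEM32\DRIVERS\BGCCTFX.SYS
"""

NEW_LOG = r"""SUPERAntiSpyware Scan Log
Generated 06/08/2010 at 05:22 AM
Application Version : 4.37.1000
Memory threats detected : 1
Registry threats detected : 0
File threats detected : 5
Trojan.Agent/Gen-FakeAlert[ClientNotify]
C:\WINDOWS\SYSTEM32\CMSTNAME.DLL
C:\WINDOWS\SYSTEM32\CMSTNAME.DLL
Adware.Flash Tracking Cookie
C:\Users\Carso\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\45ZUG8AN\IA.MEDIA-IMDB.COM
Trojan.RootKit/Gen
C:\WINDOWS\SYSTEM32\DRIVERS\BGCCTFX.SYS
"""

# A detection item is a drive path or a registry path; a line that looks
# like "Family.Name..." is the category header for the items that follow.
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U|CC)\\)", re.IGNORECASE)
CATEGORY_RE = re.compile(r"^[A-Z][A-Za-z]+\.\S+")
COUNTER_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)")
GENERATED_RE = re.compile(r"^Generated (.+)$")

# Cookie hits are noise for the "is the infection gone?" question.
NOISE_CATEGORIES = frozenset({"Adware.Tracking Cookie", "Adware.Flash Tracking Cookie"})


@dataclass
class ScanReport:
    generated: str = ""
    counters: Dict[str, int] = field(default_factory=dict)
    # case-folded item -> category; a file hit in memory and on disk is
    # printed twice by the tool and collapses to one entry here
    detections: Dict[str, str] = field(default_factory=dict)


def parse_sas_log(text: str) -> ScanReport:
    report = ScanReport()
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GENERATED_RE.match(line)
        if m:
            report.generated = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m:
            report.counters[m.group(1).lower()] = int(m.group(2))
            continue
        if ITEM_RE.match(line):
            if category is None:
                raise ValueError(f"detection before any category header: {line}")
            report.detections[line.casefold()] = category
        elif CATEGORY_RE.match(line):
            category = line
    return report


def compare_scans(old: ScanReport, new: ScanReport,
                  ignore=NOISE_CATEGORIES) -> Dict[str, List[str]]:
    """Split non-noise detections into persisted / new / resolved."""
    a = {k for k, cat in old.detections.items() if cat not in ignore}
    b = {k for k, cat in new.detections.items() if cat not in ignore}
    return {
        "persisted": sorted(a & b),  # still reported after the cleanup attempt
        "new": sorted(b - a),        # appeared between the two scans
        "resolved": sorted(a - b),   # no longer reported
    }
```

Run over the excerpts, `compare_scans` reports BGCCTFX.SYS as persisted across both scans and CMSTNAME.DLL as new, which is the distinction a helper needs when deciding whether a fix worked or something else was dropped in the meantime. Items are keyed by case-folded path because the tool upper-cases some paths and not others.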
11.06.2010, 17:23 | #3 |
/// Malware-holic | Fix with OTL
• Please start OTL.exe. Vista users: right-click it and choose "Run as administrator".
• Now copy the following into the text box:
:OTL
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O36 - AppCertDlls: chkdinst - (C:\Windows\system32\cmstNAME.dll) - C:\Windows\System32\cmstNAME.dll File not found
[2010.05.02 17:11:30 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\bgcctfx.sys
[2010.04.29 18:07:06 | 000,000,016 | ---- | C] () -- C:\Users\Carso\AppData\Roaming\wzmjhy.dat
:Files
:Commands
[purity]
[EMPTYFLASH]
[emptytemp]
[start explorer]
[Reboot]
• Now please close all programs.
• Now please click the Run Fix button.
• OTL may ask for a reboot. Please allow it.
• After the reboot you will find a text document; post it. |
11.06.2010, 20:07 | #4 |
| Hey, thanks for the quick reply. Here is the log file:
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\chkdinst:C:\Windows\system32\cmstNAME.dll deleted successfully.
File C:\Windows\System32\drivers\bgcctfx.sys not found.
C:\Users\Carso\AppData\Roaming\wzmjhy.dat moved successfully.
========== FILES ==========
========== COMMANDS ==========
[EMPTYFLASH]
User: All Users
User: Carso
->Flash cache emptied: 1938055 bytes
User: Default
->Flash cache emptied: 41620 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: Public
Total Flash Files Cleaned = 2,00 mb
[EMPTYTEMP]
User: All Users
User: Carso
->Temp folder emptied: 508812 bytes
->Temporary Internet Files folder emptied: 607284 bytes
->Java cache emptied: 69007821 bytes
->FireFox cache emptied: 51990764 bytes
->Apple Safari cache emptied: 996215 bytes
->Opera cache emptied: 338822 bytes
->Flash cache emptied: 0 bytes
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2352247 bytes
RecycleBin emptied: 2269923479 bytes
Total Files Cleaned = 2.285,00 mb
OTL by OldTimer - Version 3.2.4.1 log created on 06112010_203845
Files\Folders moved on Reboot...
Registry entries deleted on Reboot... |
11.06.2010, 20:19 | #5 |
/// Malware-holic | Please create and post a ComboFix log. A guide and tutorial on using ComboFix |
11.06.2010, 21:05 | #6 |
|
ATTFilter ComboFix 10-06-10.06 - Carso 11.06.2010 21:48:54.1.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.2046.1052 [GMT 2:00] ausgeführt von:: c:\users\Carso\Downloads\ComboFix.exe SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22} SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7} SP: Windows-Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} * Neuer Wiederherstellungspunkt wurde erstellt . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\recycled\Recycled c:\users\Carso\AppData\Roaming\BA7DEBABCC77DDAA9D3B4E471F112208 c:\users\Carso\AppData\Roaming\BA7DEBABCC77DDAA9D3B4E471F112208\enemies-names.txt c:\users\Carso\AppData\Roaming\inst.exe c:\users\Carso\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor c:\windows\system32\Chip.dll Infizierte Kopie von c:\windows\system32\drivers\crcdisk.sys wurde gefunden und desinfiziert Kopie von - Kitty had a snack :p wurde wiederhergestellt . ((((((((((((((((((((((( Dateien erstellt von 2010-05-11 bis 2010-06-11 )))))))))))))))))))))))))))))) . 2010-06-11 19:56 . 2010-06-11 19:57 -------- d-----w- c:\users\Carso\AppData\Local\temp 2010-06-11 19:56 . 2010-06-11 19:56 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-06-11 18:38 . 2010-06-11 18:38 -------- d-----w- C:\_OTL 2010-06-09 23:24 . 2010-06-09 23:26 -------- d-----w- c:\users\Carso\AppData\Roaming\TS3Client 2010-06-09 12:54 . 2010-06-09 12:54 46592 ---ha-w- c:\windows\system32\cmstNAME.dll 2010-05-20 12:39 . 2010-05-20 12:39 3774 ----a-r- c:\users\Carso\AppData\Roaming\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\controlPanelIcon.exe 2010-05-20 12:39 . 
2010-05-20 12:39 3774 ----a-r- c:\users\Carso\AppData\Roaming\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\BoneTown.exe 2010-05-20 12:39 . 2010-05-20 12:39 10134 ----a-r- c:\users\Carso\AppData\Roaming\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\SystemFolder_msiexec.exe 2010-05-20 12:05 . 2010-06-08 01:17 63488 ----a-w- c:\users\Carso\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-05-18 15:32 . 2010-05-25 17:50 -------- d-sh--w- c:\users\Carso\AppData\Roaming\lowsec 2010-05-17 21:07 . 2008-10-15 04:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll 2010-05-17 21:07 . 2008-10-15 04:22 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll 2010-05-17 21:07 . 2008-10-15 04:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll 2010-05-16 13:39 . 2010-05-16 13:39 -------- d-----w- c:\users\Carso\AppData\Roaming\LolClient . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-11 19:54 . 2006-11-02 15:33 618204 ----a-w- c:\windows\system32\perfh007.dat 2010-06-11 19:54 . 2006-11-02 15:33 122442 ----a-w- c:\windows\system32\perfc007.dat 2010-06-11 19:47 . 2009-05-14 10:31 245596 ----a-w- c:\programdata\nvModes.dat 2010-06-11 13:23 . 2007-11-21 21:18 -------- d-----w- c:\users\Carso\AppData\Roaming\Azureus 2010-06-10 00:12 . 2009-10-30 23:27 -------- d-----w- c:\users\Carso\AppData\Roaming\Skype 2010-06-09 15:04 . 2008-11-19 00:32 -------- d-----w- c:\users\Carso\AppData\Roaming\gtk-2.0 2010-06-09 14:09 . 2008-11-14 00:36 1 ----a-w- c:\users\Carso\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-06-08 20:18 . 2007-05-03 19:57 -------- d-----w- c:\users\Carso\AppData\Roaming\ICQ 2010-06-08 01:17 . 2010-05-03 11:07 117760 ----a-w- c:\users\Carso\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-05-26 02:21 . 2007-09-26 18:43 -------- d-----w- c:\users\Carso\AppData\Roaming\Onpa 2010-05-25 18:49 . 
2009-08-25 20:04 -------- d-----w- c:\users\Carso\AppData\Roaming\Xaakgy 2010-05-05 21:07 . 2010-05-05 21:07 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe 2010-05-05 21:07 . 2010-05-05 21:09 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe 2010-05-03 11:07 . 2010-05-03 11:07 52224 ----a-w- c:\users\Carso\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-05-03 11:06 . 2010-05-03 11:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2010-05-03 11:06 . 2010-05-03 11:06 -------- d-----w- c:\users\Carso\AppData\Roaming\SUPERAntiSpyware.com 2010-05-03 11:05 . 2007-05-08 18:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2010-05-02 18:31 . 2010-05-02 18:31 -------- d-----w- c:\users\Carso\AppData\Roaming\Malwarebytes 2010-05-02 18:30 . 2010-05-02 18:30 -------- d-----w- c:\programdata\Malwarebytes 2010-04-29 10:19 . 2010-05-02 18:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 10:19 . 2010-05-02 18:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-28 16:21 . 2007-04-16 07:04 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-04-21 19:05 . 2008-07-25 14:47 -------- d-----w- c:\programdata\Napster 2010-04-17 19:13 . 2010-04-01 12:26 -------- d-----w- c:\users\Carso\AppData\Roaming\Winamp 2010-04-15 08:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2010-04-13 13:37 . 2007-05-08 18:33 -------- d-----w- c:\users\Carso\AppData\Roaming\dvdcss 2010-04-06 16:43 . 2010-04-06 16:43 98304 ----a-w- c:\windows\system32\CmdLineExt.dll . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952] "SUPERAntiSpyware"="d:\superantispyware\SUPERAntiSpyware.exe" [2010-05-08 2017280] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184] "RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 4186112] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13781536] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824] "DMS-Kalenderchen"="d:\kalenderchen\Kalenderchen.exe" [2005-07-20 1445376] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\superantispyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 13:21 548352 ----a-w- d:\superantispyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *\0lsdelete [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup backupExtension=.CommonStartup 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service] 2007-02-16 16:49 149024 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor] 2007-02-17 11:35 1966928 ----a-w- d:\trueimage\TimounterMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-11-12 15:33 141600 ----a-w- d:\itunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe] 2007-02-17 11:31 1194728 ----a-w- d:\trueimage\TrueImageMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime "NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe "iTunesHelper"="d:\itunes\iTunesHelper.exe" "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" "Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls] chkdinst REG_SZ [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "VistaSp2"=hex(b):5d,33,54,d5,44,57,ca,01 R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-05 1029456] R3 NETFWDSL;AVM FRITZ!web DSL PPP;c:\windows\system32\DRIVERS\NETFWDSL.SYS [x] R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-05-21 721904] S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-07-03 64160] S1 
SASDIFSV;SASDIFSV;d:\superantispyware\SASDIFSV.SYS [2010-02-17 12872] S1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [2010-05-08 68168] S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289] --- Andere Dienste/Treiber im Speicher --- *Deregistered* - bgcctfx [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2007-04-19 12:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}] 2008-06-18 14:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe . Inhalt des "geplante Tasks" Ordners 2010-06-11 c:\windows\Tasks\1-Klick-Wartung.job - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-08-21 16:47] 2010-06-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 01:11] 2010-06-11 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-05 11:16] 2010-06-11 c:\windows\Tasks\User_Feed_Synchronization-{4318E496-D163-410D-9ABB-89E26924B160}.job - c:\windows\system32\msfeedssync.exe [2008-06-24 07:33] . . ------- Zusätzlicher Suchlauf ------- . 
uInternet Settings,ProxyOverride = *.local Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll FF - ProfilePath - c:\users\Carso\AppData\Roaming\Mozilla\Firefox\Profiles\ahsvcjx6.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/ FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll FF - plugin: d:\acrobat 7.0\Reader\browser\nppdf32.dll FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll FF - plugin: d:\opera\program\plugins\NPSWF32.dll FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll FF - plugin: d:\realplayer\Netscape6\nppl3260.dll FF - plugin: d:\realplayer\Netscape6\nprjplug.dll FF - plugin: d:\realplayer\Netscape6\nprpjplug.dll FF - plugin: d:\videolanclient\npvlc.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX Richtlinien ---- FF - user.js: network.http.max-persistent-connections-per-server - 4 FF - user.js: content.max.tokenizing.time - 200000 FF - user.js: content.notify.interval - 100000 FF - user.js: content.switch.threshold - 650000 FF - user.js: nglayout.initialpaint.delay - 300 c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla 
Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . - - - - Entfernte verwaiste Registrierungseinträge - - - - ActiveSetup-{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E555} - d:\anydvd\AnyDVD.Leftover.Killer.v1.5-RES-tool\Anydvd_Leftover_Killer15.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2010-06-11 21:57 Windows 6.0.6002 Service Pack 2 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bgcctfx] . 
--------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_USERS\S-1-5-21-3613740406-4026114824-2014430648-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DBFC8F15-FAD2-F8BB-4B26-406F8A2FEF79}*] @Allowed: (Read) (RestrictedCode) "ialgjlgmfkcaeilmfe"=hex:6b,61,61,6b,70,69,6e,64,64,64,62,63,6b,70,65,69,66,69, 67,70,6f,6d,00,00 "hafgdpalhgpjamdk"=hex:6b,61,61,6b,70,69,6e,64,64,64,62,63,6b,70,65,69,66,69, 67,70,6f,6d,00,00 [HKEY_USERS\S-1-5-21-3613740406-4026114824-2014430648-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:18,d6,a1,d4,8f,85,c1,f6,3a,c9,af,59,a5,90,58,b1,68,b6,51,76,36,27,a7, 30,c4,5c,54,72,dc,58,91,e5,59,59,9b,75,d1,80,6c,a5,78,b6,7a,e8,d0,21,16,83,\ "??"=hex:ac,b0,2f,fd,e2,b4,70,94,55,fb,ff,00,02,5b,e3,7e [HKEY_USERS\S-1-5-21-3613740406-4026114824-2014430648-1001\Software\SecuROM\License information*] "datasecu"=hex:aa,5b,f5,62,43,33,1e,fc,2e,af,60,a8,96,bc,a8,22,20,53,98,83,84, cb,53,72,0f,70,db,cb,a1,9b,86,62,b0,bc,b2,10,f5,a6,74,d6,06,da,b9,e6,87,16,\ "rkeysecu"=hex:8f,b9,0e,46,e4,68,30,8c,4f,b5,e4,e1,3d,65,a8,5a . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'lsass.exe'(856) c:\windows\system32\relog_ap.dll . Zeit der Fertigstellung: 2010-06-11 21:59:41 ComboFix-quarantined-files.txt 2010-06-11 19:59 Vor Suchlauf: 5.151.240.192 Bytes frei Nach Suchlauf: 5.098.254.336 Bytes frei - - End Of File - - 0EFDD9010F742E68CAE9D0C57E3AD590 |
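The "files created" listing in the ComboFix log above is where the two items the fix scripts in this thread go after stand out: cmstNAME.dll sits in System32 with the hidden attribute set, and lowsec is a system+hidden folder under the user's AppData\Roaming. The following is an added example, not ComboFix's code or anything posted in the thread: a Python parser for those listing lines ("created . modified size attributes path") and a few triage heuristics an analyst would run before reading the rest of the log. The meaning of the attribute columns (d for directory, s for system, h for hidden at fixed positions) is an assumption inferred from the entries in the log above; the sample listing is built from seven lines quoted there.

```python
"""Triage the "files created" listing of a ComboFix log.
Added example for this thread, not ComboFix's own code. Attribute columns
are read as d=directory, s=system, h=hidden (an assumption inferred from the
entries in the log above, e.g. "d-sh--w-" for lowsec, "---ha-w-" for a DLL).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: seven listing lines taken from the ComboFix log above.
SAMPLE_LISTING = r"""
2010-06-11 18:38 . 2010-06-11 18:38 -------- d-----w- C:\_OTL
2010-06-09 12:54 . 2010-06-09 12:54 46592 ---ha-w- c:\windows\system32\cmstNAME.dll
2010-05-20 12:39 . 2010-05-20 12:39 3774 ----a-r- c:\users\Carso\AppData\Roaming\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\BoneTown.exe
2010-05-18 15:32 . 2010-05-25 17:50 -------- d-sh--w- c:\users\Carso\AppData\Roaming\lowsec
2010-05-17 21:07 . 2008-10-15 04:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-04-29 10:19 . 2010-05-02 18:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 16:21 . 2007-04-16 07:04 -------- d--h--w- c:\program files\InstallShield Installation Information
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attr>[d-][A-Za-z-]{7})\s+(?P<path>.+)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr")
PROFILE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, printed as "--------"
    attr: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attr[0] == "d"

    @property
    def system(self) -> bool:
        return self.attr[2] == "s"

    @property
    def hidden(self) -> bool:
        return self.attr[3] == "h"


def parse_listing(text: str) -> List[Entry]:
    """Return one Entry per listing line; banners and other text are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attr"], m["path"]))
    return entries


def suspicious_reasons(e: Entry) -> List[str]:
    """Cheap heuristics; every hit still needs an analyst's judgement."""
    p = e.path.lower()
    reasons = []
    if not e.is_dir and e.hidden and p.startswith("c:\\windows\\"):
        reasons.append("hidden file in the Windows directory")
    if e.is_dir and e.hidden and e.system and "\\users\\" in p:
        reasons.append("system+hidden folder inside a user profile")
    if not e.is_dir and p.endswith(EXEC_EXT) and any(k in p for k in PROFILE_MARKERS):
        reasons.append("executable written to a user-profile location")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged."""
    hits = {}
    for e in parse_listing(text):
        reasons = suspicious_reasons(e)
        if reasons:
            hits[e.path] = reasons
    return hits
```

On the sample, `triage` flags cmstNAME.dll, the lowsec folder and the small .exe under Microsoft\Installer; the third hit shows why the heuristics only rank entries rather than decide anything, since Windows Installer keeps icon stubs for installed products there. The listing must be one entry per line, as in the original log, before it is fed to the parser; the flattened copy on this page would need its line breaks restored first.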
12.06.2010, 10:48 | #7 |
/// Malware-holic | Click Start, Programs, Accessories, Notepad and paste this in:
Code:
Killall::
Rootkit::
C:\windows\system32\drivers\bgcctfx.sys
Folder::
c:\users\Carso\AppData\Roaming\lowsec
Driver::
bgcctfx
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bgcctfx]
Save the file as: file type "all", name cfscript.txt, location: the folder that contains combofix.exe. Drag cfscript onto combofix; the program starts; post the log. |
12.06.2010, 13:56 | #8 |
| Hi, thanks again for the quick reply. Here is the log file: Code:
ATTFilter ComboFix 10-06-11.01 - Carso 12.06.2010 14:39:26.2.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.2046.1032 [GMT 2:00] ausgeführt von:: c:\users\Carso\Downloads\ComboFix.exe Benutzte Befehlsschalter :: c:\users\Carso\Downloads\cfscript.txt SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22} SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7} SP: Windows-Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\users\Carso\AppData\Roaming\lowsec c:\users\Carso\AppData\Roaming\lowsec\local.ds c:\users\Carso\AppData\Roaming\lowsec\user.ds . ((((((((((((((((((((((((((((((((((((((( Treiber/Dienste ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_BGCCTFX -------\Service_bgcctfx ((((((((((((((((((((((( Dateien erstellt von 2010-05-12 bis 2010-06-12 )))))))))))))))))))))))))))))) . 2010-06-12 12:45 . 2010-06-12 12:47 -------- d-----w- c:\users\Carso\AppData\Local\temp 2010-06-12 12:45 . 2010-06-12 12:45 -------- d-----w- c:\users\Public\AppData\Local\temp 2010-06-12 12:45 . 2010-06-12 12:45 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-06-11 21:26 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll 2010-06-11 21:26 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll 2010-06-11 18:38 . 2010-06-11 18:38 -------- d-----w- C:\_OTL 2010-06-09 23:24 . 2010-06-09 23:26 -------- d-----w- c:\users\Carso\AppData\Roaming\TS3Client 2010-06-09 12:54 . 2010-06-09 12:54 46592 ---ha-w- c:\windows\system32\cmstNAME.dll 2010-05-17 21:07 . 2008-10-15 04:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll 2010-05-17 21:07 . 2008-10-15 04:22 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll 2010-05-17 21:07 . 
2008-10-15 04:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll 2010-05-16 13:39 . 2010-05-16 13:39 -------- d-----w- c:\users\Carso\AppData\Roaming\LolClient . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-12 12:47 . 2009-05-14 10:31 245596 ----a-w- c:\programdata\nvModes.dat 2010-06-12 12:45 . 2010-05-02 15:11 823808 ----a-w- c:\windows\system32\drivers\bgcctfx.sys 2010-06-12 12:02 . 2006-11-02 15:33 618204 ----a-w- c:\windows\system32\perfh007.dat 2010-06-12 12:02 . 2006-11-02 15:33 122442 ----a-w- c:\windows\system32\perfc007.dat 2010-06-12 01:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2010-06-11 13:23 . 2007-11-21 21:18 -------- d-----w- c:\users\Carso\AppData\Roaming\Azureus 2010-06-10 00:12 . 2009-10-30 23:27 -------- d-----w- c:\users\Carso\AppData\Roaming\Skype 2010-06-09 15:04 . 2008-11-19 00:32 -------- d-----w- c:\users\Carso\AppData\Roaming\gtk-2.0 2010-06-09 14:09 . 2008-11-14 00:36 1 ----a-w- c:\users\Carso\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-06-08 20:18 . 2007-05-03 19:57 -------- d-----w- c:\users\Carso\AppData\Roaming\ICQ 2010-06-08 01:17 . 2010-05-20 12:05 63488 ----a-w- c:\users\Carso\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-06-08 01:17 . 2010-05-03 11:07 117760 ----a-w- c:\users\Carso\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-05-26 17:06 . 2010-06-11 21:25 34304 ----a-w- c:\windows\system32\atmlib.dll 2010-05-26 14:47 . 2010-06-11 21:25 289792 ----a-w- c:\windows\system32\atmfd.dll 2010-05-26 02:21 . 2007-09-26 18:43 -------- d-----w- c:\users\Carso\AppData\Roaming\Onpa 2010-05-25 18:49 . 2009-08-25 20:04 -------- d-----w- c:\users\Carso\AppData\Roaming\Xaakgy 2010-05-21 12:14 . 2009-10-03 00:01 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-20 12:39 . 
2010-05-20 12:39 3774 ----a-r- c:\users\Carso\AppData\Roaming\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\controlPanelIcon.exe 2010-05-20 12:39 . 2010-05-20 12:39 3774 ----a-r- c:\users\Carso\AppData\Roaming\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\BoneTown.exe 2010-05-20 12:39 . 2010-05-20 12:39 10134 ----a-r- c:\users\Carso\AppData\Roaming\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\SystemFolder_msiexec.exe 2010-05-05 21:07 . 2010-05-05 21:07 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe 2010-05-05 21:07 . 2010-05-05 21:09 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe 2010-05-04 19:15 . 2010-06-11 21:25 834048 ----a-w- c:\windows\system32\wininet.dll 2010-05-04 18:37 . 2010-06-11 21:25 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-05-03 11:07 . 2010-05-03 11:07 52224 ----a-w- c:\users\Carso\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-05-03 11:06 . 2010-05-03 11:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2010-05-03 11:06 . 2010-05-03 11:06 -------- d-----w- c:\users\Carso\AppData\Roaming\SUPERAntiSpyware.com 2010-05-03 11:05 . 2007-05-08 18:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2010-05-02 18:31 . 2010-05-02 18:31 -------- d-----w- c:\users\Carso\AppData\Roaming\Malwarebytes 2010-05-02 18:30 . 2010-05-02 18:30 -------- d-----w- c:\programdata\Malwarebytes 2010-05-01 14:13 . 2010-06-11 21:25 2037248 ----a-w- c:\windows\system32\win32k.sys 2010-04-29 10:19 . 2010-05-02 18:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 10:19 . 2010-05-02 18:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-28 16:21 . 2007-04-16 07:04 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-04-23 14:13 . 2010-06-11 21:25 2048 ----a-w- c:\windows\system32\tzres.dll 2010-04-21 19:05 . 
2008-07-25 14:47 -------- d-----w- c:\programdata\Napster 2010-04-17 19:13 . 2010-04-01 12:26 -------- d-----w- c:\users\Carso\AppData\Roaming\Winamp 2010-04-13 13:37 . 2007-05-08 18:33 -------- d-----w- c:\users\Carso\AppData\Roaming\dvdcss 2010-04-06 16:43 . 2010-04-06 16:43 98304 ----a-w- c:\windows\system32\CmdLineExt.dll . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952] "SUPERAntiSpyware"="d:\superantispyware\SUPERAntiSpyware.exe" [2010-05-08 2017280] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184] "RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 4186112] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13781536] "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824] "DMS-Kalenderchen"="d:\kalenderchen\Kalenderchen.exe" [2005-07-20 1445376] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\superantispyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 13:21 548352 ----a-w- d:\superantispyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *\0lsdelete 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup backupExtension=.CommonStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service] 2007-02-16 16:49 149024 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor] 2007-02-17 11:35 1966928 ----a-w- d:\trueimage\TimounterMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-11-12 15:33 141600 ----a-w- d:\itunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe] 2007-02-17 11:31 1194728 ----a-w- d:\trueimage\TrueImageMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime "NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe "iTunesHelper"="d:\itunes\iTunesHelper.exe" "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" "Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls] 
chkdinst REG_SZ [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "VistaSp2"=hex(b):5d,33,54,d5,44,57,ca,01 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2007-04-19 12:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}] 2008-06-18 14:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe . Inhalt des "geplante Tasks" Ordners 2010-06-12 c:\windows\Tasks\1-Klick-Wartung.job - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-08-21 16:47] 2010-06-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 01:11] 2010-06-12 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-05 11:16] 2010-06-12 c:\windows\Tasks\User_Feed_Synchronization-{4318E496-D163-410D-9ABB-89E26924B160}.job - c:\windows\system32\msfeedssync.exe [2008-06-24 07:33] . . ------- Zusätzlicher Suchlauf ------- . 
uInternet Settings,ProxyOverride = *.local Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll FF - ProfilePath - c:\users\Carso\AppData\Roaming\Mozilla\Firefox\Profiles\ahsvcjx6.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/ FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll FF - plugin: d:\acrobat 7.0\Reader\browser\nppdf32.dll FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll FF - plugin: d:\realplayer\Netscape6\nppl3260.dll FF - plugin: d:\realplayer\Netscape6\nprjplug.dll FF - plugin: d:\realplayer\Netscape6\nprpjplug.dll FF - plugin: d:\videolanclient\npvlc.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX Richtlinien ---- FF - user.js: network.http.max-persistent-connections-per-server - 4 FF - user.js: content.max.tokenizing.time - 200000 FF - user.js: content.notify.interval - 100000 FF - user.js: content.switch.threshold - 650000 FF - user.js: nglayout.initialpaint.delay - 300 c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - 
pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2010-06-12 14:50 Windows 6.0.6002 Service Pack 2 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_USERS\S-1-5-21-3613740406-4026114824-2014430648-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DBFC8F15-FAD2-F8BB-4B26-406F8A2FEF79}*] @Allowed: (Read) (RestrictedCode) "ialgjlgmfkcaeilmfe"=hex:6b,61,61,6b,70,69,6e,64,64,64,62,63,6b,70,65,69,66,69, 67,70,6f,6d,00,00 "hafgdpalhgpjamdk"=hex:6b,61,61,6b,70,69,6e,64,64,64,62,63,6b,70,65,69,66,69, 67,70,6f,6d,00,00 [HKEY_USERS\S-1-5-21-3613740406-4026114824-2014430648-1001\Software\SecuROM\!CAUTION! 
NEVER A OR CHANGE ANY KEY*] "??"=hex:18,d6,a1,d4,8f,85,c1,f6,3a,c9,af,59,a5,90,58,b1,68,b6,51,76,36,27,a7, 30,c4,5c,54,72,dc,58,91,e5,59,59,9b,75,d1,80,6c,a5,78,b6,7a,e8,d0,21,16,83,\ "??"=hex:ac,b0,2f,fd,e2,b4,70,94,55,fb,ff,00,02,5b,e3,7e [HKEY_USERS\S-1-5-21-3613740406-4026114824-2014430648-1001\Software\SecuROM\License information*] "datasecu"=hex:aa,5b,f5,62,43,33,1e,fc,2e,af,60,a8,96,bc,a8,22,20,53,98,83,84, cb,53,72,0f,70,db,cb,a1,9b,86,62,b0,bc,b2,10,f5,a6,74,d6,06,da,b9,e6,87,16,\ "rkeysecu"=hex:8f,b9,0e,46,e4,68,30,8c,4f,b5,e4,e1,3d,65,a8,5a . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'lsass.exe'(920) c:\windows\system32\relog_ap.dll . ------------------------ Weitere laufende Prozesse ------------------------ . c:\windows\system32\nvvsvc.exe c:\windows\system32\nvvsvc.exe c:\windows\system32\conime.exe c:\program files\Common Files\Acronis\Schedule2\schedul2.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe c:\windows\system32\WUDFHost.exe c:\windows\RtHDVCpl.exe c:\program files\Windows Media Player\wmplayer.exe c:\windows\ehome\ehmsas.exe . ************************************************************************** . Zeit der Fertigstellung: 2010-06-12 14:54:01 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2010-06-12 12:53 ComboFix2.txt 2010-06-11 19:59 Vor Suchlauf: 3.504.103.424 Bytes frei Nach Suchlauf: 3.140.767.744 Bytes frei - - End Of File - - A815B2E00346475319244CEF142A2E69 |
16.06.2010, 21:12 | #9 |
| Hmm, my browser isn't being hijacked any more now (at least it hasn't happened for quite a while). And I can open PDF documents in the browser again, which used to give an error, but AntiVir still pops up virus warnings every now and then... |
17.06.2010, 11:14 | #10 |
/// Malware-holic | Sorry. Could you open Avira, click Events and post Avira's messages? |
17.06.2010, 16:21 | #11 |
| No problem, I'm surely not the only one here who needs help, and you certainly don't have four arms to do everything at once. Here are the latest detections. The first two are from 16.06, the rest from 13.06. Regards, carso
Die Datei 'C:\Windows\System32\cmstNAME.dll' enthielt einen Virus oder unerwünschtes Programm 'BDS/Papras.HI' [backdoor]. Durchgeführte Aktion(en): Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '48f31d69.qua' verschoben!
____________________________
In der Datei 'C:\Windows\System32\cmstNAME.dll' wurde ein Virus oder unerwünschtes Programm 'BDS/Papras.HI' [backdoor] gefunden. Ausgeführte Aktion: Zugriff verweigern
____________________________
Die Datei 'C:\Users\Carso\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UULGTRK6\tonysteenies_com[1].htm' enthielt einen Virus oder unerwünschtes Programm 'HEUR/HTML.Malware' [heuristic]. Durchgeführte Aktion(en): Der Fund wurde als verdächtig eingestuft. Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '4811806e.qua' verschoben!
____________________________
In der Datei 'C:\Users\Carso\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UULGTRK6\tonysteenies_com[2].htm' wurde ein Virus oder unerwünschtes Programm 'HEUR/HTML.Malware' [heuristic] gefunden. Ausgeführte Aktion: Zugriff verweigern
_____________________________
In der Datei 'C:\Users\Carso\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5RV9PD8L\tonysteenies_com[1].htm' wurde ein Virus oder unerwünschtes Programm 'HEUR/HTML.Malware' [heuristic] gefunden. Ausgeführte Aktion: Zugriff verweigern
_______________________________
In der Datei 'C:\Users\Carso\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3DF3EJGE\tubesexmovies_com[1].htm' wurde ein Virus oder unerwünschtes Programm 'HTML/Crypted.Gen' [virus] gefunden. Ausgeführte Aktion: Zugriff verweigern
_________________________________
Die Datei 'C:\Windows\System32\drivers\bgcctfx.sys' enthielt einen Virus oder unerwünschtes Programm 'TR/Rootkit.Gen' [trojan]. Durchgeführte Aktion(en): Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '4fd5803e.qua' verschoben!
___________________________________
In der Datei 'C:\Windows\System32\drivers\bgcctfx.sys' wurde ein Virus oder unerwünschtes Programm 'TR/Rootkit.Gen' [trojan] gefunden. Ausgeführte Aktion: Zugriff verweigern
____________________________________
In der Datei 'C:\Windows\System32\drivers\bgcctfx.sys' wurde ein Virus oder unerwünschtes Programm 'TR/Rootkit.Gen' [trojan] gefunden. Ausgeführte Aktion: Zugriff verweigern |
17.06.2010, 16:27 | #12 |
/// Malware-holic | Avira: install Avira this way and then configure it. Once you have applied the configuration, update the program. Then scan via Local Protection, Local Drives. Findings into quarantine, post the log. Please also post a new otl.txt as in post 1. |
18.06.2010, 12:50 | #13 |
| Hi, here are both logs: Code:
ATTFilter Avira AntiVir Personal Erstellungsdatum der Reportdatei: Donnerstag, 17. Juni 2010 21:43 Es wird nach 2223370 Virenstämmen gesucht. Das Programm läuft als uneingeschränkte Vollversion. Online-Dienste stehen zur Verfügung. Lizenznehmer : Avira AntiVir Personal - FREE Antivirus Seriennummer : 0000149996-ADJIE-0000001 Plattform : Windows Vista Windowsversion : (Service Pack 2) [6.0.6002] Boot Modus : Normal gebootet Benutzername : *** Computername : *** Versionsinformationen: BUILD.DAT : 10.0.0.567 32097 Bytes 19.04.2010 15:50:00 AVSCAN.EXE : 10.0.3.0 433832 Bytes 01.04.2010 11:37:35 AVSCAN.DLL : 10.0.3.0 56168 Bytes 30.03.2010 10:42:16 LUKE.DLL : 10.0.2.3 104296 Bytes 07.03.2010 17:32:59 LUKERES.DLL : 10.0.0.0 13672 Bytes 14.01.2010 10:59:47 VBASE000.VDF : 7.10.0.0 19875328 Bytes 06.11.2009 08:05:36 VBASE001.VDF : 7.10.1.0 1372672 Bytes 19.11.2009 18:27:49 VBASE002.VDF : 7.10.3.1 3143680 Bytes 20.01.2010 16:37:42 VBASE003.VDF : 7.10.3.75 996864 Bytes 26.01.2010 15:37:42 VBASE004.VDF : 7.10.4.203 1579008 Bytes 05.03.2010 10:29:03 VBASE005.VDF : 7.10.6.82 2494464 Bytes 15.04.2010 17:53:29 VBASE006.VDF : 7.10.7.218 2294784 Bytes 02.06.2010 17:53:30 VBASE007.VDF : 7.10.7.219 2048 Bytes 02.06.2010 17:53:30 VBASE008.VDF : 7.10.7.220 2048 Bytes 02.06.2010 17:53:30 VBASE009.VDF : 7.10.7.221 2048 Bytes 02.06.2010 17:53:30 VBASE010.VDF : 7.10.7.222 2048 Bytes 02.06.2010 17:53:30 VBASE011.VDF : 7.10.7.223 2048 Bytes 02.06.2010 17:53:30 VBASE012.VDF : 7.10.7.224 2048 Bytes 02.06.2010 17:53:30 VBASE013.VDF : 7.10.8.37 270336 Bytes 10.06.2010 17:53:31 VBASE014.VDF : 7.10.8.69 138752 Bytes 14.06.2010 11:26:39 VBASE015.VDF : 7.10.8.102 130560 Bytes 16.06.2010 19:42:57 VBASE016.VDF : 7.10.8.103 2048 Bytes 16.06.2010 19:42:57 VBASE017.VDF : 7.10.8.104 2048 Bytes 16.06.2010 19:42:57 VBASE018.VDF : 7.10.8.105 2048 Bytes 16.06.2010 19:42:57 VBASE019.VDF : 7.10.8.106 2048 Bytes 16.06.2010 19:42:57 VBASE020.VDF : 7.10.8.107 2048 Bytes 16.06.2010 19:42:57 VBASE021.VDF : 7.10.8.108 
2048 Bytes 16.06.2010 19:42:57 VBASE022.VDF : 7.10.8.109 2048 Bytes 16.06.2010 19:42:57 VBASE023.VDF : 7.10.8.110 2048 Bytes 16.06.2010 19:42:57 VBASE024.VDF : 7.10.8.111 2048 Bytes 16.06.2010 19:42:58 VBASE025.VDF : 7.10.8.112 2048 Bytes 16.06.2010 19:42:58 VBASE026.VDF : 7.10.8.113 2048 Bytes 16.06.2010 19:42:58 VBASE027.VDF : 7.10.8.114 2048 Bytes 16.06.2010 19:42:58 VBASE028.VDF : 7.10.8.115 2048 Bytes 16.06.2010 19:42:58 VBASE029.VDF : 7.10.8.116 2048 Bytes 16.06.2010 19:42:58 VBASE030.VDF : 7.10.8.117 2048 Bytes 16.06.2010 19:42:58 VBASE031.VDF : 7.10.8.122 43008 Bytes 17.06.2010 19:42:58 Engineversion : 8.2.2.6 AEVDF.DLL : 8.1.2.0 106868 Bytes 12.06.2010 17:53:34 AESCRIPT.DLL : 8.1.3.31 1352058 Bytes 12.06.2010 17:53:34 AESCN.DLL : 8.1.6.1 127347 Bytes 12.06.2010 17:53:34 AESBX.DLL : 8.1.3.1 254324 Bytes 12.06.2010 17:53:34 AERDL.DLL : 8.1.4.6 541043 Bytes 12.06.2010 17:53:33 AEPACK.DLL : 8.2.1.1 426358 Bytes 19.03.2010 11:34:51 AEOFFICE.DLL : 8.1.1.0 201081 Bytes 12.06.2010 17:53:33 AEHEUR.DLL : 8.1.1.33 2724214 Bytes 12.06.2010 17:53:33 AEHELP.DLL : 8.1.11.5 242038 Bytes 12.06.2010 17:53:32 AEGEN.DLL : 8.1.3.10 377205 Bytes 12.06.2010 17:53:32 AEEMU.DLL : 8.1.2.0 393588 Bytes 12.06.2010 17:53:32 AECORE.DLL : 8.1.15.3 192886 Bytes 12.06.2010 17:53:32 AEBB.DLL : 8.1.1.0 53618 Bytes 12.06.2010 17:53:32 AVWINLL.DLL : 10.0.0.0 19304 Bytes 14.01.2010 10:59:10 AVPREF.DLL : 10.0.0.0 44904 Bytes 14.01.2010 10:59:07 AVREP.DLL : 10.0.0.8 62209 Bytes 18.02.2010 15:47:40 AVREG.DLL : 10.0.3.0 53096 Bytes 01.04.2010 11:35:44 AVSCPLR.DLL : 10.0.3.0 83816 Bytes 01.04.2010 11:39:49 AVARKT.DLL : 10.0.0.14 227176 Bytes 01.04.2010 11:22:11 AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26.01.2010 08:53:25 SQLITE3.DLL : 3.6.19.0 355688 Bytes 28.01.2010 11:57:53 AVSMTP.DLL : 10.0.0.17 63848 Bytes 16.03.2010 14:38:54 NETNT.DLL : 10.0.0.0 11624 Bytes 19.02.2010 13:40:55 RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28.01.2010 12:10:08 RCTEXT.DLL : 10.0.53.0 98152 Bytes 09.04.2010 13:14:28 
Konfiguration für den aktuellen Suchlauf: Job Name..............................: Lokale Festplatten Konfigurationsdatei...................: C:\Program Files\Avira\AntiVir Desktop\alldiscs.avp Protokollierung.......................: niedrig Primäre Aktion........................: interaktiv Sekundäre Aktion......................: ignorieren Durchsuche Masterbootsektoren.........: ein Durchsuche Bootsektoren...............: ein Bootsektoren..........................: C:, D:, J:, L:, Durchsuche aktive Programme...........: ein Durchsuche Registrierung..............: ein Suche nach Rootkits...................: aus Integritätsprüfung von Systemdateien..: ein Optimierter Suchlauf..................: ein Datei Suchmodus.......................: Intelligente Dateiauswahl Durchsuche Archive....................: aus Makrovirenheuristik...................: ein Dateiheuristik........................: hoch Abweichende Gefahrenkategorien........: +PCK,+PFS,+SPR, Beginn des Suchlaufs: Donnerstag, 17. Juni 2010 21:43 Der Suchlauf über gestartete Prozesse wird begonnen: Durchsuche Prozess 'avscan.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'taskeng.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'wmplayer.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'firefox.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'OTL.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'avcenter.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'wmpnetwk.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'ehmsas.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'wmpnscfg.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'SUPERANTISPYWARE.EXE' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'ehtray.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'avgnt.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'Kalenderchen.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'RtHDVCpl.exe' - '1' Modul(e) wurden 
durchsucht Durchsuche Prozess 'MSASCui.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'Explorer.EXE' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'taskeng.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'Dwm.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'taskeng.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'WUDFHost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'SearchIndexer.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'avshadow.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'NBService.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'LSSrvc.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'mDNSResponder.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'AppleMobileDeviceService.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'avguard.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'schedul2.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'sched.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'spoolsv.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'nvvsvc.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'SLsvc.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'nvvsvc.exe' - '1' Modul(e) 
wurden durchsucht Durchsuche Prozess 'svchost.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'winlogon.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'lsm.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'lsass.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'services.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'csrss.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'wininit.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'csrss.exe' - '1' Modul(e) wurden durchsucht Durchsuche Prozess 'smss.exe' - '1' Modul(e) wurden durchsucht Untersuchung der Systemdateien wird begonnen: Signiert -> 'C:\Windows\system32\svchost.exe' Signiert -> 'C:\Windows\system32\winlogon.exe' Signiert -> 'C:\Windows\explorer.exe' Signiert -> 'C:\Windows\system32\smss.exe' Signiert -> 'C:\Windows\system32\wininet.DLL' Signiert -> 'C:\Windows\system32\wsock32.DLL' Signiert -> 'C:\Windows\system32\ws2_32.DLL' Signiert -> 'C:\Windows\system32\services.exe' Signiert -> 'C:\Windows\system32\lsass.exe' Signiert -> 'C:\Windows\system32\csrss.exe' Signiert -> 'C:\Windows\system32\drivers\kbdclass.sys' Signiert -> 'C:\Windows\system32\spoolsv.exe' Signiert -> 'C:\Windows\system32\alg.exe' Signiert -> 'C:\Windows\system32\wuauclt.exe' Signiert -> 'C:\Windows\system32\advapi32.DLL' Signiert -> 'C:\Windows\system32\user32.DLL' Signiert -> 'C:\Windows\system32\gdi32.DLL' Signiert -> 'C:\Windows\system32\kernel32.DLL' Signiert -> 'C:\Windows\system32\ntdll.DLL' Signiert -> 'C:\Windows\system32\ntoskrnl.exe' Signiert -> 'C:\Windows\system32\ctfmon.exe' Die Systemdateien wurden durchsucht ('21' Dateien) Der Suchlauf über die Masterbootsektoren wird begonnen: Masterbootsektor HD0 [INFO] Es wurde kein Virus gefunden! Masterbootsektor HD1 [INFO] Es wurde kein Virus gefunden! Masterbootsektor HD2 [INFO] Es wurde kein Virus gefunden! Masterbootsektor HD3 [INFO] Es wurde kein Virus gefunden! Masterbootsektor HD4 [INFO] Es wurde kein Virus gefunden! 
Masterbootsektor HD5 [INFO] Es wurde kein Virus gefunden! Der Suchlauf über die Bootsektoren wird begonnen: Bootsektor 'C:\' [INFO] Es wurde kein Virus gefunden! Bootsektor 'D:\' [INFO] Es wurde kein Virus gefunden! Bootsektor 'J:\' [INFO] Es wurde kein Virus gefunden! Bootsektor 'L:\' [INFO] Es wurde kein Virus gefunden! Der Suchlauf auf Verweise zu ausführbaren Dateien (Registry) wird begonnen: Die Registry wurde durchsucht ( '542' Dateien ). Der Suchlauf über die ausgewählten Dateien wird begonnen: Beginne mit der Suche in 'C:\' <Vista Home Premium> Beginne mit der Suche in 'D:\' <Daten> Beginne mit der Suche in 'J:\' <Spiele> Beginne mit der Suche in 'L:\' <VERBATIM> Ende des Suchlaufs: Donnerstag, 17. Juni 2010 22:37 Benötigte Zeit: 53:46 Minute(n) Der Suchlauf wurde vollständig durchgeführt. 39794 Verzeichnisse wurden überprüft 356478 Dateien wurden geprüft 0 Viren bzw. unerwünschte Programme wurden gefunden 0 Dateien wurden als verdächtig eingestuft 0 Dateien wurden gelöscht 0 Viren bzw. unerwünschte Programme wurden repariert 0 Dateien wurden in die Quarantäne verschoben 0 Dateien wurden umbenannt 0 Dateien konnten nicht durchsucht werden 356478 Dateien ohne Befall 0 Archive wurden durchsucht 0 Warnungen 0 Hinweise Code:
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\chkdinst:C:\Windows\system32\cmstNAME.dll deleted successfully.
File C:\Windows\System32\drivers\bgcctfx.sys not found.
File C:\Users\Carso\AppData\Roaming\wzmjhy.dat not found.
========== FILES ==========
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Carso
->Flash cache emptied: 10023 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0,00 mb

[EMPTYTEMP]

User: All Users

User: Carso
->Temp folder emptied: 763259 bytes
->Temporary Internet Files folder emptied: 406949748 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 36386282 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 50932 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 539558 bytes
RecycleBin emptied: 14623316 bytes

Total Files Cleaned = 438,00 mb

OTL by OldTimer - Version 3.2.4.1 log created on 06182010_022030

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\TMP0000000178DCBA41BBF3AE85 not found!

Registry entries deleted on Reboot...
22.06.2010, 14:09 | #14 |
| TR/Spy.Gen / Antimalware Doctor / Browser wird geHIJACKt & neue Viren geladen *push* |
22.06.2010, 14:31 | #15 |
/// Malware-holic | TR/Spy.Gen / Antimalware Doctor / Browser wird geHIJACKt & neue Viren geladen |