![]() |
Log-Analyse und Auswertung: Persistance durch Patch bekommenWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
![]() |
![]() | #1 |
![]() ![]() | ![]() Persistance durch Patch bekommen Hallo, ich habe einen Patch für Gothic 3 starten wollen aber leider war es ein getarnter Virus... die Datei war auch nicht sonderlich groß hätte mir eigentlich auffallen müssen. Naja ich konnte ihn erfolgreich 5 minuten später entfernen. wurde auch nur von MBAM als Malware erkannt. Leider musste ich ihn per Hand löschen. hxxp://greatis.com/blog/how-to-remove-malware/persistance-exe.htm ich habe das Lankabel getrennt und den beiden Dateien die Adminrechte gegeben, neugestartet und konnte alles löschen + Registryeinträge nachdem ich den obrigen Link gefunden hatte. Könnte man bitte noch überprüfen ob der Rest sauber ist? ESET und MBAM haben nach aktualisierung und einem Vollscan nichts mehr gefunden. OTL Code:
ATTFilter OTL logfile created on: 06.10.2011 14:27:17 - Run 5 OTL by OldTimer - Version Folder = C:\Users\Markus\Downloads 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 7,98 Gb Total Physical Memory | 6,62 Gb Available Physical Memory | 82,92% Memory free 15,96 Gb Paging File | 14,52 Gb Available in Paging File | 90,95% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 146,39 Gb Total Space | 62,66 Gb Free Space | 42,80% Space Free | Partition Type: NTFS Drive D: | 552,15 Gb Total Space | 91,76 Gb Free Space | 16,62% Space Free | Partition Type: NTFS Drive E: | 7,80 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF Computer Name: MARKUS-PC | User Name: Markus | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2011.10.06 14:26:24 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Users\Markus\Downloads\OTL.exe PRC - [2011.09.29 03:16:53 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe PRC - [2011.09.23 00:41:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe PRC - [2011.09.22 12:29:48 | 000,381,248 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe PRC - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2011.06.06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2010.05.14 07:02:56 | 000,075,048 | ---- | M] (cyberlink) -- C:\Program Files (x86)\CyberLink\Shared files\brs.exe PRC - [2010.05.05 19:56:42 | 000,025,600 | ---- | M] (Creative Technology Ltd) -- C:\Windows\SysWOW64\Ctxfihlp.exe PRC - [2010.05.05 19:51:56 | 001,212,928 | ---- | M] (Creative Technology Ltd) -- C:\Windows\SysWOW64\CTxfispi.exe PRC - [2009.08.28 19:45:56 | 000,286,720 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe PRC - [2009.07.06 14:22:04 | 000,087,336 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe ========== Modules (No Company Name) ========== MOD - [2009.10.02 16:07:14 | 000,176,128 | ---- | M] () -- C:\Windows\SysWOW64\APOMngr.DLL ========== Win32 Services (SafeList) ========== SRV:64bit: - [2011.04.27 17:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv) SRV:64bit: - [2011.04.27 17:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc) SRV - [2011.09.29 03:16:53 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA) SRV - [2011.09.28 00:37:29 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service) SRV - [2011.09.23 00:41:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService) SRV - [2011.09.22 12:29:48 | 000,381,248 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service) SRV - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2011.06.06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2011.05.28 18:58:39 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service) SRV - [2010.05.14 14:02:54 | 000,246,256 | ---- | M] (CyberLink) [Auto | Stopped] -- C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe -- (CLKMSVC10_9EC60124) SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009.08.28 19:45:56 | 000,286,720 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2011.10.02 01:16:59 | 000,270,912 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01) DRV:64bit: - [2011.09.28 03:03:03 | 000,314,016 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt) DRV:64bit: - [2011.09.28 03:03:02 | 000,043,680 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt) DRV:64bit: - [2011.08.31 17:00:50 | 000,025,416 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector) DRV:64bit: - [2011.08.15 14:32:10 | 000,146,736 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys -- (VBoxNetAdp) DRV:64bit: - [2011.07.08 01:21:28 | 000,174,184 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA) DRV:64bit: - [2011.04.27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv) DRV:64bit: - [2011.04.06 06:11:44 | 009,323,520 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2011.04.06 03:21:42 | 000,304,128 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2011.03.21 13:22:06 | 000,452,200 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010.11.21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010.11.21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2010.11.17 14:04:32 | 000,115,216 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService) DRV:64bit: - [2010.10.19 23:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) Intel(R) DRV:64bit: - [2010.07.01 14:21:50 | 000,038,992 | ---- | M] (Screaming Bee LLC) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ScreamingBAudio64.sys -- (ScreamBAudioSvc) DRV:64bit: - [2010.05.05 21:30:52 | 001,561,688 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ha20x2k.sys -- (ha20x2k) DRV:64bit: - [2010.05.05 21:30:42 | 000,118,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\emupia2k.sys -- (emupia) DRV:64bit: - [2010.05.05 21:30:34 | 000,213,080 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctsfm2k.sys -- (ctsfm2k) DRV:64bit: - [2010.05.05 21:30:26 | 000,015,960 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctprxy2k.sys -- (ctprxy2k) DRV:64bit: - [2010.05.05 21:30:18 | 000,179,288 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctoss2k.sys -- (ossrv) DRV:64bit: - [2010.05.05 21:30:10 | 000,684,376 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM) DRV:64bit: - [2010.05.05 21:30:02 | 000,580,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctac32k.sys -- (ctac32k) DRV:64bit: - [2010.05.05 21:29:52 | 001,417,304 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CTEXFIFX.sys -- (CTEXFIFX.SYS) DRV:64bit: - [2010.05.05 21:29:52 | 001,417,304 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CTEXFIFX.sys -- (CTEXFIFX) DRV:64bit: - [2010.05.05 21:29:42 | 000,094,808 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CTHWIUT.sys -- (CTHWIUT.SYS) DRV:64bit: - [2010.05.05 21:29:42 | 000,094,808 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CTHWIUT.sys -- (CTHWIUT) DRV:64bit: - [2010.05.05 21:29:34 | 000,202,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CT20XUT.sys -- (CT20XUT.SYS) DRV:64bit: - [2010.05.05 21:29:34 | 000,202,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CT20XUT.sys -- (CT20XUT) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2008.12.26 12:56:04 | 000,021,504 | ---- | M] (Avnex) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vcsvad.sys -- (VCSVADHWSer) Avnex Virtual Audio Device (WDM) DRV:64bit: - [2008.03.26 15:55:00 | 000,033,792 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lgx64modem.sys -- (USBModem) DRV:64bit: - [2008.03.26 15:55:00 | 000,027,136 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lgx64diag.sys -- (UsbDiag) DRV:64bit: - [2008.03.26 15:55:00 | 000,017,408 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lgx64bus.sys -- (usbbus) DRV:64bit: - [2007.08.08 09:31:16 | 000,034,336 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\scramby_out.sys -- (scramby_out) DRV:64bit: - [2007.06.01 18:37:00 | 001,037,312 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WG111Tvx.sys -- (WG111T) DRV:64bit: - [2007.02.13 18:41:26 | 000,029,480 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\scramby.sys -- (scramby) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,DefaultNetworkProfile = 475640049 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 70 BC 2A 33 66 7D CC 01 [binary data] IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Google Deutschland" FF - prefs.js..browser.search.useDBForOrder: true FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.0: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll (ESN Social Software AB) FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=0.80.0: C:\Program Files (x86)\Battlelog Web Plugins\0.80.0\npesnlaunch.dll (ESN Social Software AB) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011.10.02 02:16:46 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011.04.27 20:20:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Markus\AppData\Roaming\mozilla\Extensions [2011.10.01 12:19:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Markus\AppData\Roaming\mozilla\Firefox\Profiles\jgn0wioz.default\extensions [2011.10.01 01:34:01 | 000,002,563 | ---- | M] () -- C:\Users\Markus\AppData\Roaming\Mozilla\Firefox\Profiles\jgn0wioz.default\searchplugins\google-auf-gut-glck.xml [2011.10.01 01:34:01 | 000,002,454 | ---- | M] () -- C:\Users\Markus\AppData\Roaming\Mozilla\Firefox\Profiles\jgn0wioz.default\searchplugins\google-deutschland.xml [2011.08.08 02:12:54 | 000,002,330 | ---- | M] () -- C:\Users\Markus\AppData\Roaming\Mozilla\Firefox\Profiles\jgn0wioz.default\searchplugins\wowprogresscom.xml [2011.10.05 14:26:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2011.10.05 14:26:15 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [2011.04.27 23:47:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} [2011.06.24 23:20:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011.10.02 02:20:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} () (No name found) -- C:\USERS\MARKUS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\JGN0WIOZ.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI [2011.10.02 02:16:46 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2011.10.02 02:16:45 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2011.10.02 02:16:45 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2011.10.02 02:16:45 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2011.10.02 02:16:45 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2011.10.02 02:16:45 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2011.10.02 02:16:45 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) O4:64bit: - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation) O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation) O4 - HKLM..\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe (cyberlink) O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\SysWow64\Ctxfihlp.exe (Creative Technology Ltd) O4 - HKLM..\Run: [LGODDFU] C:\Program Files (x86)\lg_fwupdate\fwupdate.exe (BitLeader) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [RemoteControl9] C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe (CyberLink Corp.) O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd) O4 - HKCU..\Run: [NCsoft] File not found O4 - HKCU..\Run: [Steam] D:\Program Files (x86)\Steam\steam.exe (Valve Corporation) O4 - HKCU..\Run: [updateswindows] C:\Users\Markus\AppData\Roaming\WindowsUpdates\winupdates.exe File not found O4 - Startup: C:\Users\Markus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O9 - Extra Button: ICQ7.6 - {7644E42D-B096-457F-8B5B-901238FC81AE} - C:\Program Files (x86)\ICQ7.6\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ7.6 - {7644E42D-B096-457F-8B5B-901238FC81AE} - C:\Program Files (x86)\ICQ7.6\ICQ.exe (ICQ, LLC.) O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites) O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites) O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites) O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27) O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab (Creative Software AutoUpdate Support Package 2) O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6F3451B1-3848-401C-A835-19810DB66043}: DhcpNameServer = O18:64bit: - Protocol\Handler\wlpg - No CLSID value found O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2008.11.06 18:33:09 | 000,000,043 | R--- | M] () - E:\Autorun.inf -- [ UDF ] O33 - MountPoints2\{acc8aca5-c03f-11e0-9e83-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{acc8aca5-c03f-11e0-9e83-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Start.exe -- [2006.01.10 15:49:24 | 000,492,032 | R--- | M] () O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2011.10.05 14:42:48 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonBJ [2011.10.05 14:27:14 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Roaming\OpenOffice.org [2011.10.05 14:26:43 | 000,000,000 | --SD | C] -- C:\Users\Markus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.3 [2011.10.05 14:26:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenOffice.org 3 [2011.10.04 00:52:25 | 000,000,000 | ---D | C] -- C:\Users\Markus\Documents\gothic3aa [2011.10.02 17:50:24 | 000,000,000 | ---D | C] -- C:\Users\Markus\Documents\gothic3 [2011.10.02 15:40:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gothic III [2011.10.02 02:20:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java [2011.10.02 02:20:35 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe [2011.10.02 02:20:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe [2011.10.02 02:20:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe [2011.10.02 01:38:29 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\{2832E37A-99BE-4AE6-88E0-F6A6A0131632} [2011.10.02 01:38:18 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\{179A18F5-3FF3-43C5-89EB-3EBF87D56B0C} [2011.10.02 01:37:46 | 000,000,000 | ---D | C] -- C:\Windows\de [2011.10.02 01:31:55 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\{FD6E79D5-D09E-4892-A151-DA9DD77F8D05} [2011.10.02 01:19:28 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\DAEMON Tools Images [2011.10.02 01:16:59 | 000,270,912 | ---- | C] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys [2011.10.02 01:16:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DAEMON Tools Lite [2011.10.02 01:16:32 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Roaming\DAEMON Tools Lite [2011.10.02 01:16:30 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite [2011.09.29 13:02:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET [2011.09.29 03:29:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation [2011.09.29 03:26:44 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA [2011.09.29 03:26:21 | 005,067,584 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvsvc64.dll [2011.09.29 03:26:21 | 000,137,536 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvshext.dll [2011.09.29 03:26:20 | 010,406,208 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcpl.dll [2011.09.29 03:26:20 | 003,074,368 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvsvcr.dll [2011.09.29 03:26:20 | 000,837,952 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\easyupdatusapiu64.dll [2011.09.29 03:26:20 | 000,222,528 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvmctray.dll [2011.09.29 03:26:03 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation [2011.09.29 03:21:58 | 024,796,480 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcompiler.dll [2011.09.29 03:21:58 | 024,743,232 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvoglv64.dll [2011.09.29 03:21:58 | 018,870,592 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvoglv32.dll [2011.09.29 03:21:58 | 017,248,576 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvcompiler.dll [2011.09.29 03:21:58 | 015,688,512 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvd3dumx.dll [2011.09.29 03:21:58 | 013,200,704 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvd3dum.dll [2011.09.29 03:21:58 | 008,930,624 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvwgf2umx.dll [2011.09.29 03:21:58 | 007,580,992 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcuda.dll [2011.09.29 03:21:58 | 007,183,168 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvwgf2um.dll [2011.09.29 03:21:58 | 005,576,000 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvcuda.dll [2011.09.29 03:21:58 | 002,808,640 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvapi64.dll [2011.09.29 03:21:58 | 002,542,912 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcuvid.dll [2011.09.29 03:21:58 | 002,458,432 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvapi.dll [2011.09.29 03:21:58 | 002,401,088 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvcuvid.dll [2011.09.29 03:21:58 | 002,232,128 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcuvenc.dll [2011.09.29 03:21:58 | 002,099,520 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvcuvenc.dll [2011.09.29 03:21:58 | 001,533,248 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvdispco64.dll [2011.09.29 03:21:58 | 001,454,400 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvgenco64.dll [2011.09.29 03:21:58 | 001,452,648 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvhdagenco6420102.dll [2011.09.29 03:21:58 | 000,174,184 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\drivers\nvhda64v.sys [2011.09.29 03:21:58 | 000,068,928 | ---- | C] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll [2011.09.29 03:21:58 | 000,061,248 | ---- | C] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll [2011.09.29 03:21:58 | 000,029,288 | ---- | C] (NVIDIA Corporation) -- C:\Windows\SysNative\nvhdap64.dll [2011.09.29 03:18:28 | 000,000,000 | ---D | C] -- C:\Users\Markus\Documents\Battlefield 3 Open Beta [2011.09.29 03:18:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Battlelog Web Plugins [2011.09.28 03:04:15 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\Risen [2011.09.27 13:22:54 | 000,000,000 | ---D | C] -- C:\Users\Markus\Documents\FIFA 12 [2011.09.27 00:01:44 | 001,037,312 | ---- | C] (Atheros Communications, Inc.) -- C:\Windows\SysNative\drivers\WG111Tvx.sys [2011.09.27 00:01:44 | 000,043,328 | ---- | C] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Windows\SysNative\drivers\PCAMp50a64.sys [2011.09.27 00:01:44 | 000,041,280 | ---- | C] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Windows\SysNative\drivers\PCASp50a64.sys [2011.09.26 23:34:17 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\Common Files\EAInstaller [2011.09.26 14:11:13 | 000,000,000 | ---D | C] -- C:\Users\Markus\Documents\Witcher 2 [2011.09.26 14:11:13 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\The Witcher 2 [2011.09.26 14:08:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Witcher 2 [2011.09.26 01:09:47 | 000,000,000 | ---D | C] -- C:\Users\Markus\Documents\ArcaniA - Gothic 4 [2011.09.26 01:06:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ArcaniA - Gothic 4 [2011.09.25 23:28:25 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\{DBDCF523-3272-4238-B8A0-4CA13A9CBAFC} [2011.09.21 14:47:37 | 000,000,000 | ---D | C] -- C:\Users\Markus\Documents\Eidos [2011.09.21 14:43:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard [2011.09.21 14:41:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eidos [2011.09.16 15:54:38 | 000,000,000 | ---D | C] -- C:\Users\Markus\Documents\Virtual Machines [2011.09.16 15:48:04 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\VMware [2011.09.16 15:47:31 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Roaming\VMware [2011.09.16 15:40:21 | 000,000,000 | ---D | C] -- C:\ProgramData\VMware [2011.09.15 21:14:10 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Blizzard Entertainment [2011.09.15 20:48:41 | 000,000,000 | ---D | C] -- C:\Users\Markus\VirtualBox VMs [2011.09.15 20:48:18 | 000,000,000 | ---D | C] -- C:\Users\Markus\.VirtualBox [2011.09.15 20:47:49 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE [2011.09.15 20:12:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard [2011.09.12 15:47:00 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Roaming\Xfire [2011.09.12 15:46:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Xfire [2011.09.12 15:46:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xfire [2011.09.12 15:46:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Xfire [2011.09.11 18:16:24 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\NCSoft [2011.09.11 15:08:31 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCsoft [2011.09.11 15:08:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NCsoft [2011.09.11 15:07:44 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\assembly [2011.09.11 15:07:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCsoft [2011.09.11 15:04:10 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Roaming\GetRightToGo [2011.09.07 17:02:52 | 000,000,000 | ---D | C] -- C:\Users\Markus\AppData\Local\SCE [2010.05.05 19:59:10 | 000,060,928 | ---- | C] ( ) -- C:\Windows\SysWow64\a3d.dll [2010.05.05 19:38:18 | 000,012,800 | ---- | C] ( ) -- C:\Windows\SysWow64\killapps.exe [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2011.10.06 14:23:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2011.10.06 14:23:02 | 2132,991,999 | -HS- | M] () -- C:\hiberfil.sys [2011.10.06 14:22:34 | 000,061,256 | ---- | M] () -- C:\Windows\SysNative\BMXStateBkp-{00000004-00000000-00000000-00001102-00000005-00211102}.rfx [2011.10.06 14:22:34 | 000,061,256 | ---- | M] () -- C:\Windows\SysNative\BMXState-{00000004-00000000-00000000-00001102-00000005-00211102}.rfx [2011.10.06 14:22:34 | 000,000,788 | ---- | M] () -- C:\Windows\SysNative\DVCState-{00000004-00000000-00000000-00001102-00000005-00211102}.rfx [2011.10.06 14:22:13 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2011.10.06 14:22:13 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2011.10.06 04:32:25 | 001,651,022 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2011.10.06 04:32:25 | 000,710,036 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2011.10.06 04:32:25 | 000,663,632 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2011.10.06 04:32:25 | 000,154,422 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2011.10.06 04:32:25 | 000,126,618 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2011.10.06 03:25:05 | 000,294,768 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2011.10.05 14:27:45 | 000,001,239 | ---- | M] () -- C:\Users\Markus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk [2011.10.03 02:18:18 | 000,280,904 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr [2011.10.03 02:18:18 | 000,280,904 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe [2011.10.02 01:16:59 | 000,270,912 | ---- | M] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys [2011.10.01 13:09:47 | 000,280,904 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0 [2011.09.30 18:05:18 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2011.09.29 03:16:53 | 000,075,136 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe [2011.09.28 03:03:03 | 000,314,016 | ---- | M] () -- C:\Windows\SysNative\drivers\atksgt.sys [2011.09.28 03:03:02 | 000,043,680 | ---- | M] () -- C:\Windows\SysNative\drivers\lirsgt.sys [2011.09.27 02:43:43 | 000,001,080 | ---- | M] () -- C:\Windows\SysNative\settingsbkup.sfm [2011.09.27 02:43:43 | 000,001,080 | ---- | M] () -- C:\Windows\SysNative\settings.sfm [2011.09.27 02:10:24 | 000,000,267 | RH-- | M] () -- C:\Windows\ctfile.rfc [2011.09.26 20:55:26 | 000,000,983 | ---- | M] () -- C:\Users\Public\Desktop\Origin.lnk [2011.09.26 13:10:22 | 000,000,372 | ---- | M] () -- C:\Windows\lgfwup.ini [2011.09.23 19:57:48 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2011.09.23 00:41:00 | 024,796,480 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcompiler.dll [2011.09.23 00:41:00 | 024,743,232 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvoglv64.dll [2011.09.23 00:41:00 | 018,870,592 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvoglv32.dll [2011.09.23 00:41:00 | 017,248,576 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvcompiler.dll [2011.09.23 00:41:00 | 015,688,512 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvd3dumx.dll [2011.09.23 00:41:00 | 013,200,704 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvd3dum.dll [2011.09.23 00:41:00 | 010,406,208 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcpl.dll [2011.09.23 00:41:00 | 008,930,624 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvwgf2umx.dll [2011.09.23 00:41:00 | 007,580,992 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcuda.dll [2011.09.23 00:41:00 | 007,183,168 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvwgf2um.dll [2011.09.23 00:41:00 | 005,576,000 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvcuda.dll [2011.09.23 00:41:00 | 005,067,584 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvsvc64.dll [2011.09.23 00:41:00 | 003,074,368 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvsvcr.dll [2011.09.23 00:41:00 | 002,808,640 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvapi64.dll [2011.09.23 00:41:00 | 002,542,912 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcuvid.dll [2011.09.23 00:41:00 | 002,458,432 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvapi.dll [2011.09.23 00:41:00 | 002,401,088 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvcuvid.dll [2011.09.23 00:41:00 | 002,232,128 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvcuvenc.dll [2011.09.23 00:41:00 | 002,099,520 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysWow64\nvcuvenc.dll [2011.09.23 00:41:00 | 001,533,248 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvdispco64.dll [2011.09.23 00:41:00 | 001,454,400 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvgenco64.dll [2011.09.23 00:41:00 | 000,837,952 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\easyupdatusapiu64.dll [2011.09.23 00:41:00 | 000,222,528 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvmctray.dll [2011.09.23 00:41:00 | 000,137,536 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysNative\nvshext.dll [2011.09.23 00:41:00 | 000,068,928 | ---- | M] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll [2011.09.23 00:41:00 | 000,061,248 | ---- | M] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll [2011.09.23 00:41:00 | 000,007,384 | ---- | M] () -- C:\Windows\SysNative\nvinfo.pb [2011.09.22 12:29:58 | 000,321,856 | ---- | M] () -- C:\Windows\SysWow64\nvStreaming.exe [2011.09.16 15:40:48 | 000,001,024 | ---- | M] () -- C:\.rnd [2011.09.16 15:40:36 | 001,679,256 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2011.10.05 14:27:45 | 000,001,239 | ---- | C] () -- C:\Users\Markus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk [2011.09.29 03:21:58 | 000,007,384 | ---- | C] () -- C:\Windows\SysNative\nvinfo.pb [2011.09.28 03:03:03 | 000,314,016 | ---- | C] () -- C:\Windows\SysNative\drivers\atksgt.sys [2011.09.28 03:03:02 | 000,043,680 | ---- | C] () -- C:\Windows\SysNative\drivers\lirsgt.sys [2011.09.22 12:29:58 | 000,321,856 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe [2011.09.16 15:40:48 | 000,001,024 | ---- | C] () -- C:\.rnd [2011.08.27 00:22:30 | 000,042,392 | ---- | C] () -- C:\Windows\SysWow64\xfcodec.dll [2011.08.06 17:15:14 | 000,000,372 | ---- | C] () -- C:\Windows\lgfwup.ini [2011.07.02 17:32:58 | 000,001,801 | ---- | C] () -- C:\Windows\WRcfg.ini [2011.07.02 17:32:58 | 000,000,388 | ---- | C] () -- C:\Windows\WRMCcfg.ini [2011.05.27 20:34:14 | 000,007,599 | ---- | C] () -- C:\Users\Markus\AppData\Local\Resmon.ResmonCfg [2011.04.30 21:46:15 | 000,280,904 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe [2011.04.30 21:46:15 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe [2011.04.30 21:46:13 | 000,794,408 | ---- | C] () -- C:\Windows\SysWow64\pbsvc.exe [2011.04.27 20:54:23 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2011.04.27 20:51:32 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2011.04.27 20:31:50 | 000,176,128 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL [2011.04.27 20:31:50 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL [2011.04.27 20:31:31 | 000,003,072 | ---- | C] () -- C:\Windows\SysWow64\CTXFIGER.DLL [2011.04.27 20:22:56 | 001,679,256 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011.04.13 21:59:14 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll [2011.04.09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat [2011.03.01 19:07:08 | 000,003,949 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat [2010.05.05 20:37:52 | 000,021,204 | ---- | C] () -- C:\Windows\SysWow64\instwdm.ini [2010.05.05 20:37:50 | 000,000,054 | ---- | C] () -- C:\Windows\SysWow64\ctzapxx.ini [2010.05.05 19:56:46 | 000,002,560 | ---- | C] () -- C:\Windows\SysWow64\CtxfiRes.dll [2010.05.05 19:46:30 | 000,321,512 | ---- | C] () -- C:\Windows\SysWow64\ctdlang.dat [2010.05.05 19:46:30 | 000,056,509 | ---- | C] () -- C:\Windows\SysWow64\ctdnlstr.dat [2010.05.05 19:38:22 | 000,007,680 | ---- | C] () -- C:\Windows\SysWow64\enlocstr.exe [2009.07.14 07:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat [2009.07.14 04:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT [2009.07.14 04:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat [2009.07.14 02:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin [2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll [2009.07.13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll [2009.07.06 13:47:08 | 000,000,285 | ---- | C] () -- C:\Windows\SysWow64\kill.ini [2009.06.10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat [2002.08.13 17:04:12 | 000,217,088 | R--- | C] () -- C:\Windows\SysWow64\MafiaSetup.exe [2002.08.13 17:04:12 | 000,217,088 | R--- | C] () -- C:\Users\Markus\AppData\Roaming\MafiaSetup.exe ========== LOP Check ========== [2011.04.29 19:02:21 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\Acreon [2011.07.02 17:45:26 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\Avnex [2011.10.02 02:22:36 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\DAEMON Tools Lite [2011.10.06 04:06:54 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\Firstload [2011.09.11 15:08:05 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\GetRightToGo [2011.06.25 16:07:34 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\go [2011.09.27 19:00:13 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\ICQ [2011.08.24 00:44:28 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\ImgBurn [2011.05.25 18:56:30 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\LG Electronics [2011.05.20 14:13:04 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\Lionhead Studios [2011.07.05 00:49:37 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\mp3DirectCut [2011.10.05 14:27:14 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\OpenOffice.org [2011.07.21 00:45:09 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\Origin [2011.07.08 19:19:34 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\Screaming Bee [2011.04.27 20:43:50 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\Trillian [2011.10.06 03:38:09 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\TS3Client [2011.10.02 15:25:00 | 000,000,000 | ---D | M] -- C:\Users\Markus\AppData\Roaming\UseNeXT [2011.08.05 13:07:19 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > Code:
ATTFilter OTL Extras logfile created on: 06.10.2011 14:27:17 - Run 5 OTL by OldTimer - Version Folder = C:\Users\Markus\Downloads 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 7,98 Gb Total Physical Memory | 6,62 Gb Available Physical Memory | 82,92% Memory free 15,96 Gb Paging File | 14,52 Gb Available in Paging File | 90,95% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 146,39 Gb Total Space | 62,66 Gb Free Space | 42,80% Space Free | Partition Type: NTFS Drive D: | 552,15 Gb Total Space | 91,76 Gb Free Space | 16,62% Space Free | Partition Type: NTFS Drive E: | 7,80 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF Computer Name: MARKUS-PC | User Name: Markus | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation) InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== HKEY_LOCAL_MACHINE Uninstall List ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64) "{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1" = Core Temp version 0.99.8 "{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{1280E900-35DA-4E08-A700-B79A5B2B8532}" = Microsoft Antimalware Service DE-DE Language Pack "{180C8888-50F1-426B-A9DC-AB83A1989C65}" = Windows Live Language Selector "{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant "{42738DB0-FC3E-4672-A99B-9372F5696E30}" = Microsoft Security Client "{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 "{8219EDCB-CE5A-4348-B056-AAC0FE4E99D0}" = Microsoft IntelliType Pro 8.2 "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 "{8338783A-0968-3B85-AFC7-BAAE0A63DC50}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 "{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting "{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}" = Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64) "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Treiber 285.38 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 285.38 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 285.38 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller-Treiber 285.38 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.11.0621 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.5.20 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD-Audiotreiber "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 "{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 "{DC911ADF-7B60-40F2-A112-FB1EB6402D07}" = Microsoft Security Client DE-DE Language Pack "{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile "CCleaner" = CCleaner "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended "Microsoft IntelliType Pro 8.2" = Microsoft IntelliType Pro 8.2 "Microsoft Security Client" = Microsoft Security Essentials "Recuva" = Recuva "TeamSpeak 3 Client" = TeamSpeak 3 Client "WinRAR archiver" = WinRAR 4.00 (64-Bit) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{01521746-02A6-4A72-00BD-A285DF6B80C6}" = Die Sims 2: Wilde Campus-Jahre "{02B244A2-7F6A-42E8-A36F-8C385D7A1625}" = Gothic III "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam "{058AF8C6-E4DE-4D91-9879-B72860E9F615}" = MorphVOX Pro "{0AF6CFBC-02CB-4B7F-B71D-7B1DBE8A5E7B}" = LG PC Suite II "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer "{0DB44859-4112-4946-BE5E-A4275B3FFB5E}" = Furry Voices for Second Life "{1146E8F3-4057-4F46-B39C-D18AB4BB1523}_is1" = Deus Ex - Human Revolution version 1.0 "{14DCD95A-EBA3-4BF0-B7EF-533852E99BE6}" = LG PC Suite II "{155F4A0E-76ED-45A2-91FB-FF2A2133C31A}" = Risen "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink Blu-ray Disc Suite "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions "{216E21F4-0489-4311-92D6-20D1FB950FCE}" = Sci-Fi Voice Pack "{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java(TM) 6 Update 22 "{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 27 "{29C042AB-059B-414C-840E-94775E3F24A8}" = Personality Voices "{2D2D8FE2-605C-4D3C-B706-36E981E7EEF0}" = CyberLink BD Advisor 2.0 "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery "{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack "{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2 "{3FEA6CD1-EA13-4CE7-A74E-A74A4A0A7B5C}" = FIFA 12 DEMO "{4286716B-1287-48E7-9078-3DC8248DBA96}" = OpenOffice.org 3.3 "{4343080E-448E-4E2C-B27F-B91000028201}" = Dead Rising 2 "{4343080E-91B7-4388-AB4D-FB1000008200}" = Dead Rising 2 "{45057FCE-5784-48BE-8176-D9D00AF56C3C}" = The Sims™ 3 Late Night "{45BF4F8E-7BE7-4384-94C6-60AC70C401C6}" = Male Voice Pack "{45C8D17D-B5E0-4e93-8370-4329AB16D2A0}" = Battlefield 3™ Open Beta "{4817189D-1785-4627-A33C-39FD90919300}" = Die Sims™ 2 Haustiere "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace "{4D53090A-9B45-437B-A66A-831000008300}" = Fable III "{4D53090A-CE35-42BD-B377-831000018301}" = Fable III "{4D53090A-CE35-42BD-B377-831000028301}" = Fable III "{4E79A60F-15D2-4BEC-91AD-E41EC42E61B0}" = Batman: Arkham Asylum "{5B616A3F-43D9-4F0B-9F49-D39342A98592}" = Creatures of Darkness "{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = NCsoft Launcher "{602A1471-063B-4E03-9DCE-0210B914EFF5}" = Translator Fun Voice Pack "{6033673D-2530-4587-8AD0-EB059FC263F9}" = Crysis® 2 "{6179550A-3E7C-499E-BCC9-9E8113E0A285}" = LG Tool Kit "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE "{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 "{6E7DD182-9FC6-4651-0095-2E666CC6AF35}" = Die Sims 2 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{7644E42D-B096-457F-8B5B-901238FC81AE}" = ICQ7.6 "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}" = Die Sims 2: Open For Business "{7F6D7FD9-648D-4DD9-BB6E-3990C675ECA4}" = NVIDIA PhysX "{8061C2C9-C2A3-4550-A3FC-585B646840CB}" = Fantasy Voice Pack "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{83BEEFB4-8C28-4F4F-8A9D-E0D1ADCE335B}" = Die*Sims*Mittelalter "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT "{910F4A29-1134-49E0-AD8B-56E4A3152BD1}" = The Sims™ 3 Ambitions "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker "{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6 "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A1416622-0DDE-45B5-B06C-DFC3ED94C53B}" = Der Pate® II "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable "{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9 "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5 "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.1) - Deutsch "{B113D18C-67B0-4FB7-B329-E89B66194AE6}" = Windows Live Fotogalerie "{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures "{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3 "{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common "{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform "{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}" = Die Sims™ 2 Vier Jahreszeiten "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10 "{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime "{E4E88B54-4777-4659-967A-2EED1E6AFD83}" = Windows Live Movie Maker "{EA8ADAA9-6671-4839-A51E-0C6792B78F3E}" = FIFA 12 "{F0A209B7-7F85-4BDD-8F1F-B98EEAD9E04B}" = The Witcher 2 "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F0C9E8E9-C54B-48C1-9192-F5D49633AB5D}" = Harry Potter und die Heiligtümer des Todes(TM) - Teil 2 "{F248ADFA-64E0-4b03-8A83-059078BED6A0}" = Die Sims™ 2 Gute Reise "{F2508213-9989-4E85-A078-72BE483917EF}" = Microsoft Games for Windows - LIVE Redistributable "{F7529650-B9DB-481B-0089-A2AC3C2821C1}" = Die Sims 2: Nightlife "{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Afterburner" = MSI Afterburner 2.1.0 "ArcaniA" = ArcaniA - Gothic 4 "AudioCS" = Creative Audio-Systemsteuerung "Battlelog Web Plugins" = Battlelog Web Plugins "DAEMON Tools Lite" = DAEMON Tools Lite "EAX Unified" = EAX Unified "ESET Online Scanner" = ESET Online Scanner v3 "ESN Sonar-0.70.0" = ESN Sonar "Firstload" = Firstload "Fraps" = Fraps (remove only) "GFWL_{4343080E-91B7-4388-AB4D-FB1000008200}" = Dead Rising 2 "GFWL_{4D53090A-9B45-437B-A66A-831000008300}" = Fable III "ImgBurn" = ImgBurn "InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink Blu-ray Disc Suite "InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9 "Mafia Game" = Mafia Game "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version "Mozilla Firefox 7.0.1 (x86 de)" = Mozilla Firefox 7.0.1 (x86 de) "Novo's Easy WoW Server" = Novo's Easy WoW Server "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver "OpenAL" = OpenAL "Origin" = Origin "PunkBusterSvc" = PunkBuster Services "Steam App 10180" = Call of Duty: Modern Warfare 2 "Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer "Steam App 12210" = Grand Theft Auto IV "Steam App 12220" = Grand Theft Auto: Episodes from Liberty City "Steam App 15120" = Tom Clancy's Rainbow Six: Vegas 2 "Steam App 17300" = Crysis "Steam App 17330" = Crysis Warhead "Steam App 17340" = Crysis Wars "Steam App 19900" = Far Cry 2 "Steam App 220" = Half-Life 2 "Steam App 24200" = DC Universe Online "Steam App 24780" = SimCity 4 Deluxe "Steam App 28000" = Kane & Lynch 2: Dog Days "Steam App 32460" = Monkey Island 2: Special Edition "Steam App 43110" = Metro 2033 "Steam App 440" = Team Fortress 2 "Steam App 50130" = Mafia II "Steam App 620" = Portal 2 "Steam App 6860" = Hitman: Blood Money "Steam App 8190" = Just Cause 2 "Steam App 9880" = Champions Online: Free For All "SysInfo" = Creative Systeminformationen "Trillian" = Trillian "UseNeXT_is1" = UseNeXT "VLC media player" = VLC media player 1.1.5 "WinLiveSuite" = Windows Live Essentials "World of Warcraft" = World of Warcraft "World of Warcraft Public Test" = World of Warcraft Public Test "x264vfw" = x264vfw - H.264/MPEG-4 AVC codec (remove only) "Xfire" = Xfire (remove only) ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "090215de958f1060" = Curse Client "NCsoft-CityOfHeroesEU" = City of Heroes ========== Last 10 Event Log Errors ========== Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt! < End of report > |
![]() | #2 |
/// Malware-holic ![]() ![]() ![]() ![]() ![]() ![]() | ![]() Persistance durch Patch bekommen hast du den link noch wo man den patch bekommt? den hätte ich gern als private nachicht.
__________________ |
![]() | #3 |
![]() ![]() | ![]() Persistance durch Patch bekommen nö ka den bekam ich von nem kumpel der meinte da gothic 3 immer abstürzt bzw nicht startet (bekanntes problem, alle gothic spieler kennen es) und so wäre nicht sonderlich groß aber wirksam ka ob der mich hier verarschen wollte
__________________ |
![]() | #4 |
/// Malware-holic ![]() ![]() ![]() ![]() ![]() ![]() | ![]() Persistance durch Patch bekommen ja, na falls du den link hast, als private nachicht an mich. da dein antimalware programm nicht angeschlagen hat muss dieser an software hersteller verteilt werden. poste außerdem alle Malwarebytes logs, du sagst ja du hast nen scan durchgeführt
__________________ -Verdächtige mails bitte an uns zur Analyse weiterleiten: markusg.trojaner-board@web.de Weiterleiten Anleitung: http://markusg.trojaner-board.de Mails bitte vorerst nach obiger Anleitung an markusg.trojaner-board@web.de Weiterleiten Wenn Ihr uns unterstützen möchtet |
![]() | #5 |
![]() ![]() | ![]() Persistance durch Patch bekommen da hab ich nur den ordner mit der server exe gescanned Code:
ATTFilter Malwarebytes' Anti-Malware www.malwarebytes.org Datenbank Version: 7843 Windows 6.1.7601 Service Pack 1 Internet Explorer 9.0.8112.16421 06.10.2011 03:23:26 mbam-log-2011-10-06 (03-23-26).txt Art des Suchlaufs: Quick-Scan Durchsuchte Objekte: 7 Laufzeit: 2 Sekunde(n) Infizierte Speicherprozesse: 1 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 1 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 1 Infizierte Speicherprozesse: c:\Users\Markus\AppData\Roaming\secure-soft bot\Server.exe (Trojan.Agent) -> 4336 -> Unloaded process successfully. Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server.exe (Trojan.Agent) -> Value: Server.exe -> Quarantined and deleted successfully. Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: c:\Users\Markus\AppData\Roaming\secure-soft bot\Server.exe (Trojan.Agent) -> Quarantined and deleted successfully. Code:
ATTFilter Malwarebytes' Anti-Malware www.malwarebytes.org Datenbank Version: 7882 Windows 6.1.7601 Service Pack 1 Internet Explorer 9.0.8112.16421 06.10.2011 05:48:38 mbam-log-2011-10-06 (05-48-38).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Durchsuchte Objekte: 476738 Laufzeit: 1 Stunde(n), 21 Minute(n), 16 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 0 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: (Keine bösartigen Objekte gefunden) was meinst du mit "da dein antimalware programm nicht angeschlagen hatt muss dieser an software hersteller verteilt werden"? ich hab die anwendung nur mit MSSE überprüft und das ding hat nix gefunden... MBAM hab ich dann erst benutzt als server.exe schon gestartet war. wie siehts mit den OTL-Logs aus? sind die sauber? Achja was nicht dabei stand war noch eine winupdate.exe die sich mitinstalliert hat aber nicht gestartet wurde. die konnte man ebenfalls ohne problem löschen. die war laut prozesse auch nicht aktiv, sondern nur die beiden anderen. man konnte sie also während der infektion der andern beiden einfach so löschen Geändert von DonSerious (06.10.2011 um 14:26 Uhr) |
![]() | #6 |
/// Malware-holic ![]() ![]() ![]() ![]() ![]() ![]() | ![]() Persistance durch Patch bekommen dein freund, du solltest übrigens überdenken ob er wirklich so zu nennen ist, hat dir nen passwort stealer geschickt. deswegen hätte ich diesen gern an hersteller von antimalware software geschickt damit sie den erkennen. bitte erstelle und poste ein combofix log. Ein Leitfaden und Tutorium zur Nutzung von ComboFix
__________________ --> Persistance durch Patch bekommen |
![]() | #7 |
![]() ![]() | ![]() Persistance durch Patch bekommenCode:
ATTFilter ComboFix 11-10-06.03 - Markus 06.10.2011 15:32:28.1.4 - x64 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.8174.6576 [GMT 2:00] ausgeführt von:: c:\users\Markus\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Neuer Wiederherstellungspunkt wurde erstellt . . ((((((((((((((((((((((( Dateien erstellt von 2011-09-06 bis 2011-10-06 )))))))))))))))))))))))))))))) . . 2011-10-06 13:17 . 2011-09-13 00:26 9049936 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B76978FB-BC28-458F-BFCB-9B2A2A332EF9}\mpengine.dll 2011-10-05 12:42 . 2011-10-05 12:42 -------- d--h--w- c:\programdata\CanonBJ 2011-10-05 12:42 . 2009-07-14 01:40 83968 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNBPP3.DLL 2011-10-05 12:27 . 2011-10-05 12:27 -------- d-----w- c:\users\Markus\AppData\Roaming\OpenOffice.org 2011-10-05 12:26 . 2011-10-05 12:26 -------- d-----w- c:\program files (x86)\OpenOffice.org 3 2011-10-02 00:20 . 2011-10-02 00:20 -------- d-----w- c:\program files (x86)\Common Files\Java 2011-10-01 23:37 . 2011-10-01 23:37 -------- d-----w- c:\windows\de 2011-10-01 23:16 . 2011-10-01 23:16 270912 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys 2011-10-01 23:16 . 2011-10-01 23:16 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite 2011-10-01 23:16 . 2011-10-02 00:22 -------- d-----w- c:\users\Markus\AppData\Roaming\DAEMON Tools Lite 2011-10-01 23:16 . 2011-10-01 23:16 -------- d-----w- c:\programdata\DAEMON Tools Lite 2011-10-01 14:35 . 2011-10-01 14:35 180356 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll 2011-10-01 14:35 . 2004-07-15 22:20 733184 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll 2011-10-01 14:35 . 2004-07-15 22:20 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll 2011-10-01 14:35 . 2004-07-15 22:19 266240 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll 2011-10-01 14:35 . 2004-07-15 22:18 172032 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll 2011-10-01 14:35 . 2004-07-15 22:18 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe 2011-10-01 14:35 . 2011-10-01 14:35 303236 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll 2011-09-29 11:02 . 2011-09-29 11:02 -------- d-----w- c:\program files (x86)\ESET 2011-09-29 01:26 . 2011-10-06 13:36 -------- d-----w- c:\programdata\NVIDIA 2011-09-29 01:26 . 2011-09-22 22:41 5067584 ----a-w- c:\windows\system32\nvsvc64.dll 2011-09-29 01:26 . 2011-09-22 22:41 137536 ----a-w- c:\windows\system32\nvshext.dll 2011-09-29 01:26 . 2011-09-22 22:41 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll 2011-09-29 01:26 . 2011-09-22 22:41 3074368 ----a-w- c:\windows\system32\nvsvcr.dll 2011-09-29 01:26 . 2011-09-22 22:41 222528 ----a-w- c:\windows\system32\nvmctray.dll 2011-09-29 01:26 . 2011-09-22 22:41 1640768 ----a-w- c:\windows\system32\nvvsvc.exe 2011-09-29 01:26 . 2011-09-22 22:41 10406208 ----a-w- c:\windows\system32\nvcpl.dll 2011-09-29 01:26 . 2011-09-29 01:26 -------- d-----w- c:\programdata\NVIDIA Corporation 2011-09-29 01:18 . 2011-09-29 01:18 -------- d-----w- c:\program files (x86)\Battlelog Web Plugins 2011-09-28 01:04 . 2011-09-28 01:04 -------- d-----w- c:\users\Markus\AppData\Local\Risen 2011-09-28 01:03 . 2011-09-28 01:03 314016 ----a-w- c:\windows\system32\drivers\atksgt.sys 2011-09-28 01:03 . 2011-09-28 01:03 43680 ----a-w- c:\windows\system32\drivers\lirsgt.sys 2011-09-28 01:03 . 2011-09-28 01:03 -------- d-----w- c:\windows\1C4551A64743409391E41477CD655043.TMP 2011-09-26 22:01 . 2007-06-01 16:37 1037312 ----a-w- c:\windows\system32\drivers\WG111Tvx.sys 2011-09-26 22:01 . 2006-11-28 19:46 43328 ----a-w- c:\windows\system32\drivers\PCAMp50a64.sys 2011-09-26 22:01 . 2006-11-28 19:46 41280 ----a-w- c:\windows\system32\drivers\PCASp50a64.sys 2011-09-26 21:34 . 2011-09-29 01:17 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller 2011-09-26 12:11 . 2011-09-26 12:11 -------- d-----w- c:\users\Markus\AppData\Local\The Witcher 2 2011-09-22 10:29 . 2011-09-22 10:29 321856 ----a-w- c:\windows\SysWow64\nvStreaming.exe 2011-09-21 12:43 . 2011-09-21 12:43 -------- d-----w- c:\windows\6833245EDD86479A882A8360D62C8194.TMP 2011-09-21 12:43 . 2011-09-28 01:03 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard 2011-09-16 13:48 . 2011-09-16 14:40 -------- d-----w- c:\users\Markus\AppData\Local\VMware 2011-09-16 13:47 . 2011-09-17 00:10 -------- d-----w- c:\users\Markus\AppData\Roaming\VMware 2011-09-16 13:40 . 2011-09-17 00:14 -------- d-----w- c:\programdata\VMware 2011-09-15 18:48 . 2011-09-15 19:01 -------- d-----w- c:\users\Markus\VirtualBox VMs 2011-09-15 18:48 . 2011-09-15 19:04 -------- d-----w- c:\users\Markus\.VirtualBox 2011-09-15 18:47 . 2011-08-15 12:32 224048 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys 2011-09-15 18:47 . 2011-09-15 19:11 -------- dc----w- c:\windows\system32\DRVSTORE 2011-09-15 18:47 . 2011-08-15 12:32 128816 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys 2011-09-15 18:12 . 2011-09-15 18:12 -------- d-----w- c:\programdata\Blizzard 2011-09-15 13:29 . 2011-09-30 16:05 -------- d-----w- c:\users\UpdatusUser.Markus-PC 2011-09-12 13:47 . 2011-10-01 15:20 -------- d-----w- c:\users\Markus\AppData\Roaming\Xfire 2011-09-12 13:46 . 2011-09-21 16:50 -------- d-----w- c:\programdata\Xfire 2011-09-12 13:46 . 2011-09-12 13:47 -------- d-----w- c:\program files (x86)\Xfire 2011-09-11 16:16 . 2011-09-11 16:16 -------- d-----w- c:\users\Markus\AppData\Local\NCSoft 2011-09-11 13:08 . 2011-09-11 13:08 -------- d-----w- c:\program files (x86)\NCsoft 2011-09-11 13:07 . 2011-09-11 13:07 -------- d-----w- c:\users\Markus\AppData\Local\assembly 2011-09-11 13:04 . 2011-09-11 13:08 -------- d-----w- c:\users\Markus\AppData\Roaming\GetRightToGo 2011-09-08 16:14 . 2010-11-30 09:43 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16AFEC32-5BA1-4D78-AFE5-40B4ADCC5F7B}\gapaengine.dll 2011-09-07 15:02 . 2011-09-07 15:02 -------- d-----w- c:\users\Markus\AppData\Local\SCE . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-10-03 00:18 . 2011-05-03 12:47 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr 2011-10-03 00:18 . 2011-04-30 19:46 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe 2011-10-01 23:36 . 2009-08-18 09:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2011-10-01 11:09 . 2011-04-30 19:46 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0 2011-09-29 01:16 . 2011-04-30 19:46 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe 2011-09-23 17:57 . 2011-05-19 01:52 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2011-09-13 00:26 . 2011-07-26 15:57 9049936 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-08-31 15:00 . 2011-05-18 17:44 25416 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-29 16:13 . 2011-04-30 19:46 794408 ----a-w- c:\windows\SysWow64\pbsvc.exe 2011-08-26 22:22 . 2011-08-26 22:22 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll 2011-08-26 22:22 . 2011-08-26 22:22 28056 ----a-w- c:\windows\system32\xfcodec64.dll 2011-08-15 12:32 . 2011-08-15 12:32 146736 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys 2011-08-14 01:02 . 2011-08-14 01:02 40960 ----a-r- c:\users\Markus\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe 2011-08-14 01:02 . 2011-08-14 01:02 40960 ----a-r- c:\users\Markus\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe 2011-08-06 15:17 . 2011-08-06 15:15 16384 ----a-w- c:\windows\SysWow64\lgfwunis.exe 2011-08-06 15:13 . 2011-08-06 15:13 29480 ----a-w- c:\windows\SysWow64\msxml3a.dll 2011-08-06 15:13 . 2011-08-06 15:13 353576 ----a-w- c:\windows\SysWow64\msvcr71.dll 2011-08-06 15:13 . 2011-08-06 15:13 505128 ----a-w- c:\windows\SysWow64\msvcp71.dll 2011-07-22 05:42 . 2011-08-10 22:07 2303488 ----a-w- c:\windows\system32\jscript9.dll 2011-07-22 05:36 . 2011-08-10 22:07 1389056 ----a-w- c:\windows\system32\wininet.dll 2011-07-22 05:32 . 2011-08-10 22:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2011-07-22 02:54 . 2011-08-10 22:07 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll 2011-07-22 02:48 . 2011-08-10 22:07 1126912 ----a-w- c:\windows\SysWow64\wininet.dll 2011-07-22 02:44 . 2011-08-10 22:07 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb 2011-07-19 03:05 . 2011-04-27 21:47 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll 2011-07-16 05:41 . 2011-08-10 18:52 362496 ----a-w- c:\windows\system32\wow64win.dll 2011-07-16 05:41 . 2011-08-10 18:52 243200 ----a-w- c:\windows\system32\wow64.dll 2011-07-16 05:41 . 2011-08-10 18:52 13312 ----a-w- c:\windows\system32\wow64cpu.dll 2011-07-16 05:39 . 2011-08-10 18:52 16384 ----a-w- c:\windows\system32\ntvdm64.dll 2011-07-16 05:37 . 2011-08-10 18:52 421888 ----a-w- c:\windows\system32\KernelBase.dll 2011-07-16 05:21 . 2011-08-10 18:52 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll 2011-07-16 04:29 . 2011-08-10 18:52 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll 2011-07-16 04:26 . 2011-08-10 18:52 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2011-07-16 04:25 . 2011-08-10 18:52 25600 ----a-w- c:\windows\SysWow64\setup16.exe 2011-07-16 04:24 . 2011-08-10 18:52 5120 ----a-w- c:\windows\SysWow64\wow32.dll 2011-07-16 04:24 . 2011-08-10 18:52 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll 2011-07-16 02:21 . 2011-08-10 18:52 7680 ----a-w- c:\windows\SysWow64\instnm.exe 2011-07-16 02:21 . 2011-08-10 18:52 2048 ----a-w- c:\windows\SysWow64\user.exe 2011-07-16 02:17 . 2011-08-10 18:52 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll 2011-07-16 02:17 . 2011-08-10 18:52 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll 2011-07-16 02:17 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll 2011-07-16 02:17 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll 2011-07-13 04:53 . 2011-08-09 11:11 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll 2011-07-09 05:26 . 2011-08-24 11:02 2048 ----a-w- c:\windows\system32\tzres.dll 2011-07-09 04:29 . 2011-08-24 11:02 2048 ----a-w- c:\windows\SysWow64\tzres.dll 2011-07-09 02:46 . 2011-08-10 18:52 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Steam"="d:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448] "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "CTxfiHlp"="CTXFIHLP.EXE" [2010-05-05 25600] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920] "RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336] "BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2010-05-14 75048] "LGODDFU"="c:\program files (x86)\lg_fwupdate\fwupdate.exe" [2011-08-06 557056] "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" [2010-06-02 222504] "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] . c:\users\Markus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . R2 CLKMSVC10_9EC60124;CyberLink Product - 2011/08/06 17:14;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-05-14 246256] R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152] R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-09-22 2253120] R3 ALSysIO;ALSysIO;c:\users\Markus\AppData\Local\Temp\ALSysIO64.sys [x] R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x] R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x] R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x] R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-05-28 79360] R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x] R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x] R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x] R3 scramby_out;Scramby Output;c:\windows\system32\drivers\scramby_out.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x] R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x] R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x] R3 WG111T;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WG111Tvx.sys [x] S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-09-22 381248] S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x] S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x] S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x] S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x] S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x] S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x] S3 NisSrv;Microsoft-Netzwerkinspektion;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272] S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x] S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [x] S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x] . . --- Andere Dienste/Treiber im Speicher --- . *Deregistered* - CLKMDRV10_9EC60124 . . --------- x86-64 ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736] "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-01 1873288] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x0 . ------- Zusätzlicher Suchlauf ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: {{7644E42D-B096-457F-8B5B-901238FC81AE} - c:\program files (x86)\ICQ7.6\ICQ.exe Trusted Zone: clonewarsadventures.com Trusted Zone: freerealms.com Trusted Zone: soe.com Trusted Zone: sony.com TCP: DhcpNameServer = FF - ProfilePath - c:\users\Markus\AppData\Roaming\Mozilla\Firefox\Profiles\jgn0wioz.default\ FF - prefs.js: browser.search.selectedEngine - Google Deutschland . - - - - Entfernte verwaiste Registrierungseinträge - - - - . Wow6432Node-HKCU-Run-NCsoft - (no file) AddRemove-Mafia Game - c:\windows\system32\MafiaSetup.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions] @Denied: (2) (LocalSystem) "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc, 1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7 "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23, 94,30,02,d1,0f,f1,da,12,24,73,56,27,d2 "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db, df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration] @Denied: (2) (LocalSystem) "Timestamp"=hex:64,7c,54,af,c6,3d,cc,01 . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,bf,77,7d,83,0f,ae,4f,be,c9,66,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,bf,77,7d,83,0f,ae,4f,be,c9,66,\ . [HKEY_USERS\S-1-5-21-2776381635-1646080414-3709318696-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] @Allowed: (Read) (RestrictedCode) "??"=hex:25,61,75,b0,a7,e2,59,f6,ce,16,da,2b,a1,b5,21,cb,33,36,ea,46,65,08,09, 80,19,a2,51,4b,15,26,28,0b,66,b1,3a,89,f5,a6,28,1b,e1,95,c5,76,62,6d,b0,6d,\ "??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f . [HKEY_USERS\S-1-5-21-2776381635-1646080414-3709318696-1000\Software\SecuROM\License information*] "datasecu"=hex:d6,85,29,e2,88,2d,36,41,59,b2,13,67,1e,83,18,04,fb,e6,52,f3,eb, 9b,7b,35,97,6b,50,dc,e9,76,2b,a4,78,ff,88,19,ab,9e,22,39,9c,e9,be,90,be,b8,\ "rkeysecu"=hex:73,9a,11,58,27,bf,1d,06,ee,3e,66,13,4a,df,a9,1e . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Weitere laufende Prozesse ------------------------ . c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe c:\windows\SysWOW64\PnkBstrA.exe . ************************************************************************** . Zeit der Fertigstellung: 2011-10-06 15:38:48 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2011-10-06 13:38 . Vor Suchlauf: 11 Verzeichnis(se), 66.814.898.176 Bytes frei Nach Suchlauf: 15 Verzeichnis(se), 66.509.881.344 Bytes frei . - - End Of File - - B58C71C90D2F1A3A7BDA22B2D62E244B |
![]() | #8 |
/// Malware-holic ![]() ![]() ![]() ![]() ![]() ![]() | ![]() Persistance durch Patch bekommen start programme zubehör editor kopiere rein: killall:: folder:: c:\Users\Markus\AppData\Roaming\secure-soft bot datei speichern unter, typ alle dateien, ort, dort wo sich combofix.exe befindet. name: cfscript.txt ziehe cfscript auf combofix, programm startet log posten.
__________________ -Verdächtige mails bitte an uns zur Analyse weiterleiten: markusg.trojaner-board@web.de Weiterleiten Anleitung: http://markusg.trojaner-board.de Mails bitte vorerst nach obiger Anleitung an markusg.trojaner-board@web.de Weiterleiten Wenn Ihr uns unterstützen möchtet |
![]() | #9 |
![]() ![]() | ![]() Persistance durch Patch bekommen also vorneweg. ich bin kein laie zum thema viren, malware und co. den ordner gibts schon seit 12 stunden nicht mehr, ebenso die anderen beiden mit persistance.exe und der winupdate.exe ich habe es gelöscht wie im link meines ersten posts. combofix konnte wohl auch nix damit anfangen, da die datei weg war, nachdem ich sie in combofixsymbol gezogen habe. danach hat combofix wieder einen normalen log gemacht. ich würde nur gerne wissen, ob mein system sauber ist. ESET hat wie gesagt nichts gefunden, MBAM auch nicht und ich habe OTL + CF gepostet. Code:
ATTFilter ComboFix 11-10-06.03 - Markus 06.10.2011 15:55:58.2.4 - x64 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.8174.6261 [GMT 2:00] ausgeführt von:: c:\users\Markus\Desktop\ComboFix.exe Benutzte Befehlsschalter :: c:\users\Markus\Desktop\cfscript.txt AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((( Dateien erstellt von 2011-09-06 bis 2011-10-06 )))))))))))))))))))))))))))))) . . 2011-10-06 13:17 . 2011-09-13 00:26 9049936 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B76978FB-BC28-458F-BFCB-9B2A2A332EF9}\mpengine.dll 2011-10-05 12:42 . 2011-10-05 12:42 -------- d--h--w- c:\programdata\CanonBJ 2011-10-05 12:42 . 2009-07-14 01:40 83968 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNBPP3.DLL 2011-10-05 12:27 . 2011-10-05 12:27 -------- d-----w- c:\users\Markus\AppData\Roaming\OpenOffice.org 2011-10-05 12:26 . 2011-10-05 12:26 -------- d-----w- c:\program files (x86)\OpenOffice.org 3 2011-10-02 00:20 . 2011-10-02 00:20 -------- d-----w- c:\program files (x86)\Common Files\Java 2011-10-01 23:37 . 2011-10-01 23:37 -------- d-----w- c:\windows\de 2011-10-01 23:16 . 2011-10-01 23:16 270912 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys 2011-10-01 23:16 . 2011-10-01 23:16 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite 2011-10-01 23:16 . 2011-10-02 00:22 -------- d-----w- c:\users\Markus\AppData\Roaming\DAEMON Tools Lite 2011-10-01 23:16 . 2011-10-01 23:16 -------- d-----w- c:\programdata\DAEMON Tools Lite 2011-10-01 14:35 . 2011-10-01 14:35 180356 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll 2011-10-01 14:35 . 2004-07-15 22:20 733184 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll 2011-10-01 14:35 . 2004-07-15 22:20 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll 2011-10-01 14:35 . 2004-07-15 22:19 266240 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll 2011-10-01 14:35 . 2004-07-15 22:18 172032 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll 2011-10-01 14:35 . 2004-07-15 22:18 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe 2011-10-01 14:35 . 2011-10-01 14:35 303236 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll 2011-09-29 11:02 . 2011-09-29 11:02 -------- d-----w- c:\program files (x86)\ESET 2011-09-29 01:26 . 2011-10-06 13:59 -------- d-----w- c:\programdata\NVIDIA 2011-09-29 01:26 . 2011-09-22 22:41 5067584 ----a-w- c:\windows\system32\nvsvc64.dll 2011-09-29 01:26 . 2011-09-22 22:41 137536 ----a-w- c:\windows\system32\nvshext.dll 2011-09-29 01:26 . 2011-09-22 22:41 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll 2011-09-29 01:26 . 2011-09-22 22:41 3074368 ----a-w- c:\windows\system32\nvsvcr.dll 2011-09-29 01:26 . 2011-09-22 22:41 222528 ----a-w- c:\windows\system32\nvmctray.dll 2011-09-29 01:26 . 2011-09-22 22:41 1640768 ----a-w- c:\windows\system32\nvvsvc.exe 2011-09-29 01:26 . 2011-09-22 22:41 10406208 ----a-w- c:\windows\system32\nvcpl.dll 2011-09-29 01:26 . 2011-09-29 01:26 -------- d-----w- c:\programdata\NVIDIA Corporation 2011-09-29 01:18 . 2011-09-29 01:18 -------- d-----w- c:\program files (x86)\Battlelog Web Plugins 2011-09-28 01:04 . 2011-09-28 01:04 -------- d-----w- c:\users\Markus\AppData\Local\Risen 2011-09-28 01:03 . 2011-09-28 01:03 314016 ----a-w- c:\windows\system32\drivers\atksgt.sys 2011-09-28 01:03 . 2011-09-28 01:03 43680 ----a-w- c:\windows\system32\drivers\lirsgt.sys 2011-09-28 01:03 . 2011-09-28 01:03 -------- d-----w- c:\windows\1C4551A64743409391E41477CD655043.TMP 2011-09-26 22:01 . 2007-06-01 16:37 1037312 ----a-w- c:\windows\system32\drivers\WG111Tvx.sys 2011-09-26 22:01 . 2006-11-28 19:46 43328 ----a-w- c:\windows\system32\drivers\PCAMp50a64.sys 2011-09-26 22:01 . 2006-11-28 19:46 41280 ----a-w- c:\windows\system32\drivers\PCASp50a64.sys 2011-09-26 21:34 . 2011-09-29 01:17 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller 2011-09-26 12:11 . 2011-09-26 12:11 -------- d-----w- c:\users\Markus\AppData\Local\The Witcher 2 2011-09-22 10:29 . 2011-09-22 10:29 321856 ----a-w- c:\windows\SysWow64\nvStreaming.exe 2011-09-21 12:43 . 2011-09-21 12:43 -------- d-----w- c:\windows\6833245EDD86479A882A8360D62C8194.TMP 2011-09-21 12:43 . 2011-09-28 01:03 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard 2011-09-16 13:48 . 2011-09-16 14:40 -------- d-----w- c:\users\Markus\AppData\Local\VMware 2011-09-16 13:47 . 2011-09-17 00:10 -------- d-----w- c:\users\Markus\AppData\Roaming\VMware 2011-09-16 13:40 . 2011-09-17 00:14 -------- d-----w- c:\programdata\VMware 2011-09-15 18:48 . 2011-09-15 19:01 -------- d-----w- c:\users\Markus\VirtualBox VMs 2011-09-15 18:48 . 2011-09-15 19:04 -------- d-----w- c:\users\Markus\.VirtualBox 2011-09-15 18:47 . 2011-08-15 12:32 224048 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys 2011-09-15 18:47 . 2011-09-15 19:11 -------- dc----w- c:\windows\system32\DRVSTORE 2011-09-15 18:47 . 2011-08-15 12:32 128816 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys 2011-09-15 18:12 . 2011-09-15 18:12 -------- d-----w- c:\programdata\Blizzard 2011-09-15 13:29 . 2011-09-30 16:05 -------- d-----w- c:\users\UpdatusUser.Markus-PC 2011-09-12 13:47 . 2011-10-01 15:20 -------- d-----w- c:\users\Markus\AppData\Roaming\Xfire 2011-09-12 13:46 . 2011-09-21 16:50 -------- d-----w- c:\programdata\Xfire 2011-09-12 13:46 . 2011-09-12 13:47 -------- d-----w- c:\program files (x86)\Xfire 2011-09-11 16:16 . 2011-09-11 16:16 -------- d-----w- c:\users\Markus\AppData\Local\NCSoft 2011-09-11 13:08 . 2011-09-11 13:08 -------- d-----w- c:\program files (x86)\NCsoft 2011-09-11 13:07 . 2011-09-11 13:07 -------- d-----w- c:\users\Markus\AppData\Local\assembly 2011-09-11 13:04 . 2011-09-11 13:08 -------- d-----w- c:\users\Markus\AppData\Roaming\GetRightToGo 2011-09-08 16:14 . 2010-11-30 09:43 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16AFEC32-5BA1-4D78-AFE5-40B4ADCC5F7B}\gapaengine.dll 2011-09-07 15:02 . 2011-09-07 15:02 -------- d-----w- c:\users\Markus\AppData\Local\SCE . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-10-03 00:18 . 2011-05-03 12:47 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr 2011-10-03 00:18 . 2011-04-30 19:46 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe 2011-10-01 23:36 . 2009-08-18 09:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2011-10-01 11:09 . 2011-04-30 19:46 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0 2011-09-29 01:16 . 2011-04-30 19:46 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe 2011-09-23 17:57 . 2011-05-19 01:52 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2011-09-13 00:26 . 2011-07-26 15:57 9049936 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-08-31 15:00 . 2011-05-18 17:44 25416 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-29 16:13 . 2011-04-30 19:46 794408 ----a-w- c:\windows\SysWow64\pbsvc.exe 2011-08-26 22:22 . 2011-08-26 22:22 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll 2011-08-26 22:22 . 2011-08-26 22:22 28056 ----a-w- c:\windows\system32\xfcodec64.dll 2011-08-15 12:32 . 2011-08-15 12:32 146736 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys 2011-08-14 01:02 . 2011-08-14 01:02 40960 ----a-r- c:\users\Markus\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe 2011-08-14 01:02 . 2011-08-14 01:02 40960 ----a-r- c:\users\Markus\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe 2011-08-06 15:17 . 2011-08-06 15:15 16384 ----a-w- c:\windows\SysWow64\lgfwunis.exe 2011-08-06 15:13 . 2011-08-06 15:13 29480 ----a-w- c:\windows\SysWow64\msxml3a.dll 2011-08-06 15:13 . 2011-08-06 15:13 353576 ----a-w- c:\windows\SysWow64\msvcr71.dll 2011-08-06 15:13 . 2011-08-06 15:13 505128 ----a-w- c:\windows\SysWow64\msvcp71.dll 2011-07-22 05:42 . 2011-08-10 22:07 2303488 ----a-w- c:\windows\system32\jscript9.dll 2011-07-22 05:36 . 2011-08-10 22:07 1389056 ----a-w- c:\windows\system32\wininet.dll 2011-07-22 05:32 . 2011-08-10 22:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2011-07-22 02:54 . 2011-08-10 22:07 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll 2011-07-22 02:48 . 2011-08-10 22:07 1126912 ----a-w- c:\windows\SysWow64\wininet.dll 2011-07-22 02:44 . 2011-08-10 22:07 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb 2011-07-19 03:05 . 2011-04-27 21:47 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll 2011-07-16 05:41 . 2011-08-10 18:52 362496 ----a-w- c:\windows\system32\wow64win.dll 2011-07-16 05:41 . 2011-08-10 18:52 243200 ----a-w- c:\windows\system32\wow64.dll 2011-07-16 05:41 . 2011-08-10 18:52 13312 ----a-w- c:\windows\system32\wow64cpu.dll 2011-07-16 05:39 . 2011-08-10 18:52 16384 ----a-w- c:\windows\system32\ntvdm64.dll 2011-07-16 05:37 . 2011-08-10 18:52 421888 ----a-w- c:\windows\system32\KernelBase.dll 2011-07-16 05:21 . 2011-08-10 18:52 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll 2011-07-16 05:21 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll 2011-07-16 04:29 . 2011-08-10 18:52 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll 2011-07-16 04:26 . 2011-08-10 18:52 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2011-07-16 04:25 . 2011-08-10 18:52 25600 ----a-w- c:\windows\SysWow64\setup16.exe 2011-07-16 04:24 . 2011-08-10 18:52 5120 ----a-w- c:\windows\SysWow64\wow32.dll 2011-07-16 04:24 . 2011-08-10 18:52 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll 2011-07-16 04:15 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll 2011-07-16 02:21 . 2011-08-10 18:52 7680 ----a-w- c:\windows\SysWow64\instnm.exe 2011-07-16 02:21 . 2011-08-10 18:52 2048 ----a-w- c:\windows\SysWow64\user.exe 2011-07-16 02:17 . 2011-08-10 18:52 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll 2011-07-16 02:17 . 2011-08-10 18:52 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll 2011-07-16 02:17 . 2011-08-10 18:52 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll 2011-07-16 02:17 . 2011-08-10 18:52 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll 2011-07-13 04:53 . 2011-08-09 11:11 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll 2011-07-09 05:26 . 2011-08-24 11:02 2048 ----a-w- c:\windows\system32\tzres.dll 2011-07-09 04:29 . 2011-08-24 11:02 2048 ----a-w- c:\windows\SysWow64\tzres.dll 2011-07-09 02:46 . 2011-08-10 18:52 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Steam"="d:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448] "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "CTxfiHlp"="CTXFIHLP.EXE" [2010-05-05 25600] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920] "RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336] "BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2010-05-14 75048] "LGODDFU"="c:\program files (x86)\lg_fwupdate\fwupdate.exe" [2011-08-06 557056] "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" [2010-06-02 222504] "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] . c:\users\Markus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ CurseClientStartup.ccip [2011-10-6 0] OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . R2 CLKMSVC10_9EC60124;CyberLink Product - 2011/08/06 17:14;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-05-14 246256] R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152] R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-09-22 2253120] R3 ALSysIO;ALSysIO;c:\users\Markus\AppData\Local\Temp\ALSysIO64.sys [x] R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x] R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x] R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x] R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-05-28 79360] R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x] R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x] R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x] R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x] R3 scramby_out;Scramby Output;c:\windows\system32\drivers\scramby_out.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x] R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x] R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x] R3 WG111T;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WG111Tvx.sys [x] S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-09-22 381248] S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x] S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x] S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x] S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x] S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x] S3 NisSrv;Microsoft-Netzwerkinspektion;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272] S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x] S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [x] S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x] . . --- Andere Dienste/Treiber im Speicher --- . *Deregistered* - CLKMDRV10_9EC60124 . . --------- x86-64 ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736] "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-01 1873288] . ------- Zusätzlicher Suchlauf ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: {{7644E42D-B096-457F-8B5B-901238FC81AE} - c:\program files (x86)\ICQ7.6\ICQ.exe Trusted Zone: clonewarsadventures.com Trusted Zone: freerealms.com Trusted Zone: soe.com Trusted Zone: sony.com TCP: DhcpNameServer = FF - ProfilePath - c:\users\Markus\AppData\Roaming\Mozilla\Firefox\Profiles\jgn0wioz.default\ FF - prefs.js: browser.search.selectedEngine - Google Deutschland . - - - - Entfernte verwaiste Registrierungseinträge - - - - . AddRemove-Mafia Game - c:\windows\system32\MafiaSetup.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions] @Denied: (2) (LocalSystem) "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc, 1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7 "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23, 94,30,02,d1,0f,f1,da,12,24,73,56,27,d2 "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db, df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration] @Denied: (2) (LocalSystem) "Timestamp"=hex:64,7c,54,af,c6,3d,cc,01 . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,bf,77,7d,83,0f,ae,4f,be,c9,66,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,bf,77,7d,83,0f,ae,4f,be,c9,66,\ . [HKEY_USERS\S-1-5-21-2776381635-1646080414-3709318696-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] @Allowed: (Read) (RestrictedCode) "??"=hex:25,61,75,b0,a7,e2,59,f6,ce,16,da,2b,a1,b5,21,cb,33,36,ea,46,65,08,09, 80,19,a2,51,4b,15,26,28,0b,66,b1,3a,89,f5,a6,28,1b,e1,95,c5,76,62,6d,b0,6d,\ "??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f . [HKEY_USERS\S-1-5-21-2776381635-1646080414-3709318696-1000\Software\SecuROM\License information*] "datasecu"=hex:d6,85,29,e2,88,2d,36,41,59,b2,13,67,1e,83,18,04,fb,e6,52,f3,eb, 9b,7b,35,97,6b,50,dc,e9,76,2b,a4,78,ff,88,19,ab,9e,22,39,9c,e9,be,90,be,b8,\ "rkeysecu"=hex:73,9a,11,58,27,bf,1d,06,ee,3e,66,13,4a,df,a9,1e . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Weitere laufende Prozesse ------------------------ . c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe c:\windows\SysWOW64\PnkBstrA.exe . ************************************************************************** . Zeit der Fertigstellung: 2011-10-06 16:01:45 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2011-10-06 14:01 ComboFix2.txt 2011-10-06 13:38 . Vor Suchlauf: 14 Verzeichnis(se), 66.752.884.736 Bytes frei Nach Suchlauf: 14 Verzeichnis(se), 66.521.870.336 Bytes frei . - - End Of File - - E83DD303DD2849725C851B72AC68C258 |
![]() | #10 |
/// Malware-holic ![]() ![]() ![]() ![]() ![]() ![]() | ![]() Persistance durch Patch bekommen das sehe ich das du das gepostet hast. und ich untersuche den pc ob er sauber ist. gibts beeinträchtigungen seit dem die malware aktiv war?
__________________ -Verdächtige mails bitte an uns zur Analyse weiterleiten: markusg.trojaner-board@web.de Weiterleiten Anleitung: http://markusg.trojaner-board.de Mails bitte vorerst nach obiger Anleitung an markusg.trojaner-board@web.de Weiterleiten Wenn Ihr uns unterstützen möchtet |
![]() | #11 |
![]() ![]() | ![]() Persistance durch Patch bekommen also langsamer ist er nicht und nimmt auch keinen kontakt mit dem inet auf wenn nichts ist (Netzwerkauslastung bei 0%) Auslastung im Durchschnitt bei 0% wenn du das meinst Geändert von DonSerious (06.10.2011 um 15:54 Uhr) |
![]() | #12 |
/// Malware-holic ![]() ![]() ![]() ![]() ![]() ![]() | ![]() Persistance durch Patch bekommen ja. öffne otl klicke bereinigung, pc startet neu und otl und combofix werden gelöscht. endere sämmtliche passwörter.
__________________ -Verdächtige mails bitte an uns zur Analyse weiterleiten: markusg.trojaner-board@web.de Weiterleiten Anleitung: http://markusg.trojaner-board.de Mails bitte vorerst nach obiger Anleitung an markusg.trojaner-board@web.de Weiterleiten Wenn Ihr uns unterstützen möchtet |
![]() | #13 |
![]() ![]() | ![]() Persistance durch Patch bekommen danke, waren die logs sauber? |
![]() | #14 |
/// Malware-holic ![]() ![]() ![]() ![]() ![]() ![]() | ![]() Persistance durch Patch bekommen na sonst würd ich ja nicht sagen das die passwörter geendert werden müssen :-) logs sehen ok aus
__________________ -Verdächtige mails bitte an uns zur Analyse weiterleiten: markusg.trojaner-board@web.de Weiterleiten Anleitung: http://markusg.trojaner-board.de Mails bitte vorerst nach obiger Anleitung an markusg.trojaner-board@web.de Weiterleiten Wenn Ihr uns unterstützen möchtet |
![]() | #15 |
![]() ![]() | ![]() Persistance durch Patch bekommen wenn die logs sauber waren, warum muss ich dann die passwörter ändern, wenn ich zum zeitpunkt der infektion nicht mit dem internet verbunden war und ich es gelöscht habe bevor ich wiederverbunden habe. |
![]() |
Themen zu Persistance durch Patch bekommen |
5 minuten, 64-bit, adobe, adobe flash player, battlefield 3, bho, c:\windows\system32\rundll32.exe, call of duty, curse, error, explorer, firefox, flash player, format, google, grand theft auto, h.264/mpeg-4, helper, home, install.exe, installation, langs, launch, logfile, malware, microsoft security, monkey island, nvidia, nvidia update, object, opera, plug-in, programme, realtek, recuva, rundll, security, shell32.dll, shortcut, software, starten, teamspeak, version=1.0, virtualbox, webcheck, windows |