Bundespolizei trojaner; OTL & gmer Logs vorhanden

tom52 · 18.11.2011, 11:11

Hallo,

ich habe mir den bka / bundespolizeitrojaner auf meinem notebook eingefangen.
nach dem starten geht nix mehr. der task manager öffnet sich auch nicht. ich habe zuerst den avira de cleaner laufen lassen.

der hat zwar drei einträge gefunden und entfernt, bei den namen der einträge dachte ich mir aber schon, dass das nicht dir richtigen sind.
und so wars auch. ich bekomme immer noch die sperrung und die ukash zahlungsaufforderung. (ganz unten im post hab ich das ergebnis file von avira mal mit gepostet. es gibt noch ein ausführlicheres logfile. falls das gewünscht wird, bitte bescheid geben.

so probier ichs jetzt hier.

ich hoffe ich hab mich vollständig an die erwünschte vorgehensweise gehalten:

also:
win 7 home
x86 systemtyp
ich habe alle logfiles im abgesicherten modus und alsadmin erstellt.

defogger log file (der wollte übrigens keinen neustart entgegen der anleitung von sunny

Code:

ATTFilter

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 10:17 on 18/11/2011 (Administrator)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

OTL logfile

Code:

ATTFilter

OTL logfile created on: 11/18/2011 9:44:05 AM - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = C:\Users\***\Desktop
 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2.97 Gb Total Physical Memory | 2.43 Gb Available Physical Memory | 81.92% Memory free
5.93 Gb Paging File | 5.48 Gb Available in Paging File | 92.44% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 101.88 Gb Total Space | 58.72 Gb Free Space | 57.64% Space Free | Partition Type: NTFS
Drive D: | 181.12 Gb Total Space | 164.36 Gb Free Space | 90.75% Space Free | Partition Type: NTFS
Drive E: | 6.33 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 1.86 Gb Total Space | 1.25 Gb Free Space | 67.37% Space Free | Partition Type: FAT32
 
Computer Name: ***-PC | User Name: *** | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Users\***\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\cmd.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll ()
MOD - C:\Program Files\WinRAR\rarext.dll ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (OberonGameConsoleService) -- C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe ()
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
SRV - (PSI_SVC_2) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (aswSnx) -- C:\windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswTdi) -- C:\windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswRdr) -- C:\windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Lbd) -- C:\windows\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\URLSearchHook:  - No CLSID value found
IE - HKLM\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - No CLSID value found
IE - HKLM\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://start.icq.com/
IE - HKCU\..\URLSearchHook:  - No CLSID value found
IE - HKCU\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.9&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://start.icq.com/"
FF - prefs.js..extensions.enabledItems: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f}:2.5.8.6
FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:1.1.7
FF - prefs.js..extensions.enabledItems: {7f57cf46-4467-4c2d-adfa-0cba7c507e54}:0.19.7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..extensions.enabledItems: 2020Player@2020Technologies.com:4.5.2.0
FF - prefs.js..extensions.enabledItems: wrc@avast.com:20110101
FF - prefs.js..keyword.URL: "hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.3.6&q="
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/08/07 15:10:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/15 06:15:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/14 19:57:17 | 000,000,000 | ---D | M]
 
[2009/11/28 16:44:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2011/11/07 18:50:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\ez78r71e.default\extensions
[2011/10/26 18:12:30 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\ez78r71e.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/11/07 18:50:58 | 000,000,000 | ---D | M] ("ICQ Toolbar") -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\ez78r71e.default\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2010/03/22 19:55:26 | 000,000,000 | ---D | M] (DVDVideoSoft Toolbar) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\ez78r71e.default\extensions\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}
[2010/09/30 15:23:47 | 000,000,000 | ---D | M] (20-20 3D Viewer) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\ez78r71e.default\extensions\2020Player@2020Technologies.com
[2009/11/28 19:51:20 | 000,000,881 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\conduit.xml
[2011/11/17 18:07:53 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-1.xml
[2010/10/31 19:15:46 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-10.xml
[2010/11/03 19:56:31 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-11.xml
[2011/04/05 19:25:38 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-12.xml
[2011/05/03 20:00:54 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-13.xml
[2011/05/18 20:11:53 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-14.xml
[2011/08/15 06:15:31 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-15.xml
[2010/03/26 23:17:02 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-2.xml
[2010/03/28 16:02:40 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-3.xml
[2010/04/03 06:51:48 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-4.xml
[2010/06/29 17:13:52 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-5.xml
[2010/06/30 14:21:31 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-6.xml
[2010/07/26 18:00:20 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-7.xml
[2010/08/15 13:06:02 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-8.xml
[2010/10/30 23:34:08 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin-9.xml
[2011/10/30 12:09:30 | 000,000,168 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin.gif
[2011/10/30 12:09:30 | 000,000,618 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin.src
[2010/06/21 16:35:24 | 000,001,042 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\icqplugin.xml
[2009/12/02 22:50:48 | 000,004,153 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\searchplugins\youtube.xml
[2011/06/13 14:01:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\mozilla firefox\extensions
[2009/12/02 20:44:37 | 000,000,000 | ---D | M] ("ICQ Toolbar") -- C:\Program Files\mozilla firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2010/05/22 21:15:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/06/13 14:01:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/08/07 15:10:38 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
() (No name found) -- C:\USERS\***\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\EZ78R71E.DEFAULT\EXTENSIONS\{7F57CF46-4467-4C2D-ADFA-0CBA7C507E54}.XPI
[2011/08/15 06:15:16 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/05/18 20:07:04 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011/05/18 20:07:04 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/05/18 20:07:04 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011/05/18 20:07:04 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2010/08/15 11:38:55 | 000,002,027 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
[2011/05/18 20:07:04 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011/05/18 20:07:04 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (DVDVideoSoft Toolbar) - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoft Toolbar) - {E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - C:\Program Files\DVDVideoSoft\tbDVDV.dll (Conduit Ltd.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKCU..\Run: [avupdate] C:\Users\***\AppData\Roaming\mahmud.exe (NEC Computers International)
O4 - HKCU..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent File not found
O4 - HKCU..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: add to &BOM - C:\\PROGRA~1\\BIET-O~1\\\\AddToBOM.hta ()
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C170A8B9-F14C-43E9-9E6B-9B45260A4B0D}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O31 - SafeBoot: UseAlternatShell - 1
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/08/11 03:04:53 | 000,247,696 | R--- | M] (Konami Digital Entertainment Co., Ltd.) - E:\autorun.exe -- [ UDF ]
O32 - AutoRun File - [2011/08/11 03:04:53 | 000,000,047 | R--- | M] () - E:\Autorun.inf -- [ UDF ]
O33 - MountPoints2\{04f00496-36a3-11df-9292-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{04f00496-36a3-11df-9292-806e6f6e6963}\Shell\AutoRun\command - "" = F:\.\Autorun.exe AUTORUN=1
O33 - MountPoints2\{12ad8651-36b3-11df-b0bb-00245422090d}\Shell - "" = AutoRun
O33 - MountPoints2\{12ad8651-36b3-11df-b0bb-00245422090d}\Shell\AutoRun\command - "" = F:\.\Autorun.exe AUTORUN=1
O33 - MountPoints2\{8e073bbf-36a3-11df-ab3b-00245422090d}\Shell - "" = AutoRun
O33 - MountPoints2\{8e073bbf-36a3-11df-ab3b-00245422090d}\Shell\AutoRun\command - "" = F:\.\Autorun.exe AUTORUN=1
O33 - MountPoints2\{944fb5d5-c363-11de-9e20-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{944fb5d5-c363-11de-9e20-806e6f6e6963}\Shell\AutoRun\command - "" = E:\autorun.exe -- [2011/08/11 03:04:53 | 000,247,696 | R--- | M] (Konami Digital Entertainment Co., Ltd.)
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011/11/18 09:43:29 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2011/11/17 23:22:28 | 000,190,976 | ---- | C] (NEC Computers International) -- C:\Users\***\AppData\Roaming\mahmud.exe
[2011/11/13 19:25:12 | 000,000,000 | ---D | C] -- C:\Users\***\Desktop\mischa
[2011/11/13 15:10:21 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MegaCAD V16.01 ACIS V
[2011/11/13 15:09:49 | 000,000,000 | ---D | C] -- C:\MEGAV16V
[2011/11/13 15:09:34 | 000,000,000 | RH-D | C] -- C:\MINSTALL.T
[2011/11/13 15:09:14 | 000,000,000 | ---D | C] -- C:\Users\***\Desktop\megacad_v16_3d
[2011/11/12 22:28:39 | 000,000,000 | ---D | C] -- C:\Users\***\Documents\KONAMI
[2011/11/12 12:47:06 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xactengine2_5.dll
[2011/11/12 12:47:05 | 000,440,080 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\d3dx10.dll
[2011/11/12 12:47:02 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xactengine2_4.dll
[2011/11/12 12:47:02 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\x3daudio1_1.dll
[2011/11/12 12:47:01 | 000,068,888 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xinput1_3.dll
[2011/11/12 12:47:00 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\d3dx9_31.dll
[2011/11/12 12:46:59 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xactengine2_3.dll
[2011/11/12 12:46:58 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xinput1_2.dll
[2011/11/12 12:46:57 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xactengine2_2.dll
[2011/11/12 12:46:56 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xinput1_1.dll
[2011/11/12 12:46:55 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xactengine2_1.dll
[2011/11/12 12:46:45 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\d3dx9_30.dll
[2011/11/12 12:46:44 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xactengine2_0.dll
[2011/11/12 12:46:44 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\x3daudio1_0.dll
[2011/11/12 12:46:43 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\d3dx9_29.dll
[2011/11/12 12:46:41 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\d3dx9_28.dll
[2011/11/12 12:46:40 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\d3dx9_27.dll
[2011/11/12 12:46:39 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\d3dx9_26.dll
[2011/11/12 12:46:37 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\d3dx9_25.dll
[2011/11/12 12:46:36 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\d3dx9_24.dll
[2011/11/12 12:39:21 | 000,000,000 | ---D | C] -- C:\ProgramData\KONAMI
[2011/11/12 12:39:21 | 000,000,000 | ---D | C] -- C:\Program Files\KONAMI
[2011/11/08 21:46:06 | 002,339,840 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\win32k.sys
 
========== Files - Modified Within 30 Days ==========
 
[2011/11/18 09:05:21 | 000,000,370 | ---- | M] () -- C:\windows\tasks\Ad-Aware Update (Weekly).job
[2011/11/18 09:05:21 | 000,000,370 | ---- | M] () -- C:\windows\tasks\Ad-Aware Update (Daily 4).job
[2011/11/18 09:05:21 | 000,000,370 | ---- | M] () -- C:\windows\tasks\Ad-Aware Update (Daily 3).job
[2011/11/18 09:05:21 | 000,000,370 | ---- | M] () -- C:\windows\tasks\Ad-Aware Update (Daily 2).job
[2011/11/18 09:05:21 | 000,000,370 | ---- | M] () -- C:\windows\tasks\Ad-Aware Update (Daily 1).job
[2011/11/18 09:04:21 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2011/11/18 09:04:18 | 2388,086,784 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/18 00:04:38 | 000,700,598 | ---- | M] () -- C:\windows\System32\perfh007.dat
[2011/11/18 00:04:38 | 000,653,700 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2011/11/18 00:04:38 | 000,149,714 | ---- | M] () -- C:\windows\System32\perfc007.dat
[2011/11/18 00:04:38 | 000,120,892 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2011/11/17 23:39:33 | 000,014,512 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 23:39:33 | 000,014,512 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 23:22:28 | 000,190,976 | ---- | M] (NEC Computers International) -- C:\Users\***\AppData\Roaming\mahmud.exe
[2011/11/10 21:55:57 | 244,825,786 | ---- | M] () -- C:\windows\MEMORY.DMP
[2011/11/10 14:53:02 | 000,419,232 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
 
========== Files Created - No Company Name ==========
 
[2011/11/17 23:26:11 | 000,000,370 | ---- | C] () -- C:\windows\tasks\Ad-Aware Update (Weekly).job
[2011/11/17 23:26:11 | 000,000,370 | ---- | C] () -- C:\windows\tasks\Ad-Aware Update (Daily 4).job
[2011/11/17 23:26:11 | 000,000,370 | ---- | C] () -- C:\windows\tasks\Ad-Aware Update (Daily 3).job
[2011/11/17 23:26:11 | 000,000,370 | ---- | C] () -- C:\windows\tasks\Ad-Aware Update (Daily 2).job
[2011/11/17 23:26:11 | 000,000,370 | ---- | C] () -- C:\windows\tasks\Ad-Aware Update (Daily 1).job
[2010/12/01 20:38:53 | 000,000,088 | RHS- | C] () -- C:\ProgramData\DBE129CFA4.sys
[2010/12/01 20:38:52 | 000,002,828 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/11/15 21:33:43 | 000,000,425 | ---- | C] () -- C:\windows\BRWMARK.INI
[2010/11/15 21:15:24 | 000,031,864 | ---- | C] () -- C:\windows\maxlink.ini
[2010/09/26 19:28:26 | 000,000,542 | ---- | C] () -- C:\windows\scummvm.ini
[2010/04/28 16:43:43 | 000,015,873 | ---- | C] () -- C:\windows\System32\Inetde.dll
[2010/03/14 22:01:48 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/01/05 20:35:56 | 000,015,880 | ---- | C] () -- C:\windows\System32\lsdelete.exe
[2009/11/25 16:39:11 | 000,000,002 | ---- | C] () -- C:\windows\HotFixList.ini
[2009/11/25 16:24:29 | 000,131,368 | ---- | C] () -- C:\ProgramData\FullRemove.exe
[2009/09/22 23:05:23 | 000,700,598 | ---- | C] () -- C:\windows\System32\perfh007.dat
[2009/09/22 23:05:23 | 000,295,922 | ---- | C] () -- C:\windows\System32\perfi007.dat
[2009/09/22 23:05:23 | 000,149,714 | ---- | C] () -- C:\windows\System32\perfc007.dat
[2009/09/22 23:05:23 | 000,038,104 | ---- | C] () -- C:\windows\System32\perfd007.dat
[2009/09/22 06:45:54 | 000,307,200 | ---- | C] () -- C:\windows\SetDisplayResolution.exe
[2009/09/22 06:21:26 | 000,073,728 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2009/07/14 05:57:37 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009/07/14 05:33:53 | 000,419,232 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
[2009/07/14 03:05:48 | 000,653,700 | ---- | C] () -- C:\windows\System32\perfh009.dat
[2009/07/14 03:05:48 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat
[2009/07/14 03:05:48 | 000,120,892 | ---- | C] () -- C:\windows\System32\perfc009.dat
[2009/07/14 03:05:48 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat
[2009/07/14 03:05:05 | 000,000,741 | ---- | C] () -- C:\windows\System32\NOISE.DAT
[2009/07/14 03:04:11 | 000,215,943 | ---- | C] () -- C:\windows\System32\dssec.dat
[2009/07/14 00:55:01 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
[2009/07/13 23:09:19 | 000,982,196 | ---- | C] () -- C:\windows\System32\igkrng500.bin
[2009/07/13 23:09:19 | 000,417,344 | ---- | C] () -- C:\windows\System32\igcompkrng500.bin
[2009/07/13 23:09:19 | 000,139,824 | ---- | C] () -- C:\windows\System32\igfcg500.bin
[2009/07/13 23:09:19 | 000,097,448 | ---- | C] () -- C:\windows\System32\igfcg500m.bin
[2009/06/10 22:26:10 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat
[2007/04/27 09:43:58 | 000,120,200 | ---- | C] () -- C:\windows\System32\DLLDEV32i.dll
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 146 bytes -> C:\ProgramData\Temp:5C5A503E
@Alternate Data Stream - 136 bytes -> C:\ProgramData\Temp:4CF61E54
@Alternate Data Stream - 133 bytes -> C:\ProgramData\Temp:BB24555F
@Alternate Data Stream - 133 bytes -> C:\ProgramData\Temp:1198CD34

< End of report >

OTL extras:

Code:

ATTFilter

OTL Extras logfile created on: 11/18/2011 9:44:05 AM - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = C:\Users\***\Desktop
 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2.97 Gb Total Physical Memory | 2.43 Gb Available Physical Memory | 81.92% Memory free
5.93 Gb Paging File | 5.48 Gb Available in Paging File | 92.44% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 101.88 Gb Total Space | 58.72 Gb Free Space | 57.64% Space Free | Partition Type: 

NTFS
Drive D: | 181.12 Gb Total Space | 164.36 Gb Free Space | 90.75% Space Free | Partition 

Type: NTFS
Drive E: | 6.33 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 1.86 Gb Total Space | 1.25 Gb Free Space | 67.37% Space Free | Partition Type: 

FAT32
 
Computer Name: ***-PC | User Name: *** | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | 

File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla 

Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft 

Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe 

%SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file 

--playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L"
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file 

--no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = 

C:\Program Files\Logitech\Logitech Harmony Remote Software 

7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = 

C:\Program Files\Logitech\Logitech Harmony Remote Software 

7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW(R) Graphics Suite X4
"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW(R) Graphics Suite X4 - Windows Shell 

Extension
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{02570AE0-BEE0-4A6C-BE3F-D806E9F2EA17}" = ScanSoft PaperPort 11
"{028ED9C4-25EE-4DEE-9CF4-91034BC89B18}" = Microsoft SQL Server 2005 Express Edition 

(MSSMLBIZ)
"{07629207-FAA0-4F1A-8092-BF5085BE511F}" = Unterstützungsdateien für das Microsoft SQL 

Server-Setup (Englisch)
"{1401311D-3960-4CEB-AC0B-4214F069E5B9}" = Sonos Desktop Controller
"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution 4
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{178EE5F4-0F86-4BF0-A0D1-9790AFF409D1}" = EasyBatteryManager
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1AFA1FEF-8CF9-4A51-AC46-64FAA7F3D9E2}" = AnyPC Client
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 

9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 26
"{2A125DB3-CE73-46FC-A1F9-E25E5C201143}" = MAGIX Screenshare
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{44A27085-0616-4181-A0C3-81C7ECA17F73}" = CorelDRAW Graphics Suite X4
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4cb9f93c-9edc-4be9-ae61-af128ddbecfa}" = Business Contact Manager für Outlook 2007 SP2
"{4D2121FE-5CCC-4D47-B3A0-BF56045A5099}" = Samsung Support Center
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{586509F0-350D-48B5-B763-9CC2F8D96C4C}" = Windows Live Sync
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{62562224-27D6-4542-AD91-1DAD0B965A0D}" = MAGIX Foto & Grafik Designer 7 Download-Version
"{63eafc52-b963-4297-a7eb-d412944e7065}_is1" = Game Pack
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - 

x86 8.0.50727.4053
"{7C5B4583-7CBF-4289-B195-03B553959DEA}" = VoiceOver Kit
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW Graphics SUite X4 - ICA
"{7F05E704-30A6-421A-97A7-8EEB1C7FF012}" = CorelDRAW Graphics Suite X4 - Capture
"{7F05E704-30A6-421A-97A7-8EEB1C7FF013}" = CorelDRAW Graphics Suite X4 - Draw
"{7F05E704-30A6-421A-97A7-8EEB1C7FF014}" = CorelDRAW Graphics Suite X4 - PP
"{7F05E704-30A6-421A-97A7-8EEB1C7FF016}" = CorelDRAW Graphics Suite X4 - Content
"{7F05E704-30A6-421A-97A7-8EEB1C7FF017}" = CorelDRAW Graphics Suite X4 - Filters
"{7F05E704-30A6-421A-97A7-8EEB1C7FF019}" = CorelDRAW Graphics Suite X4 - FontNav
"{7F05E704-30A6-421A-97A7-8EEB1C7FF100}" = CorelDRAW Graphics Suite X4 - Lang EN
"{80F19EAA-44C4-47C2-AE87-1C7628E858D6}" = Logitech Harmony Remote Software 7
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11219217}" = Cradle of Rome
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767}" = Alice Greenfingers
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113555820}" = Mahjongg Artifacts 2
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-114072167}" = Go-Go Gourmet
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115053100}" = Dairy Dash
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115246907}" = Elf Bowling Hawaiian Vacation
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11531173}" = Farm Frenzy 2
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{850C7BD3-9F3F-46AD-9396-E7985B38C55E}" = Windows Live Fotogalerie
"{853F8A41-A3C9-43FA-87FA-1AE74FC6F3F7}" = BatteryLifeExtender
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller  Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0015-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 

Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 

Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 

Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 

Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 

Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 

Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISER_{A0516415-ED61-419A-981D-93596DA74165}" 

= Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}_PROHYBRIDR_{A0516415-ED61-419A-981D-93596DA74165}" = 

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" 

= Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" 

= Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISER_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" 

= Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}_PROHYBRIDR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = 

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISER_{26454C26-D259-4543-AA60-3189E09C5F76}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}_PROHYBRIDR_{26454C26-D259-4543-AA60-3189E09C5F76}" = 

Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{90A40407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" 

= Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" 

= Security Update for Microsoft Office system 2007 (972581)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 

Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = 

Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0407-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 

9.0.30729.6161
"{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}" = CorelDRAW Graphics Suite X4 - IPM
"{A7496F46-78AE-4DB2-BCF5-95F210FA6F96}" = Windows Live Movie Maker
"{A7581D39-EA20-4883-A480-80C21047052B}" = Easy Network Manager
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity 

Components
"{AC76BA86-7AD7-1031-7B44-A91000000001}" = Adobe Reader 9.1 - Deutsch
"{AED2DD42-9853-407E-A6BC-8A1D6B715909}" = Windows Live Messenger
"{B61D21B6-469D-4423-B161-62DB20B8A70E}" = Visual Basic for Applications (R) Core - English
"{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide
"{BF439B41-0252-48DE-8B8B-0430CB26A181}" = CorelDRAW Graphics Suite X4 - VBA
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{C5098CA3-ED54-40E7-964A-B73E11AADB2A}" = Langenscheidt Vokabeltrainer 5.0 Englisch
"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials
"{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW(R) Graphics Suite X4 - Windows Shell 

Extension
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1434266-0486-4469-B338-A60082CC04E1}" = Atheros Client Installation Program
"{D2041A37-5FEC-49F0-AE5C-3F2FFDFAA4F4}" = Windows Live Call
"{D3F2FAA5-FEC4-42AA-9ABA-1F763919A2B5}" = Samsung Update Plus
"{DB81779E-7CC5-4630-BCFC-754004956444}" = Visual Basic for Applications (R) Core
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E737A098-F161-4B6F-AF22-86AAE34F6FBD}" = Pro Evolution Soccer 2012
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EF367AA4-070B-493C-9575-85BE59D789C9}" = Easy SpeedUp Manager
"{EFCEF949-9821-4759-A573-3EB8C857DF46}" = Windows Live Family Safety
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 

Runtime - v9.0.30729.01
"{F46E21DF-5BE1-48E2-8390-5EEA8B25E36A}" = Microsoft SQL Server Native Client
"{FDE96E86-7780-431C-92F7-679C6A7CEC51}" = Microsoft SQL Server VSS Writer
"1381-5408-0515-7060" = RAIDar 4.3.0
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast" = avast! Free Antivirus
"Biet-O-Matic v2.12.7" = Biet-O-Matic v2.12.7
"Business Contact Manager" = Business Contact Manager für Outlook 2007 SP2
"Crazy Boxes_is1" = Crazy Boxes V1.8
"Deluxe Pacman_is1" = Deluxe Pacman version 1.94
"DVDVideoSoft Toolbar" = DVDVideoSoft Toolbar
"ENTERPRISER" = Microsoft Office Enterprise 2007
"Free Studio_is1" = Free Studio version 4.3
"Frozen Bubble" = Frozen Bubble
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"MAGIX_MSI_Foto_Grafik_Designer_7" = MAGIX Foto & Grafik Designer 7 Download-Version
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox 5.0 (x86 de)" = Mozilla Firefox 5.0 (x86 de)
"NVIDIA Drivers" = NVIDIA Drivers
"PROHYBRIDR" = 2007 Microsoft Office system
"ScummVM_is1" = ScummVM 0.9.1
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Uninstall_is1" = Uninstall 1.0.0.1
"VLC media player" = VLC media player 1.1.11
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR Archivierer
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 11/10/2011 12:23:49 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: m->NextScheduledEvent 600245
 
Error - 11/10/2011 12:23:49 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: m->NextScheduledSPRetry 600245
 
Error - 11/10/2011 12:23:50 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 11/10/2011 12:23:50 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: m->NextScheduledEvent 601243
 
Error - 11/10/2011 12:23:50 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: m->NextScheduledSPRetry 601243
 
Error - 11/10/2011 12:23:51 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 11/10/2011 12:23:51 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: m->NextScheduledEvent 602242
 
Error - 11/10/2011 12:23:51 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: m->NextScheduledSPRetry 602242
 
Error - 11/10/2011 12:23:52 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 11/10/2011 12:23:52 PM | Computer Name = ***-PC | Source = Bonjour Service | ID = 

100
Description = Task Scheduling Error: m->NextScheduledEvent 603240
 
[ System Events ]
Error - 11/18/2011 4:20:13 AM | Computer Name = ***-PC | Source = DCOM | ID = 10005
Description = 
 
Error - 11/18/2011 4:20:12 AM | Computer Name = ***-PC | Source = Service Control Manager 

| ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 11/18/2011 4:20:12 AM | Computer Name = ***-PC | Source = Service Control Manager 

| ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 11/18/2011 4:20:13 AM | Computer Name = ***-PC | Source = DCOM | ID = 10005
Description = 
 
Error - 11/18/2011 4:20:14 AM | Computer Name = ***-PC | Source = Service Control Manager 

| ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 11/18/2011 4:20:14 AM | Computer Name = ***-PC | Source = Service Control Manager 

| ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 11/18/2011 4:20:14 AM | Computer Name = ***-PC | Source = Service Control Manager 

| ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 11/18/2011 4:20:14 AM | Computer Name = ***-PC | Source = Service Control Manager 

| ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 11/18/2011 4:20:14 AM | Computer Name = ***-PC | Source = Service Control Manager 

| ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 11/18/2011 4:20:14 AM | Computer Name = ***-PC | Source = Service Control Manager 

| ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
 
< End of report >

GMER logfile:

Code:

ATTFilter

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2011-11-18 10:58:24
Windows 6.1.7600  Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: rsbwj4ne.exe; Driver: C:\Users\ADMINI~1.SAL\AppData\Local\Temp\fgloypod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!ZwSaveKeyEx + 13B1          824828C9 1 Byte  [06]
.text           ntoskrnl.exe!KiDispatchInterrupt + 5A2   824A24F2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\0000004b        halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \FileSystem\fastfat \Fat                 fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

avira de cleaner logfile

Code:

ATTFilter

**************************************************
Zusammenfassung des Suchlaufs:
**************************************************

Zeitstempel des letzten Updates: 23.02.2011 23:07:52

Konfigurationsprofil: sysscan.avp

Plattform      : Windows 7
Windowsversion : (plain)  [6.1.7600]

build.dat      : 10.0.0.36      11958 Bytes  28.02.2011 13:01:00


Beginn des Suchlaufs: Freitag, 18. November 2011  00:06

08c1ce20c430c18a7c032df104b74fa95f867643baba739d4166882b254df47e
  [FUND]      Enthält Erkennungsmuster des Spielprogrammes GAME/Dldr.TryMedia.Gen

f8796d11022289978dbbd7b6d36d21d72b950e8a44c736118c7e88fda6677d2d
  [FUND]      Enthält Erkennungsmuster des Java-Virus JAVA/OpenConnecti.C

b0d442b3b3f203d84f6d5cfc321cbc4474ad4256e9453838b7b980e46f2af2a0
  [FUND]      Enthält Erkennungsmuster des Exploits EXP/CVE-2010-0840.BB


Ende des Suchlaufs: Freitag, 18. November 2011  09:01
Benötigte Zeit:  1:25:41 Stunde(n)

Der Suchlauf wurde vollständig durchgeführt.

  26115 Verzeichnisse wurden überprüft
 493382 Dateien wurden geprüft
      6 Viren bzw. unerwünschte Programme wurden gefunden
      0 Dateien wurden als verdächtig eingestuft
      3 Dateien wurden gelöscht
      0 Viren bzw. unerwünschte Programme wurden repariert
      3 Dateien wurden in die Quarantäne verschoben
      0 Dateien wurden umbenannt
      0 Dateien konnten nicht durchsucht werden
 493376 Dateien ohne Befall
   3086 Archive wurden durchsucht
      0 Warnungen
      3 Hinweise

vielen dank schon mal an die fleißigen helfer

markusg · 18.11.2011, 11:53

hiho
achtung!
dieses script sowie evtl. folgende scripts sind nur für den jeweiligen user.
wenn ihr probleme habt, eröffnet eigene topics und wartet auf, für euch angepasste scripts.

• Starte bitte die OTL.exe
• Kopiere nun das Folgende in die Textbox.

Code:

ATTFilter

:OTL
O4 - HKCU..\Run: [avupdate] C:\Users\***\AppData\Roaming\mahmud.exe (NEC Computers International)
:Files
C:\Users\***\AppData\Roaming\mahmud.exe
:Commands
[purity]
[EMPTYFLASH] 
[emptytemp]
[Reboot]

• Schliesse bitte nun alle Programme.
• Klicke nun bitte auf den Fix Button.
• OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
• Nach dem Neustart findest Du ein Textdokument, dessen inhalt in deiner nächsten antwort hier reinkopieren.
der start in den normalen modus sollte klappen.
öffne computer, öffne C: dann _OTL
dort rechtsklick auf moved files
wähle zu moved files.rar oder zip hinzufügen.
folge dem link, und lade das archiv im upload channel hoch
http://www.trojaner-board.de/54791-a...ner-board.html

tom52 · 18.11.2011, 12:24

yeah, jipiieh

es geht schon mal wieder (soweit)

vielen vielen dank

eine frage hätt ich noch: hätte mich die immunisierungsfunktion von spybot s&d vor dem trojaner bewahrt?

zur info: ich habe einen kleinen fehler gemacht, und den fix zunächst im falschen konto ausgeführt (admin-konto)
als das benutzerkonto nach dem neustart logischerweise immer noch infiziert war, habe ich noch mal im abgesicherten modus im richtigen konto gefixt. und davon ist jetzt dieses logfile
also hier die textdatei:

Code:

ATTFilter

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\avupdate deleted successfully.
File C:\Users\***\AppData\Roaming\mahmud.exe not found.
========== FILES ==========
File\Folder C:\Users\***\AppData\Roaming\mahmud.exe not found.
========== COMMANDS ==========
 
[EMPTYFLASH]
 
User: Administrator
 
User: Administrator.***-PC
 
User: All Users
 
User: Default
 
User: Default User
 
User: Public
 
User: ***
->Flash cache emptied: 120371 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Administrator.***-PC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: ***
->Temp folder emptied: 913101634 bytes
->Temporary Internet Files folder emptied: 178149422 bytes
->Java cache emptied: 2913560 bytes
->FireFox cache emptied: 306469524 bytes
->Flash cache emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2642 bytes
RecycleBin emptied: 479929015 bytes
 
Total Files Cleaned = 1,794.00 mb
 
 
OTL by OldTimer - Version 3.2.31.0 log created on 11182011_120925

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

habe die movedfiles.rar im uploadchannel hochgeladen.

(hab den upload mit diesem link verknüpft

hxxp://www.trojaner-board.de/105185-bundespolizei-trojaner-otl-gmer-logs-vorhanden.html#post722462

markusg · 18.11.2011, 12:56

danke.
von spybot halte ich nicht viel, es gibt wirksamere maßnamen, dazu kommen wir noch
bitte erstelle und poste ein combofix log.
Ein Leitfaden und Tutorium zur Nutzung von ComboFix

tom52 · 18.11.2011, 14:57

ok,
also hier das combofix log
Combofix Logfile:

Code:

ATTFilter

ComboFix 11-11-18.01 - *** 18.11.2011  14:11:31.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.49.1031.18.3037.1767 [GMT 1:00]
ausgeführt von:: c:\users\***\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\users\***\AppData\Roaming\.#
c:\users\***\AppData\Roaming\.#\MBX@13F8@3B2760.###
c:\users\***\AppData\Roaming\.#\MBX@13F8@3B2790.###
c:\users\***\AppData\Roaming\.#\MBX@AE4@3F2760.###
c:\users\***\AppData\Roaming\.#\MBX@AE4@3F2790.###
c:\users\***\AppData\Roaming\mahmud.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2011-10-18 bis 2011-11-18  ))))))))))))))))))))))))))))))
.
.
2011-11-18 12:47 . 2011-11-18 12:47	56200	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{ADA1B9A6-2170-4EBE-809B-D8FAE95285A0}\offreg.dll
2011-11-18 12:47 . 2011-10-07 03:48	6668624	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{ADA1B9A6-2170-4EBE-809B-D8FAE95285A0}\mpengine.dll
2011-11-18 11:03 . 2011-11-18 11:19	--------	d-----w-	C:\_OTL
2011-11-18 09:05 . 2011-11-18 09:05	--------	d-----w-	c:\users\Administrator
2011-11-13 14:09 . 2011-11-16 23:02	--------	d-----w-	C:\MEGAV16V
2011-11-13 14:09 . 2011-11-13 14:09	--------	d-----r-	C:\MINSTALL.T
2011-11-12 11:47 . 2006-12-08 11:02	251672	----a-w-	c:\windows\system32\xactengine2_5.dll
2011-11-12 11:47 . 2006-11-29 12:06	440080	----a-w-	c:\windows\system32\d3dx10.dll
2011-11-12 11:47 . 2006-11-15 10:38	15128	----a-w-	c:\windows\system32\x3daudio1_1.dll
2011-11-12 11:47 . 2006-09-28 15:05	237848	----a-w-	c:\windows\system32\xactengine2_4.dll
2011-11-12 11:47 . 2006-09-28 15:04	68888	----a-w-	c:\windows\system32\xinput1_3.dll
2011-11-12 11:47 . 2006-09-28 15:05	2414360	----a-w-	c:\windows\system32\d3dx9_31.dll
2011-11-12 11:39 . 2011-11-12 11:39	--------	d-----w-	c:\programdata\KONAMI
2011-11-12 11:39 . 2011-11-12 11:39	--------	d-----w-	c:\program files\KONAMI
2011-11-08 20:46 . 2011-09-29 15:43	1285488	----a-w-	c:\windows\system32\drivers\tcpip.sys
2011-11-08 20:46 . 2011-10-01 04:43	708608	----a-w-	c:\program files\Common Files\System\wab32.dll
2011-11-08 20:46 . 2011-09-29 04:20	2339840	----a-w-	c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 02:59 . 2011-10-13 07:31	1638912	----a-w-	c:\windows\system32\mshtml.tlb
2011-08-27 04:43 . 2011-10-13 07:31	571904	----a-w-	c:\windows\system32\oleaut32.dll
2011-08-27 04:43 . 2011-10-13 07:31	233472	----a-w-	c:\windows\system32\oleacc.dll
2011-08-23 15:06 . 2011-08-07 14:09	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-15 05:15 . 2011-05-18 19:07	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2010-03-09 2355224]
.
[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]
2010-03-09 10:06	2355224	----a-w-	c:\program files\DVDVideoSoft\tbDVDV.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2010-03-09 2355224]
.
[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F}"= "c:\program files\DVDVideoSoft\tbDVDV.dll" [2010-03-09 2355224]
.
[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43	122512	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-31 13797992]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-19 7711264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-09 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-09 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-04-18 1181328]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-13 44312]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-31 187392]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
uInternet Settings,ProxyOverride = *.local
IE: add to &BOM - c:\\PROGRA~1\\BIET-O~1\\\\AddToBOM.hta
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\***\AppData\Roaming\Mozilla\Firefox\Profiles\ez78r71e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.9&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.3.6&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-ICQ - c:\program files\ICQ6.5\ICQ.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2011-11-18  14:21:04
ComboFix-quarantined-files.txt  2011-11-18 13:21
.
Vor Suchlauf: 9 Verzeichnis(se), 64.273.027.072 Bytes frei
Nach Suchlauf: 14 Verzeichnis(se), 64.176.312.320 Bytes frei
.
- - End Of File - - 79C91B12344CFB7FE770CFE5BE3FF22B

--- --- ---

markusg · 18.11.2011, 15:50

malwarebytes:
Downloade Dir bitte Malwarebytes

Installiere
das Programm in den vorgegebenen Pfad.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Starte Malwarebytes, klicke auf Aktualisierung --> Suche
nach Aktualisierung
Wenn das Update beendet wurde, aktiviere vollständiger Scan durchführen und drücke auf Scannen.
Wenn der Scan beendet
ist, klicke auf Ergebnisse anzeigen.
Versichere Dich, dass alle Funde markiert sind und drücke Entferne Auswahl.
Poste
das Logfile, welches sich in Notepad öffnet, hier in den Thread.
Nachträglich kannst du den Bericht unter "Log Dateien" finden.

Bundespolizei trojaner; OTL & gmer Logs vorhanden

Log-Analyse und Auswertung: Bundespolizei trojaner; OTL & gmer Logs vorhanden