dcom server prozessstart unerwartet beendet

Perios · 23.01.2010, 00:51

Hallo Leute,

ich habe seit vorgestern das Problem, daß sich mein PC aufgrund der Meldung "dcom server prozessstart unerwartet beendet" ständig herunterfährt.

Nach unendlichen recherchen in unterschiedlichsten Internet-Foren habe ich bereits mehrfach Virenscans durchgeführt (Prevx und Malwarebytes' Anti-Malware) und die verseuchten Dateien gelöscht.

Dadurch hat sich das Problem aber leider nicht beheben lassen. Sobald ich online gehe erscheint die Fehlermeldung nach wenigen Minuten wieder.

Deshalb habe ich HijackThis durchgeführt. Wäre echt super von Euch, wenn Ihr mir das auswerten könnten. Weiß mir echt nicht mehr zu helfen.

___________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:07:15, on 23.01.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\FSC OSD Utility\OSDUtility.exe
C:\Program Files\Norman\Npm\Bin\Zlh.exe
C:\Program Files\FSC Launch Manager\LaunchMgr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Prevx\prevx.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\***\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.t-online.de/software/ie401/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von T-Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.t-online.de/software/ie50/setpxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.btx.dtag.de:80;ftp=ftp-proxy.btx.dtag.de:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [FSC OSD Utility] c:\PROGRA~1\FSCOSD~1\OSDUTI~1.EXE
O4 - HKLM\..\Run: [FSCRecovery] c:\Program Files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [Launch Manager] C:\PROGRA~1\FSCLAU~1\LAUNCH~1.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [fsc-reg] C:\fsc-reg\fscreg.exe 20091227
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ncstatsc] C:\Windows\system32\lsnccq.exe
O4 - HKCU\..\Run: [jncontmon] C:\Windows\system32\ssjitsys32.exe
O4 - HKCU\..\Run: [udccndw2] C:\Windows\system32\psiomcp.exe
O4 - HKCU\..\Run: [qisdrmss] C:\Windows\system32\qodesnaq.exe
O4 - HKCU\..\Run: [pqezlr32] C:\Windows\system32\eyclcm.exe
O4 - HKCU\..\Run: [mndpro32] C:\Windows\system32\primndd.exe
O4 - HKCU\..\Run: [iejdsmm] C:\Windows\system32\yhsgmmw.exe
O4 - HKCU\..\Run: [abdoqad] "c:\users\tom\appdata\local\abdoqad.exe" abdoqad
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [fsc-reg] C:\fsc-reg\fscreg.exe 20091227 (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [ncstatsc] C:\Windows\system32\lsnccq.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [jncontmon] C:\Windows\system32\ssjitsys32.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [udccndw2] C:\Windows\system32\psiomcp.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [qisdrmss] C:\Windows\system32\qodesnaq.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [pqezlr32] C:\Windows\system32\eyclcm.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [mndpro32] C:\Windows\system32\primndd.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [iejdsmm] C:\Windows\system32\yhsgmmw.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [abdoqad] "c:\users\tom\appdata\local\abdoqad.exe" abdoqad (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.lokalisten.de/iup/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE (file missing)
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Program Files\Norman\Npm\Bin\scheduler.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe

--
End of file - 10627 bytes

___________________________________________

Ich danke Euch schon mal im voraus für Eure Hilfe.

Gruß
Tom Perios

Chris4You · 23.01.2010, 01:26

Hi,

Bitte folgende Files prüfen:

Dateien Online überprüfen lassen:

Als erstes versteckte Dateien anzeigen lassen!
(nur Punkt 1 durchführen!)

Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“
und suche folgende Datei/Dateien:

Code:

ATTFilter

C:\Windows\system32\lsnccq.exe
C:\Windows\system32\ssjitsys32.exe
C:\Windows\system32\psiomcp.exe
C:\Windows\system32\qodesnaq.exe
C:\Windows\system32\eyclcm.exe
C:\Windows\system32\primndd.exe
C:\Windows\system32\yhsgmmw.exe
c:\users\tom\appdata\local\abdoqad.exe
C:\fsc-reg\fscreg.exe

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)

Poste im Anschluss das Ergebnis der Auswertung,

alles abkopieren und in einen Beitrag einfügen.

Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Files die nicht erkannt wurden, aus den Scripts (Avenger/HJ) entfernen. Falls das File nicht gefunden wurde, drin lasse!

Also:
Anleitung Avenger (by swandog46)

1.) Lade dir das Tool Avenger und speichere es auf dem Desktop:

2.) Das Programm so einstellen wie es auf dem Bild zu sehen ist.

Kopiere nun folgenden Text in das weiße Feld:
(bei -> "input script here")

Code:

ATTFilter

 
Files to delete:
C:\Windows\system32\lsnccq.exe
C:\Windows\system32\ssjitsys32.exe
C:\Windows\system32\psiomcp.exe
C:\Windows\system32\qodesnaq.exe
C:\Windows\system32\eyclcm.exe
C:\Windows\system32\primndd.exe
C:\Windows\system32\yhsgmmw.exe

3.) Schliesse nun alle Programme (vorher notfalls abspeichern!) und Browser-Fenster, nach dem Ausführen des Avengers wird das System neu gestartet.

4.) Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet!

5.) Nachdem das System neu gestartet ist, findest du hier einen Report vom Avenger -> C:\avenger.txt
Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

Hijackthis, fixen:
öffne das HijackThis -- Button "scan" -- vor den nachfolgenden Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten
Beim fixen müssen alle Programme geschlossen sein!

Code:

ATTFilter

O4 - HKCU\..\Run: [ncstatsc] C:\Windows\system32\lsnccq.exe
O4 - HKCU\..\Run: [jncontmon] C:\Windows\system32\ssjitsys32.exe
O4 - HKCU\..\Run: [udccndw2] C:\Windows\system32\psiomcp.exe
O4 - HKCU\..\Run: [qisdrmss] C:\Windows\system32\qodesnaq.exe
O4 - HKCU\..\Run: [pqezlr32] C:\Windows\system32\eyclcm.exe
O4 - HKCU\..\Run: [mndpro32] C:\Windows\system32\primndd.exe
O4 - HKCU\..\Run: [iejdsmm] C:\Windows\system32\yhsgmmw.exe
O4 - HKCU\..\Run: [abdoqad] "c:\users\tom\appdata\local\abdoqad.exe" abdoqad
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [ncstatsc] C:\Windows\system32\lsnccq.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [jncontmon] C:\Windows\system32\ssjitsys32.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [udccndw2] C:\Windows\system32\psiomcp.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [qisdrmss] C:\Windows\system32\qodesnaq.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [pqezlr32] C:\Windows\system32\eyclcm.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [mndpro32] C:\Windows\system32\primndd.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [iejdsmm] C:\Windows\system32\yhsgmmw.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [abdoqad] "c:\users\tom\appdata\local\abdoqad.exe" abdoqad (User '?')

Dr. WEb:
http://www.trojaner-board.de/59299-anleitung-drweb-cureit.html
Poste auch dieses Log!

OTL
Lade Dir OTL von Oldtimer herunter (http://filepony.de/download-otl/) und speichere es auf Deinem Desktop

* Doppelklick auf die OTL.exe
* Vista/Win7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
* Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output
* Unter Extra Registry, wähle bitte Use SafeList
* Klicke nun auf Run Scan links oben
* Wenn der Scan beendet wurde werden 2 Logfiles erstellt
* Poste die Logfiles hier in den Thread.

Gmer:
http://www.trojaner-board.de/74908-anleitung-gmer-rootkit-scanner.html
Den Downloadlink findest Du links oben (http://www.gmer.net/#files), dort dann
auf den Button "Download EXE", dabei wird ein zufälliger Name generiert (den und den Pfad wo Du sie gespeichert hast bitte merken).
Starte GMER und schaue, ob es schon was meldet. Macht es das, bitte alle Fragen mit "nein" beantworten, auf den Reiter "rootkit" gehen, wiederum die Frage mit "nein" beantworten und mit Hilfe von copy den Bericht in den Thread einfügen. Meldet es so nichts, gehe auf den Reiter Rootkit und mache einen Scan. Ist dieser beendet, wähle Copy und füge den Bericht ein.

Chris

Perios · 24.01.2010, 21:18

Hey Chris,

danke für die schnelle Hilfe. Also ich hab das jetzt mal Stück für Stück abgearbeitet:

Virtustotal laufen lassen und dabei folgenden Bericht erhalten:

MD5: f8fb8401761d72b39ebc2fee9a2aa978
First received: 2009.07.20 01:05:13 UTC
Datum 2010.01.04 15:43:02 UTC [>19D]
Ergebnisse 1/40
Permalink: analisis/c8498601ad23ecf3e3071838f846949b1fdcf5eafa2095f90cb193db1e171286-1262619782

Dies hat aber nur bei der Datei C:\fsc-reg\fscreg.exe funktioniert. Die anderen Dateien waren nicht vorhanden. Ich glaube aber, daß die vielleicht mein Virenscanner entfernt hat, bevor ich HijackThis laufen lassen habe.

Avenger laufen lassen mit folgendem Bericht:

Logfile of The Avenger Version 2.0, (c) by Swandog46
Swandog46's Public Anti-Malware Tools

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "oezdqdq" found!
ImagePath: system32\drivers\erpmneec.sys
Start Type: 0 (Boot)

Rootkit scan completed.

Warning: Invalid contents in ServiceGroupOrder key!
There may be a driver loading earlier than Avenger!

Error: file "C:\Windows\system32\lsnccq.exe" not found!
Deletion of file "C:\Windows\system32\lsnccq.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\system32\ssjitsys32.exe" not found!
Deletion of file "C:\Windows\system32\ssjitsys32.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\system32\psiomcp.exe" not found!
Deletion of file "C:\Windows\system32\psiomcp.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\system32\qodesnaq.exe" not found!
Deletion of file "C:\Windows\system32\qodesnaq.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\system32\eyclcm.exe" not found!
Deletion of file "C:\Windows\system32\eyclcm.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\system32\primndd.exe" not found!
Deletion of file "C:\Windows\system32\primndd.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\system32\yhsgmmw.exe" not found!
Deletion of file "C:\Windows\system32\yhsgmmw.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Anschließend HijackThis aufgemacht und die Dateien gefixt. Folgende Dateien waren aber nicht da:
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [ncstatsc] C:\Windows\system32\lsnccq.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [jncontmon] C:\Windows\system32\ssjitsys32.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [udccndw2] C:\Windows\system32\psiomcp.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [qisdrmss] C:\Windows\system32\qodesnaq.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [pqezlr32] C:\Windows\system32\eyclcm.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [mndpro32] C:\Windows\system32\primndd.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [iejdsmm] C:\Windows\system32\yhsgmmw.exe (User '?')
O4 - HKUS\S-1-5-21-3617320737-3657223746-2595875988-1000\..\Run: [abdoqad] "c:\users\tom\appdata\local\abdoqad.exe" abdoqad (User '?')

Danach hab ich dann Dr. Web durchgeführt. Als ich den Bericht speichern wollte ist aber leider scheiß WindowsVista abgeschmiert. Deswegen hab ich den leider nicht. :-( Er hat paar infizierte Dateien gefunden... das war aber alles Kleinkram meiner Meinung nach, die er dann verschoben hat. Die einzige wichtige Datei die repariert wurde war atapi.sys.

Dann hab ich OTL laufen lassen und diese beiden Berichte erhalten:

OTL Extras logfile created on: 24.01.2010 20:34:15 - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Users\Tom\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18865)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 64,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 92,21 Gb Total Space | 24,73 Gb Free Space | 26,83% Space Free | Partition Type: NTFS
Drive D: | 197,09 Gb Total Space | 197,00 Gb Free Space | 99,95% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOM-PC
Current User Name: Tom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A93ED72-5187-4286-B8F1-5810A49075CB}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{3DD143E3-C14E-4764-907A-3AC355D5A203}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{4BC8DCE2-0492-4CE0-9B5F-72F77543C898}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{501D40E9-4341-4E67-BB1A-8542EA7F987E}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{575B5F32-7413-45DF-8838-22BAD7DF6AFC}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{5B7DFB8A-675E-4530-A2C6-1E2BB400743F}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{5D1788EF-FA37-4B90-A0EE-325345A94EB8}" = lport=2869 | protocol=6 | dir=in | app=system |
"{748EEF39-F939-44E5-8CBF-7B321DE0158B}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{7F8F5F50-8741-4BCF-A286-F3CC51EF7EF2}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{85CDC046-7CD7-45BF-9507-04CECAE1D0C5}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8C816338-C0BF-4903-AE82-1F0E0CE873E5}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9B8497DF-4C09-490A-ABC3-58B167453060}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{B3B086BB-2400-4A08-8E32-383D2FEFBCD9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{C2EB998F-E824-40D0-8BF5-53567A52AB75}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{C6CEF9DF-2843-447C-B293-3664005AF2F9}" = rport=2869 | protocol=6 | dir=out | app=system |
"{DCCD8883-9CCE-4660-85DF-1A9F7AA496EC}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{E1354BA8-1709-4ED1-9F74-E07FCA598698}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{EDC8ED10-0594-4A02-9F61-1D7BC4013F3E}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01D2EEDE-F565-4689-9D0A-EBB75C392794}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{08EFC8D9-9B1D-4A1E-9C76-0B647C85532D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{11CBFFF3-DA05-4C4D-B479-8977BA97E627}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 |
"{2C9A92BB-EAE3-44CA-AB31-CA9AF3087FDB}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{338FE4A9-313D-44A0-86E1-5E49FC95CD4E}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{4279145C-C7CF-49BA-9CCB-9AB415C2ACA4}" = protocol=6 | dir=in | app=c:\program files\fujitsu siemens computers\fsclounge\fscwbaseupdaterservice\2\fscwbaseupdaterservice.exe |
"{4F1EB719-6682-458B-8BDC-E5083F2A4FE5}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{5658886F-F08F-43CD-8E79-DEC5CFECC9CB}" = protocol=17 | dir=in | app=c:\program files\eidos\batman arkham asylum\binaries\shippingpc-bmgame.exe |
"{73C58589-A678-42EF-A956-C911B807637B}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{A6638EB5-E000-4124-BA01-8054872F4CDC}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{C156407D-1115-4D9A-A3F6-0EB939B27F61}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{CA8CB4F1-176A-4FA9-9FBF-C4024027BCAD}" = protocol=17 | dir=in | app=c:\program files\fujitsu siemens computers\fsclounge\fscwbaseupdaterservice\2\fscwbaseupdaterservice.exe |
"{D83B9CD4-F91F-4D90-AB51-DF2F16C388BF}" = protocol=6 | dir=in | app=c:\program files\eidos\batman arkham asylum\binaries\shippingpc-bmgame.exe |
"{E35E0C97-8A5C-4FB2-82CC-3497668396E1}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{E52066B2-B01E-4E2E-A794-8CAF3EAB9290}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"TCP Query User{40EBEFDC-EE27-4940-A07B-4465036C29DF}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{661D1CAF-9D93-4321-B01A-CFC00FA55684}C:\users\tom\downloads\mercury\mercury.exe" = protocol=6 | dir=in | app=c:\users\tom\downloads\mercury\mercury.exe |
"TCP Query User{9EF3E8A4-3242-49E8-9C8E-78217D21EF57}C:\users\tom\appdata\local\microsoft\windows\temporary internet files\content.ie5\bifb6njq\zerg_reveal_final_german_xvid.avi-downloader[1].exe" = protocol=6 | dir=in | app=c:\users\tom\appdata\local\microsoft\windows\temporary internet files\content.ie5\bifb6njq\zerg_reveal_final_german_xvid.avi-downloader[1].exe |
"TCP Query User{EA624CDE-E0C8-42E6-812F-5A59D30BFF42}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe |
"UDP Query User{6806EC3A-6188-475F-B4FA-CB43FAE203CF}C:\users\tom\appdata\local\microsoft\windows\temporary internet files\content.ie5\bifb6njq\zerg_reveal_final_german_xvid.avi-downloader[1].exe" = protocol=17 | dir=in | app=c:\users\tom\appdata\local\microsoft\windows\temporary internet files\content.ie5\bifb6njq\zerg_reveal_final_german_xvid.avi-downloader[1].exe |
"UDP Query User{6D232792-B50B-4F6D-84B3-63805CC80337}C:\users\tom\downloads\mercury\mercury.exe" = protocol=17 | dir=in | app=c:\users\tom\downloads\mercury\mercury.exe |
"UDP Query User{DDBA6527-B309-4900-AA5B-C43276C274A0}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{F5B82613-815C-40AA-B720-E02E0F77B07C}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
"{2BA722D1-48D1-406E-9123-8AE5431D63EF}" = Windows Live Fotogalerie
"{2F926AE7-9FB7-4B34-906F-9C29A6D146A7}" = SystemDiagnostics
"{373C3C97-2FA9-4E18-85A2-255060C21031}" = Nero 8 Essentials
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3EFEF049-23D4-4B46-8903-4592FEA51018}" = Windows Live Movie Maker
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4E79A60F-15D2-4BEC-91AD-E41EC42E61B0}" = Batman: Arkham Asylum
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6833245E-DD86-479A-882A-8360D62C8194}" = NVIDIA PhysX
"{6EB4FCC1-B3B7-4599-8921-905D095A49FA}" = Launch Manager
"{70B7A167-0B88-445D-A3EA-97C73AA88CAC}" = Windows Live Toolbar
"{76618402-179D-4699-A66B-D351C59436BC}" = Windows Live Sync
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{994223F3-A99B-4DDD-9E1D-0190A17C6860}" = Windows Live Family Safety
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A3BC157-B94F-4EFD-ABA9-1E56DEB00655}" = FSCLounge
"{A1C962E2-2426-49C6-A38B-9A07E40D607C}" = Microsoft Games for Windows - LIVE
"{A36B158D-8E9D-4BD3-8BDA-4B5EDC9C2E8C}" = Norman Security Suite
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AFC454ED-A26F-4816-826B-C35129D82E1F}" = Fujitsu Siemens Computers Recovery
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E6B28CE4-9D73-4B7D-9329-A0ED4855D686}" = FSC OSD Utility
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{EFCE5837-FC21-11D6-9D24-00010240CE95}" = Java 2 Runtime Environment, SE v1.4.1_02
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Free YouTube Download_is1" = Free YouTube Download 2.3
"Free YouTube to Mp3 Converter_is1" = Free YouTube to Mp3 Converter version 3.2
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ICQToolbar" = ICQ Toolbar
"InstallShield_{6EB4FCC1-B3B7-4599-8921-905D095A49FA}" = Launch Manager
"InstallShield_{E6B28CE4-9D73-4B7D-9329-A0ED4855D686}" = FSC OSD Utility
"Java Web Start" = Java Web Start
"kikqo" = Favorit
"Live-Player" = Live-Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"Netscape (7.1)" = Netscape (7.1)
"Netscape Communicator 4.73" = Netscape Communicator 4.73
"PCSI" = Prevx
"Picasa2" = Picasa 2
"Uninstall_is1" = Uninstall 1.0.0.1
"ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)
"VLC media player" = VLC media player 0.9.9
"Warcraft III" = Warcraft III
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 22.01.2010 13:52:25 | Computer Name = Tom-PC | Source = WinMgmt | ID = 10
Description =

Error - 22.01.2010 14:26:07 | Computer Name = Tom-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000,
Ausnahmecode 0xc0000005, Fehleroffset 0x0138f2b4, Prozess-ID 0x348, Anwendungsstartzeit
01ca9b8b96789cc9.

Error - 22.01.2010 14:28:31 | Computer Name = Tom-PC | Source = WinMgmt | ID = 10
Description =

Error - 22.01.2010 14:34:36 | Computer Name = Tom-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000,
Ausnahmecode 0xc0000005, Fehleroffset 0x0214f1fc, Prozess-ID 0x364, Anwendungsstartzeit
01ca9b90a21404e4.

Error - 22.01.2010 14:37:02 | Computer Name = Tom-PC | Source = WinMgmt | ID = 10
Description =

Error - 22.01.2010 14:41:46 | Computer Name = Tom-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000,
Ausnahmecode 0xc0000005, Fehleroffset 0x0269f42c, Prozess-ID 0x350, Anwendungsstartzeit
01ca9b91d32d3f1c.

Error - 22.01.2010 14:44:23 | Computer Name = Tom-PC | Source = WinMgmt | ID = 10
Description =

Error - 22.01.2010 15:23:37 | Computer Name = Tom-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000,
Ausnahmecode 0xc0000005, Fehleroffset 0x0258f750, Prozess-ID 0x330, Anwendungsstartzeit
01ca9b92da38d7f0.

Error - 22.01.2010 15:50:12 | Computer Name = Tom-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000,
Ausnahmecode 0xc0000005, Fehleroffset 0x012ef378, Prozess-ID 0x14d0, Anwendungsstartzeit
01ca9b98f3a4609e.

Error - 22.01.2010 16:28:18 | Computer Name = Tom-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000,
Ausnahmecode 0xc0000005, Fehleroffset 0x01dcf13c, Prozess-ID 0x17fc, Anwendungsstartzeit
01ca9b9c757fbdd6.

[ System Events ]
Error - 02.08.2009 12:24:24 | Computer Name = Tom-PC | Source = netbt | ID = 4321
Description = Der Name "TOM-PC :20" konnte nicht auf der Schnittstelle mit
IP-Adresse 192.168.2.105 registriert werden. Der Computer mit IP-Adresse 169.254.5.45
hat nicht zugelassen, dass dieser Computer diesen Namen verwendet.

Error - 02.08.2009 12:24:33 | Computer Name = Tom-PC | Source = ipnathlp | ID = 31004
Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet
werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner
Fehler ist im Speicher-Manager aufgetreten.

Error - 02.08.2009 14:14:25 | Computer Name = Tom-PC | Source = DCOM | ID = 10010
Description =

Error - 03.08.2009 11:45:34 | Computer Name = Tom-PC | Source = HTTP | ID = 15016
Description =

Error - 03.08.2009 11:46:19 | Computer Name = Tom-PC | Source = ipnathlp | ID = 31004
Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet
werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner
Fehler ist im Speicher-Manager aufgetreten.

Error - 03.08.2009 11:46:21 | Computer Name = Tom-PC | Source = ipnathlp | ID = 31004
Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet
werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner
Fehler ist im Speicher-Manager aufgetreten.

Error - 03.08.2009 11:46:30 | Computer Name = Tom-PC | Source = ipnathlp | ID = 31004
Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet
werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner
Fehler ist im Speicher-Manager aufgetreten.

Error - 03.08.2009 14:31:59 | Computer Name = Tom-PC | Source = DCOM | ID = 10010
Description =

Error - 03.08.2009 14:44:28 | Computer Name = Tom-PC | Source = ipnathlp | ID = 31004
Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet
werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner
Fehler ist im Speicher-Manager aufgetreten.

Error - 04.08.2009 13:37:32 | Computer Name = Tom-PC | Source = HTTP | ID = 15016
Description =

< End of report >

OTL logfile created on: 24.01.2010 20:34:15 - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Users\Tom\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18865)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 64,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 92,21 Gb Total Space | 24,73 Gb Free Space | 26,83% Space Free | Partition Type: NTFS
Drive D: | 197,09 Gb Total Space | 197,00 Gb Free Space | 99,95% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOM-PC
Current User Name: Tom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Tom\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Prevx\prevx.exe (Prevx)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Norman\Npm\Bin\Njeeves.exe (Norman ASA)
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
PRC - C:\Programme\Norman\Npm\Bin\scheduler.exe (Norman ASA)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Norman\Npm\Bin\Zanda.exe (Norman ASA)
PRC - C:\Programme\Norman\Npm\Bin\Zlh.exe (Norman ASA)
PRC - C:\Programme\Norman\Npm\Bin\nvoy.exe (Norman ASA)
PRC - C:\Programme\ICQ6Toolbar\ICQ Service.exe ()
PRC - C:\Programme\FSC OSD Utility\OSDUtility.exe (Quanta Computer Inc.)
PRC - C:\Windows\System32\igfxsrvc.exe (Intel Corporation)
PRC - C:\Windows\System32\igfxpers.exe (Intel Corporation)
PRC - C:\Windows\System32\hkcmd.exe (Intel Corporation)
PRC - C:\Programme\FSC Launch Manager\LaunchMgr.exe (Quanta Computer Inc.)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe (Nero AG)
PRC - C:\Programme\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe (Fujitsu Siemens Computers)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Programme\Norman\Npm\Bin\elogsvc.exe (Norman ASA)
PRC - C:\Windows\System32\IoctlSvc.exe (Prolific Technology Inc.)

========== Modules (SafeList) ==========

MOD - C:\Users\Tom\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (NVCScheduler) -- File not found
SRV - (CSIScanner) -- C:\Program Files\Prevx\prevx.exe (Prevx)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (fsssvc) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (Norman NJeeves) -- C:\Program Files\Norman\Npm\bin\NJEEVES.EXE (Norman ASA)
SRV - (Scheduler) -- C:\Program Files\Norman\Npm\Bin\scheduler.exe (Norman ASA)
SRV - (Norman ZANDA) -- C:\Program Files\Norman\Npm\Bin\Zanda.exe (Norman ASA)
SRV - (NVOY) -- C:\Program Files\Norman\npm\bin\nvoy.exe (Norman ASA)
SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ICQ Service) -- C:\Programme\ICQ6Toolbar\ICQ Service.exe ()
SRV - (Nero BackItUp Scheduler 3) -- C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe (Nero AG)
SRV - (TestHandler) -- C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe (Fujitsu Siemens Computers)
SRV - (NMIndexingService) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (Nero AG)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (eLoggerSvc6) -- C:\Program Files\Norman\Npm\Bin\Elogsvc.exe (Norman ASA)
SRV - (PLFlash DeviceIoControl Service) -- C:\Windows\System32\IoctlSvc.exe (Prolific Technology Inc.)
SRV - (ehstart) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (pxrts) -- C:\Windows\System32\drivers\pxrts.sys (Prevx)
DRV - (pxscan) -- C:\Windows\System32\drivers\pxscan.sys (Prevx)
DRV - (pxkbf) -- C:\Windows\System32\drivers\pxkbf.sys (Prevx)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (fssfltr) -- C:\Windows\System32\drivers\fssfltr.sys (Microsoft Corporation)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (RMCAST) RMCAST (Pgm) -- C:\Windows\System32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (RTL8187B) -- C:\Windows\System32\drivers\RTL8187B.sys (Realtek Semiconductor Corporation )
DRV - (ahcix86s) -- C:\Windows\system32\drivers\ahcix86s.sys (AMD Technologies Inc.)
DRV - (RTSTOR) -- C:\Windows\System32\drivers\RTSTOR.sys (Realtek Semiconductor Corp.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (JRAID) -- C:\Windows\system32\drivers\jraid.sys (JMicron Technology Corp.)
DRV - (PxHelp20) -- C:\Windows\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (iaStor) -- C:\Windows\system32\drivers\iastor.sys (Intel Corporation)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (secdrv) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = iGoogle

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = Nachrichten - Service - Shopping bei t-online.de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=proxy.btx.dtag.de:80;ftp=ftp-proxy.btx.dtag.de:80

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.de/"
FF - prefs.js..network.proxy.autoconfig_url: "http://www.t-online.de/software/ie50/setpxy.pac"
FF - prefs.js..network.proxy.ftp: "ftp-proxy.btx.dtag.de"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.http: "proxy.btx.dtag.de"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.01.16 15:07:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.01.17 21:51:04 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.1\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2009.05.02 01:50:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.1\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2010.01.17 21:51:04 | 00,000,000 | ---D | M]

[2010.01.16 15:07:25 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Extensions
[2010.01.24 01:27:36 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Firefox\Profiles\egffyzoj.default\extensions
[2010.01.16 15:07:08 | 00,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2009.12.22 04:57:54 | 00,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2009.12.22 04:57:54 | 00,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2009.12.22 04:57:54 | 00,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2009.12.22 04:57:54 | 00,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2009.12.22 04:57:54 | 00,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2006.09.18 22:41:30 | 00,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [FSC OSD Utility] c:\Programme\FSC OSD Utility\OSDUtility.exe (Quanta Computer Inc.)
O4 - HKLM..\Run: [FSCRecovery] c:\Programme\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe (Fujitsu Siemens Computers GmbH)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Launch Manager] C:\Programme\FSC Launch Manager\LaunchMgr.exe (Quanta Computer Inc.)
O4 - HKLM..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\Bin\ZLH.EXE (Norman ASA)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [fsc-reg] C:\fsc-reg\fscreg.exe (Fujitsu Siemens)
O4 - HKCU..\Run: [Sidebar] C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Save YouTube Video - C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll (DVSTeam)
O8 - Extra context menu item: Save YouTube Video as MP3 - C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll (DVSTeam)
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/...ndows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/...ndows-i586.cab (Java Plug-in 1.4.1_02)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://www.lokalisten.de/iup/ImageUploader4.cab (Image Uploader Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Users\Tom\AppData\Roaming\ufxw.exe) - C:\Users\Tom\AppData\Roaming\ufxw.exe File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-6296374783-9751805672-495840989-1801\yv8g67.exe) - C:\RECYCLER\S-1-5-21-6296374783-9751805672-495840989-1801\yv8g67.exe File not found
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-5590127956-1593757267-638454392-6420\rundll32.exe) - C:\RECYCLER\S-1-5-21-5590127956-1593757267-638454392-6420\.exe File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img8.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img8.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.01.24 15:45:54 | 00,000,000 | ---D | C] -- C:\Users\Tom\DoctorWeb
[2010.01.24 14:44:18 | 00,000,000 | ---D | C] -- C:\Avenger
[2010.01.22 22:01:48 | 00,053,136 | ---- | C] (Prevx) -- C:\Windows\System32\PxSecure.dll
[2010.01.22 22:01:47 | 00,047,664 | ---- | C] (Prevx) -- C:\Windows\System32\drivers\pxrts.sys
[2010.01.22 22:01:47 | 00,030,280 | ---- | C] (Prevx) -- C:\Windows\System32\drivers\pxscan.sys
[2010.01.22 22:01:46 | 00,024,496 | ---- | C] (Prevx) -- C:\Windows\System32\drivers\pxkbf.sys
[2010.01.22 22:01:46 | 00,000,000 | ---D | C] -- C:\Programme\Prevx
[2010.01.22 22:01:38 | 00,000,000 | ---D | C] -- C:\ProgramData\PrevxCSI
[2010.01.22 20:29:48 | 00,000,000 | ---D | C] -- C:\Users\Tom\AppData\Roaming\Malwarebytes
[2010.01.22 20:29:40 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.01.22 20:29:38 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.01.22 20:29:37 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.01.22 20:29:37 | 00,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.01.16 15:07:13 | 00,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\Mozilla
[2010.01.16 15:07:06 | 00,000,000 | ---D | C] -- C:\Programme\Mozilla Firefox
[2010.01.13 21:37:34 | 00,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2010.01.13 21:37:34 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010.01.03 14:26:41 | 00,000,000 | ---D | C] -- C:\WNCHESS
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.01.24 20:33:43 | 02,359,296 | -HS- | M] () -- C:\Users\Tom\NTUSER.DAT
[2010.01.24 20:26:04 | 01,541,724 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.01.24 20:26:04 | 00,664,282 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.01.24 20:26:04 | 00,625,582 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.01.24 20:26:04 | 00,142,622 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.01.24 20:26:04 | 00,117,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.01.24 20:21:16 | 00,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.01.24 20:21:16 | 00,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.01.24 20:21:15 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.01.24 20:21:03 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.01.24 20:20:59 | 30,499,02080 | -HS- | M] () -- C:\hiberfil.sys
[2010.01.24 20:06:18 | 00,524,288 | -HS- | M] () -- C:\Users\Tom\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010.01.24 20:06:18 | 00,065,536 | -HS- | M] () -- C:\Users\Tom\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010.01.24 20:01:17 | 21,362,2131 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010.01.24 01:14:42 | 00,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{422ED6B3-5743-499B-8670-94FD39146DC9}.job
[2010.01.22 23:45:25 | 00,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2010.01.22 23:45:20 | 00,002,379 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2010.01.22 23:39:58 | 00,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010.01.22 23:39:46 | 00,051,712 | ---- | M] () -- C:\Users\Tom\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.01.22 22:01:48 | 00,053,136 | ---- | M] (Prevx) -- C:\Windows\System32\PxSecure.dll
[2010.01.22 22:01:47 | 00,047,664 | ---- | M] (Prevx) -- C:\Windows\System32\drivers\pxrts.sys
[2010.01.22 22:01:47 | 00,030,280 | ---- | M] (Prevx) -- C:\Windows\System32\drivers\pxscan.sys
[2010.01.22 22:01:46 | 00,024,496 | ---- | M] (Prevx) -- C:\Windows\System32\drivers\pxkbf.sys
[2010.01.22 21:50:09 | 00,000,088 | ---- | M] () -- C:\Users\Tom\AppData\Local\kikqo.bat
[2010.01.22 20:29:43 | 00,000,824 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.01.17 21:51:04 | 00,001,893 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010.01.16 15:07:10 | 00,001,730 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010.01.15 00:19:27 | 00,000,809 | ---- | M] () -- C:\Users\Tom\.plugin141_02.trace
[2010.01.14 11:12:06 | 00,181,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010.01.07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.01.07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.01.03 14:17:19 | 00,000,043 | ---- | M] () -- C:\Windows\Battle.ini
[2010.01.03 14:17:19 | 00,000,038 | ---- | M] () -- C:\Windows\progman.ini
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.01.24 20:20:59 | 30,499,02080 | -HS- | C] () -- C:\hiberfil.sys
[2010.01.22 23:45:25 | 00,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010.01.22 20:29:43 | 00,000,824 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.01.17 21:51:04 | 00,001,893 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010.01.16 15:07:10 | 00,001,730 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010.01.03 14:17:19 | 00,000,043 | ---- | C] () -- C:\Windows\Battle.ini
[2010.01.03 14:17:19 | 00,000,038 | ---- | C] () -- C:\Windows\progman.ini
[2009.11.06 10:58:04 | 00,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009.09.17 18:44:54 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.08.23 20:58:48 | 00,000,176 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\wklnhst.dat
[2009.06.19 19:06:22 | 00,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009.06.19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009.06.19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009.06.19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009.06.19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009.06.19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009.06.19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009.06.19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009.06.19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009.06.19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009.05.12 19:30:53 | 00,000,088 | ---- | C] () -- C:\Users\Tom\AppData\Local\kikqo.bat
[2009.05.02 01:47:20 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009.05.01 12:01:02 | 00,000,091 | ---- | C] () -- C:\Users\Tom\AppData\Local\fusioncache.dat
[2009.05.01 11:43:05 | 00,051,712 | ---- | C] () -- C:\Users\Tom\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.04.30 20:25:50 | 00,000,000 | ---- | C] () -- C:\Windows\netscape.INI
[2009.04.30 19:38:49 | 00,000,342 | ---- | C] () -- C:\Windows\{9A3BC157-B94F-4EFD-ABA9-1E56DEB00655}_WiseFW.ini
[2008.10.20 14:37:54 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1527.dll
[2008.04.25 13:23:38 | 00,012,288 | ---- | C] () -- C:\Windows\System32\EvOnlDiag.dll
[2006.11.02 13:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 11:25:26 | 00,557,568 | ---- | C] () -- C:\Windows\System32\hpotscl1.dll
[2006.11.02 08:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
< End of report >

Zu guter letzt hab ich dann GMER ausgeführt und dieses Ergebnis erhalten:

GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-01-24 21:16:24
Windows 6.0.6002 Service Pack 2
Running: 7eiqk5bo.exe; Driver: C:\Users\Tom\AppData\Local\Temp\ufldipow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0x8E5201CC]
SSDT AA7B8E84 ZwCreateThread
SSDT AA7B8E70 ZwOpenProcess
SSDT AA7B8E75 ZwOpenThread
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0x8E520292]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0x8E52018E]
SSDT AA7B8E7F ZwTerminateProcess
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0x8E520316]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0x8E52034E]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 191 81EB48D4 4 Bytes [CC, 01, 52, 8E] {INT 3 ; ADD [EDX-0x72], EDX}
.text ntkrnlpa.exe!KeSetEvent + 221 81EB4964 4 Bytes [84, 8E, 7B, AA]
.text ntkrnlpa.exe!KeSetEvent + 3F1 81EB4B34 4 Bytes [70, 8E, 7B, AA] {JO 0xffffffffffffff90; JNP 0xffffffffffffffae}
.text ntkrnlpa.exe!KeSetEvent + 40D 81EB4B50 4 Bytes [75, 8E, 7B, AA] {JNZ 0xffffffffffffff90; JNP 0xffffffffffffffae}
.text ntkrnlpa.exe!KeSetEvent + 431 81EB4B74 4 Bytes [92, 02, 52, 8E] {XCHG EDX, EAX; ADD DL, [EDX-0x72]}
.text ...
.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x807A5024]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85254841

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Ich hoffe daß des alles so passt.

Nochmals vielen Dankf für Deine Hilfe und nen guten Start in die neue Woche.

Gruß
Tom Perios

Chris4You · 24.01.2010, 21:34

Hi,

das sieht nach TDSS aus, GMER meldet immer noch eine modifizierte atapi.sys. (Das ist ein Festplattentreiber der infiziert ist, der lässt sich nur bei nicht laufendem Window austauschen (z.B. beim Booten oder wenn von CD gebootet wird))...

Da müssen wir CF einsetzen oder Du kopierst die atapi.sys per Hand von einer Vista-CD (von der Du auch gebootet hast) in das windows\system32\drivers-Verzeichnis...

Combofix
Lade Combo Fix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop.
Antivierenlösung komplett auschalten und zwar so, dass sie sich auch nach einem Reboot NICHT einschaltet!

Achtung: In einigen wenigen Fällen kann es vorkommen, das der Rechner nicht mehr booten kann und Neuaufgesetzt
werden muß!

Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen
Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report (ComboFix.txt) angezeigt, den bitte kopieren und in deinem Thread einfuegen.

chris

Perios · 25.01.2010, 20:34

Hallo Chris,

okay, ich hab jetzt mal die Combofix - Variante ausprobiert.

Hier ist das Ergebnis:

ComboFix 10-01-24.05 - Tom 25.01.2010 20:19:31.2.2 - x86
ausgeführt von:: c:\users\Tom\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-0245131447-2158420221-814525652-2975
c:\recycler\S-1-5-21-1928647143-1248250933-215711038-9001
c:\recycler\S-1-5-21-5590127956-1593757267-638454392-6420
c:\recycler\S-1-5-21-5701272197-4024598026-546493947-1273
c:\recycler\S-1-5-21-6296374783-9751805672-495840989-1801
c:\recycler\S-1-5-21-7044629846-0846104279-131756759-8465
c:\recycler\S-1-5-21-7067108538-6076604797-704226279-6017
c:\recycler\S-1-5-21-7719182858-7891406537-768258179-0322
c:\recycler\S-1-5-21-9535833969-1088570110-550153922-4167
c:\recycler\S-1-5-21-9640924374-5868853749-072708762-1020

.
((((((((((((((((((((((( Dateien erstellt von 2009-12-25 bis 2010-01-25 ))))))))))))))))))))))))))))))
.

2010-01-25 19:25 . 2010-01-25 19:25 -------- d-----w- c:\users\Tom\AppData\Local\temp
2010-01-25 19:25 . 2010-01-25 19:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-24 14:45 . 2010-01-25 00:32 -------- d-----w- c:\users\Tom\DoctorWeb
2010-01-22 22:45 . 2010-01-22 22:45 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-22 19:29 . 2010-01-22 19:29 -------- d-----w- c:\users\Tom\AppData\Roaming\Malwarebytes
2010-01-22 19:29 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-22 19:29 . 2010-01-22 19:29 -------- d-----w- c:\programdata\Malwarebytes
2010-01-22 19:29 . 2010-01-22 19:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 19:29 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Anwendungsdaten\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.d ll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\Spot lightResources.dll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Microsoft\eHome\Packages\MCESpotlight\M CESpotlight\SpotlightResources.dll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Microsoft\eHome\Package s\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Microso ft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendu ngsdaten\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 05:28 . 2010-01-20 05:28 1273592 ----a-w- c:\programdata\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendu ngsdaten\Anwendungsdaten\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-16 14:07 . 2010-01-16 14:07 -------- d-----w- c:\users\Tom\AppData\Local\Mozilla
2010-01-13 20:37 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 20:37 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-03 13:26 . 2010-01-03 13:26 -------- d-----w- C:\WNCHESS

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 19:08 . 2008-01-21 07:15 664282 ----a-w- c:\windows\system32\perfh007.dat
2010-01-25 19:08 . 2008-01-21 07:15 142622 ----a-w- c:\windows\system32\perfc007.dat
2010-01-25 18:51 . 2009-05-01 18:14 -------- d-----w- c:\users\Tom\AppData\Roaming\ICQ
2010-01-25 02:17 . 2010-01-25 02:17 70176 ----a-w- c:\users\Tom\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-25 00:09 . 2009-05-02 16:10 -------- d-----w- c:\users\Tom\AppData\Roaming\vlc
2010-01-25 00:09 . 2009-08-23 19:58 -------- d-----w- c:\users\Tom\AppData\Roaming\Template
2010-01-25 00:09 . 2009-06-21 01:35 -------- d-----w- c:\users\Tom\AppData\Roaming\skypePM
2010-01-25 00:09 . 2009-06-21 01:33 -------- d-----w- c:\users\Tom\AppData\Roaming\Skype
2010-01-25 00:07 . 2009-05-12 18:31 -------- d-----w- c:\users\Tom\AppData\Roaming\live-player
2010-01-25 00:06 . 2009-05-03 15:25 -------- d-----w- c:\users\Tom\AppData\Roaming\dvdcss
2010-01-24 21:18 . 2008-10-20 13:46 -------- d-----w- c:\programdata\Microsoft Help
2010-01-24 21:18 . 2009-05-01 18:14 -------- d-----w- c:\program files\ICQ6.5
2010-01-24 21:02 . 2009-04-30 18:37 -------- d-----w- c:\program files\Norman
2010-01-24 18:06 . 2009-09-17 17:44 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-21 06:25 . 2009-05-01 18:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 20:51 . 2008-10-20 13:40 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 23:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-14 10:12 . 2009-10-03 10:49 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 14:56 . 2009-05-12 18:30 -------- d-----w- c:\program files\Live-Player
2010-01-02 06:38 . 2010-01-22 17:41 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 17:41 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 17:41 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 17:41 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-08 17:57 . 2009-08-15 15:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-19 23:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-09 12:31 . 2009-12-11 21:51 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-11 21:51 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-11 21:51 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-06 09:59 . 2009-11-06 09:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 09:59 . 2009-11-06 09:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-10-29 09:17 . 2009-11-25 22:24 2048 ----a-w- c:\windows\system32\tzres.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"fsc-reg"="c:\fsc-reg\fscreg.exe" [2008-08-01 380688]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-16 6253088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-12 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-12 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-12 145944]
"FSCRecovery"="c:\program files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe" [2008-06-18 268096]
"Skytel"="Skytel.exe" [2008-07-16 1833504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"fsc-reg"="c:\fsc-reg\fscreg.exe" [2008-08-01 380688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\T-Online_Software_6

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google EULA Launcher]
2008-05-28 11:40 20480 ----a-w- c:\program files\Google\Google EULA\GoogleEULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
2003-06-24 10:09 568096 ----a-w- c:\program files\Netscape\Netscape\Netscp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2008-02-26 01:23 443968 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):80,35,26,b5,3d,3e,ca,01

R2 NVOY;Norman Resource Provider;c:\program files\Norman\npm\bin\nvoy.exe [2009-01-20 126008]
R3 FontCache;Windows-Dienst für Schriftartencache;c:\windows\system32\svchost.exe [2008-01-21 21504]
R3 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr.sys [2009-08-05 54632]
R3 fsssvc;Windows Live Family Safety-Dienst;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\program files\Norman\Npm\bin\NVCSCHED.EXE [x]
R3 Scheduler;Norman Scheduler Service;c:\program files\Norman\Npm\Bin\scheduler.exe [2009-03-17 130104]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-10-19 222456]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2008-06-26 337920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhalt des "geplante Tasks" Ordners

2010-01-25 c:\windows\Tasks\User_Feed_Synchronization-{422ED6B3-5743-499B-8670-94FD39146DC9}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=FUJD&bmod=FUJD
uInternet Settings,ProxyServer = http=proxy.btx.dtag.de:80;ftp=ftp-proxy.btx.dtag.de:80
uInternet Settings,ProxyOverride = <local>
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\egffyzoj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: network.proxy.ftp - ftp-proxy.btx.dtag.de
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.http - proxy.btx.dtag.de
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\npaudio.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\npavi32.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\NPBeatSP.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\NPJava11.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\NPJava12.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\NPJava13.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\NPJava32.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\NPJPI141_02.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\npnul32.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\Npqtw32.dll
FF - plugin: c:\progra~1\Netscape\COMMUN~1\program\Plugins\npswf32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-Norman ZANDA - c:\program files\Norman\Npm\Bin\ZLH.EXE
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-NPCTray - c:\program files\Norman\npc\bin\npc_tray.exe
MSConfigStartUp-WLAN-Access Finder - c:\program files\T-Online\WLAN-Access Finder\ToWLaAcF.exe
AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe
AddRemove-kikqo - c:\users\tom\appdata\local\kikqo.bat
AddRemove-Live-Player - c:\program files\Live-Player\uninst.exe
AddRemove-Warcraft III - c:\windows\War3Unin.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 20:25
Windows 6.0.6002 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8527D841]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x89da3d24
\Driver\ACPI -> acpi.sys @ 0x80692d68
\Driver\atapi -> ataport.SYS @ 0x80799a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-3617320737-3657223746-2595875988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Ø**T%\OpenWithList]
@Class="Shell"
.
Zeit der Fertigstellung: 2010-01-25 20:29:12
ComboFix-quarantined-files.txt 2010-01-25 19:29

Vor Suchlauf: 21 Verzeichnis(se), 27.160.989.696 Bytes frei
Nach Suchlauf: 26 Verzeichnis(se), 26.984.050.688 Bytes frei

- - End Of File - - 1CA9AFC6A755EA423078096764DC1E72

Gruß
Tom

Chris4You · 26.01.2010, 07:38

Hi,

die atapi.sys ist sehr neu, hast Du die ausgetauscht?
2010-01-24 18:06 . 2009-09-17 17:44 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
GMER meldet immer noch Änderungen an der atapi.sys, CLASSPNP.SYS und acpi.sys.
Hattest Du mal Daemon-Tools oder Alcohol auf dem Rechner?

chris

Perios · 26.01.2010, 19:54

Hallo Chris.

Nö, ausgetauscht hab ich nichts. Ich habe auch Windows nichts neu installiert oder von CD gebootet...

Daemon-Tools oder Alcohol? Also wissentlich hatte ich da nichts auf dem Rechner... was wäre das denn beispielsweise?

dcom server prozessstart unerwartet beendet

Log-Analyse und Auswertung: dcom server prozessstart unerwartet beendet