HKCU/HKLM - C:\dir\install\server.exe

sHaoMao · 06.03.2010, 18:07

Hallo, seit einigen Tagen habe ich im Startprozess 2 für mich unerklärliche Prozesse die ich auch nicht gelöscht bekomme.. hier mein HJT Logfile, hoffe mir kann geholfen werden:

edit: Platform ist Windows 7 Ultimate, weis nicht warum der das nicht anzeigt..

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 17:53:14, on 06.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
D:\Games\Half Life 2\steam.exe
C:\Program Files (x86)\ICQ6.5\ICQ.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HKLM] C:\dir\install\install\server.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Steam] "d:\games\half life 2\steam.exe" -silent
O4 - HKCU\..\Run: [ICQ] "C:\Program Files (x86)\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [HKCU] C:\dir\install\install\server.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\dir\install\install\server.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\dir\install\install\server.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6.5\ICQ.exe
O13 - Gopher Prefix: 
O17 - HKLM\System\CCS\Services\Tcpip\..\{E72A87C5-4266-4C1B-81DF-99CA1353B877}: NameServer = 192.168.1.254
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\Windows\SYSTEM32\astsrv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7651 bytes

Chris4You · 07.03.2010, 21:53

Hi,

Datei bitte bei Virustotal.com prüfen lassen, dürfte ein Bot sein...

Dateien Online überprüfen lassen:

Als erstes versteckte Dateien anzeigen lassen!
(nur Punkt 1 durchführen!)

Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“
und suche folgende Datei/Dateien:

Code:

ATTFilter

C:\dir\install\install\server.exe

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)

Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.

Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Malwarebytes Antimalware (MAM)
Anleitung&Download hier: http://www.trojaner-board.de/51187-m...i-malware.html
Falls der Download nicht klappt, bitte hierüber eine generische Version runterladen:
http://filepony.de/download-chameleon/
Fullscan und alles bereinigen lassen! Log posten.

chris

sHaoMao · 08.03.2010, 18:17

So, hier erstmal das Ergebnis von VirusTotal:

Code:

ATTFilter

Antivirus  	Version  	letzte aktualisierung  	Ergebnis
a-squared	4.5.0.50	2010.03.07	Worm.Win32.Rebhip!IK
AhnLab-V3	5.0.0.2	2010.03.07	-
AntiVir	8.2.1.180	2010.03.05	TR/Spy.Gen
Antiy-AVL	2.0.3.7	2010.03.05	Trojan/Win32.Scar.gen
Authentium	5.2.0.5	2010.03.06	W32/Agent.HZS
Avast	4.8.1351.0	2010.03.07	Win32:Spyware-gen
Avast5	5.0.332.0	2010.03.07	Win32:Spyware-gen
AVG	9.0.0.787	2010.03.07	PSW.Generic7.BBRB
BitDefender	7.2	2010.03.07	Gen:Win32.ExplorerHijack.mGW@aeCgJop
CAT-QuickHeal	10.00	2010.03.06	Trojan.Scar.zic
ClamAV	0.96.0.0-git	2010.03.06	Trojan.Agent-125915
Comodo	4091	2010.02.28	TrojWare.Win32.PSW.Delf.~JHN
DrWeb	5.0.1.12222	2010.03.07	Win32.HLLW.Autoruner.14540
eSafe	7.0.17.0	2010.03.04	-
eTrust-Vet	35.2.7342	2010.03.05	Win32/Spyrat!generic
F-Prot	4.5.1.85	2010.03.06	W32/Agent.HZS
F-Secure	9.0.15370.0	2010.03.07	Gen:Win32.ExplorerHijack.mGW@aeCgJop
Fortinet	4.0.14.0	2010.03.07	-
GData	19	2010.03.07	Gen:Win32.ExplorerHijack.mGW@aeCgJop
Ikarus	T3.1.1.80.0	2010.03.07	Worm.Win32.Rebhip
Jiangmin	13.0.900	2010.03.07	Trojan/Swisyn.it
K7AntiVirus	7.10.990	2010.03.04	-
Kaspersky	7.0.0.125	2010.03.07	Trojan.Win32.Llac.ada
McAfee	5912	2010.03.06	Generic PWS.di
McAfee+Artemis	5912	2010.03.06	Generic PWS.di
McAfee-GW-Edition	6.8.5	2010.03.07	Heuristic.BehavesLike.Win32.Dropper.H
Microsoft	1.5502	2010.03.07	Backdoor:Win32/Poisonivy.H
NOD32	4922	2010.03.07	a variant of Win32/Spatet.A
Norman	6.04.08	2010.03.07	W32/Malware
nProtect	2009.1.8.0	2010.03.07	Trojan/W32.Agent.203264.AA
Panda	10.0.2.2	2010.03.07	Trj/CI.A
PCTools	7.0.3.5	2010.03.04	Malware.Spyrat
Prevx	3.0	2010.03.08	-
Rising	22.37.06.04	2010.03.07	-
Sophos	4.51.0	2010.03.07	Mal/Behav-328
Sunbelt	5780	2010.03.07	Trojan.Win32.Generic!BT
Symantec	20091.2.0.41	2010.03.07	W32.Spyrat
TheHacker	6.5.1.9.223	2010.03.07	-
TrendMicro	9.120.0.1004	2010.03.07	TSPY_SPATET.SMT
VBA32	3.12.12.2	2010.03.05	Trojan.Win32.Swisyn.hyo
ViRobot	2010.3.5.2214	2010.03.05	-
VirusBuster	5.0.27.0	2010.03.06	Worm.DR.Rebhip.Gen
weitere Informationen
File size: 203264 bytes
MD5...: 0a554ef0cda5e138ce917cac7e821673
SHA1..: cc64e05a8614f89b20fff829cd863753851cc4df
SHA256: 81e9f65faeb17bec84e86fb3b6312cb9708dcdea99147edb339f5aba0aa64a2b
ssdeep: 6144:fbbza7zW7z4ipOIf1rB0+oHK+wgLE6y/ze:zb6z0TVlBPD1Bze
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xbb4c
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0xb044 0xb200 6.39 fdffb71272ecc517a450c5ebbb15d04f
DATA 0xd000 0x21c 0x400 2.74 7bb9fb6f83822e89fe3ad5557e5d512e
BSS 0xe000 0x11e5 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x10000 0xba0 0xc00 4.68 088b5d10f853e1d2afaa21223ca9f5f8
.tls 0x11000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x12000 0x18 0x200 0.21 a270a5e1f4f71f9ddb31027f913842a2
.reloc 0x13000 0xa48 0xc00 6.22 42cc91613363ed348eb15307cc3595a4
.rsrc 0x14000 0x245b8 0x24600 7.94 044cf71fdcb6024be1d8d04f8515f0d4

( 16 imports )
> kernel32.dll: GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, ExitProcess, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetCommandLineA, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
> user32.dll: CharNextA
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegEnumValueA, RegDeleteKeyA, RegCreateKeyExA, RegCreateKeyA, RegCloseKey, OpenProcessToken, LookupAccountNameA, IsValidSid, GetUserNameA
> kernel32.dll: lstrlenA, lstrcmpiA, WriteProcessMemory, WriteFile, WaitForSingleObject, VirtualProtectEx, VirtualProtect, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, Sleep, SizeofResource, SetFilePointer, SetFileAttributesA, ReadProcessMemory, ReadFile, OpenProcess, LockResource, LoadResource, LoadLibraryA, GlobalFree, GetVersionExA, GetTickCount, GetProcAddress, GetPrivateProfileStringA, GetPrivateProfileIntA, GetModuleHandleA, GetLastError, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetCurrentProcess, FreeResource, FreeLibrary, FindResourceA, FindFirstFileA, FindClose, ExitProcess, DeleteFileA, CreateRemoteThread, CreateProcessA, CreateMutexA, CreateFileA, CreateDirectoryA, CopyFileA, CloseHandle
> user32.dll: wvsprintfA, ToAscii, SetWindowsHookExA, GetWindowThreadProcessId, GetKeyboardState, FindWindowA, CharLowerA, CharUpperA
> ole32.dll: OleInitialize, CoCreateInstance
> pstorec.dll: PStoreCreateInstance
> ole32.dll: CoTaskMemFree
> ole32.dll: StringFromCLSID
> advapi32.dll: LsaFreeMemory, LsaClose, LsaRetrievePrivateData, LsaOpenPolicy, ConvertSidToStringSidA
> shell32.dll: SHGetSpecialFolderPathA
> rasapi32.dll: RasGetEntryDialParamsA, RasEnumEntriesA
> advapi32.dll: CredEnumerateA
> crypt32.dll: CryptUnprotectData
> advapi32.dll: CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

und nun die Log nach dem vollständigen Durchlauf von MAM:

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3837
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

08.03.2010 18:15:49
mbam-log-2010-03-08 (18-15-49).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 300940
Laufzeit: 25 minute(s), 29 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 4
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 4

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{p62stcli-3kn8-12xw-65y6-uq46s4net266} (Generic.Bot.H) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Backdoor.SpyNet.M) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Backdoor.SpyNet.M) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hklm (Backdoor.SpyNet.M) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Backdoor.SpyNet.M) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\dir\install\install\server.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
C:\Users\Shao\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Users\Shao\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Shao\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.

Allerdings ist zu bemerken, dass auch wenn bei MAM "C:\dir\install\install\server.exe (Generic.Bot.H) -> Quarantined and deleted successfully." steht, dass diese Datei nach dem Neustart immer noch besteht und auch weiterhin beim Win-Start geladen wird.

Chris4You · 09.03.2010, 07:18

Hi,

dann ist noch ein Loader unterwegs...

OTL
Lade Dir OTL von Oldtimer herunter (http://filepony.de/download-otl/) und speichere es auf Deinem Desktop
* Doppelklick auf die OTL.exe
* Vista/Win7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
* Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output
* Unter Extra Registry, wähle bitte Use SafeList
* Klicke nun auf Run Scan links oben
* Wenn der Scan beendet wurde werden 2 Logfiles erstellt
* Poste die Logfiles hier in den Thread.

Dr. Web (wg. Rootkit):
http://www.trojaner-board.de/59299-anleitung-drweb-cureit.html
Nach Beendigung des Scans findes Du das Log unter %USERPROFILE%\DoctorWeb\CureIt.log.
Bevor du irgendwelche Aktionen unternimmst, kopiere bitte den Inhalt des Logs und poste ihn.
Die Log Datei ist sehr groß, ca. über 5MB Text. Benutzt einfach die Suche nach "infiziert" und kopiert betreffende Teile heraus, bevor Du sie postet.

chris

sHaoMao · 09.03.2010, 20:38

Wusste nicht das ich sooooviele Logs und Scans durchführen muss um einen Bot zu entfernen

Ich blicke eh schon lange nicht mehr durch.. hoffe das das Problem mit diesen Logs gelöst werden kann :-)

Vielen Dank übrigens schonmal für die Hilfe !!

Hier die OTL Logs, Dr. Web Logs folgen morgen:

OTL.txt

Code:

ATTFilter

OTL logfile created on: 09.03.2010 20:25:22 - Run 1
OTL by OldTimer - Version 3.1.35.0     Folder = D:\Downloads
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
8,00 Gb Total Physical Memory | 7,00 Gb Available Physical Memory | 84,00% Memory free
16,00 Gb Paging File | 15,00 Gb Available in Paging File | 91,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232,88 Gb Total Space | 172,83 Gb Free Space | 74,21% Space Free | Partition Type: NTFS
Drive D: | 232,88 Gb Total Space | 65,83 Gb Free Space | 28,27% Space Free | Partition Type: NTFS
Drive E: | 5,40 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Processes (SafeList) ==========
 
PRC - D:\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - D:\Games\Half Life 2\steam.exe (Valve Corporation)
PRC - C:\Program Files (x86)\ICQ6.5\ICQ.exe (ICQ, LLC.)
PRC - C:\Windows\SysWOW64\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Windows\SysWOW64\ASTSRV.EXE (Nalpeiron Ltd.)
 
 
========== Modules (SafeList) ==========
 
MOD - D:\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\SysWOW64\comdlg32.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - (FLEXnet Licensing Service 64) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe (Acresso Software Inc.)
SRV:64bit: - (WwanSvc) -- C:\Windows\SysNative\wwansvc.dll (Microsoft Corporation)
SRV:64bit: - (WbioSrvc) -- C:\Windows\SysNative\wbiosrvc.dll (Microsoft Corporation)
SRV:64bit: - (UmRdpService) -- C:\Windows\SysNative\umrdp.dll (Microsoft Corporation)
SRV:64bit: - (Power) -- C:\Windows\SysNative\umpo.dll (Microsoft Corporation)
SRV:64bit: - (Themes) -- C:\Windows\SysNative\themeservice.dll (Microsoft Corporation)
SRV:64bit: - (sppuinotify) -- C:\Windows\SysNative\sppuinotify.dll (Microsoft Corporation)
SRV:64bit: - (SensrSvc) -- C:\Windows\SysNative\sensrsvc.dll (Microsoft Corporation)
SRV:64bit: - (PeerDistSvc) -- C:\Windows\SysNative\PeerDistSvc.dll (Microsoft Corporation)
SRV:64bit: - (PNRPsvc) -- C:\Windows\SysNative\pnrpsvc.dll (Microsoft Corporation)
SRV:64bit: - (p2pimsvc) -- C:\Windows\SysNative\pnrpsvc.dll (Microsoft Corporation)
SRV:64bit: - (HomeGroupProvider) -- C:\Windows\SysNative\provsvc.dll (Microsoft Corporation)
SRV:64bit: - (RpcEptMapper) -- C:\Windows\SysNative\RpcEpMap.dll (Microsoft Corporation)
SRV:64bit: - (PNRPAutoReg) -- C:\Windows\SysNative\pnrpauto.dll (Microsoft Corporation)
SRV:64bit: - (HomeGroupListener) -- C:\Windows\SysNative\ListSvc.dll (Microsoft Corporation)
SRV:64bit: - (FontCache) -- C:\Windows\SysNative\FntCache.dll (Microsoft Corporation)
SRV:64bit: - (Dhcp) -- C:\Windows\SysNative\dhcpcore.dll (Microsoft Corporation)
SRV:64bit: - (defragsvc) -- C:\Windows\SysNative\defragsvc.dll (Microsoft Corporation)
SRV:64bit: - (CscService) -- C:\Windows\SysNative\cscsvc.dll (Microsoft Corporation)
SRV:64bit: - (bthserv) -- C:\Windows\SysNative\bthserv.dll (Microsoft Corporation)
SRV:64bit: - (BDESVC) -- C:\Windows\SysNative\bdesvc.dll (Microsoft Corporation)
SRV:64bit: - (AxInstSV) -- C:\Windows\SysNative\AxInstSv.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (AppIDSvc) -- C:\Windows\SysNative\appidsvc.dll (Microsoft Corporation)
SRV:64bit: - (wbengine) -- C:\Windows\SysNative\wbengine.exe (Microsoft Corporation)
SRV:64bit: - (sppsvc) -- C:\Windows\SysNative\sppsvc.exe (Microsoft Corporation)
SRV:64bit: - (Fax) -- C:\Windows\SysNative\FXSSVC.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (VSS) -- C:\Windows\Vss [2009.07.14 04:20:14 | 000,000,000 | ---D | M]
SRV - (MSDTC) -- C:\Windows\SysWOW64\Msdtc [2009.07.14 04:20:14 | 000,000,000 | ---D | M]
SRV - (HomeGroupProvider) -- C:\Windows\SysWOW64\provsvc.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\SysWOW64\dhcpcore.dll (Microsoft Corporation)
SRV - (vds) -- C:\Windows\SysWOW64\wbem\vds.mof ()
SRV - (clr_optimization_v2.0.50727_64) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (astcc) -- C:\Windows\SysWOW64\ASTSRV.EXE (Nalpeiron Ltd.)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (adfs) -- C:\Windows\SysNative\drivers\adfs.sys (Adobe Systems, Inc.)
DRV:64bit: - (AnyDVD) -- C:\Windows\SysNative\drivers\AnyDVD.sys (SlySoft, Inc.)
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys ()
DRV:64bit: - (ElbyCDIO) -- C:\Windows\SysNative\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (KSecPkg) -- C:\Windows\SysNative\drivers\ksecpkg.sys (Microsoft Corporation)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (hwpolicy) -- C:\Windows\SysNative\drivers\hwpolicy.sys (Microsoft Corporation)
DRV:64bit: - (FsDepends) -- C:\Windows\SysNative\drivers\fsdepends.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (WIMMount) -- C:\Windows\SysNative\drivers\wimmount.sys (Microsoft Corporation)
DRV:64bit: - (vhdmp) -- C:\Windows\SysNative\drivers\vhdmp.sys (Microsoft Corporation)
DRV:64bit: - (vmbus) -- C:\Windows\SysNative\drivers\vmbus.sys (Microsoft Corporation)
DRV:64bit: - (storflt) -- C:\Windows\SysNative\drivers\vmstorfl.sys (Microsoft Corporation)
DRV:64bit: - (vdrvroot) -- C:\Windows\SysNative\drivers\vdrvroot.sys (Microsoft Corporation)
DRV:64bit: - (storvsc) -- C:\Windows\SysNative\drivers\storvsc.sys (Microsoft Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (rdyboost) -- C:\Windows\SysNative\drivers\rdyboost.sys (Microsoft Corporation)
DRV:64bit: - (pcw) -- C:\Windows\SysNative\drivers\pcw.sys (Microsoft Corporation)
DRV:64bit: - (CNG) -- C:\Windows\SysNative\drivers\cng.sys (Microsoft Corporation)
DRV:64bit: - (fvevol) -- C:\Windows\SysNative\drivers\fvevol.sys (Microsoft Corporation)
DRV:64bit: - (rdpbus) -- C:\Windows\SysNative\drivers\rdpbus.sys (Microsoft Corporation)
DRV:64bit: - (RDPREFMP) -- C:\Windows\SysNative\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV:64bit: - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\SysNative\drivers\agilevpn.sys (Microsoft Corporation)
DRV:64bit: - (WfpLwf) -- C:\Windows\SysNative\drivers\wfplwf.sys (Microsoft Corporation)
DRV:64bit: - (NdisCap) -- C:\Windows\SysNative\drivers\ndiscap.sys (Microsoft Corporation)
DRV:64bit: - (vwifibus) -- C:\Windows\SysNative\drivers\vwifibus.sys (Microsoft Corporation)
DRV:64bit: - (1394ohci) -- C:\Windows\SysNative\drivers\1394ohci.sys (Microsoft Corporation)
DRV:64bit: - (HdAudAddService) -- C:\Windows\SysNative\drivers\HdAudio.sys (Microsoft Corporation)
DRV:64bit: - (UmPass) -- C:\Windows\SysNative\drivers\umpass.sys (Microsoft Corporation)
DRV:64bit: - (WinUsb) -- C:\Windows\SysNative\drivers\winusb.sys (Microsoft Corporation)
DRV:64bit: - (mshidkmdf) -- C:\Windows\SysNative\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV:64bit: - (WudfPf) -- C:\Windows\SysNative\drivers\WUDFPf.sys (Microsoft Corporation)
DRV:64bit: - (MTConfig) -- C:\Windows\SysNative\drivers\MTConfig.sys (Microsoft Corporation)
DRV:64bit: - (CompositeBus) -- C:\Windows\SysNative\drivers\CompositeBus.sys (Microsoft Corporation)
DRV:64bit: - (Beep) -- C:\Windows\SysNative\drivers\beep.sys (Microsoft Corporation)
DRV:64bit: - (AppID) -- C:\Windows\SysNative\drivers\appid.sys (Microsoft Corporation)
DRV:64bit: - (scfilter) -- C:\Windows\SysNative\drivers\scfilter.sys (Microsoft Corporation)
DRV:64bit: - (s3cap) -- C:\Windows\SysNative\drivers\vms3cap.sys (Microsoft Corporation)
DRV:64bit: - (VMBusHID) -- C:\Windows\SysNative\drivers\VMBusHID.sys (Microsoft Corporation)
DRV:64bit: - (discache) -- C:\Windows\SysNative\drivers\discache.sys (Microsoft Corporation)
DRV:64bit: - (HidBatt) -- C:\Windows\SysNative\drivers\hidbatt.sys (Microsoft Corporation)
DRV:64bit: - (CmBatt) -- C:\Windows\SysNative\drivers\CmBatt.sys (Microsoft Corporation)
DRV:64bit: - (AcpiPmi) -- C:\Windows\SysNative\drivers\acpipmi.sys (Microsoft Corporation)
DRV:64bit: - (CSC) -- C:\Windows\SysNative\drivers\csc.sys (Microsoft Corporation)
DRV:64bit: - (AmdPPM) -- C:\Windows\SysNative\drivers\amdppm.sys (Microsoft Corporation)
DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (adfs) -- C:\Windows\SysWOW64\drivers\adfs.sys (Adobe Systems, Inc.)
DRV - (AnyDVD) -- C:\Windows\SysWOW64\drivers\AnyDVD.sys (SlySoft, Inc.)
DRV - (pfc) -- C:\Windows\SysWOW64\drivers\pfc.sys (Padus, Inc.)
DRV - (CSC) -- C:\Windows\CSC [2009.11.14 10:10:08 | 000,000,000 | ---D | M]
DRV - (ElbyCDIO) -- C:\Windows\SysWOW64\ElbyCDIO.dll (Elaborate Bytes AG)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\SysWOW64\winusb.dll (Microsoft Corporation)
DRV - (NetBIOS) -- C:\Windows\SysWOW64\netbios.dll (Microsoft Corporation)
DRV - (mpsdrv) -- C:\Windows\SysWOW64\wbem\mpsdrv.mof ()
DRV - (Tcpip) -- C:\Windows\SysWOW64\wbem\tcpip.mof ()
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DB BF AF B2 34 83 CA 01  [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.google.de/"
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010.02.20 14:22:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010.03.04 16:55:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010.02.20 14:22:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010.03.04 16:55:22 | 000,000,000 | ---D | M]
 
[2009.11.14 11:08:04 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2009.11.14 11:08:04 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\4tl3a6y9.default\extensions
[2010.03.08 17:27:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions
[2009.11.03 03:14:39 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2009.11.03 03:14:39 | 000,002,344 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2009.11.03 03:14:39 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2009.11.03 03:14:39 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2009.11.03 03:14:39 | 000,000,801 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.12.01 21:54:29 | 000,000,857 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1				activate.adobe.com
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [HKLM] C:\dir\install\install\server.exe ()
O4 - HKCU..\Run: [AdobeBridge]  File not found
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [HKCU] C:\dir\install\install\server.exe ()
O4 - HKCU..\Run: [ICQ] C:\Program Files (x86)\ICQ6.5\ICQ.exe (ICQ, LLC.)
O4 - HKCU..\Run: [Steam] d:\games\half life 2\steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\dir\install\install\server.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\dir\install\install\server.exe ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6.5\ICQ.exe (ICQ, LLC.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010.02.10 02:55:59 | 000,423,304 | R--- | M] (Electronic Arts) - E:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2010.02.10 07:21:09 | 000,000,000 | ---D | M] - E:\Autorun -- [ CDFS ]
O32 - AutoRun File - [2010.01.31 09:21:13 | 000,367,686 | R--- | M] () - E:\Autorun.ico -- [ CDFS ]
O32 - AutoRun File - [2010.02.10 03:55:03 | 009,965,568 | R--- | M] () - E:\autorun.dat -- [ CDFS ]
O32 - AutoRun File - [2010.02.10 03:54:55 | 000,000,155 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{67436c56-d0fd-11de-9f74-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{67436c56-d0fd-11de-9f74-806e6f6e6963}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- [2010.02.10 02:55:59 | 000,423,304 | R--- | M] (Electronic Arts)
O33 - MountPoints2\{fcfb5fe3-d1f5-11de-9407-00508db3a509}\Shell - "" = AutoRun
O33 - MountPoints2\{fcfb5fe3-d1f5-11de-9407-00508db3a509}\Shell\AutoRun\command - "" = H:\Setup.EXE -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010.03.07 14:26:35 | 000,000,000 | ---D | C] -- C:\Programme\Adobe
[2010.03.07 14:22:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Macrovision Shared
[2010.03.07 14:21:12 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Macrovision Shared
[2010.03.07 13:52:55 | 000,000,000 | ---D | C] -- C:\AdobeTemp
[2010.03.07 13:52:29 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010.03.06 20:43:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CCleaner
[2010.03.06 20:39:05 | 000,000,000 | ---D | C] -- C:\dir
[2010.03.06 17:50:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TrendMicro
[2010.03.04 17:43:00 | 000,000,000 | ---D | C] -- C:\Users\***\Documents\BFBC2
[2010.03.02 11:56:32 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\TS3Client
[2010.03.02 11:56:02 | 000,000,000 | ---D | C] -- C:\Programme\TeamSpeak 3 Client
[2010.02.28 17:38:28 | 000,102,400 | ---- | C] (Blizzard Entertainment) -- C:\Windows\DIIUnin.exe
[2010.02.26 19:48:51 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010.02.26 19:47:19 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010.02.26 16:23:00 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2010.02.26 16:23:00 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2010.02.26 16:23:00 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2010.02.26 16:23:00 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2010.02.26 16:23:00 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2010.02.26 16:23:00 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2010.02.26 16:22:53 | 000,960,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\CPFilters.dll
[2010.02.26 16:22:53 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\CPFilters.dll
[2010.02.26 16:22:53 | 000,613,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\psisdecd.dll
[2010.02.26 16:22:53 | 000,552,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msdri.dll
[2010.02.26 16:22:53 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\psisdecd.dll
[2010.02.26 16:22:53 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MSNP.ax
[2010.02.26 16:22:53 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSNP.ax
[2010.02.26 16:22:52 | 000,852,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2010.02.26 16:22:52 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2010.02.24 19:55:35 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Mumble
[2010.02.24 19:55:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mumble
[2010.02.23 17:37:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010.02.23 17:37:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010.02.18 16:55:48 | 001,572,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\quartz.dll
[2010.02.18 16:55:48 | 001,328,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\quartz.dll
[2010.02.18 16:55:48 | 000,091,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\avifil32.dll
[2010.02.18 16:55:48 | 000,084,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mciavi32.dll
[2010.02.18 16:55:48 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iyuv_32.dll
[2010.02.18 16:55:48 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msvidc32.dll
[2010.02.18 16:55:48 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msyuv.dll
[2010.02.18 16:55:48 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msrle32.dll
[2010.02.18 16:55:48 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\tsbyuv.dll
[2010.02.18 16:55:47 | 000,424,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc.dll
[2010.02.18 16:55:47 | 000,422,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc_isv.dll
[2010.02.18 16:55:47 | 000,369,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc.dll
[2010.02.18 16:55:47 | 000,365,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc_isv.dll
[2010.02.18 16:55:47 | 000,357,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate_isv.exe
[2010.02.18 16:55:47 | 000,356,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate.exe
[2010.02.18 16:55:47 | 000,324,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate_isv.exe
[2010.02.18 16:55:47 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate.exe
[2010.02.18 16:55:47 | 000,306,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate_ssp.exe
[2010.02.18 16:55:47 | 000,305,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate_ssp_isv.exe
[2010.02.18 16:55:47 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate_ssp.exe
[2010.02.18 16:55:47 | 000,277,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate_ssp_isv.exe
[2010.02.18 16:55:47 | 000,121,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc_ssp_isv.dll
[2010.02.18 16:55:47 | 000,121,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc_ssp.dll
[2010.02.18 16:55:47 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc_ssp_isv.dll
[2010.02.18 16:55:47 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc_ssp.dll
[2010.02.10 22:06:38 | 000,000,000 | ---D | C] -- C:\Users\***\Documents\Bioshock2
[2010.02.10 22:06:38 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Bioshock2
[2010.02.10 22:03:53 | 000,000,000 | -HSD | C] -- C:\ProgramData\SecuROM
[2010.02.10 16:20:35 | 000,000,000 | ---D | C] -- C:\Programme\iTunes
[2010.02.10 16:20:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2010.02.10 16:20:35 | 000,000,000 | ---D | C] -- C:\Programme\iPod
[2 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\***\AppData\Roaming\*.tmp files -> C:\Users\***\AppData\Roaming\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2010.03.09 20:26:16 | 002,621,440 | -HS- | M] () -- C:\Users\***\NTUSER.DAT
[2010.03.09 20:24:42 | 000,004,043 | -H-- | M] () -- C:\Users\***\AppData\Roaming\logs.dat
[2010.03.09 19:14:35 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010.03.09 19:14:35 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010.03.09 19:14:01 | 001,472,002 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010.03.09 19:14:01 | 000,643,628 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2010.03.09 19:14:01 | 000,606,992 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010.03.09 19:14:01 | 000,126,188 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2010.03.09 19:14:01 | 000,103,370 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010.03.09 19:09:31 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.03.09 19:09:28 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.03.09 19:09:23 | 2146,295,807 | -HS- | M] () -- C:\hiberfil.sys
[2010.03.08 18:19:06 | 009,366,431 | -H-- | M] () -- C:\Users\***\AppData\Local\IconCache.db
[2010.03.08 17:02:33 | 002,952,736 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010.03.07 18:58:39 | 000,215,128 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2010.03.07 18:58:39 | 000,215,128 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2010.03.07 14:28:49 | 000,084,528 | ---- | M] () -- C:\Users\***\AppData\Local\GDIPFONTCACHEV1.DAT
[2010.03.07 03:01:40 | 000,075,064 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2010.03.06 20:46:41 | 000,000,672 | ---- | M] () -- C:\cc_20100306_204638.reg
[2010.03.06 20:46:12 | 000,006,416 | ---- | M] () -- C:\cc_20100306_204609.reg
[2010.03.06 20:45:55 | 000,028,880 | ---- | M] () -- C:\cc_20100306_204546.reg
[2010.03.06 20:44:02 | 000,001,873 | ---- | M] () -- C:\Users\***\Desktop\CCleaner.lnk
[2010.03.06 17:50:46 | 000,002,969 | ---- | M] () -- C:\Users\***\Desktop\HiJackThis.lnk
[2010.03.05 17:41:20 | 000,000,785 | ---- | M] () -- C:\Users\***\Desktop\Battlefield Bad Company 2.lnk
[2010.03.04 17:11:11 | 002,434,856 | ---- | M] () -- C:\Windows\SysWow64\pbsvc_bc2.exe
[2010.03.04 16:55:39 | 000,086,584 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysNative\drivers\adfs.sys
[2010.03.04 16:55:38 | 000,073,312 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWow64\drivers\adfs.sys
[2010.03.02 13:19:51 | 000,032,035 | ---- | M] () -- C:\Windows\DIIUnin.dat
[2010.03.02 11:56:03 | 000,000,967 | ---- | M] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2010.02.28 17:44:31 | 000,021,840 | ---- | M] () -- C:\Windows\SysWow64\SIntfNT.dll
[2010.02.28 17:44:31 | 000,017,212 | ---- | M] () -- C:\Windows\SysWow64\SIntf32.dll
[2010.02.28 17:44:31 | 000,012,067 | ---- | M] () -- C:\Windows\SysWow64\SIntf16.dll
[2010.02.28 17:40:20 | 000,001,578 | ---- | M] () -- C:\Users\***\Desktop\Diablo II - Lord of Destruction.lnk
[2010.02.28 17:38:29 | 000,001,578 | ---- | M] () -- C:\Users\Public\Desktop\Diablo II.lnk
[2010.02.28 17:38:28 | 000,102,400 | ---- | M] (Blizzard Entertainment) -- C:\Windows\DIIUnin.exe
[2010.02.28 17:38:28 | 000,002,829 | ---- | M] () -- C:\Windows\DIIUnin.pif
[2010.02.24 19:58:58 | 000,002,388 | ---- | M] () -- C:\Users\***\Documents\MumbleAutomaticCertificateBackup.p12
[2010.02.24 19:55:35 | 000,000,984 | ---- | M] () -- C:\Users\Public\Desktop\Mumble (Abwärtskompatibel).lnk
[2010.02.24 19:55:35 | 000,000,967 | ---- | M] () -- C:\Users\Public\Desktop\Mumble.lnk
[2010.02.23 17:37:04 | 000,000,997 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.02.16 22:44:13 | 000,000,812 | ---- | M] () -- C:\Users\***\Desktop\Counter-Strike Source.lnk
[2010.02.10 22:48:28 | 000,001,487 | ---- | M] () -- C:\Users\***\Desktop\BioShock 2.lnk
[2010.02.10 16:20:42 | 000,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\***\AppData\Roaming\*.tmp files -> C:\Users\***\AppData\Roaming\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010.03.06 20:46:40 | 000,000,672 | ---- | C] () -- C:\cc_20100306_204638.reg
[2010.03.06 20:46:11 | 000,006,416 | ---- | C] () -- C:\cc_20100306_204609.reg
[2010.03.06 20:45:51 | 000,028,880 | ---- | C] () -- C:\cc_20100306_204546.reg
[2010.03.06 20:43:04 | 000,001,873 | ---- | C] () -- C:\Users\***\Desktop\CCleaner.lnk
[2010.03.06 17:50:46 | 000,002,969 | ---- | C] () -- C:\Users\***\Desktop\HiJackThis.lnk
[2010.03.05 17:41:20 | 000,000,785 | ---- | C] () -- C:\Users\***\Desktop\Battlefield Bad Company 2.lnk
[2010.03.02 11:56:03 | 000,000,967 | ---- | C] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2010.03.01 07:54:24 | 000,285,774 | ---- | C] () -- C:\Windows\EasyLoad.exe
[2010.02.28 17:41:57 | 000,021,840 | ---- | C] () -- C:\Windows\SysWow64\SIntfNT.dll
[2010.02.28 17:41:57 | 000,017,212 | ---- | C] () -- C:\Windows\SysWow64\SIntf32.dll
[2010.02.28 17:41:57 | 000,012,067 | ---- | C] () -- C:\Windows\SysWow64\SIntf16.dll
[2010.02.28 17:40:20 | 000,001,578 | ---- | C] () -- C:\Users\***\Desktop\Diablo II - Lord of Destruction.lnk
[2010.02.28 17:38:29 | 000,032,035 | ---- | C] () -- C:\Windows\DIIUnin.dat
[2010.02.28 17:38:29 | 000,001,578 | ---- | C] () -- C:\Users\Public\Desktop\Diablo II.lnk
[2010.02.28 17:38:28 | 000,002,829 | ---- | C] () -- C:\Windows\DIIUnin.pif
[2010.02.24 19:58:58 | 000,002,388 | ---- | C] () -- C:\Users\***\Documents\MumbleAutomaticCertificateBackup.p12
[2010.02.24 19:55:35 | 000,000,984 | ---- | C] () -- C:\Users\Public\Desktop\Mumble (Abwärtskompatibel).lnk
[2010.02.24 19:55:35 | 000,000,967 | ---- | C] () -- C:\Users\Public\Desktop\Mumble.lnk
[2010.02.23 17:37:04 | 000,000,997 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.02.10 22:48:28 | 000,001,487 | ---- | C] () -- C:\Users\***\Desktop\BioShock 2.lnk
[2010.02.10 16:20:42 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2009.12.20 00:22:08 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009.12.06 20:14:07 | 000,000,600 | ---- | C] () -- C:\Users\***\AppData\Roaming\winscp.rnd
[2009.12.01 22:05:56 | 000,003,584 | ---- | C] () -- C:\Users\***\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.11.06 10:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2009.08.03 00:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2009.08.03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2009.08.03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2009.07.14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009.07.13 22:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2005.08.08 21:51:53 | 000,004,043 | -H-- | C] () -- C:\Users\***\AppData\Roaming\logs.dat
[2002.03.21 15:39:02 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\UNACEV2.DLL
< End of report >

Extras.txt

Code:

ATTFilter

OTL Extras logfile created on: 09.03.2010 20:25:22 - Run 1
OTL by OldTimer - Version 3.1.35.0     Folder = D:\Downloads
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
8,00 Gb Total Physical Memory | 7,00 Gb Available Physical Memory | 84,00% Memory free
16,00 Gb Paging File | 15,00 Gb Available in Paging File | 91,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232,88 Gb Total Space | 172,83 Gb Free Space | 74,21% Space Free | Partition Type: NTFS
Drive D: | 232,88 Gb Total Space | 65,83 Gb Free Space | 28,27% Space Free | Partition Type: NTFS
Drive E: | 5,40 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [ACDBrowse] -- "C:\Program Files (x86)\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" "%1" (ACD Systems Ltd.)
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDBrowse] -- "C:\Program Files (x86)\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" "%1" (ACD Systems Ltd.)
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
========== Authorized Applications List ==========
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{295CFB7C-A57E-4313-93E7-68E7CE1D0332}" = Adobe WinSoft Linguistics Plugin x64
"{2D74E972-5A85-44DC-9193-8A302BA8C181}" = Photoshop Camera Raw_x64
"{39107B20-EA1C-4974-881C-607300BB3C99}" = MobileMe Control Panel
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{6631325A-9B1B-4EE7-8E64-8CC4A6F10643}" = Adobe Fonts All x64
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8875A1C0-6308-4790-8CF6-D34E89880052}" = Adobe Linguistics CS4 x64
"{887797BF-37A5-4199-B0C9-0D38D6196E9A}" = Adobe Anchor Service x64 CS4
"{8C8D673B-20FB-43E6-BCB7-9B3F78F2E762}" = Adobe Type Support x64 CS4
"{8DAA31EB-6830-4006-A99F-4DF8AB24714F}" = Adobe CSI CS4 x64
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2007
"{90BA8112-80B3-4617-A3C1-BD2771B60F74}" = Adobe CMaps x64 CS4
"{9EFC40E3-5F31-4F75-8445-286273F74D8E}" = Apple Mobile Device Support
"{A3454894-144A-4D80-B605-C128FE0D7329}" = Adobe Drive CS4 x64
"{B812FCC0-6192-4BFA-A9C6-1E8578F255DA}" = iTunes
"{D40172D6-CE2D-4B72-BF5F-26A04A900B7B}" = Adobe Photoshop CS4 (64 Bit)
"{DAE239CE-EB9D-4EB3-B0D4-528D6BAA48FD}" = Bonjour
"{DFFABE78-8173-4E97-9C5C-22FB26192FC5}" = Adobe PDF Library Files x64 CS4
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"WinRAR archiver" = WinRAR
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{098A2A49-7CF3-4F08-A38D-FB879117152A}" = Adobe Color NA Extra Settings CS4
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0DC0E85F-36E4-463B-B3EA-4CD8ED2222A1}" = Adobe Color EU Recommended Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{2DFAC810-6DD8-4E23-96A4-BEB118408203}" = Mask Pro 4.1
"{32C7FDDF-8D18-4B29-B81A-CDA512093274}" = Intellihance Pro 4.2
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A8B461A-9336-4CF9-98F4-14DD38E673F0}" = BioShock 2
"{4E79A60F-15D2-4BEC-91AD-E41EC42E61B0}" = Batman: Arkham Asylum
"{52B65911-1559-4ED5-9461-46957FDD48CD}" = Borderlands
"{5F073685-ADDB-4D5A-98E9-0F795989A57F}" = PhotoFrame Pro 3.1
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7AE25201-3E12-4FA2-9E65-67CD475D9263}" = ACDSee 9 Foto-Manager
"{7C723788-585C-4537-92AC-CF616209197C}" = PhotoTune 2
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{8AEA4BE2-2B52-41C0-BB7D-9F2D17AF1031}" = Nero 8
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9EB46587-4354-411C-BBAC-A9BBB2131F3D}" = FocalPoint 1.0
"{AC38B36B-90F8-4C1F-8AC9-236B851B8871}" = Genuine Fractals 5.0
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B0198F7E-9D0D-4F94-B241-D943505DE194}" = Command and Conquer 4 Beta
"{B01DD5B7-9862-43D7-BCA3-7882A17E4328}" = PhotoTools 1.0 Professional Edition
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"AnyDVD" = AnyDVD
"Call of Duty Modern Warfare 2_is1" = Call of Duty Modern Warfare 2
"CCleaner" = CCleaner
"CloneDVD2" = CloneDVD2
"Diablo II" = Diablo II
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FL Studio 9" = FL Studio 9
"Hardcore" = Hardcore
"IL Download Manager" = IL Download Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MKVtoolnix" = MKVtoolnix 2.9.8
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"Mumble" = Mumble and Murmur
"OpenAL" = OpenAL
"PoiZone" = PoiZone
"PokerStars.net" = PokerStars.net
"PunkBusterSvc" = PunkBuster Services
"Sawer" = Sawer
"Steam App 240" = Counter-Strike: Source
"Steam App 550" = Left 4 Dead 2
"Steam App 563" = Left 4 Dead 2 Authoring Tools
"Steam App 564" = Left 4 Dead 2 Add-on Support
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"Toxic Biohazard" = Toxic Biohazard
"VLC media player" = VLC media player 1.0.3
"Warcraft III" = Warcraft III
"Winamp" = Winamp
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Warcraft III" = Warcraft III: All Products
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 07.03.2010 07:17:06 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x00000000  ID des fehlerhaften
 Prozesses: 0x440  Startzeit der fehlerhaften Anwendung: 0x01cabde7b794e6e5  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: f5eee891-29da-11df-a55f-00508db3a509
 
Error - 08.03.2010 12:02:54 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x00000000  ID des fehlerhaften
 Prozesses: 0xb8c  Startzeit der fehlerhaften Anwendung: 0x01cabed8cd8f4b6e  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: 0d77e66d-2acc-11df-85bd-00508db3a509
 
Error - 08.03.2010 12:02:54 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x00000000  ID des fehlerhaften
 Prozesses: 0xb00  Startzeit der fehlerhaften Anwendung: 0x01cabed8cd7b0771  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: 0d77bf5d-2acc-11df-85bd-00508db3a509
 
Error - 08.03.2010 13:20:14 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc00000fd  Fehleroffset: 0x7447e2c4  ID des fehlerhaften
 Prozesses: 0xbcc  Startzeit der fehlerhaften Anwendung: 0x01cabee39b154811  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: db6905d2-2ad6-11df-98ca-00508db3a509
 
Error - 08.03.2010 13:20:14 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x00000000  ID des fehlerhaften
 Prozesses: 0xbd4  Startzeit der fehlerhaften Anwendung: 0x01cabee39b226500  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: db6b8f3c-2ad6-11df-98ca-00508db3a509
 
Error - 08.03.2010 13:20:14 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x00000000  ID des fehlerhaften
 Prozesses: 0xbdc  Startzeit der fehlerhaften Anwendung: 0x01cabee39b226500  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: db6b682c-2ad6-11df-98ca-00508db3a509
 
Error - 09.03.2010 14:09:44 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x00000000  ID des fehlerhaften
 Prozesses: 0xb88  Startzeit der fehlerhaften Anwendung: 0x01cabfb3b01d9a56  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: f03a5bdb-2ba6-11df-b611-00508db3a509
 
Error - 09.03.2010 14:09:44 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc00000fd  Fehleroffset: 0x7432e284  ID des fehlerhaften
 Prozesses: 0x96c  Startzeit der fehlerhaften Anwendung: 0x01cabfb3af0bb834  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: f0392aae-2ba6-11df-b611-00508db3a509
 
Error - 09.03.2010 14:09:44 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x00000000  ID des fehlerhaften
 Prozesses: 0xb80  Startzeit der fehlerhaften Anwendung: 0x01cabfb3b01d9a56  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: f03a82eb-2ba6-11df-b611-00508db3a509
 
Error - 09.03.2010 14:09:44 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: explorer.exe, Version: 6.1.7600.16450,
 Zeitstempel: 0x4aeba271  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x00000000  ID des fehlerhaften
 Prozesses: 0xb90  Startzeit der fehlerhaften Anwendung: 0x01cabfb3b01d9a56  Pfad der
 fehlerhaften Anwendung: C:\Windows\SysWOW64\explorer.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: f03b8d08-2ba6-11df-b611-00508db3a509
 
[ System Events ]
Error - 07.03.2010 07:16:49 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
Error - 08.03.2010 12:02:18 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
Error - 08.03.2010 12:02:18 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
Error - 08.03.2010 12:02:19 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
Error - 08.03.2010 13:19:51 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
Error - 08.03.2010 13:19:51 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
Error - 08.03.2010 13:19:53 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
Error - 09.03.2010 14:09:24 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
Error - 09.03.2010 14:09:24 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
Error - 09.03.2010 14:09:26 | Computer Name = ***-PC | Source = Application Popup | ID = 1060
Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\drivers\pfc.sys
 nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
 des Treibers zu erhalten.
 
 
< End of report >

ps. habe meine Namen zur Sicherheit entfernt.

Chris4You · 10.03.2010, 08:34

Hi,

dann wollen wir mal:

Doppelklick auf die OTL.exe, um das Programm auszuführen.

Vista/Win7-User bitte per Rechtsklick und "Ausführen als Administrator" starten.

Kopiere den Inhalt der folgenden Codebox komplett in die OTL-Box unter "Custom Scan/Fixes"

Code:

ATTFilter

:OTL
O4 - HKLM..\Run: [HKLM] C:\dir\install\install\server.exe 
O4 - HKCU..\Run: [HKCU] C:\dir\install\install\server.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\dir\install\install\server.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\dir\install\install\server.exe ()
:Commands
[emptytemp]
[Reboot]

Den roten Run Fixes! Button anklicken.

Bitte alles aus dem Ergebnisfenster (Results) herauskopieren.

Eine Kopie eines OTL-Fix-Logs wird in einer Textdatei in folgendem Ordner gespeichert:

%systemroot%\_OTL

Poste dann auch noch das Log von Dr. Web...

chris

sHaoMao · 10.03.2010, 17:55

Also ich denke ich hab gute Ergebnisse..

hier die OTL LOG

Code:

ATTFilter

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HKLM deleted successfully.
C:\dir\install\install\server.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\HKCU deleted successfully.
File C:\dir\install\install\server.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\Policies deleted successfully.
File C:\dir\install\install\server.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\Policies deleted successfully.
File C:\dir\install\install\server.exe not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: Shao
->Temp folder emptied: 1537174 bytes
->Temporary Internet Files folder emptied: 7504652 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 94199713 bytes
->Flash cache emptied: 2808 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 1618992 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4570 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50300 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 100,00 mb
 
 
OTL by OldTimer - Version 3.1.35.0 log created on 03102010_144707

Anschließend habe ich DrWeb EWIG (!!!) laufen gelassen und dieser hat keine infizierten gefunden.

Dann habe ich nochmal OTL laufen gelassen und das Ergebnis:

Code:

ATTFilter

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HKLM not found.
File C:\dir\install\install\server.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\HKCU not found.
File C:\dir\install\install\server.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\Policies not found.
File C:\dir\install\install\server.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\Policies not found.
File C:\dir\install\install\server.exe not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: Shao
->Temp folder emptied: 1204 bytes
->Temporary Internet Files folder emptied: 857537 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 12203561 bytes
->Flash cache emptied: 434 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 12,00 mb
 
 
OTL by OldTimer - Version 3.1.35.0 log created on 03102010_145244

Der Ordner und die server.exe sind entfernt, tauchen auch nicht wieder auf. Allerdings steht es in den Run-Diensten bei msconfig immernoch drin. Kann ich diese auch irgendwie entfernen?

Danke übrigens für die Problemlösung

:

Chris4You · 10.03.2010, 21:21

Hi,

* Starte die OTL.exe (Vista/Win7-User mit Rechtsklick "als Administrator starten")
* Kopiere nun den Inhalt in die Textbox custom scan/fixes.

Code:

ATTFilter

msconfig
safebootminimal
safebootnetwork
activex
drivers32

* Schliesse bitte nun alle Programme. (Wichtig)
* Klicke nun bitte auf den Quick Scan Button.
* Klick auf OK.
* Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in den Thread

chris

HKCU/HKLM - C:\dir\install\server.exe

Log-Analyse und Auswertung: HKCU/HKLM - C:\dir\install\server.exe