Log analysis and evaluation: Stubborn Trojan (Windows 7 forum)
Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
23.03.2010, 23:09 #1
Stubborn Trojan

Hi, I have a small, or maybe a big, Trojan problem. For a few days now my virus scanner avast! has been finding a virus called Win32:VB-ORG[trj] every time the PC boots. Path of the infected file: C:\DOKUME~1\Marc.Z\LOKALE~1\Temp\setupv.exe. I've already tried to remove it with Trojan Remover, but unfortunately without success. I've also run HijackThis; here is the log file:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:07:40, on 23.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\SOUNDMAN.EXE
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Pando Networks\Media Booster\PMB.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS.0\system32\CTsvcCDA.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Programme\LogMeIn Hamachi\hamachi-2.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\MsPMSPSv.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Steam\Steam.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2427995
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Comoestamos Toolbar - {dffd3710-4709-4976-b713-aebe3550ad82} - C:\Programme\Comoestamos\tbCom1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Comoestamos Toolbar - {dffd3710-4709-4976-b713-aebe3550ad82} - C:\Programme\Comoestamos\tbCom1.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Comoestamos Toolbar - {dffd3710-4709-4976-b713-aebe3550ad82} - C:\Programme\Comoestamos\tbCom1.dll
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS.0\system32\winsys2.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Programme\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS.0\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] "C:\Programme\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Programme\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pando Media Booster] C:\Programme\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [ESL Wire] "C:\Programme\EslWire\wire.exe" --tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: kav7.0.1.325en.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261766515558
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Programme\Gemeinsame Dateien\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS.0\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Programme\Creative\Shared Files\CTAudSvc.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Programme\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.0\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 8706 bytes

Hope one of you can help me.
Regards
24.03.2010, 07:43 #2
Hi,

Please check the following files. Have the files checked online:

Code:
C:\Programme\Comoestamos\tbCom1.dll
kav7.0.1.325en.exe (search for it; it may be in C:\WINDOWS.0\System32 or C:\WINDOWS.0)

Avenger instructions (by swandog46)

1.) Download the tool Avenger and save it to the desktop:
2.) Set up the program as shown in the picture. Now copy the following text into the white box (under -> "input script here"):

Code:
Files to delete:
C:\DOKUME~1\Marc.Z\LOKALE~1\Temp\setupv.exe

Folders to delete:
C:\DOKUME~1\Marc.Z\LOKALE~1\Temp

4.) To start Avenger, click on -> Execute. Then confirm with "Yes" that the computer will restart!
5.) After the system has restarted, you will find a report from Avenger here -> C:\avenger.txt. Open the file with Editor (Notepad) and copy the whole text into your post here on the Trojaner-Board.

HijackThis, fixing: open HijackThis -- button "Scan" -- tick the boxes in front of the following entries -- button "Fix checked" -- restart the PC. All programs must be closed while fixing! (If present, disable Spybot's TeaTimer as follows: Mode --> Advanced mode --> Yes --> Tools --> Resident --> remove the tick from "Resident "TeaTimer" (Protection of all system settings)" --> exit)

Code:
R3 - URLSearchHook: Comoestamos Toolbar - {dffd3710-4709-4976-b713-aebe3550ad82} - C:\Programme\Comoestamos\tbCom1.dll
O2 - BHO: Comoestamos Toolbar - {dffd3710-4709-4976-b713-aebe3550ad82} - C:\Programme\Comoestamos\tbCom1.dll
O3 - Toolbar: Comoestamos Toolbar - {dffd3710-4709-4976-b713-aebe3550ad82} - C:\Programme\Comoestamos\tbCom1.dll

Instructions & download here: http://www.trojaner-board.de/51187-m...i-malware.html
If the download doesn't work, please download a generic version from here: http://filepony.de/download-chameleon/
Then please update the signature files (tab "Update" -> "Check for updates"), run a full scan and let it clean everything! Post the log.

OTL
Download OTL by OldTimer (http://filepony.de/download-otl/) and save it to your desktop.

GMER: http://www.trojaner-board.de/74908-a...t-scanner.html
You will find the download link at the top left (http://www.gmer.net/#files); click the "Download EXE" button there. A random file name is generated (please remember that name and the path where you saved it). Start GMER and see whether it already reports something. If it does, answer all questions with "No", go to the "Rootkit" tab, again answer the question with "No", and paste the report into the thread using Copy. If it reports nothing, go to the Rootkit tab and run a scan. When it has finished, choose Copy and paste the report.

chris
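The triage chris does by hand in the post above (spotting the one CLSID that is registered as URLSearchHook, BHO and Toolbar at the same time, the autostart dropped into the user's Startup folder, the Temp-path executable, and the service whose binary is gone) can be scripted against a HijackThis v2 log. The block below is an added example by the editor; it is not code from this thread, from HijackThis or from Trend Micro. The sample log is a constructed excerpt modelled on the entries quoted in post #1, and the trusted-host allowlist and the heuristics are the editor's assumptions, not a HijackThis feature.

```python
"""Triage of a HijackThis v2 log: correlate CLSIDs across R3/O2/O3 entries,
flag autostarts in Temp or the Startup folder, flag hijacked IE start/search
pages, and note services whose binary is gone.

Added example; not code from the thread, from HijackThis or from Trend Micro.
The heuristics and the trusted-host allowlist are the editor's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the entries quoted in post #1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2427995
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Comoestamos Toolbar - {dffd3710-4709-4976-b713-aebe3550ad82} - C:\Programme\Comoestamos\tbCom1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Comoestamos Toolbar - {dffd3710-4709-4976-b713-aebe3550ad82} - C:\Programme\Comoestamos\tbCom1.dll
O3 - Toolbar: Comoestamos Toolbar - {dffd3710-4709-4976-b713-aebe3550ad82} - C:\Programme\Comoestamos\tbCom1.dll
O4 - HKLM\..\Run: [avast!] "C:\Programme\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Programme\Trojan Remover\Trjscan.exe /boot
O4 - Startup: kav7.0.1.325en.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.0\system32\GameMon.des.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Defanged schemes such as hxxp:// are matched too.
HOST_RE = re.compile(r"=\s*[a-z]+://([^/?#\s]+)", re.IGNORECASE)

# Hosts the IE defaults legitimately point at (editor's allowlist, assumed).
TRUSTED_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
# Entry kinds that register a browser extension: URLSearchHook, BHO, Toolbar.
BROWSER_EXT_KINDS = {"R3", "O2", "O3"}
PAGE_KEYS = ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL")


def parse(log_text):
    """Return (kind, body, raw_line) for every 'Rn - ...' / 'On - ...' entry."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("kind"), m.group("body"), raw))
    return entries


def triage(log_text):
    """Return {'fix': [lines to tick under Fix checked], 'notes': [dead services]}."""
    entries = parse(log_text)
    fix, notes = [], []

    # A CLSID that shows up under two or more of R3/O2/O3 is one component
    # hooked into IE in several places at once: the toolbar fingerprint.
    by_clsid = defaultdict(list)
    for kind, body, raw in entries:
        if kind in BROWSER_EXT_KINDS:
            for clsid in CLSID_RE.findall(body):
                by_clsid[clsid.lower()].append((kind, raw))
    for hits in by_clsid.values():
        if len({kind for kind, _ in hits}) >= 2:
            fix.extend(raw for _, raw in hits)

    for kind, body, raw in entries:
        if kind in ("R0", "R1") and any(key in body for key in PAGE_KEYS):
            # Start/search page pointing somewhere other than the IE defaults.
            m = HOST_RE.search(body)
            if m and m.group(1).lower() not in TRUSTED_HOSTS:
                fix.append(raw)
        elif kind == "O4" and (body.startswith("Startup:")
                               or re.search(r"\\temp\\", body, re.IGNORECASE)):
            # Autostart dropped into the user's Startup folder or run from Temp.
            fix.append(raw)
        elif kind == "O23" and "(file missing)" in body:
            # Registered service whose binary no longer exists: it cannot run,
            # so it is worth noting but is not a fix target.
            notes.append(raw)
    return {"fix": fix, "notes": notes}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Fix checked:")
    print("\n".join(result["fix"]))
    print("Notes:")
    print("\n".join(result["notes"]))
```

On the sample, the fix list is exactly the three Comoestamos lines chris asks to tick, plus the search.conduit.com start page and the Startup-folder entry kav7.0.1.325en.exe; the Spybot BHO is left alone because its CLSID is hooked into IE in only one place, and the GameGuard service is only noted because a service whose binary is missing cannot run. Paste a real log into SAMPLE_LOG (or read it from a file) to run it against a full report.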
24.03.2010, 20:26 #3
Have the files checked online:

When scanning the file "C:\Programme\Comoestamos\tbCom1.dll", this is what came out:

Code:
Antivirus          Version          Last update   Result
a-squared          4.5.0.50         2010.03.24    -
AhnLab-V3          5.0.0.2          2010.03.24    -
AntiVir            8.2.1.196        2010.03.24    -
Antiy-AVL          2.0.3.7          2010.03.24    -
Authentium         5.2.0.5          2010.03.24    -
Avast              4.8.1351.0       2010.03.24    -
Avast5             5.0.332.0        2010.03.24    -
AVG                9.0.0.787        2010.03.24    -
BitDefender        7.2              2010.03.24    -
CAT-QuickHeal      10.00            2010.03.24    -
ClamAV             0.96.0.0-git     2010.03.24    -
Comodo             4370             2010.03.24    -
DrWeb              5.0.1.12222      2010.03.24    -
eSafe              7.0.17.0         2010.03.24    -
eTrust-Vet         35.2.7386        2010.03.24    -
F-Prot             4.5.1.85         2010.03.23    -
F-Secure           9.0.15370.0      2010.03.24    -
Fortinet           4.0.14.0         2010.03.24    -
GData              19               2010.03.24    -
Ikarus             T3.1.1.80.0      2010.03.24    -
Jiangmin           13.0.900         2010.03.24    -
K7AntiVirus        7.10.1004        2010.03.22    -
Kaspersky          7.0.0.125        2010.03.24    -
McAfee             5930             2010.03.24    -
McAfee+Artemis     5930             2010.03.24    -
McAfee-GW-Edition  6.8.5            2010.03.24    -
Microsoft          1.5605           2010.03.24    -
NOD32              4971             2010.03.24    -
Norman             6.04.10          2010.03.24    -
nProtect           2009.1.8.0       2010.03.24    -
Panda              10.0.2.2         2010.03.24    -
PCTools            7.0.3.5          2010.03.24    -
Prevx              3.0              2010.03.24    -
Rising             22.40.02.03      2010.03.24    -
Sophos             4.51.0           2010.03.24    -
Sunbelt            6031             2010.03.22    -
Symantec           20091.2.0.41     2010.03.24    -
TheHacker          6.5.2.0.242      2010.03.24    -
TrendMicro         9.120.0.1004     2010.03.24    -
VBA32              3.12.12.2        2010.03.24    -
ViRobot            2010.3.24.2242   2010.03.24    -
VirusBuster        5.0.27.0         2010.03.24    -

Additional information
File size: 2349080 bytes
MD5...: 455e61a2cf37f7210df685e2b77bfbe3
SHA1..: 4e8bc33c6dfbdd9727988eb0aa95af115c08fa8f
SHA256: 1429bb65815378be477091733036bf346c2030d3cec57b9ce55010c8ff21e3f0
ssdeep: 49152:GYqHRU4WtsufiSkJ9Z9gfU4zG+zWxK7/xrFbAvzVQQiFimvB25:GT0tNiZvMfhLzWxKjshB
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1173a0
timedatestamp.....: 0x4b3c74b0 (Thu Dec 31 09:53:52 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name    viradd    virsiz    rawdsiz   ntrpy  md5
.text   0x1000    0x1474f3  0x147600  6.60   130952ab5ca68491e3eb9afeb2f72268
.rdata  0x149000  0x74aa7   0x74c00   4.54   63901788510b8530f57c16d50e880945
.data   0x1be000  0x8584    0x6400    4.93   8dfa9c2f6d1b7fd5e0460812beebdaae
.rsrc   0x1c7000  0x5d168   0x5d200   5.97   4efdce3958de3ada93cb3e307af88510
.reloc  0x225000  0x1cfde   0x1d000   5.94   587570a59b7f4d5776c873b3af757d7c

( 20 imports )
> COMCTL32.dll: _TrackMouseEvent, -, InitCommonControlsEx, CreateToolbarEx, PropertySheetW, CreatePropertySheetPageW, ImageList_ReplaceIcon, ImageList_Create
> WININET.dll: InternetCanonicalizeUrlW, InternetCrackUrlW, InternetCloseHandle, InternetSetOptionA, FindFirstUrlCacheEntryA, FindNextUrlCacheEntryA, HttpOpenRequestA, InternetSetOptionExA, DeleteUrlCacheEntry, InternetGetLastResponseInfoA, HttpSendRequestA, HttpQueryInfoA, InternetOpenA, InternetCrackUrlA, InternetOpenW, InternetSetOptionW, InternetOpenUrlW, InternetReadFile, InternetGetConnectedState, InternetQueryOptionA, InternetCanonicalizeUrlA, FindCloseUrlCache, InternetConnectA, GetUrlCacheEntryInfoW
> SHLWAPI.dll: SHDeleteKeyA, PathFileExistsW
> WSOCK32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -
> VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
> MSIMG32.dll: GradientFill
> RPCRT4.dll: UuidToStringW
> urlmon.dll: ObtainUserAgentString, URLDownloadToFileW
> CRYPT32.dll: CryptProtectData, CryptMsgClose, CertCloseStore, CertFreeCertificateContext, CryptUnprotectData, CertGetNameStringA, CertFindCertificateInStore, CryptQueryObject, CryptMsgGetParam, CertGetNameStringW
> WINMM.dll: PlaySoundA, sndPlaySoundW, PlaySoundW, timeGetTime
> PSAPI.DLL: EnumProcesses, GetModuleFileNameExW, EnumProcessModules, GetModuleBaseNameW, GetProcessMemoryInfo
> KERNEL32.dll: ReadFile, GlobalLock, GlobalAlloc, GetFileSize, CreateFileW, SizeofResource, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetFileTime, RemoveDirectoryW, GetSystemTimeAsFileTime, GetComputerNameW, OutputDebugStringW, HeapFree, GetProcessHeap, LocalAlloc, OpenProcess, Thread32Next, Thread32First, CreateToolhelp32Snapshot, TerminateProcess, SetThreadPriority, GetCurrentThread, SetEvent, CreateSemaphoreW, ReleaseSemaphore, CreateFileMappingW, OpenFileMappingW, UnmapViewOfFile, MapViewOfFile, MulDiv, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetStdHandle, WriteFile, ExitProcess, VirtualAlloc, VirtualFree, HeapDestroy, HeapCreate, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, MoveFileW, GetCommandLineA, ResumeThread, ExitThread, RaiseException, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, HeapReAlloc, HeapAlloc, RtlUnwind, LoadLibraryA, GlobalUnlock, GlobalFree, OpenMutexW, GetCurrentProcess, FlushInstructionCache, VirtualProtect, Sleep, ExpandEnvironmentStringsW, CreateProcessW, GetLocaleInfoW, CreateMutexW, SetEndOfFile, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, LCMapStringW, GetLocaleInfoA, Beep, MultiByteToWideChar, GetLocalTime, GetDateFormatW, GetTimeFormatW, FindResourceW, LoadResource, LockResource, FreeResource, GetFileAttributesW, SetLastError, CreateThread, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, CopyFileW, lstrcpyW, lstrcpyA, GetCurrentThreadId, LocalFree, GetLongPathNameW, GetShortPathNameW, GetModuleHandleW, GetTickCount, GetVersionExA, LoadLibraryW, FreeLibrary, WideCharToMultiByte, GetModuleFileNameA, MoveFileExW, lstrlenW, CreateEventW, WaitForSingleObject, GetModuleFileNameW, GetModuleHandleA, GetProcAddress, GetLastError, InterlockedDecrement, ReleaseMutex, CloseHandle, GetCurrentProcessId, HeapSize, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetStringTypeA, GetStringTypeW, LCMapStringA, GetConsoleCP, GetConsoleMode, InterlockedExchange, FlushFileBuffers, InitializeCriticalSectionAndSpinCount, SetFilePointer
> USER32.dll: GetWindowRgn, MessageBeep, GetActiveWindow, IsDialogMessageA, IsDialogMessageW, MessageBoxA, DialogBoxParamW, DialogBoxParamA, CreateDialogParamA, CreateDialogParamW, SetRectEmpty, GetKeyState, SetDlgItemInt, GetDlgItemTextA, FrameRect, DrawFrameControl, CharLowerBuffA, DrawEdge, MsgWaitForMultipleObjects, PostThreadMessageA, SetParent, GetDlgItemTextW, GetScrollInfo, GetMenuItemRect, InsertMenuItemA, InsertMenuItemW, IsMenu, GetMenuInfo, SetMenuInfo, GetMenuItemID, GetMenuState, SetMenuItemInfoW, CheckMenuItem, EnableMenuItem, DeleteMenu, TrackPopupMenu, GetMonitorInfoW, GetMenuItemCount, GetMenuItemInfoW, CreatePopupMenu, DestroyMenu, SetClassLongA, SetLayeredWindowAttributes, SetForegroundWindow, EnableWindow, IsDlgButtonChecked, CheckDlgButton, SetActiveWindow, TranslateMessage, GetMessageA, ReleaseCapture, GetCapture, DispatchMessageW, DispatchMessageA, SetCapture, GetUpdateRect, BeginPaint, EndPaint, SetWindowRgn, SetRect, OffsetRect, DrawIconEx, GetIconInfo, DestroyIcon, GetSystemMetrics, FillRect, GetSysColor, PeekMessageA, MessageBoxW, DefWindowProcW, GetAsyncKeyState, SendMessageW, GetWindowTextLengthW, SystemParametersInfoW, LoadImageW, IsIconic, GetLastInputInfo, CharUpperW, DrawFocusRect, GetWindow, UpdateWindow, GetClassInfoExW, RegisterClassExW, CopyRect, PostMessageW, SetDlgItemTextW, EndDialog, GetWindowTextW, FindWindowW, GetMenuItemInfoA, SetWindowsHookExA, UnhookWindowsHookEx, CallNextHookEx, CreateWindowExW, UnregisterClassA, GetClassNameW, DefWindowProcA, GetWindowLongA, SetWindowLongA, GetFocus, IsChild, KillTimer, IsWindowUnicode, CallWindowProcW, FindWindowExW, GetWindowThreadProcessId, SetWindowPos, wsprintfW, SetWindowTextA, SetWindowTextW, GetClientRect, GetDlgCtrlID, CallWindowProcA, InvalidateRect, IsWindow, GetDlgItem, SendMessageA, ClientToScreen, GetParent, GetWindowLongW, SetCursor, LoadCursorA, InflateRect, PostMessageA, ShowWindow, SetWindowLongW, ReleaseDC, MoveWindow, DrawTextW, GetDC, GetWindowRect, RegisterWindowMessageW, IsWindowVisible, PtInRect, ScreenToClient, GetCursorPos, MonitorFromRect, GetMonitorInfoA, GetClassInfoW, RegisterClassW, DestroyWindow, SetTimer, GetDesktopWindow, SetFocus, AllowSetForegroundWindow
> GDI32.dll: GetBkMode, GetBkColor, PtInRegion, SetLayout, PlgBlt, SelectPalette, RealizePalette, GetDeviceCaps, SetRectRgn, OffsetRgn, FrameRgn, SetTextAlign, TextOutW, RoundRect, ExcludeClipRect, GetPixel, CreateCompatibleBitmap, BitBlt, CreateRectRgn, Polygon, GdiFlush, SetPixel, GetObjectA, GetTextAlign, GetTextExtentPoint32W, GetLayout, Rectangle, SetBkColor, CreateCompatibleDC, DeleteDC, CreateSolidBrush, CreateFontIndirectW, CombineRgn, CreatePen, SelectObject, MoveToEx, LineTo, DeleteObject, GetWindowOrgEx, SetWindowOrgEx, SetBkMode, SetTextColor, GetTextColor, GetStockObject
> COMDLG32.dll: GetOpenFileNameW
> ADVAPI32.dll: RegCreateKeyW, ConvertStringSecurityDescriptorToSecurityDescriptorA, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, GetSidSubAuthority, SetSecurityDescriptorSacl, RegDeleteKeyA, RegCloseKey, RegOpenKeyExA, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, RegSetValueExA, RegCreateKeyExA, GetSidSubAuthorityCount, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptAcquireContextA, CryptReleaseContext, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegOpenKeyW, RegEnumKeyW, GetTokenInformation, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, OpenProcessToken, GetSecurityDescriptorSacl
> SHELL32.dll: ShellExecuteExW, SHGetFolderPathW, SHCreateDirectoryExW, ShellExecuteW
> ole32.dll: CoCreateInstance, IIDFromString, CreateStreamOnHGlobal, CLSIDFromString, CoUninitialize, CoCreateGuid, StringFromGUID2, CoInitialize, CoGetMalloc, StringFromIID
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> DNSAPI.dll: DnsQuery_A

( 14 exports )
DllCanUnloadNow, DllConnectToIE, DllConnectionProc, DllGetClassObject, DllGetInstallFileNameExt, DllOnUninstall, DllOnUpdateFinish, DllOpenUninstallPage, DllRegisterServer, DllShowTB, DllShowToolbar, DllShowToolbarWithIE, DllUnregisterServer, DllUpdate

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Windows OCX File (47.6%)
        Win64 Executable Generic (33.0%)
        Win32 Executable MS Visual C++ (generic) (14.5%)
        Win32 Executable Generic (3.2%)
        Generic Win/DOS Executable (0.7%)
sigcheck:
publisher....: Conduit Ltd.
copyright....: Copyright (c) Conduit Ltd. 2008
product......: Conduit Toolbar
description..: Conduit Toolbar
original name: n/a
internal name: Conduit Toolbar
file version.: 5, 3, 4, 2
comments.....: Conduit Toolbar ver 1.0
signers......: -
signing date.: -
verified.....: Unsigned

I couldn't find the file "kav7.0.1.325en.exe" in any of the specified folders.

Avenger:

Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\DOKUME~1\Marc.Z\LOKALE~1\Temp\setupv.exe" deleted successfully.
Folder "C:\DOKUME~1\Marc.Z\LOKALE~1\Temp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes Anti-Malware (MAM)

Code:
Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3909
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24.03.2010 19:34:06
mbam-log-2010-03-24 (19-34-04).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 188229
Laufzeit: 35 minute(s), 2 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\JDdownloader\Serials World\SerialsWorld.exe (Trojan.Agent) -> No action taken.
C:\Dokumente und Einstellungen\Marc.Z\Startmenü\Programme\Autostart\kav7.0.1.325en.exe (Trojan.StartPage) -> No action taken.
C:\Programme\Adobe Design Premium CS3\Adobe Photoshop CS3\Msvcrt.dll (Malware.Packer.Gen) -> No action taken.
C:\Programme\Adobe Design Premium CS3\Adobe Photoshop CS3\Shfolder.dll (Malware.Packer.Gen) -> No action taken.
C:\Programme\Alwil Software\Avast4\DATA\moved\setupv.exe.2.vir (Trojan.FakeAlert) -> No action taken.
C:\Programme\Alwil Software\Avast4\DATA\moved\setupv.exe.vir (Trojan.FakeAlert) -> No action taken.

OTL

OTL log file:

Code:
OTL logfile created on: 24.03.2010 19:42:55 - Run 1
OTL by OldTimer - Version 3.1.37.3     Folder = C:\Dokumente und Einstellungen\Marc.Z\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 72,00% Memory free
5,00 Gb Paging File | 4,00 Gb Available in Paging File | 90,00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS.0 | %ProgramFiles% = C:\Programme
Drive C: | 232,88 Gb Total Space | 118,11 Gb Free Space | 50,72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-YIIOXJU9J8
Current User Name: Marc.Z
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Dokumente und Einstellungen\Marc.Z\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Pando Networks\Media Booster\PMB.exe ()
PRC - C:\Programme\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Programme\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Programme\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Programme\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
PRC - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Programme\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)
PRC - C:\Programme\Windows NT\Zubehör\wordpad.exe (Microsoft Corporation)
PRC - C:\WINDOWS.0\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS.0\soundman.exe (Realtek Semiconductor Corp.)

========== Modules (SafeList) ==========

MOD - C:\Dokumente und Einstellungen\Marc.Z\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Creative Audio Engine Licensing Service) -- C:\Programme\Gemeinsame Dateien\Creative Labs Shared\Service\CTAELicensing.exe (Creative Labs)
SRV - (avast! Antivirus) -- C:\Programme\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Programme\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Programme\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Programme\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (npggsvc) -- C:\WINDOWS.0\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (Hamachi2Svc) -- C:\Programme\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (Apple Mobile Device) -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (CTAudSvcService) -- C:\Programme\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)

========== Driver Services (SafeList) ==========

DRV - (sptd) -- C:\WINDOWS.0\System32\Drivers\sptd.sys ()
DRV - (ESLvnic1) -- C:\WINDOWS.0\system32\drivers\ESLvnic.sys (Turtle Entertainment GmbH)
DRV - (aswMon2) -- C:\WINDOWS.0\system32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswSP) -- C:\WINDOWS.0\system32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\WINDOWS.0\system32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (aswTdi) -- C:\WINDOWS.0\system32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\WINDOWS.0\system32\drivers\aswRdr.sys (ALWIL Software)
DRV - (Aavmker4) -- C:\WINDOWS.0\system32\drivers\aavmker4.sys (ALWIL Software)
DRV - (hamachi) -- C:\WINDOWS.0\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (usbaudio) USB-Audiotreiber (WDM) -- C:\WINDOWS.0\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (MSICPL) -- C:\WINDOWS.0\system32\msicpl.dll (MSI)
DRV - (FLASHSYS) -- C:\Programme\MSI\Live Update 4\LU4\FlashSys.sys ()
DRV - (nv) -- C:\WINDOWS.0\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS.0\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (AmdK8) -- C:\WINDOWS.0\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (nvata) -- C:\WINDOWS.0\System32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (nvnetbus) -- C:\WINDOWS.0\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS.0\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (nvatabus) -- C:\WINDOWS.0\system32\DRIVERS\nvatabus.sys (NVIDIA Corporation)
DRV - (ha10kx2k) -- C:\WINDOWS.0\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (hap17v2k) -- C:\WINDOWS.0\system32\drivers\haP17v2k.sys (Creative Technology Ltd)
DRV - (hap16v2k) -- C:\WINDOWS.0\system32\drivers\haP16v2k.sys (Creative Technology Ltd)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS.0\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS.0\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (CTSBLFX) -- C:\WINDOWS.0\system32\ctsblfx.dll (Creative Technology Ltd)
DRV - (CTAUDFX) -- C:\WINDOWS.0\system32\ctaudfx.dll (Creative Technology Ltd)
DRV - (COMMONFX) -- C:\WINDOWS.0\system32\commonfx.dll (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS.0\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k) -- C:\WINDOWS.0\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k) -- C:\WINDOWS.0\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS.0\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctdvda2k) -- C:\WINDOWS.0\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.0\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2427995
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaultthis.engineName: "MyAshampoo Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:1.1.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {a1e75a0e-4397-4ba8-bb50-e19fb66890f4}:2.5.6.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..extensions.enabledItems: ChoiceGuard@Microsoft:2.0
FF - prefs.js..keyword.URL: "hxxp://www.bing.com/search?FORM=IEFM1&q="
FF - user.js..browser.search.openintab: false

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009.12.24 20:08:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.03.10 01:31:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.03.21 19:09:23 | 000,000,000 | ---D | M]

[2010.01.09 23:14:13 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Extensions
[2010.01.09 23:14:13 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Extensions\mozswing@mozswing.org
[2010.03.23 20:04:40 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\extensions
[2010.01.01 14:11:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.12.25 20:32:28 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010.02.03 19:03:32 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010.02.11 16:08:32 | 000,000,000 | ---D | M] (MyAshampoo Toolbar) -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\extensions\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}
[2010.01.02 22:00:27 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010.03.10 01:11:43 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\extensions\ChoiceGuard@Microsoft
[2010.02.03 19:03:29 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\extensions\staged-xpis
[2010.01.17 17:09:04 | 000,002,236 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\askcom.xml
[2010.03.10 00:12:18 | 000,001,819 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\bing.xml
[2010.01.20 12:19:10 | 000,000,923 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\conduit.xml
[2010.02.12 17:06:52 | 000,002,055 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\daemon-search.xml
[2010.03.23 08:35:32 | 000,000,950 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\icqplugin-1.xml
[2010.02.12 17:07:12 | 000,000,950 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\icqplugin-2.xml
[2008.03.31 09:52:00 | 000,000,618 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\icqplugin.src [2010.01.16 12:19:39 | 000,000,955 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\icqplugin.xml [2010.03.23 20:04:40 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions [2009.12.25 23:19:44 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07} [2010.01.31 18:27:28 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Programme\Mozilla Firefox\plugins\npPandoWebInst.dll [2010.02.11 16:27:51 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010.02.11 16:27:51 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml [2010.02.11 16:27:51 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010.02.11 16:27:51 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml [2010.02.11 16:27:51 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2010.03.22 08:48:44 | 000,000,896 | ---- | M]) - C:\WINDOWS.0\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (no name) - 
{dffd3710-4709-4976-b713-aebe3550ad82} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A1E75A0E-4397-4BA8-BB50-E19FB66890F4} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {DFFD3710-4709-4976-B713-AEBE3550AD82} - No CLSID value found. O4 - HKLM..\Run: [avast!] C:\Programme\Alwil Software\Avast4\ashDisp.exe (ALWIL Software) O4 - HKLM..\Run: [CTXFIREG] File not found O4 - HKLM..\Run: [KernelFaultCheck] File not found O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS.0\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS.0\System32\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [nwiz] C:\WINDOWS.0\System32\nwiz.exe () O4 - HKLM..\Run: [SBDrvDet] C:\Programme\Creative\SB Drive Det\SBDrvDet.exe (Creative Technology Ltd) O4 - HKLM..\Run: [SoundMan] C:\WINDOWS.0\soundman.exe (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [TrojanScanner] C:\Programme\Trojan Remover\Trjscan.exe (Simply Super Software) O4 - HKLM..\Run: [UpdReg] C:\WINDOWS.0\Updreg.EXE (Creative Technology Ltd.) O4 - HKLM..\Run: [WinSys2] C:\WINDOWS.0\system32\WinSys2.exe () O4 - HKCU..\Run: [Pando Media Booster] C:\Programme\Pando Networks\Media Booster\PMB.exe () O4 - HKCU..\Run: [PlayNC Launcher] File not found O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.) 
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPropertiesMyComputer = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileAssociate = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261766515558 (WUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab (Creative Software AutoUpdate Support Package) O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab (PCPitstop Exam) O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS.0\Java\classes\dajava.cab (Reg Error: Key error.) O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS.0\Java\classes\xmldso.cab (Reg Error: Key error.) 
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS.0\explorer.exe (Microsoft Corporation) O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home O24 - Desktop WallPaper: C:\WINDOWS.0\Web\Wallpaper\Grüne Idylle.bmp O24 - Desktop BackupWallPaper: C:\WINDOWS.0\Web\Wallpaper\Grüne Idylle.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.12.24 11:25:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010.03.24 19:41:27 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\OTL.exe [2010.03.24 19:37:48 | 
000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\LogMeIn Hamachi [2010.03.24 18:52:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Malwarebytes [2010.03.24 18:52:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS.0\System32\drivers\mbamswissarmy.sys [2010.03.24 18:52:36 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes [2010.03.24 18:52:35 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS.0\System32\drivers\mbam.sys [2010.03.24 18:52:35 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware [2010.03.24 08:54:40 | 009,823,176 | ---- | C] (Microsoft Corporation) -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\windows-kb890830-v3.5.exe [2010.03.23 22:48:58 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\UAB [2010.03.23 22:48:57 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PC Drivers HeadQuarters [2010.03.23 22:48:56 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\PC_Drivers_Headquarters [2010.03.23 22:48:20 | 000,000,000 | ---D | C] -- C:\Programme\PC Drivers HeadQuarters [2010.03.23 21:57:45 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\Drakensang [2010.03.23 21:39:34 | 000,000,000 | ---D | C] -- C:\Programme\Drakensang [2010.03.23 20:39:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Delle--Before_I_Grow_Old-2CD-2009-OMA [2010.03.23 11:28:45 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Recent [2010.03.23 11:06:18 | 000,328,704 | ---- | C] (InstallShield Software Corporation ) -- C:\WINDOWS.0\IsUn0407.exe [2010.03.22 18:30:38 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Bob Marley & The Wailers - Legend (The Best Of) 
[2010.03.22 09:09:04 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{88078557-37D5-402B-8B75-49F162ECEDBD} [2010.03.22 09:08:31 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Fighters [2010.03.22 09:08:30 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\PackageAware [2010.03.22 00:10:47 | 000,000,000 | ---D | C] -- C:\WINDOWS.0\Prefetch [2010.03.22 00:04:00 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.0\System32\ztvcabinet.dll [2010.03.22 00:03:58 | 000,000,000 | ---D | C] -- C:\Programme\Trojan Remover [2010.03.22 00:03:58 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\Simply Super Software [2010.03.22 00:03:58 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Simply Super Software [2010.03.22 00:03:58 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Simply Super Software [2010.03.21 11:05:01 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\Nero [2010.03.21 11:04:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\Nero Collections [2010.03.21 10:54:45 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Nero [2010.03.21 10:45:30 | 000,000,000 | ---D | C] -- C:\Programme\Nero [2010.03.21 10:45:01 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Nero [2010.03.21 03:18:28 | 000,000,000 | ---D | C] -- C:\Programme\Windows Sidebar [2010.03.21 03:10:28 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero [2010.03.21 00:28:34 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\Comoestamos [2010.03.21 00:28:33 | 000,000,000 | ---D | C] -- C:\Programme\Comoestamos [2010.03.21 00:28:12 | 000,000,000 | ---D | 
C] -- C:\Programme\Cargar Movil [2010.03.20 18:05:12 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\Ascaron Entertainment [2010.03.20 17:40:17 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\Sykes [2010.03.19 15:50:12 | 000,000,000 | ---D | C] -- C:\WINDOWS.0\pss [2010.03.18 22:33:35 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\SecuROM [2010.03.18 22:33:34 | 000,107,888 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS.0\System32\CmdLineExt.dll [2010.03.16 07:43:09 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\LOG [2010.03.15 20:25:19 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Aequitas [2010.03.15 17:29:51 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\ESL Wire Game Client [2010.03.15 17:28:34 | 000,024,504 | ---- | C] (Turtle Entertainment GmbH) -- C:\WINDOWS.0\System32\drivers\ESLvnic.sys [2010.03.15 17:28:34 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ESL Wire [2010.03.15 17:28:33 | 000,000,000 | ---D | C] -- C:\Programme\EslWire [2010.03.15 11:58:21 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\NeroVision [2010.03.14 18:38:06 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Leadertech [2010.03.14 17:59:54 | 000,000,000 | ---D | C] -- C:\WINDOWS.0\System32\data [2010.03.13 14:03:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\Uniblue [2010.03.13 13:31:48 | 000,017,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.0\System32\mucltui.dll.mui [2010.03.13 13:31:47 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.0\System32\mucltui.dll [2010.03.10 19:58:08 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\assembly 
[2010.03.10 19:43:23 | 000,000,000 | ---D | C] -- C:\Programme\NCsoft [2010.03.10 01:32:29 | 000,000,000 | ---D | C] -- C:\Programme\iPod [2010.03.10 01:32:27 | 000,000,000 | ---D | C] -- C:\Programme\iTunes [2010.03.10 01:29:18 | 000,413,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.0\System32\mpg4c32.dll [2010.03.10 01:29:18 | 000,261,632 | ---- | C] (MainConcept) -- C:\WINDOWS.0\System32\mcdvd_32.dll [2010.03.10 01:29:18 | 000,221,215 | ---- | C] (DivXNetworks, Inc.) -- C:\WINDOWS.0\System32\divxdec.ax [2010.03.10 01:29:18 | 000,082,944 | ---- | C] (Voxware, Inc.) -- C:\WINDOWS.0\System32\vct3216.acm [2010.03.10 01:29:18 | 000,081,920 | ---- | C] (fccHandler) -- C:\WINDOWS.0\System32\AC3ACM.acm [2010.03.10 01:29:18 | 000,038,912 | ---- | C] (NCT Company) -- C:\WINDOWS.0\System32\alf2cd.acm [2010.03.10 01:29:18 | 000,013,239 | ---- | C] (SHARP Corporation) -- C:\WINDOWS.0\System32\Scg726.acm [2010.03.10 01:13:10 | 000,000,000 | ---D | C] -- C:\WINDOWS.0\nview [2010.03.10 01:12:50 | 000,000,000 | ---D | C] -- C:\Programme\WinAVI MP4 Converter [2010.03.10 01:12:48 | 000,000,000 | ---D | C] -- C:\Programme\Ashampoo [2010.03.10 01:12:03 | 000,000,000 | ---D | C] -- C:\WINDOWS.0\System32\DirectX [2010.03.10 01:11:07 | 000,000,000 | ---D | C] -- C:\Config.Msi [2010.03.10 01:11:03 | 000,000,000 | ---D | C] -- C:\ComboFix [2010.03.10 01:03:34 | 000,000,000 | ---D | C] -- C:\ComboFix(2) [2010.03.09 21:54:55 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\My Games [2010.03.09 21:33:32 | 000,000,000 | ---D | C] -- C:\Programme\Flagship Studios [2010.03.09 11:22:24 | 000,000,000 | ---D | C] -- C:\WINDOWS.0\System32\AGEIA [2010.03.08 09:00:46 | 000,000,000 | ---D | C] -- C:\WINDOWS.0\nview(3) [2010.03.08 05:12:28 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\ErrorLogs [2010.03.08 04:06:37 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{D5ABFFAD-D592-4F98-B02B-587125B4801F} 
[2010.03.08 03:26:40 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\DriverScanner [2010.03.08 03:12:39 | 000,000,000 | ---D | C] -- C:\Programme\Uniblue [2010.03.08 02:48:52 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Uniblue [2010.03.05 13:46:09 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\AVS4YOU [2010.03.04 21:48:57 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\South Park Staffel 12 [2010.03.04 17:11:51 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Blizzard Entertainment [2010.03.02 23:50:57 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\South Park Staffel 13 [2010.03.01 18:53:56 | 000,000,000 | ---D | C] -- C:\WINDOWS.0\Performance [2010.03.01 18:53:50 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\Microsoft Corporation [2010.02.28 09:43:14 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\JDdownloader [2010.02.28 09:35:03 | 000,000,000 | ---D | C] -- C:\Programme\JDownloader [2010.02.26 13:27:57 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Teeworlds [2010.02.26 13:21:59 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\teeworlds-0.5.2-win32 [2010.02.26 01:22:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER [2010.02.24 21:10:40 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\Sarah [2010.02.23 20:58:31 | 000,000,000 | ---D | C] -- C:\Programme\Veetle [2010.02.23 15:06:36 | 000,000,000 | ---D | C] -- C:\Programme\World of Warcraft [2010.02.23 14:09:27 | 000,000,000 | ---D | C] -- C:\Programme\PokerStars.NET [2010.02.23 11:36:05 | 000,000,000 | ---D | C] -- C:\Programme\Steam [2010.02.23 00:42:42 | 000,000,000 | ---D | C] -- C:\Dokumente und 
Einstellungen\Marc.Z\Anwendungsdaten\InstallShield [2010.02.23 00:42:25 | 000,000,000 | ---D | C] -- C:\Programme\DAEMON Tools Lite [2010.01.27 14:05:18 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Adobe [2009.12.25 13:21:49 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Google [2009.12.24 19:40:35 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft [2009.12.24 11:28:08 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft [2009.12.24 11:25:27 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Microsoft [2009.12.24 11:25:27 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Microsoft [2009.06.23 11:49:14 | 000,065,536 | R--- | C] ( ) -- C:\WINDOWS.0\System32\a3d.dll [8 C:\WINDOWS.0\*.tmp files -> C:\WINDOWS.0\*.tmp -> ] [4 C:\WINDOWS.0\System32\*.tmp files -> C:\WINDOWS.0\System32\*.tmp -> ] [4 C:\*.tmp files -> C:\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010.03.24 19:41:53 | 000,000,006 | -H-- | M] () -- C:\WINDOWS.0\tasks\SA.DAT [2010.03.24 19:41:34 | 000,013,168 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\ddd.rtf [2010.03.24 19:41:28 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\OTL.exe [2010.03.24 19:38:49 | 000,013,758 | ---- | M] () -- C:\WINDOWS.0\System32\wpa.dbl [2010.03.24 19:37:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS.0\bootstat.dat [2010.03.24 19:36:22 | 009,699,328 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\ntuser.dat [2010.03.24 19:36:14 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\ntuser.ini [2010.03.24 18:52:40 | 000,000,698 | ---- | M] () -- C:\Dokumente und Einstellungen\All 
Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010.03.24 08:54:54 | 009,823,176 | ---- | M] (Microsoft Corporation) -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\windows-kb890830-v3.5.exe [2010.03.24 01:29:01 | 000,002,187 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Steam.lnk [2010.03.23 22:48:30 | 000,002,246 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Driver Detective.lnk [2010.03.23 21:49:16 | 000,001,564 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Drakensang.lnk [2010.03.23 17:17:05 | 000,000,212 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\default.rss [2010.03.23 17:17:05 | 000,000,069 | ---- | M] () -- C:\WINDOWS.0\NeroDigital.ini [2010.03.23 15:35:01 | 000,077,824 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.03.22 20:14:35 | 000,001,521 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Condition Zero Gelöschte Szenen.lnk [2010.03.22 08:48:44 | 000,000,896 | ---- | M] () -- C:\WINDOWS.0\System32\drivers\etc\hosts [2010.03.22 04:17:18 | 000,000,425 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\Sykes - SCHLAND.rtf [2010.03.22 01:32:29 | 000,000,155 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\AVSMediaPlayer.m3u [2010.03.22 00:11:07 | 000,000,856 | ---- | M] () -- C:\WINDOWS.0\System32\drivers\etc\HOSTS.TRB [2010.03.22 00:10:47 | 000,000,264 | ---- | M] () -- C:\WINDOWS.0\tasks\Uniblue SpeedUpMyPC Nag.job [2010.03.22 00:01:21 | 000,002,317 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\SeaTools for Windows.lnk [2010.03.21 19:30:10 | 000,003,510 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\SVCD1.nsd [2010.03.21 19:08:38 | 000,002,125 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\iTunes.lnk [2010.03.21 19:03:40 | 000,000,746 | ---- | M] () -- 
C:\Dokumente und Einstellungen\Marc.Z\Desktop\WinAVI MP4 Converter.lnk [2010.03.21 11:04:42 | 000,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\downloads.m3u [2010.03.21 10:53:18 | 000,004,767 | ---- | M] () -- C:\WINDOWS.0\Irremote.ini [2010.03.21 10:45:50 | 000,002,363 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Nero StartSmart.lnk [2010.03.21 09:49:04 | 000,099,848 | ---- | M] () -- C:\WINDOWS.0\System32\FNTCACHE.DAT [2010.03.21 01:51:48 | 000,014,680 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT [2010.03.20 20:27:09 | 000,004,569 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\O.P.F.E.R!!!.rtf [2010.03.20 17:59:58 | 000,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS.0\System32\CmdLineExt.dll [2010.03.19 16:55:27 | 000,000,744 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100319_165525.reg [2010.03.19 16:55:06 | 000,007,716 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100319_165500.reg [2010.03.19 16:21:10 | 000,379,997 | ---- | M] () -- C:\WINDOWS.0\System32\drivers\etc\HOSTS.TRBAK [2010.03.19 15:51:45 | 000,000,517 | ---- | M] () -- C:\WINDOWS.0\win.ini [2010.03.19 15:51:45 | 000,000,297 | RHS- | M] () -- C:\boot.ini [2010.03.19 15:51:45 | 000,000,227 | ---- | M] () -- C:\WINDOWS.0\system.ini [2010.03.15 20:39:33 | 000,000,809 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\World of Warcraft.lnk [2010.03.15 17:28:38 | 000,000,625 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\ESL Wire.lnk [2010.03.15 16:17:19 | 000,164,201 | ---- | M] () -- C:\WINDOWS.0\System32\nvapps.xml [2010.03.14 18:23:34 | 007,565,216 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Chakuza - Ikarus (feat. 
David Asphalt.MP3 [2010.03.14 17:57:03 | 000,386,852 | ---- | M] () -- C:\WINDOWS.0\System32\ctdnlstr.dat [2010.03.14 17:57:03 | 000,313,207 | ---- | M] () -- C:\WINDOWS.0\System32\ctstatic.dat [2010.03.14 17:57:03 | 000,274,587 | ---- | M] () -- C:\WINDOWS.0\System32\ctsbas2w.dat [2010.03.14 17:57:03 | 000,051,787 | ---- | M] () -- C:\WINDOWS.0\System32\ctdlang.dat [2010.03.14 17:57:02 | 000,149,838 | ---- | M] () -- C:\WINDOWS.0\System32\ctbas2w.dat [2010.03.14 17:57:02 | 000,053,932 | ---- | M] () -- C:\WINDOWS.0\System32\ctdaught.dat [2010.03.14 17:57:02 | 000,001,912 | ---- | M] () -- C:\WINDOWS.0\System32\Audigy.bmp [2010.03.14 17:57:01 | 004,931,577 | ---- | M] () -- C:\WINDOWS.0\CTDVAUDY.CDF [2010.03.14 17:57:01 | 000,000,059 | ---- | M] () -- C:\WINDOWS.0\System32\default8.sfm [2010.03.14 17:57:01 | 000,000,059 | ---- | M] () -- C:\WINDOWS.0\System32\default4.sfm [2010.03.14 17:57:01 | 000,000,059 | ---- | M] () -- C:\WINDOWS.0\System32\default.sfm [2010.03.14 17:57:00 | 003,735,544 | ---- | M] () -- C:\WINDOWS.0\CTDV10K2.CDF [2010.03.14 17:57:00 | 002,167,684 | ---- | M] () -- C:\WINDOWS.0\System32\CT2MGM.SF2 [2010.03.14 17:57:00 | 001,048,576 | ---- | M] () -- C:\WINDOWS.0\System32\CT1MGM.ROM [2010.03.14 17:57:00 | 000,008,022 | ---- | M] () -- C:\WINDOWS.0\System32\UDAAPO32.UDA [2010.03.14 17:44:31 | 000,141,016 | ---- | M] () -- C:\WINDOWS.0\System32\ALSNDMGR.WAV [2010.03.13 14:03:28 | 000,000,727 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\DriverScanner.lnk [2010.03.13 13:54:33 | 000,000,715 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\SpeedUpMyPC.lnk [2010.03.12 16:52:05 | 000,001,752 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Xilisoft PSP Video Converter.lnk [2010.03.11 02:05:44 | 003,178,374 | -H-- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\IconCache.db [2010.03.10 19:50:14 | 000,000,754 | ---- | M] () -- C:\WINDOWS.0\WORDPAD.INI [2010.03.10 
03:30:46 | 000,004,096 | ---- | M] () -- C:\WINDOWS.0\d3dx.dat [2010.03.10 02:59:59 | 000,691,696 | ---- | M] () -- C:\WINDOWS.0\System32\drivers\sptd.sys [2010.03.10 02:23:09 | 000,000,378 | ---- | M] () -- C:\WINDOWS.0\tasks\Uniblue SpeedUpMyPC.job [2010.03.10 01:31:03 | 000,001,598 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\QuickTime Player.lnk [2010.03.10 01:29:32 | 000,000,938 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\AVS4YOU Software Navigator.lnk [2010.03.10 01:29:24 | 000,000,936 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\AVS Media Player.lnk [2010.03.09 16:02:31 | 000,000,520 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100309_160229.reg [2010.03.09 16:02:22 | 000,009,034 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100309_160218.reg [2010.03.08 05:23:04 | 000,000,858 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\CommandDispatchers.xml [2010.03.08 05:12:44 | 000,001,367 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\cleaner-config.xml [2010.03.08 03:24:48 | 000,000,739 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\RegistryBooster.lnk [2010.03.06 09:54:51 | 000,000,873 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\AVS Video Converter 6.lnk [2010.03.05 17:39:25 | 000,000,771 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\DivX Player.lnk [2010.03.05 17:39:18 | 000,000,807 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\DivX Converter.lnk [2010.03.05 17:38:50 | 000,001,491 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\DivX Movies.lnk [2010.03.02 10:53:42 | 000,024,504 | ---- | M] (Turtle Entertainment GmbH) -- C:\WINDOWS.0\System32\drivers\ESLvnic.sys [2010.03.02 04:25:15 | 000,002,562 | ---- | M] () -- C:\WINDOWS.0\diagwrn.xml [2010.03.02 04:25:15 | 000,001,908 | ---- | M] () -- C:\WINDOWS.0\diagerr.xml [2010.03.01 
15:49:41 | 000,002,429 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\TubeBox! starten.lnk [2010.02.28 09:35:14 | 000,000,736 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\JDownloader.lnk [2010.02.23 20:18:04 | 003,869,515 | R--- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\ComboFix.exe [2010.02.23 11:41:41 | 000,001,519 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Counter-Strike.lnk [2010.02.23 08:19:32 | 000,000,726 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100223_081922.reg [2010.02.23 08:19:13 | 000,027,420 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100223_081910.reg [8 C:\WINDOWS.0\*.tmp files -> C:\WINDOWS.0\*.tmp -> ] [4 C:\WINDOWS.0\System32\*.tmp files -> C:\WINDOWS.0\System32\*.tmp -> ] [4 C:\*.tmp files -> C:\*.tmp -> ] ========== Files Created - No Company Name ========== [2010.03.24 18:52:40 | 000,000,698 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010.03.24 18:34:04 | 000,013,168 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\ddd.rtf [2010.03.23 22:48:30 | 000,002,246 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Driver Detective.lnk [2010.03.23 21:49:16 | 000,001,564 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Drakensang.lnk [2010.03.22 20:14:35 | 000,001,521 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Condition Zero Gelöschte Szenen.lnk [2010.03.22 04:17:16 | 000,000,425 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\Sykes - SCHLAND.rtf [2010.03.22 00:04:00 | 000,162,304 | ---- | C] () -- C:\WINDOWS.0\System32\ztvunrar36.dll [2010.03.22 00:04:00 | 000,153,088 | ---- | C] () -- C:\WINDOWS.0\System32\UNRAR3.dll [2010.03.22 00:04:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS.0\System32\ztvunace26.dll [2010.03.22 00:04:00 | 000,075,264 | ---- | C] () -- 
C:\WINDOWS.0\System32\unacev2.dll [2010.03.21 19:30:10 | 000,003,510 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\SVCD1.nsd [2010.03.21 19:03:40 | 000,000,746 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\WinAVI MP4 Converter.lnk [2010.03.21 11:05:21 | 000,000,069 | ---- | C] () -- C:\WINDOWS.0\NeroDigital.ini [2010.03.21 11:04:42 | 000,000,212 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\default.rss [2010.03.21 11:04:42 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\downloads.m3u [2010.03.21 10:45:50 | 000,002,363 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Nero StartSmart.lnk [2010.03.21 03:18:07 | 000,004,767 | ---- | C] () -- C:\WINDOWS.0\Irremote.ini [2010.03.20 20:27:09 | 000,004,569 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\O.P.F.E.R!!!.rtf [2010.03.19 16:55:26 | 000,000,744 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100319_165525.reg [2010.03.19 16:55:01 | 000,007,716 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100319_165500.reg [2010.03.15 17:28:38 | 000,000,625 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\ESL Wire.lnk [2010.03.14 18:14:46 | 007,565,216 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Chakuza - Ikarus (feat. 
David Asphalt.MP3 [2010.03.14 17:57:03 | 000,386,852 | ---- | C] () -- C:\WINDOWS.0\System32\ctdnlstr.dat [2010.03.14 17:57:01 | 000,000,059 | ---- | C] () -- C:\WINDOWS.0\System32\default8.sfm [2010.03.14 17:57:01 | 000,000,059 | ---- | C] () -- C:\WINDOWS.0\System32\default4.sfm [2010.03.14 17:57:01 | 000,000,059 | ---- | C] () -- C:\WINDOWS.0\System32\default.sfm [2010.03.14 17:57:00 | 004,931,577 | ---- | C] () -- C:\WINDOWS.0\CTDVAUDY.CDF [2010.03.14 17:57:00 | 003,735,544 | ---- | C] () -- C:\WINDOWS.0\CTDV10K2.CDF [2010.03.14 17:44:18 | 009,699,328 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\ntuser.dat [2010.03.13 14:03:28 | 000,000,727 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\DriverScanner.lnk [2010.03.13 13:54:33 | 000,000,715 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\SpeedUpMyPC.lnk [2010.03.12 16:52:05 | 000,001,752 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Xilisoft PSP Video Converter.lnk [2010.03.10 03:30:46 | 000,004,096 | ---- | C] () -- C:\WINDOWS.0\d3dx.dat [2010.03.10 02:59:58 | 000,691,696 | ---- | C] () -- C:\WINDOWS.0\System32\drivers\sptd.sys [2010.03.10 02:23:09 | 000,000,378 | ---- | C] () -- C:\WINDOWS.0\tasks\Uniblue SpeedUpMyPC.job [2010.03.10 02:23:09 | 000,000,264 | ---- | C] () -- C:\WINDOWS.0\tasks\Uniblue SpeedUpMyPC Nag.job [2010.03.10 01:32:51 | 000,002,125 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\iTunes.lnk [2010.03.10 01:31:02 | 000,001,598 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\QuickTime Player.lnk [2010.03.10 01:29:18 | 000,524,288 | ---- | C] () -- C:\WINDOWS.0\System32\xvidcore.dll [2010.03.10 01:29:18 | 000,139,264 | ---- | C] () -- C:\WINDOWS.0\System32\xvidvfw.dll [2010.03.10 01:29:18 | 000,053,248 | ---- | C] () -- C:\WINDOWS.0\System32\xvid.ax [2010.03.09 16:02:29 | 000,000,520 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100309_160229.reg [2010.03.09 
16:02:21 | 000,009,034 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100309_160218.reg [2010.03.08 09:00:51 | 000,164,201 | ---- | C] () -- C:\WINDOWS.0\System32\nvapps.xml [2010.03.08 09:00:46 | 000,019,495 | ---- | C] () -- C:\WINDOWS.0\System32\nvdisp.nvu [2010.03.08 05:15:29 | 000,818,808 | ---- | C] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat [2010.03.08 05:12:45 | 000,000,858 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\CommandDispatchers.xml [2010.03.08 05:12:44 | 000,001,367 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\cleaner-config.xml [2010.03.08 03:24:48 | 000,000,739 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\RegistryBooster.lnk [2010.03.06 09:54:51 | 000,000,873 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\AVS Video Converter 6.lnk [2010.03.01 18:15:19 | 000,002,562 | ---- | C] () -- C:\WINDOWS.0\diagwrn.xml [2010.03.01 18:15:19 | 000,001,908 | ---- | C] () -- C:\WINDOWS.0\diagerr.xml [2010.02.28 09:35:14 | 000,000,736 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\JDownloader.lnk [2010.02.23 15:52:09 | 000,000,809 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\World of Warcraft.lnk [2010.02.23 11:41:41 | 000,001,519 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Desktop\Counter-Strike.lnk [2010.02.23 11:36:05 | 000,002,187 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Steam.lnk [2010.02.23 08:19:23 | 000,000,726 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100223_081922.reg [2010.02.23 08:19:11 | 000,027,420 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Eigene Dateien\cc_20100223_081910.reg [2010.02.11 23:03:07 | 000,000,754 | ---- | C] () -- C:\WINDOWS.0\WORDPAD.INI [2010.01.01 15:41:52 | 000,000,155 | ---- | C] () -- C:\Dokumente und 
Einstellungen\Marc.Z\Anwendungsdaten\AVSMediaPlayer.m3u [2009.12.26 14:11:24 | 000,077,824 | ---- | C] () -- C:\Dokumente und Einstellungen\Marc.Z\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009.12.25 17:52:25 | 000,147,456 | ---- | C] () -- C:\WINDOWS.0\System32\RtlCPAPI.dll [2009.12.24 19:11:53 | 000,004,940 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\mtbjfghn.xbe [2009.12.24 19:10:22 | 000,363,520 | ---- | C] () -- C:\WINDOWS.0\System32\psisdecd.dll [2009.12.24 11:43:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS.0\SBWIN.INI [2009.12.24 11:43:14 | 000,000,231 | ---- | C] () -- C:\WINDOWS.0\AC3API.INI [2009.12.24 11:32:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS.0\msicpl.ini [2009.12.24 11:31:31 | 000,131,072 | R--- | C] () -- C:\WINDOWS.0\System32\smdll.dll [2009.12.24 11:31:30 | 000,032,768 | R--- | C] () -- C:\WINDOWS.0\System32\Auxiliary.dll [2009.12.24 11:31:29 | 000,266,240 | R--- | C] () -- C:\WINDOWS.0\System32\HookShield.dll [2009.12.24 11:31:29 | 000,262,144 | R--- | C] () -- C:\WINDOWS.0\System32\HookMAp.dll [2009.06.23 12:29:50 | 000,049,719 | ---- | C] () -- C:\WINDOWS.0\System32\instwdm.ini [2009.06.23 12:29:48 | 000,000,054 | ---- | C] () -- C:\WINDOWS.0\System32\ctzapxx.ini [2007.12.05 08:11:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS.0\System32\nvwdmcpl.dll [2007.12.05 08:11:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS.0\System32\nview.dll [2007.12.05 08:11:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS.0\System32\nvwimg.dll [2007.12.05 08:11:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS.0\System32\nvshell.dll [2007.12.05 08:11:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS.0\System32\nvnt4cpl.dll [2007.07.23 09:03:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS.0\System32\AgCPanelTraditionalChinese.dll [2007.07.23 09:03:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS.0\System32\AgCPanelSwedish.dll [2007.07.23 09:03:32 | 000,053,248 | ---- | C] () -- 
C:\WINDOWS.0\System32\AgCPanelSpanish.dll [2007.07.23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS.0\System32\AgCPanelSimplifiedChinese.dll [2007.07.23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS.0\System32\AgCPanelPortugese.dll [2007.07.23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS.0\System32\AgCPanelKorean.dll [2007.07.23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS.0\System32\AgCPanelJapanese.dll [2007.07.23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS.0\System32\AgCPanelGerman.dll [2007.07.23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS.0\System32\AgCPanelFrench.dll ========== Alternate Data Streams ========== @Alternate Data Stream - 125 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:D06A4C76 < End of report >
24.03.2010, 20:27 | #4
Stubborn Trojan
OTL Extras Logfile
Code:
OTL Extras logfile created on: 24.03.2010 19:42:55 - Run 1 OTL by OldTimer - Version 3.1.37.3 Folder = C:\Dokumente und Einstellungen\Marc.Z\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 72,00% Memory free 5,00 Gb Paging File | 4,00 Gb Available in Paging File | 90,00% Paging File free Paging file location(s): [Binary data over 100 bytes] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS.0 | %ProgramFiles% = C:\Programme Drive C: | 232,88 Gb Total Space | 118,11 Gb Free Space | 50,72% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: HOME-YIIOXJU9J8 Current User Name: Marc.Z Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- Reg Error: Key error. piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. 
scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "57520:TCP" = 57520:TCP:*:Enabled:Pando Media Booster "57520:UDP" = 57520:UDP:*:Enabled:Pando Media Booster "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Programme\HLSW\hlsw.exe" = C:\Programme\HLSW\hlsw.exe:*:Enabled:HLSW Application -- (Stripf Software) "C:\Programme\ICQ6.5\ICQ.exe" = C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ -- (ICQ, LLC.) "C:\Programme\Java\jre6\bin\java.exe" = C:\Programme\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.) "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NexonUS\NGM\NGM.exe" = C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon) "C:\Programme\Mozilla Firefox\firefox.exe" = C:\Programme\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation) "C:\Programme\mIRC\mirc.exe" = C:\Programme\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.) 
"C:\Programme\Steam\steamapps\mjay217\counter-strike\hl.exe" = C:\Programme\Steam\steamapps\mjay217\counter-strike\hl.exe:*:Enabled:Half-Life Launcher -- (Valve) "C:\Programme\Pando Networks\Media Booster\PMB.exe" = C:\Programme\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- () "C:\Programme\DNA\btdna.exe" = C:\Programme\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.) "C:\Programme\Steam\Steam.exe" = C:\Programme\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation) "C:\Dokumente und Einstellungen\Marc.Z\Desktop\teeworlds-0.5.2-win32\teeworlds_srv.exe" = C:\Dokumente und Einstellungen\Marc.Z\Desktop\teeworlds-0.5.2-win32\teeworlds_srv.exe:*:Enabled:teeworlds_srv -- () "C:\Programme\Steam\steamapps\mjay217\condition zero\hl.exe" = C:\Programme\Steam\steamapps\mjay217\condition zero\hl.exe:*:Enabled:Half-Life Launcher -- (Valve) "C:\Programme\Java\jre6\bin\javaw.exe" = C:\Programme\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.) "C:\Programme\World of Warcraft\WoW-3.2.0-deDE-downloader.exe" = C:\Programme\World of Warcraft\WoW-3.2.0-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment) "C:\Programme\World of Warcraft\Launcher.exe" = C:\Programme\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment) "C:\Programme\iTunes\iTunes.exe" = C:\Programme\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.) 
"C:\Programme\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-deDE-downloader.exe" = C:\Programme\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment) "C:\Programme\EslWire\wire.exe" = C:\Programme\EslWire\wire.exe:*:Enabled:ESL Wire Client -- (Turtle Entertainment GmbH) "C:\Programme\Steam\steamapps\mjay217\condition zero deleted scenes\hl.exe" = C:\Programme\Steam\steamapps\mjay217\condition zero deleted scenes\hl.exe:*:Enabled:Half-Life Launcher -- (Valve) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam "{067EC517-9731-43FD-B4D5-296EE0027BBB}" = LogMeIn Hamachi "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour "{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter "{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime "{1545207E-C6F3-31D7-9918-BDBB65075FBF}" = Microsoft .NET Framework 3.5 Language Pack - deu "{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17 "{33cf58f5-48d8-4575-83d6-96f574e4d83a}" = Nero DriveSpeed "{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{359cfc0a-beb1-440d-95ba-cf63a86da34f}" = Nero Recode "{368ba326-73ad-4351-84ed-3c0a7a52cc53}" = Nero Rescue Agent "{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support "{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker "{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger "{43e39830-1826-415d-8bae-86845787b54b}" = Nero Vision "{4640FDE1-B83A-4376-84ED-86F86BEE2D41}" = Driver Detective "{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent 
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml "{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource "{588d8d73-dcc7-4733-ab7a-cd04ca675da2}" = Nero 9 Trial "{595a3116-40bb-4e0f-a2e8-d7951da56270}" = NeroExpress "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053 "{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call "{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5 "{62ac81f6-bdd3-4110-9d36-3e9eaab40999}" = Nero CoverDesigner "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{7748ac8c-18e3-43bb-959b-088faea16fb2}" = Nero StartSmart "{7829db6f-a066-4e40-8912-cb07887c20bb}" = Nero BurnRights "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{869200db-287a-4dc0-b02b-2b6787fbcd4c}" = Nero DiscSpeed "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player "{8FBC9407-713D-4B8A-98D2-57210DA56049}" = MSN Toolbar "{9309DD7E-EBFE-3C95-8B47-30D3A012F606}" = Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - DEU "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}" = AGEIA PhysX v7.11.13 "{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster "{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9e82b934-9a25-445b-b8df-8012808074ac}" = Nero PhotoSnap "{9e9fdde6-2c26-492a-85a0-05646b3f2795}" = NeroLiveGadget "{A1071AEB-B0EF-3F5F-BC84-83A270EBE496}" = Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - DEU "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI "{a209525b-3377-43f4-b886-32f6b6e7356f}" = Nero WaveEditor "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 
Service Pack 2 "{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes "{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress "{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder "{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter "{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support "{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3 - Deutsch "{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder "{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter "{b1adf008-e898-4fe2-8a1f-690d9a06acaf}" = DolbyFiles "{b2ec4a38-b545-4a00-8214-13fe0e915e6d}" = Advertising Center "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player "{b78120a0-cf84-4366-a393-4d0a59bc546c}" = Menu Templates - Starter Kit "{bd5ca0da-71ad-43da-b19e-6eee0c9adc9a}" = Nero ControlCenter "{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5 "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C2F8CA82-2BD9-4513-B2D1-08A47914C1DA}_is1" = Uniblue DriverScanner 2010 "{c5a7cb6c-e76d-408f-ba0e-85605420fe9d}" = SoundTrax "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{CECB9B3D-E681-4458-85F8-8D182941AF1D}" = Sound Blaster Audigy 2 "{d025a639-b9c9-417d-8531-208859000af8}" = NeroBurningROM "{D761C5D2-E727-415A-BC4E-52642CEA1A1C}" = TubeBox! 
"{D777D80E-13AE-4E6C-BCB2-9AEE10D9DEF1}" = Driver Updater "{d9dcf92e-72eb-412d-ac71-3b01276e5f8b}" = Nero ShowTime "{DF5A03CC-D5AA-43D8-B948-D9903F2AF94A}" = Counter-Strike(TM) "{df6a95f5-adc1-406a-bdc6-2aa7cc0182aa}" = Nero Live "{e498385e-1c51-459a-b45f-1721e37aa1a0}" = Movie Templates - Starter Kit "{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1" = Uniblue SpeedUpMyPC "{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster 2010 "{e8a80433-302b-4ff1-815d-fcc8eac482ff}" = Nero Installer "{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard "{F744201B-8229-4FBF-AF10-13BAFD02AF7C}" = STORM "{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials "{F916C6DF-2601-4385-9500-C45FF398D4CB}" = Install(GE) "{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio "{fbcdfd61-7dcf-4e71-9226-873ba0053139}" = Nero InfoTool "3B18191663CDFABAA2A93D4267E54D683153FF60" = Windows-Treiberpaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Ashampoo WinOptimizer 2010 Advanced_is1" = Ashampoo WinOptimizer 2010 Advanced "Audacity_is1" = Audacity 1.2.6 "AudioCS" = Creative-Audiokonsole "avast!" = avast! 
Antivirus "AVS Media Player_is1" = AVS Media Player 3.1 "AVS Update Manager_is1" = AVS Update Manager 1.0 "AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3 "AVS4YOU Video Converter 6_is1" = AVS Video Converter 6 "CCleaner" = CCleaner "Comoestamos Toolbar" = Comoestamos Toolbar "Creative Software AutoUpdate" = Creative Software AutoUpdate "DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters "Dragonica(DE)" = Dragonica(DE) "Drakensang_is1" = Drakensang "ESL Wire_is1" = ESL Wire 1.4 "FileZilla Client" = FileZilla Client 3.3.1 "Gothic II" = Gothic II "Gothic II - Die Nacht des Raben" = Gothic II - Die Nacht des Raben "HijackThis" = HijackThis 2.0.2 "HLSW_is1" = HLSW v1.3.2.1 "ie8" = Windows Internet Explorer 8 "JDownloader" = JDownloader "LAME for Audacity_is1" = LAME v3.98.2 for Audacity "Liveupdate4_is1" = Liveupdate4 "LogMeIn Hamachi" = LogMeIn Hamachi "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 3.5 Language Pack - deu" = Microsoft .NET Framework 3.5 Language Pack - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "mIRC" = mIRC "Mozilla Firefox (3.6)" = Mozilla Firefox (3.6) "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "MyAshampoo Toolbar" = MyAshampoo Toolbar "NVIDIA Drivers" = NVIDIA Drivers "SysInfo" = Creative-Systeminformationen "Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2 "TeamSpeak 3 Client" = TeamSpeak 3 Client "Trojan Remover_is1" = Trojan Remover 6.8.1 "Veetle TV" = Veetle TV 0.9.16 "WaveStudio 7" = Creative WaveStudio 7 "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WinLiveSuite_Wave3" = Windows Live Essentials "WinRAR archiver" = WinRAR "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "World of Warcraft" = World of Warcraft "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 
"Xilisoft PSP Video Converter" = Xilisoft PSP Video Converter "xp-AntiSpy" = xp-AntiSpy 3.97-6 "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0 "XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0 ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "BitTorrent DNA" = DNA ========== Last 10 Event Log Errors ========== [ Antivirus Events ] Error - 01.03.2010 23:22:17 | Computer Name = HOME-YIIOXJU9J8 | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of D:\Sources\WinSetup.dll failed, 0000001E. Error - 23.03.2010 08:29:13 | Computer Name = HOME-YIIOXJU9J8 | Source = avast! | ID = 33554522 Description = Error in aswChestS: chest s_RestoreFile Error 32. Error - 23.03.2010 08:29:13 | Computer Name = HOME-YIIOXJU9J8 | Source = avast! | ID = 33554522 Description = Error in aswChestC: chestRestoreFile Error 32. Error - 23.03.2010 08:29:13 | Computer Name = HOME-YIIOXJU9J8 | Source = avast! | ID = 33554522 Description = Error in aswChestC: chestGetFile Error 32. Error - 23.03.2010 08:29:13 | Computer Name = HOME-YIIOXJU9J8 | Source = avast! | ID = 33554522 Description = aswChestInterface - Program error description: CChestListView::ExtractSelectedFiles() chestGetFile() failed: 32. [ Application Events ] Error - 19.02.2010 00:04:43 | Computer Name = HOME-YIIOXJU9J8 | Source = Windows Live Messenger | ID = 1000 Description = Error - 19.02.2010 14:26:22 | Computer Name = HOME-YIIOXJU9J8 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung mmc.exe, Version 5.2.3790.4136, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. 
Error - 19.02.2010 16:29:33 | Computer Name = HOME-YIIOXJU9J8 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung AVSMediaPlayer.exe, Version 3.1.1.172, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 19.02.2010 17:37:35 | Computer Name = HOME-YIIOXJU9J8 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung AVSMediaPlayer.exe, Version 3.1.1.172, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 19.02.2010 17:38:02 | Computer Name = HOME-YIIOXJU9J8 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung AVSMediaPlayer.exe, Version 3.1.1.172, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 19.02.2010 17:38:31 | Computer Name = HOME-YIIOXJU9J8 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung AVSMediaPlayer.exe, Version 3.1.1.172, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 19.02.2010 17:38:47 | Computer Name = HOME-YIIOXJU9J8 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung AVSMediaPlayer.exe, Version 3.1.1.172, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 19.02.2010 20:59:16 | Computer Name = HOME-YIIOXJU9J8 | Source = Windows Live Messenger | ID = 1000 Description = Error - 20.02.2010 09:13:18 | Computer Name = HOME-YIIOXJU9J8 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung hl.exe, Version 1.1.1.1, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 23.02.2010 03:14:57 | Computer Name = HOME-YIIOXJU9J8 | Source = Application Error | ID = 1000 Description = Fehlgeschlagene Anwendung _is3.exe, Version 12.0.0.49974, fehlgeschlagenes Modul _is3.exe, Version 12.0.0.49974, Fehleradresse 0x0001e48b. 
[ System Events ] Error - 21.03.2010 22:07:09 | Computer Name = HOME-YIIOXJU9J8 | Source = Dhcp | ID = 1001 Description = Diesem Computer konnte keine Netzwerkadresse durch den DHCP-Server für die Netzwerkkarte mit der Netzwerkadresse 0023C3866165 zugeteilt werden. Der folgende Fehler ist aufgetreten: %%1223. Es wird weiterhin im Hintergrund versucht, eine Adresse vom Netzwerkadressserver (DHCP) zugeteilt zu bekommen. Error - 23.03.2010 06:02:24 | Computer Name = HOME-YIIOXJU9J8 | Source = Cdrom | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\CdRom0 gefunden. Error - 23.03.2010 06:02:29 | Computer Name = HOME-YIIOXJU9J8 | Source = Cdrom | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\CdRom0 gefunden. Error - 24.03.2010 04:28:58 | Computer Name = HOME-YIIOXJU9J8 | Source = Server | ID = 2505 Description = Aufgrund eines doppelten Netzwerknamens konnte zu der Transportschicht \Device\NetBT_Tcpip_{BE76E6F5-021B-4BA9-BDEB-99B93D9A3F25} vom Serverdienst nicht gebunden werden. Der Serverdienst konnte nicht gestartet werden. Error - 24.03.2010 13:37:03 | Computer Name = HOME-YIIOXJU9J8 | Source = sr | ID = 1 Description = Beim Verarbeiten der Datei "" auf Volume "HarddiskVolume1" ist im Wiederherstellungsfilter der unerwartete Fehler "0xC0000001" aufgetreten. Die Volumeüberwachung wurde angehalten. Error - 24.03.2010 13:37:57 | Computer Name = HOME-YIIOXJU9J8 | Source = Service Control Manager | ID = 7026 Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: atapi PCIIde Error - 24.03.2010 13:42:36 | Computer Name = HOME-YIIOXJU9J8 | Source = sr | ID = 1 Description = Beim Verarbeiten der Datei "" auf Volume "HarddiskVolume1" ist im Wiederherstellungsfilter der unerwartete Fehler "0xC0000001" aufgetreten. Die Volumeüberwachung wurde angehalten. 
Error - 24.03.2010 13:43:33 | Computer Name = HOME-YIIOXJU9J8 | Source = Service Control Manager | ID = 7026 Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: atapi PCIIde Error - 24.03.2010 14:37:17 | Computer Name = HOME-YIIOXJU9J8 | Source = sr | ID = 1 Description = Beim Verarbeiten der Datei "" auf Volume "HarddiskVolume1" ist im Wiederherstellungsfilter der unerwartete Fehler "0xC0000001" aufgetreten. Die Volumeüberwachung wurde angehalten. Error - 24.03.2010 14:37:55 | Computer Name = HOME-YIIOXJU9J8 | Source = Service Control Manager | ID = 7026 Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: atapi PCIIde < End of report > Gmer: Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net Rootkit scan 2010-03-24 20:11:42 Windows 5.1.2600 Service Pack 3 Running: czc3xtgm.exe; Driver: C:\DOKUME~1\Marc.Z\LOKALE~1\Temp\kxliykob.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB4A716B8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB4A71574] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB4A71A52] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB4A7114C] SSDT spqu.sys ZwEnumerateKey [0xB7ECDDA4] SSDT spqu.sys ZwEnumerateValueKey [0xB7ECE132] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB4A7164E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB4A7108C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB4A710F0] SSDT spqu.sys ZwQueryKey [0xB7ECE20A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB4A7176E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB4A7172E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB4A718AE] INT 0x62 ? 8A7CFBF8 INT 0x73 ? 8A761BF8 INT 0x82 ? 8A7CFBF8 INT 0x83 ? 8A761BF8 ---- Kernel code sections - GMER 1.0.15 ---- ? wyqaw.sys Das System kann die angegebene Datei nicht finden. ! ? spqu.sys Das System kann die angegebene Datei nicht finden. ! 
.text USBPORT.SYS!DllUnload B7C618AC 5 Bytes JMP 8A7D01D8 .text C:\WINDOWS.0\system32\DRIVERS\nv4_mini.sys section is writeable [0xB70A0380, 0x346307, 0xE8000020] .text awrq85k1.SYS B7053386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text awrq85k1.SYS B70533AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text awrq85k1.SYS B70533C4 3 Bytes [00, 80, 02] .text awrq85k1.SYS B70533C9 1 Byte [30] .text awrq85k1.SYS B70533C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL} .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\Programme\Pando Networks\Media Booster\PMB.exe[2416] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!KeGetCurrentIrql] 9E880000 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!KfRaiseIrql] 00001CB1 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!KfLowerIrql] 0E798366 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!HalGetInterruptVector] 74AAB000 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!HalTranslateBusAddress] 8986C636 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!READ_PORT_USHORT] 001C9686 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2 IAT \SystemRoot\System32\Drivers\awrq85k1.SYS[WMILIB.SYS!WmiSystemControl] 8800001C IAT 
\SystemRoot\System32\Drivers\awrq85k1.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS.0\system32\services.exe[948] @ C:\WINDOWS.0\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002 IAT C:\WINDOWS.0\system32\services.exe[948] @ C:\WINDOWS.0\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000 IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim 
Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[4024] @ C:\WINDOWS.0\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A7CE1F8 AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{49D587F2-4BC6-4E05-B0FF-31A8EF08E41D} 89B811F8 AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! 
TDI Filter Driver/ALWIL Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{41A50749-6E96-4E03-9FF6-530B908BD652} 89B811F8 Device \Driver\sptd \Device\4122454636 spqu.sys Device \Driver\usbohci \Device\USBPDO-0 8A6FB500 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7621F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A7621F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A7621F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A7621F8 Device \Driver\usbehci \Device\USBPDO-1 8A6A51F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{BE76E6F5-021B-4BA9-BDEB-99B93D9A3F25} 89B811F8 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) Device \Driver\PCI_PNP9636 \Device\00000057 spqu.sys Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7D11F8 Device \Driver\Cdrom \Device\CdRom0 8A6BE1F8 Device \Driver\Cdrom \Device\CdRom1 8A6BE1F8 Device \Driver\Cdrom \Device\CdRom2 8A6BE1F8 Device \Driver\Cdrom \Device\CdRom3 8A6BE1F8 Device \Driver\Cdrom \Device\CdRom4 8A6BE1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 89B811F8 Device \Driver\NetBT \Device\NetbiosSmb 89B811F8 Device \Driver\nvata \Device\00000079 8A7611F8 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! 
TDI Filter Driver/ALWIL Software) Device \Driver\usbohci \Device\USBFDO-0 8A6FB500 Device \Driver\usbehci \Device\USBFDO-1 8A6A51F8 Device \Driver\nvata \Device\NvAta0 8A7611F8 Device \Driver\nvatabus \Device\0000007b 8A7CF1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89B201F8 Device \Driver\nvata \Device\NvAta1 8A7611F8 Device \Driver\nvatabus \Device\0000007c 8A7CF1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89B201F8 Device \Driver\nvatabus \Device\NvAta2 8A7CF1F8 Device \Driver\nvatabus \Device\0000007d 8A7CF1F8 Device \Driver\Ftdisk \Device\FtControl 8A7D11F8 Device \Driver\awrq85k1 \Device\Scsi\awrq85k11Port3Path0Target1Lun0 8A5D71F8 Device \Driver\awrq85k1 \Device\Scsi\awrq85k11Port3Path0Target0Lun0 8A5D71F8 Device \Driver\awrq85k1 \Device\Scsi\awrq85k11 8A5D71F8 Device \FileSystem\Cdfs \Cdfs 8A6D51F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEE 0x63 0x12 0x55 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA4 0x53 0x0A 0x56 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x25 0xAB 0x45 0x97 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE5 0x3E 0xF1 0xDC ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x39 0xF0 0x7A 0xF6 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC1 0xD0 0xB3 0x13 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x87 0x4D 0x29 0x7B ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... 
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEE 0x63 0x12 0x55 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA4 0x53 0x0A 0x56 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x25 0xAB 0x45 0x97 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE5 0x3E 0xF1 0xDC ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System |
25.03.2010, 08:01 | #5 |
| Stubborn Trojan Hi, have you already experimented with ComboFix etc.? There are still remnants of the Ask toolbar present: Code:
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2427995
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
[2010.01.17 17:09:04 | 000,002,236 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\askcom.xml
Prevx: http://www.prevx.com/freescan.asp If the tool finds something, do not post the log but a screenshot of the window it then displays... chris
__________________ Don't bring me down Read before posting! Donations (Anyone wishing to donate is welcome to get in touch) |
25.03.2010, 18:12 | #6 |
| Stubborn Trojan I downloaded ComboFix a few months ago but never really got into it. GMER log, after the uninstallation: Code:
ATTFilter GMER 1.0.15.15281 - hxxp://www.gmer.net Rootkit scan 2010-03-25 18:09:41 Windows 5.1.2600 Service Pack 3 Running: gpjlud1g.exe; Driver: C:\DOKUME~1\Marc.Z\LOKALE~1\Temp\kxliykob.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB4AEB6B8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB4AEB574] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB4AEBA52] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB4AEB14C] SSDT spfe.sys ZwEnumerateKey [0xB7ECDDA4] SSDT spfe.sys ZwEnumerateValueKey [0xB7ECE132] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB4AEB64E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB4AEB08C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB4AEB0F0] SSDT spfe.sys ZwQueryKey [0xB7ECE20A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB4AEB76E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB4AEB72E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB4AEB8AE] INT 0x62 ? 8A7CFBF8 INT 0x73 ? 8A761BF8 INT 0x82 ? 8A7CFBF8 INT 0x83 ? 8A761BF8 ---- Kernel code sections - GMER 1.0.15 ---- ? spfe.sys Das System kann die angegebene Datei nicht finden. ! 
.text USBPORT.SYS!DllUnload B7C618AC 5 Bytes JMP 8A6D11D8 .text C:\WINDOWS.0\system32\DRIVERS\nv4_mini.sys section is writeable [0xB70A0380, 0x346307, 0xE8000020] .text C:\WINDOWS.0\system32\drivers\ACEDRV05.sys section is writeable [0xB4CC4000, 0x30A4A, 0xE8000020] .pklstb C:\WINDOWS.0\system32\drivers\ACEDRV05.sys entry point in ".pklstb" section [0xB4D06000] .relo2 C:\WINDOWS.0\system32\drivers\ACEDRV05.sys unknown last section [0xB4D21000, 0x8E, 0x42000040] ---- User code sections - GMER 1.0.15 ---- .text C:\Programme\Pando Networks\Media Booster\PMB.exe[1708] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spfe.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spfe.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spfe.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spfe.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spfe.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS.0\system32\services.exe[948] @ C:\WINDOWS.0\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002 IAT C:\WINDOWS.0\system32\services.exe[948] @ C:\WINDOWS.0\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000 IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] 
C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ 
C:\WINDOWS.0\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINDOWS.0\Explorer.EXE[1292] @ C:\WINDOWS.0\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A7CE1F8 AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{49D587F2-4BC6-4E05-B0FF-31A8EF08E41D} 89C491F8 AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{41A50749-6E96-4E03-9FF6-530B908BD652} 89C491F8 Device \Driver\usbohci \Device\USBPDO-0 8A6A81F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7621F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A7621F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A7621F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A7621F8 Device \Driver\usbehci \Device\USBPDO-1 8A6A71F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{BE76E6F5-021B-4BA9-BDEB-99B93D9A3F25} 89C491F8 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7D11F8 Device \Driver\Cdrom \Device\CdRom0 8A7191F8 Device \Driver\Cdrom \Device\CdRom1 8A7191F8 Device \Driver\Cdrom \Device\CdRom2 8A7191F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 89C491F8 Device \Driver\nvata \Device\00000079 8A7611F8 Device \Driver\NetBT \Device\NetbiosSmb 89C491F8 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! 
TDI Filter Driver/ALWIL Software) Device \Driver\usbohci \Device\USBFDO-0 8A6A81F8 Device \Driver\usbehci \Device\USBFDO-1 8A6A71F8 Device \Driver\nvata \Device\NvAta0 8A7611F8 Device \Driver\nvatabus \Device\0000007b 8A7CF1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89BEB1F8 Device \Driver\nvata \Device\NvAta1 8A7611F8 Device \Driver\nvatabus \Device\0000007c 8A7CF1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89BEB1F8 Device \Driver\nvatabus \Device\NvAta2 8A7CF1F8 Device \Driver\nvatabus \Device\0000007d 8A7CF1F8 Device \Driver\Ftdisk \Device\FtControl 8A7D11F8 Device \FileSystem\Cdfs \Cdfs 89C391F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEE 0x63 0x12 0x55 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x39 0xF0 0x7A 0xF6 ... 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC1 0xD0 0xB3 0x13 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x87 0x4D 0x29 0x7B ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEE 0x63 0x12 0x55 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Regards
Last edited by Sykes (25.03.2010 at 18:21) |
26.03.2010, 07:37 | #7 |
| Stubborn Trojan Hi, looks good... Remove the Ask toolbar as well; report back again if necessary, then there'll be an OTL script... chris |
26.03.2010, 08:38 | #8 |
| Stubborn Trojan With which program should I remove the remnants? They are no longer shown in HijackThis. Regards |
26.03.2010, 08:46 | #9 |
| Stubborn Trojan Hi,
Code:
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2427995
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
[2010.01.17 17:09:04 | 000,002,236 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\askcom.xml
:Commands
[emptytemp]
[Reboot]
chris |
26.03.2010, 11:56 | #10 |
| Stubborn Trojan Code:
All processes killed
Error: Unable to interpret <IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2427995> in the current context!
Error: Unable to interpret <FF - prefs.js..browser.search.defaultengine: "Ask.com"> in the current context!
Error: Unable to interpret <FF - prefs.js..browser.search.order.1: "Ask.com"> in the current context!
Error: Unable to interpret <[2010.01.17 17:09:04 | 000,002,236 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\askcom.xml> in the current context!
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Marc.Z
->Temp folder emptied: 252957 bytes
->Temporary Internet Files folder emptied: 4143835 bytes
->Java cache emptied: 12694384 bytes
->FireFox cache emptied: 208641591 bytes
->Google Chrome cache emptied: 6363821 bytes
->Flash cache emptied: 7703 bytes
User: Marc~Z
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
%systemdrive% .tmp files removed: 3962 bytes
%systemroot% .tmp files removed: 46028927 bytes
%systemroot%\System32 .tmp files removed: 961415 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 266,00 mb
OTL by OldTimer - Version 3.1.37.3 log created on 03262010_103328
Files\Folders moved on Reboot...
File move failed. C:\WINDOWS.0\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS.0\temp\Perflib_Perfdata_720.dat moved successfully.
Registry entries deleted on Reboot...
Regards |
26.03.2010, 16:00 | #11 |
| Stubborn Trojan Hi, I forgot the :OTL at the start of the script ... chris |
27.03.2010, 17:23 | #12 |
| Stubborn Trojan How do you mean? When it comes to this kind of PC stuff I'm not that great. Do you mean it like this? Code:
OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2427995
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
[2010.01.17 17:09:04 | 000,002,236 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\askcom.xml
:Commands
[emptytemp]
[Reboot]
Regards |
29.03.2010, 06:47 | #13 |
| Stubborn Trojan Hi, with a colon in front: :OTL chris |
29.03.2010, 22:16 | #14 |
| Stubborn Trojan OK, after the OTL script: Code:
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2427995
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
[2010.01.17 17:09:04 | 000,002,236 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\askcom.xml
:Commands
[emptytemp]
[Reboot]
Code:
All processes killed
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Prefs.js: "Ask.com" removed from browser.search.defaultengine
Prefs.js: "Ask.com" removed from browser.search.order.1
C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\askcom.xml moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Marc.Z
->Temp folder emptied: 616661 bytes
->Temporary Internet Files folder emptied: 7046258 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 157186847 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 3794 bytes
User: Marc~Z
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 84417 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 157,00 mb
OTL by OldTimer - Version 3.1.37.3 log created on 03292010_231050
Files\Folders moved on Reboot...
File move failed. C:\WINDOWS.0\temp\Perflib_Perfdata_72c.dat scheduled to be moved on reboot.
Registry entries deleted on Reboot... |
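As an added example (not code from this thread or from OTL itself), a small Python model of how an OTL fix script is read section by section: only lines under a section header such as :OTL or :Commands are interpreted, which is why the script in post #10 (no :OTL header) produced four "Unable to interpret" errors while the corrected script in post #14 applied all four fix lines. OTL's parser is not public, so the section rules and the action strings are assumptions modelled on the logs posted above; the scripts are constructed copies of the ones in the thread.

```python
"""Simplified model of OTL fix-script sectioning (added example, not OTL's code).
The section rules and the reported action strings are assumptions modelled on
the logs posted in the thread, not OTL's real implementation."""
import re

# Section headers used in the thread (matched case-insensitively: an assumption).
SECTION_HEADERS = {":otl": ":OTL", ":commands": ":Commands"}

# The :Commands the thread uses, with the action the model reports for each.
COMMANDS = {"[emptytemp]": "Temp folders emptied", "[reboot]": "Reboot scheduled"}

# Constructed copy of the script from post #10: the fix lines come before any
# section header, so there is no context in which they can be interpreted.
SCRIPT_WITHOUT_HEADER = r"""
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2427995
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
[2010.01.17 17:09:04 | 000,002,236 | ---- | M] () -- C:\Dokumente und Einstellungen\Marc.Z\Anwendungsdaten\Mozilla\Firefox\Profiles\a4cui1ez.default\searchplugins\askcom.xml
:Commands
[emptytemp]
[Reboot]
"""

# The corrected script from post #14: identical, but opened with the :OTL header.
SCRIPT_WITH_HEADER = ":OTL" + SCRIPT_WITHOUT_HEADER


def classify_otl_line(line):
    """Map one line of the :OTL section to the action the log would report.
    Returns None for a line the section does not understand."""
    # Registry value line: "IE - HKCU\...\Main,Start Page = hxxp://..."
    m = re.match(r"IE - (HK\w+\\[^,]+),([^=]+?) = ", line)
    if m:
        return f"{m.group(1)}\\\\{m.group(2)}| /E : value set successfully!"
    # Firefox preference line: 'FF - prefs.js..browser.search.order.1: "Ask.com"'
    m = re.match(r'FF - prefs\.js\.\.([\w.]+): "([^"]+)"', line)
    if m:
        return f'Prefs.js: "{m.group(2)}" removed from {m.group(1)}'
    # File entry line: "[date | size | attrs | M] () -- <path>"
    m = re.match(r"\[[^\]]*\] \(\) -- (.+)$", line)
    if m:
        return f"{m.group(1)} moved successfully."
    return None


def run_fix_script(script):
    """Simulate section-based reading of a fix script; returns (actions, errors).

    A line is only meaningful inside a section.  A line seen before any header
    (or one the current section cannot parse) is reported the way the post #10
    log did: 'Unable to interpret <line> in the current context!'."""
    section = None
    actions, errors = [], []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SECTION_HEADERS:
            section = SECTION_HEADERS[line.lower()]
            continue
        if section == ":OTL":
            action = classify_otl_line(line)
        elif section == ":Commands":
            action = COMMANDS.get(line.lower())
        else:
            action = None  # no section opened yet: nothing can be interpreted
        if action is None:
            errors.append(f"Error: Unable to interpret <{line}> in the current context!")
        else:
            actions.append(action)
    return actions, errors


if __name__ == "__main__":
    for name, script in (("post #10 (no header)", SCRIPT_WITHOUT_HEADER),
                         ("post #12 ('OTL' without colon)", "OTL" + SCRIPT_WITHOUT_HEADER),
                         ("post #14 (:OTL header)", SCRIPT_WITH_HEADER)):
        actions, errors = run_fix_script(script)
        print(f"{name}: {len(actions)} actions, {len(errors)} errors")
        for e in errors:
            print("  " + e)
```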