Log analysis and evaluation: CPU usage is at 100

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
30.03.2010, 14:00   #1
Twinnis
 



Hello,

we don't know what else to do and found this forum, maybe someone here can help us. My CPU usage has been at 100% constantly for 3 days, no matter what we have tried. Please have a look at what is causing it and what else we could do.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:08, on 30.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\ZyXEL\G-302v3\G-302v3.exe
C:\Programme\Avant Browser\avant.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Avant Browser\avant.exe
C:\Dokumente und Einstellungen\Mama\Lokale Einstellungen\Temporary Internet Files\Content.IE5\XH5DOB7V\HiJackThis[1].exe
C:\Programme\Avant Browser\avant.exe
C:\Programme\Avant Browser\avant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60280
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ask.com/?o=15709&l=dis
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60280
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60280
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60280
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60280
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: syspck32.exe
O4 - Global Startup: ZyXEL G-302 v3 Utility.lnk = C:\Programme\ZyXEL\G-302v3\G-302v3.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - hxxp://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - hxxp://schnattchen1975.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} (PCMaticVer Class) - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 6268 bytes

30.03.2010, 14:12   #2
Chris4You
 



Hi,

have a look:
O4 - Startup: syspck32.exe
-> http://htlogs.com/what-is-syspck32-e...-syspck32-exe/

Malwarebytes Antimalware (MAM)
Instructions & download here: http://www.trojaner-board.de/51187-m...i-malware.html
If the download does not work, please download a generic version via:
http://filepony.de/download-chameleon/
Then please update the signature files (tab "Update" -> "Check for updates")
Run a full scan and let it clean everything! Post the log.

OTL
Download OTL by Oldtimer (http://filepony.de/download-otl/) and save it to your desktop
  • Vista/Win7 users: right-click OTL.exe and choose "Run as administrator"
  • At the top you will find a box labelled Output. Please select Minimal Output
  • Under Extra Registry, please select Use SafeList
  • Now click Run Scan at the top left
  • When the scan has finished, 2 log files are created
  • Post the log files here in the thread

Then we'll see how to proceed ;o)

chris
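The triage rule Chris4You applies above (an O4 entry that is a bare file name in a user's Startup folder is the first thing to look at, because installers normally put a shortcut or a full path there, not a loose executable) can be turned into a small parser for HijackThis-style log lines. The following Python script is an added example for this thread; it is not code from HijackThis, OTL or Trojaner-Board. It also flags autostarts that run from outside Windows/Program Files, O2/O3/O9 hooks ending in "(no file)" (orphaned entries) and O23 services with "Unknown owner". The trusted-directory prefixes, severity labels and rule set are the example's own assumptions; the sample lines are copied from the HijackThis log in post #1.

```python
"""Triage of HijackThis-style log lines. Added example, not code from the thread.

Rules (this example's own assumptions, mirroring what a log analyst checks first):
  * O4 entry started as a bare file name from a Startup folder     -> high
  * O4 entry whose binary lives outside Windows / Program Files    -> medium
  * O2/O3/O9 entry whose file is gone ("(no file)")                -> low
  * O23 service with "Unknown owner"                               -> low
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Directories a legitimate autostart normally runs from. German-locale Windows XP
# layout as in the thread's log (C:\Programme); assumption, adjust for other locales.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\programme\\", "c:\\progra~1\\")

# A Windows path ending in an executable-type extension. Non-greedy so that trailing
# arguments ("/auto") or annotations ("(User 'SYSTEM')") are not swallowed.
PATH_RE = re.compile(r"([a-z]:\\.+?\.(?:exe|scr|bat|cmd|vbs|dll|com|pif))\b", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def _is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def _check_o4(line: str) -> Optional[Finding]:
    body = line.split(" - ", 1)[1]            # strip the "O4 - " tag
    kind, _, target = body.partition(": ")   # "Startup", "Global Startup", "HKLM\..\Run", ...
    if kind in ("Startup", "Global Startup"):
        # Shortcuts show up as "name.lnk = C:\full\path.exe"; a file dropped straight
        # into the Autostart folder shows up as a bare name.
        target = target.split(" = ", 1)[-1].strip()
        if "\\" not in target:
            return Finding("high", f"bare executable in {kind} folder: {target}", line)
    match = PATH_RE.search(target)
    if match is None:
        return Finding("medium", "autostart entry without a resolvable path", line)
    if not _is_trusted(match.group(1)):
        return Finding("medium", f"autostart outside trusted directories: {match.group(1)}", line)
    return None


def _check_orphan(line: str) -> Optional[Finding]:
    if line.endswith("(no file)"):
        return Finding("low", "hook points to a file that no longer exists (orphaned entry)", line)
    return None


def _check_service(line: str) -> Optional[Finding]:
    if " - Unknown owner - " in line:
        return Finding("low", "service binary carries no company information", line)
    return None


CHECKS: Dict[str, Callable[[str], Optional[Finding]]] = {
    "O4": _check_o4,
    "O2": _check_orphan, "O3": _check_orphan, "O9": _check_orphan,
    "O23": _check_service,
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage(log_text: str) -> List[Finding]:
    """Return the findings for a HijackThis-style log, most severe first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        parts = line.split(" - ", 1)
        if len(parts) != 2:
            continue                          # headers, process list, blank lines
        check = CHECKS.get(parts[0])
        if check is not None:
            finding = check(line)
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: syspck32.exe
O4 - Global Startup: ZyXEL G-302 v3 Utility.lnk = C:\Programme\ZyXEL\G-302v3\G-302v3.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.line}")
```

On the sample, the syspck32.exe line is the single high finding, the two "(no file)" BHOs and the "ATI Smart" service come out as low, and the MSConfig, CTFMON and ZyXEL entries are not reported. The OTL format in post #3 writes the same Startup entry with its full path under C:\Dokumente und Einstellungen\...\Autostart\; the same rule then reports it as an autostart outside the trusted directories rather than as a bare name.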

30.03.2010, 15:26   #3
Twinnis
 



OTL logfile created on: 30.03.2010 14:19:11 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Dokumente und Einstellungen\Mama\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 69,00% Memory free
3,00 Gb Paging File | 2,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 48,83 Gb Total Space | 22,22 Gb Free Space | 45,51% Space Free | Partition Type: NTFS
Drive D: | 25,69 Gb Total Space | 4,46 Gb Free Space | 17,35% Space Free | Partition Type: NTFS
Drive E: | 702,31 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BÄRCHEN
Current User Name: Mama
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Dokumente und Einstellungen\Mama\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Dokumente und Einstellungen\Mama\Lokale Einstellungen\Temporary Internet Files\Content.IE5\XH5DOB7V\HiJackThis[1].exe (Trend Micro Inc.)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avant Browser\avant.exe (Avant Force)
PRC - C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\ZyXEL\G-302v3\G-302v3.exe ()


========== Modules (SafeList) ==========

MOD - C:\Dokumente und Einstellungen\Mama\Desktop\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (Lavasoft Ad-Aware Service) -- C:\Programme\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (PCPitstop Scheduling) -- C:\Programme\PCPitstop\PCPitstopScheduleService.exe (PC Pitstop LLC)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MsMpEng.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (usbsermpt) -- C:\WINDOWS\system32\drivers\usbsermpt.sys (Microsoft Corporation)
DRV - (cpuz132) -- C:\WINDOWS\system32\drivers\cpuz132_x32.sys (Windows (R) Codename Longhorn DDK provider)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (motmodem) -- C:\WINDOWS\system32\drivers\motmodem.sys (Motorola)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (Changer) -- C:\WINDOWS\system32\drivers\changer.sys (Microsoft Corporation)
DRV - (lbrtfdc) -- C:\WINDOWS\system32\drivers\lbrtfdc.sys (Toshiba Corp.)
DRV - (ATITool) -- C:\WINDOWS\system32\drivers\ATITool.sys ()
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (VIAudio) Vinyl AC'97 Audio Controller (WDM) -- C:\WINDOWS\system32\drivers\vinyl97.sys (VIA Technologies, Inc.)
DRV - (odysseyIM3) -- C:\WINDOWS\system32\drivers\odysseyIM3.sys (Funk Software, Inc.)
DRV - (PCANDIS5) -- C:\WINDOWS\system32\PCANDIS5.SYS (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (viaagp1) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (SjyPkt) -- C:\WINDOWS\system32\drivers\SjyPkt.sys (Windows (R) 2000 DDK provider)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = hxxp://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60280
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60280

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ask.com/?o=15709&l=dis
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = about:blank
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2009.06.15 00:16:17 | 000,307,243 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10574 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\ZyXEL G-302 v3 Utility.lnk = C:\Programme\ZyXEL\G-302v3\G-302v3.exe ()
O4 - Startup: C:\Dokumente und Einstellungen\Mama\Startmenü\Programme\Autostart\syspck32.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} hxxp://schnattchen1975.spaces.live.com/PhotoUpload/MsnPUpld.cab (Windows Live Photo Upload Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab (PCMaticVer Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.191.74.11 213.191.92.82
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Mama\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Mama\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Programme\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Programme\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008.06.30 07:53:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a93db160-18a4-11df-9012-0019cb1315e6}\Shell\AutoRun\command - "" = F:\START.EXE -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.03.30 14:17:03 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Mama\Desktop\OTL.exe
[2010.03.30 13:24:27 | 000,000,000 | ---D | C] -- C:\Programme\Trend Micro
[2010.03.30 01:34:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mama\Lokale Einstellungen\Anwendungsdaten\PCHealth
[2010.03.29 21:04:02 | 009,823,176 | ---- | C] (Microsoft Corporation) -- C:\Dokumente und Einstellungen\Mama\Desktop\windows-kb890830-v3.5.exe
[2010.03.29 20:59:52 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mama\Anwendungsdaten\Malwarebytes
[2010.03.29 20:59:36 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.03.29 20:59:31 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.03.29 20:59:07 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.03.29 20:59:06 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.03.29 16:02:25 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010.03.29 15:48:26 | 000,000,000 | ---D | C] -- C:\Programme\Windows Defender
[2010.03.29 13:41:18 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PCPitstop
[2010.03.29 13:41:10 | 000,000,000 | ---D | C] -- C:\Programme\PCPitstop
[2010.03.29 13:11:14 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Yahoo! Companion
[2010.03.29 13:11:14 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mama\Anwendungsdaten\Yahoo!
[2010.03.29 13:11:02 | 000,000,000 | ---D | C] -- C:\Programme\Yahoo!
[2010.03.29 13:08:43 | 000,000,000 | ---D | C] -- C:\Programme\Defraggler
[2010.03.29 11:09:40 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SecTaskMan
[2010.03.29 11:09:17 | 000,000,000 | ---D | C] -- C:\Programme\Security Task Manager
[2010.03.29 10:12:14 | 000,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010.03.29 10:12:14 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010.03.29 10:12:14 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010.03.29 10:12:11 | 000,000,000 | ---D | C] -- C:\Programme\Avira
[2010.03.29 10:12:11 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
[2010.03.29 09:50:54 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Mama\Recent
[2010.03.29 09:37:48 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Microsoft
[2010.03.29 09:37:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2010.03.29 09:37:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2010.03.29 09:37:47 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Microsoft
[2010.03.29 08:44:02 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mama\Anwendungsdaten\AVG8
[2010.03.28 20:54:04 | 000,000,000 | ---D | C] -- C:\Programme\RAM Defrag
[2010.03.28 13:51:58 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010.03.28 13:51:58 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010.03.28 13:51:33 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010.03.28 13:48:26 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010.03.28 13:48:26 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010.03.10 11:43:32 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010.03.06 11:12:42 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe
[2009.10.24 16:01:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Adobe
[2009.09.05 21:37:28 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Google
[2009.06.15 12:21:31 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Adobe
[2009.05.16 23:41:39 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Google
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.03.30 14:17:15 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Mama\Desktop\OTL.exe
[2010.03.30 14:15:19 | 008,388,608 | -H-- | M] () -- C:\Dokumente und Einstellungen\Mama\NTUSER.DAT
[2010.03.30 14:00:02 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.03.30 13:24:28 | 000,001,698 | ---- | M] () -- C:\Dokumente und Einstellungen\Mama\Desktop\HijackThis.lnk
[2010.03.30 12:59:10 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.03.30 12:59:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.03.30 12:59:10 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010.03.30 12:58:19 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.03.30 12:58:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.03.30 12:57:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.03.30 12:57:09 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\Mama\ntuser.ini
[2010.03.30 05:13:19 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010.03.30 01:34:35 | 000,000,322 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010.03.29 23:13:47 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010.03.29 21:04:04 | 009,823,176 | ---- | M] (Microsoft Corporation) -- C:\Dokumente und Einstellungen\Mama\Desktop\windows-kb890830-v3.5.exe
[2010.03.29 20:59:40 | 000,000,676 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.03.29 18:30:12 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010.03.29 18:30:12 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010.03.29 18:30:09 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010.03.29 15:43:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.03.29 14:09:11 | 000,262,144 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\ntuser.dat
[2010.03.29 13:41:22 | 000,000,699 | ---- | M] () -- C:\Dokumente und Einstellungen\Mama\Desktop\PC Matic.lnk
[2010.03.29 13:09:37 | 000,001,544 | ---- | M] () -- C:\Dokumente und Einstellungen\Mama\Desktop\Defraggler.lnk
[2010.03.29 10:46:53 | 000,096,104 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010.03.29 10:46:53 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010.03.29 10:46:53 | 000,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010.03.29 10:15:14 | 000,001,671 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010.03.28 13:47:10 | 000,000,126 | ---- | M] () -- C:\WINDOWS\System32\fjhdyfhsn.bat
[2010.03.28 13:47:01 | 000,000,004 | ---- | M] () -- C:\Dokumente und Einstellungen\Mama\Anwendungsdaten\avdrn.dat
[2010.03.28 10:22:01 | 001,105,834 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.03.28 10:22:01 | 000,483,976 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.03.28 10:22:01 | 000,441,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.03.28 10:22:01 | 000,094,330 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.03.28 10:22:01 | 000,071,196 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.03.24 18:00:42 | 000,001,777 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Chrome.lnk
[2010.03.21 14:37:40 | 000,102,400 | ---- | M] () -- C:\Dokumente und Einstellungen\Mama\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.03.30 13:24:28 | 000,001,698 | ---- | C] () -- C:\Dokumente und Einstellungen\Mama\Desktop\HijackThis.lnk
[2010.03.29 20:59:40 | 000,000,676 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.03.29 15:54:32 | 000,000,322 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010.03.29 14:09:11 | 000,262,144 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\ntuser.dat
[2010.03.29 13:41:22 | 000,000,699 | ---- | C] () -- C:\Dokumente und Einstellungen\Mama\Desktop\PC Matic.lnk
[2010.03.29 13:09:36 | 000,001,544 | ---- | C] () -- C:\Dokumente und Einstellungen\Mama\Desktop\Defraggler.lnk
[2010.03.29 10:15:13 | 000,001,671 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010.03.28 20:54:08 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\GkSui20.EXE
[2010.03.28 13:47:10 | 000,000,126 | ---- | C] () -- C:\WINDOWS\System32\fjhdyfhsn.bat
[2010.03.28 13:47:01 | 000,000,004 | ---- | C] () -- C:\Dokumente und Einstellungen\Mama\Anwendungsdaten\avdrn.dat
[2009.08.21 22:39:02 | 000,493,926 | ---- | C] () -- C:\Dokumente und Einstellungen\Mama\Anwendungsdaten\mdbu.bin
[2009.06.21 13:02:24 | 000,008,951 | ---- | C] () -- C:\WINDOWS\ePrompter.ini
[2009.06.15 07:37:32 | 030,143,040 | ---- | C] () -- C:\Programme\avira_antivir_personal_de.exe
[2009.05.29 22:09:35 | 001,855,179 | ---- | C] () -- C:\Programme\USB_Driver_32.zip
[2009.05.28 23:19:58 | 000,000,204 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009.03.06 21:14:44 | 000,002,528 | ---- | C] () -- C:\Dokumente und Einstellungen\Mama\Anwendungsdaten\$_hpcst$.hpc
[2008.09.15 14:31:00 | 000,000,252 | ---- | C] () -- C:\WINDOWS\asrapi.ini
[2008.09.15 14:29:35 | 000,081,920 | ---- | C] () -- C:\WINDOWS\asr3232.dll
[2008.08.28 14:05:41 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008.08.28 14:05:41 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008.08.28 14:05:40 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008.08.28 14:05:40 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008.08.28 14:05:40 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008.08.28 14:05:40 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008.07.04 18:43:35 | 000,000,565 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2008.07.01 19:53:00 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008.06.30 09:05:10 | 000,102,400 | ---- | C] () -- C:\Dokumente und Einstellungen\Mama\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.06.30 08:34:33 | 000,061,440 | R--- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2008.06.30 08:31:51 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2008.06.30 08:25:50 | 000,000,137 | ---- | C] () -- C:\Dokumente und Einstellungen\Mama\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
[2008.06.30 07:56:13 | 000,001,082 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008.05.26 22:23:36 | 000,016,834 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2008.05.26 22:23:34 | 000,024,188 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2008.05.26 22:23:32 | 000,016,568 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2006.11.10 15:08:50 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATITool.sys
< End of report >




OTL Extras logfile created on: 30.03.2010 14:19:11 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Dokumente und Einstellungen\Mama\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 69,00% Memory free
3,00 Gb Paging File | 2,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 48,83 Gb Total Space | 22,22 Gb Free Space | 45,51% Space Free | Partition Type: NTFS
Drive D: | 25,69 Gb Total Space | 4,46 Gb Free Space | 17,35% Space Free | Partition Type: NTFS
Drive E: | 702,31 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BÄRCHEN
Current User Name: Mama
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Programme\Avant Browser\avant.exe (Avant Force)
.url [@ = InternetShortcut] -- C:\Programme\Avant Browser\avant.exe (Avant Force)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Programme\Avant Browser\avant.exe" %1 (Avant Force)
htmlfile [opennew] -- "C:\Programme\Avant Browser\avant.exe" %1 (Avant Force)
http [open] -- "C:\Programme\Avant Browser\avant.exe" %1 (Avant Force)
https [open] -- "C:\Programme\Avant Browser\avant.exe" %1 (Avant Force)
InternetShortcut [open] -- "C:\Programme\Avant Browser\avant.exe" %1 (Avant Force)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"31154:TCP" = 31154:TCP:*:Enabled:E-mule
"46498:UDP" = 46498:UDP:*:Enabled:Emule
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Programme\Microsoft ActiveSync\rapimgr.exe" = C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- File not found
"C:\Programme\Microsoft ActiveSync\wcescomm.exe" = C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- File not found
"C:\Programme\Microsoft ActiveSync\WCESMgr.exe" = C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- File not found
"C:\Programme\Windows Live\Messenger\wlcsdk.exe" = C:\Programme\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Programme\eMule\emule.exe" = C:\Programme\eMule\emule.exe:*:Enabled:eMule -- File not found
"D:\eMule\emule.exe" = D:\eMule\emule.exe:*:Enabled:eMule -- (hxxp://www.emule-project.net)
"C:\Programme\Microsoft ActiveSync\rapimgr.exe" = C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- File not found
"C:\Programme\Microsoft ActiveSync\wcescomm.exe" = C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- File not found
"C:\Programme\Microsoft ActiveSync\WCESMgr.exe" = C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- File not found
"C:\Programme\Windows Live\Messenger\wlcsdk.exe" = C:\Programme\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{14B1BDB4-D544-4915-9D98-11BD8E197DF9}" = ZyXEL G-302 v3 Utility
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1ED6E4D0-8DB0-A333-DEA6-188F957F5A43}" = Catalyst Control Center Graphics Light
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{221E5BB1-E4B5-485A-A74B-5D4D5BF21E62}" = Motorola Driver Installation 3.8.0
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D
"{31CF6C0E-51F0-41D2-B088-A6A143C4303C}" = SweetIM Toolbar for Internet Explorer 3.6
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{407E0CBD-D6BF-F243-6DE9-F1EEA525BA1C}" = Catalyst Control Center Graphics Full Existing
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{5EC634FA-5047-38B2-A53A-15963D9BD872}" = CCC Help English
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{651AFCC8-2F1A-8132-0A33-FA5F041380BA}" = Catalyst Control Center Graphics Full New
"{6675DEA5-3B2E-4528-B2B6-E2511AC1CB76}" = Lernspaß kompakt Mathe 4
"{69EF33D7-3425-1409-0BE1-C4F3A6FB57A8}" = ccc-utility
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7510EF8C-99B9-8533-524E-BF41BDC04188}" = Skins
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{773040E1-3B60-6507-C387-71F8F0A03C59}" = ccc-core-static
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{922D9CCA-4317-425F-9AA5-94829DF8BA6D}" = Motorola Software Update
"{92DEC792-A722-5991-2607-3EE3A4BD502B}" = Catalyst Control Center HydraVision Full
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96793032-8651-805A-67EF-E1759C1A8E3D}" = Catalyst Control Center Graphics Previews Common
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1031-7B44-A92000000001}" = Adobe Reader 9.2 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B094F70F-2CC2-5062-8534-D3830FC4B018}" = Catalyst Control Center Core Implementation
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2C284D2-6BD7-3B34-B0C5-B2CAED168DF7}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DEU
"{C314CE45-3392-3B73-B4E1-139CD41CA933}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DEU
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{CA42C38C-B369-B190-AD06-76D3AC95CFAC}" = ccc-core-preinstall
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCD90636-D97D-4130-A44A-3AD4E63B9220}" = OpenOffice.org 2.4
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF6F459C-8B89-4F88-B63F-A2E136BB6B79}" = SweetIM for Messenger 2.8
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EDDDC607-91D9-4758-9F57-265FDCD8A772}" = Microsoft Works 7.0
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F49FEF83-45CA-4CE8-8304-A7372BA07AA9}" = Motorola Phone Tools
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"ATITool" = ATITool Overclocking Utility
"AvantBrowser" = Avant Browser (remove only)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner (remove only)
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.52.2
"Defraggler" = Defraggler
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"eMule" = eMule
"Google Chrome" = Google Chrome
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Ikuru in Lolopolis 3" = Ikuru in Lolopolis 3
"Magic Drops" = Magic Drops
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Matic_is1" = PC Matic 1.0.0.0
"PhotoScape" = PhotoScape
"Picasa 3" = Picasa 3
"Purgatio Pro_is1" = Purgatio Pro
"QuickTime" = QuickTime
"RAM Defrag" = RAM Defrag
"Rossmann Fotoservice_is1" = Rossmann Fotoservice 2.6
"Security Task Manager" = Security Task Manager 1.7h
"Ulead Photo Express 3.0 SE" = Ulead Photo Express 3.0 SE
"VIA Vinyl Audio Codecs Driver Setup Program" = VIA Vinyl Audio Codecs Driver Setup Program
"VIA/S3G UniChrome Family Win2K/XP/Server2003 Display" = VIA/S3G Display Driver
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
"Yahoo! Companion" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 31.01.2010 08:49:13 | Computer Name = BÄRCHEN | Source = Google Update | ID = 20
Description =

Error - 01.02.2010 07:12:03 | Computer Name = BÄRCHEN | Source = crypt32 | ID = 131080
Description = Der automatische Aktualisierungsabruf der Drittanbieterstammlisten-Sequenznummer
von <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
ist fehlgeschlagen mit dem Fehler: Dieser Vorgang wurde wegen Zeitüberschreitung
zurückgegeben. .

Error - 05.02.2010 07:37:25 | Computer Name = BÄRCHEN | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung avant.exe, Version 11.7.0.43, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 05.02.2010 12:12:46 | Computer Name = BÄRCHEN | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 06.02.2010 13:49:05 | Computer Name = BÄRCHEN | Source = Google Update | ID = 20
Description =

Error - 19.02.2010 07:39:42 | Computer Name = BÄRCHEN | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung wiaacmgr.exe, Version 5.1.2600.5512, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 19.02.2010 07:39:51 | Computer Name = BÄRCHEN | Source = Application Hang | ID = 1001
Description = Fehlerhafter Speicherbereich 742196624.

Error - 19.02.2010 18:00:21 | Computer Name = BÄRCHEN | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung avant.exe, Version 11.7.0.46, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 20.02.2010 14:52:23 | Computer Name = BÄRCHEN | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung G-302v3.exe, Version 0.0.0.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

Error - 23.02.2010 14:16:04 | Computer Name = BÄRCHEN | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung G-302v3.exe, Version 0.0.0.0, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.

[ System Events ]
Error - 29.03.2010 04:05:31 | Computer Name = BÄRCHEN | Source = SideBySide | ID = 16842811
Description = Generate Activation Context ist für C:\DOKUME~1\Mama\LOKALE~1\Temp\RarSFX0\redist.dll
fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .

Error - 29.03.2010 04:05:49 | Computer Name = BÄRCHEN | Source = SideBySide | ID = 16842784
Description = Abhängige Assemblierung "Microsoft.VC90.CRT" konnte nicht gefunden
werden. "Last Error": Die referenzierte Assemblierung ist nicht auf dem Computer
installiert.

Error - 29.03.2010 04:05:49 | Computer Name = BÄRCHEN | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly ist für Microsoft.VC90.CRT fehlgeschlagen.
Referenzfehlermeldung:
Die referenzierte Assemblierung ist nicht auf dem Computer installiert. .

Error - 29.03.2010 04:05:49 | Computer Name = BÄRCHEN | Source = SideBySide | ID = 16842811
Description = Generate Activation Context ist für C:\DOKUME~1\Mama\LOKALE~1\Temp\RarSFX0\redist.dll
fehlgeschlagen. Referenzfehlermeldung: Der Vorgang wurde erfolgreich beendet. .

Error - 29.03.2010 12:28:50 | Computer Name = BÄRCHEN | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Lavasoft Ad-Aware Service" wurde unerwartet beendet. Dies
ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 5000 Millisekunden
durchgeführt: Starten Sie den Dienst neu..

Error - 29.03.2010 12:29:04 | Computer Name = BÄRCHEN | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Windows Defender" wurde unerwartet beendet. Dies ist bereits
1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 15000 Millisekunden durchgeführt:
Starten Sie den Dienst neu..

Error - 29.03.2010 12:30:18 | Computer Name = BÄRCHEN | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Lavasoft Ad-Aware Service" wurde unerwartet beendet. Dies
ist bereits 2 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 5000 Millisekunden
durchgeführt: Starten Sie den Dienst neu..

Error - 29.03.2010 12:30:37 | Computer Name = BÄRCHEN | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Avira AntiVir Planer" wurde unerwartet beendet. Dies ist
bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 0 Millisekunden
durchgeführt: Starten Sie den Dienst neu..

Error - 29.03.2010 12:30:44 | Computer Name = BÄRCHEN | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Avira AntiVir Guard" wurde unerwartet beendet. Dies ist
bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 0 Millisekunden
durchgeführt: Starten Sie den Dienst neu..

Error - 29.03.2010 12:30:57 | Computer Name = BÄRCHEN | Source = Service Control Manager | ID = 7034
Description = Dienst "Lavasoft Ad-Aware Service" wurde unerwartet beendet. Dies
ist bereits 3 Mal passiert.


< End of report >
__________________

Alt 30.03.2010, 16:04   #4
Chris4You
 

Hi,

also post the MAM report...

Please check the following files:

Have the files checked online:
  • Go to the VirusTotal site, click the "Browse" button and locate the following file(s):
Code:
C:\WINDOWS\System32\lsdelete.exe
C:\WINDOWS\System32\fjhdyfhsn.bat
C:\WINDOWS\System32\GkSui20.EXE

  • Now upload each file one after the other and wait until the scan is finished (can take up to 2 minutes).
  • Then post the result of the analysis: copy everything and paste it into a reply.
  • Important: copy the file size and the hash as well!
  • Double-click OTL.exe to run the program.
  • Vista/Win7 users: please start it via right-click and "Run as administrator".
  • Copy the entire contents of the following code box into the OTL box under "Custom Scan/Fixes"
Code:
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60280
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60280
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ask.com/?o=15709&l=dis
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - Startup: C:\Dokumente und Einstellungen\Mama\Startmenü\Programme\Autostart\syspck32.exe ()
[2010.03.28 13:47:10 | 000,000,126 | ---- | M] () -- C:\WINDOWS\System32\fjhdyfhsn.bat

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = dword:0x00

:Commands
[emptytemp]
[Reboot]

  • Click the red Run Fixes! button.
  • Please copy everything out of the results window (Results).
  • A copy of the OTL fix log is saved as a text file in the following folder:
  • %systemroot%\_OTL

OSAM
Follow the instructions here ( http://www.trojaner-board.de/84180-anleitung-osam-autorun-manager.html ) to create a log and post it here in your thread.

chris
__________________
Don't bring me down
Read before posting!
Donations
(Anyone who wants to donate is welcome to get in touch)
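
A triage helper for the OTL "files created" section that Chris4You is reading here, added as an example and not part of this thread or of OTL itself: it parses lines in OTL's own log format, keeps only executables created shortly before the scan, and flags the same two System32 files Chris picked out. The extension set, watched directories, 7-day window and the vowel-ratio name check are assumptions of this example, not OTL rules.

```python
import os
import re
from datetime import datetime, timedelta

# One "file created/modified" line of an OTL log, e.g.
# [2010.03.28 13:47:10 | 000,000,126 | ---- | C] () -- C:\WINDOWS\System32\fjhdyfhsn.bat
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Assumed heuristics: extensions that execute, and directories where a fresh,
# publisher-less file is worth a second look (lower-case, backslash paths).
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr", ".pif"}
WATCH_DIRS = ("\\windows\\", "\\autostart\\", "\\anwendungsdaten\\", "\\application data\\")


def parse_otl_line(line):
    """Return a dict for an OTL file line, or None for any other line."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return {
        "when": datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),   # "000,000,126" -> 126
        "attr": m["attr"],
        "kind": m["kind"],                           # C = created, M = modified
        "company": m["company"].strip(),             # empty when OTL found no publisher
        "path": m["path"].strip(),
    }


def looks_random(stem):
    """Crude gibberish check: at least 8 letters and fewer than a quarter vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25


def triage(log_text, scan_time, max_age_days=7):
    """Map path -> list of reasons for executables touched within max_age_days of the scan."""
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_otl_line(line)
        if rec is None:
            continue
        age = scan_time - rec["when"]
        if not (timedelta(0) <= age <= timedelta(days=max_age_days)):
            continue                                  # outside the recent window
        lower = rec["path"].lower()
        name = lower.rsplit("\\", 1)[-1]              # split on backslash, not os.sep
        stem, ext = os.path.splitext(name)
        if ext not in EXEC_EXT:
            continue
        reasons = []
        if any(d in lower for d in WATCH_DIRS):
            reasons.append("new executable in a system or startup directory")
        if not rec["company"]:
            reasons.append("no publisher recorded by OTL")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if ext in (".bat", ".cmd") and rec["size"] < 1024:
            reasons.append("tiny batch script (< 1 KB)")
        if reasons:
            flagged[rec["path"]] = reasons
    return flagged


# Sample input: six lines copied from the OTL log above plus the report terminator.
SAMPLE_LOG = "\n".join([
    r"[2010.03.29 14:09:11 | 000,262,144 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\ntuser.dat",
    r"[2010.03.28 20:54:08 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\GkSui20.EXE",
    r"[2010.03.28 13:47:10 | 000,000,126 | ---- | C] () -- C:\WINDOWS\System32\fjhdyfhsn.bat",
    r"[2010.03.28 13:47:01 | 000,000,004 | ---- | C] () -- C:\Dokumente und Einstellungen\Mama\Anwendungsdaten\avdrn.dat",
    r"[2008.09.15 14:29:35 | 000,081,920 | ---- | C] () -- C:\WINDOWS\asr3232.dll",
    r"[2006.11.10 15:08:50 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATITool.sys",
    "< End of report >",
])
SCAN_TIME = datetime(2010, 3, 30, 14, 19, 11)   # timestamp of the OTL Extras log above

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, SCAN_TIME).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, only GkSui20.EXE and fjhdyfhsn.bat are reported; the older asr3232.dll and ATITool.sys fall outside the window, and the two .dat files are not executables.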

Alt 30.03.2010, 21:59   #5
Twinnis
 

fjhdyfhsn.bat could not be found


Datei lsdelete.exe empfangen 2010.03.30 17:13:26 (UTC)
Status: Beendet
Ergebnis: 0/42 (0.00%)


Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.50 2010.03.30 -
AhnLab-V3 5.0.0.2 2010.03.30 -
AntiVir 7.10.6.5 2010.03.30 -
Antiy-AVL 2.0.3.7 2010.03.30 -
Authentium 5.2.0.5 2010.03.30 -
Avast 4.8.1351.0 2010.03.30 -
Avast5 5.0.332.0 2010.03.30 -
AVG 9.0.0.787 2010.03.29 -
BitDefender 7.2 2010.03.30 -
CAT-QuickHeal 10.00 2010.03.30 -
ClamAV 0.96.0.0-git 2010.03.30 -
Comodo 4439 2010.03.30 -
DrWeb 5.0.2.03300 2010.03.30 -
eSafe 7.0.17.0 2010.03.28 -
eTrust-Vet 35.2.7396 2010.03.30 -
F-Prot 4.5.1.85 2010.03.29 -
F-Secure 9.0.15370.0 2010.03.30 -
Fortinet 4.0.14.0 2010.03.30 -
GData 19 2010.03.30 -
Ikarus T3.1.1.80.0 2010.03.30 -
Jiangmin 13.0.900 2010.03.30 -
K7AntiVirus 7.10.1004 2010.03.22 -
Kaspersky 7.0.0.125 2010.03.30 -
McAfee 5936 2010.03.30 -
McAfee+Artemis 5936 2010.03.30 -
McAfee-GW-Edition 6.8.5 2010.03.30 -
Microsoft 1.5605 2010.03.30 -
NOD32 4985 2010.03.30 -
Norman 6.04.10 2010.03.30 -
nProtect 2009.1.8.0 2010.03.30 -
Panda 10.0.2.2 2010.03.30 -
PCTools 7.0.3.5 2010.03.30 -
Prevx 3.0 2010.03.30 -
Rising 22.41.01.03 2010.03.30 -
Sophos 4.52.0 2010.03.30 -
Sunbelt 6116 2010.03.30 -
Symantec 20091.2.0.41 2010.03.30 -
TheHacker 6.5.2.0.248 2010.03.30 -
TrendMicro 9.120.0.1004 2010.03.30 -
VBA32 3.12.12.2 2010.03.30 -
ViRobot 2010.3.30.2252 2010.03.30 -
VirusBuster 5.0.27.0 2010.03.30 -

weitere Informationen
File size: 15688 bytes
MD5 : 6dc73e5ca9ca2ae6bbdd29cdbe0ac872
SHA1 : d01670781288097f3b832ea42b5cd20c5f835842
SHA256: c75fe79f4dbd65ad1aadc65ec40d6d0442a6969410cee916837da14e4dc7fe98
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x22F0
timedatestamp.....: 0x496F34AB (Thu Jan 15 14:05:47 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1362 0x1400 5.78 e700c1b5c2353a10b2db729b156207e1
.rdata 0x3000 0x3AC 0x400 4.63 2d47414238d9b93e57a78a157c9d3919
.data 0x4000 0x998 0xA00 3.05 fa1b42f5935800f3f30682d2b1422656
.rsrc 0x5000 0x1B4 0x200 5.09 af5e12250c526d183544eef9776736bc

( 1 imports )

> ntdll.dll: RtlCreateHeap, NtTerminateProcess, RtlFreeHeap, RtlInitUnicodeString, RtlDestroyHeap, NtDisplayString, ZwClose, ZwDelayExecution, memcpy, wcscat, ZwReadFile, wcslen, ZwSetInformationFile, memset, RtlAllocateHeap, ZwDeleteFile, ZwOpenFile, ZwQueryInformationFile, wcscpy, NtQuerySystemTime, _snwprintf, strlen, strcpy, RtlUnicodeStringToAnsiString, ZwCreateFile, RtlTimeToTimeFields, ZwWriteFile, strcat

( 0 exports )

TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 192:22O1JIzcmFGZ4ujHnBaoHmei1Q9sJwF930LyowJL/aMjGwP7PM20e+ebM8JMu74V:sOc5nnBjHVMQ9sJwFiLYJLWwXbHEb
sigcheck: publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: Lavasoft AB
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 9:51 AM 9/4/2009
verified.....: -

PEiD : -
RDS : NSRL Reference Data Set


Datei GkSui20.EXE empfangen 2010.03.30 17:03:12 (UTC)
Status: Beendet
Ergebnis: 1/42 (2.38%)


Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.50 2010.03.30 -
AhnLab-V3 5.0.0.2 2010.03.30 -
AntiVir 7.10.6.5 2010.03.30 -
Antiy-AVL 2.0.3.7 2010.03.30 -
Authentium 5.2.0.5 2010.03.30 -
Avast 4.8.1351.0 2010.03.30 -
Avast5 5.0.332.0 2010.03.30 -
AVG 9.0.0.787 2010.03.29 -
BitDefender 7.2 2010.03.30 -
CAT-QuickHeal 10.00 2010.03.30 -
ClamAV 0.96.0.0-git 2010.03.30 -
Comodo 4439 2010.03.30 -
DrWeb 5.0.2.03300 2010.03.30 -
eSafe 7.0.17.0 2010.03.28 -
eTrust-Vet 35.2.7396 2010.03.30 -
F-Prot 4.5.1.85 2010.03.29 -
F-Secure 9.0.15370.0 2010.03.30 -
Fortinet 4.0.14.0 2010.03.30 -
GData 19 2010.03.30 -
Ikarus T3.1.1.80.0 2010.03.30 -
Jiangmin 13.0.900 2010.03.30 -
K7AntiVirus 7.10.1004 2010.03.22 -
Kaspersky 7.0.0.125 2010.03.30 -
McAfee 5936 2010.03.30 -
McAfee+Artemis 5936 2010.03.30 -
McAfee-GW-Edition 6.8.5 2010.03.30 -
Microsoft 1.5605 2010.03.30 -
NOD32 4985 2010.03.30 -
Norman 6.04.10 2010.03.30 -
nProtect 2009.1.8.0 2010.03.30 -
Panda 10.0.2.2 2010.03.30 -
PCTools 7.0.3.5 2010.03.30 -
Prevx 3.0 2010.03.30 Medium Risk Malware
Rising 22.41.01.03 2010.03.30 -
Sophos 4.52.0 2010.03.30 -
Sunbelt 6116 2010.03.30 -
Symantec 20091.2.0.41 2010.03.30 -
TheHacker 6.5.2.0.248 2010.03.30 -
TrendMicro 9.120.0.1004 2010.03.30 -
VBA32 3.12.12.2 2010.03.30 -
ViRobot 2010.3.30.2252 2010.03.30 -
VirusBuster 5.0.27.0 2010.03.30 -

weitere Informationen
File size: 81920 bytes
MD5 : e62c2677834d1109c30bf639bdec8cd2
SHA1 : 1d8726df904b86d678d341d43e6146aa2dd68e3e
SHA256: d8c2fd0793001ac84703ed3936fea93cd0015709abeffd75ed794637e108070e
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5E2C
timedatestamp.....: 0x44830B5E (Sun Jun 4 18:33:34 2006)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xA533 0xB000 6.30 1bb36452a0363f8b90c8f10d4ac50ad0
.rdata 0xC000 0x1602 0x2000 4.27 486612109f8330319d165d9c2392df5a
.data 0xE000 0x5B90 0x4000 1.96 e9537e95930131efc7da5826d23a0120
.rsrc 0x14000 0x15B0 0x2000 2.81 b29da5a26c3b245c85092353d69abf28

( 0 imports )


( 0 exports )

TrID : File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
ssdeep: 1536:Pz9vBFVWRM4zJOcRaD/TmfDIX7rf2Zlh0Gsat+T:PhvBgX9OcRDDmrf2Zlh4T
sigcheck: publisher....: GkWare e.K.
copyright....: Copyright (c) 1996 - 2006 GkWare e.K.
product......: GkSetup
description..: GkSetup Uninstall Application
original name: GKSUI16.EXE
internal name: GKSUI16
file version.: 2.20.1656
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Prevx Info: hxxp://info.prevx.com/aboutprogramtext.asp?PX5=E7F06630007DD50C4080015E305B13000A5E4A84
PEiD : Armadillo v1.71
CWSandbox: hxxp://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=e62c2677834d1109c30bf639bdec8cd2
RDS : NSRL Reference Data Set
-

All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomizeSearch| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
File move failed. C:\Dokumente und Einstellungen\Mama\Startmenü\Programme\Autostart\syspck32.exe scheduled to be moved on reboot.
C:\WINDOWS\system32\fjhdyfhsn.bat moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"FirstRunDisabled" | dword:0x00 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Florian
->Temp folder emptied: 30159 bytes
->Temporary Internet Files folder emptied: 1803143364 bytes
->Java cache emptied: 268785 bytes
->Flash cache emptied: 146659 bytes

User: LocalService
->Temp folder emptied: 67959 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Mama
->Temp folder emptied: 443323157 bytes
->Temporary Internet Files folder emptied: 83535130 bytes
->Java cache emptied: 6409710 bytes
->Google Chrome cache emptied: 15740097 bytes
->Flash cache emptied: 719 bytes

User: NetworkService
->Temp folder emptied: 2836 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2175588 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 24192 bytes
Windows Temp folder emptied: 5225723 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2.251,00 mb


31.03.2010, 07:20   #6
Chris4You

Hi,

the malware was active, which is why you didn't find it, but OTL did:
Code:
File move failed. C:\Dokumente und Einstellungen\Mama\Startmenü\Programme\Autostart\syspck32.exe scheduled to be moved on reboot.
C:\WINDOWS\system32\fjhdyfhsn.bat moved successfully

Please also post the OSAM log...

Update MAM and run another full scan, post the log.
In addition:
http://www.prevx.com/freescan.asp
If the tool finds something, don't post the log but a screenshot of the window it then displays...

chris

31.03.2010, 10:01   #7
Twinnis

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 09:50:30 on 31.03.2010

OS: Windows XP Home Edition Service Pack 3 (Build 2600)
Default Browser: Avant Force Avant Browser 11.7.0.46

Scanner Settings
Rootkits detection (hidden registry)
Rootkits detection (hidden files)
Retrieve files information
Check Microsoft signatures

Filters
Trusted entries
Empty entries
Hidden registry entries (rootkit activity)
Exclusively opened files
Not found files
Files without detailed information
Existing files
Non-startable services
Non-startable drivers
Active entries
Disabled entries

Risk Name Publisher Full Path Status
Boot Execute
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
|||||| "BootExecute" C:\WINDOWS\system32\lsdelete.exe File found, but it contains no detailed information
Common
%SystemRoot%\Tasks
|||||| "Ad-Aware Update (Daily 1).job" "Lavasoft" C:\Programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe File exists
|||||| "Ad-Aware Update (Daily 2).job" "Lavasoft" C:\Programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe File exists
|||||| "Ad-Aware Update (Daily 3).job" "Lavasoft" C:\Programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe File exists
|||||| "Ad-Aware Update (Daily 4).job" "Lavasoft" C:\Programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe File exists
|||||| "Ad-Aware Update (Weekly).job" "Lavasoft" C:\Programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe File exists
|||| "GoogleUpdateTaskMachineCore.job" "Google Inc." C:\Programme\Google\Update\GoogleUpdate.exe File exists
|||| "GoogleUpdateTaskMachineUA.job" "Google Inc." C:\Programme\Google\Update\GoogleUpdate.exe File exists
|||||| "MP Scheduled Scan.job" "Microsoft Corporation" C:\Programme\Windows Defender\MpCmdRun.exe File exists
Control Panel Objects
%SystemRoot%\system32
|||||| "infocardcpl.cpl" "Microsoft Corporation" C:\WINDOWS\system32\infocardcpl.cpl File exists
|||||| "javacpl.cpl" "Sun Microsystems, Inc." C:\WINDOWS\system32\javacpl.cpl File exists
|||||| "QuickTime.cpl" "Apple Computer, Inc." C:\WINDOWS\system32\QuickTime.cpl File exists
"TWEAKUI.CPL" "Brummelchen@gmx.at" C:\WINDOWS\system32\TWEAKUI.CPL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
|||||| "Avira AntiVir Personal - Free Antivirus " "Avira GmbH" C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl File exists
|||||| "Avira AntiVir Personal – Free Antivirus " "Avira GmbH" C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl File exists
Drivers
HKLM\SYSTEM\CurrentControlSet\Services
|||||| "AEGIS Protocol (IEEE 802.1x) v3.4.5.0" (AegisP) "Meetinghouse Data Communications" C:\WINDOWS\System32\DRIVERS\AegisP.sys File exists
|||||| "ATITool Overclocking Utility" (ATITool) C:\WINDOWS\System32\DRIVERS\ATITool.sys File exists
|||||| "avgio" (avgio) "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\avgio.sys File exists
|||||| "avgntflt" (avgntflt) "Avira GmbH" C:\WINDOWS\System32\DRIVERS\avgntflt.sys File exists
|||||| "avipbb" (avipbb) "Avira GmbH" C:\WINDOWS\System32\DRIVERS\avipbb.sys File exists
|||||| "cpuz132" (cpuz132) "Windows (R) Codename Longhorn DDK provider" C:\WINDOWS\system32\drivers\cpuz132_x32.sys File exists
|||||| "Lbd" (Lbd) "Lavasoft AB" C:\WINDOWS\System32\DRIVERS\Lbd.sys File exists
|||||| "MBAMSwissArmy" (MBAMSwissArmy) "Malwarebytes Corporation" C:\WINDOWS\system32\drivers\mbamswissarmy.sys File exists
|||||| "Motorola USB Modem Driver for MPT" (usbsermpt) "Microsoft Corporation" C:\WINDOWS\System32\DRIVERS\usbsermpt.sys File exists
|| "Odyssey Network Services Miniport" (odysseyIM3) "Funk Software, Inc." C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys File exists
|||||| "PCANDIS5 Protocol Driver" (PCANDIS5) "Printing Communications Assoc., Inc. (PCAUSA)" C:\WINDOWS\system32\PCANDIS5.SYS File exists
"PCIDump" (PCIDump) C:\WINDOWS\system32\drivers\PCIDump.sys File not found
"PDCOMP" (PDCOMP) C:\WINDOWS\system32\drivers\PDCOMP.sys File not found
"PDFRAME" (PDFRAME) C:\WINDOWS\system32\drivers\PDFRAME.sys File not found
"PDRELI" (PDRELI) C:\WINDOWS\system32\drivers\PDRELI.sys File not found
"PDRFRAME" (PDRFRAME) C:\WINDOWS\system32\drivers\PDRFRAME.sys File not found
|||||| "PxHelp20" (PxHelp20) "Sonic Solutions" C:\WINDOWS\System32\Drivers\PxHelp20.sys File exists
|| "SjyPkt" (SjyPkt) "Windows (R) 2000 DDK provider" C:\WINDOWS\System32\Drivers\SjyPkt.sys File exists
|||||| "ssmdrv" (ssmdrv) "Avira GmbH" C:\WINDOWS\System32\DRIVERS\ssmdrv.sys File exists
"WDICA" (WDICA) C:\WINDOWS\system32\drivers\WDICA.sys File not found
Explorer
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
|||||| {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" "Microsoft Corporation" c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install File exists
HKLM\Software\Classes\Folder\shellex\ColumnHandlers
|||||| {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" "Adobe Systems, Inc." C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll File exists
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
HKLM\Software\Classes\Protocols\Filter
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
HKLM\Software\Classes\Protocols\Handler
|||| {828030A1-22C1-4009-854F-8E305202313F} "livecall" "Microsoft Corporation" C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL File exists
|||| {828030A1-22C1-4009-854F-8E305202313F} "msnim" "Microsoft Corporation" C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL File exists
|||||| {03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" "Microsoft Corporation" C:\Programme\Windows Live\Mail\mailcomm.dll File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
|||||| {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} "Microsoft AntiMalware ShellExecuteHook" "Microsoft Corporation" C:\PROGRA~1\WIFD1F~1\MpShHook.dll File exists
|||||| {56F9679E-7826-4C84-81F3-532071A8BCC5} "Windows Desktop Search Namespace Manager" "Microsoft Corporation" C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
|||||| {653DCCC2-13DB-45B2-A389-427885776CFE} "Aktivitäten-Eigenschaftenseite" "Microsoft Corporation" c:\Programme\Microsoft IntelliPoint\ipcplact.dll File exists
|||||| {0563DB41-F538-4B37-A92D-4659049B7766} "CLSID_WLMCMimeFilter" "Microsoft Corporation" C:\Programme\Windows Live\Mail\mailcomm.dll File exists
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" deskpan.dll File not found
|||||| {1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" "Microsoft Corporation" c:\WINDOWS\system32\mscoree.dll File exists
{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682} "IZArc DragDrop Menu" File not found | COM-object registry key not found
{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5} "IZArc Shell Context Menu" File not found | COM-object registry key not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" File not found | COM-object registry key not found
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {20082881-FC36-4E47-9A7A-644C95FF749F} "Schnurlose Eigenschaften" "Microsoft Corporation" c:\Programme\Microsoft IntelliPoint\ipcplwir.dll File exists
|||||| {AF90F543-6A3A-4C1B-8B16-ECEC073E69BE} "Scrollrad-Eigenschaftenseite" "Microsoft Corporation" c:\Programme\Microsoft IntelliPoint\ipcplwhl.dll File exists
|||||| {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\shlext.dll File exists
|||||| {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" File not found | COM-object registry key not found
|||||| {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists
|||||| {5E2121EE-0300-11D4-8D3B-444553540000} "SimpleShlExt Class" "Advanced Micro Devices, Inc." C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll File exists
|||||| {124597D8-850A-41AE-849C-017A4FA99CA2} "Tasten-Eigenschaftenseite" "Microsoft Corporation" c:\Programme\Microsoft IntelliPoint\ipcplbtn.dll File exists
|||||| {13E7F612-F261-4391-BEA2-39DF4F3FA311} "Windows Desktop Search" "Microsoft Corporation" C:\Programme\Windows Desktop Search\msnlExt.dll File exists
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" File not found | COM-object registry key not found
|||||| {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" C:\Programme\WinRAR\rarext.dll File exists
Internet Explorer
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
ITBar7Height "ITBar7Height" File not found | COM-object registry key not found
"ITBar7Layout" File not found | COM-object registry key not found
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
|||| {EF99BD32-C1FB-11D2-892F-0090271D4F88} "Yahoo! Toolbar" "Yahoo! Inc." C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll File exists
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
|||| {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_07"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll File exists
|||| {4F1E5B1A-2A80-42CA-8532-2D05CB959537} "MSN Photo Upload Tool"
hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab "Microsoft® Corporation" C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll File exists
{A27C56D2-3F58-4ABB-AA31-1168EDA6636F} "PCMaticVer Class"
hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab "PC Pitstop" C:\WINDOWS\Downloaded Program Files\PCMaticCtrl.dll File exists
|||||| {166B1BCA-3F9C-11CF-8075-444553540000} "Shockwave ActiveX Control"
hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab "Adobe Systems, Inc." C:\WINDOWS\system32\Adobe\Director\SwDir.dll File exists
|||| {E77F23EB-E7AB-4502-8F37-247DBAF1A147} "Windows Live Hotmail Photo Upload Tool"
hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab "Microsoft® Corporation" C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MsnPUpld.dll File exists
|||| {7FC1B346-83E6-4774-8D20-1A6B09B0E737} "Windows Live Photo Upload Control"
hxxp://schnattchen1975.spaces.live.com/PhotoUpload/MsnPUpld.cab "Microsoft® Corporation" C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MsnPUpld.dll File exists
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}"
hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab File not found | COM-object registry key not found
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
|||| {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} "ClsidExtension" "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll File exists
|||||| {53707962-6F74-2D53-2644-206D7942484F} "ClsidExtension" "Safer Networking Limited" C:\PROGRA~1\SPYBOT~1\SDHelper.dll File exists
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
|||| "Yahoo! Toolbar" "Yahoo! Inc." C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
|||| {02478D38-C3F9-4efb-9B51-7695ECA05670} "&Yahoo! Toolbar Helper" "Yahoo! Inc." C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll File exists
|||||| {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" "Adobe Systems Incorporated" C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll File exists
|||| {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} "SingleInstance Class" "Yahoo! Inc" C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll File exists
|||||| {53707962-6F74-2D53-2644-206D7942484F} "Spybot-S&D IE Protection" "Safer Networking Limited" C:\PROGRA~1\SPYBOT~1\SDHelper.dll File exists
|||| {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "SSVHelper Class" "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_07\bin\ssv.dll File exists
|||||| {9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll File exists
Logon
%AllUsersProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini File exists
"ZyXEL G-302 v3 Utility.lnk" C:\Programme\ZyXEL\G-302v3\G-302v3.exe Shortcut exists | File found, but it contains no detailed information | File exists
%UserProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\Mama\Startmenü\Programme\Autostart\desktop.ini File exists
Services
HKLM\SYSTEM\CurrentControlSet\Services
|||||| ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe File exists
"Anwendungsverwaltung" (AppMgmt) C:\WINDOWS\System32\appmgmts.dll File not found
|||||| "ASP.NET-Zustandsdienst" (aspnet_state) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe File exists
|||||| "ATI Smart" (ATI Smart) C:\WINDOWS\system32\ati2sgag.exe File exists
|||||| "Avira AntiVir Guard" (AntiVirService) "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\avguard.exe File exists
|||||| "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe File exists
Winlogon
HKCU\Control Panel\Desktop
"SCRNSAVE.EXE" C:\WINDOWS\3DMARI~1.SCR File not found
HKCU\Control Panel\IOProcs
"MVB" mvfs32.dll File not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
{c6dc5466-785a-11d2-84d0-00c04fb169f7} "Softwareinstallation" appmgmts.dll

MAM is still running at the moment

31.03.2010, 10:19   #8
Twinnis

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
{c6dc5466-785a-11d2-84d0-00c04fb169f7} "Softwareinstallation" appmgmts.dll File not found

that was still missing just now.

31.03.2010, 10:24   #9
Twinnis

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Datenbank Version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

31.03.2010 10:23:34
mbam-log-2010-03-31 (10-23-34).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 113529
Laufzeit: 5 Minute(n), 40 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-zix (Trojan.Swizzor) -> No action taken.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Dokumente und Einstellungen\Mama\Anwendungsdaten\avdrn.dat (Malware.Trace) -> No action taken.

31.03.2010, 10:56   #10
Chris4You

Hi,

let MAM clean everything up, those should be leftovers...

What I can't interpret at the moment is this:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
|||||| "BootExecute" C:\WINDOWS\system32\lsdelete.exe File found, but it contains no detailed information

Execution as "BootExecute" is very unusual... it should belong to Lavasoft (Adware)...

Please also post the PrevX log...

chris
__________________
Don't bring me down
Read before posting!
Donate
(Anyone who wants to donate is welcome to get in touch)

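An added check for the BootExecute finding discussed in the post above (example PowerShell written for this page, not code from the thread, from OSAM or from Lavasoft): it lists every BootExecute entry other than the Windows default and reports whether the image exists and who signed it. The entry passed at the end is a constructed sample mirroring the OSAM line; on a live system call the function without arguments to read the real registry value.

```powershell
# Added example (not from the thread): audit the BootExecute value that OSAM flagged.
# smss.exe runs every program listed here in native mode before any service or
# anti-virus guard starts, so a clean system carries only "autocheck autochk *".
# Anything else is worth identifying; a legitimate tool (Chris attributes lsdelete.exe
# to Lavasoft) should at least resolve to an existing, signed file.
$BootExecuteKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$DefaultEntries = @('autocheck autochk *')

function Get-UnexpectedBootExecute {
    param(
        # Defaults to the live registry value (a REG_MULTI_SZ, one program per line)
        [string[]]$Entries = (Get-ItemProperty -Path $BootExecuteKey -Name BootExecute).BootExecute,
        [string[]]$Allowed = $DefaultEntries
    )
    foreach ($entry in $Entries) {
        $trimmed = $entry.Trim()
        if ([string]::IsNullOrEmpty($trimmed) -or $Allowed -contains $trimmed) { continue }

        # First token is the image; bare names are resolved from %SystemRoot%\system32
        $image = ($trimmed -split '\s+')[0]
        if (-not [IO.Path]::IsPathRooted($image)) {
            $image = Join-Path $env:SystemRoot "system32\$image"
        }
        if (-not [IO.Path]::HasExtension($image)) { $image += '.exe' }

        $exists = Test-Path -LiteralPath $image
        $status = 'FileMissing'
        $signer = $null
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $image
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Entry     = $trimmed
            Image     = $image
            Exists    = $exists
            Signature = $status
            Signer    = $signer
        }
    }
}

# Constructed sample mirroring the OSAM finding; on a live machine call the
# function without -Entries to read the real value.
Get-UnexpectedBootExecute -Entries @('autocheck autochk *', 'C:\WINDOWS\system32\lsdelete.exe') |
    Format-Table -AutoSize
```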
31.03.2010, 20:22   #11
Twinnis


01.04.2010, 08:00   #12
Chris4You

Hi,

if I see this correctly, nothing found...

Then we are done for now, as long as the computer doesn't act up any more...

Chris

01.04.2010, 08:51   #13
Twinnis

No, the computer isn't acting up any more, it runs perfectly again!!!

Thanks for the help, I couldn't have managed it on my own!!!

Twinnis
