Log Analysis and Evaluation: Where is the virus?

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To remove viruses and trojans, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
31.03.2010, 16:01 | #1

Where is the virus?

Hi folks, I think I have a virus. I often get virus alerts from Avira, but they are always in a different place, so it is hard to find the cause. Also, this morning I could not open Firefox or Internet Explorer. The process for both appeared briefly, but was then killed, or rather disappeared again. After a few deleted viruses and a restart it worked again. Still, Firefox keeps crashing. It did before too. I do not know much about all this. So my question is: how can I find the virus and how do I get rid of it?

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:57:59, on 31.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\Avira\AntiVir Desktop\avshadow.exe
C:\Programme\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lexmark 5400 Series\ezprint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\QuickTime\QTTask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Microsoft IntelliPoint\dpupdchk.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\Msmsgs.exe
C:\Programme\ICQ7.0\ICQ.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\MODI\11.0\mspscan.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\PROGRA~1\GEMEIN~1\MICROS~1\MODI\11.0\MSPVIEW.EXE
C:\PROGRA~1\GEMEIN~1\MICROS~1\MODI\11.0\MSPOCRDC.EXE
C:\Dokumente und Einstellungen\Chris\Desktop\____\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://krisk.bei-uns.de/freunde/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/fuji/defaults/su/*hxxp://www.yahoo.com
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Programme\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Programme\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Programme\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ7.0\ICQ.exe" silent loginmode=4
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Norton Internet Security\comHost.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - The Firebird Project - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12059 bytes
01.04.2010, 10:47 | #2

Where is the virus?

1. http://www.trojaner-board.de/51187-a...i-malware.html
Post the log.

2. http://www.trojaner-board.de/74908-a...t-scanner.html
Post the log.

3. Get OTL. Start OTL. Copy the following into the script field:
Quote:
Close all other programs. Click Quick Scan. Post both logs, OTL.txt and Extras.txt.
01.04.2010, 23:12 | #3

Where is the virus?

So, after GMER was busy for about 6 hours... here is everything you asked for. Hope this helps someone.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Datenbank Version: 3941

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

01.04.2010 14:23:36
mbam-log-2010-04-01 (14-23-36).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 111000
Laufzeit: 11 Minute(n), 53 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 11
Infizierte Registrierungswerte: 2
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 0
Infizierte Dateien: 4

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

_________________________________________________________________

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-01 23:52:07
Windows 5.1.2600 Service Pack 3
Running: whkyldi9.exe; Driver: C:\DOKUME~1\Chris\LOKALE~1\Temp\fgtyipod.sys

---- System - GMER 1.0.15 ----

SSDT F7A601C6 ZwCreateKey
SSDT F7A601BC ZwCreateThread
SSDT F7A601CB ZwDeleteKey
SSDT F7A601D5 ZwDeleteValueKey
SSDT F7A601DA ZwLoadKey
SSDT F7A601A8 ZwOpenProcess
SSDT F7A601AD ZwOpenThread
SSDT F7A601E4 ZwReplaceKey
SSDT F7A601DF ZwRestoreKey
SSDT F7A601D0 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

? qshkhsg.sys Das System kann die angegebene Datei nicht finden. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB98BB360, 0x20FDBD, 0xE8000020]
.text C:\WINDOWS\system32\drivers\SSHDRV82.sys section is writeable [0xB6D1D000, 0x230A4, 0xE8000020]
.pklstb C:\WINDOWS\system32\drivers\SSHDRV82.sys entry point in ".pklstb" section [0xB6D4F000]
.relo2 C:\WINDOWS\system32\drivers\SSHDRV82.sys unknown last section [0xB6D65000, 0x8A, 0x42000040]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \Driver\usbstor \Device\0000008e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\0000008f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prodrv06 \Device\ProDrv06 E1D9CC30
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-22 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E1016DC0
Device \Driver\usbstor \Device\00000090 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000091 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000092 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000086 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000099 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\0000008d sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

---- EOF - GMER 1.0.15 ----

_________________________________________________________________

OTL logfile created on: 01.04.2010 14:31:59 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Dokumente und Einstellungen\Chris\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 71,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 149,05 Gb Total Space | 74,05 Gb Free Space | 49,68% Space Free | Partition Type: NTFS
Drive D: | 149,05 Gb Total Space | 148,62 Gb Free Space | 99,71% Space Free | Partition Type: NTFS
Drive E: | 489,37 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHRISTIAN
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010.04.01 13:36:13 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Chris\Desktop\OTL.exe
PRC - [2010.03.28 14:39:17 | 000,133,368 | ---- | M] (ICQ, LLC.) -- C:\Programme\ICQ7.0\ICQ.exe
PRC - [2010.03.16 15:36:29 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2010.03.02 10:28:23 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010.02.24 09:28:01 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2010.01.14 21:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009.07.09 12:22:18 | 000,144,712 | ---- | M] (Apple Inc.) -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008.10.19 15:30:02 | 000,222,456 | ---- | M] () -- C:\Programme\ICQ6Toolbar\ICQ Service.exe
PRC - [2008.06.10 04:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008.04.14 04:22:45 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008.03.01 17:17:44 | 001,251,720 | ---- | M] () -- C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2008.01.29 18:38:32 | 000,583,048 | ---- | M] (Symantec Corporation) -- C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
PRC - [2007.09.26 10:53:56 | 000,554,352 | ---- | M] (Symantec Corporation) -- C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2007.08.31 21:13:41 | 000,988,584 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft IntelliType Pro\itype.exe
PRC - [2007.08.31 20:58:50 | 000,357,800 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft IntelliPoint\dpupdchk.exe
PRC - [2006.07.13 19:27:16 | 000,528,384 | ---- | M] ( ) -- C:\WINDOWS\system32\lxctcoms.exe
PRC - [2006.06.07 05:05:20 | 000,098,304 | ---- | M] (Lexmark International Inc.) -- C:\Programme\Lexmark 5400 Series\ezprint.exe
PRC - [2006.02.14 17:19:18 | 000,086,016 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2006.02.14 17:17:26 | 002,809,856 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
PRC - [2005.10.07 00:25:36 | 000,133,744 | ---- | M] (Symantec Corporation) -- C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
PRC - [2005.09.19 11:24:20 | 000,214,672 | ---- | M] (Symantec Corporation) -- C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
PRC - [2005.09.17 00:27:12 | 000,169,584 | ---- | M] (Symantec Corporation) -- C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
PRC - [2005.09.17 00:27:10 | 000,202,352 | ---- | M] (Symantec Corporation) -- C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
PRC - [2005.09.17 00:27:06 | 000,192,112 | ---- | M] (Symantec Corporation) -- C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
PRC - [2005.09.17 00:27:02 | 000,052,848 | ---- | M] (Symantec Corporation) -- C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
PRC - [2003.06.19 23:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE

========== Modules (SafeList) ==========

MOD - [2010.04.01 13:36:13 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Chris\Desktop\OTL.exe
MOD - [2006.01.05 11:31:00 | 001,466,368 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2006.01.05 11:31:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll
MOD - [2005.09.23 18:38:24 | 000,123,488 | ---- | M] (Symantec Corporation) -- C:\Programme\Gemeinsame Dateien\Symantec Shared\AntiSpam\asOEHook.dll
MOD - [2005.09.17 00:33:36 | 000,377,968 | ---- | M] (Symantec Corporation) -- C:\Programme\Gemeinsame Dateien\Symantec Shared\ccL40.dll
MOD - [2003.03.18 22:14:52 | 000,499,712 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2003.02.21 04:42:22 | 000,348,160 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Ex)
SRV - [2010.03.16 15:36:29 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010.02.24 09:28:01 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009.07.09 12:22:18 | 000,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008.10.19 15:30:02 | 000,222,456 | ---- | M] () [Auto | Running] -- C:\Programme\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2008.03.01 17:17:44 | 001,251,720 | ---- | M] () [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2008.01.29 18:38:32 | 000,583,048 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)
SRV - [2007.09.26 10:53:56 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Programme\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007.09.26 10:53:56 | 000,554,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatisches LiveUpdate - Scheduler)
SRV - [2006.07.13 19:27:16 | 000,528,384 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxctcoms.exe -- (lxct_device)
SRV - [2005.10.22 18:28:54 | 000,045,696 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Programme\Norton Internet Security\comHost.exe -- (comHost)
SRV - [2005.10.17 12:40:30 | 000,072,312 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Programme\Norton Internet Security\ccPwdSvc.exe -- (ccISPwdSvc)
SRV - [2005.10.07 00:25:36 | 000,133,744 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe -- (navapsvc)
SRV - [2005.09.24 16:10:58 | 000,749,696 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Console\NSCSRVCE.EXE -- (NSCService)
SRV - [2005.09.19 11:24:20 | 000,214,672 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005.09.17 00:27:12 | 000,169,584 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005.09.17 00:27:10 | 000,202,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe -- (ccProxy)
SRV - [2005.09.17 00:27:06 | 000,192,112 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005.09.15 16:21:14 | 001,160,800 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2005.08.26 14:22:48 | 000,198,368 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe -- (SAVScan)
SRV - [2005.08.10 13:26:14 | 001,527,900 | ---- | M] (The Firebird Project) [On_Demand | Stopped] -- C:\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)
SRV - [2003.07.28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003.06.19 23:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://google.icq.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://krisk.bei-uns.de/freunde/
IE - HKCU\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {4176DFF4-4698-11DE-BEEB-45DA55D89593}:0.7.4
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.3
FF - prefs.js..extensions.enabledItems: {37fa1426-b82d-11db-8314-0800200c9a66}:2.3.3
FF - prefs.js..keyword.URL: "hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.03.28 14:07:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.03.28 14:07:24 | 000,000,000 | ---D | M]

[2010.03.28 14:08:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Extensions
[2010.04.01 00:05:21 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\rr4oqbvi.default\extensions
[2010.03.30 16:24:29 | 000,000,000 | ---D | M] (Flagfox) -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\rr4oqbvi.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2010.03.28 14:37:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\rr4oqbvi.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.03.30 17:07:52 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\rr4oqbvi.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2010.03.30 11:12:43 | 000,000,000 | ---D | M] (AniWeather) -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\rr4oqbvi.default\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}
[2010.03.30 11:12:42 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\rr4oqbvi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010.03.29 20:39:01 | 000,000,687 | ---- | M] () -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\rr4oqbvi.default\searchplugins\icq-search.xml
[2008.03.31 09:52:00 | 000,000,168 | ---- | M] () -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\rr4oqbvi.default\searchplugins\icqplugin.gif
[2008.03.31 09:52:00 | 000,000,618 | ---- | M] () -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\rr4oqbvi.default\searchplugins\icqplugin.src
[2010.04.01 00:05:21 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2006.12.29 19:55:33 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Programme\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009.03.12 20:08:51 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2010.03.16 20:28:04 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.03.16 20:28:04 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.03.16 20:28:04 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.03.16 20:28:04 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.03.16 20:28:04 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2004.08.04 14:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (CNisExtBho Class) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
O2 - BHO: (CNavExtBho Class) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Internet Security 2006) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKLM\..\Toolbar: (Norton AntiVirus) - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKCU\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Internet Security 2006) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton AntiVirus) - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [EzPrint] C:\Programme\Lexmark 5400 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [IS CfgWiz] C:\Programme\Norton Internet Security\cfgwiz.exe (Symantec Corporation)
O4 - HKLM..\Run: [itype] C:\Programme\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Lexmark 5400 Series Fax Server] C:\Programme\Lexmark 5400 Series\fm3032.exe ()
O4 - HKLM..\Run: [LXCTCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.DLL (Lexmark International Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe (Symantec Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation) O4 - HKLM..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] C:\WINDOWS\System32\HdAShCut.exe (Windows (R) Server 2003 DDK provider) O4 - HKCU..\Run: [ICQ] C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.) O4 - HKCU..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe (Yahoo! Inc.) O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.) O9 - Extra Button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.) O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YPager.exe (Yahoo! Inc.) O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YPager.exe (Yahoo! Inc.) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.) 
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - 
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.03.30 20:51:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2005.09.28 18:42:30 | 000,000,025 | R--- | M] () - E:\autorun.inf -- [ CDFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: Ias - C:\WINDOWS\system32\ias [2008.05.31 20:19:30 | 000,000,000 | ---D | M] NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation) NetSvcs: WmdmPmSp - File not found NetSvcs: SSHNAS - File not found CREATERESTOREPOINT Restore point Set: OTL Restore Point (16891835792228352) ========== Files/Folders - Created Within 14 Days ========== [2010.04.01 14:30:18 | 000,000,000 | ---D | C] -- C:\_OTL [2010.04.01 13:38:58 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Malwarebytes 
[2010.04.01 13:38:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010.04.01 13:38:38 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes [2010.04.01 13:38:37 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010.04.01 13:38:36 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware [2010.04.01 13:36:01 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Chris\Desktop\OTL.exe [2010.03.31 15:46:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch [2010.03.31 14:58:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas [2010.03.31 14:58:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de [2010.03.31 14:58:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits [2010.03.31 14:53:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic [2010.03.31 14:48:54 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$ [2010.03.31 14:48:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome [2010.03.31 14:39:46 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\Chris\PrivacIE [2010.03.31 14:37:39 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\Chris\IETldCache [2010.03.31 14:34:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates [2010.03.31 14:33:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM [2010.03.31 14:32:18 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8 [2010.03.31 14:32:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE [2010.03.31 12:17:15 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Symantec [2010.03.31 11:08:09 | 000,000,000 | ---D | C] -- C:\Programme\Norton Internet Security [2010.03.31 11:05:14 | 000,108,168 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS [2010.03.31 11:05:14 | 000,087,768 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL [2010.03.31 
10:23:08 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Avira [2010.03.28 13:42:03 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Avira [2010.03.28 13:41:22 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys [2010.03.28 13:41:22 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys [2010.03.28 13:41:22 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys [2010.03.28 13:41:21 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira [2010.03.27 18:39:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SecTaskMan [2010.03.27 18:39:21 | 000,000,000 | ---D | C] -- C:\Programme\Security Task Manager [2010.03.27 13:44:35 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Uniblue [2010.03.20 00:49:30 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Chris\Eigene Dateien\iMacros [2010.02.06 15:34:35 | 608,744,450 | ---- | C] (Macrovision Corporation) -- C:\Programme\WarRock20081102.exe [2009.12.17 17:42:03 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Microsoft [2009.09.17 18:36:31 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Adobe [2009.06.26 18:30:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft [2009.04.15 12:14:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Apple [2008.08.03 11:11:03 | 025,842,736 | ---- | C] (Microsoft Corporation) -- C:\Programme\wmp11-windowsxp-x86-DE-DE.exe [2008.08.01 15:18:25 | 002,268,448 | ---- | C] (www.orbitdownloader.com ) -- C:\Programme\OrbitDownloaderSetup272.exe [2007.09.06 17:08:38 | 000,409,600 | ---- | C] ( ) -- 
C:\WINDOWS\System32\lxctinpa.dll [2007.09.06 17:08:38 | 000,393,216 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctiesc.dll [2007.09.06 17:08:37 | 001,187,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctserv.dll [2007.09.06 17:08:37 | 000,983,040 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctusb1.dll [2007.09.06 17:08:37 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctpmui.dll [2007.09.06 17:08:37 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctprox.dll [2007.09.06 17:08:37 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctpplc.dll [2007.09.06 17:08:36 | 000,528,384 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctlmpm.dll [2007.09.06 17:08:35 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcthbn3.dll [2007.09.06 17:08:34 | 000,667,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctcomc.dll [2007.09.06 17:08:34 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctcomm.dll [2006.03.30 20:53:42 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Microsoft [2006.03.30 20:53:42 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft [25 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [21 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 14 Days ========== [2010.04.01 14:25:44 | 000,039,472 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml [2010.04.01 14:25:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010.04.01 14:25:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010.04.01 14:25:26 | 2146,816,000 | -HS- | M] () -- C:\hiberfil.sys [2010.04.01 14:24:33 | 006,029,312 | -H-- | M] () -- C:\Dokumente und Einstellungen\Chris\NTUSER.DAT [2010.04.01 14:24:33 | 000,000,300 | -HS- | M] () -- C:\Dokumente und Einstellungen\Chris\ntuser.ini [2010.04.01 13:40:37 | 000,293,376 | ---- | M] () -- C:\Dokumente und Einstellungen\Chris\Desktop\whkyldi9.exe [2010.04.01 13:38:47 | 000,000,682 
| ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010.04.01 13:36:13 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Chris\Desktop\OTL.exe [2010.04.01 11:06:00 | 000,918,946 | ---- | M] () -- C:\Dokumente und Einstellungen\Chris\Eigene Dateien\Patellofernorales Gelenk.tif [2010.03.31 17:26:34 | 000,944,398 | ---- | M] () -- C:\Dokumente und Einstellungen\Chris\Eigene Dateien\fast immer ein.tif [2010.03.31 16:23:39 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010.03.31 16:21:17 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010.03.31 15:48:59 | 000,466,000 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat [2010.03.31 15:48:59 | 000,446,940 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010.03.31 15:48:59 | 000,087,302 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat [2010.03.31 15:48:59 | 000,073,552 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010.03.31 15:48:56 | 001,088,486 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010.03.31 15:45:20 | 000,192,184 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010.03.31 14:53:01 | 000,251,712 | RHS- | M] () -- C:\ntldr [2010.03.31 14:13:59 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2010.03.31 13:40:31 | 000,699,222 | ---- | M] () -- C:\Dokumente und Einstellungen\Chris\Eigene Dateien\Spezieller Teil.tif [2010.03.31 12:14:01 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2010.03.31 11:19:37 | 000,020,365 | ---- | M] () -- C:\WINDOWS\System32\LexFiles.ulf [2010.03.31 11:13:58 | 000,001,857 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Norton Internet Security.lnk [2010.03.29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010.03.29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010.03.29 11:21:08 | 
000,066,593 | ---- | M] () -- C:\Dokumente und Einstellungen\Chris\Eigene Dateien\29-03-2010 11;20;48.rtf [2010.03.28 14:07:30 | 000,001,572 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Mozilla Firefox.lnk [2010.03.28 13:41:32 | 000,001,677 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Avira AntiVir Control Center.lnk [2010.03.27 18:30:12 | 000,027,648 | ---- | M] () -- C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [25 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [21 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2010.04.01 13:40:33 | 000,293,376 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Desktop\whkyldi9.exe [2010.04.01 13:38:47 | 000,000,682 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010.04.01 11:06:00 | 000,918,946 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Eigene Dateien\Patellofernorales Gelenk.tif [2010.03.31 17:26:34 | 000,944,398 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Eigene Dateien\fast immer ein.tif [2010.03.31 13:40:31 | 000,699,222 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Eigene Dateien\Spezieller Teil.tif [2010.03.31 11:13:58 | 000,001,857 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Norton Internet Security.lnk [2010.03.29 11:21:07 | 000,066,593 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Eigene Dateien\29-03-2010 11;20;48.rtf [2010.03.28 14:07:30 | 000,001,572 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Mozilla Firefox.lnk [2010.03.28 13:41:32 | 000,001,677 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Avira AntiVir Control Center.lnk [2010.01.24 01:00:25 | 000,307,200 | ---- | C] () -- C:\WINDOWS\System32\AscSQLite.dll [2009.11.07 11:01:12 | 000,076,288 | ---- | C] () -- 
C:\WINDOWS\System32\drivers\SSHDRV82.sys [2009.06.11 20:33:19 | 000,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll [2009.05.30 11:12:08 | 000,000,058 | ---- | C] () -- C:\WINDOWS\nfsc_patch.ini [2009.04.03 20:28:36 | 000,313,542 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Anwendungsdaten\oyqea_nav.dat [2009.04.03 20:28:36 | 000,002,988 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Anwendungsdaten\oyqea.dat [2009.04.03 20:28:36 | 000,000,677 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Anwendungsdaten\oyqea_navps.dat [2009.03.14 12:55:26 | 000,000,092 | ---- | C] () -- C:\WINDOWS\QTW.INI [2008.09.06 18:38:08 | 000,000,162 | -H-- | C] () -- C:\Programme\~$mbatarms.ext [2008.08.09 16:03:33 | 000,105,984 | ---- | C] () -- C:\WINDOWS\System32\c_dll.dll [2008.06.13 20:51:16 | 000,008,624 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LUUnInstall.LiveUpdate [2008.03.11 20:53:31 | 000,000,032 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat [2007.12.21 14:47:14 | 000,159,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys [2007.09.06 17:20:10 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxctvs.dll [2007.09.06 17:20:06 | 000,335,872 | ---- | C] () -- C:\WINDOWS\System32\lxctcoin.dll [2007.09.06 17:19:41 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxctdrs.dll [2007.09.06 17:19:41 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxctcaps.dll [2007.09.06 17:19:41 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxctcnv4.dll [2007.09.06 17:19:13 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxctpmon.dll [2007.09.06 17:19:13 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXCTFXPU.DLL [2007.09.06 17:19:13 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\lxctpmrc.dll [2007.09.06 17:08:38 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\LXCTinst.dll [2007.09.06 
17:08:35 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\lxctgrd.dll [2007.04.22 12:11:35 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI [2007.02.16 16:21:59 | 000,027,648 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2006.12.05 08:18:56 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\cygz.dll [2006.10.22 20:13:24 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll [2006.08.03 11:27:36 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\xmltok.dll [2006.08.03 11:27:36 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\xmlparse.dll [2006.07.20 22:07:50 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\PhysXLoader.dll [2006.07.10 18:54:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll [2006.07.10 18:54:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll [2006.07.10 18:54:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll [2006.07.10 18:54:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll [2006.07.10 18:54:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll [2006.07.10 18:54:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll [2006.07.10 18:54:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll [2006.07.10 18:54:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll [2006.07.10 18:54:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll [2006.06.14 12:11:07 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI [2006.05.15 16:16:52 | 000,000,340 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\wklnhst.dat [2006.04.20 21:07:57 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2006.04.10 11:53:55 | 000,000,138 | ---- | C] () -- C:\Dokumente und Einstellungen\Chris\Lokale 
Einstellungen\Anwendungsdaten\fusioncache.dat [2006.03.30 21:50:56 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2006.03.30 21:42:00 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll [2006.03.30 21:42:00 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll [2006.03.30 21:42:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll [2006.03.30 21:42:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll [2006.03.30 21:42:00 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll [2006.03.30 21:42:00 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll [2006.03.30 21:41:41 | 000,000,180 | ---- | C] () -- C:\WINDOWS\Option.ini [2006.03.30 21:41:29 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2006.03.30 21:37:48 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll [2006.03.30 21:35:56 | 000,002,856 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini [2006.03.30 21:28:27 | 000,000,849 | ---- | C] () -- C:\WINDOWS\orun32.ini [2006.03.30 20:54:16 | 000,000,778 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2006.03.30 20:49:44 | 000,003,776 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2006.03.30 13:59:52 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll [2006.03.30 13:59:52 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll [2006.03.30 13:59:51 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll [2006.03.30 13:59:51 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll [2006.03.30 13:59:50 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll [2003.02.20 17:53:42 | 000,005,702 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI [1996.04.03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys ========== LOP Check ========== [2007.09.06 17:19:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\5400 Series [2008.07.12 18:09:51 | 000,000,000 | ---D | M] 
-- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CDKeycreate [2009.03.12 20:09:09 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ICQ [2006.03.30 21:38:11 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MAGIX [2007.11.10 14:24:39 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MSScanAppDataDir [2008.12.17 19:19:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NexonEU [2008.09.06 20:24:38 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NexonUS [2010.03.31 09:15:04 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SecTaskMan [2006.04.20 21:13:34 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\T-Online [2008.09.09 15:37:23 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TechSmith [2010.01.29 15:20:41 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TrackMania [2009.09.26 09:13:04 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ubisoft [2009.04.03 22:38:24 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3} [2009.04.20 15:52:59 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} [2007.09.06 17:33:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\5400 Series [2009.10.29 20:10:58 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Ascaron Entertainment [2009.06.11 19:57:11 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Audacity [2010.01.10 13:21:17 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\CasaPortale.de 
[2008.04.14 12:13:49 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\EverAd [2008.08.01 15:19:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\GrabPro [2010.04.01 09:00:43 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\ICQ [2006.12.27 22:07:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\ICQ Toolbar [2006.12.27 22:06:29 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\ICQLite [2006.05.15 16:12:42 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\InterVideo [2006.05.09 17:01:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\MAGIX [2008.09.15 09:15:18 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Orbit [2010.01.10 13:18:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\SQLyog [2008.07.14 16:28:15 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\TeamViewer [2006.05.15 16:53:28 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Template [2010.03.27 13:44:35 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Chris\Anwendungsdaten\Uniblue ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > [2001.05.24 12:59:30 | 000,162,304 | ---- | M] () -- C:\UNWISE.EXE < MD5 for: AGP440.SYS > [2004.08.04 14:00:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys [2010.03.31 14:48:51 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys [2004.08.04 14:00:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys [2010.03.31 14:48:51 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys [2010.03.31 14:48:51 | 023,898,261 | ---- | M] 
() .cab file -- C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\sp3.cab:AGP440.sys [2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\agp440.sys [2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys [2004.08.04 14:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys < MD5 for: ATAPI.SYS > [2004.08.04 14:00:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2010.03.31 14:48:51 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2004.08.04 14:00:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys [2010.03.31 14:48:51 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2010.03.31 14:48:51 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\sp3.cab:atapi.sys [2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\atapi.sys [2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys [2004.08.04 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- 
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
< MD5 for: EVENTLOG.DLL >
[2008.04.14 04:22:10 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008.04.14 04:22:10 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\eventlog.dll
[2008.04.14 04:22:10 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\system32\eventlog.dll
[2004.08.04 14:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=B932C077D5A65B71B4512544AC404CB4 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
< MD5 for: IASTOR.SYS >
[2004.09.26 15:24:54 | 000,477,952 | ---- | M] (Intel Corporation) MD5=DD19FDD8BB262F64A11C50CC23FC6F70 -- C:\WINDOWS\OEM\iaStor\iaStor.sys
< MD5 for: NETLOGON.DLL >
[2008.04.14 04:22:19 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008.04.14 04:22:19 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\netlogon.dll
[2008.04.14 04:22:19 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\system32\netlogon.dll
[2004.08.04 14:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=D27395EDCD3416AFD125A9370DCB585C -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009.02.06 20:46:10 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=ED4BBAD725A21632FB205452749FC8F5 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009.02.06 20:46:10 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=ED4BBAD725A21632FB205452749FC8F5 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
< MD5 for: NVATABUS.SYS >
[2004.09.02 09:24:38 | 000,082,816 | ---- | M] (NVIDIA Corporation) MD5=EEABD98AA887DD923546F20D400B2907 -- C:\WINDOWS\OEM\nvatabus\nvatabus.sys
< MD5 for: NVRAID.SYS >
[2004.09.02 09:24:40 | 000,067,968 | ---- | M] (NVIDIA Corporation) MD5=DF8D51C884B93A0D3BEAAAFAC485D6A3 -- C:\WINDOWS\OEM\nvraid\nvraid.sys
< MD5 for: SCECLI.DLL >
[2008.04.14 04:22:23 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008.04.14 04:22:23 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\scecli.dll
[2008.04.14 04:22:23 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\system32\scecli.dll
[2004.08.04 14:00:00 | 000,186,880 | ---- | M] (Microsoft Corporation) MD5=64DC26B3CF7BCCAD431CE360A4C625D5 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
< MD5 for: VIAMRAID.SYS >
[2004.05.18 15:55:26 | 000,074,112 | ---- | M] (VIA Technologies inc,.ltd) MD5=F199939205DCCC7836AE5AB8B5DD5E83 -- C:\WINDOWS\OEM\viapdsk\viamraid.sys
< %systemroot%\*. /mp /s >
< %systemroot%\system32\*.dll /lockedfiles >
[21 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< %systemroot%\Tasks\*.job /lockedfiles >
< %systemroot%\system32\drivers\*.sys /lockedfiles >
< %systemroot%\System32\config\*.sav >
[2008.05.31 20:25:14 | 000,524,288 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008.05.31 14:09:20 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2008.05.31 20:25:14 | 023,068,672 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008.05.31 20:25:14 | 004,194,304 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >
01.04.2010, 23:14 | #4 |
So, and here is the Extras.txt as well. It didn't fit in the other post any more:

OTL Extras logfile created on: 01.04.2010 14:31:59 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Dokumente und Einstellungen\Chris\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 71,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 149,05 Gb Total Space | 74,05 Gb Free Space | 49,68% Space Free | Partition Type: NTFS
Drive D: | 149,05 Gb Total Space | 148,62 Gb Free Space | 99,71% Space Free | Partition Type: NTFS
Drive E: | 489,37 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: CHRISTIAN
Current User Name: Chris
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Nexon\Combat Arms EU\CombatArms.exe" = C:\Nexon\Combat Arms EU\CombatArms.exe:*Enabled:CombatArms.exe -- (Nexon)
"C:\Nexon\Combat Arms EU\Engine.exe" = C:\Nexon\Combat Arms EU\Engine.exe:*Enabled:Engine.exe -- (Nexon)
"C:\Programme\ICQ7.0\ICQ.exe" = C:\Programme\ICQ7.0\ICQ.exe:*:Enabled:ICQ7 -- (ICQ, LLC.)
"C:\Programme\ICQ7.0\aolload.exe" = C:\Programme\ICQ7.0\aolload.exe:*:Enabled:aolload.exe -- (AOL LLC)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Nexon\Combat Arms EU\CombatArms.exe" = C:\Nexon\Combat Arms EU\CombatArms.exe:*Enabled:CombatArms.exe -- (Nexon)
"C:\Nexon\Combat Arms EU\Engine.exe" = C:\Nexon\Combat Arms EU\Engine.exe:*Enabled:Engine.exe -- (Nexon)
"C:\Programme\Java\jdk1.6.0_07\jre\bin\java.exe" = C:\Programme\Java\jdk1.6.0_07\jre\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Programme\mIRC\mirc.exe" = C:\Programme\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Nexon\Combat Arms EU\NMService.exe" = C:\Nexon\Combat Arms EU\NMService.exe:*:Enabled:Nexon Messenger Core -- (Nexon Corp.)
"C:\Programme\die-staemme-lan\dslan_v1.12\mysql\bin\mysqld.exe" = C:\Programme\die-staemme-lan\dslan_v1.12\mysql\bin\mysqld.exe:*:Enabled:mysqld -- ()
"C:\Programme\die-staemme-lan\dslan_v1.12\apache\bin\apache.exe" = C:\Programme\die-staemme-lan\dslan_v1.12\apache\bin\apache.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\Programme\die-staemme-lan\dslan_v1.3\apache\bin\apache.exe" = C:\Programme\die-staemme-lan\dslan_v1.3\apache\bin\apache.exe:*isabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\Programme\die-staemme-lan\dslan_v1.3\mysql\bin\mysqld.exe" = C:\Programme\die-staemme-lan\dslan_v1.3\mysql\bin\mysqld.exe:*:Enabled:mysqld -- ()
"C:\Programme\die-staemme-lan\AiOn 0.4\apache\bin\apache.exe" = C:\Programme\die-staemme-lan\AiOn 0.4\apache\bin\apache.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\Programme\die-staemme-lan\AiOn 0.4\mysql\bin\mysqld.exe" = C:\Programme\die-staemme-lan\AiOn 0.4\mysql\bin\mysqld.exe:*:Enabled:mysqld -- ()
"C:\Programme\ICQ6.5\ICQ.exe" = C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ -- (ICQ, LLC.)
"C:\Programme\iTunes\iTunes.exe" = C:\Programme\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Programme\TmNationsForever\TmForever.exe" = C:\Programme\TmNationsForever\TmForever.exe:*:Enabled:TmForever -- ()
"C:\Programme\Ubisoft\Tom Clancy's Splinter Cell Chaos Theory\Versus\System\SCCT_Versus.ex" = C:\Programme\Ubisoft\Tom Clancy's Splinter Cell Chaos Theory\Versus\System\SCCT_Versus.ex:*:Enabled:SCCT_Versus -- ()
"C:\Programme\Ubisoft\Tom Clancy's Splinter Cell Chaos Theory\System\splintercell3.exe" = C:\Programme\Ubisoft\Tom Clancy's Splinter Cell Chaos Theory\System\splintercell3.exe:*:Enabled:splintercell3 -- ()
"C:\Programme\devolo\informer\devinf.exe" = C:\Programme\devolo\informer\devinf.exe:*:Enabled:devolo Informer -- (devolo AG)
"L:\Programme\MySQL\bin\mysqld.exe" = L:\Programme\MySQL\bin\mysqld.exe:*:Enabled:mysqld -- File not found
"C:\Programme\ICQ7.0\ICQ.exe" = C:\Programme\ICQ7.0\ICQ.exe:*:Enabled:ICQ7 -- (ICQ, LLC.)
"C:\Programme\ICQ7.0\aolload.exe" = C:\Programme\ICQ7.0\aolload.exe:*:Enabled:aolload.exe -- (AOL LLC)
"C:\WINDOWS\system32\lxctcoms.exe" = C:\WINDOWS\system32\lxctcoms.exe:*:Enabled:Lexmark Communications System -- ( )

========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 31.03.2010 09:50:35 | Computer Name = CHRISTIAN | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes Modul , Version 0.0.0.0, Fehleradresse 0x00000000.
Error - 31.03.2010 09:51:10 | Computer Name = CHRISTIAN | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes Modul , Version 0.0.0.0, Fehleradresse 0x00000000.
Error - 31.03.2010 09:51:26 | Computer Name = CHRISTIAN | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes Modul , Version 0.0.0.0, Fehleradresse 0x00000000.
Error - 31.03.2010 16:29:49 | Computer Name = CHRISTIAN | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes Modul , Version 0.0.0.0, Fehleradresse 0x00000000.
Error - 01.04.2010 03:14:47 | Computer Name = CHRISTIAN | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes Modul , Version 0.0.0.0, Fehleradresse 0x00000000.
Error - 01.04.2010 03:14:56 | Computer Name = CHRISTIAN | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung drwtsn32.exe, Version 5.1.2600.0, fehlgeschlagenes Modul dbghelp.dll, Version 5.1.2600.5512, Fehleradresse 0x0001295d.
Error - 01.04.2010 07:12:18 | Computer Name = CHRISTIAN | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung MSPVIEW.EXE, Version 11.0.1897.0, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.
Error - 01.04.2010 08:06:38 | Computer Name = CHRISTIAN | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes Modul , Version 0.0.0.0, Fehleradresse 0x00000000.
[ System Events ]
Error - 31.03.2010 03:19:19 | Computer Name = CHRISTIAN | Source = Service Control Manager | ID = 7034
Description = Dienst "Windows Installer" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.
Error - 31.03.2010 06:17:44 | Computer Name = CHRISTIAN | Source = Service Control Manager | ID = 7023
Description = Der Dienst "SSHNAS" wurde mit folgendem Fehler beendet: %%126
Error - 31.03.2010 06:31:12 | Computer Name = CHRISTIAN | Source = Service Control Manager | ID = 7023
Description = Der Dienst "SSHNAS" wurde mit folgendem Fehler beendet: %%126
Error - 31.03.2010 08:24:44 | Computer Name = CHRISTIAN | Source = Service Control Manager | ID = 7023
Description = Der Dienst "SSHNAS" wurde mit folgendem Fehler beendet: %%126
Error - 31.03.2010 08:39:03 | Computer Name = CHRISTIAN | Source = Service Control Manager | ID = 7023
Description = Der Dienst "SSHNAS" wurde mit folgendem Fehler beendet: %%126
Error - 31.03.2010 09:46:33 | Computer Name = CHRISTIAN | Source = Service Control Manager | ID = 7023
Description = Der Dienst "SSHNAS" wurde mit folgendem Fehler beendet: %%126
Error - 01.04.2010 02:53:15 | Computer Name = CHRISTIAN | Source = Service Control Manager | ID = 7023
Description = Der Dienst "SSHNAS" wurde mit folgendem Fehler beendet: %%126
Error - 01.04.2010 08:04:21 | Computer Name = CHRISTIAN | Source = Service Control Manager | ID = 7023
Description = Der Dienst "SSHNAS" wurde mit folgendem Fehler beendet: %%126
Error - 01.04.2010 08:25:37 | Computer Name = CHRISTIAN | Source = sr | ID = 1
Description = Beim Verarbeiten der Datei "" auf Volume "HarddiskVolume1" ist im Wiederherstellungsfilter der unerwartete Fehler "0xC0000001" aufgetreten. Die Volumeüberwachung wurde angehalten.
Error - 01.04.2010 08:26:05 | Computer Name = CHRISTIAN | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: PCIIde

< End of report >
02.04.2010, 10:05 | #5 | |
Looks good.
1. Start OTL. Copy the following into the script field:
Quote:
Allow the reboot if asked. Post the log. It can be found under c:\_OTL
And straight on to the final stretch:
2. http://www.trojaner-board.de/51871-a...tispyware.html
3. http://www.trojaner-board.de/59299-a...eb-cureit.html
If DrWeb finds nothing, the report list cannot be saved - that is OK.
02.04.2010, 11:12 | #6 |
All processes killed
========== OTL ==========
Service LiveUpdate Notice Ex stopped successfully!
Service LiveUpdate Notice Ex deleted successfully!
SSHNAS removed from NetSvcs value successfully!
C:\WINDOWS\system32\AscSQLite.dll moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Besitzer
User: Chris
->Temp folder emptied: 5769510309 bytes
->Temporary Internet Files folder emptied: 804526501 bytes
->Java cache emptied: 8809736 bytes
->FireFox cache emptied: 36205642 bytes
->Flash cache emptied: 194025 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 221203 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 507330 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6546333 bytes
%systemroot%\System32 .tmp files removed: 13354887 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 29011440 bytes
RecycleBin emptied: 974069 bytes
Total Files Cleaned = 6.361,00 mb
OTL by OldTimer - Version 3.1.37.3 log created on 04022010_120139
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
02.04.2010, 14:08 | #7 |
Then SuperAntiSpyware as well:

SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com
Generated 04/02/2010 at 02:20 PM
Application Version : 4.35.1002
Core Rules Database Version : 4760
Trace Rules Database Version: 2572
Scan type : Complete Scan
Total Scan Time : 02:03:56
Memory items scanned : 599
Memory threats detected : 0
Registry items scanned : 6246
Registry threats detected : 9
File items scanned : 211369
File threats detected : 79

Adware.Tracking Cookie

Trojan.Agent/Gen-SSHNAS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#DeviceDesc

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{85038894-684E-4DC0-90E0-2454D15C3286}\RP350\A0106567.DLL
02.04.2010, 14:29 | #8 |
OK, you can let SUPERAntiSpyware remove what it found, if that has not been done already. DrWeb is still left.
02.04.2010, 17:33 | #9 |
Where is the virus?
DrWeb. I ran it. After about 3 hours an error message came up: Send problem report / Don't send. Then everything was gone. I think it found 2 things, though. Should I run DrWeb again?
02.04.2010, 19:05 | #10 |
Where is the virus?
No, it will probably crash again.

1. Get AVZ.
Unpack and start AVZ. Run an update (button on the right-hand side at the bottom ("Database Update"), then Start).
After the update: at the top left, tick all drives (hard disks).
Switch to "File Types" and select All Files.
Switch to "Search Parameters" and additionally tick Block User-Mode Rootkits and Block Kernel-Mode Rootkits.
Close all other programs.
Click Start; the scan will take a while.
After the scan, save the log with the "Save Log" button at the bottom right and post it.
02.04.2010, 19:32 | #11 |
Where is the virus?
Good, I'll do it tomorrow. Don't want to stay up until 1 again.
03.04.2010, 15:56 | #12 |
Where is the virus?

AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 03.04.2010 12:19:47
Database loaded: signatures - 269208, NN profile(s) - 2, malware removal microprograms - 56, signature database released 01.04.2010 22:24
Heuristic microprograms loaded: 382
PVS microprograms loaded: 9
Digital signatures of system files loaded: 191412
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=08B520)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 80562520
KiST = 804E48D0 (284)
Function NtCreateKey (29) intercepted (8057791D->BAB2B1FE), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtCreateThread (35) intercepted (80586C45->BAB2B1F4), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtDeleteKey (3F) intercepted (80593334->BAB2B203), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtDeleteValueKey (41) intercepted (80591F8B->BAB2B20D), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtLoadKey (62) intercepted (805CE7ED->BAB2B212), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtOpenProcess (7A) intercepted (80581702->BAB2B1E0), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtOpenThread (80) intercepted (805E1941->BAB2B1E5), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtReplaceKey (C1) intercepted (806564EC->BAB2B21C), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtRestoreKey (CC) intercepted (80656081->BAB2B217), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtSetValueKey (F7) intercepted (8058228C->BAB2B208), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtTerminateProcess (101) intercepted (8058E695->B7045320), hook C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS
 >>> Function restored successfully !
 >>> Hook code blocked
Functions checked: 284, intercepted: 11, restored: 11
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
CmpCallCallBacks = 001450D8
Disable callback OK
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
Checking - complete
2. Scanning RAM
Number of processes found: 53
Number of modules loaded: 487
Scanning RAM - complete
3. Scanning disks
Direct reading: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\settings.dat
Direct reading: C:\Dokumente und Einstellungen\Chris\Cookies\index.dat
C:\Dokumente und Einstellungen\Chris\Desktop\____\mirc635.exe >>>>> Trojan.Win32.Pakes.lth
C:\Dokumente und Einstellungen\Chris\Eigene Dateien\TrackMania\Thumbs.db >>> suspicion for Trojan-PSW.Win32.LdPinch.blo ( 0A3DC8E5 08F05DCF 0025C355 002A2345 29696)
Direct reading: C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Direct reading: C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
Direct reading: C:\Dokumente und Einstellungen\Chris\Lokale Einstellungen\Verlauf\History.IE5\index.dat
Direct reading: C:\Dokumente und Einstellungen\Chris\NTUSER.DAT
Direct reading: C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat
Direct reading: C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Direct reading: C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
Direct reading: C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat
Direct reading: C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT
Direct reading: C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat
Direct reading: C:\Dokumente und Einstellungen\NetworkService\IETldCache\index.dat
Direct reading: C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Direct reading: C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
Direct reading: C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Verlauf\History.IE5\index.dat
Direct reading: C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT
Direct reading: C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcrst.dll
Direct reading: C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBSMReg.log
C:\Programme\Teamspeak2_RC2\client_sdk\TSRemote.dll >>> suspicion for Trojan-Downloader.Win32.Delf.yjt ( 08A4FE90 03C32EF8 00220FCF 001C965E 97792)
Direct reading: C:\System Volume Information\_restore{85038894-684E-4DC0-90E0-2454D15C3286}\RP354\change.log
C:\WINDOWS\$NtServicePackUninstall$\reg01365 >>> suspicion for Backdoor.Win32.NeoArk.21 ( 000313BA 03BCF8C4 0015E185 00277CBE 724992)
Direct reading: C:\WINDOWS\SchedLgU.Txt
Direct reading: C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
Direct reading: C:\WINDOWS\system32\CatRoot2\edb.log
Direct reading: C:\WINDOWS\system32\CatRoot2\tmp.edb
Direct reading: C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
Direct reading: C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
Direct reading: C:\WINDOWS\system32\config\AppEvent.Evt
Direct reading: C:\WINDOWS\system32\config\default
Direct reading: C:\WINDOWS\system32\config\Internet.evt
Direct reading: C:\WINDOWS\system32\config\sam
Direct reading: C:\WINDOWS\system32\config\SecEvent.Evt
Direct reading: C:\WINDOWS\system32\config\security
Direct reading: C:\WINDOWS\system32\config\SysEvent.Evt
Direct reading: C:\WINDOWS\system32\config\system
Direct reading: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Direct reading: C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Direct reading: C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Direct reading: C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Direct reading: C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Direct reading: C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Direct reading: C:\WINDOWS\WindowsUpdate.log
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 605740, extracted from archives: 386785, malicious software found 1, suspicions - 3
Scanning finished at 03.04.2010 13:58:59
!!! Attention !!! Restored 11 KiST functions during Anti-Rootkit operation
This may affect execution of certain software, so it is strongly recommended to reboot
Time of scanning: 01:39:13
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address hxxp://virusinfo.info conference
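The most security-relevant part of the AVZ log above is section 1.2: eleven KiST (SSDT) entries were intercepted, one attributed to SUPERAntiSpyware's SASKUTIL.SYS and ten reported as "hook not defined". The following script is an added example, written for this page and not part of the thread or of AVZ; it parses those Function lines, groups the handlers by owner and by the 4 KiB page the handler address falls in, and tallies how many of the hooked functions are registry versus process/thread calls. Two assumptions of mine: that "hook not defined" means AVZ could not map the handler address to a loaded driver image, and that handlers sharing one page belong to one image. The sample log text is the section as posted, trimmed of most ">>>" status lines.

```python
"""Triage the kernel-mode hook section (1.2) of an AVZ log.

Security products hook the same Nt* services that rootkits do, so the
function names alone do not decide anything; what matters is who owns
the handler. This groups the intercepted entries so an unattributed run
of adjacent handler addresses shows up as ONE unknown module to chase,
rather than ten separate findings.
"""
import re
from collections import defaultdict

# Constructed sample: the Function lines of section 1.2 from the log posted
# above (addresses as AVZ printed them; most ">>>" status lines dropped).
AVZ_LOG = r"""
1.2 Searching for kernel-mode API hooks
SDT = 80562520
KiST = 804E48D0 (284)
Function NtCreateKey (29) intercepted (8057791D->BAB2B1FE), hook not defined
 >>> Function restored successfully !
 >>> Hook code blocked
Function NtCreateThread (35) intercepted (80586C45->BAB2B1F4), hook not defined
Function NtDeleteKey (3F) intercepted (80593334->BAB2B203), hook not defined
Function NtDeleteValueKey (41) intercepted (80591F8B->BAB2B20D), hook not defined
Function NtLoadKey (62) intercepted (805CE7ED->BAB2B212), hook not defined
Function NtOpenProcess (7A) intercepted (80581702->BAB2B1E0), hook not defined
Function NtOpenThread (80) intercepted (805E1941->BAB2B1E5), hook not defined
Function NtReplaceKey (C1) intercepted (806564EC->BAB2B21C), hook not defined
Function NtRestoreKey (CC) intercepted (80656081->BAB2B217), hook not defined
Function NtSetValueKey (F7) intercepted (8058228C->BAB2B208), hook not defined
Function NtTerminateProcess (101) intercepted (8058E695->B7045320), hook C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS
Functions checked: 284, intercepted: 11, restored: 11
"""

# "Function <Nt*> (<index>) intercepted (<orig>-><handler>), hook <owner>"
HOOK_RE = re.compile(
    r"^Function (?P<name>Nt\w+) \((?P<idx>[0-9A-F]+)\) intercepted "
    r"\((?P<orig>[0-9A-F]{8})->(?P<hook>[0-9A-F]{8})\), hook (?P<owner>.+)$"
)

# Rough split of the hooked services by what they guard.
REGISTRY_FUNCS = {"NtCreateKey", "NtDeleteKey", "NtDeleteValueKey", "NtLoadKey",
                  "NtReplaceKey", "NtRestoreKey", "NtSetValueKey"}
PROCESS_FUNCS = {"NtCreateThread", "NtOpenProcess", "NtOpenThread",
                 "NtTerminateProcess"}


def parse_hooks(log_text):
    """One dict per intercepted KiST entry; owner is None for 'hook not defined'."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        owner = None if m["owner"] == "not defined" else m["owner"]
        hooks.append({
            "name": m["name"],
            "index": int(m["idx"], 16),
            "original": int(m["orig"], 16),
            "handler": int(m["hook"], 16),
            "owner": owner,
        })
    return hooks


def summarize(log_text):
    """Group by (owner, 4 KiB page of the handler address).

    Assumption: handlers on the same page live in the same driver image, so
    a cluster with no owner is one unknown module, reported once with its
    address range and the kind of services it intercepts.
    """
    groups = defaultdict(list)
    for h in parse_hooks(log_text):
        groups[(h["owner"], h["handler"] >> 12)].append(h)
    report = []
    for (owner, page), hs in sorted(groups.items(), key=lambda kv: kv[0][1]):
        names = sorted(h["name"] for h in hs)
        lo = min(h["handler"] for h in hs)
        hi = max(h["handler"] for h in hs)
        report.append({
            "owner": owner or "UNATTRIBUTED",
            "count": len(hs),
            "range": f"{lo:08X}-{hi:08X}",
            "registry": sum(n in REGISTRY_FUNCS for n in names),
            "process": sum(n in PROCESS_FUNCS for n in names),
            "functions": names,
        })
    return report


if __name__ == "__main__":
    for entry in summarize(AVZ_LOG):
        print(f"{entry['owner']}: {entry['count']} hook(s) at {entry['range']}, "
              f"registry={entry['registry']} process/thread={entry['process']}")
        print("    " + ", ".join(entry["functions"]))
```

On the posted log this yields two groups: SASKUTIL.SYS with a single NtTerminateProcess hook, and one unattributed module whose ten handlers all sit between BAB2B1E0 and BAB2B21C, seven of them on registry services and three on process/thread services. That is the pattern of a self-protection driver as much as of a rootkit, so the next step is to find which loaded driver covers that address range, not to judge by the function names. The log does not say which product that is, and neither does this script.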
03.04.2010, 16:49 | #13 |
Where is the virus?
Show all files. Upload the following files one after the other to VirusTotal and post the links to the results.
Quote:
03.04.2010, 17:28 | #14 |
Where is the virus?

Antivirus  Version  Last update  Result
a-squared 4.5.0.50 2010.04.03 Riskware.Client-IRC.Win32.mIRC!IK
AhnLab-V3 5.0.0.2 2010.04.03 -
AntiVir 7.10.6.23 2010.04.02 -
Antiy-AVL 2.0.3.7 2010.04.02 Client-IRC/Win32.mIRC.gen
Authentium 5.2.0.5 2010.04.03 -
Avast 4.8.1351.0 2010.04.03 -
Avast5 5.0.332.0 2010.04.03 Win32:Mirc-Z
AVG 9.0.0.787 2010.04.03 -
BitDefender 7.2 2010.04.03 -
CAT-QuickHeal 10.00 2010.04.03 -
ClamAV 0.96.0.0-git 2010.04.03 -
Comodo 4486 2010.04.03 -
DrWeb 5.0.2.03300 2010.04.03 -
eSafe 7.0.17.0 2010.04.01 -
eTrust-Vet 35.2.7405 2010.04.02 -
F-Prot 4.5.1.85 2010.04.03 -
F-Secure 9.0.15370.0 2010.04.03 -
Fortinet 4.0.14.0 2010.04.03 -
GData 19 2010.04.03 -
Ikarus T3.1.1.80.0 2010.04.03 not-a-virus:Client-IRC.Win32.mIRC
Jiangmin 13.0.900 2010.04.03 -
K7AntiVirus 7.10.1004 2010.03.22 not-a-virus:Client-IRC.Win32.mIRC.g
Kaspersky 7.0.0.125 2010.04.03 not-a-virus:Client-IRC.Win32.mIRC.g
McAfee 5937 2010.03.31 -
McAfee+Artemis 5937 2010.03.31 -
McAfee-GW-Edition 6.8.5 2010.04.02 -
Microsoft 1.5605 2010.04.03 -
NOD32 4996 2010.04.03 -
Norman 6.04.10 2010.04.03 -
nProtect 2009.1.8.0 2010.04.03 -
Panda 10.0.2.2 2010.04.03 -
PCTools 7.0.3.5 2010.04.03 -
Prevx 3.0 2010.04.03 -
Rising 22.41.04.05 2010.04.02 -
Sophos 4.52.0 2010.04.03 -
Sunbelt 6134 2010.04.03 -
Symantec 20091.2.0.41 2010.04.03 -
TheHacker 6.5.2.0.251 2010.04.02 -
TrendMicro 9.120.0.1004 2010.04.03 -
VBA32 3.12.12.4 2010.04.02 -
ViRobot 2010.4.3.2259 2010.04.03 -
VirusBuster 5.0.27.0 2010.04.03 -

Additional information
File size: 1751280 bytes
MD5...: ce01307967773104627ec80e44e60e88
SHA1..: d9c26f7e40298b20f553934ed69dcbe6223c1101
SHA256: e7eb0068d526f40d3d6b378a7bdfeb4575276f6ea8825d021a47997ddff993dc
ssdeep: 49152AOUEW6Xv5ECnwlN/ygeYzZR7c+yPlZmy831RhiO2/AOI6Xv+CnwlN/y gemHgFP2ysLP2/
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x3225
timedatestamp.....: 0x48efcdc9 (Fri Oct 10 21:48:57 2008)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5976 0x5a00 6.47 335c19bb25cd1d02eec2b0a4eacb979c
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x1af98 0x400 4.69 59710519e577598f785044e4d95261f4
.ndata 0x24000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2d000 0x64a0 0x6600 5.84 59b4f6411a707957041ae7301d41e9d9
( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
( 0 exports )
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win64 Executable Generic (59.6%), Win32 Executable MS Visual C++ (generic) (26.2%), Win32 Executable Generic (5.9%), Win32 Dynamic Link Library (generic) (5.2%), Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: mIRC Co. Ltd.
copyright....: Copyright (c) 1995-2008 mIRC Co. Ltd.
product......: mIRC
description..: mIRC
original name: n/a
internal name: n/a
file version.: 6.35
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): NSIS
03.04.2010, 17:31 | #15 |
Where is the virus?

Antivirus  Version  Last update  Result
a-squared 4.5.0.50 2010.04.03 -
AhnLab-V3 5.0.0.2 2010.04.03 -
AntiVir 7.10.6.23 2010.04.02 -
Antiy-AVL 2.0.3.7 2010.04.02 -
Authentium 5.2.0.5 2010.04.03 -
Avast 4.8.1351.0 2010.04.03 -
Avast5 5.0.332.0 2010.04.03 -
AVG 9.0.0.787 2010.04.03 -
BitDefender 7.2 2010.04.03 -
CAT-QuickHeal 10.00 2010.04.03 -
ClamAV 0.96.0.0-git 2010.04.03 -
Comodo 4486 2010.04.03 -
DrWeb 5.0.2.03300 2010.04.03 -
eSafe 7.0.17.0 2010.04.01 -
eTrust-Vet None 2010.04.02 -
F-Prot 4.5.1.85 2010.04.03 -
F-Secure 9.0.15370.0 2010.04.03 -
Fortinet 4.0.14.0 2010.04.03 -
GData 19 2010.04.03 -
Ikarus T3.1.1.80.0 2010.04.03 -
Jiangmin 13.0.900 2010.04.03 -
K7AntiVirus 7.10.1004 2010.03.22 -
Kaspersky 7.0.0.125 2010.04.03 -
McAfee 5937 2010.03.31 -
McAfee+Artemis 5937 2010.03.31 -
McAfee-GW-Edition 6.8.5 2010.04.02 -
Microsoft 1.5605 2010.04.03 -
NOD32 4996 2010.04.03 -
Norman 6.04.10 2010.04.03 -
nProtect 2009.1.8.0 2010.04.03 -
Panda 10.0.2.2 2010.04.03 -
PCTools 7.0.3.5 2010.04.03 -
Prevx 3.0 2010.04.03 -
Rising 22.41.04.05 2010.04.02 -
Sophos 4.52.0 2010.04.03 -
Sunbelt 6134 2010.04.03 -
Symantec 20091.2.0.41 2010.04.03 -
TheHacker 6.5.2.0.251 2010.04.02 -
TrendMicro 9.120.0.1004 2010.04.03 -
VBA32 3.12.12.4 2010.04.02 -
ViRobot 2010.4.3.2259 2010.04.03 -
VirusBuster 5.0.27.0 2010.04.03 -

Additional information
File size: 29696 bytes
MD5...: dc41a144d3334838c3414d017a6e7d0e
SHA1..: 4c35794488707b2662b4b439cfb2f17e8d70aadf
SHA256: 6ac275daadaca6763998ea8e3a5039e55e289c826e3b4e470a14ec323a2df3cc
ssdeep: 768:KZOJrdMdSgtG3AaZuen2zYGgOQN0G3YJhfoJ9:KZOJdM/G/aUGgp0Gob
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Windows XP Thumbnail Database (64.4%), Generic OLE2 / Multistream Compound File (35.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
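The two VirusTotal listings in the posts above are the kind of thing a helper reads by eye: one file with a handful of hits, all of them riskware-style labels for an IRC client, and one file with none. The script below is an added example for this page, not code from the thread or from VirusTotal. It parses pasted result rows, separates labels that vendors use for "unwanted but not malicious" from the rest, and reads the sigcheck block to flag a publisher claim that no signature backs. The marker list for PUA-style labels is my own heuristic, and the row sample is a constructed excerpt (12 of the 42 engines from the first listing). One point the sigcheck block makes: the publisher, product and copyright strings come from the file's version resource, which anyone can write, while "verified: Unsigned" means no Authenticode signature was validated; a publisher string on an unsigned file is a claim, not evidence.

```python
"""Triage a pasted VirusTotal result listing and its sigcheck block."""
import re

# One engine per line: engine, version, signature date, result ("-" = no detection).
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>\S+)$"
)
# Sysinternals-style "key....: value" lines in the sigcheck block.
FIELD_RE = re.compile(r"^(?P<key>[\w ]+?)\.*:\s*(?P<value>.*)$")

# Heuristic (mine): label fragments vendors use for riskware / potentially
# unwanted programs rather than for malware.
PUA_MARKERS = ("not-a-virus", "riskware", "pup", "pua", "unwanted", "adware")

# Constructed excerpt of the first listing above (12 of 42 engines, as posted).
VT_ROWS = """\
a-squared 4.5.0.50 2010.04.03 Riskware.Client-IRC.Win32.mIRC!IK
AhnLab-V3 5.0.0.2 2010.04.03 -
AntiVir 7.10.6.23 2010.04.02 -
Antiy-AVL 2.0.3.7 2010.04.02 Client-IRC/Win32.mIRC.gen
Avast5 5.0.332.0 2010.04.03 Win32:Mirc-Z
DrWeb 5.0.2.03300 2010.04.03 -
eTrust-Vet 35.2.7405 2010.04.02 -
Ikarus T3.1.1.80.0 2010.04.03 not-a-virus:Client-IRC.Win32.mIRC
Kaspersky 7.0.0.125 2010.04.03 not-a-virus:Client-IRC.Win32.mIRC.g
Microsoft 1.5605 2010.04.03 -
Symantec 20091.2.0.41 2010.04.03 -
VirusBuster 5.0.27.0 2010.04.03 -
"""

# The sigcheck block from the same listing, as VirusTotal printed it.
VT_SIGCHECK = """\
publisher....: mIRC Co. Ltd.
copyright....: Copyright (c) 1995-2008 mIRC Co. Ltd.
product......: mIRC
file version.: 6.35
signers......: -
signing date.: -
verified.....: Unsigned
"""


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"engine": m["engine"], "version": m["version"],
                         "updated": m["updated"],
                         "result": None if m["result"] == "-" else m["result"]})
    return rows


def is_pua_label(label):
    label = label.lower()
    return any(marker in label for marker in PUA_MARKERS)


def summarize_detections(text):
    rows = parse_rows(text)
    hits = [r for r in rows if r["result"]]
    other = [r for r in hits if not is_pua_label(r["result"])]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "pua": len(hits) - len(other),
        # Labels that do not look like PUA; these need a human to read them.
        "other_labels": [r["result"] for r in other],
        # True only when every engine that fired used a PUA-style label.
        "riskware_only": bool(hits) and not other,
    }


def parse_sigcheck(text):
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return fields


def publisher_claim(sigcheck_text):
    """Only 'verified: Signed' reflects a validated Authenticode signature;
    the publisher string is just the version resource."""
    fields = parse_sigcheck(sigcheck_text)
    publisher = fields.get("publisher", "n/a")
    verified = fields.get("verified", "").lower() == "signed"
    return {"publisher": publisher, "signature_verified": verified,
            "unverified_claim": publisher != "n/a" and not verified}


if __name__ == "__main__":
    print(summarize_detections(VT_ROWS))
    print(publisher_claim(VT_SIGCHECK))
```

For the excerpt this reports 5 detections out of 12 engines, 3 of them PUA-style, and leaves "Client-IRC/Win32.mIRC.gen" and "Win32:Mirc-Z" for the reader to judge, so riskware_only stays False; the sigcheck check reports an unverified publisher claim of "mIRC Co. Ltd.". Run against the second listing, which has no hits at all, it reports 0 detections, which is consistent with AVZ's "suspicion" on that file being a heuristic rather than a signature match.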