Knifflig

Bitte lasse die Dateien aus der Code-Box bei Virustotal überprüfen

Code: Alles auswählenAufklappen

ATTFilter

C:\windows\System32\drivers\atapi.sys
         

Also gehe wie hier beschrieben vor:

• Öffne diese Webseite: virustotal
• Klicke auf "Durchsuchen"
• Suche die Datei auf deinem Rechner--> Doppelklick auf die zu prüfende Datei (oder kopiere den Inhalt ab aus der Codebox)
• "Senden der Datei"
• Warte, bis der Scandurchlauf aller Virenscanner beendet ist
• Auf "Filter" klicken
• dann auf "Ergebnisse"
• das Ergebnis (wie Du es bekommst )
  komplett markieren und hier rein kopieren

Sollte die Datei als schädlich erkannt werden bitte noch nicht entfernen


Hast du eine Windows CD oder ist es dir möglich eine CD zu brennen ?

Schaltfläche Ergebnis nicht gefunden (unter Filter?). Hab einfach mal den Text beigefügt, der nach der Überprüfung angezeigt wird. (eSafe 7.0.17.0 war der einzige Scanner, der was entedeckt hat)

Zitat:

Datei atapi.sys empfangen 2010.04.11 21:08:41 (UTC)
Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.50 2010.04.11 -
AhnLab-V3 5.0.0.2 2010.04.10 -
AntiVir 7.10.6.55 2010.04.09 -
Antiy-AVL 2.0.3.7 2010.04.09 -
Authentium 5.2.0.5 2010.04.11 -
Avast 4.8.1351.0 2010.04.11 -
Avast5 5.0.332.0 2010.04.11 -
AVG 9.0.0.787 2010.04.11 -
BitDefender 7.2 2010.04.11 -
CAT-QuickHeal 10.00 2010.04.10 -
ClamAV 0.96.0.3-git 2010.04.11 -
Comodo 4572 2010.04.11 -
DrWeb 5.0.2.03300 2010.04.11 -
eSafe 7.0.17.0 2010.04.11 Win32.TrojanHorse
eTrust-Vet 35.2.7418 2010.04.09 -
F-Prot 4.5.1.85 2010.04.11 -
F-Secure 9.0.15370.0 2010.04.11 -
Fortinet 4.0.14.0 2010.04.10 -
GData 19 2010.04.11 -
Ikarus T3.1.1.80.0 2010.04.11 -
Jiangmin 13.0.900 2010.04.11 -
Kaspersky 7.0.0.125 2010.04.11 -
McAfee-GW-Edition 6.8.5 2010.04.11 -
Microsoft 1.5605 2010.04.11 -
NOD32 5018 2010.04.11 -
Norman 6.04.11 2010.04.10 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.2 2010.04.11 -
PCTools 7.0.3.5 2010.04.11 -
Prevx 3.0 2010.04.11 -
Rising 22.42.06.04 2010.04.11 -
Sophos 4.52.0 2010.04.11 -
Sunbelt 6164 2010.04.11 -
Symantec 20091.2.0.41 2010.04.11 -
TheHacker 6.5.2.0.259 2010.04.11 -
TrendMicro 9.120.0.1004 2010.04.11 -
VBA32 3.12.12.4 2010.04.09 -
ViRobot 2010.4.10.2270 2010.04.11 -
VirusBuster 5.0.27.0 2010.04.11 -
weitere Informationen
File size: 21584 bytes
MD5...: 338c86357871c167a96ab976519bf59e
SHA1..: e99e20970139fb1e67bbc54fa8a61c18a4fce36e
SHA256: f28cc534523d1701b0552f5d7e18e88369c4218bdb1f69110c3e31d395884ad6
ssdeep: 384:SN+KUt2BtUXbyTHoCtGRZjNVAsRMNSChq3BLWErUwW9Qu5VpBjbOjBMmhyMD<br>:adUtytUXbyTICtGjNMNbcxHJudkMmwMD<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x603e<br>timedatestamp.....: 0x4a5bbf13 (Mon Jul 13 23:11:15 2009)<br>machinetype.......: 0x14c (I386)<br><br>( 6 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x2472 0x2600 6.22 9b9f242740c0a1c2494b23ae50935e6d<br>.rdata 0x4000 0xae 0x200 1.54 1833a5650ae0f8256ba78bf8ed79d6e1<br>.data 0x5000 0xc 0x200 0.18 7c80b151582aa6280e754b477343e54e<br>INIT 0x6000 0x38c 0x400 4.66 392ce67c807da67e018ad9cf892fde4c<br>.rsrc 0x7000 0x3f0 0x400 3.41 ecb60c1c006d2813169c8bcfe271a200<br>.reloc 0x8000 0xd2 0x200 2.47 035f51da8bf9893e51952ac185994f14<br><br>( 2 imports ) <br>&gt; ataport.SYS: AtaPortNotification, AtaPortQuerySystemTime, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortCopyMemory, AtaPortEtwTraceLog, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange<br>&gt; NTOSKRNL.exe: KeTickCount<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
sigcheck:<br>publisher....: Microsoft Corporation<br>copyright....: (c) Microsoft Corporation. All rights reserved.<br>product......: Microsoft_ Windows_ Operating System<br>description..: ATAPI IDE Miniport Driver<br>original name: atapi.sys<br>internal name: atapi.sys<br>file version.: 6.1.7600.16385 (win7_rtm.090713-1255)<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>
trid..: Win64 Executable Generic (95.5%)<br>Generic Win/DOS Executable (2.2%)<br>DOS Executable Generic (2.2%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

Windows 7 hab ich über unsere Uni bekommen. Hab die CD zwar nicht hier, kann ich mir aber jederzeit vom Server runterladen und auf CD brennen.

Ich trau dem ganzen nicht.

1. Lade Dir bitte TDSS Killer herunter und speichere es auf dem Desktop.
2. Extrahiere die .zip Datei auf dem Desktop.
   Gehe sicher das sich die TDSSKiller.exe auf dem Desktop befindet
3. Drücke bitte die Windows + R Taste, kopiere folgendes in die Kommandozeile und drücke Enter.
   

   "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

4. Wenn eine Nachricht erscheint "Hidden service detected" mache bitte nichts. Drücke nur enter.
5. Wenn der Scan beendet wurde wird eine Logfile namens "TDSSKiller.txt" auf deiner Festplatte C: erstellt. Poste mir bitte den Inhalt der Log.

schritt 2

CustomScan mit OTL

Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop

• Starte bitte die OTL.exe.
  Vista und Win7 User mit Rechtsklick "als Administrator starten"
• Kopiere nun den Inhalt in die Textbox.

Code: Alles auswählenAufklappen

ATTFilter

%SYSTEMDRIVE%\*.exe
%systemdrive%\windows\system32\drivers\*.sys /md5
         

• Schliesse bitte nun alle Programme. (Wichtig)
• Klicke nun bitte auf den Quick Scan Button.
• Klick auf .
• Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in Deinen Thread

Note: Die Log könnte etwas länger werden. Wenn notwendig bitte zu einem Filehoster uploaden

OTL als rar im Anhang,
TDSSKILLER Log:

Zitat:

16:38:34:196 2492 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
16:38:34:196 2492 ================================================================================
16:38:34:196 2492 SystemInfo:

16:38:34:196 2492 OS Version: 6.1.7600 ServicePack: 0.0
16:38:34:196 2492 Product type: Workstation
16:38:34:196 2492 ComputerName: BAYER04
16:38:34:198 2492 UserName: Tobi
16:38:34:198 2492 Windows directory: C:\Windows
16:38:34:198 2492 Processor architecture: Intel x86
16:38:34:198 2492 Number of processors: 2
16:38:34:198 2492 Page size: 0x1000
16:38:34:199 2492 Boot type: Normal boot
16:38:34:199 2492 ================================================================================
16:38:34:201 2492 UnloadDriverW: NtUnloadDriver error 2
16:38:34:201 2492 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:38:34:226 2492 wfopen_ex: Trying to open file C:\Windows\system32\config\system
16:38:34:226 2492 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:38:34:226 2492 wfopen_ex: Trying to KLMD file open
16:38:34:226 2492 wfopen_ex: File opened ok (Flags 2)
16:38:34:239 2492 wfopen_ex: Trying to open file C:\Windows\system32\config\software
16:38:34:239 2492 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:38:34:239 2492 wfopen_ex: Trying to KLMD file open
16:38:34:239 2492 wfopen_ex: File opened ok (Flags 2)
16:38:34:272 2492 Initialize success
16:38:34:272 2492
16:38:34:273 2492 Scanning Services ...
16:38:40:438 2492 Raw services enum returned 478 services
16:38:40:466 2492
16:38:40:467 2492 Scanning Kernel memory ...
16:38:40:468 2492 Devices to scan: 1
16:38:40:468 2492
16:38:40:468 2492 Driver Name: atapi
16:38:40:468 2492 IRP_MJ_CREATE : 8645EAC8
16:38:40:468 2492 IRP_MJ_CREATE_NAMED_PIPE : 8645EAC8
16:38:40:468 2492 IRP_MJ_CLOSE : 8645EAC8
16:38:40:468 2492 IRP_MJ_READ : 8645EAC8
16:38:40:468 2492 IRP_MJ_WRITE : 8645EAC8
16:38:40:468 2492 IRP_MJ_QUERY_INFORMATION : 8645EAC8
16:38:40:469 2492 IRP_MJ_SET_INFORMATION : 8645EAC8
16:38:40:469 2492 IRP_MJ_QUERY_EA : 8645EAC8
16:38:40:469 2492 IRP_MJ_SET_EA : 8645EAC8
16:38:40:469 2492 IRP_MJ_FLUSH_BUFFERS : 8645EAC8
16:38:40:469 2492 IRP_MJ_QUERY_VOLUME_INFORMATION : 8645EAC8
16:38:40:469 2492 IRP_MJ_SET_VOLUME_INFORMATION : 8645EAC8
16:38:40:469 2492 IRP_MJ_DIRECTORY_CONTROL : 8645EAC8
16:38:40:469 2492 IRP_MJ_FILE_SYSTEM_CONTROL : 8645EAC8
16:38:40:469 2492 IRP_MJ_DEVICE_CONTROL : 8645EAC8
16:38:40:469 2492 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8645EAC8
16:38:40:469 2492 IRP_MJ_SHUTDOWN : 8645EAC8
16:38:40:469 2492 IRP_MJ_LOCK_CONTROL : 8645EAC8
16:38:40:469 2492 IRP_MJ_CLEANUP : 8645EAC8
16:38:40:469 2492 IRP_MJ_CREATE_MAILSLOT : 8645EAC8
16:38:40:469 2492 IRP_MJ_QUERY_SECURITY : 8645EAC8
16:38:40:469 2492 IRP_MJ_SET_SECURITY : 8645EAC8
16:38:40:470 2492 IRP_MJ_POWER : 8645EAC8
16:38:40:470 2492 IRP_MJ_SYSTEM_CONTROL : 8645EAC8
16:38:40:470 2492 IRP_MJ_DEVICE_CHANGE : 8645EAC8
16:38:40:470 2492 IRP_MJ_QUERY_QUOTA : 8645EAC8
16:38:40:470 2492 IRP_MJ_SET_QUOTA : 8645EAC8
16:38:40:470 2492 Driver "atapi" infected by TDSS rootkit!
16:38:40:483 2492 C:\Windows\system32\DRIVERS\atapi.sys - Verdict: 1
16:38:40:483 2492 File "C:\Windows\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 16:38:40:484 2492 Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
16:38:41:067 2492 vfvi6
16:38:41:113 2492 dsvbh1
16:38:42:430 2492 fdfb1
16:38:42:430 2492 Backup copy found, using it..
16:38:42:464 2492 will be cured on next reboot
16:38:42:465 2492 Reboot required for cure complete..
16:38:42:487 2492 Cure on reboot scheduled successfully
16:38:42:487 2492
16:38:42:487 2492 Completed
16:38:42:488 2492
16:38:42:488 2492 Results:
16:38:42:489 2492 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
16:38:42:489 2492 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:38:42:490 2492 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:38:42:490 2492
16:38:42:490 2492 fclose_ex: Trying to close file C:\Windows\system32\config\system
16:38:42:492 2492 fclose_ex: Trying to close file C:\Windows\system32\config\software
16:38:42:492 2492 UnloadDriverW: NtUnloadDriver error 1
16:38:42:494 2492 KLMD(ARK) unloaded successfully

Du hast mir die TDSSKiller.txt angehängt
Bitte nachreichen.

Macht der Rechner noch Probleme ?

schritt 1

Lösche die vorhanden ComboFix.exe und lade sie erneut herunter

BleepingComputer - ForoSpyware

Schließe alle laufenden Programme, deaktiviere deine Antivirensoftware.
Rechtsklick auf die Combofix.exe --> "als admin ausführen"

schritt 2

Starte bitte GMER erneut.

Entferne folgende Häckchen (rechts)

• Section
  IAT/EAT
  Modules
  Threads
  ADS

Bitte poste in Deiner nächsten Antwort
Combofix.txt
Gmer.txt
Austehende OTL Logfile

Die letzten 3 (Neu-)Starts des Rechners gingen wieder problemlos und auch sonst merk ich nicht mehr wirklich was. Läuft wieder sichtbar schneller und die störenden Antivir Popups kommen auch nicht mehr.

Im Anhang schonmal OTL.txt, diesmal hoffentlich auch wirklich

Rest gleich per edit

edit:

ComboFix

Zitat:

ComboFix 10-04-11.06 - Tobi 12.04.2010 17:31:30.4.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.3067.2451 [GMT 2:00]
ausgeführt von:: c:\users\Tobi\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((( Dateien erstellt von 2010-03-12 bis 2010-04-12 ))))))))))))))))))))))))))))))
.

2010-04-12 15:38 . 2010-04-12 15:49 -------- d-----w- c:\users\Tobi\AppData\Local\temp
2010-04-12 15:38 . 2010-04-12 15:38 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-12 15:38 . 2010-04-12 15:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-11 10:26 . 2010-04-11 17:21 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-11 10:26 . 2010-04-11 10:45 -------- d-----w- c:\programdata\Hitman Pro
2010-04-11 10:26 . 2010-04-11 10:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-10 23:08 . 2010-04-10 23:08 -------- d-----w- C:\_OTL
2010-04-10 17:21 . 2010-04-10 17:21 -------- d-----w- c:\users\Tobi\AppData\Roaming\Avira
2010-04-10 16:18 . 2010-04-10 16:18 -------- d-----w- c:\programdata\Avira
2010-04-10 16:18 . 2010-03-01 07:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-10 16:18 . 2009-05-11 09:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-10 16:18 . 2009-05-11 09:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-10 15:51 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 15:51 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 11:53 . 2010-04-10 11:54 -------- d-----w- c:\program files\trend micro
2010-04-10 11:53 . 2010-04-10 11:53 -------- d-----w- C:\rsit
2010-04-09 08:52 . 2010-04-09 08:52 -------- d-----w- c:\users\Tobi\AppData\Roaming\Malwarebytes
2010-04-09 08:52 . 2010-04-09 08:52 -------- d-----w- c:\programdata\Malwarebytes
2010-04-09 08:52 . 2010-04-11 17:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-09 08:51 . 2010-04-09 08:51 -------- d-----w- c:\program files\CCleaner
2010-04-06 19:00 . 2010-04-11 18:03 823808 ----a-w- c:\windows\system32\drivers\soccx.sys
2010-03-31 13:17 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-30 15:30 . 2010-03-30 15:30 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 17:59 . 2010-03-26 18:02 -------- d-----w- c:\program files\Common Files\3DO Shared
2010-03-26 17:59 . 2010-03-26 18:02 -------- d-----w- c:\program files\3DO
2010-03-26 17:58 . 1998-10-29 15:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-03-23 18:42 . 2010-03-22 09:25 780288 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\pmv306a-1003220-0-libOctoshapeClient.dll
2010-03-21 11:11 . 2010-03-21 11:11 -------- d-----w- c:\users\Tobi\AppData\Local\Zattoo
2010-03-21 11:09 . 2010-03-21 11:09 -------- d-----w- c:\program files\Zattoo4
2010-03-17 15:59 . 2010-03-17 15:59 -------- d-----w- c:\users\Tobi\AppData\Local\AOL
2010-03-17 15:58 . 2010-04-03 11:21 -------- d-----w- c:\program files\ICQ7.0

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 15:49 . 2009-11-01 15:07 -------- d-----w- c:\users\Tobi\AppData\Roaming\Skype
2010-04-12 15:49 . 2009-11-01 15:08 -------- d-----w- c:\users\Tobi\AppData\Roaming\skypePM
2010-04-12 15:29 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-12 14:38 . 2010-04-12 14:38 21584 ----a-w- c:\windows\system32\drivers\tskBE01.tmp
2010-04-12 08:05 . 2009-11-01 13:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-11 17:55 . 2009-11-01 13:24 -------- d-----w- c:\program files\DellTPad
2010-04-11 17:19 . 2009-11-18 18:34 -------- d-----w- c:\users\Tobi\AppData\Roaming\ICQ
2010-04-10 16:16 . 2010-04-10 13:48 112 ----a-w- c:\programdata\5XAtt3xo2.dat
2010-04-10 08:16 . 2009-07-14 08:47 643866 ----a-w- c:\windows\system32\perfh007.dat
2010-04-10 08:16 . 2009-07-14 08:47 126394 ----a-w- c:\windows\system32\perfc007.dat
2010-04-08 13:20 . 2009-11-01 14:04 -------- d-----w- c:\program files\Winamp Remote
2010-03-26 17:20 . 2009-11-10 18:38 -------- d-----w- c:\program files\Garena
2010-03-22 15:57 . 2009-11-01 15:39 119506 ----a-w- c:\windows\War3Unin.dat
2010-03-18 11:09 . 2009-11-01 13:59 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-16 15:40 . 2010-03-12 17:11 -------- d-----w- c:\programdata\PPLive
2010-03-16 12:48 . 2010-03-12 21:28 -------- d-----w- c:\programdata\PPLiveVA
2010-03-16 12:48 . 2010-03-12 17:04 -------- d-----w- c:\users\Tobi\AppData\Roaming\PPLive
2010-03-16 12:48 . 2010-03-12 17:04 -------- d-----w- c:\program files\PPLive
2010-03-13 13:11 . 2010-03-13 13:11 -------- d-----w- c:\programdata\Jlcm
2010-03-13 13:11 . 2010-03-13 13:11 -------- d-----w- c:\program files\Common Files\PPLiveNetwork
2010-03-12 21:30 . 2010-03-12 21:29 12204184 ----a-w- c:\programdata\PPLive\cache\ppva\pptvsetup_2.4.1.0014_s2_hasppva.exe
2010-03-12 21:30 . 2010-03-12 17:13 12204184 ----a-w- c:\users\Tobi\AppData\Roaming\PPLive\Update\Update.exe
2010-03-12 17:20 . 2010-03-12 17:19 468480 ----a-w- c:\programdata\PPLive\test_vod1.dll
2010-03-12 16:32 . 2010-03-12 16:31 -------- d-----w- c:\program files\TVAnts
2010-02-27 21:54 . 2009-11-01 21:03 -------- d-----w- c:\users\Tobi\AppData\Roaming\vlc
2010-02-26 19:33 . 2010-02-26 19:33 -------- d-----w- c:\programdata\TVU Networks
2010-02-26 19:33 . 2010-02-26 19:32 -------- d-----w- c:\program files\TVUPlayer
2010-02-26 19:30 . 2010-02-26 19:29 4519389 ----a-w- c:\users\Tobi\AppData\Roaming\TVU Networks\AutoUpgrade\TVUPlayer2.5.2.2.exe
2010-02-26 19:29 . 2010-02-26 19:29 -------- d-----w- c:\users\Tobi\AppData\Roaming\TVU Networks
2010-02-26 06:06 . 2010-02-26 06:06 2626360 ----a-w- c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2010-02-24 09:16 . 2009-11-01 13:37 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 11:24 . 2009-11-10 17:22 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-11 07:10 . 2010-03-06 22:23 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-08 21:31 . 2009-11-03 19:35 71960 ----a-w- c:\users\Tobi\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-02-05 12:38 . 2010-02-05 12:38 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-02 07:45 . 2010-02-24 09:54 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-01 12:24 . 2010-02-08 15:25 71960 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-npoctoshape.dll
2010-02-01 12:24 . 2010-02-08 15:25 417280 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-libOctoshapeClient.dll
2010-02-01 12:24 . 2010-02-08 15:25 124184 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-apoctoshape.dll
2010-01-18 23:29 . 2010-02-10 10:21 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-10 10:21 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-10 10:21 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-10 10:21 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-10 10:21 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-10 10:21 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-10 10:21 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-10 10:21 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-11_16.26.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-01 13:44 . 2010-04-12 14:37 42994 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-04-12 15:50 47024 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-01 13:20 . 2010-04-12 15:50 10180 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1981820849-1269703919-3846408820-1001_UserData.bin
+ 2009-11-01 13:06 . 2010-04-12 15:39 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 13:06 . 2010-04-11 16:14 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-06 19:05 . 2010-04-12 14:35 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2010-04-06 19:05 . 2010-04-11 09:43 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2009-07-14 04:41 . 2010-04-12 15:39 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2010-04-11 16:14 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-01 13:11 . 2010-04-12 15:42 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 13:11 . 2010-04-11 16:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-01 13:11 . 2010-04-12 15:42 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 13:11 . 2010-04-11 16:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-01 13:11 . 2010-04-12 15:42 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 13:11 . 2010-04-11 16:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 13:20 . 2010-04-11 16:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-01 13:20 . 2010-04-12 15:39 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-03 18:04 . 2010-04-12 15:14 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-03 18:04 . 2010-04-11 16:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-03 18:04 . 2010-04-11 16:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-11-03 18:04 . 2010-04-12 15:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-11-03 18:04 . 2010-04-12 15:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-11-03 18:04 . 2010-04-11 16:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-11-01 13:20 . 2010-04-12 15:39 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 13:20 . 2010-04-11 16:14 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-01 13:20 . 2010-04-12 15:39 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 13:20 . 2010-04-11 16:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-11 16:14 . 2010-04-11 16:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-04-12 15:29 . 2010-04-12 15:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-11 16:14 . 2010-04-11 16:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-12 15:29 . 2010-04-12 15:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-01 13:12 . 2010-04-12 15:39 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-11-01 13:12 . 2010-04-11 16:14 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-11-01 13:06 . 2010-04-12 15:39 622592 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 13:06 . 2010-04-11 16:14 622592 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:47 . 2010-04-11 22:02 400656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-04-11 22:02 . 2010-04-11 22:02 400656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1981820849-1269703919-3846408820-1001-12288.dat
- 2009-07-14 02:03 . 2010-04-11 11:01 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2010-04-12 14:48 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"Octoshape Streaming Services"="c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Steam"="c:\spiele\Steam\\Steam.exe" [2010-02-22 1217872]
"PPAP"="c:\program files\Common Files\PPLiveNetwork\PPAP.exe" [2010-02-04 173512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 3563520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-01 149280]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-1 813584]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-9 1616976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 11:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 135664]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 GarenaPEngine;GarenaPEngine;c:\users\Tobi\AppData\Local\Temp\RZNF628.tmp [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-09 721904]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\aestsrv.exe [2008-02-28 73728]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-12-18 54784]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-01-29 203264]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-06-03 144672]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-05-13 277504]

.
Inhalt des "geplante Tasks" Ordners

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 12:08]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 12:08]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{88EB38EF-4D2C-436D-ABD3-56B232674062} - c:\program files\ICQ7.0\ICQ.exe
FF - ProfilePath - c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\
FF - prefs.js: browser.startup.homepage - www.t-online.de
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\users\Tobi\AppData\Roaming\Mozilla\plugins\npoctoshape.dll

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "hxxp://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-klmdb.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService



**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, hxxp://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8647FAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x853cae88
QueryNameProcedure -> 0x853ca018
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi]
"ImagePath"="system32\drivers\tskBE01.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\Tobi\AppData\Local\Temp\RZNF628.tmp"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(5716)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\STacSV.exe
c:\windows\system32\atieclxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\program files\Winamp Remote\bin\OrbTray.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Winamp Remote\bin\Orb.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Skype\Toolbars\Shared\SkypeNames2.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-04-12 17:53:25 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-04-12 15:53
ComboFix2.txt 2010-04-11 18:25
ComboFix3.txt 2010-04-11 16:29

Vor Suchlauf: 27 Verzeichnis(se), 50.733.088.768 Bytes frei
Nach Suchlauf: 28 Verzeichnis(se), 50.648.891.392 Bytes frei

- - End Of File - - 98B5E1C630BA35F10680D3530110320E

GMER:

Zitat:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-12 18:02:34
Windows 6.1.7600
Running: rryfs3dy.exe; Driver: C:\Users\Tobi\AppData\Local\Temp\kxddqpow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83242AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83242104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832423F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322A634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322A898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832421DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83242958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832426F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83242F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832431A8

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8647FAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Die macht mich fertig.
(Schritt 1 und 2 sind notwendig da die uns eventuell behindern)

Schritt 1

Deinstalliere bitte Alcohol 120 (falls noch vorhanden)


schritt 2

Downloade dir bitte SPTDinst-v162-x64.exe.
Doppelklick darauf und wähle Uninstall.


schritt 3

Temp File Cleaner

Downloade Dir bitte TFC ( von Oldtimer ) und speichere die Datei auf dem Desktop.
Schließe nun alle offenen Programme und trenne Dich von dem Internet.
Doppelklick auf die TFC.exe
Sollte TFC nicht alle Dateien löschen können wird es einen Neustart verlangen. Dies bitte zulassen.


schritt 4

Vorbereitung

• Denke daran, während des Laufs von Combofix Dein Antiviren-Programm temporär abzustellen.
  Danach wieder anstellen nicht vergessen!
• Wichtig: Bewege nicht die Maus über das ComboFix-Fenster oder klicke in dieses hinein.
  Dies kann dazu führen, dass ComboFix sich aufhängt.

Anwendung

1. Öffne notepad (Start => Ausführen => notepad (reinschreiben) => ok) oder einen Editor Deiner Wahl und kopiere alles aus der nachfolgenden Codebox in ein leeres Dokument:
   
   Code: Alles auswählenAufklappen

   ATTFilter

   KILLALL::
   
   Rootkit::
   C:\Windows\System32\drivers\soccx.sys
   
   FCOPY::
   C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys | C:\Windows\System32\drivers\atapi.sys
            

2. Speichere dies als CFScript.txt auf Deinem Desktop
   .
   
   .
3. In Bezug auf obiges Bild, ziehe CFScript.txt in die ComboFix.exe
4. Wenn ComboFix fertig ist, wird es ein Log erstellen, C:\ComboFix.txt. Bitte füge es hier als Antwort ein.

Hinweis für Mitleser: Obiges Combofix-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

Falls im Skript die Anweisung Suspect:: oder Collect:: enthalten ist, wird eine Message-Box erscheinen, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen.


Poste mir bitte die ComboFix Logfile

So hier der aktuelle Combo-Fix log:

Zitat:

ComboFix 10-04-12.01 - Tobi 12.04.2010 22:02:48.5.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.3067.2444 [GMT 2:00]
ausgeführt von:: c:\users\Tobi\Desktop\Combo-Fix.exe
Benutzte Befehlsschalter :: c:\users\Tobi\Desktop\CFScript.txt.txt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --> c:\windows\System32\drivers\atapi.sys
.
((((((((((((((((((((((( Dateien erstellt von 2010-03-12 bis 2010-04-12 ))))))))))))))))))))))))))))))
.

2010-04-12 20:10 . 2010-04-12 20:12 -------- d-----w- c:\users\Tobi\AppData\Local\temp
2010-04-12 20:10 . 2010-04-12 20:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-12 20:10 . 2010-04-12 20:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-11 10:26 . 2010-04-11 17:21 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-11 10:26 . 2010-04-11 10:45 -------- d-----w- c:\programdata\Hitman Pro
2010-04-11 10:26 . 2010-04-11 10:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-10 23:08 . 2010-04-10 23:08 -------- d-----w- C:\_OTL
2010-04-10 17:21 . 2010-04-10 17:21 -------- d-----w- c:\users\Tobi\AppData\Roaming\Avira
2010-04-10 16:18 . 2010-04-10 16:18 -------- d-----w- c:\programdata\Avira
2010-04-10 16:18 . 2010-03-01 07:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-10 16:18 . 2009-05-11 09:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-10 16:18 . 2009-05-11 09:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-10 15:51 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 15:51 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 11:53 . 2010-04-10 11:54 -------- d-----w- c:\program files\trend micro
2010-04-10 11:53 . 2010-04-10 11:53 -------- d-----w- C:\rsit
2010-04-09 08:52 . 2010-04-09 08:52 -------- d-----w- c:\users\Tobi\AppData\Roaming\Malwarebytes
2010-04-09 08:52 . 2010-04-09 08:52 -------- d-----w- c:\programdata\Malwarebytes
2010-04-09 08:52 . 2010-04-11 17:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-09 08:51 . 2010-04-09 08:51 -------- d-----w- c:\program files\CCleaner
2010-04-06 19:00 . 2010-04-11 18:03 823808 ----a-w- c:\windows\system32\drivers\soccx.sys
2010-03-31 13:17 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-30 15:30 . 2010-03-30 15:30 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 17:59 . 2010-03-26 18:02 -------- d-----w- c:\program files\Common Files\3DO Shared
2010-03-26 17:59 . 2010-03-26 18:02 -------- d-----w- c:\program files\3DO
2010-03-26 17:58 . 1998-10-29 15:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-03-23 18:42 . 2010-03-22 09:25 780288 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\pmv306a-1003220-0-libOctoshapeClient.dll
2010-03-21 11:11 . 2010-03-21 11:11 -------- d-----w- c:\users\Tobi\AppData\Local\Zattoo
2010-03-21 11:09 . 2010-03-21 11:09 -------- d-----w- c:\program files\Zattoo4
2010-03-17 15:59 . 2010-03-17 15:59 -------- d-----w- c:\users\Tobi\AppData\Local\AOL
2010-03-17 15:58 . 2010-04-03 11:21 -------- d-----w- c:\program files\ICQ7.0

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 20:13 . 2009-11-01 15:07 -------- d-----w- c:\users\Tobi\AppData\Roaming\Skype
2010-04-12 15:49 . 2009-11-01 15:08 -------- d-----w- c:\users\Tobi\AppData\Roaming\skypePM
2010-04-12 14:38 . 2010-04-12 19:58 21584 ----a-w- c:\windows\system32\drivers\tskBE01.tmp
2010-04-12 08:05 . 2009-11-01 13:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-11 17:55 . 2009-11-01 13:24 -------- d-----w- c:\program files\DellTPad
2010-04-11 17:19 . 2009-11-18 18:34 -------- d-----w- c:\users\Tobi\AppData\Roaming\ICQ
2010-04-10 16:16 . 2010-04-10 13:48 112 ----a-w- c:\programdata\5XAtt3xo2.dat
2010-04-10 08:16 . 2009-07-14 08:47 643866 ----a-w- c:\windows\system32\perfh007.dat
2010-04-10 08:16 . 2009-07-14 08:47 126394 ----a-w- c:\windows\system32\perfc007.dat
2010-04-08 13:20 . 2009-11-01 14:04 -------- d-----w- c:\program files\Winamp Remote
2010-03-26 17:20 . 2009-11-10 18:38 -------- d-----w- c:\program files\Garena
2010-03-22 15:57 . 2009-11-01 15:39 119506 ----a-w- c:\windows\War3Unin.dat
2010-03-18 11:09 . 2009-11-01 13:59 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-16 15:40 . 2010-03-12 17:11 -------- d-----w- c:\programdata\PPLive
2010-03-16 12:48 . 2010-03-12 21:28 -------- d-----w- c:\programdata\PPLiveVA
2010-03-16 12:48 . 2010-03-12 17:04 -------- d-----w- c:\users\Tobi\AppData\Roaming\PPLive
2010-03-16 12:48 . 2010-03-12 17:04 -------- d-----w- c:\program files\PPLive
2010-03-13 13:11 . 2010-03-13 13:11 -------- d-----w- c:\programdata\Jlcm
2010-03-13 13:11 . 2010-03-13 13:11 -------- d-----w- c:\program files\Common Files\PPLiveNetwork
2010-03-12 21:30 . 2010-03-12 21:29 12204184 ----a-w- c:\programdata\PPLive\cache\ppva\pptvsetup_2.4.1.0014_s2_hasppva.exe
2010-03-12 21:30 . 2010-03-12 17:13 12204184 ----a-w- c:\users\Tobi\AppData\Roaming\PPLive\Update\Update.exe
2010-03-12 17:20 . 2010-03-12 17:19 468480 ----a-w- c:\programdata\PPLive\test_vod1.dll
2010-03-12 16:32 . 2010-03-12 16:31 -------- d-----w- c:\program files\TVAnts
2010-02-27 21:54 . 2009-11-01 21:03 -------- d-----w- c:\users\Tobi\AppData\Roaming\vlc
2010-02-26 19:33 . 2010-02-26 19:33 -------- d-----w- c:\programdata\TVU Networks
2010-02-26 19:33 . 2010-02-26 19:32 -------- d-----w- c:\program files\TVUPlayer
2010-02-26 19:30 . 2010-02-26 19:29 4519389 ----a-w- c:\users\Tobi\AppData\Roaming\TVU Networks\AutoUpgrade\TVUPlayer2.5.2.2.exe
2010-02-26 19:29 . 2010-02-26 19:29 -------- d-----w- c:\users\Tobi\AppData\Roaming\TVU Networks
2010-02-26 06:06 . 2010-02-26 06:06 2626360 ----a-w- c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2010-02-24 09:16 . 2009-11-01 13:37 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 11:24 . 2009-11-10 17:22 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-11 07:10 . 2010-03-06 22:23 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-08 21:31 . 2009-11-03 19:35 71960 ----a-w- c:\users\Tobi\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-02-05 12:38 . 2010-02-05 12:38 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-02 07:45 . 2010-02-24 09:54 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-01 12:24 . 2010-02-08 15:25 71960 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-npoctoshape.dll
2010-02-01 12:24 . 2010-02-08 15:25 417280 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-libOctoshapeClient.dll
2010-02-01 12:24 . 2010-02-08 15:25 124184 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-apoctoshape.dll
2010-01-18 23:29 . 2010-02-10 10:21 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-10 10:21 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-10 10:21 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-10 10:21 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-10 10:21 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-10 10:21 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-10 10:21 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-10 10:21 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-11_16.26.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-01 13:44 . 2010-04-12 19:42 43102 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-04-12 20:13 47024 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-01 13:20 . 2010-04-12 20:03 10220 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1981820849-1269703919-3846408820-1001_UserData.bin
+ 2009-11-01 13:06 . 2010-04-12 20:11 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 13:06 . 2010-04-11 16:14 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-06 19:05 . 2010-04-12 14:35 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2010-04-06 19:05 . 2010-04-11 09:43 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2009-07-14 04:41 . 2010-04-12 20:11 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2010-04-11 16:14 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-01 13:11 . 2010-04-12 20:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 13:11 . 2010-04-11 16:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-01 13:11 . 2010-04-12 20:12 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 13:11 . 2010-04-11 16:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-01 13:11 . 2010-04-12 20:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 13:11 . 2010-04-11 16:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 13:20 . 2010-04-11 16:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-01 13:20 . 2010-04-12 20:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-03 18:04 . 2010-04-12 20:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-03 18:04 . 2010-04-11 16:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-03 18:04 . 2010-04-11 16:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-11-03 18:04 . 2010-04-12 20:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-11-03 18:04 . 2010-04-12 20:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-11-03 18:04 . 2010-04-11 16:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-11-01 13:20 . 2010-04-12 20:11 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 13:20 . 2010-04-11 16:14 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-01 13:20 . 2010-04-12 20:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 13:20 . 2010-04-11 16:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-11 16:14 . 2010-04-11 16:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-04-12 19:59 . 2010-04-12 20:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-11 16:14 . 2010-04-11 16:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-12 19:59 . 2010-04-12 20:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-01 13:12 . 2010-04-12 20:11 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-11-01 13:12 . 2010-04-11 16:14 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-11-01 13:06 . 2010-04-12 20:11 622592 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 13:06 . 2010-04-11 16:14 622592 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:47 . 2010-04-11 22:02 400656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-04-11 22:02 . 2010-04-11 22:02 400656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1981820849-1269703919-3846408820-1001-12288.dat
- 2009-07-14 02:03 . 2010-04-11 11:01 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2010-04-12 14:48 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"Octoshape Streaming Services"="c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Steam"="c:\spiele\Steam\\Steam.exe" [2010-02-22 1217872]
"PPAP"="c:\program files\Common Files\PPLiveNetwork\PPAP.exe" [2010-02-04 173512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 3563520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-01 149280]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-1 813584]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-9 1616976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 11:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 135664]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 GarenaPEngine;GarenaPEngine;c:\users\Tobi\AppData\Local\Temp\RZNF628.tmp [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\aestsrv.exe [2008-02-28 73728]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-12-18 54784]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-01-29 203264]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-06-03 144672]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-05-13 277504]

.
Inhalt des "geplante Tasks" Ordners

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 12:08]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 12:08]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{88EB38EF-4D2C-436D-ABD3-56B232674062} - c:\program files\ICQ7.0\ICQ.exe
FF - ProfilePath - c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\
FF - prefs.js: browser.startup.homepage - www.t-online.de
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\users\Tobi\AppData\Roaming\Mozilla\plugins\npoctoshape.dll

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "hxxp://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, hxxp://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86466AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x853cae88
QueryNameProcedure -> 0x853ca018
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi]
"ImagePath"="system32\drivers\tskBE01.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\Tobi\AppData\Local\Temp\RZNF628.tmp"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(3692)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\STacSV.exe
c:\windows\system32\atieclxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Winamp Remote\bin\OrbTray.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Winamp Remote\bin\Orb.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-04-12 22:17:21 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-04-12 20:17
ComboFix2.txt 2010-04-12 15:53
ComboFix3.txt 2010-04-11 18:25
ComboFix4.txt 2010-04-11 16:29

Vor Suchlauf: 27 Verzeichnis(se), 50.616.291.328 Bytes frei
Nach Suchlauf: 28 Verzeichnis(se), 50.407.497.728 Bytes frei

- - End Of File - - 8F01F13F59FD4EE13A06B3817FBC0493

Teil eins scheint geschaft. Jz müssen wir noch eine Datei entfernen

schritt 1

Lade den Avenger herunter und entzippe ihn auf den Desktop. Nicht gezippt direkt als EXE ist der Avenger hier erhältlich.

Starte die avenger.exe durch Rechtsklick "als Admin ausführen" und akzeptiere mit OK die Nutzungsbedingungen. Füge den Inhalt der folgenden Codebox vollständig und unverändert bei "Input script here" ein und klicke auf "Execute". Beantworte die Frage, ob Du sicher bist, dass das Skript ausgeführt werden soll mit "Ja".

Code: Alles auswählenAufklappen

ATTFilter

Drivers to delete:
soccx

Files to delete:
c:\windows\system32\drivers\soccx.sys
         

Beantworte die Frage zum Neustart des Rechners (Reboot now?) ebenfalls mit "Ja". Nachdem der Rechner neu gestartet ist (das kann auch zweimal nötig sein und passieren!) und das DOS-Fenster, das der Avenger geöffnet hat, wieder geschlossen ist, öffnet Avenger Deinen Editor mit dem Avengerlog, zu finden auch unter C:\avenger.txt. Den Inhalt bitte posten. Ein Backup der entfernten Objekte wurde als C:\avenger\backup.zip angelegt.


schritt 2

Bitte GMER erneut laufen lassen. Lass die Einstellungen wie sie sind.


Bitte poste in Deiner nächsten Antwort
Avenger.txt
Gmer.txt

Das hört sich ja gut an

Avenger:

Zitat:

Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\soccx" not found!
Deletion of driver "soccx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\drivers\soccx.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

GMER:

Zitat:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-13 19:04:27
Windows 6.1.7600
Running: rryfs3dy.exe; Driver: C:\Users\Tobi\AppData\Local\Temp\kxddqpow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322CAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83214634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83214898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322CF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322D1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E455C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6A052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? system32\drivers\byiqqeh.sys Das System kann den angegebenen Pfad nicht finden. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90C2E000, 0x2D5378, 0xE8000020]
.text peauth.sys 9BE2BC9D 28 Bytes [5E, 97, 07, 10, 2B, 54, 46, ...]
.text peauth.sys 9BE2BCC1 28 Bytes [5E, 97, 07, 10, 2B, 54, 46, ...]
PAGE peauth.sys 9BE31B9B 72 Bytes [27, FD, 49, C8, 65, FE, 0D, ...]
PAGE peauth.sys 9BE31BEC 111 Bytes [10, 77, 4E, C5, 7C, 76, E9, ...]
PAGE peauth.sys 9BE31E20 101 Bytes [66, F4, 7F, DD, B7, 5C, 3C, ...]
PAGE ...
.text autochk.exe 004511D1 2 Bytes [C8, 04]
.text autochk.exe 004511D5 33 Bytes [8D, 8D, B4, FE, FF, FF, E8, ...]
.text autochk.exe 004511F9 15 Bytes [8B, 8D, A0, FD, FF, FF, E8, ...]
.text autochk.exe 0045120A 39 Bytes [8B, 8D, 40, FE, FF, FF, 81, ...]
.text autochk.exe 00451232 33 Bytes [8D, 8D, A4, FE, FF, FF, E8, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtProtectVirtualMemory 77C05360 5 Bytes JMP 004E000A
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtWriteVirtualMemory 77C05EE0 5 Bytes JMP 004F000A
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!KiUserExceptionDispatcher 77C06448 5 Bytes JMP 003D000A
.text C:\Windows\system32\svchost.exe[1036] ole32.dll!CoCreateInstance 767A57FC 5 Bytes JMP 00D7000A
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!GetCursorPos 7638C198 5 Bytes JMP 00D8000A
.text C:\Program Files\Winamp Remote\bin\OrbTray.exe[2604] kernel32.dll!SetUnhandledExceptionFilter 776E3162 5 Bytes JMP 00413C70 C:\Program Files\Winamp Remote\bin\OrbTray.exe (Orb/Orb Networks)
.text C:\Windows\Explorer.EXE[2684] ntdll.dll!NtProtectVirtualMemory 77C05360 5 Bytes JMP 001A000A
.text C:\Windows\Explorer.EXE[2684] ntdll.dll!NtWriteVirtualMemory 77C05EE0 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[2684] ntdll.dll!KiUserExceptionDispatcher 77C06448 5 Bytes JMP 0013000A
.text C:\Program Files\Winamp Remote\bin\Orb.exe[3376] kernel32.dll!SetUnhandledExceptionFilter 776E3162 5 Bytes JMP 00402CD0 C:\Program Files\Winamp Remote\bin\Orb.exe (Orb Application/Orb Networks, Inc.)
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3388] kernel32.dll!CreateFileW 776E0B7D 5 Bytes JMP 01842930 C:\Program Files\Common Files\PPLiveNetwork\TipsClient.dll
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3388] kernel32.dll!CreateFileA 776E291C 5 Bytes JMP 018428D0 C:\Program Files\Common Files\PPLiveNetwork\TipsClient.dll
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3388] USER32.dll!ShowWindow 7639147A 2 Bytes JMP 01842750 C:\Program Files\Common Files\PPLiveNetwork\TipsClient.dll
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3388] USER32.dll!ShowWindow + 3 7639147D 2 Bytes [4B, 8B]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AA2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74A85624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74A856E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AA250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A98573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A94D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74A950CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74A951A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74A966D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A982CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74A98819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A9907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74A9E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74A94C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86657AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Irgendetwas infiziert uns da andauernd die atapi.sys aber iwie glaub ich das nicht.


Lösche bitte die vorhandene Version von Gmer und downloade es dir erneut.

Poste mir bitte erneut eine GMER Logfile sowie eine frische OTL Logfile.

GMER:

Zitat:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-13 21:03:28
Windows 6.1.7600
Running: swzl5i3v.exe; Driver: C:\Users\Tobi\AppData\Local\Temp\kxddqpow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322CAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83214634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83214898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322C6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322CF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322D1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E455C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6A052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? system32\drivers\byiqqeh.sys Das System kann den angegebenen Pfad nicht finden. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90C2E000, 0x2D5378, 0xE8000020]
.text peauth.sys 9BE2BC9D 28 Bytes [5E, 97, 07, 10, 2B, 54, 46, ...]
.text peauth.sys 9BE2BCC1 28 Bytes [5E, 97, 07, 10, 2B, 54, 46, ...]
PAGE peauth.sys 9BE31B9B 72 Bytes [27, FD, 49, C8, 65, FE, 0D, ...]
PAGE peauth.sys 9BE31BEC 111 Bytes [10, 77, 4E, C5, 7C, 76, E9, ...]
PAGE peauth.sys 9BE31E20 101 Bytes [66, F4, 7F, DD, B7, 5C, 3C, ...]
PAGE ...
.text autochk.exe 004511D1 2 Bytes [C8, 04]
.text autochk.exe 004511D5 33 Bytes [8D, 8D, B4, FE, FF, FF, E8, ...]
.text autochk.exe 004511F9 15 Bytes [8B, 8D, A0, FD, FF, FF, E8, ...]
.text autochk.exe 0045120A 39 Bytes [8B, 8D, 40, FE, FF, FF, 81, ...]
.text autochk.exe 00451232 33 Bytes [8D, 8D, A4, FE, FF, FF, E8, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtProtectVirtualMemory 77C05360 5 Bytes JMP 004E000A
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtWriteVirtualMemory 77C05EE0 5 Bytes JMP 004F000A
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!KiUserExceptionDispatcher 77C06448 5 Bytes JMP 003D000A
.text C:\Windows\system32\svchost.exe[1036] ole32.dll!CoCreateInstance 767A57FC 5 Bytes JMP 00D7000A
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!GetCursorPos 7638C198 5 Bytes JMP 00D8000A
.text C:\Program Files\Winamp Remote\bin\OrbTray.exe[2604] kernel32.dll!SetUnhandledExceptionFilter 776E3162 5 Bytes JMP 00413C70 C:\Program Files\Winamp Remote\bin\OrbTray.exe (Orb/Orb Networks)
.text C:\Windows\Explorer.EXE[2684] ntdll.dll!NtProtectVirtualMemory 77C05360 5 Bytes JMP 001A000A
.text C:\Windows\Explorer.EXE[2684] ntdll.dll!NtWriteVirtualMemory 77C05EE0 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[2684] ntdll.dll!KiUserExceptionDispatcher 77C06448 5 Bytes JMP 0013000A
.text C:\Program Files\Winamp Remote\bin\Orb.exe[3376] kernel32.dll!SetUnhandledExceptionFilter 776E3162 5 Bytes JMP 00402CD0 C:\Program Files\Winamp Remote\bin\Orb.exe (Orb Application/Orb Networks, Inc.)
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3388] kernel32.dll!CreateFileW 776E0B7D 5 Bytes JMP 01842930 C:\Program Files\Common Files\PPLiveNetwork\TipsClient.dll
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3388] kernel32.dll!CreateFileA 776E291C 5 Bytes JMP 018428D0 C:\Program Files\Common Files\PPLiveNetwork\TipsClient.dll
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3388] USER32.dll!ShowWindow 7639147A 2 Bytes JMP 01842750 C:\Program Files\Common Files\PPLiveNetwork\TipsClient.dll
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3388] USER32.dll!ShowWindow + 3 7639147D 2 Bytes [4B, 8B]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5636] ntdll.dll!NtProtectVirtualMemory 77C05360 5 Bytes JMP 0049000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5636] ntdll.dll!NtWriteVirtualMemory 77C05EE0 5 Bytes JMP 004B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5636] ntdll.dll!KiUserExceptionDispatcher 77C06448 5 Bytes JMP 0047000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AA2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74A85624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74A856E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AA250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A98573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A94D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74A950CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74A951A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74A966D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A982CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74A98819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A9907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74A9E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2684] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74A94C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86657AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

OTL.txt

Zitat:

OTL logfile created on: 13.04.2010 21:08:37 - Run 5
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Tobi\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 63,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 79,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 123,49 Gb Total Space | 46,76 Gb Free Space | 37,87% Space Free | Partition Type: NTFS
Drive D: | 70,00 Gb Total Space | 13,08 Gb Free Space | 18,69% Space Free | Partition Type: NTFS
Drive E: | 29,25 Gb Total Space | 3,82 Gb Free Space | 13,07% Space Free | Partition Type: NTFS
Drive F: | 10,00 Gb Total Space | 1,85 Gb Free Space | 18,49% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 1397,26 Gb Total Space | 383,01 Gb Free Space | 27,41% Space Free | Partition Type: NTFS

Computer Name: BAYER04
Current User Name: Tobi
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Tobi\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Common Files\PPLiveNetwork\PPAP.exe (PPLive Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Programme\Skype\Toolbars\Shared\SkypeNames2.exe (Skype Technologies S.A.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\atieclxx.exe (AMD)
PRC - C:\Windows\System32\atiesrxx.exe (AMD)
PRC - C:\Programme\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Programme\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc.)
PRC - C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\Users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)
PRC - C:\Programme\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\stacsv.exe (IDT, Inc.)
PRC - C:\Programme\Winamp Remote\bin\OrbTray.exe (Orb Networks)
PRC - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\AEstSrv.exe (Andrea Electronics Corporation)
PRC - C:\Programme\Winamp Remote\bin\Orb.exe (Orb Networks, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\Tobi\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Programme\Logitech\SetPoint\lgscroll.dll (Logitech, Inc.)
MOD - C:\Programme\Logitech\SetPoint\GameHook.dll (Logitech, Inc.)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4927_none_d08a205e442db5b5\msvcr80.dll (Microsoft Corporation)
MOD - C:\Windows\System32\BtMmHook.dll (Broadcom Corporation.)


========== Win32 Services (SafeList) ==========

SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (LBTServ) -- C:\Programme\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX-Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (STacSV) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\stacsv.exe (IDT, Inc.)
SRV - (AESTFilters) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\AEstSrv.exe (Andrea Electronics Corporation)


========== Driver Services (SafeList) ==========

DRV - (atapi) -- C:\Windows\system32\drivers\tskBE01.tmp (Microsoft Corporation)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwififlt) -- C:\Windows\System32\drivers\vwififlt.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\System32\drivers\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (OA001Ufd) -- C:\Windows\System32\drivers\OA001Ufd.sys (Creative Technology Ltd.)
DRV - (BCM43XX) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)
DRV - (BCM42RLY) -- C:\Windows\System32\drivers\bcm42rly.sys (Broadcom Corporation)
DRV - (OA001Vid) -- C:\Windows\System32\drivers\OA001Vid.sys (Creative Technology Ltd.)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (k57nd60x) Broadcom NetLink (TM) -- C:\Windows\System32\drivers\k57nd60x.sys (Broadcom Corporation)
DRV - (btwl2cap) -- C:\Windows\System32\drivers\btwl2cap.sys (Broadcom Corporation.)
DRV - (btwaudio) -- C:\Windows\System32\drivers\btwaudio.sys (Broadcom Corporation.)
DRV - (btwrchid) -- C:\Windows\System32\drivers\btwrchid.sys (Broadcom Corporation.)
DRV - (btwavdt) -- C:\Windows\System32\drivers\btwavdt.sys (Broadcom Corporation.)
DRV - (itecir) -- C:\Windows\System32\drivers\itecir.sys (ITE Tech. Inc. )
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 82 97 38 FA B8 D5 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.t-online.de"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000004
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 5
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..network.proxy.backup.ftp: ""
FF - prefs.js..network.proxy.backup.ftp_port: 0
FF - prefs.js..network.proxy.backup.gopher: ""
FF - prefs.js..network.proxy.backup.gopher_port: 0
FF - prefs.js..network.proxy.backup.socks: "localhost"
FF - prefs.js..network.proxy.backup.socks_port: 9050
FF - prefs.js..network.proxy.backup.ssl: "localhost"
FF - prefs.js..network.proxy.backup.ssl_port: 9666
FF - prefs.js..network.proxy.ftp: "proxy.fh-flensburg.de"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.gopher: "proxy.fh-flensburg.de"
FF - prefs.js..network.proxy.gopher_port: 80
FF - prefs.js..network.proxy.http: "proxy.fh-flensburg.de"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "proxy.fh-flensburg.de"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "proxy.fh-flensburg.de"
FF - prefs.js..network.proxy.ssl_port: 80

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.04.06 17:09:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.04.06 17:09:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.03.18 13:09:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010.02.11 11:58:58 | 000,000,000 | ---D | M]

[2009.11.01 16:00:32 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\mozilla\Extensions
[2010.04.12 22:30:23 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\mozilla\Firefox\Profiles\ker0n89o.default\extensions
[2010.02.26 21:33:36 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\mozilla\Firefox\Profiles\ker0n89o.default\extensions\firefox@tvunetworks.com
[2009.11.10 11:40:38 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\mozilla\Firefox\Profiles\ker0n89o.default\extensions\moveplayer@movenetworks.com
[2010.04.12 22:30:23 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.03.30 17:31:13 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010.04.06 17:08:55 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.04.06 17:08:55 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.04.06 17:08:55 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.04.06 17:08:55 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.04.06 17:08:55 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010.04.12 22:12:02 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKCU..\Run: [Octoshape Streaming Services] C:\Users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)
O4 - HKCU..\Run: [PPAP] C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe (PPLive Corporation)
O4 - HKCU..\Run: [Steam] C:\Spiele\Steam\Steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Programme\PPLive\PPTV\PPLive.exe (PPLive Corporation)
O9 - Extra 'Tools' menuitem : PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Programme\PPLive\PPTV\PPLive.exe (PPLive Corporation)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Programme\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009.11.10 02:53:39 | 000,000,000 | RH-D | M] - I:\autorun -- [ NTFS ]
O32 - Unable to obtain root file information for disk I:\
O33 - MountPoints2\{6d5d6313-c6e6-11de-a723-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{6d5d6313-c6e6-11de-a723-806e6f6e6963}\Shell\AutoRun\command - "" = G:\_AUTORUN\AUTORUN.EXE -- File not found
O33 - MountPoints2\{6d5d6313-c6e6-11de-a723-806e6f6e6963}\Shell\instDX\command - "" = G:\directX\dxsetup.exe -- File not found
O33 - MountPoints2\{6d5d6313-c6e6-11de-a723-806e6f6e6963}\Shell\readme\command - "" = notepad readme.txt
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.04.13 18:33:35 | 000,000,000 | ---D | C] -- C:\Avenger
[2010.04.12 22:17:26 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010.04.12 22:16:05 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010.04.12 22:10:26 | 000,000,000 | ---D | C] -- C:\Users\Tobi\AppData\Local\temp
[2010.04.12 21:57:04 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010.04.12 21:50:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010.04.12 21:42:26 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\Tobi\Desktop\TFC.exe
[2010.04.12 21:01:50 | 000,880,624 | ---- | C] (Duplex Secure Ltd.) -- C:\Users\Tobi\Desktop\SPTDinst-v162-x86.exe
[2010.04.12 21:00:45 | 001,065,968 | ---- | C] (Duplex Secure Ltd.) -- C:\Users\Tobi\Desktop\SPTDinst-v162-x64.exe
[2010.04.12 16:38:11 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Users\Tobi\Desktop\TDSSKiller.exe
[2010.04.11 18:15:23 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010.04.11 18:15:23 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010.04.11 18:15:23 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010.04.11 18:15:07 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010.04.11 18:13:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.04.11 12:26:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010.04.11 12:26:07 | 000,000,000 | ---D | C] -- C:\Programme\Hitman Pro 3.5
[2010.04.11 12:25:36 | 005,650,240 | ---- | C] (SurfRight B.V.) -- C:\Users\Tobi\Desktop\HitmanPro35.exe
[2010.04.11 01:08:11 | 000,000,000 | ---D | C] -- C:\_OTL
[2010.04.10 23:00:38 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\Tobi\Desktop\OTL.exe
[2010.04.10 19:21:43 | 000,000,000 | ---D | C] -- C:\Users\Tobi\AppData\Roaming\Avira
[2010.04.10 18:18:03 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2010.04.10 18:18:02 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010.04.10 18:18:02 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntdd.sys
[2010.04.10 18:18:02 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntmgr.sys
[2010.04.10 18:18:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010.04.10 17:51:23 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.04.10 17:51:20 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.04.10 17:50:39 | 005,918,776 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Tobi\Desktop\mbam-setup-1.45.exe
[2010.04.10 13:53:06 | 000,000,000 | ---D | C] -- C:\Programme\trend micro
[2010.04.10 13:53:06 | 000,000,000 | ---D | C] -- C:\rsit
[2010.04.09 10:52:17 | 000,000,000 | ---D | C] -- C:\Users\Tobi\AppData\Roaming\Malwarebytes
[2010.04.09 10:52:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.04.09 10:52:04 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.04.09 10:51:35 | 000,000,000 | ---D | C] -- C:\Programme\CCleaner
[2010.04.08 21:18:27 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010.04.08 15:18:52 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010.03.31 15:17:08 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010.03.31 15:17:08 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010.03.31 15:17:08 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010.03.30 17:30:51 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Skype
[2010.03.26 19:59:10 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\3DO Shared
[2010.03.26 19:59:10 | 000,000,000 | ---D | C] -- C:\Programme\3DO
[2010.03.26 19:58:05 | 000,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\Windows\IsUninst.exe
[2010.03.21 13:11:15 | 000,000,000 | ---D | C] -- C:\Users\Tobi\AppData\Local\Zattoo
[2010.03.21 13:09:44 | 000,000,000 | ---D | C] -- C:\Programme\Zattoo4
[2010.03.17 17:59:03 | 000,000,000 | ---D | C] -- C:\Users\Tobi\AppData\Local\AOL
[2010.03.17 17:58:52 | 000,000,000 | ---D | C] -- C:\Programme\ICQ7.0
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.04.13 21:10:05 | 002,097,152 | -HS- | M] () -- C:\Users\Tobi\NTUSER.DAT
[2010.04.13 21:08:03 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Tobi\Desktop\OTL.exe
[2010.04.13 20:54:07 | 000,293,376 | ---- | M] () -- C:\Users\Tobi\Desktop\swzl5i3v.exe
[2010.04.13 20:24:00 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010.04.13 18:41:23 | 000,013,248 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010.04.13 18:41:23 | 000,013,248 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010.04.13 18:34:15 | 000,001,088 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010.04.13 18:34:00 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.04.13 18:33:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.04.13 18:33:42 | 2411,872,256 | -HS- | M] () -- C:\hiberfil.sys
[2010.04.13 18:31:49 | 002,838,629 | -H-- | M] () -- C:\Users\Tobi\AppData\Local\IconCache.db
[2010.04.12 22:12:51 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010.04.12 22:12:02 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010.04.12 21:50:24 | 003,912,873 | R--- | M] () -- C:\Users\Tobi\Desktop\Combo-Fix.exe
[2010.04.12 21:42:27 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\Tobi\Desktop\TFC.exe
[2010.04.12 21:03:05 | 000,880,624 | ---- | M] (Duplex Secure Ltd.) -- C:\Users\Tobi\Desktop\SPTDinst-v162-x86.exe
[2010.04.12 21:02:19 | 001,065,968 | ---- | M] (Duplex Secure Ltd.) -- C:\Users\Tobi\Desktop\SPTDinst-v162-x64.exe
[2010.04.12 17:13:07 | 000,023,899 | ---- | M] () -- C:\Users\Tobi\Desktop\OTL.zip
[2010.04.12 16:47:23 | 000,021,560 | ---- | M] () -- C:\Users\Tobi\Desktop\OTL.rar
[2010.04.11 23:14:34 | 000,404,310 | ---- | M] () -- C:\Users\Tobi\Desktop\ergebnis.xps
[2010.04.11 19:38:16 | 377,442,582 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010.04.11 19:21:02 | 000,015,944 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010.04.11 19:19:12 | 000,000,020 | ---- | M] () -- C:\Users\Tobi\defogger_reenable
[2010.04.11 19:18:33 | 000,050,477 | ---- | M] () -- C:\Users\Tobi\Desktop\Defogger.exe
[2010.04.11 12:45:19 | 000,000,234 | ---- | M] () -- C:\Windows\System32\.crusader
[2010.04.11 12:26:01 | 005,650,240 | ---- | M] (SurfRight B.V.) -- C:\Users\Tobi\Desktop\HitmanPro35.exe
[2010.04.11 12:14:00 | 042,341,360 | ---- | M] () -- C:\Users\Tobi\Desktop\avira_antivir_personal10_de.exe
[2010.04.10 18:18:24 | 000,002,016 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010.04.10 18:16:51 | 000,000,112 | ---- | M] () -- C:\ProgramData\5XAtt3xo2.dat
[2010.04.10 17:51:26 | 000,000,983 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.10 17:51:02 | 005,918,776 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Tobi\Desktop\mbam-setup-1.45.exe
[2010.04.10 17:36:53 | 000,781,909 | ---- | M] () -- C:\Users\Tobi\Desktop\RSIT.exe
[2010.04.10 13:54:12 | 000,002,043 | ---- | M] () -- C:\Users\Tobi\Desktop\HijackThis.lnk
[2010.04.10 10:16:38 | 001,472,002 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.04.10 10:16:38 | 000,643,866 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.04.10 10:16:38 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.04.10 10:16:38 | 000,126,394 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.04.10 10:16:38 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.04.09 10:51:38 | 000,001,835 | ---- | M] () -- C:\Users\Tobi\Desktop\CCleaner.lnk
[2010.03.30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.03.30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.03.28 21:58:51 | 000,001,153 | ---- | M] () -- C:\Users\Tobi\Desktop\Frozen Throne - Verknüpfung.lnk
[2010.03.26 20:02:08 | 000,001,564 | ---- | M] () -- C:\Users\Public\Desktop\Heroes of Might and Magic III Complete.lnk
[2010.03.24 20:02:46 | 000,014,476 | ---- | M] () -- C:\Users\Tobi\Desktop\OT4749926968902302117398232.pdf
[2010.03.22 17:57:43 | 000,119,506 | ---- | M] () -- C:\Windows\War3Unin.dat
[2010.03.22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Users\Tobi\Desktop\TDSSKiller.exe
[2010.03.21 13:14:44 | 000,017,408 | ---- | M] () -- C:\Users\Tobi\AppData\Local\WebpageIcons.db
[2010.03.21 13:09:46 | 000,001,818 | ---- | M] () -- C:\Users\Tobi\Desktop\Zattoo.lnk
[2010.03.18 18:00:32 | 003,163,136 | ---- | M] () -- C:\Users\Tobi\Desktop\Elektrotechnik WS 2009.doc
[2010.03.17 23:33:16 | 000,001,792 | ---- | M] () -- C:\Users\Tobi\Desktop\ICQ7.lnk
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.04.13 20:54:07 | 000,293,376 | ---- | C] () -- C:\Users\Tobi\Desktop\swzl5i3v.exe
[2010.04.13 18:30:20 | 000,731,136 | ---- | C] () -- C:\Users\Tobi\Desktop\avenger.exe
[2010.04.12 17:13:07 | 000,023,899 | ---- | C] () -- C:\Users\Tobi\Desktop\OTL.zip
[2010.04.12 16:47:23 | 000,021,560 | ---- | C] () -- C:\Users\Tobi\Desktop\OTL.rar
[2010.04.11 23:14:32 | 000,404,310 | ---- | C] () -- C:\Users\Tobi\Desktop\ergebnis.xps
[2010.04.11 19:23:31 | 003,912,873 | R--- | C] () -- C:\Users\Tobi\Desktop\Combo-Fix.exe
[2010.04.11 19:18:52 | 000,000,020 | ---- | C] () -- C:\Users\Tobi\defogger_reenable
[2010.04.11 19:18:33 | 000,050,477 | ---- | C] () -- C:\Users\Tobi\Desktop\Defogger.exe
[2010.04.11 18:15:23 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010.04.11 18:15:23 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010.04.11 18:15:23 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010.04.11 18:15:23 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010.04.11 18:15:23 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010.04.11 12:45:19 | 000,000,234 | ---- | C] () -- C:\Windows\System32\.crusader
[2010.04.11 12:26:22 | 000,015,944 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010.04.10 18:18:24 | 000,002,016 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010.04.10 18:13:41 | 042,341,360 | ---- | C] () -- C:\Users\Tobi\Desktop\avira_antivir_personal10_de.exe
[2010.04.10 17:51:26 | 000,000,983 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.10 15:48:43 | 000,000,112 | ---- | C] () -- C:\ProgramData\5XAtt3xo2.dat
[2010.04.10 13:54:37 | 000,781,909 | ---- | C] () -- C:\Users\Tobi\Desktop\RSIT.exe
[2010.04.10 13:54:12 | 000,002,043 | ---- | C] () -- C:\Users\Tobi\Desktop\HijackThis.lnk
[2010.04.09 12:47:31 | 377,442,582 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010.04.09 10:51:38 | 000,001,835 | ---- | C] () -- C:\Users\Tobi\Desktop\CCleaner.lnk
[2010.03.26 20:02:08 | 000,001,564 | ---- | C] () -- C:\Users\Public\Desktop\Heroes of Might and Magic III Complete.lnk
[2010.03.24 20:02:46 | 000,014,476 | ---- | C] () -- C:\Users\Tobi\Desktop\OT4749926968902302117398232.pdf
[2010.03.21 13:11:15 | 000,017,408 | ---- | C] () -- C:\Users\Tobi\AppData\Local\WebpageIcons.db
[2010.03.21 13:09:46 | 000,001,818 | ---- | C] () -- C:\Users\Tobi\Desktop\Zattoo.lnk
[2010.03.18 18:00:15 | 003,163,136 | ---- | C] () -- C:\Users\Tobi\Desktop\Elektrotechnik WS 2009.doc
[2010.03.17 23:33:16 | 000,001,792 | ---- | C] () -- C:\Users\Tobi\Desktop\ICQ7.lnk
[2009.12.17 19:26:30 | 000,000,055 | ---- | C] () -- C:\Windows\wininit.ini
[2009.12.10 23:22:10 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009.12.10 15:20:29 | 000,000,842 | ---- | C] () -- C:\Users\Tobi\.recently-used.xbel
[2009.11.09 15:09:34 | 000,000,125 | -HS- | C] () -- C:\ProgramData\.zreglib
[2009.11.01 23:38:13 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009.11.01 23:09:50 | 000,011,776 | ---- | C] () -- C:\Users\Tobi\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.11.01 15:28:52 | 000,055,808 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2009.11.01 15:10:05 | 002,097,152 | -HS- | C] () -- C:\Users\Tobi\NTUSER.DAT
[2009.11.01 15:10:05 | 000,524,288 | -HS- | C] () -- C:\Users\Tobi\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2009.11.01 15:10:05 | 000,524,288 | -HS- | C] () -- C:\Users\Tobi\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2009.11.01 15:10:05 | 000,262,144 | -HS- | C] () -- C:\Users\Tobi\ntuser.dat.LOG1
[2009.11.01 15:10:05 | 000,065,536 | -HS- | C] () -- C:\Users\Tobi\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2009.11.01 15:10:05 | 000,000,020 | -HS- | C] () -- C:\Users\Tobi\ntuser.ini
[2009.11.01 15:10:05 | 000,000,000 | -HS- | C] () -- C:\Users\Tobi\ntuser.dat.LOG2
[2009.07.14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008.12.10 11:11:04 | 000,002,045 | -H-- | C] () -- C:\Windows\System32\whlpda32e.dll
[2001.11.14 14:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
< End of report >

Extras.txt

Zitat:

OTL Extras logfile created on: 13.04.2010 21:08:37 - Run 5
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Tobi\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 63,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 79,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 123,49 Gb Total Space | 46,76 Gb Free Space | 37,87% Space Free | Partition Type: NTFS
Drive D: | 70,00 Gb Total Space | 13,08 Gb Free Space | 18,69% Space Free | Partition Type: NTFS
Drive E: | 29,25 Gb Total Space | 3,82 Gb Free Space | 13,07% Space Free | Partition Type: NTFS
Drive F: | 10,00 Gb Total Space | 1,85 Gb Free Space | 18,49% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 1397,26 Gb Total Space | 383,01 Gb Free Space | 27,41% Space Free | Partition Type: NTFS

Computer Name: BAYER04
Current User Name: Tobi
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.1.0.4402
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam(TM)
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java(TM) 6 Update 15
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{359cfc0a-beb1-440d-95ba-cf63a86da34f}" = Nero Recode
"{368ba326-73ad-4351-84ed-3c0a7a52cc53}" = Nero Rescue Agent
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{43e39830-1826-415d-8bae-86845787b54b}" = Nero Vision
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{595a3116-40bb-4e0f-a2e8-d7951da56270}" = NeroExpress
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.05
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{62ac81f6-bdd3-4110-9d36-3e9eaab40999}" = Nero CoverDesigner
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6CDC748B-47B0-45EB-B740-681E8429F7F9}" = Opera 10.01
"{6D3963B0-E13B-4FC3-B0FF-506A304BB043}" = Cisco EAP-FAST Module
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7748ac8c-18e3-43bb-959b-088faea16fb2}" = Nero StartSmart
"{7829db6f-a066-4e40-8912-cb07887c20bb}" = Nero BurnRights
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{88EB38EF-4D2C-436D-ABD3-56B232674062}" = ICQ7
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISE_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISE_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{2AB528A5-BB1B-4EBE-8E51-AD0C4CD33CA9}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{58FC5E37-DD28-4D4A-A549-125744C6763C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{888B9AC7-8F5C-456B-A27A-157A6C310E52}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9AF0B106-56F1-461B-A270-95BC1682E282}" = Broadcom Gigabit NetLink Controller
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{a209525b-3377-43f4-b886-32f6b6e7356f}" = Nero WaveEditor
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3 - Deutsch
"{b1adf008-e898-4fe2-8a1f-690d9a06acaf}" = DolbyFiles
"{b2ec4a38-b545-4a00-8214-13fe0e915e6d}" = Advertising Center
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{b78120a0-cf84-4366-a393-4d0a59bc546c}" = Menu Templates - Starter Kit
"{bd5ca0da-71ad-43da-b19e-6eee0c9adc9a}" = Nero ControlCenter
"{C4972073-2BFE-475D-8441-564EA97DA161}" = QuickSet
"{c5a7cb6c-e76d-408f-ba0e-85605420fe9d}" = SoundTrax
"{d025a639-b9c9-417d-8531-208859000af8}" = NeroBurningROM
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D45EC259-4A19-4656-B588-C2C360DD18EA}" = Half-Life(R) 2
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{e498385e-1c51-459a-b45f-1721e37aa1a0}" = Movie Templates - Starter Kit
"{e8a80433-302b-4ff1-815d-fcc8eac482ff}" = Nero Installer
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{FCED9B62-34FF-4C15-8A23-F65221F7874D}" = ITECIR Driver
"{fde130ac-53d8-44bb-bbab-ede73108e1f2}" = Nero 9 Trial
"1A5A977E511ED61600002E176F048ED6FCBD8560" = Windows-Treiberpaket - ITE Tech.Inc. (itecir) HIDClass (12/18/2007 5.0.0004.6)
"AC3Filter" = AC3Filter (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Broadcom 802.11b Network Adapter" = Dienstprogramm für Dell Wireless WLAN Karte
"CCleaner" = CCleaner
"Creative OA001" = Integrated Webcam Driver (1.02.02.0603)
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Scanner" = EPSON Scan
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"Garena" = Garena
"GEN_LYRICS_IE.DLL" = Winamp Lyrics (Explorer Version) v1.22
"Heroes of Might and Magic® III" = Heroes of Might and Magic® III Complete
"HijackThis" = HijackThis 2.0.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"Orb" = Winamp Remote
"PokerStars" = PokerStars
"PPLive" = PPTV V2.4.1.0014
"SopCast" = SopCast 3.2.4
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"Tournament Manager Pro V.3_is1" = Tournament Manager Pro V.3.1.0
"TVAnts 1.0" = TVAnts 1.0
"TVUPlayer" = TVUPlayer 2.5.2.2
"USB STEERING WHEEL" = USB STEERING WHEEL
"VLC media player" = VLC media player 1.0.3
"Warcraft III" = Warcraft III
"Winamp" = Winamp
"WinRAR archiver" = WinRAR
"Zattoo4" = Zattoo4 4.0.4

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager
"Octoshape Streaming Services" = Octoshape Streaming Services
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Bitte lasse die Dateien aus der Code-Box bei Virustotal überprüfen

Code: Alles auswählenAufklappen

ATTFilter

C:\ProgramData\5XAtt3xo2.dat
         

Also gehe wie hier beschrieben vor:

• Öffne diese Webseite: virustotal
• Klicke auf "Durchsuchen"
• Suche die Datei auf deinem Rechner--> Doppelklick auf die zu prüfende Datei (oder kopiere den Inhalt ab aus der Codebox)
• "Senden der Datei"
• Warte, bis der Scandurchlauf aller Virenscanner beendet ist
• Auf "Filter" klicken
• dann auf "Ergebnisse"
• das Ergebnis (wie Du es bekommst )
  komplett markieren und hier rein kopieren

Sollte die Datei als schädlich erkannt werden bitte noch nicht entfernen

Hier das Ergebnis (ist wohl nichts mit los):

Zitat:

Datei 5XAtt3xo2.dat empfangen 2010.04.13 19:34:19 (UTC)
Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.50 2010.04.13 -
AhnLab-V3 5.0.0.2 2010.04.13 -
AntiVir 7.10.6.69 2010.04.13 -
Antiy-AVL 2.0.3.7 2010.04.13 -
Authentium 5.2.0.5 2010.04.13 -
Avast 4.8.1351.0 2010.04.13 -
Avast5 5.0.332.0 2010.04.13 -
AVG 9.0.0.787 2010.04.13 -
BitDefender 7.2 2010.04.13 -
CAT-QuickHeal 10.00 2010.04.13 -
ClamAV 0.96.0.3-git 2010.04.13 -
Comodo 4588 2010.04.13 -
DrWeb 5.0.2.03300 2010.04.13 -
eSafe 7.0.17.0 2010.04.13 -
eTrust-Vet 35.2.7423 2010.04.13 -
F-Prot 4.5.1.85 2010.04.13 -
F-Secure 9.0.15370.0 2010.04.13 -
Fortinet 4.0.14.0 2010.04.12 -
GData 19 2010.04.13 -
Ikarus T3.1.1.80.0 2010.04.13 -
Jiangmin 13.0.900 2010.04.13 -
Kaspersky 7.0.0.125 2010.04.13 -
McAfee 5.400.0.1158 2010.04.13 -
McAfee-GW-Edition 6.8.5 2010.04.13 -
Microsoft 1.5605 2010.04.13 -
NOD32 5026 2010.04.13 -
Norman 6.04.11 2010.04.13 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.7 2010.04.13 -
PCTools 7.0.3.5 2010.04.13 -
Prevx 3.0 2010.04.13 -
Rising 22.43.01.01 2010.04.13 -
Sophos 4.52.0 2010.04.13 -
Sunbelt 6170 2010.04.13 -
Symantec 20091.2.0.41 2010.04.13 -
TheHacker 6.5.2.0.260 2010.04.13 -
TrendMicro 9.120.0.1004 2010.04.13 -
VBA32 3.12.12.4 2010.04.09 -
ViRobot 2010.4.13.2274 2010.04.13 -
VirusBuster 5.0.27.0 2010.04.13 -
weitere Informationen
File size: 112 bytes
MD5...: 2d645fd05019f815e8ecadc717a87531
SHA1..: dcc06113f4c11938bb75c791fd7989f8114a8798
SHA256: 9c22a24daebbc9e4bd2762752d815353f0bf17941b6104f7ddeb4d41770321c6
ssdeep: 3hEl+1V34ktKftKseD65HjPdlgLj3lYdBn:dEk1Vif4seD65HjPuj3liBn<br>
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Unknown!
sigcheck:<br>publisher....: n/a<br>copyright....: n/a<br>product......: n/a<br>description..: n/a<br>original name: n/a<br>internal name: n/a<br>file version.: n/a<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>

Ist es dir möglich eine CD zu brennen ?

Aber zuerst versuchen wir es mal auf die "herkömmliche" Methode

Windows + R Taste --> notepad (reinschreiben) --> OK
Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code: Alles auswählenAufklappen

ATTFilter

cd \
Copy "c:\windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys" C:
         

Speichere diese unter file.bat auf Deinem Desktop.
Wähle bei Dateityp alle Dateien aus.
Doppelklick auf die file.bat.
Es sollte 1 Datei wurde kopiert im DOS Fenster stehen
Vista- User: Mit Rechtsklick "als Administrator starten"


schritt 2

Starte (Rechtsklick "als Admin ausführen") bitte Avenger und füge folgendes Script ein.

Code: Alles auswählenAufklappen

ATTFilter

Files to move:
C:\atapi.sys | C:\windows\system32\drivers\atapi.sys
         

Nun auf Execute und OK

Poste mir das Logfile von Avenger bitte


PS: So hartnäckig war dieses Teil noch nie -.-