Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


Plagegeister aller Art und deren Bekämpfung: TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Seite 4 von 4 « Erste 23 4
Alt 16.04.2010, 12:50   #46
Larusso
/// Selecta Jahrusso
 
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Standard

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


Bei Filelister, hast Du das Tool als Admin gestartet?
Besteht ein Ordner Filelister auf dem Desktop?
Wenn nicht, kann es sein das die Log auf dem Desktop ist oder nit mit Win7 kompatibel

Hast Du immer alle Tools als Admin gestartet ?
Trat das Problem mit OTLPE nur bei dem CustomScan auf ?

Speichere folgendes aus der Codebox als scan.txt auf deinem Desktop
Code:
ATTFilter
c:\windows\system32\drivers\*.sys /90
Starte OTLPE und führe das Script wie vorher aus




Lege bitte einen Ordner Infected auf dem Desktop an.
Starte nun OTLPE und kopiere folgende Dateien aus C:\windows\system32\drivers in den Ordner
  • atikmdag.sys
    atapi.sys
    disk.sys
    CLASSPNP.SYS
    tskBE01.tmp

Danach starte den PC in normalModus und lasse diese Dateien bei VT prüfen.
Wenn bei einer Datei nichts gefunden wird, brauche ich die Logfile dieser Datei nicht

(Jetzt bin ich dann bald am Ende mit meinem Chinesisch)
__________________
mfg, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Lerne, zurück zu schlagen und unterstütze uns!
TB Akademie
Alt 16.04.2010, 14:48   #47
Dev
 
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Standard

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


Hab ich vergessen zu erwähnen. Filelister kann ich nicht als Admin ausführen, liegt vielleicht an Windows 7?.... Nachdem das Programm durchgelaufen ist, fragt es ob die Log gespeichert werden soll, allerdings ist sie leer.

Gefunden hat VT was bei atapi.sys und tskBE01.tmp, jeweils wars eSafe

atapi Ergebnis:

Zitat:
Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.50 2010.04.16 -
AhnLab-V3 5.0.0.2 2010.04.16 -
AntiVir 7.10.6.114 2010.04.16 -
Antiy-AVL 2.0.3.7 2010.04.16 -
Authentium 5.2.0.5 2010.04.16 -
Avast 4.8.1351.0 2010.04.16 -
Avast5 5.0.332.0 2010.04.16 -
AVG 9.0.0.787 2010.04.16 -
BitDefender 7.2 2010.04.16 -
CAT-QuickHeal 10.00 2010.04.16 -
ClamAV 0.96.0.3-git 2010.04.16 -
Comodo 4614 2010.04.16 -
DrWeb 5.0.2.03300 2010.04.16 -
eSafe 7.0.17.0 2010.04.15 Win32.TrojanHorse
eTrust-Vet 35.2.7429 2010.04.16 -
F-Prot 4.5.1.85 2010.04.16 -
F-Secure 9.0.15370.0 2010.04.16 -
Fortinet 4.0.14.0 2010.04.16 -
GData 19 2010.04.16 -
Ikarus T3.1.1.80.0 2010.04.16 -
Jiangmin 13.0.900 2010.04.16 -
Kaspersky 7.0.0.125 2010.04.16 -
McAfee 5.400.0.1158 2010.04.16 -
McAfee-GW-Edition 6.8.5 2010.04.16 -
Microsoft 1.5605 2010.04.16 -
NOD32 5033 2010.04.16 -
Norman 6.04.11 2010.04.16 -
nProtect 2010-04-16.01 2010.04.16 -
Panda 10.0.2.7 2010.04.15 -
PCTools 7.0.3.5 2010.04.16 -
Prevx 3.0 2010.04.16 -
Rising 22.43.04.04 2010.04.16 -
Sophos 4.52.0 2010.04.16 -
Sunbelt 6183 2010.04.16 -
Symantec 20091.2.0.41 2010.04.16 -
TheHacker 6.5.2.0.262 2010.04.15 -
TrendMicro 9.120.0.1004 2010.04.15 -
VBA32 3.12.12.4 2010.04.15 -
ViRobot 2010.4.16.2280 2010.04.16 -
VirusBuster 5.0.27.0 2010.04.16 -
weitere Informationen
File size: 21584 bytes
MD5...: 338c86357871c167a96ab976519bf59e
SHA1..: e99e20970139fb1e67bbc54fa8a61c18a4fce36e
SHA256: f28cc534523d1701b0552f5d7e18e88369c4218bdb1f69110c3e31d395884ad6
ssdeep: 384:SN+KUt2BtUXbyTHoCtGRZjNVAsRMNSChq3BLWErUwW9Qu5VpBjbOjBMmhyMD
:adUtytUXbyTICtGjNMNbcxHJudkMmwMD
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x603e
timedatestamp.....: 0x4a5bbf13 (Mon Jul 13 23:11:15 2009)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2472 0x2600 6.22 9b9f242740c0a1c2494b23ae50935e6d
.rdata 0x4000 0xae 0x200 1.54 1833a5650ae0f8256ba78bf8ed79d6e1
.data 0x5000 0xc 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x6000 0x38c 0x400 4.66 392ce67c807da67e018ad9cf892fde4c
.rsrc 0x7000 0x3f0 0x400 3.41 ecb60c1c006d2813169c8bcfe271a200
.reloc 0x8000 0xd2 0x200 2.47 035f51da8bf9893e51952ac185994f14

( 2 imports )
> ataport.SYS: AtaPortNotification, AtaPortQuerySystemTime, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortCopyMemory, AtaPortEtwTraceLog, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> NTOSKRNL.exe: KeTickCount

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: ATAPI IDE Miniport Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

tskBE01:

Zitat:
Datei tskBE01.tmp empfangen 2010.04.16 13:42:22 (UTC)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 1/40 (2.5%)





Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.50 2010.04.16 -
AhnLab-V3 5.0.0.2 2010.04.16 -
AntiVir 7.10.6.114 2010.04.16 -
Antiy-AVL 2.0.3.7 2010.04.16 -
Authentium 5.2.0.5 2010.04.16 -
Avast 4.8.1351.0 2010.04.16 -
Avast5 5.0.332.0 2010.04.16 -
AVG 9.0.0.787 2010.04.16 -
BitDefender 7.2 2010.04.16 -
CAT-QuickHeal 10.00 2010.04.16 -
ClamAV 0.96.0.3-git 2010.04.16 -
Comodo 4615 2010.04.16 -
DrWeb 5.0.2.03300 2010.04.16 -
eSafe 7.0.17.0 2010.04.15 Win32.TrojanHorse
eTrust-Vet 35.2.7429 2010.04.16 -
F-Prot 4.5.1.85 2010.04.16 -
F-Secure 9.0.15370.0 2010.04.16 -
Fortinet 4.0.14.0 2010.04.16 -
GData 19 2010.04.16 -
Ikarus T3.1.1.80.0 2010.04.16 -
Jiangmin 13.0.900 2010.04.16 -
Kaspersky 7.0.0.125 2010.04.16 -
McAfee 5.400.0.1158 2010.04.16 -
McAfee-GW-Edition 6.8.5 2010.04.16 -
Microsoft 1.5605 2010.04.16 -
NOD32 5033 2010.04.16 -
Norman 6.04.11 2010.04.16 -
nProtect 2010-04-16.01 2010.04.16 -
Panda 10.0.2.7 2010.04.15 -
PCTools 7.0.3.5 2010.04.16 -
Prevx 3.0 2010.04.16 -
Rising 22.43.04.04 2010.04.16 -
Sophos 4.52.0 2010.04.16 -
Sunbelt 6183 2010.04.16 -
Symantec 20091.2.0.41 2010.04.16 -
TheHacker 6.5.2.0.262 2010.04.15 -
TrendMicro 9.120.0.1004 2010.04.15 -
VBA32 3.12.12.4 2010.04.15 -
ViRobot 2010.4.16.2280 2010.04.16 -
VirusBuster 5.0.27.0 2010.04.16 -
weitere Informationen
File size: 21584 bytes
MD5...: 338c86357871c167a96ab976519bf59e
SHA1..: e99e20970139fb1e67bbc54fa8a61c18a4fce36e
SHA256: f28cc534523d1701b0552f5d7e18e88369c4218bdb1f69110c3e31d395884ad6
ssdeep: 384:SN+KUt2BtUXbyTHoCtGRZjNVAsRMNSChq3BLWErUwW9Qu5VpBjbOjBMmhyMD
:adUtytUXbyTICtGjNMNbcxHJudkMmwMD
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x603e
timedatestamp.....: 0x4a5bbf13 (Mon Jul 13 23:11:15 2009)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2472 0x2600 6.22 9b9f242740c0a1c2494b23ae50935e6d
.rdata 0x4000 0xae 0x200 1.54 1833a5650ae0f8256ba78bf8ed79d6e1
.data 0x5000 0xc 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x6000 0x38c 0x400 4.66 392ce67c807da67e018ad9cf892fde4c
.rsrc 0x7000 0x3f0 0x400 3.41 ecb60c1c006d2813169c8bcfe271a200
.reloc 0x8000 0xd2 0x200 2.47 035f51da8bf9893e51952ac185994f14

( 2 imports )
> ataport.SYS: AtaPortNotification, AtaPortQuerySystemTime, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortCopyMemory, AtaPortEtwTraceLog, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> NTOSKRNL.exe: KeTickCount

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
__________________
Alt 16.04.2010, 20:58   #48
Larusso
/// Selecta Jahrusso
 
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Standard

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


Wie sieht es mit der OTLPE Logfile aus ?

Ich würde dir schonmal eine Sicherung der wichtigsten Daten ans Herz legen.
__________________
__________________
Alt 16.04.2010, 21:02   #49
Dev
 
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Standard

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


Hmm, hoffe das ist die richtige. Müsste sie jedenfalls sein.

Wenn es am Ende aufs Formatieren hinausläuft, kann man das wohl nichts ändern. Vorwerfen, dass ihr nicht alles versucht habt, kann ich jedenfalls nicht

OTLPE:

Zitat:
OTL logfile created on: 4/16/2010 4:13:41 PM - Run
OTLPE by OldTimer - Version 3.1.37.1 Folder = X:\Programs\OTLPE
Windows 7 Professional (Version = 6.1.7600) - Type = System
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 123.49 Gb Total Space | 44.57 Gb Free Space | 36.09% Space Free | Partition Type: NTFS
Drive D: | 70.00 Gb Total Space | 13.09 Gb Free Space | 18.69% Space Free | Partition Type: NTFS
Drive E: | 29.25 Gb Total Space | 3.76 Gb Free Space | 12.87% Space Free | Partition Type: NTFS
Drive F: | 7.55 Gb Total Space | 7.55 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
Drive G: | 10.00 Gb Total Space | 1.85 Gb Free Space | 18.53% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/03/16 09:36:29 | 000,267,432 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 03:28:01 | 000,135,336 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/02/05 17:23:28 | 000,326,792 | ---- | M] (Valve Corporation) [On_Demand] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/08/17 21:36:08 | 000,176,128 | ---- | M] (AMD) [Auto] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/07/20 07:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/13 21:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 21:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 21:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 21:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 21:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 21:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 21:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 21:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 21:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 21:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 21:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 21:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 21:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 21:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV)
SRV - [2009/07/13 21:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 21:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/05/15 02:35:52 | 000,935,208 | ---- | M] (Nero AG) [Auto] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008/05/06 11:03:08 | 000,221,239 | ---- | M] (IDT, Inc.) [Auto] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\stacsv.exe -- (STacSV)
SRV - [2008/02/28 11:51:50 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\AEstSrv.exe -- (AESTFilters)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (Pcouffin)
DRV - File not found [Kernel | On_Demand] -- -- (GarenaPEngine)
DRV - File not found [Kernel | On_Demand] -- -- (DFUBTUSB)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2010/04/12 10:38:42 | 000,021,584 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\tskBE01.tmp -- (atapi)
DRV - [2010/03/01 03:05:19 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 07:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/08/17 22:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/13 21:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 21:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 21:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 21:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 21:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 21:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 21:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 21:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 21:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot] -- C:\Windows\System32\drivers\amdxata.sys -- (amdxata)
DRV - [2009/07/13 21:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 21:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 21:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 21:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 21:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 21:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 21:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 21:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/13 21:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 21:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 21:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 21:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 21:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 21:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 21:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 21:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 21:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 21:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 21:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 21:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 21:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 21:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 21:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 21:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 21:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 21:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 21:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 21:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 21:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 21:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 21:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 21:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 21:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\cng.sys -- (CNG)
DRV - [2009/07/13 20:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 20:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 20:01:41 | 000,007,168 | ---- | M] () [Kernel | System] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 19:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 19:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 19:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 19:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/13 19:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 19:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 19:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 19:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 19:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 19:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 19:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 19:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 19:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 19:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 19:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 19:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 19:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 19:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 19:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 18:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 18:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 18:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 18:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 18:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 18:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 18:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 18:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 18:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/06/17 12:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 12:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/05/11 03:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/06/03 12:30:22 | 000,144,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\OA001Ufd.sys -- (OA001Ufd)
DRV - [2008/06/02 06:44:12 | 001,207,288 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2008/06/02 06:44:02 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
DRV - [2008/05/12 20:01:00 | 000,277,504 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\OA001Vid.sys -- (OA001Vid)
DRV - [2008/05/06 11:04:42 | 000,379,904 | ---- | M] (IDT, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2008/04/18 17:43:40 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/02/15 13:01:18 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/01/29 15:08:46 | 000,203,264 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\k57nd60x.sys -- (k57nd60x) Broadcom NetLink (TM)
DRV - [2008/01/29 13:46:58 | 000,029,736 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\btwl2cap.sys -- (btwl2cap)
DRV - [2008/01/29 12:54:02 | 000,081,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)
DRV - [2008/01/29 12:54:02 | 000,017,448 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)
DRV - [2008/01/29 12:54:00 | 000,100,392 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)
DRV - [2007/12/18 12:12:12 | 000,054,784 | ---- | M] (ITE Tech. Inc. ) [Kernel | On_Demand] -- C:\Windows\System32\drivers\itecir.sys -- (itecir)
DRV - [2007/07/30 06:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/30 05:42:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




IE - HKU\Tobi_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\Tobi_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\Tobi_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 60 40 93 27 00 DC CA 01 [binary data]
IE - HKU\Tobi_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Tobi_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/14 15:22:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/06 11:09:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/18 07:09:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/02/11 05:58:58 | 000,000,000 | ---D | M]

[2010/04/15 04:41:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/30 11:31:13 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/04/06 11:08:55 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010/04/06 11:08:55 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml
[2010/04/06 11:08:55 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010/04/06 11:08:55 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010/04/06 11:08:55 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010/04/12 16:12:02 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKU\Tobi_ON_C..\Run: [Octoshape Streaming Services] C:\Users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)
O4 - HKU\Tobi_ON_C..\Run: [PPAP] C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe (PPLive Corporation)
O4 - HKU\Tobi_ON_C..\Run: [Steam] C:\Spiele\Steam\Steam.exe (Valve Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10a.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\Default\Anwendungsdaten [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\AppData [2009/07/13 22:37:05 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Default\Application Data [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Desktop [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Documents [2009/11/01 09:09:48 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Downloads [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Druckumgebung [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Eigene Dateien [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Favorites [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Links [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Local Settings [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Lokale Einstellungen [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Music [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\My Documents [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\NetHood [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Netzwerkumgebung [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\NTUSER.DAT ()
O4 - Startup: C:\Users\Default\NTUSER.DAT.LOG ()
O4 - Startup: C:\Users\Default\NTUSER.DAT.LOG1 ()
O4 - Startup: C:\Users\Default\NTUSER.DAT.LOG2 ()
O4 - Startup: C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf ()
O4 - Startup: C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Default\Pictures [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\PrintHood [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Recent [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Saved Games [2009/07/13 22:04:25 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Default\SendTo [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Start Menu [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Startmenü [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Templates [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Videos [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Vorlagen [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Anwendungsdaten [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\AppData [2009/07/13 22:37:05 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Default User\Application Data [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Desktop [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default User\Documents [2009/11/01 09:09:48 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default User\Downloads [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default User\Druckumgebung [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Eigene Dateien [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Favorites [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default User\Links [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default User\Local Settings [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Lokale Einstellungen [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Music [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default User\My Documents [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\NetHood [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Netzwerkumgebung [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\NTUSER.DAT ()
O4 - Startup: C:\Users\Default User\NTUSER.DAT.LOG ()
O4 - Startup: C:\Users\Default User\NTUSER.DAT.LOG1 ()
O4 - Startup: C:\Users\Default User\NTUSER.DAT.LOG2 ()
O4 - Startup: C:\Users\Default User\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf ()
O4 - Startup: C:\Users\Default User\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Default User\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Default User\Pictures [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default User\PrintHood [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Recent [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Saved Games [2009/07/13 22:04:25 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Default User\SendTo [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Start Menu [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Startmenü [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Templates [2009/07/14 00:53:55 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default User\Videos [2009/07/13 22:04:25 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default User\Vorlagen [2009/11/01 09:09:48 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Public\.DS_Store ()
O4 - Startup: C:\Users\Public\AppData [2010/04/11 12:29:05 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Public\Desktop [2010/04/14 11:23:56 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Users\Public\Documents [2009/11/08 16:25:21 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Downloads [2009/07/14 00:41:57 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Favorites [2009/07/13 22:04:25 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Users\Public\Libraries [2009/11/01 09:09:48 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Users\Public\Music [2009/07/14 00:41:57 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Pictures [2009/07/14 00:41:57 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Recorded TV [2009/07/14 04:56:56 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Videos [2009/07/14 00:41:57 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\.gimp-2.6 [2009/12/10 09:20:41 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Tobi\.recently-used.xbel ()
O4 - Startup: C:\Users\Tobi\.thumb [2009/12/10 16:46:26 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Tobi\.thumbnails [2009/12/10 09:11:15 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Tobi\Anwendungsdaten [2009/11/01 09:10:05 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Tobi\AppData [2009/11/01 09:10:05 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Tobi\Bluetooth Software [2009/11/01 09:40:26 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Tobi\Contacts [2009/11/01 09:10:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Cookies [2009/11/01 09:10:05 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Tobi\defogger_reenable ()
O4 - Startup: C:\Users\Tobi\Desktop [2010/04/16 08:52:43 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Documents [2010/02/05 12:21:07 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Downloads [2009/11/01 10:02:11 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Druckumgebung [2009/11/01 09:10:05 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Tobi\Documents [2010/02/05 12:21:07 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Favorites [2009/11/01 09:11:21 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Links [2009/11/01 09:10:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Lokale Einstellungen [2009/11/01 09:10:05 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Tobi\Music [2009/12/21 19:41:02 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Netzwerkumgebung [2009/11/01 09:10:05 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Tobi\NTUSER.DAT ()
O4 - Startup: C:\Users\Tobi\ntuser.dat.LOG ()
O4 - Startup: C:\Users\Tobi\ntuser.dat.LOG1 ()
O4 - Startup: C:\Users\Tobi\ntuser.dat.LOG2 ()
O4 - Startup: C:\Users\Tobi\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf ()
O4 - Startup: C:\Users\Tobi\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Tobi\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Tobi\ntuser.ini ()
O4 - Startup: C:\Users\Tobi\Pictures [2009/11/08 16:25:28 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Recent [2009/11/01 09:10:05 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Tobi\Saved Games [2009/11/01 09:10:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Searches [2009/11/01 09:10:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\SendTo [2009/11/01 09:10:05 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Tobi\Startmenü [2009/11/01 09:10:05 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Tobi\Videos [2010/02/11 05:58:50 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Tobi\Vorlagen [2009/11/01 09:10:05 | 000,000,000 | -HSD | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\Tobi_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Program Files\ICQ7.0\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Program Files\ICQ7.0\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPTV\PPLive.exe (PPLive Corporation)
O9 - Extra 'Tools' menuitem : PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPTV\PPLive.exe (PPLive Corporation)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/16 08:52:43 | 000,000,000 | ---D | C] -- C:\Users\Tobi\Desktop\FileLister
[2010/04/15 15:19:47 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/04/15 15:18:16 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/04/15 15:07:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/04/14 12:49:44 | 003,954,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/04/14 12:49:44 | 003,899,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/04/14 12:08:04 | 000,000,000 | ---D | C] -- C:\Program Files\LSoft Technologies
[2010/04/14 12:07:20 | 004,940,440 | ---- | C] (Macrovision Corporation) -- C:\Users\Tobi\Desktop\IsoBurner-Setup.exe
[2010/04/14 11:19:54 | 000,427,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/04/13 12:33:35 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/04/12 16:10:26 | 000,000,000 | ---D | C] -- C:\Users\Tobi\AppData\Local\temp
[2010/04/12 15:57:04 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/04/12 15:42:26 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\Tobi\Desktop\TFC.exe
[2010/04/12 15:01:50 | 000,880,624 | ---- | C] (Duplex Secure Ltd.) -- C:\Users\Tobi\Desktop\SPTDinst-v162-x86.exe
[2010/04/12 15:00:45 | 001,065,968 | ---- | C] (Duplex Secure Ltd.) -- C:\Users\Tobi\Desktop\SPTDinst-v162-x64.exe
[2010/04/12 10:38:11 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Users\Tobi\Desktop\TDSSKiller.exe
[2010/04/11 12:15:23 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/04/11 12:15:23 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/04/11 12:15:23 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/04/11 12:15:07 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/04/11 12:13:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/11 06:26:07 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/11 06:25:36 | 005,650,240 | ---- | C] (SurfRight B.V.) -- C:\Users\Tobi\Desktop\HitmanPro35.exe
[2010/04/10 19:08:11 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/10 17:00:38 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\Tobi\Desktop\OTL.exe
[2010/04/10 13:21:43 | 000,000,000 | ---D | C] -- C:\Users\Tobi\AppData\Roaming\Avira
[2010/04/10 12:18:03 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2010/04/10 12:18:02 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010/04/10 12:18:02 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntdd.sys
[2010/04/10 12:18:02 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntmgr.sys
[2010/04/10 11:51:23 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/10 11:51:20 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/10 11:50:39 | 005,918,776 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Tobi\Desktop\mbam-setup-1.45.exe
[2010/04/10 07:53:06 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/04/10 07:53:06 | 000,000,000 | ---D | C] -- C:\rsit
[2010/04/09 04:52:17 | 000,000,000 | ---D | C] -- C:\Users\Tobi\AppData\Roaming\Malwarebytes
[2010/04/09 04:52:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/09 04:51:35 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/08 15:18:27 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/04/08 09:18:52 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/03/31 09:17:08 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/03/31 09:17:08 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/03/31 09:17:08 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/03/30 11:30:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/03/26 13:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\3DO Shared
[2010/03/26 13:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\3DO
[2010/03/26 13:58:05 | 000,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\Windows\IsUninst.exe
[2010/03/21 07:11:15 | 000,000,000 | ---D | C] -- C:\Users\Tobi\AppData\Local\Zattoo
[2010/03/21 07:09:44 | 000,000,000 | ---D | C] -- C:\Program Files\Zattoo4
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/16 08:54:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/16 08:52:21 | 000,020,359 | ---- | M] () -- C:\Users\Tobi\Desktop\FileLister.zip
[2010/04/16 08:24:00 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/16 08:22:57 | 000,001,088 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/16 08:22:43 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/16 08:22:28 | 2411,872,256 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/16 05:29:57 | 000,013,248 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/16 05:29:57 | 000,013,248 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/15 16:48:41 | 002,850,878 | -H-- | M] () -- C:\Users\Tobi\AppData\Local\IconCache.db
[2010/04/15 15:22:03 | 000,013,319 | ---- | M] () -- C:\OTL.zip
[2010/04/15 15:16:52 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/04/15 15:07:36 | 003,916,476 | R--- | M] () -- C:\Users\Tobi\Desktop\Combo-Fix.exe
[2010/04/15 14:51:44 | 000,293,376 | ---- | M] () -- C:\Users\Tobi\Desktop\kz2ufo7c.exe
[2010/04/15 14:36:06 | 000,015,944 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/04/15 14:23:55 | 000,036,956 | ---- | M] () -- C:\Users\Tobi\Desktop\Unbenannt.JPG
[2010/04/15 13:26:00 | 001,472,002 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/15 13:26:00 | 000,643,866 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010/04/15 13:26:00 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/15 13:26:00 | 000,126,394 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010/04/15 13:26:00 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/15 13:03:22 | 000,079,996 | ---- | M] () -- C:\Users\Tobi\Desktop\transfermarkt.JPG
[2010/04/14 12:19:08 | 290,242,560 | ---- | M] () -- C:\Users\Tobi\Desktop\OTLPE.iso
[2010/04/14 12:07:31 | 004,940,440 | ---- | M] (Macrovision Corporation) -- C:\Users\Tobi\Desktop\IsoBurner-Setup.exe
[2010/04/14 11:20:27 | 000,100,908 | ---- | M] () -- C:\Users\Tobi\Desktop\SystemLook.exe
[2010/04/13 15:55:45 | 000,000,113 | ---- | M] () -- C:\Users\Tobi\Desktop\file.bat
[2010/04/13 15:21:15 | 000,008,962 | ---- | M] () -- C:\Users\Tobi\Desktop\winmail.doc
[2010/04/13 15:08:03 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Tobi\Desktop\OTL.exe
[2010/04/12 16:12:02 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/04/12 15:42:27 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\Tobi\Desktop\TFC.exe
[2010/04/12 15:03:05 | 000,880,624 | ---- | M] (Duplex Secure Ltd.) -- C:\Users\Tobi\Desktop\SPTDinst-v162-x86.exe
[2010/04/12 15:02:19 | 001,065,968 | ---- | M] (Duplex Secure Ltd.) -- C:\Users\Tobi\Desktop\SPTDinst-v162-x64.exe
[2010/04/12 11:13:07 | 000,023,899 | ---- | M] () -- C:\Users\Tobi\Desktop\OTL.zip
[2010/04/12 10:47:23 | 000,021,560 | ---- | M] () -- C:\Users\Tobi\Desktop\OTL.rar
[2010/04/11 17:14:34 | 000,404,310 | ---- | M] () -- C:\Users\Tobi\Desktop\ergebnis.xps
[2010/04/11 13:38:16 | 377,442,582 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/04/11 13:18:33 | 000,050,477 | ---- | M] () -- C:\Users\Tobi\Desktop\Defogger.exe
[2010/04/11 06:45:19 | 000,000,234 | ---- | M] () -- C:\Windows\System32\.crusader
[2010/04/11 06:26:01 | 005,650,240 | ---- | M] (SurfRight B.V.) -- C:\Users\Tobi\Desktop\HitmanPro35.exe
[2010/04/11 06:14:00 | 042,341,360 | ---- | M] () -- C:\Users\Tobi\Desktop\avira_antivir_personal10_de.exe
[2010/04/10 11:51:02 | 005,918,776 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Tobi\Desktop\mbam-setup-1.45.exe
[2010/04/10 11:36:53 | 000,781,909 | ---- | M] () -- C:\Users\Tobi\Desktop\RSIT.exe
[2010/04/10 07:54:12 | 000,002,043 | ---- | M] () -- C:\Users\Tobi\Desktop\HijackThis.lnk
[2010/04/09 04:51:38 | 000,001,835 | ---- | M] () -- C:\Users\Tobi\Desktop\CCleaner.lnk
[2010/03/29 18:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/29 18:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/28 15:58:51 | 000,001,153 | ---- | M] () -- C:\Users\Tobi\Desktop\Frozen Throne - Verknüpfung.lnk
[2010/03/24 14:02:46 | 000,014,476 | ---- | M] () -- C:\Users\Tobi\Desktop\OT4749926968902302117398232.pdf
[2010/03/22 11:57:43 | 000,119,506 | ---- | M] () -- C:\Windows\War3Unin.dat
[2010/03/22 04:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Users\Tobi\Desktop\TDSSKiller.exe
[2010/03/21 07:14:44 | 000,017,408 | ---- | M] () -- C:\Users\Tobi\AppData\Local\WebpageIcons.db
[2010/03/21 07:09:46 | 000,001,818 | ---- | M] () -- C:\Users\Tobi\Desktop\Zattoo.lnk
[2010/03/18 12:00:32 | 003,163,136 | ---- | M] () -- C:\Users\Tobi\Desktop\Elektrotechnik WS 2009.doc
[2010/03/17 17:33:16 | 000,001,792 | ---- | M] () -- C:\Users\Tobi\Desktop\ICQ7.lnk
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/16 08:52:20 | 000,020,359 | ---- | C] () -- C:\Users\Tobi\Desktop\FileLister.zip
[2010/04/15 16:42:54 | 000,012,043 | ---- | C] () -- C:\Users\Tobi\Desktop\svcwht.dat
[2010/04/15 15:22:03 | 000,013,319 | ---- | C] () -- C:\OTL.zip
[2010/04/15 15:07:35 | 003,916,476 | R--- | C] () -- C:\Users\Tobi\Desktop\Combo-Fix.exe
[2010/04/15 14:51:44 | 000,293,376 | ---- | C] () -- C:\Users\Tobi\Desktop\kz2ufo7c.exe
[2010/04/15 14:23:55 | 000,036,956 | ---- | C] () -- C:\Users\Tobi\Desktop\Unbenannt.JPG
[2010/04/15 13:03:21 | 000,079,996 | ---- | C] () -- C:\Users\Tobi\Desktop\transfermarkt.JPG
[2010/04/14 12:08:04 | 290,242,560 | ---- | C] () -- C:\Users\Tobi\Desktop\OTLPE.iso
[2010/04/14 11:20:26 | 000,100,908 | ---- | C] () -- C:\Users\Tobi\Desktop\SystemLook.exe
[2010/04/13 15:55:45 | 000,000,113 | ---- | C] () -- C:\Users\Tobi\Desktop\file.bat
[2010/04/13 15:21:15 | 000,008,962 | ---- | C] () -- C:\Users\Tobi\Desktop\winmail.doc
[2010/04/13 12:30:20 | 000,731,136 | ---- | C] () -- C:\Users\Tobi\Desktop\avenger.exe
[2010/04/12 11:13:07 | 000,023,899 | ---- | C] () -- C:\Users\Tobi\Desktop\OTL.zip
[2010/04/12 10:47:23 | 000,021,560 | ---- | C] () -- C:\Users\Tobi\Desktop\OTL.rar
[2010/04/11 17:14:32 | 000,404,310 | ---- | C] () -- C:\Users\Tobi\Desktop\ergebnis.xps
[2010/04/11 13:18:33 | 000,050,477 | ---- | C] () -- C:\Users\Tobi\Desktop\Defogger.exe
[2010/04/11 12:15:23 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/04/11 12:15:23 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/04/11 12:15:23 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/04/11 12:15:23 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/04/11 12:15:23 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/04/11 06:45:19 | 000,000,234 | ---- | C] () -- C:\Windows\System32\.crusader
[2010/04/11 06:26:22 | 000,015,944 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/04/10 12:13:41 | 042,341,360 | ---- | C] () -- C:\Users\Tobi\Desktop\avira_antivir_personal10_de.exe
[2010/04/10 07:54:37 | 000,781,909 | ---- | C] () -- C:\Users\Tobi\Desktop\RSIT.exe
[2010/04/10 07:54:12 | 000,002,043 | ---- | C] () -- C:\Users\Tobi\Desktop\HijackThis.lnk
[2010/04/09 06:47:31 | 377,442,582 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/04/09 04:51:38 | 000,001,835 | ---- | C] () -- C:\Users\Tobi\Desktop\CCleaner.lnk
[2010/03/24 14:02:46 | 000,014,476 | ---- | C] () -- C:\Users\Tobi\Desktop\OT4749926968902302117398232.pdf
[2010/03/21 07:11:15 | 000,017,408 | ---- | C] () -- C:\Users\Tobi\AppData\Local\WebpageIcons.db
[2010/03/21 07:09:46 | 000,001,818 | ---- | C] () -- C:\Users\Tobi\Desktop\Zattoo.lnk
[2010/03/18 12:00:15 | 003,163,136 | ---- | C] () -- C:\Users\Tobi\Desktop\Elektrotechnik WS 2009.doc
[2010/03/17 17:33:16 | 000,001,792 | ---- | C] () -- C:\Users\Tobi\Desktop\ICQ7.lnk
[2009/12/17 13:26:30 | 000,000,055 | ---- | C] () -- C:\Windows\wininit.ini
[2009/12/10 17:22:10 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009/11/01 17:38:13 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/11/01 17:09:50 | 000,011,776 | ---- | C] () -- C:\Users\Tobi\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/01 09:28:52 | 000,055,808 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2009/07/13 20:02:54 | 000,245,248 | ---- | C] () -- C:\Windows\System32\DShowRdpFilter.dll
[2009/07/13 20:01:41 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\RDPREFMP.sys
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008/12/10 05:11:04 | 000,002,045 | -H-- | C] () -- C:\Windows\System32\whlpda32e.dll
[2001/11/14 08:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2009/12/09 16:09:18 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\EPSON
[2009/12/10 09:20:39 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\gtk-2.0
[2010/04/15 15:04:34 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\ICQ
[2009/11/01 09:56:46 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\Leadertech
[2009/12/06 10:29:34 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\Microgaming
[2009/11/03 15:35:17 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\Octoshape
[2009/11/20 17:01:02 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\Opera
[2009/12/08 18:45:03 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\Pegasys Inc
[2010/03/16 08:48:08 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\PPLive
[2009/11/01 10:00:01 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\Thunderbird
[2009/12/10 14:23:04 | 000,000,000 | ---D | M] -- C:\Users\Tobi\AppData\Roaming\Video DVD Maker FREE
[2010/04/15 06:51:01 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========



< c:\windows\system32\drivers\*.sys /90 >
[2010/02/16 07:24:01 | 000,060,936 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010/03/01 03:05:19 | 000,124,784 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010/04/15 14:36:06 | 000,015,944 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/03/29 18:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/29 18:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/27 03:32:05 | 000,123,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb.sys
[2010/02/27 03:32:26 | 000,221,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys
[2010/02/27 03:32:12 | 000,095,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys
[1 c:\windows\system32\drivers\*.tmp files -> c:\windows\system32\drivers\*.tmp -> ]
< End of report >

Alt 16.04.2010, 21:27   #50
Larusso
/// Selecta Jahrusso
 
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Standard

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


Okay einen Versuch gebe ich uns noch.
Hast Du die dateien mittels OTLPE kopiert ? Das ist nämlich wichtig

Speichere folgendes Skript als fix.txt auf dem Desktop

Code:
ATTFilter
:otl
DRV - File not found [Kernel | On_Demand] -- -- (GarenaPEngine)
:files
c:\programdata\5XAtt3xo2.dat
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys|C:\Windows\System32\drivers\atapi.sys /replace
:commands
[emptytemp]
Starte OTLPE und klicke auf den Run Fix Button. Wenn du nach einem Script gefragt wirst, wähle die fix.txt von deinem Desktop und klicke auf öffnen --> Run Fix


Lösche die aktuelle GMER Logfile und lade dir eine neue Version von hier herunter.




Poste mir die Logfile von Gmer

(Ich will das Ding finden -.- )

__________________
mfg, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Lerne, zurück zu schlagen und unterstütze uns!
TB Akademie
Alt 16.04.2010, 22:44   #51
Dev
 
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Standard

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


Jo, wurde per OTLPE kopiert.

Hier aktueller GMER log:

Zitat:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-17 00:42:38
Windows 6.1.7600
Running: 6lm7o3dq.exe; Driver: C:\Users\Tobi\AppData\Local\Temp\kxddqpow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83233AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83233104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832333F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8321C2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8321B898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832331DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83233958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832336F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83233F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832341A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E4C5C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E71052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90C34000, 0x2D5378, 0xE8000020]
.text peauth.sys 99612C9D 28 Bytes [84, 92, 05, 14, 23, 44, 66, ...]
.text peauth.sys 99612CC1 28 Bytes [84, 92, 05, 14, 23, 44, 66, ...]
PAGE peauth.sys 99618E20 101 Bytes [89, 51, 90, D6, A1, 70, 64, ...]
PAGE peauth.sys 9961902C 102 Bytes [10, DE, 13, 7F, 68, 8D, E6, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A7422000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A7422123 486 Bytes [D5, 41, A7, FE, 05, 34, D5, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 529A A742230A 142 Bytes [41, A7, 3B, 08, 77, 04, 3B, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A7422399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A74223FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1008] ntdll.dll!NtProtectVirtualMemory 76EC5360 5 Bytes JMP 0025000A
.text C:\Windows\system32\svchost.exe[1008] ntdll.dll!NtWriteVirtualMemory 76EC5EE0 5 Bytes JMP 003E000A
.text C:\Windows\system32\svchost.exe[1008] ntdll.dll!KiUserExceptionDispatcher 76EC6448 5 Bytes JMP 0024000A
.text C:\Program Files\Winamp Remote\bin\OrbTray.exe[3100] kernel32.dll!SetUnhandledExceptionFilter 75323162 5 Bytes JMP 00413C70 C:\Program Files\Winamp Remote\bin\OrbTray.exe (Orb/Orb Networks)
.text C:\Windows\Explorer.EXE[3112] ntdll.dll!NtProtectVirtualMemory 76EC5360 5 Bytes JMP 0055000A
.text C:\Windows\Explorer.EXE[3112] ntdll.dll!NtWriteVirtualMemory 76EC5EE0 5 Bytes JMP 0056000A
.text C:\Windows\Explorer.EXE[3112] ntdll.dll!KiUserExceptionDispatcher 76EC6448 5 Bytes JMP 001D000A
.text C:\Program Files\Winamp Remote\bin\Orb.exe[3736] kernel32.dll!SetUnhandledExceptionFilter 75323162 5 Bytes JMP 00402CD0 C:\Program Files\Winamp Remote\bin\Orb.exe (Orb Application/Orb Networks, Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73D62494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D45624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D456E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73D6250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73D58573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73D54D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73D550CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73D551A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73D566D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73D582CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73D58819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73D5907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73D5E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73D54C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86477AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
beim run fix gabs kein log, hoffe das ist normal

Alt 17.04.2010, 06:42   #52
Larusso
/// Selecta Jahrusso
 
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Standard

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


Hy, sichere bitte einmal deine persönlichen Daten. Wenn meine nächste Idee in die Hose geht, dann wirds wohl oder übel zum formatieren

Gib mir bitte bescheid wenn Du das erledigt hast.
__________________
mfg, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Lerne, zurück zu schlagen und unterstütze uns!
TB Akademie
Alt 17.04.2010, 11:51   #53
Dev
 
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Standard

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


So Windows Partition ist gesichert. Sollte ja reichen, oder kann auch was mit den Daten der anderen Partitionen passieren?

Alt 17.04.2010, 22:34   #54
Larusso
/// Selecta Jahrusso
 
TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Standard

TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


Am besten alle persönlichen Dateien sichern. Keine ausführbaren Dateien. Insbesondere .sys Dateien
__________________
mfg, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Lerne, zurück zu schlagen und unterstütze uns!
TB Akademie
Antwort
Seite 4 von 4 « Erste 23 4

Themen zu TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe
.dll, 0 bytes, administratorrechte, antivir, audiodg.exe, avg, conhost.exe, desktop, dwm.exe, erste mal, fehler, jusched.exe, log, löschen, modul, musik, netzwerk, neustart, nicht gefunden, nt.dll, prozess, prozesse, quelldatei, recycle.bin, registry, scan, services.exe, skype.exe, starten, sttray.exe, suchlauf, svchost.exe, system, taskhost.exe, temp, tr/crypt.xpack.ge, trojaner, versteckte objekte, verweise, virus gefunden, windows, winlogon.exe


« Backdoor Trojaner Hilfe!!! | ICQ Virus/Spammer - Spammt downloadlink seiner datei in icq »


Ähnliche Themen: TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe


  1. tr crypt.zpack.gen im Temp Ordner
    Plagegeister aller Art und deren Bekämpfung - 18.11.2010 (20)
  2. TR/Crypt.ZPACK.Gen in C:\Users\***\AppData\Local\Temp\eapp32hst.dl
    Plagegeister aller Art und deren Bekämpfung - 18.10.2010 (18)
  3. Antivir meldet C:\Windows\temp\xxxx.tmp (TR/Crypt.ZPACK.Gen) alle paar Minuten
    Plagegeister aller Art und deren Bekämpfung - 10.10.2010 (4)
  4. TR\Crypt.ZPACK.Gen in C:\Windows\Temp\gsxm.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 01.05.2010 (1)
  5. Datensicherung bei TR/Crypt.ZPack.Gen Temp Ordner
    Plagegeister aller Art und deren Bekämpfung - 01.05.2010 (1)
  6. TR/Crypt.ZPACK.Gen C:\WINDOWS\Temp\uagx.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 01.05.2010 (1)
  7. Trojaner TR/Crypt.ZPACK.gen in C:/WINDOWS/TEMP/xxxx.temp/svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 30.04.2010 (33)
  8. Antivir meldet TR/Crypt.ZPACK.Gen in C/Windows/Temp/xxxx.tmp/svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 26.04.2010 (2)
  9. Avira meldet TR/Crypt.ZPACK.Gen in C:\Windows\Temp\xxxx.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 24.04.2010 (1)
  10. Antivir meldet TR/Crypt.ZPACK.Gen in C/Windows/Temp/xxxx.tmp/svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 24.04.2010 (4)
  11. TR/Crypt.ZPACK.Gen in C:\Temp\bcot.tmp\svchost.exe , C:\Temp\qmub.tmp\svchost.exe usw
    Plagegeister aller Art und deren Bekämpfung - 12.04.2010 (1)
  12. TR/Crypt.ZPACK.Gen in SVCHOST.exe
    Plagegeister aller Art und deren Bekämpfung - 09.04.2010 (1)
  13. AntiVir: C:\Windows\Tem\dtnp.tmp\svchost.exe Is the TR/Crypt.ZPACK.Gen Trojan
    Plagegeister aller Art und deren Bekämpfung - 06.04.2010 (45)
  14. Antivir meldet C:\Windows\temp\xxxx.tmp (TR/Crypt.ZPACK.Gen) alle 10 Minuten
    Plagegeister aller Art und deren Bekämpfung - 04.11.2009 (6)
  15. 'TR/Crypt.ZPACK.Gen' in 'C:\WINDOWS\Temp\akjo.tmp'
    Log-Analyse und Auswertung - 03.11.2009 (5)
  16. TR/Crypt.ZPACK.Gen in C:\WINDOWS\Temp\
    Plagegeister aller Art und deren Bekämpfung - 31.10.2009 (11)
  17. TR/Crypt.ZPACK.Gen in C:\WINDOWS\Temp\b2.exe
    Plagegeister aller Art und deren Bekämpfung - 27.07.2009 (1)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe - Bei Filelister, hast Du das Tool als Admin gestartet? Besteht ein Ordner Filelister auf dem Desktop? Wenn nicht, kann es sein das die Log auf dem Desktop ist oder nit - TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe...
Archiv
Du betrachtest: TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131