sdra64.exe ++

silxc · 28.04.2010, 20:33

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:37, on 29.4.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WZShutdown\P_zero.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\D-Link\AirPlus G DWL-G510\AirGCFG.exe
C:\WINDOWS\ATKKBService.exe
C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Programme\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOKUME~1\TISCHL~1\LOKALE~1\Temp\smss.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\Programme\Opera\Opera.exe
C:\WINDOWS\Fdotoa.exe
C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: C:\WINDOWS\system32\ep8h80ikt.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\ep8h80ikt.dll
O4 - HKLM\..\Run: [WZShutdown] C:\WZShutdown\P_zero.exe -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [D-Link AirPlus G DWL-G510] C:\Programme\D-Link\AirPlus G DWL-G510\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-790525478-1580436667-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Besitzer')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\ep8h80ikt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Programme\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programme\Sandboxie\SbieSvc.exe

--
End of file - 4334 bytes

FLr hat sich in den autostart gesetzt, scheint wohl ein Backdoor-trojaner zu sein

Chris4You · 28.04.2010, 20:51

Hi,

bevor ich mich verkünstele:

Malwarebytes Antimalware (MAM)
Anleitung&Download hier: http://www.trojaner-board.de/51187-m...i-malware.html
Falls der Download nicht klappt, bitte hierüber eine generische Version runterladen:
http://filepony.de/download-chameleon/
Danach bitte update der Signaturdateien (Reiter "Update" -> Suche nach Aktualisierungen")
Fullscan und alles bereinigen lassen! Log posten.

OTL
Lade Dir OTL von Oldtimer herunter (http://filepony.de/download-otl/) und speichere es auf Deinem Desktop

Doppelklick auf die OTL.exe

Vista/Win7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen

Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output

Unter Extra Registry, wähle bitte Use SafeList

Klicke nun auf Run Scan links oben

Wenn der Scan beendet wurde werden 2 Logfiles erstellt

Poste die Logfiles hier in den Thread

chris
Für mich:
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\ep8h80ikt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: C:\WINDOWS\system32\ep8h80ikt.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\ep8h80ikt.dll
C:\DOKUME~1\TISCHL~1\LOKALE~1\Temp\smss.exe
C:\WINDOWS\Fdotoa.exe

silxc · 29.04.2010, 00:39

Hallo , danke für die schnelle antwort.
mbam-log ->

Zitat:

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\Programme\Trend Micro\HijackThis\backups\backup-20100429-211749-343.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Programme\Trend Micro\HijackThis\backups\backup-20100429-211806-463.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Programme\Trend Micro\HijackThis\backups\backup-20100429-212156-904.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\drmva.sys (Rootkit.Agent) -> Delete on reboot.
C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Temp\opj79t4.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Temp\wlzd6.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Temp\sbqhgt.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Temp\fsboz63x.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

extras log ->

Zitat:

OTL Extras logfile created on: 30.4.2010 01:13:34 - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Dokumente und Einstellungen\Tischle\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: d.M.yyyy

3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 80,00% Memory free
6,00 Gb Paging File | 6,00 Gb Available in Paging File | 90,00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 149,05 Gb Total Space | 19,58 Gb Free Space | 13,13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: Tischle-30E793DBB
Current User Name: Tischle
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Programme\Opera\Opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Programme\Opera\opera.exe" (Opera Software)
https [open] -- "C:\Programme\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Programme\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Programme\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Programme\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"56458:TCP" = 56458:TCP:*:Enabled:Pando Media Booster
"56458:UDP" = 56458:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"56458:TCP" = 56458:TCP:*:Enabled:Pando Media Booster
"56458:UDP" = 56458:UDP:*:Enabled:Pando Media Booster
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Programme\Pando Networks\Media Booster\PMB.exe" = C:\Programme\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Neuer Ordner (5)\qip.exe" = C:\Neuer Ordner (5)\qip.exe:*:Enabled:Quiet Internet Pager -- (The Author of QIP)
"C:\Programme\QIP\qip.exe" = C:\Programme\QIP\qip.exe:*:Enabled:Quiet Internet Pager -- (The Author of QIP)
"C:\Programme\VideoLAN\VLC\vlc.exe" = C:\Programme\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Programme\Opera\opera.exe" = C:\Programme\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Programme\Pando Networks\Media Booster\PMB.exe" = C:\Programme\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Programme\Messenger\msmsgs.exe" = C:\Programme\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Team17\Worms2\frontend.exe" = C:\Team17\Worms2\frontend.exe:*:Enabled:Worms 2 Frontend -- File not found
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Xampp\xampp\apache\bin\httpd.exe" = C:\Xampp\xampp\apache\bin\httpd.exe:*:Enabled:Apache HTTP Server -- File not found
"C:\Xampp\xampp\mysql\bin\mysqld.exe" = C:\Xampp\xampp\mysql\bin\mysqld.exe:*:Enabled:The MySQL Server -- File not found"C:\Programme\SopCast\adv\SopAdver.exe" = C:\Programme\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)
"C:\Programme\SopCast\SopCast.exe" = C:\Programme\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)
"C:\Programme\Java\jre6\bin\javaw.exe" = C:\Programme\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Programme\RealVNC\VNC4\vncviewer.exe" = C:\Programme\RealVNC\VNC4\vncviewer.exe:*:Enabled:VNC Viewer Free Edition for Win32 -- File not found
"C:\Programme\Xfire\Xfire.exe" = C:\Programme\Xfire\Xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"C:\Programme\TmNationsForever\TmForever.exe" = C:\Programme\TmNationsForever\TmForever.exe:*:Enabled:TmForever -- ()
"C:\Programme\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe" = C:\Programme\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI) -- ()
"C:\Programme\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe" = C:\Programme\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV) -- ()

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0893078B-8A9A-84D6-D393-119B9B0B033A}" = CCC Help French
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0E2A60F7-2907-5718-FF16-7D8FAF70051E}" = CCC Help Chinese Standard
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{14FAE013-AE19-4FC9-B5BF-E56ADC01ECE6}" = CCC Help Turkish
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{17BB2784-6EE4-D7FF-FE63-58A3AD2B3708}" = CCC Help Russian
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.3
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{233588CF-96D5-46AF-EF74-7EC382662791}" = Catalyst Control Center Graphics Full Existing
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 15
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{29F05234-DCBB-4FE0-88DC-5160C9250312}" = Adobe Photoshop CS3
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}" = ASUS Enhanced Display Driver
"{3260ECBC-9DDF-E7A3-0863-449473BC7BD5}" = CCC Help Chinese Traditional
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{39C6C229-CFFD-639E-229A-E463FCD87478}" = CCC Help German
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{411F3ABA-2AB5-4799-AA19-6ADF0A8F7424}" = Adobe Setup
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{44E240EC-2224-4078-A88B-2CEE0D3016EF}" = Adobe After Effects CS4 Presets
"{45EC816C-0771-4C14-AE6D-72D1B578F4C8}" = Adobe After Effects CS4
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{4F11FC80-CE8C-1BD4-5C39-EBE5744E5135}" = CCC Help Portuguese
"{4FAB2BA7-E16C-95D2-F326-60A68409373F}" = Catalyst Control Center HydraVision Full
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{529AA9A8-5020-6CFB-A809-BC5943C87077}" = CCC Help Thai
"{53604297-26FD-516D-6FF7-1063BA64A0A4}" = Catalyst Control Center Graphics Light
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{55BD3B0B-F054-9341-514F-295A5F7EA450}" = CCC Help Spanish
"{561968FD-56A1-49FD-9ED0-F55482C7C5BC}" = Adobe Media Encoder CS4 Exporter
"{5A4FA9C8-ED56-08C3-153B-FC5C19256290}" = CCC Help Dutch
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}" = Adobe After Effects CS4 Third Party Content
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6C390D51-E5F0-4FCD-24C4-731ACAF34571}" = CCC Help Japanese
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{70C592EC-AE9B-4734-928B-676E824FB41E}" = MFC RunTime files
"{71D4305B-56E6-4971-A799-FB7678A1D1A5}" = ASUS ATI Driver
"{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}" = RollerCoaster Tycoon 2
"{73B5D990-04EA-4751-B10F-5534770B91F2}" = Adobe Color EU Recommended Settings
"{7AA8FA9A-1656-7DBD-633B-FE7A62BBED0C}" = CCC Help Czech
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B128562-681D-4FFA-BEBF-A825985B2CB9}" = AirPlus G DWL-G510
"{8C22131B-8634-CECF-F0D1-A2ECC160B450}" = CCC Help Norwegian
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{90FBE4D0-2ACA-A8A8-2CC4-CFFBAE528504}" = CCC Help Finnish
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{98AD61BF-A229-411A-8723-B5E7F72D725C}" = Opera 10.52
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9D74375E-3012-E7D2-9229-B220C91F326A}" = Catalyst Control Center Core Implementation
"{9EE8BDCA-7505-4895-D91E-8108DD16292E}" = CCC Help English
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A83E1338-52B8-4C99-9289-200AFFBACA65}" = TurbulenceRuntime
"{A8AF8BD3-61B5-7945-4D1B-217421F604FC}" = CCC Help Hungarian
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AA46E1C5-A709-6D9B-D99D-92E4C6E042A9}" = CCC Help Korean
"{AA62A33C-9E5E-3913-7D88-7E58A8CB1493}" = CCC Help Greek
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1031-7B44-A92000000001}" = Adobe Reader 9.2 - Deutsch
"{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}" = Adobe Bridge 1.0
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}" = Adobe MotionPicture Color Files CS4
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B15381DD-FF97-4FCD-A881-ED4DB0975500}" = Adobe Color Video Profiles AE CS4
"{B1AD83A0-DC92-41E3-B111-E9472349768C}" = RollerCoaster Tycoon 2: Wacky Worlds
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B45FABE7-D101-4D99-A671-E16DA40AF7F0}" = Microsoft Games for Windows - LIVE
"{B578C85A-A84C-4230-A177-C5B2AF565B8C}" = Microsoft Games for Windows - LIVE Redistributable
"{B653F643-A1B4-9936-2DB6-FEA9A3110D8D}" = ccc-core-preinstall
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B71C4637-0247-78CE-6A3D-D61645CB8921}" = ccc-utility
"{BA1E1AFD-D1F2-4C52-88C3-186FC5E61604}" = RollerCoaster Tycoon 2: Time Twister
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BC2E7C0B-1AC6-5F6C-F31D-E1E72D8E0B5C}" = CCC Help Danish
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BE9CEAAA-F069-4331-BF2F-8D350F6504F4}" = Adobe Media Encoder CS4 Additional Exporter
"{BF8C7DA7-2DE6-ED67-6C82-6BE82F8BA8D3}" = Catalyst Control Center Graphics Full New
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C409F338-BB20-6C4A-F40D-20CA07AF714C}" = CCC Help Polish
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D4B7B2DC-E688-A9D6-6EC0-56AE540E074C}" = Catalyst Control Center Localization All
"{D765F1CE-5AE5-4C47-B134-AE58AC474740}" = OpenOffice.org 3.1
"{D9CD701B-3F04-FC69-D974-F3A7F5E9BA30}" = CCC Help Swedish
"{D9D93D74-107D-4BD3-87D0-AABCF7C98BD5}" = Catalyst Control Center - Branding
"{DD362256-A7A2-4524-9457-213DDC2AFC2A}" = Adobe After Effects 7.0
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{E0D51394-1D45-460A-B62D-383BC4F8B335}" = QuickTime
"{E213321B-1E88-B38D-DAB2-D8CB9355984A}" = Skins
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{F01F79AD-1F47-4685-AE4E-CCFA4EA9FF7C}" = Adobe Setup
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4148D8F-ED3A-3097-509C-04D5560220F9}" = ccc-core-static
"{F7E68997-E626-952B-A7BF-F72066CD5D77}" = Catalyst Control Center Graphics Previews Common
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FA36C82B-464D-51F2-A6A1-0BC9140BE067}" = CCC Help Italian
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FF29A7E2-FF40-4D07-B7E4-2093DE59E10A}" = Adobe Color NA Extra Settings
"{FFC1ADE3-944B-4231-894E-3903C37271D2}" = Adobe Setup
"7-Zip" = 7-Zip 9.10 beta
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_3dcb365ab9e01871fb8c6f27b0ea079" = Adobe After Effects CS4
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_5f143314a5d434c8511097393d17397" = Adobe Photoshop CS3
"Adobe_c3c7fe8b09d497ab2b3fd91c9353390" = Adobe Flash CS3 Professional
"All ATI Software" = ATI - Dienstprogramm zur Deinstallation der Software
"ATI Display Driver" = ATI Display Driver
"ATITool" = ATITool Overclocking Utility
"Audacity_is1" = Audacity 1.2.6
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"C-Media PCI Sound" = C-Media PCI Audio Device
"CMIDriver" = CMI 8738/8768 Audio Driver (remove only)
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.54
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"DFX for Winamp" = DFX for Winamp
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Frets on Fire" = Frets On Fire
"Hamachi" = Hamachi 1.0.2.0
"HijackThis" = HijackThis 2.0.2
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.5.3 (Full)
"LDraw2006 3rd Quarter" = LDraw
"LeoCAD" = LeoCAD
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MSNINST" = MSN
"OpenAL" = OpenAL
"PCI Audio Driver" = PCI Audio Driver
"PSPad editor_is1" = PSPad editor
"PunkBusterSvc" = PunkBuster Services
"RADVideo" = RAD Video Tools
"S.T.A.L.K.E.R. - Shadow of Chernobyl_is1" = S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0006]
"Sandboxie" = Sandboxie 3.34
"SopCast" = SopCast 3.2.4
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"TmNationsForever_is1" = TmNationsForever Update 2010-03-15
"VLC media player" = VLC media player 0.9.8a
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR
"Xfire" = Xfire (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"QIP 2005" = QIP 2005 8095

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 8.3.2010 19:11:08 | Computer Name = Tischle-30E793DBB | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung opera.exe, Version 10.10.1893.0, fehlgeschlagenes
Modul npswf32.dll, Version 10.0.45.2, Fehleradresse 0x00230bd1.

Error - 19.3.2010 23:23:52 | Computer Name = Tischle-30E793DBB | Source = MsiInstaller | ID = 10005
Description = Produkt: Burnout(TM) Paradise The Ultimate Box -- Unerwarteter Fehler
bei der Installation dieses Pakets. Möglicherweise liegt ein Problem mit diesem
Paket vor. Der Fehlercode lautet 2318. The arguments are: C:\Programme\Electronic
Arts\Burnout(TM) Paradise The Ultimate Box\SOUND\STREAMS\ONLINEVO_11M_DE.SNS, ,

Error - 31.3.2010 18:58:46 | Computer Name = Tischle-30E793DBB | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung photoshop.exe, Version 10.0.0.0, fehlgeschlagenes
Modul unknown, Version 0.0.0.0, Fehleradresse 0x65637275.

Error - 1.4.2010 18:08:45 | Computer Name = Tischle-30E793DBB | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung leocad.exe, Version 1.0.0.1, fehlgeschlagenes
Modul leocad.exe, Version 1.0.0.1, Fehleradresse 0x0003f63d.

[ System Events ]
Error - 29.4.2010 16:13:22 | Computer Name = Tischle-30E793DBB | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "netman"
mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 29.4.2010 16:13:25 | Computer Name = Tischle-30E793DBB | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1084" aufgetreten, als der Dienst "EventSystem"
mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 29.4.2010 16:14:49 | Computer Name = Tischle-30E793DBB | Source = Ftdisk | ID = 262189
Description = Das System konnte den Treiber für das Speicherabbild nicht laden.

Error - 29.4.2010 16:14:49 | Computer Name = Tischle-30E793DBB | Source = Ftdisk | ID = 262193
Description = Die Konfiguration der Auslagerungsdatei für das Speicherabbild ist
fehlgeschlagen. Stellen Sie sicher, dass eine Auslagerungsdatei auf der Startpartition
vorhanden ist und dass diese groß genug ist, um den gesamten physikalischen Speicher
abbilden zu können.

Error - 29.4.2010 16:14:49 | Computer Name = Tischle-30E793DBB | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Treiber für parallelen Anschluss" wurde aufgrund folgenden
Fehlers nicht gestartet: %%1058

Error - 29.4.2010 17:12:55 | Computer Name = Tischle-30E793DBB | Source = System Error | ID = 1003
Description = Fehlercode 0000000a, 1. Parameter 7b007a54, 2. Parameter 0000001c,
3. Parameter 00000001, 4. Parameter 80502cca.

Error - 29.4.2010 18:48:06 | Computer Name = Tischle-30E793DBB | Source = sr | ID = 1
Description = Beim Verarbeiten der Datei "" auf Volume "HarddiskVolume1" ist im
Wiederherstellungsfilter der unerwartete Fehler "0xC0000001" aufgetreten. Die Volumeüberwachung
wurde angehalten.

Error - 29.4.2010 18:48:06 | Computer Name = Tischle-30E793DBB | Source = Ftdisk | ID = 262189
Description = Das System konnte den Treiber für das Speicherabbild nicht laden.

Error - 29.4.2010 18:48:06 | Computer Name = Tischle-30E793DBB | Source = Ftdisk | ID = 262193
Description = Die Konfiguration der Auslagerungsdatei für das Speicherabbild ist
fehlgeschlagen. Stellen Sie sicher, dass eine Auslagerungsdatei auf der Startpartition
vorhanden ist und dass diese groß genug ist, um den gesamten physikalischen Speicher
abbilden zu können.

Error - 29.4.2010 18:48:16 | Computer Name = Tischle-30E793DBB | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Treiber für parallelen Anschluss" wurde aufgrund folgenden
Fehlers nicht gestartet: %%1058

< End of report >

OTL log ->

Zitat:

OTL logfile created on: 30.4.2010 01:13:34 - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Dokumente und Einstellungen\Tischle\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: d.M.yyyy

3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 80,00% Memory free
6,00 Gb Paging File | 6,00 Gb Available in Paging File | 90,00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 149,05 Gb Total Space | 19,58 Gb Free Space | 13,13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: Tischle-30E793DBB
Current User Name: Tischle
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Dokumente und Einstellungen\Tischle\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Opera\opera.exe (Opera Software)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Programme\QIP\qip.exe (The Author of QIP)
PRC - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WZShutdown\P_zero.exe (www.elligs.net)
PRC - C:\Programme\Sandboxie\SbieSvc.exe (tzuk)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\D-Link\AirPlus G DWL-G510\AirGCFG.exe (D-Link)
PRC - C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
PRC - C:\WINDOWS\ATKKBService.exe (ASUSTeK COMPUTER INC.)

========== Modules (SafeList) ==========

MOD - C:\Dokumente und Einstellungen\Tischle\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (FLEXnet Licensing Service) -- C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (Adobe LM Service) -- C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (SbieSvc) -- C:\Programme\Sandboxie\SbieSvc.exe (tzuk)
SRV - (ANIWZCSdService) -- C:\Programme\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)
SRV - (ATKKeyboardService) -- C:\WINDOWS\ATKKBService.exe (ASUSTeK COMPUTER INC.)
SRV - (IDriverT) -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)

========== Driver Services (SafeList) ==========

DRV - (PSSDK42) -- C:\WINDOWS\system32\drivers\pssdk42.sys (microOLAP Technologies LTD)
DRV - (cpuz133) -- C:\WINDOWS\system32\drivers\cpuz133_x32.sys (Windows (R) Win 7 DDK provider)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (LGBusEnum) -- C:\WINDOWS\system32\drivers\LGBusEnum.sys (Logitech Inc.)
DRV - (cmipci) -- C:\WINDOWS\system32\drivers\cmipci.sys (Dogbert)
DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech, Inc.)
DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (L8042mou) -- C:\WINDOWS\system32\drivers\L8042mou.Sys (Logitech, Inc.)
DRV - (L8042Kbd) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys (Logitech, Inc.)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (cmuda3) -- C:\WINDOWS\system32\drivers\cmudax3.sys (C-Media Inc)
DRV - (ATIAVAIW) -- C:\WINDOWS\system32\drivers\atinavt2.sys (ATI Technologies Inc.)
DRV - (SbieDrv) -- C:\Programme\Sandboxie\SbieDrv.sys (tzuk)
DRV - (AtcL001) -- C:\WINDOWS\system32\drivers\l151x86.sys (Atheros Communications, Inc.)
DRV - (MPE) -- C:\WINDOWS\system32\drivers\mpe.sys (Microsoft Corporation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (ATITool) -- C:\WINDOWS\system32\drivers\ATITool.sys ()
DRV - (EIO) -- C:\WINDOWS\system32\drivers\EIO.sys (ASUSTeK Computer Inc.)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys (Alpha Networks Inc.)
DRV - (asuskbnt) -- C:\WINDOWS\system32\drivers\atkkbnt.sys (ASUSTeK COMPUTER INC.)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (cmpci) C-Media PCI Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\cmaudio.sys (C-Media Inc)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.6.6.117
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.04.15 15:15:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.04.15 15:15:48 | 000,000,000 | ---D | M]

[2009.02.10 22:37:54 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Tischle\Anwendungsdaten\Mozilla\Extensions
[2010.04.25 12:55:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Tischle\Anwendungsdaten\Mozilla\Firefox\Profiles\w9cm8f5u.default\extensions
[2009.09.05 21:10:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\Tischle\Anwendungsdaten\Mozilla\Firefox\Profiles\w9cm8f5u.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.04.25 12:54:54 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Tischle\Anwendungsdaten\Mozilla\Firefox\Profiles\w9cm8f5u.default\extensions\toolbar@ask.com
[2010.04.25 12:55:02 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2009.08.22 12:16:47 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Programme\Mozilla Firefox\plugins\npPandoWebInst.dll
[2009.08.19 03:02:43 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2009.08.19 03:02:43 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2009.08.19 03:02:43 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2009.08.19 03:02:43 | 000,000,986 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2009.08.19 03:02:43 | 000,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009.11.06 00:36:11 | 000,000,853 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [D-Link AirPlus G DWL-G510] C:\Programme\D-Link\AirPlus G DWL-G510\AirGCFG.exe (D-Link)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [WZShutdown] C:\WZShutdown\P_zero.exe (www.elligs.net)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.02.06 15:19:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c73547d4-025f-11de-86ed-0015000400dc}\Shell - "" = AutoRun
O33 - MountPoints2\{c73547d4-025f-11de-86ed-0015000400dc}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c73547d4-025f-11de-86ed-0015000400dc}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.04.30 00:55:23 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Tischle\Desktop\Neuer Ordner
[2010.04.29 23:17:48 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.04.29 23:17:48 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.04.29 23:15:32 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Tischle\Anwendungsdaten\Malwarebytes
[2010.04.29 23:15:31 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.04.29 23:15:31 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Tischle\mbam-installer
[2010.04.29 23:15:31 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.04.29 23:14:41 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Tischle\Desktop\OTL.exe
[2010.04.29 22:52:23 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Macromedia
[2010.04.29 21:43:12 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Tischle\Anwendungsdaten\Avira
[2010.04.29 21:30:03 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010.04.29 21:30:02 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010.04.29 21:30:02 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010.04.29 21:30:02 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010.04.29 21:30:02 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010.04.29 21:30:02 | 000,000,000 | ---D | C] -- C:\Programme\Avira
[2010.04.29 21:30:02 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
[2010.04.29 17:02:08 | 000,610,304 | ---- | C] (Speed Guide Inc.) -- C:\TCPOptimizer.exe
[2010.04.29 15:53:01 | 000,038,976 | ---- | C] (microOLAP Technologies LTD) -- C:\WINDOWS\System32\drivers\pssdk42.sys
[2010.04.29 15:36:17 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Tischle\Anwendungsdaten\Locktime
[2010.04.29 15:35:25 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Locktime
[2010.04.28 23:41:47 | 001,327,189 | ---- | C] (Funk Software, Inc.) -- C:\WINDOWS\System32\odSupp_M.dll
[2010.04.28 23:41:47 | 000,667,648 | ---- | C] (Wireless Service) -- C:\WINDOWS\System32\ANIWZCS2.dll
[2010.04.28 23:41:47 | 000,249,856 | ---- | C] (Wireless Service) -- C:\WINDOWS\System32\wnicapi.dll
[2010.04.28 23:41:47 | 000,225,280 | ---- | C] (ANI ) -- C:\WINDOWS\System32\WlanApp.dll
[2010.04.28 23:41:47 | 000,204,800 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\aIPH.dll
[2010.04.28 23:41:47 | 000,049,152 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\AQCKGen.dll
[2010.04.28 23:41:47 | 000,045,115 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANICtl.dll
[2010.04.28 23:41:35 | 000,036,864 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANIOApi.dll
[2010.04.28 23:41:35 | 000,028,195 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANIO.sys
[2010.04.28 23:41:34 | 000,048,128 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANIO64.sys
[2010.04.28 23:41:34 | 000,011,904 | ---- | C] (ANI ) -- C:\WINDOWS\System32\anio4.sys
[2010.04.28 23:41:34 | 000,000,000 | ---D | C] -- C:\Programme\ANI
[2010.04.28 23:41:23 | 000,000,000 | ---D | C] -- C:\Programme\D-Link
[2010.04.28 13:41:58 | 000,000,000 | ---D | C] -- C:\Programme\Spybot - Search & Destroy
[2010.04.28 13:41:58 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
[2010.04.26 17:23:37 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Tischle\Desktop\VIdeo
[2010.04.25 14:11:24 | 000,118,272 | ---- | C] (Lucent Technologies) -- C:\WINDOWS\System32\SX5363S.DLL
[2010.04.25 14:11:24 | 000,102,400 | ---- | C] (RADVision) -- C:\WINDOWS\System32\RV32RTP.dll
[2010.04.23 13:44:09 | 000,000,000 | ---D | C] -- C:\Programme\THQ
[2010.04.21 21:33:11 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Tischle\Eigene Dateien\My Games
[2010.04.21 21:04:32 | 000,020,968 | ---- | C] (Windows (R) Win 7 DDK provider) -- C:\WINDOWS\System32\drivers\cpuz133_x32.sys
[2010.04.21 21:04:32 | 000,000,000 | ---D | C] -- C:\Programme\CPUID
[2010.04.21 20:17:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Lang
[2010.04.21 20:13:32 | 000,053,248 | ---- | C] (Windows XP Bundled build C-Centric Single User) -- C:\WINDOWS\System32\CSVer.dll
[2010.04.21 20:13:32 | 000,000,000 | ---D | C] -- C:\Programme\Intel
[2010.04.21 20:13:26 | 000,000,000 | ---D | C] -- C:\Intel
[2010.04.21 20:08:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\RTCOM
[2010.04.21 20:08:28 | 001,822,720 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SkyTel.exe
[2010.04.21 20:08:28 | 000,086,016 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SoundMan.exe
[2010.04.21 20:08:27 | 009,715,200 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTLCPL.exe
[2010.04.21 20:08:27 | 004,395,008 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys
[2010.04.21 20:08:27 | 001,191,936 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RtlUpd.exe
[2010.04.21 20:08:27 | 000,282,624 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\RTSndMgr.cpl
[2010.04.21 20:08:25 | 002,808,832 | R--- | C] (RealTek Semicoductor Corp.) -- C:\WINDOWS\alcwzrd.exe
[2010.04.21 20:08:25 | 002,157,568 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\MicCal.exe
[2010.04.21 20:08:25 | 000,299,008 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\ALSndMgr.cpl
[2010.04.21 20:08:25 | 000,069,632 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\Alcmtr.exe
[2010.04.21 20:08:25 | 000,000,000 | ---D | C] -- C:\Programme\Realtek
[2010.04.21 20:08:20 | 000,520,192 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RtlExUpd.dll
[2010.04.21 20:08:20 | 000,315,392 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\HideWin.exe
[2010.04.21 17:53:32 | 000,020,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbuhci.sys
[2010.04.21 17:53:18 | 000,006,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\enum1394.sys
[2010.04.21 17:53:18 | 000,006,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\enum1394.sys
[2010.04.21 17:53:16 | 000,061,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ohci1394.sys
[2010.04.21 17:53:16 | 000,053,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\1394bus.sys
[2010.04.21 17:53:16 | 000,053,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\1394bus.sys
[2010.04.14 12:46:01 | 000,000,000 | ---D | C] -- C:\Programme\Infogrames
[2010.04.10 06:29:42 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Adobe AIR
[2010.04.10 01:07:16 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TrackMania
[2010.04.10 01:04:25 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Tischle\Eigene Dateien\TrackMania
[2010.04.10 00:58:34 | 000,000,000 | ---D | C] -- C:\Programme\TmNationsForever
[2010.04.09 00:35:46 | 000,000,000 | --SD | C] -- C:\Dokumente und Einstellungen\Tischle\UserData
[2010.04.09 00:35:45 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Xfire
[2010.04.09 00:35:03 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Tischle\Anwendungsdaten\Xfire
[2010.04.09 00:34:59 | 000,000,000 | ---D | C] -- C:\Programme\Xfire
[2010.04.02 20:51:25 | 000,720,896 | ---- | C] (Indigo Rose Corporation) -- C:\WINDOWS\iun6002.exe
[2010.04.02 20:50:46 | 000,000,000 | ---D | C] -- C:\LDraw
[2010.04.02 00:05:21 | 000,000,000 | ---D | C] -- C:\Programme\LeoCAD
[2010.04.01 23:17:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010.04.01 17:47:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2010.03.31 17:23:38 | 000,000,000 | ---D | C] -- C:\Programme\JDownloader
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.04.30 01:01:00 | 000,000,238 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010.04.30 00:48:24 | 000,000,012 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{1EC353DC-76D2-415E-838B-BD03C9191616}
[2010.04.30 00:47:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.04.30 00:47:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.04.30 00:46:29 | 007,602,176 | -H-- | M] () -- C:\Dokumente und Einstellungen\Tischle\NTUSER.DAT
[2010.04.30 00:46:29 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\Tischle\ntuser.ini
[2010.04.29 23:17:52 | 000,000,681 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.29 23:14:45 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Tischle\Desktop\OTL.exe
[2010.04.29 23:13:39 | 001,042,118 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.04.29 23:13:39 | 000,448,800 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.04.29 23:13:39 | 000,432,492 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.04.29 23:13:39 | 000,080,108 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.04.29 23:13:39 | 000,067,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.04.29 23:12:29 | 000,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2010.04.29 22:15:13 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.04.29 21:50:04 | 3488,657,408 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010.04.29 21:37:48 | 000,000,265 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2010.04.29 21:35:56 | 000,000,810 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.04.29 21:35:56 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.04.29 21:35:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010.04.29 21:30:14 | 000,001,676 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010.04.29 21:11:33 | 000,161,280 | ---- | M] () -- C:\WINDOWS\Fdotoa.exe
[2010.04.29 17:03:24 | 000,002,745 | ---- | M] () -- C:\sg_backup_2010-04-29-1703.spg
[2010.04.29 17:03:24 | 000,002,745 | ---- | M] () -- C:\FirstBackup.spg
[2010.04.29 17:02:22 | 000,610,304 | ---- | M] (Speed Guide Inc.) -- C:\TCPOptimizer.exe
[2010.04.29 16:19:14 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010.04.29 15:53:01 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) -- C:\WINDOWS\System32\drivers\pssdk42.sys
[2010.04.28 23:42:37 | 000,003,284 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCS{1EC353DC-76D2-415E-838B-BD03C9191616}
[2010.04.28 23:42:02 | 000,001,649 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\D-Link AirPlus Utility.lnk
[2010.04.28 23:39:24 | 000,003,284 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCS{C37E1AA8-CD1F-4C9B-82A0-5B726943B887}
[2010.04.28 23:38:05 | 000,000,012 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{C37E1AA8-CD1F-4C9B-82A0-5B726943B887}
[2010.04.28 13:53:17 | 000,000,577 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Opera.lnk
[2010.04.28 13:42:01 | 000,000,910 | ---- | M] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\Spybot - Search & Destroy.lnk
[2010.04.27 13:59:11 | 002,197,720 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.04.27 02:45:20 | 000,072,704 | ---- | M] () -- C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.04.26 17:51:09 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010.04.26 17:51:09 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010.04.26 17:24:44 | 000,027,120 | ---- | M] () -- C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
[2010.04.25 00:13:43 | 002,115,948 | -H-- | M] () -- C:\Dokumente und Einstellungen\Tischle\Lokale Einstellungen\Anwendungsdaten\IconCache.db
[2010.04.23 09:34:12 | 000,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{2E84C127-BE83-4855-AC0C-5F6CFE3EECB1}
[2010.04.21 21:29:55 | 000,445,016 | ---- | M] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
[2010.04.21 21:29:55 | 000,109,144 | ---- | M] (Portions (C) Creative Labs Inc. and NVIDIA Corp.) -- C:\WINDOWS\System32\OpenAL32.dll
[2010.04.21 20:17:20 | 000,940,794 | ---- | M] () -- C:\WINDOWS\System32\LoopyMusic.wav
[2010.04.21 20:17:20 | 000,146,650 | ---- | M] () -- C:\WINDOWS\System32\BuzzingBee.wav
[2010.04.21 20:13:18 | 000,001,769 | ---- | M] () -- C:\WINDOWS\Language_trs.ini
[2010.04.21 20:08:20 | 000,315,392 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\HideWin.exe
[2010.04.19 17:31:45 | 000,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{073473D6-3491-4A52-A627-4532F2E21674}
[2010.04.18 18:25:17 | 000,962,254 | ---- | M] () -- C:\Ebene.1Farbe.bmp
[2010.04.16 22:26:30 | 000,041,872 | ---- | M] () -- C:\WINDOWS\System32\xfcodec.dll
[2010.04.15 07:32:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010.04.13 08:13:55 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010.04.10 01:03:54 | 000,000,760 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\TmNationsForever.lnk
[2010.04.09 00:35:01 | 000,000,615 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Xfire.lnk
[2010.04.02 20:51:26 | 000,000,660 | ---- | M] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\LDview.lnk
[2010.04.02 20:51:26 | 000,000,644 | ---- | M] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\MLCad.lnk
[2010.04.02 20:50:19 | 000,720,896 | ---- | M] (Indigo Rose Corporation) -- C:\WINDOWS\iun6002.exe
[2010.04.02 18:51:04 | 000,008,068 | ---- | M] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\1072058784b59d830c1024.dlc
[2010.03.31 17:23:48 | 000,000,747 | ---- | M] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\JDownloader.lnk
[2010.03.31 17:14:32 | 000,006,512 | ---- | M] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\818137364ae0b0dd0a839.dlc
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.04.29 23:17:52 | 000,000,681 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.29 21:30:14 | 000,001,676 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010.04.29 21:11:36 | 000,161,280 | ---- | C] () -- C:\WINDOWS\Fdotoa.exe
[2010.04.29 17:03:24 | 000,002,745 | ---- | C] () -- C:\sg_backup_2010-04-29-1703.spg
[2010.04.29 17:03:24 | 000,002,745 | ---- | C] () -- C:\FirstBackup.spg
[2010.04.29 15:53:01 | 000,001,024 | ---- | C] () -- C:\.rnd
[2010.04.28 23:42:37 | 000,003,284 | ---- | C] () -- C:\WINDOWS\System32\ANIWZCS{1EC353DC-76D2-415E-838B-BD03C9191616}
[2010.04.28 23:42:02 | 000,001,649 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\D-Link AirPlus Utility.lnk
[2010.04.28 23:41:58 | 000,000,012 | ---- | C] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{1EC353DC-76D2-415E-838B-BD03C9191616}
[2010.04.28 23:41:47 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2010.04.28 23:41:35 | 000,016,997 | ---- | C] () -- C:\WINDOWS\System32\ANIO.VXD
[2010.04.28 23:41:23 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\rt2661.bin
[2010.04.28 23:41:23 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\rt2561s.bin
[2010.04.28 23:41:23 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\rt2561.bin
[2010.04.28 13:42:01 | 000,000,910 | ---- | C] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\Spybot - Search & Destroy.lnk
[2010.04.26 17:51:09 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010.04.26 17:51:09 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010.04.25 14:11:24 | 000,000,040 | ---- | C] () -- C:\WINDOWS\System32\Sx5363.ini
[2010.04.23 09:49:10 | 000,003,284 | ---- | C] () -- C:\WINDOWS\System32\ANIWZCS{C37E1AA8-CD1F-4C9B-82A0-5B726943B887}
[2010.04.23 09:45:45 | 000,000,012 | ---- | C] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{C37E1AA8-CD1F-4C9B-82A0-5B726943B887}
[2010.04.21 21:04:28 | 000,000,238 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010.04.21 20:20:50 | 000,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2010.04.21 20:17:20 | 000,940,794 | ---- | C] () -- C:\WINDOWS\System32\LoopyMusic.wav
[2010.04.21 20:17:20 | 000,146,650 | ---- | C] () -- C:\WINDOWS\System32\BuzzingBee.wav
[2010.04.21 20:13:18 | 000,001,769 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2010.04.21 20:08:39 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010.04.21 19:47:16 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{2E84C127-BE83-4855-AC0C-5F6CFE3EECB1}
[2010.04.18 18:25:17 | 000,962,254 | ---- | C] () -- C:\Ebene.1Farbe.bmp
[2010.04.16 22:26:30 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010.04.10 01:03:54 | 000,000,760 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\TmNationsForever.lnk
[2010.04.09 00:35:01 | 000,000,615 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Xfire.lnk
[2010.04.02 20:51:26 | 000,000,660 | ---- | C] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\LDview.lnk
[2010.04.02 20:51:26 | 000,000,644 | ---- | C] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\MLCad.lnk
[2010.04.02 18:50:58 | 000,008,068 | ---- | C] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\1072058784b59d830c1024.dlc
[2010.03.31 17:23:48 | 000,000,747 | ---- | C] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\JDownloader.lnk
[2010.03.31 17:14:32 | 000,006,512 | ---- | C] () -- C:\Dokumente und Einstellungen\Tischle\Desktop\818137364ae0b0dd0a839.dlc
[2010.03.10 02:33:08 | 000,001,445 | ---- | C] () -- C:\WINDOWS\aopr.ini
[2010.03.02 14:50:20 | 003,237,376 | ---- | C] () -- C:\WINDOWS\System32\frysdk32.dll
[2009.12.14 07:03:43 | 000,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009.11.01 16:07:34 | 000,000,066 | ---- | C] () -- C:\WINDOWS\Cmicnfg3.ini.cfl
[2009.11.01 16:07:06 | 000,001,480 | ---- | C] () -- C:\WINDOWS\Cmicnfg3.ini.cfg
[2009.11.01 16:07:05 | 000,002,421 | ---- | C] () -- C:\WINDOWS\cmudax3.ini
[2009.10.25 02:17:32 | 000,010,496 | ---- | C] () -- C:\WINDOWS\System32\ATKOSDMini.DLL
[2009.10.25 02:17:32 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\atkid.ini
[2009.10.25 02:17:31 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\asfrench.dll
[2009.10.25 02:17:31 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asrussian.dll
[2009.10.25 02:17:31 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asgerman.dll
[2009.10.25 02:17:31 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\aseng.dll
[2009.10.25 02:17:31 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\askorean.dll
[2009.10.25 02:17:31 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\asjapan.dll
[2009.10.25 02:17:31 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\ASCHT.dll
[2009.10.25 02:17:31 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\aschs.dll
[2009.10.22 21:06:52 | 000,000,265 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009.10.20 00:16:13 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\KMVIDC32.DLL
[2009.09.11 12:43:25 | 000,000,080 | RHS- | C] () -- C:\WINDOWS\System32\E3CB24DCAF.dll
[2009.09.01 14:31:28 | 000,000,237 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009.09.01 14:27:31 | 000,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009.07.14 18:15:00 | 000,178,432 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009.04.26 16:05:39 | 004,762,112 | ---- | C] () -- C:\WINDOWS\System32\NCMedia.dll
[2009.04.26 16:05:39 | 000,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2009.02.06 22:40:30 | 000,002,162 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2009.02.06 20:33:23 | 000,000,101 | ---- | C] () -- C:\WINDOWS\CMMIXER.INI
[2009.02.06 18:49:10 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009.02.06 18:49:07 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.02.06 18:49:07 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009.02.06 18:49:06 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009.02.06 18:49:05 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009.02.06 18:18:45 | 000,000,025 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2009.02.06 18:14:30 | 000,020,333 | ---- | C] () -- C:\WINDOWS\cmaudio.ini
[2009.02.06 17:54:58 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2008.03.24 16:24:36 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\RegisterDialog.dll
[2007.01.10 09:44:26 | 001,457,024 | R--- | C] () -- C:\WINDOWS\System32\SSCProt.dll
[2006.11.10 15:08:50 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATITool.sys
[2006.09.19 06:22:32 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\LPubRay.dll
[2006.09.09 17:28:52 | 000,221,184 | ---- | C] () -- C:\WINDOWS\System32\glut32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 129 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:05EE1EEF
< End of report >

Chris4You · 29.04.2010, 08:08

Hi,

Java upaten updaten!

Bitte folgende Files prüfen:

Dateien Online überprüfen lassen:

Als erstes versteckte Dateien anzeigen lassen! (nur Punkt 1 durchführen!)

Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:

Code:

ATTFilter

C:\WINDOWS\Fdotoa.exe
C:\WINDOWS\System32\JJAKEn.dll
C:\WINDOWS\System32\ANIO.VXD
C:\WINDOWS\System32\frysdk32.dll
C:\WINDOWS\System32\E3CB24DCAF.dll

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)

Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.

Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Gmer:
http://www.trojaner-board.de/74908-a...t-scanner.html
Den Downloadlink findest Du links oben (GMER - Rootkit Detector and Remover), dort dann
auf den Button "Download EXE", dabei wird ein zufälliger Name generiert (den und den Pfad wo Du sie gespeichert hast bitte merken).
Starte GMER und schaue, ob es schon was meldet. Macht es das, bitte alle Fragen mit "nein" beantworten, auf den Reiter "rootkit" gehen, wiederum die Frage mit "nein" beantworten und mit Hilfe von copy den Bericht in den Thread einfügen. Meldet es so nichts, gehe auf den Reiter Rootkit und mache einen Scan. Ist dieser beendet, wähle Copy und füge den Bericht ein.

chris

silxc · 29.04.2010, 15:14

Fdotoa.exe

Zitat:

AhnLab-V3 2010.04.29.05 2010.04.29 -
AntiVir 8.2.1.224 2010.04.29 TR/Dldr.Zlob.cbf
Antiy-AVL 2.0.3.7 2010.04.29 -
Authentium 5.2.0.5 2010.04.29 -
Avast 4.8.1351.0 2010.04.29 Win32:Fraudo
Avast5 5.0.332.0 2010.04.29 Win32:Fraudo
AVG 9.0.0.787 2010.04.29 Fake_AntiSpyware.FAH
BitDefender 7.2 2010.04.29 -
CAT-QuickHeal 10.00 2010.04.29 -
ClamAV 0.96.0.3-git 2010.04.29 -
Comodo 4710 2010.04.29 -
DrWeb 5.0.2.03300 2010.04.29 Trojan.DownLoad1.55745
eSafe 7.0.17.0 2010.04.29 -
eTrust-Vet 35.2.7457 2010.04.29 -
F-Prot 4.5.1.85 2010.04.29 -
F-Secure 9.0.15370.0 2010.04.29 Suspicious:W32/Malware!Gemini
Fortinet 4.0.14.0 2010.04.27 -
GData 21 2010.04.29 Win32:Fraudo
Ikarus T3.1.1.80.0 2010.04.29 -
Jiangmin 13.0.900 2010.04.29 -
Kaspersky 7.0.0.125 2010.04.29 -
McAfee 5.400.0.1158 2010.04.29 -
McAfee-GW-Edition 6.8.5 2010.04.29 Trojan.Dldr.Zlob.cbf
Microsoft 1.5703 2010.04.29 -
NOD32 5072 2010.04.29 a variant of Win32/Kryptik.EAE
Norman 6.04.12 2010.04.29 -
nProtect 2010-04-29.01 2010.04.29 -
Panda 10.0.2.7 2010.04.28 Suspicious file
PCTools 7.0.3.5 2010.04.29 -
Prevx 3.0 2010.04.29 High Risk Cloaked Malware
Rising 22.45.03.03 2010.04.29 -
Sophos 4.53.0 2010.04.29 Mal/FakeAV-CX
Sunbelt 6235 2010.04.28 VirTool.Win32.Obfuscator.hg!b (v)
Symantec 20091.2.0.41 2010.04.29 Trojan.FakeAV!gen24
TheHacker 6.5.2.0.272 2010.04.29 -
TrendMicro 9.120.0.1004 2010.04.29 -
TrendMicro-HouseCall 9.120.0.1004 2010.04.29 -
VBA32 3.12.12.4 2010.04.29 -
ViRobot 2010.4.27.2295 2010.04.28 -
VirusBuster 5.0.27.0 2010.04.29 Trojan.Codecpack.Gen.4
weitere Informationen
File size: 161280 bytes
MD5...: f85319ea9a81489f7325270056d52d1f
SHA1..: 9bdf20ff86b6a1301c7c4cfa328bfc9a6cbf2607
SHA256: 3199587107b162c52b2ba26702aacf664b895f2e5b07510bbd07179758f475e6
ssdeep: 3072:BHIrYiqLXZIbzMpDvz+uDpDshuddm8cvTVJliG:+MLRDvROunNCVri
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4c7e
timedatestamp.....: 0x4a8df018 (Fri Aug 21 00:53:44 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8a4e 0x8c00 6.00 68e84b116182ff38e5ab79f7620a5247
.rdata 0xa000 0x1d449 0x1d600 7.44 d1b6c195b511cd0080347350f65135a2
.init 0x28000 0xb7 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
DATA 0x29000 0x1b456 0x600 0.00 53e979547d8c2ea86560ac45de08ae25
.edata 0x45000 0x466 0x600 0.25 92b89d40966b0cd999fa5a64a79f35d5

( 7 imports )
> kernel32.dll: lstrcpynA, SetHandleCount, LockResource, GetACP, RaiseException, GetCurrentProcessId, SetLastError, DeleteFileA, EnterCriticalSection, GetCPInfo, GetFileType, SetFilePointer, CloseHandle, FreeLibrary, LocalReAlloc, GetStartupInfoA, GetFileSize, lstrlenA, LoadLibraryExA, GetStringTypeA, VirtualFree, GetSystemDefaultLangID, CreateFileA, lstrcatA, FindResourceA, GetDateFormatA, GetVersionExA, HeapDestroy, VirtualQuery, LocalFree, GetCurrentThreadId, GlobalAddAtomA, GetUserDefaultLCID, GetVersion, GetTickCount, GetFullPathNameA, CreateEventA, WaitForSingleObject, GetProcessHeap, VirtualAlloc, WriteFile, DeleteCriticalSection, GetLastError, MoveFileA, ResetEvent, GetOEMCP, GetLocaleInfoA, GetStringTypeW, lstrcmpA, GetDiskFreeSpaceA, WideCharToMultiByte, GetModuleFileNameA, MoveFileExA, lstrcmpiA, lstrcpyA, GetModuleHandleA, FreeResource, LoadResource, HeapFree, GlobalDeleteAtom, LoadLibraryA, CompareStringA, GlobalFindAtomA, ReadFile, Sleep
> msvcrt.dll: asin, memcpy, strcmp, calloc
> oleaut32.dll: VariantChangeType, RegisterTypeLib, GetErrorInfo, SafeArrayUnaccessData, OleLoadPicture, VariantCopyInd
> version.dll: VerQueryValueA, VerInstallFileA, GetFileVersionInfoA
> COMDLG32.DLL: ChooseColorA
> user32.dll: GetIconInfo, DrawFrameControl, DrawIconEx, GetClipboardData, GetClientRect, GetScrollInfo, GetForegroundWindow, GetFocus, GetClassLongA, GetSysColorBrush, BeginDeferWindowPos, DeferWindowPos, GetMenuItemCount, IsChild, GetDCEx, HideCaret, EnumWindows, DispatchMessageA, GetCursor, GetClassInfoA, CreatePopupMenu, CharNextA, GetDC, GetKeyNameTextA, MessageBoxA, GetCursorPos, GetCapture, CallWindowProcA, GetDesktopWindow, GetDlgItem, GetActiveWindow
> OLE32.DLL: OleCreateStaticFromData, CLSIDFromProgID, CoReleaseMarshalData

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (58.4%)
Clipper DOS Executable (13.8%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.7%)
VXD Driver (0.2%)
<a href='hxxp://info.prevx.com/aboutprogramtext.asp?PX5=9BA8ACD2002995D7766902E828089300148B6AF0' target='_blank'>hxxp://info.prevx.com/aboutprogramtext.asp?PX5=9BA8ACD2002995D7766902E828089300148B6AF0</a>
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

JJaken.dll

Zitat:

MD5: b9fecd748f2d0096bcf1da11579eba13
First received: 2007.02.15 18:09:47 UTC
Datum 2010.03.23 19:33:25 UTC [>36D]
Ergebnisse 0/42

ANIO.vxd

Zitat:

0/41
File size: 16997 bytes
MD5...: ee2e0325a6053991c0d2c117841e4b38
SHA1..: 848452dd59df01a9ae5029f719928d418d64bf63
SHA256: 8f8d9fb4131335b78a6c43bb32b574d4381b87562316442a6fbe5dfcca336648
ssdeep: 192:FXWNN6KEj5o4YV2dYk8InpG+HlZtY7dOT0j3wB8YUfEYGtlzd6pGIIP:FXWN
N6x+rV2KO7HlZOpOT8YUfE3spS
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.5%)
DOS Executable Generic (49.5%)
VXD Driver (0.7%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

frysdk32.dll

Zitat:

0/41
File size: 3237376 bytes
MD5...: c9fc164155fabb4cd60b9b8d0ddb4557
SHA1..: fdd7997db29083869efe27eaa5ddbef117130eb5
SHA256: a6264c48e97068e90ec5dd929e09019f0a3c2205afa4b1a46e0901678be3f05c
ssdeep: 49152:l/UktC5yzL7vGyPaFZI+IZDGlj1BIbCTxxe9pXLf2N9h:l/UkYI7vGyPGI
JG11TMbLf2N
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x12246c
timedatestamp.....: 0x49c513e4 (Sat Mar 21 16:20:52 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x14aeab 0x14b000 6.52 48473c4ab4a56508ab94e7a8c8f7ecf0
.text1 0x14c000 0x5110 0x5200 5.61 4347b17bfe1e66b49615a9b9b6a6d705
.rdata 0x152000 0x48b84 0x48c00 5.47 a7abf295df6285837ddb60b2ef9756c6
.data 0x19b000 0x19935c 0x150000 6.90 800aedcf817dd96b5dc239df0da67d3c
.data1 0x335000 0x14cc8 0x14e00 3.51 39f2d49fe632180806512c2ea2876f15
.trace 0x34a000 0x4398 0x4400 5.92 b430d8f21f5ec2d76152bd5a8fa1dd99
.reloc 0x34f000 0x1400e 0x14200 5.78 6c99d0bb3479c3c361ad93982e4f1f58

( 7 imports )
> KERNEL32.dll: DeleteFileA, QueryPerformanceCounter, GetTickCount, Sleep, SetThreadAffinityMask, GetCurrentThread, GetProcessAffinityMask, GetCurrentProcess, GetProcAddress, GetModuleHandleA, GetCommandLineA, GetModuleFileNameA, GetTempPathA, FindClose, FindNextFileA, FindFirstFileA, MultiByteToWideChar, WaitForSingleObject, CreateThread, GlobalUnlock, GlobalLock, GlobalAlloc, GlobalSize, GlobalFree, InterlockedDecrement, InterlockedIncrement, CloseHandle, CreateMutexA, ReleaseMutex, ReadFile, WriteFile, SetFilePointer, GetFileSize, MapViewOfFile, CreateFileMappingA, UnmapViewOfFile, CreateFileA, LocalFree, LocalAlloc, lstrlenA, FormatMessageA, LoadLibraryA, GetThreadLocale, RtlUnwind, GetCurrentDirectoryA, GetLastError, HeapFree, GetCurrentThreadId, HeapReAlloc, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, GetModuleHandleW, ExitProcess, EnterCriticalSection, LeaveCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, DeleteCriticalSection, VirtualFree, VirtualAlloc, HeapCreate, HeapDestroy, GetStdHandle, SetHandleCount, GetFileType, GetStartupInfoA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, GetCurrentProcessId, GetSystemTimeAsFileTime, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, FlushFileBuffers, InitializeCriticalSectionAndSpinCount, SetCurrentDirectoryA, SetStdHandle, GetStringTypeA, GetStringTypeW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CompareStringA, CompareStringW, SetEnvironmentVariableA, SetEndOfFile, GetProcessHeap, HeapAlloc, GetLocaleInfoA
> USER32.dll: GetClientRect, EndPaint, BeginPaint, SetWindowLongA, GetWindowLongA, DefWindowProcA, SendMessageA, GetDlgItem, KillTimer, SetTimer, GetParent, GetWindowTextA, SetWindowTextA, SetWindowPos, MoveWindow, IsWindow, ShowWindow, EnableWindow, IsWindowEnabled, GetWindowRect, SetRect, GetSystemMetrics, DestroyWindow, MapWindowPoints, CreateDialogIndirectParamA, CreateWindowExA, RegisterClassA, LoadCursorA, GetClassInfoA, InvalidateRect, ReleaseCapture, SetCapture, InflateRect, GetKeyState, ScreenToClient, ReleaseDC, GetDC, FillRect, SetCursorPos, DestroyCursor, OffsetRect, IsRectEmpty, GetFocus, wvsprintfA, wsprintfA, MessageBoxA, EndDialog, GetCursorPos, PtInRect, WindowFromPoint, SetCursor, SetFocus, DialogBoxIndirectParamA
> GDI32.dll: CreateFontA, CreateSolidBrush, DeleteObject, SetBkMode, SetTextAlign, TextOutA, SetStretchBltMode, StretchDIBits, SelectObject, GetTextExtentPoint32A, CreateRectRgn, SelectClipRgn, SetTextColor, SetBkColor
> COMDLG32.dll: GetSaveFileNameA, GetOpenFileNameA
> ADVAPI32.dll: RegSetValueA, RegQueryValueA
> SHELL32.dll: SHCreateDirectoryExA, SHBrowseForFolderA, ShellExecuteA, SHGetMalloc, SHGetPathFromIDListA
> ole32.dll: RevokeDragDrop, RegisterDragDrop, DoDragDrop, ReleaseStgMedium

( 295 exports )
__0frysdk_camera_c@@QAE@ABV0@@Z, __0frysdk_camera_c@@QAE@XZ, __0frysdk_dumper_c@@QAE@ABV0@@Z, __0frysdk_dumper_c@@QAE@XZ, __0frysdk_env_c@@QAE@ABV0@@Z, __0frysdk_env_c@@QAE@XZ, __0frysdk_img_c@@QAE@ABV0@@Z, __0frysdk_img_c@@QAE@XZ, __0frysdk_log_c@@QAE@ABV0@@Z, __0frysdk_log_c@@QAE@XZ, __0frysdk_material_c@@QAE@ABV0@@Z, __0frysdk_material_c@@QAE@XZ, __0frysdk_obj_c@@QAE@ABV0@@Z, __0frysdk_obj_c@@QAE@XZ, __0frysdk_pblocky_c@@QAE@ABV0@@Z, __0frysdk_pblocky_c@@QAE@XZ, __0frysdk_pxy_c@@QAE@ABV0@@Z, __0frysdk_pxy_c@@QAE@HM@Z, __0frysdk_ren_c@@QAE@ABV0@@Z, __0frysdk_ren_c@@QAE@XZ, __0frysdk_scene_c@@QAE@ABV0@@Z, __0frysdk_scene_c@@QAE@_N@Z, __0frysdk_wrapper_c@@QAE@ABV0@@Z, __0frysdk_wrapper_c@@QAE@XZ, __1frysdk_camera_c@@UAE@XZ, __1frysdk_dumper_c@@UAE@XZ, __1frysdk_env_c@@UAE@XZ, __1frysdk_img_c@@UAE@XZ, __1frysdk_log_c@@UAE@XZ, __1frysdk_material_c@@UAE@XZ, __1frysdk_obj_c@@UAE@XZ, __1frysdk_pblocky_c@@UAE@XZ, __1frysdk_pxy_c@@UAE@XZ, __1frysdk_ren_c@@UAE@XZ, __1frysdk_scene_c@@UAE@XZ, __1frysdk_wrapper_c@@UAE@XZ, __4frysdk_camera_c@@QAEAAV0@ABV0@@Z, __4frysdk_dumper_c@@QAEAAV0@ABV0@@Z, __4frysdk_env_c@@QAEAAV0@ABV0@@Z, __4frysdk_img_c@@QAEAAV0@ABV0@@Z, __4frysdk_log_c@@QAEAAV0@ABV0@@Z, __4frysdk_material_c@@QAEAAV0@ABV0@@Z, __4frysdk_obj_c@@QAEAAV0@ABV0@@Z, __4frysdk_pblocky_c@@QAEAAV0@ABV0@@Z, __4frysdk_pxy_c@@QAEAAV0@ABV0@@Z, __4frysdk_ren_c@@QAEAAV0@ABV0@@Z, __4frysdk_scene_c@@QAEAAV0@ABV0@@Z, __4frysdk_wrapper_c@@QAEAAV0@ABV0@@Z, ___7frysdk_camera_c@@6B@, ___7frysdk_dumper_c@@6B@, ___7frysdk_env_c@@6B@, ___7frysdk_img_c@@6B@, ___7frysdk_log_c@@6B@, ___7frysdk_material_c@@6B@, ___7frysdk_obj_c@@6B@, ___7frysdk_pblocky_c@@6B@, ___7frysdk_pxy_c@@6B@, ___7frysdk_ren_c@@6B@, ___7frysdk_scene_c@@6B@, ___7frysdk_wrapper_c@@6B@, _about@frysdk_ren_c@@SAXPAUHINSTANCE__@@PAUHWND__@@PAD2@Z, _add_default_layer@frysdk_material_c@@QAEXXZ, _add_layer@frysdk_material_c@@QAEXPAD@Z, _add_t@frysdk_scene_c@@QAEXPAXHHHNNNNNNNNNNNNNNNNNN@Z, _add_v@frysdk_scene_c@@QAEXNNN@Z, _begin_frame@frysdk_scene_c@@QAEXXZ, _begin_node@frysdk_scene_c@@QAEXNNNNNNNNN@Z, _begin_scene@frysdk_scene_c@@QAE_NPAVfrysdk_log_c@@@Z, _cam_hfov@frysdk_scene_c@@QAENHH@Z, _cam_name@frysdk_scene_c@@QAEXHHPAD@Z, _cam_pos@frysdk_scene_c@@QAEXHHAAVfrysdk_dvec3_c@@@Z, _cam_strf@frysdk_scene_c@@QAEXHHAAVfrysdk_dvec3_c@@@Z, _cam_vfov@frysdk_scene_c@@QAENHHMM@Z, _cam_wfwd@frysdk_scene_c@@QAEXHHAAVfrysdk_dvec3_c@@@Z, _change_camera@frysdk_scene_c@@QAEXH@Z, _clear@frysdk_material_c@@QAEXXZ, _copy@frysdk_env_c@@UAEXPAVfrysdk_pblocky_c@@@Z, _copy@frysdk_material_c@@UAEXPAV1@@Z, _copy@frysdk_obj_c@@UAEXPAVfrysdk_pblocky_c@@@Z, _copy@frysdk_pblocky_c@@UAEXPAV1@@Z, _copy@frysdk_ren_c@@UAEXPAVfrysdk_pblocky_c@@@Z, _create@frysdk_img_c@@QAEXHH@Z, _create_camera@frysdk_scene_c@@QAEXHPADMMMMMMMMMPAVfrysdk_camera_c@@@Z, _create_material@frysdk_scene_c@@QAEXHPAX@Z, _create_material@frysdk_scene_c@@QAEXHPAXPADPAVfrysdk_material_c@@@Z, _create_material_editor@frysdk_material_c@@QAEPAXPAUHWND__@@_NP6AXJ@ZJ@Z, _cuid_bumpmap@frysdk_material_c@@QAEIH@Z, _cuid_diffuse@frysdk_material_c@@QAEIH@Z, _cuid_ref0map@frysdk_material_c@@QAEIH@Z, _cuid_ref1map@frysdk_material_c@@QAEIH@Z, _cuid_rougmap@frysdk_material_c@@QAEIH@Z, _cuid_weigmap@frysdk_material_c@@QAEIH@Z, _destroy_material_editor@frysdk_material_c@@SAXPAX@Z, _display@frysdk_log_c@@QAE_NPAUHINSTANCE__@@PAUHWND__@@_N@Z, _done@frysdk_log_c@@QAEXXZ, _end_frame@frysdk_scene_c@@QAEXPAVfrysdk_log_c@@@Z, _end_node@frysdk_scene_c@@QAEXHPAD_NAAH2PAVfrysdk_obj_c@@PAVfrysdk_log_c@@@Z, _end_scene@frysdk_scene_c@@QAEXXZ, _error@frysdk_log_c@@QAAXPADZZ, _errors@frysdk_log_c@@QAEHXZ, _get_alias@frysdk_material_c@@QAEXPAD@Z, _get_anim_mode@frysdk_ren_c@@QAE_AW4ANIM_MODE@1@XZ, _get_basic_abbe@frysdk_material_c@@QAEMH@Z, _get_basic_absorption@frysdk_material_c@@QAEMH@Z, _get_basic_anisotropy@frysdk_material_c@@QAEMH@Z, _get_basic_bump_factor@frysdk_material_c@@QAEMH@Z, _get_basic_color0_rgb@frysdk_material_c@@QAEKH@Z, _get_basic_color1_rgb@frysdk_material_c@@QAEKH@Z, _get_basic_nd@frysdk_material_c@@QAEMH@Z, _get_basic_rotation@frysdk_material_c@@QAEMH@Z, _get_basic_roughness@frysdk_material_c@@QAEMH@Z, _get_basic_use_abbe@frysdk_material_c@@QAE_NH@Z, _get_basic_use_absorption@frysdk_material_c@@QAE_NH@Z, _get_basic_use_xmittance@frysdk_material_c@@QAEHH@Z, _get_data@frysdk_material_c@@QAEPAXXZ, _get_diffuse@frysdk_material_c@@QAEKH@Z, _get_emitter_efficacy@frysdk_material_c@@QAEMH@Z, _get_emitter_intensity@frysdk_material_c@@QAEMH@Z, _get_env@frysdk_scene_c@@QAEXPAVfrysdk_env_c@@@Z, _get_film@frysdk_camera_c@@QAEHXZ, _get_fnumber@frysdk_camera_c@@QAEMXZ, _get_fps@frysdk_ren_c@@QAEHXZ, _get_geo_location@frysdk_env_c@@QAEXPAH000@Z, _get_heading@frysdk_env_c@@QAEHXZ, _get_hfov@frysdk_camera_c@@QAEMXZ, _get_internal@frysdk_wrapper_c@@UAEPAXXZ, _get_lens@frysdk_camera_c@@QAEMXZ, _get_material_thumbnail@frysdk_scene_c@@QAEXPAVfrysdk_img_c@@HHH@Z, _get_maxpasses@frysdk_ren_c@@QAE_NAAH@Z, _get_maxtime@frysdk_ren_c@@QAE_NAAH00@Z, _get_moblur@frysdk_camera_c@@QAE_NXZ, _get_name@frysdk_material_c@@QAEXPAD@Z, _get_num_tris@frysdk_pxy_c@@QAEHXZ, _get_obj_properties@frysdk_scene_c@@QAEXHHPAVfrysdk_obj_c@@@Z, _get_offset_x@frysdk_pxy_c@@QAEMXZ, _get_offset_y@frysdk_pxy_c@@QAEMXZ, _get_offset_z@frysdk_pxy_c@@QAEMXZ, _get_path@frysdk_ren_c@@QAEXPAD@Z, _get_ren@frysdk_scene_c@@QAEXPAVfrysdk_ren_c@@@Z, _get_resolution@frysdk_ren_c@@QAEXAAH0@Z, _get_rgb@frysdk_img_c@@QAEKHH@Z, _get_scale@frysdk_scene_c@@QAENXZ, _get_shiftfilmx@frysdk_camera_c@@QAEHXZ, _get_shiftfilmy@frysdk_camera_c@@QAEHXZ, _get_speed@frysdk_camera_c@@QAEMXZ, _get_sun_date@frysdk_env_c@@QAEXPAH00@Z, _get_sun_dir@frysdk_env_c@@QAEXAAVfrysdk_dvec3_c@@@Z, _get_sun_time@frysdk_env_c@@QAEXPAH00@Z, _get_targetdist@frysdk_camera_c@@QAEMXZ, _get_thumbnail_size@frysdk_material_c@@QAEXAAUtagSIZE@@@Z, _get_use_zclip@frysdk_camera_c@@QAE_NXZ, _get_v@frysdk_scene_c@@QAEPANH@Z, _get_weight@frysdk_material_c@@QAEHH@Z, _get_zclip@frysdk_camera_c@@QAEMXZ, _h@frysdk_img_c@@QAEHXZ, _ignition@frysdk_ren_c@@QAEXXZ, _is_active_bumpmap@frysdk_material_c@@QAE_NH@Z, _is_active_diffuse@frysdk_material_c@@QAE_NH@Z, _is_active_opacity@frysdk_material_c@@QAE_NXZ, _is_active_ref0map@frysdk_material_c@@QAE_NH@Z, _is_active_ref1map@frysdk_material_c@@QAE_NH@Z, _is_active_rougmap@frysdk_material_c@@QAE_NH@Z, _is_active_weigmap@frysdk_material_c@@QAE_NH@Z, _is_basic@frysdk_material_c@@QAE_NH@Z, _is_coat@frysdk_material_c@@QAE_NH@Z, _is_emitter@frysdk_material_c@@QAE_NH@Z, _is_ghost@frysdk_material_c@@QAE_NXZ, _is_group@frysdk_material_c@@QAE_NH@Z, _is_sss@frysdk_material_c@@QAE_NH@Z, _is_xmit@frysdk_material_c@@QAE_NH@Z, _load@frysdk_camera_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _load@frysdk_env_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _load@frysdk_material_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _load@frysdk_obj_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _load@frysdk_ren_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _load@frysdk_scene_c@@QAE_NPAD@Z, _load_frm@frysdk_material_c@@QAE_NPAD@Z, _load_pblock@frysdk_pblocky_c@@IAE_NPAVfrysdk_dumper_c@@PAX@Z, _load_pblocky@frysdk_pblocky_c@@IAE_NPAVfrysdk_dumper_c@@PAX@Z, _make_company_logo@frysdk_img_c@@QAEXXZ, _make_fryrender_logo@frysdk_img_c@@QAEXXZ, _message@frysdk_log_c@@QAEXW4MSG_ID@1@PAD@Z, _messagebox@frysdk_log_c@@SA_NPAUHWND__@@W4MSB_ID@1@@Z, _nc@frysdk_scene_c@@QAEHH@Z, _nf@frysdk_scene_c@@QAEHXZ, _nl@frysdk_material_c@@QAEHXZ, _nm@frysdk_scene_c@@QAEHXZ, _no@frysdk_scene_c@@QAEHH@Z, _obj_name@frysdk_scene_c@@QAEXHHPAD@Z, _obj_nm@frysdk_scene_c@@QAEHHH@Z, _obj_nt@frysdk_scene_c@@QAEHHHH@Z, _obj_nv@frysdk_scene_c@@QAEHHHH@Z, _obj_tN@frysdk_scene_c@@QAEXHHHHHAAVfrysdk_dvec3_c@@@Z, _obj_tt@frysdk_scene_c@@QAEXHHHHHAAVfrysdk_dvec2_c@@@Z, _obj_tv@frysdk_scene_c@@QAEHHHHHH@Z, _obj_v@frysdk_scene_c@@QAEXHHHHAAVfrysdk_dvec3_c@@@Z, _obj_vB@frysdk_scene_c@@QAEXHHHHAAVfrysdk_dvec3_c@@@Z, _obj_vT@frysdk_scene_c@@QAEXHHHHAAVfrysdk_dvec3_c@@@Z, _open_editor@frysdk_camera_c@@UAEXPAUHINSTANCE__@@PAUHWND__@@@Z, _open_editor@frysdk_env_c@@UAEXPAUHINSTANCE__@@PAUHWND__@@@Z, _open_editor@frysdk_material_c@@UAEXPAUHINSTANCE__@@PAUHWND__@@@Z, _open_editor@frysdk_obj_c@@UAEXPAUHINSTANCE__@@PAUHWND__@@@Z, _open_editor@frysdk_pblocky_c@@UAEXPAUHINSTANCE__@@PAUHWND__@@@Z, _open_editor@frysdk_pxy_c@@QAEXPAUHINSTANCE__@@PAUHWND__@@@Z, _open_editor@frysdk_ren_c@@UAEXPAUHINSTANCE__@@PAUHWND__@@@Z, _open_editor_sky@frysdk_env_c@@UAEXPAUHINSTANCE__@@PAUHWND__@@@Z, _printf@frysdk_log_c@@QAAXPADZZ, _reset@frysdk_log_c@@QAEXXZ, _sample_bumpmap@frysdk_material_c@@QAEEHMM@Z, _sample_diffuse@frysdk_material_c@@QAEKHMM@Z, _sample_opacity@frysdk_material_c@@QAEEMM@Z, _sample_ref0map@frysdk_material_c@@QAEKHMM@Z, _sample_ref1map@frysdk_material_c@@QAEKHMM@Z, _sample_rougmap@frysdk_material_c@@QAEEHMM@Z, _sample_weigmap@frysdk_material_c@@QAEEHMM@Z, _save@frysdk_camera_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _save@frysdk_env_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _save@frysdk_img_c@@QAE_NPADH@Z, _save@frysdk_log_c@@QAE_NPAD0@Z, _save@frysdk_material_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _save@frysdk_obj_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _save@frysdk_ren_c@@UAE_NPAVfrysdk_dumper_c@@@Z, _save@frysdk_scene_c@@QAE_NPAD_N@Z, _save_pblock@frysdk_pblocky_c@@IAE_NPAVfrysdk_dumper_c@@PAX@Z, _save_pblocky@frysdk_pblocky_c@@IAE_NPAVfrysdk_dumper_c@@PAXH@Z, _set_alias@frysdk_material_c@@QAEXHPAD@Z, _set_alias@frysdk_material_c@@QAEXPAD@Z, _set_autofocus@frysdk_camera_c@@QAEX_N@Z, _set_basic_abbe@frysdk_material_c@@QAEXHM@Z, _set_basic_absorption@frysdk_material_c@@QAEXHM@Z, _set_basic_anisotropy@frysdk_material_c@@QAEXHM@Z, _set_basic_anisotropy_map@frysdk_material_c@@QAEXHPAD@Z, _set_basic_bump_factor@frysdk_material_c@@QAEXHM@Z, _set_basic_bump_map@frysdk_material_c@@QAEXHPAD@Z, _set_basic_color0_map@frysdk_material_c@@QAEXHPAD@Z, _set_basic_color0_rgb@frysdk_material_c@@QAEXHK@Z, _set_basic_color1_map@frysdk_material_c@@QAEXHPAD@Z, _set_basic_color1_rgb@frysdk_material_c@@QAEXHK@Z, _set_basic_nd@frysdk_material_c@@QAEXHM@Z, _set_basic_rotation@frysdk_material_c@@QAEXHM@Z, _set_basic_rotation_map@frysdk_material_c@@QAEXHPAD@Z, _set_basic_roughness@frysdk_material_c@@QAEXHM@Z, _set_basic_roughness_map@frysdk_material_c@@QAEXHPAD@Z, _set_basic_use_abbe@frysdk_material_c@@QAEXH_N@Z, _set_basic_use_absorption@frysdk_material_c@@QAEXH_N@Z, _set_basic_use_xmittance@frysdk_material_c@@QAEXHH@Z, _set_basic_xmittance_map@frysdk_material_c@@QAEXHPAD@Z, _set_basic_xmittance_rgb@frysdk_material_c@@QAEXHK@Z, _set_channel_ao@frysdk_ren_c@@QAEX_NM@Z, _set_channel_mask@frysdk_ren_c@@QAEX_N@Z, _set_displacement_map@frysdk_material_c@@QAEXPAD@Z, _set_emitter_color_map@frysdk_material_c@@QAEXHPAD@Z, _set_emitter_color_rgb@frysdk_material_c@@QAEXHK@Z, _set_emitter_efficacy@frysdk_material_c@@QAEXHM@Z, _set_emitter_intensity@frysdk_material_c@@QAEXHM@Z, _set_env@frysdk_scene_c@@QAEXPAVfrysdk_env_c@@@Z, _set_film@frysdk_camera_c@@QAEXH@Z, _set_fnumber@frysdk_camera_c@@QAEXM@Z, _set_geo_location@frysdk_env_c@@QAEXHHHH@Z, _set_heading@frysdk_env_c@@QAEXH@Z, _set_hfov@frysdk_camera_c@@QAEXM@Z, _set_instance@frysdk_obj_c@@QAEXPAD@Z, _set_lens@frysdk_camera_c@@QAEXM@Z, _set_map@frysdk_material_c@@AAEXPAXPADM@Z, _set_mask@frysdk_obj_c@@QAEX_N@Z, _set_material@frysdk_scene_c@@QAEXHHH@Z, _set_matte@frysdk_obj_c@@QAEX_N@Z, _set_maxpasses@frysdk_ren_c@@QAEX_NH@Z, _set_maxtime@frysdk_ren_c@@QAEX_NHHH@Z, _set_moblur@frysdk_camera_c@@QAEX_N@Z, _set_moving@frysdk_obj_c@@QAEX_N@Z, _set_obj_properties@frysdk_scene_c@@QAEXHHPAVfrysdk_obj_c@@@Z, _set_opacity_map@frysdk_material_c@@QAEXPAD@Z, _set_output_dsi@frysdk_ren_c@@QAEXPAD@Z, _set_output_rgb@frysdk_ren_c@@QAEXPAD@Z, _set_path@frysdk_ren_c@@QAEXPAD@Z, _set_pixel@frysdk_material_c@@QAEXHHK@Z, _set_ren@frysdk_scene_c@@QAEXPAVfrysdk_ren_c@@@Z, _set_resolution@frysdk_ren_c@@QAEXHH@Z, _set_rgb@frysdk_img_c@@QAEXHHK@Z, _set_shiftfilmx@frysdk_camera_c@@QAEXH@Z, _set_shiftfilmy@frysdk_camera_c@@QAEXH@Z, _set_speed@frysdk_camera_c@@QAEXM@Z, _set_sun_date@frysdk_env_c@@QAEXHHH@Z, _set_sun_dir@frysdk_env_c@@QAEXAAVfrysdk_dvec3_c@@@Z, _set_sun_time@frysdk_env_c@@QAEXHHH@Z, _set_targetdist@frysdk_camera_c@@QAEXM@Z, _set_tiny@frysdk_material_c@@QAEX_N@Z, _set_twosided@frysdk_material_c@@QAEX_N@Z, _set_use_zclip@frysdk_camera_c@@QAEX_N@Z, _set_weight@frysdk_material_c@@QAEXHH@Z, _set_zclip@frysdk_camera_c@@QAEXM@Z, _w@frysdk_img_c@@QAEHXZ, _warning@frysdk_log_c@@QAAXPADZZ, _warnings@frysdk_log_c@@QAEHXZ
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

E3CB24DCAF.dll

Zitat:

0/41
File size: 80 bytes
MD5...: f34913baa1bf42f48165508a848e7307
SHA1..: ad8784e2da19cfbb7e1f35897b13961fd6a96239
SHA256: 085f99ec61364b5cbb6b2dcc4d153be6f8bb3eb3419e001a3ea8cdda926431f5
ssdeep: 3:sl1n79D/XtlhUr4xqlchY7Ln:Et79DA6Un
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: MS Flight Simulator Aircraft Performance Info (100.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Chris4You · 29.04.2010, 20:43

Hi,

Doppelklick auf die OTL.exe, um das Programm auszuführen.

Vista/Win7-User bitte per Rechtsklick und "Ausführen als Administrator" starten.

Kopiere den Inhalt der folgenden Codebox komplett in die OTL-Box unter "Custom Scan/Fixes"

Code:

ATTFilter

:OTL

[2010.04.29 21:11:36 | 000,161,280 | ---- | C] () -- C:\WINDOWS\Fdotoa.exe

:Commands
[emptytemp]
[Reboot]

Den roten Run Fixes! Button anklicken.

Bitte alles aus dem Ergebnisfenster (Results) herauskopieren.

Eine Kopie eines OTL-Fix-Logs wird in einer Textdatei in folgendem Ordner gespeichert:

%systemroot%\_OTL

Poste noch das Gmer-Log...

chris

silxc · 30.04.2010, 01:29

hi

Zitat:

All processes killed
========== OTL ==========
C:\WINDOWS\Fdotoa.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: All Users

User: Besitzer
->Temp folder emptied: 587193 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1652692 bytes
->Flash cache emptied: 613 bytes

User: Chris
->Temp folder emptied: 252378743 bytes
->Temporary Internet Files folder emptied: 74465679 bytes
->Java cache emptied: 25486768 bytes
->FireFox cache emptied: 76827276 bytes
->Google Chrome cache emptied: 593984 bytes
->Opera cache emptied: 256085128 bytes
->Flash cache emptied: 44887 bytes

%systemdrive% .tmp files removed: 2 bytes
%systemroot% .tmp files removed: 4249097 bytes
%systemroot%\System32 .tmp files removed: 2951 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1211407 bytes
RecycleBin emptied: 7428293 bytes

Total Files Cleaned = 669,00 mb

OTL by OldTimer - Version 3.2.3.0 log created on 05012010_022341

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Nach ca 10 stunden laufzeit von GMER hat sich mein pc aufgehängt, ich werde noch eben einen versuch starten

und hier ein Log ohne Files aktiviert

Zitat:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-05-01 02:36:39
Windows 5.1.2600 Service Pack 3
Running: etyrjp19.exe; Driver: C:\DOKUME~1\TISCHL~1\LOKALE~1\Temp\awpiyaow.sys

---- System - GMER 1.0.15 ----

SSDT sprg.sys ZwCreateKey [0xB9EA70E0]
SSDT BA6A05AC ZwCreateThread
SSDT sprg.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT sprg.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT sprg.sys ZwOpenKey [0xB9EA70C0]
SSDT BA6A0598 ZwOpenProcess
SSDT BA6A059D ZwOpenThread
SSDT sprg.sys ZwQueryKey [0xB9EC610A]
SSDT sprg.sys ZwQueryValueKey [0xB9EC5F8A]
SSDT sprg.sys ZwSetValueKey [0xB9EC619C]

INT 0x63 ? 8A69ABF8
INT 0x63 ? 8A69ABF8
INT 0x63 ? 8A69ABF8
INT 0x63 ? 8A69ABF8
INT 0x63 ? 8A69ABF8
INT 0x83 ? 8A69ABF8
INT 0x83 ? 8A69ABF8
INT 0x83 ? 8A0BAF00
INT 0x83 ? 8A69ABF8
INT 0x84 ? 8A0BAF00
INT 0x94 ? 8A0BAF00
INT 0xA4 ? 8A0BAF00
INT 0xA4 ? 8A0BAF00
INT 0xA4 ? 8A0BAF00
INT 0xA4 ? 8A0BAF00
INT 0xB4 ? 8A0BAF00

---- Kernel code sections - GMER 1.0.15 ----

? sprg.sys Das System kann die angegebene Datei nicht finden. !
.rsrc C:\WINDOWS\system32\drivers\isapnp.sys entry point in ".rsrc" section [0xBA0B0014]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB914A000, 0x1C5D38, 0xE8000020]
.text USBPORT.SYS!DllUnload A8F578AC 5 Bytes JMP 8A0BA4E0
.text a33loq48.SYS A8E82386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a33loq48.SYS A8E823AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a33loq48.SYS A8E823C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a33loq48.SYS A8E823C9 1 Byte [30]
.text a33loq48.SYS A8E823C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text win32k.sys!EngAcquireSemaphore + 20E2 BF8082E1 5 Bytes JMP 883144D0
.text win32k.sys!EngFreeUserMem + 5BD2 BF80EE68 5 Bytes JMP 88314430
.text win32k.sys!EngCreateBitmap + DDB2 BF845CCB 5 Bytes JMP 88314610
.text win32k.sys!EngMultiByteToWideChar + 2F32 BF852C47 5 Bytes JMP 88314750
.text win32k.sys!XLATEOBJ_iXlate + 3A50 BF86368D 5 Bytes JMP 88314570
.text win32k.sys!FONTOBJ_pxoGetXform + CC3E BF8C31D6 5 Bytes JMP 883146B0
.text win32k.sys!PATHOBJ_vGetBounds + 74EE BF8F00FB 5 Bytes JMP 883147F0

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[432] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[432] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[432] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00A0000C
.text C:\WINDOWS\System32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1068] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1068] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 007D000C
.text C:\WINDOWS\system32\wuauclt.exe[2060] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 0083000A
.text C:\WINDOWS\system32\wuauclt.exe[2060] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 0084000A
.text C:\WINDOWS\system32\wuauclt.exe[2060] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 003D000C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] sprg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] sprg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] sprg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] sprg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] sprg.sys
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\a33loq48.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] sprg.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A6991F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A0CE32AB-2F20-448E-ADDF-C5F3CCA69B6F} 8A047500
Device \Driver\usbuhci \Device\USBPDO-0 8A1A2500
Device \Driver\usbuhci \Device\USBPDO-1 8A1A2500
Device \Driver\usbuhci \Device\USBPDO-2 8A1A2500
Device \Driver\usbehci \Device\USBPDO-3 8A19D500
Device \Driver\usbuhci \Device\USBPDO-4 8A1A2500
Device \Driver\usbuhci \Device\USBPDO-5 8A1A2500
Device \Driver\usbuhci \Device\USBPDO-6 8A1A2500
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A70A1F8
Device \Driver\usbehci \Device\USBPDO-7 8A19D500
Device \Driver\Cdrom \Device\CdRom0 8A441500
Device \Driver\Cdrom \Device\CdRom1 8A441500
Device \Driver\atapi \Device\Ide\IdePort0 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\sptd \Device\3402785504 sprg.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A047500
Device \Driver\NetBT \Device\NetbiosSmb 8A047500
Device \Driver\PCI_PNP5504 \Device\0000004c sprg.sys
Device \Driver\usbuhci \Device\USBFDO-0 8A1A2500
Device \Driver\usbuhci \Device\USBFDO-1 8A1A2500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A03E500
Device \Driver\usbuhci \Device\USBFDO-2 8A1A2500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A03E500
Device \Driver\usbehci \Device\USBFDO-3 8A19D500
Device \Driver\usbuhci \Device\USBFDO-4 8A1A2500
Device \Driver\Ftdisk \Device\FtControl 8A70A1F8
Device \Driver\usbuhci \Device\USBFDO-5 8A1A2500
Device \Driver\usbuhci \Device\USBFDO-6 8A1A2500
Device \Driver\usbehci \Device\USBFDO-7 8A19D500
Device \Driver\a33loq48 \Device\Scsi\a33loq481Port6Path0Target0Lun0 8A19B3B0
Device \Driver\a33loq48 \Device\Scsi\a33loq481 8A19B3B0
Device \Driver\a33loq48 \Device\Scsi\a33loq481Port6Path0Target1Lun0 8A19B3B0
Device \FileSystem\Cdfs \Cdfs 8A03D500
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A55EEE4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x5A 0x0A 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFD 0x03 0x1D 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9F 0x45 0x03 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x28 0x71 0x2E 0x0A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x5A 0x0A 0x2A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFD 0x03 0x1D 0xEB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9F 0x45 0x03 0xE8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x28 0x71 0x2E 0x0A ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\isapnp.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

hat sich danach aber trotzdem aufgehangen

Chris4You · 30.04.2010, 06:22

Hi,

ja, dafür hat GMER ein Rootkit gefunden...

Zitat:

File C:\WINDOWS\system32\drivers\isapnp.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

(Um das ganz klar erkennen zu können, müsste Daemontools deinstalliert und hinterhergeräumt werden...)

TDSS-Killer
Download und Anweisung unter: http://www.trojaner-board.de/82358-tdsskiller-google-umleitungen-tdss-tdl3-alureon-rootkit-entfernen.html#post640150
Entpacke alle Dateien!

Start.bat erstellen:
Start->alle Programme->Zubehör->Editor und kopiere folgenden Text rein:

Code:

ATTFilter

@ECHO OFF
TDSSKiller.exe -l report.txt -v
DEL %0

Speichern als: start.bat

abspeichern unter : Dateityp: alle Dateien

speichere die Datei im Ordner wo auch TDSSKiller.exe steht

Doppelklick start.bat

TDSSKiller.exe wird gestartet und ein Log erzeugen(report.txt).
Wenn TDSSKiller fertig ist poste den Inhalt der report.txt.

Wenn der Killer das Rootkit "erlegt" hat, bitte sofort MAM updaten und hinterher jagen...

chris

silxc · 30.04.2010, 12:09

hi, hier die report.txt

Zitat:

12:59:12:343 3240 UnloadDriverW: NtUnloadDriver error 2
12:59:12:343 3240 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:59:12:359 3240 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:59:12:359 3240 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:59:12:359 3240 wfopen_ex: Trying to KLMD file open
12:59:12:359 3240 wfopen_ex: File opened ok (Flags 2)
12:59:12:359 3240 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:59:12:359 3240 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:59:12:359 3240 wfopen_ex: Trying to KLMD file open
12:59:12:359 3240 wfopen_ex: File opened ok (Flags 2)
12:59:12:359 3240 Initialize success
12:59:12:359 3240
12:59:12:359 3240 Scanning Services ...
12:59:12:843 3240 Raw services enum returned 355 services
12:59:12:843 3240
12:59:12:843 3240 Scanning Kernel memory ...
12:59:12:843 3240 Devices to scan: 2
12:59:12:843 3240
12:59:12:843 3240 Driver Name: Disk
12:59:12:843 3240 IRP_MJ_CREATE : BA0EEBB0
12:59:12:843 3240 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:59:12:843 3240 IRP_MJ_CLOSE : BA0EEBB0
12:59:12:843 3240 IRP_MJ_READ : BA0E8D1F
12:59:12:843 3240 IRP_MJ_WRITE : BA0E8D1F
12:59:12:843 3240 IRP_MJ_QUERY_INFORMATION : 804F4562
12:59:12:843 3240 IRP_MJ_SET_INFORMATION : 804F4562
12:59:12:843 3240 IRP_MJ_QUERY_EA : 804F4562
12:59:12:843 3240 IRP_MJ_SET_EA : 804F4562
12:59:12:843 3240 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
12:59:12:843 3240 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:59:12:843 3240 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:59:12:843 3240 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:59:12:843 3240 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:59:12:843 3240 IRP_MJ_DEVICE_CONTROL : BA0E93BB
12:59:12:843 3240 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
12:59:12:843 3240 IRP_MJ_SHUTDOWN : BA0E92E2
12:59:12:843 3240 IRP_MJ_LOCK_CONTROL : 804F4562
12:59:12:843 3240 IRP_MJ_CLEANUP : 804F4562
12:59:12:843 3240 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:59:12:843 3240 IRP_MJ_QUERY_SECURITY : 804F4562
12:59:12:843 3240 IRP_MJ_SET_SECURITY : 804F4562
12:59:12:843 3240 IRP_MJ_POWER : BA0EAC82
12:59:12:843 3240 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
12:59:12:843 3240 IRP_MJ_DEVICE_CHANGE : 804F4562
12:59:12:843 3240 IRP_MJ_QUERY_QUOTA : 804F4562
12:59:12:843 3240 IRP_MJ_SET_QUOTA : 804F4562
12:59:12:890 3240 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:59:12:890 3240
12:59:12:890 3240 Driver Name: atapi
12:59:12:890 3240 IRP_MJ_CREATE : 8A58AEE4
12:59:12:890 3240 IRP_MJ_CREATE_NAMED_PIPE : 8A58AEE4
12:59:12:890 3240 IRP_MJ_CLOSE : 8A58AEE4
12:59:12:890 3240 IRP_MJ_READ : 8A58AEE4
12:59:12:890 3240 IRP_MJ_WRITE : 8A58AEE4
12:59:12:890 3240 IRP_MJ_QUERY_INFORMATION : 8A58AEE4
12:59:12:890 3240 IRP_MJ_SET_INFORMATION : 8A58AEE4
12:59:12:890 3240 IRP_MJ_QUERY_EA : 8A58AEE4
12:59:12:890 3240 IRP_MJ_SET_EA : 8A58AEE4
12:59:12:890 3240 IRP_MJ_FLUSH_BUFFERS : 8A58AEE4
12:59:12:890 3240 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A58AEE4
12:59:12:890 3240 IRP_MJ_SET_VOLUME_INFORMATION : 8A58AEE4
12:59:12:890 3240 IRP_MJ_DIRECTORY_CONTROL : 8A58AEE4
12:59:12:890 3240 IRP_MJ_FILE_SYSTEM_CONTROL : 8A58AEE4
12:59:12:890 3240 IRP_MJ_DEVICE_CONTROL : 8A58AEE4
12:59:12:890 3240 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A58AEE4
12:59:12:890 3240 IRP_MJ_SHUTDOWN : 8A58AEE4
12:59:12:890 3240 IRP_MJ_LOCK_CONTROL : 8A58AEE4
12:59:12:890 3240 IRP_MJ_CLEANUP : 8A58AEE4
12:59:12:890 3240 IRP_MJ_CREATE_MAILSLOT : 8A58AEE4
12:59:12:890 3240 IRP_MJ_QUERY_SECURITY : 8A58AEE4
12:59:12:890 3240 IRP_MJ_SET_SECURITY : 8A58AEE4
12:59:12:890 3240 IRP_MJ_POWER : 8A58AEE4
12:59:12:890 3240 IRP_MJ_SYSTEM_CONTROL : 8A58AEE4
12:59:12:890 3240 IRP_MJ_DEVICE_CHANGE : 8A58AEE4
12:59:12:890 3240 IRP_MJ_QUERY_QUOTA : 8A58AEE4
12:59:12:890 3240 IRP_MJ_SET_QUOTA : 8A58AEE4
12:59:12:890 3240 Driver "atapi" infected by TDSS rootkit!
12:59:12:890 3240 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
12:59:12:890 3240 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 12:59:12:890 3240 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
12:59:12:890 3240 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:59:13:078 3240 vfvi6
12:59:13:109 3240 !dsvbh1
12:59:13:843 3240 dsvbh2
12:59:13:843 3240 fdfb2
12:59:13:843 3240 Backup copy found, using it..
12:59:13:859 3240 will be cured on next reboot
12:59:13:859 3240 Reboot required for cure complete..
12:59:13:875 3240 Cure on reboot scheduled successfully
12:59:13:875 3240
12:59:13:875 3240 Completed
12:59:13:875 3240
12:59:13:875 3240 Results:
12:59:13:875 3240 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:59:13:875 3240 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:59:13:875 3240 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:59:13:875 3240
12:59:13:875 3240 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:59:13:875 3240 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:59:13:875 3240 UnloadDriverW: NtUnloadDriver error 1
12:59:13:875 3240 KLMD(ARK) unloaded successfully

Chris4You · 30.04.2010, 12:24

Hi,

wie erwartet der TDSS-Rootkit...

Zitat:

12:59:12:890 3240 Driver "atapi" infected by TDSS rootkit!
12:59:12:890 3240 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
12:59:12:890 3240 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 12:59:12:890 3240 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

Was macht MAM?

Hmm, normalerweise infiziert der neue gleich zwei Treiber ...
Der zweite Treiber "C:\WINDOWS\system32\drivers\isapnp.sys" wurde nich erkannt, das kann ins Auge gegangen sein (d.h. wurde zwar temporär entfernt aber gleich wieder infiziert über den zweiten Treiber)...
Um sicherzugehen, gleich noch CureIT hinterher:
http://www.trojaner-board.de/59299-a...eb-cureit.html
Nach Beendigung des Scans findes Du das Log unter %USERPROFILE%\DoctorWeb\CureIt.log.
Bevor du irgendwelche Aktionen unternimmst, kopiere bitte den Inhalt des Logs und poste ihn.
Die Log Datei ist sehr groß, ca. über 5MB Text. Benutzt einfach die Suche nach "infiziert" und kopiert betreffende Teile heraus, bevor Du sie postet.

chris

silxc · 30.04.2010, 14:10

Hi ,MAM hat nichts mehr gefunden.
Ich werd gleich mal mit CureIT scannen.
Mir ist seit eben aufgefallen das sich zufällig werbeseiten öffnen
ps danke für die hilfe!

Chris4You · 30.04.2010, 14:28

Hi,

ja,das sind die Symptome einer TDSS-Infektion, ergo die Entfernung hat nicht funktioniert ...
Das schlimme ist, wenn er Dir verseuchte Seiten öffnet dann ...

Daher möglichst wenig Online gehen...

Wenn CureIT nicht hilft, dann bleibt noch CF oder die Entfernung per Hand (dann brauchen wir die Treiber von einer sauberen XP-CD...

Hierschon mal CF (wobei ich einen Fall habe, wo der Rootkit die Ausführung von CF unterbunden hat!):
Combofix
Lade Combo Fix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop.
Achtung: Benenne die ComboFix.exe bereits im Downloaddialog auf z.B. "test.exe" um!

Achtung: In einigen wenigen Fällen kann es vorkommen, das der Rechner nicht mehr booten kann und Neuaufgesetzt werden muß!

Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen
Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report (ComboFix.txt) angezeigt, den bitte kopieren und in deinem Thread einfuegen.

Per Hand Treiber kopieren (atapi.sys etc.)

Code:

ATTFilter

Von XP-CD booten und in die Rettungskonsole/Wiederherstellungskonsole gehen.
Wenn auf der Festplatte das Verzeichnis "C:\WINDOWS\ServicePackFiles\i386"
zur Verfügung steht:
expand C:\WINDOWS\ServicePackFiles\i386\atapi.sy_ c:\windows\system32
oder sonst von CD entpacken
expand X:\i386\atapi.sy_ c:\windows\system32

Wobei "X" Dein CD/DVD-Laufwerk ist!
Mehr zur Wiederherstellungs/Rettungskonsole unter:
Installieren und Verwenden der Wiederherstellungskonsole in Windows XP
und
How to expand Windows XP files from the installation disk
Das gleiche dann auch für den zweiten verseuchten Treiber (isapnp.sys).
Achtung: Nicht einfach kopieren, die Dateien sind gepackt und müssen entpackt werden (daher "expand")
Und noch was: Geht dabei was schief, bootet der Rechner nicht mehr...

chris

silxc · 30.04.2010, 15:13

hi, cureit hängt sich bei der datei 1394bus.sys jedesmal auf.(nach cf lief CureIT durch und hat nichts mehr gefunden)
Ich probiers jetzt mit cf
edit:nach cf lief CureIT durch und hat nichts mehr gefunden

silxc · 30.04.2010, 16:19

Zitat:

Zitat von silxc

hi, cureit hängt sich bei der datei 1394bus.sys jedesmal auf.(nach cf lief CureIT durch und hat nichts mehr gefunden)
Ich probiers jetzt mit cf
edit:nach cf lief CureIT durch und hat nichts mehr gefunden

hätte ich fast vergessen noch das logfile

Zitat:

ComboFix 10-04-29.05 - Chris 01.05.2010 16:25:12.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.3327.2850 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Chris\Desktop\shf98374.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1123561945-362288127-839522115-1004
c:\recycler\S-1-5-21-1229272821-1214440339-839522115-1004
c:\recycler\S-1-5-21-350281380-233495102-1455855570-1004
c:\windows\system32\uZQEtNDuIS.dll

Infizierte Kopie von c:\windows\system32\drivers\isapnp.sys wurde gefunden und desinfiziert
Kopie von - Kitty had a snack

wurde wiederhergestellt
.
((((((((((((((((((((((( Dateien erstellt von 2010-04-01 bis 2010-05-01 ))))))))))))))))))))))))))))))
.

2010-05-01 13:55 . 2010-05-01 13:55 -------- d-----w- c:\dokumente und einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Opera
2010-05-01 13:16 . 2010-05-01 13:16 -------- d-----w- c:\dokumente und einstellungen\Administrator\DoctorWeb
2010-05-01 13:15 . 2010-05-01 13:15 -------- d-----r- c:\dokumente und einstellungen\Administrator\Eigene Dateien
2010-05-01 11:03 . 2010-05-01 11:03 6153352 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-01 00:23 . 2010-05-01 00:23 -------- d-----w- C:\_OTL
2010-04-30 14:18 . 2010-04-30 14:18 503808 ----a-w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f42677e-n\msvcp71.dll
2010-04-30 14:18 . 2010-04-30 14:18 499712 ----a-w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f42677e-n\jmc.dll
2010-04-30 14:18 . 2010-04-30 14:18 348160 ----a-w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f42677e-n\msvcr71.dll
2010-04-30 14:18 . 2010-04-30 14:18 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
2010-04-30 14:17 . 2010-04-30 14:17 61440 ----a-w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-64426d31-n\decora-sse.dll
2010-04-30 14:17 . 2010-04-30 14:17 12800 ----a-w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-64426d31-n\decora-d3d.dll
2010-04-30 14:17 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 21:17 . 2010-05-01 13:08 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2010-04-29 21:17 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 21:15 . 2010-04-29 21:15 -------- d-----w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Malwarebytes
2010-04-29 21:15 . 2010-04-29 21:16 -------- d-----w- c:\dokumente und einstellungen\Chris\mbam-installer
2010-04-29 21:15 . 2010-04-29 21:15 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-04-29 21:15 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:52 . 2010-04-29 19:52 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Avira
2010-04-29 19:43 . 2010-04-29 19:43 -------- d-----w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Avira
2010-04-29 19:30 . 2010-04-29 19:30 -------- d-----w- c:\programme\Avira
2010-04-29 19:30 . 2010-04-29 19:30 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2010-04-29 19:30 . 2010-03-01 08:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-29 19:30 . 2010-02-16 12:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-29 19:30 . 2009-05-11 10:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-29 19:30 . 2009-05-11 10:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-29 19:17 . 2010-04-29 19:17 -------- d-s---w- c:\dokumente und einstellungen\NetworkService\UserData
2010-04-29 15:02 . 2010-04-29 15:02 610304 ----a-w- C:\TCPOptimizer.exe
2010-04-29 13:53 . 2010-04-29 13:53 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
2010-04-29 13:35 . 2010-04-29 13:35 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Locktime
2010-04-28 11:41 . 2010-04-29 13:05 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2010-04-28 11:41 . 2010-04-28 11:43 -------- d-----w- c:\programme\Spybot - Search & Destroy
2010-04-25 12:11 . 2004-05-10 11:14 118272 ----a-w- c:\windows\system32\SX5363S.DLL
2010-04-25 12:11 . 2004-05-10 11:14 102400 ----a-w- c:\windows\system32\RV32RTP.dll
2010-04-23 11:44 . 2010-04-23 11:44 -------- d-----w- c:\programme\THQ
2010-04-21 19:33 . 2010-04-21 19:33 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Codemasters
2010-04-21 19:16 . 2010-04-21 19:16 -------- d-----w- c:\programme\Codemasters
2010-04-21 19:04 . 2010-04-21 19:04 -------- d-----w- c:\programme\CPUID
2010-04-21 19:04 . 2010-03-30 21:38 20968 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-04-21 18:20 . 2004-08-14 00:56 5810 ----a-w- c:\windows\system32\drivers\ASACPI.sys
2010-04-21 18:17 . 2010-04-21 18:17 -------- d-----w- c:\windows\system32\Lang
2010-04-21 18:13 . 2010-04-21 18:13 -------- d-----w- c:\programme\Intel
2010-04-21 18:13 . 2009-08-18 11:44 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-04-21 18:13 . 2010-04-21 18:13 -------- d-----w- C:\Intel
2010-04-21 15:53 . 2008-04-13 17:45 20608 -c--a-w- c:\windows\system32\dllcache\usbuhci.sys
2010-04-21 15:53 . 2008-04-13 17:45 20608 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2010-04-21 15:53 . 2001-08-17 11:46 6400 -c--a-w- c:\windows\system32\dllcache\enum1394.sys
2010-04-21 15:53 . 2001-08-17 11:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2010-04-21 15:53 . 2008-04-13 17:46 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-04-21 15:53 . 2008-04-13 17:46 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-04-21 15:53 . 2008-04-13 17:46 53376 -c--a-w- c:\windows\system32\dllcache\1394bus.sys
2010-04-21 15:53 . 2008-04-13 17:46 53376 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-04-16 20:26 . 2010-04-16 20:26 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-04-14 10:46 . 2010-04-14 10:46 -------- d-----w- c:\programme\Infogrames
2010-04-13 06:17 . 2010-04-13 06:17 -------- d-----w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Ascaron Entertainment
2010-04-13 06:13 . 2010-04-13 06:13 -------- d-----w- c:\programme\Ascaron Entertainment
2010-04-10 04:29 . 2010-04-11 16:08 -------- d-----w- c:\programme\Gemeinsame Dateien\Adobe AIR
2010-04-09 23:07 . 2010-04-09 23:18 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TrackMania
2010-04-09 22:58 . 2010-04-09 23:07 -------- d-----w- c:\programme\TmNationsForever
2010-04-08 22:35 . 2010-04-08 22:35 -------- d-s---w- c:\dokumente und einstellungen\Chris\UserData
2010-04-08 22:35 . 2010-04-08 22:35 -------- d-----w- c:\dokumente und einstellungen\NetworkService\Anwendungsdaten\Xfire
2010-04-08 22:35 . 2010-04-29 19:15 -------- d-----w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Xfire
2010-04-08 22:34 . 2010-05-01 13:04 -------- d-----w- c:\programme\Xfire
2010-04-03 16:57 . 2010-04-03 16:57 -------- d-----w- c:\programme\KONAMI
2010-04-03 16:57 . 2010-04-03 16:57 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\KONAMI
2010-04-02 18:51 . 2010-04-02 18:50 720896 ----a-w- c:\windows\iun6002.exe
2010-04-02 18:50 . 2010-04-02 18:51 -------- d-----w- C:\LDraw
2010-04-01 22:05 . 2010-04-01 22:05 -------- d-----w- c:\programme\LeoCAD
2010-04-01 21:17 . 2010-04-01 21:17 -------- d-----w- c:\windows\Sun
2010-04-01 15:47 . 2010-04-01 15:54 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 12:06 . 2009-02-06 16:03 -------- d-----w- c:\programme\Opera
2010-05-01 11:00 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-30 14:17 . 2009-02-13 19:18 -------- d-----w- c:\programme\Java
2010-04-29 21:13 . 2004-08-04 12:00 80108 ----a-w- c:\windows\system32\perfc007.dat
2010-04-29 21:13 . 2004-08-04 12:00 448800 ----a-w- c:\windows\system32\perfh007.dat
2010-04-29 00:23 . 2009-02-23 06:10 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2010-04-28 21:41 . 2010-04-28 21:41 -------- d-----w- c:\programme\ANI
2010-04-28 21:41 . 2009-02-06 15:39 -------- d--h--w- c:\programme\InstallShield Installation Information
2010-04-28 21:41 . 2010-04-28 21:41 -------- d-----w- c:\programme\D-Link
2010-04-26 16:04 . 2008-05-24 22:26 -------- d-----w- c:\programme\Audacity
2010-04-26 15:24 . 2009-02-06 15:56 27120 ----a-w- c:\dokumente und einstellungen\Chris\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2010-04-22 21:04 . 2009-02-06 16:01 -------- d-----w- c:\programme\Gameforge4D
2010-04-21 19:29 . 2010-02-18 22:39 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-21 19:29 . 2010-02-18 22:39 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-21 18:08 . 2010-04-21 18:08 -------- d-----w- c:\programme\Realtek
2010-04-21 18:08 . 2010-04-21 18:08 315392 ----a-w- c:\windows\HideWin.exe
2010-04-13 19:33 . 2010-03-31 15:23 -------- d-----w- c:\programme\JDownloader
2010-04-13 00:06 . 2009-02-06 16:39 -------- d-----w- c:\programme\QIP
2010-04-10 02:28 . 2009-10-19 21:15 -------- d-----w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\Hamachi
2010-03-26 08:32 . 2010-03-26 07:52 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Blizzard Entertainment
2010-03-20 13:54 . 2010-03-20 13:01 -------- d-----w- c:\programme\SopCast
2010-03-20 07:28 . 2010-03-20 07:28 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Blizzard
2010-03-20 07:09 . 2010-03-20 02:20 -------- d-----w- c:\programme\Gemeinsame Dateien\Blizzard Entertainment
2010-03-20 03:16 . 2009-02-07 17:36 -------- d-----w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\MAXON
2010-03-13 23:08 . 2009-02-06 20:04 -------- d-----w- c:\programme\Next Limit
2010-03-13 22:01 . 2009-03-09 22:22 -------- d-----w- c:\programme\MAXON
2010-03-13 21:59 . 2010-03-13 21:59 -------- d-----w- c:\programme\7-Zip
2010-03-12 20:23 . 2010-03-12 19:50 -------- d-----w- c:\dokumente und einstellungen\Chris\Anwendungsdaten\GetRightToGo
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 13:05 . 2010-03-07 13:05 -------- d-----w- c:\programme\RADVideo
2010-03-06 21:33 . 2010-03-06 21:33 -------- d-sh--w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\SecuROM
2010-03-02 12:50 . 2010-03-02 12:50 3237376 ----a-w- c:\windows\system32\frysdk32.dll
2010-02-26 05:41 . 2004-08-04 12:00 672768 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:41 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 05:02 . 2010-02-22 05:02 6538 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-02-16 19:04 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:04 . 2004-08-04 00:50 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 15:56 . 2010-02-15 15:56 0 ----a-r- C:\logwmemory.bin
2010-02-12 10:03 . 2010-03-07 10:47 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-04 09:01 . 2010-02-11 09:40 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 09:01 . 2010-02-11 09:40 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 09:01 . 2010-02-11 09:40 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 09:01 . 2010-02-11 09:40 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\programme\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\programme\opera\program\plugins\ssldivx.dll
2009-09-11 10:43 . 2009-09-11 10:43 80 --sh--r- c:\windows\system32\E3CB24DCAF.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\programme\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WZShutdown"="c:\wzshutdown\P_zero.exe" [2009-02-06 276480]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"ISUSPM Startup"="c:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"D-Link AirPlus G DWL-G510"="c:\programme\D-Link\AirPlus G DWL-G510\AirGCFG.exe" [2007-10-24 1552384]
"ANIWZCS2Service"="c:\programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2007-12-11 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= firefox.exe
"2"= opera.exe
"3"= chrome.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^BDARemote.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\BDARemote.lnk
backup=c:\windows\pss\BDARemote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Chris^Startmenü^Programme^Autostart^Logitech . Produktregistrierung.lnk]
path=c:\dokumente und einstellungen\Chris\Startmenü\Programme\Autostart\Logitech . Produktregistrierung.lnk
backup=c:\windows\pss\Logitech . Produktregistrierung.lnkStartup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Chris^Startmenü^Programme^Autostart^OpenOffice.org 3.1.lnk]
path=c:\dokumente und einstellungen\Chris\Startmenü\Programme\Autostart\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- c:\programme\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2007-01-19 09:49 49152 ----a-w- c:\programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATITool]
2006-12-08 15:23 3035136 ----a-w- c:\programme\ATITool\ATITool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G DWL-G510]
2007-10-24 12:30 1552384 ----a-w- c:\programme\D-Link\AirPlus G DWL-G510\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\programme\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
2008-01-14 12:18 3182248 ----a-w- c:\fraps\fraps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 05:03 221184 ----a-w- c:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 05:03 81920 ----a-w- c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-11 09:56 286720 ----a-w- c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2009-01-05 14:39 336896 ----a-w- c:\programme\Sandboxie\SbieCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-07-21 09:00 61440 ----a-w- c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Neuer Ordner (5)\\qip.exe"=
"c:\\Programme\\QIP\\qip.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Next Limit\\RealFlow4\\realflow.exe"=
"c:\\Programme\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programme\\Opera\\opera.exe"=
"c:\\Programme\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Programme\\Next Limit\\Maxwell 2\\maxwell.exe"=
"c:\\Programme\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Dokumente und Einstellungen\\Chris\\Eigene Dateien\\soldat\\Soldat\\Soldat.exe"=
"c:\\Programme\\Codemasters\\Dirt 2\\dirt2_game.exe"=
"c:\\Programme\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programme\\SopCast\\SopCast.exe"=
"c:\\World of Warcraft\\WoW-3.2.0-deDE-downloader.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Programme\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Programme\\Xfire\\Xfire.exe"=
"c:\\Programme\\TmNationsForever\\TmForever.exe"=
"c:\\Programme\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Programme\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56458:TCP"= 56458:TCP:Pando Media Booster
"56458:UDP"= 56458:UDP:Pando Media Booster

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [29.4.2010 21:30 135336]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [21.4.2010 21:04 20968]
S0 drmva;drmva; [x]
S0 lnpjftc;lnpjftc;c:\windows\system32\drivers\whjlohy.sys --> c:\windows\system32\drivers\whjlohy.sys [?]
S3 AhnRptTfFRegFNT;AhnRptTfFRegFNT;\??\c:\dokume~1\TISCHL~1\LOKALE~1\Temp\nsu369.tmp\TfFRegNt.sys --> c:\dokume~1\TISCHL~1\LOKALE~1\Temp\nsu369.tmp\TfFRegNt.sys [?]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [12.11.2008 14:54 37376]
S3 cmipci;CMI8738/8768 Audio Driver;c:\windows\system32\drivers\cmipci.sys [1.11.2009 15:41 37888]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [14.7.2009 16:35 19720]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [29.4.2010 15:53 38976]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1.9.2009 14:27 721904]
.
Inhalt des "geplante Tasks" Ordners
.
.
------- Zusätzlicher Suchlauf -------
.
FF - ProfilePath - c:\dokumente und einstellungen\Chris\Anwendungsdaten\Mozilla\Firefox\Profiles\w9cm8f5u.default\
FF - plugin: c:\programme\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programme\Opera\program\plugins\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-CmPCIaudio - CMICNFG3.cpl
MSConfigStartUp-hsf87efjhdsf87f3jfsdi7fhsujfd - c:\dokume~1\TISCHL~1\LOKALE~1\Temp\smss.exe
MSConfigStartUp-MSMSGS - c:\programme\Messenger\msmsgs.exe
MSConfigStartUp-SunJavaUpdateSched - c:\programme\Java\jre6\bin\jusched.exe
MSConfigStartUp-YVIBBBHA8C - c:\dokume~1\TISCHL~1\LOKALE~1\Temp\Flr.exe
AddRemove-AVIConverter - c:\programme\AVIConverter\uninst.exe
AddRemove-BF2ALL64 - c:\programme\EA GAMES\Battlefield 2\mods\bf2all64\Uninstall.exe
AddRemove-DAEMON Tools Toolbar - c:\programme\DAEMON Tools Toolbar\uninst.exe
AddRemove-FL Studio 7 - c:\programme\Image-Line\FL Studio 7\uninstall.exe
AddRemove-Flash-SWF to AVI-GIF - c:\programme\Flash-SWF to AVI-GIF\uninst.exe
AddRemove-Freez FLV to MP3 Converter V1.2_is1 - c:\programme\Smallvideosoft\Freez FLV to MP3 Converter\unins000.exe
AddRemove-Frets on Fire - c:\programme\Frets on Fire\Uninstall.exe
AddRemove-IL Autogun - c:\programme\Image-Line\IL Autogun\uninstall.exe
AddRemove-IL Download Manager - c:\programme\Image-Line\Downloader\uninstall.exe
AddRemove-MSNINST - c:\programme\MSN\MsnInstaller\msninst.exe
AddRemove-Theme Park_is1 - c:\programme\Theme Park\unins000.exe
R11\plugins\Turbulence4D\uninst.exe
AddRemove-{1a413f37-ed88-4fec-9666-5c48dc4b7bb7} - c:\programme\YouTube Downloader\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-05-01 16:32
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-790525478-1580436667-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a5,8f,f1,c0,4b,bd,f2,b4,11,13,e2,9d,ee,51,ed,77,9e,1e,5e,77,ac,a4,52,
d3,8f,28,98,76,15,d0,08,47,4f,70,9f,a2,29,8e,5e,95,6f,57,16,28,e7,ce,f3,e8,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-790525478-1580436667-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:e0,1e,e0,c4,f6,49,a0,d9,72,2f,17,3b,62,20,f4,d7,f6,3a,90,6e,08,
df,f1,da,13,39,8c,98,5d,de,bd,7c,f1,50,70,e8,f4,56,7b,8e,14,f3,57,88,45,1d,\
"rkeysecu"=hex:b8,3b,19,bd,c7,bb,d9,ff,bd,e3,7c,00,3b,26,bc,62
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
.
Zeit der Fertigstellung: 2010-05-01 16:34:09
ComboFix-quarantined-files.txt 2010-05-01 14:34

Vor Suchlauf: 24 Verzeichnis(se), 26.600.890.368 Bytes frei
Nach Suchlauf: 25 Verzeichnis(se), 31.582.715.904 Bytes frei

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0DF15DFE7A5805183BF3D55C1487216A

Chris4You · 30.04.2010, 17:25

Hi,

sieht recht gut aus, bitte noch folgende Files prüfen:

Dateien Online überprüfen lassen:

Als erstes versteckte Dateien anzeigen lassen!
(nur Punkt 1 durchführen!)

Suche die Seite Virtustotal auf, klicke auf den
Button „Durchsuchen“ und suche folgende Datei/Dateien:

Code:

ATTFilter

c:\windows\system32\SX5363S.DLL
c:\windows\system32\RV32RTP.dll

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)

Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.

Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Was macht der Rechner?

CF hat die andere infizierte Datei erwischt, der Killer die atapi.sys (nennt sich dann wohl "Aufgabenteilung" ;o)

chris

sdra64.exe ++

Log-Analyse und Auswertung: sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

sdra64.exe ++

Ähnliche Themen: sdra64.exe ++

30.04.2010, 14:10	#11
silxc	sdra64.exe ++ Hi ,MAM hat nichts mehr gefunden. Ich werd gleich mal mit CureIT scannen. Mir ist seit eben aufgefallen das sich zufällig werbeseiten öffnen ps danke für die hilfe!

30.04.2010, 15:13	#13
silxc	sdra64.exe ++ hi, cureit hängt sich bei der datei 1394bus.sys jedesmal auf.(nach cf lief CureIT durch und hat nichts mehr gefunden) Ich probiers jetzt mit cf edit:nach cf lief CureIT durch und hat nichts mehr gefunden Geändert von silxc (30.04.2010 um 16:11 Uhr)