Pests of all kinds and how to get rid of them: Trojan TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe (Windows 7)

06.07.2010, 13:19 | #1
Yesterday Avira AntiVir found the trojan named in the title on my machine and also put it into quarantine. It also reported that the detection pattern RKIT/Bubnix.AU is located in C:\Windows\System32\drivers\neyrpram.sys. That was quarantined as well. My question now is: how can I delete these completely?
06.07.2010, 13:23 | #2
AntiVir will have a reason for putting this trojan into quarantine rather than deleting it. Why exactly, I can't say for sure, but I once had a trojan that restored itself from the RECYCLER folder (not the Recycle Bin), and that's why I think it is better to leave some trojans (and viruses too) in quarantine and, above all, not to "free" them again as a beginner, because as I said: some can restore themselves.
06.07.2010, 14:03 | #3
/// Winkelfunktion /// TB-Süch-Tiger™
Hello, and please run a full scan with Malwarebytes and post the log. After that, OTL:

System scan with OTL
Please download OTL from OldTimer and save it to your desktop
06.07.2010, 14:05 | #4
For the three findings listed first it says they could not be moved to quarantine, but on my computer they are shown there. So here is the exact report:

Die Datei 'C:\Windows\System32\drivers\neyrpram.sys' enthielt einen Virus oder unerwünschtes Programm 'RKIT/Bubnix.AU' [trojan].
Durchgeführte Aktion(en):
Beim Versuch eine Sicherungskopie der Datei anzulegen ist ein Fehler aufgetreten und die Datei wurde nicht gelöscht. Fehlernummer: 26004. Die Quelldatei konnte nicht gefunden werden.
Es wird versucht die Aktion mit Hilfe der ARK Library durchzuführen.
Die Datei konnte nicht ins Quarantäneverzeichnis verschoben werden!
Die Datei konnte nicht gelöscht werden!
Die Datei konnte nicht zum Löschen nach dem Neustart markiert werden. Mögliche Ursache: Ein an das System angeschlossenes Gerät funktioniert nicht.

Die Datei 'C:\Windows\System32\drivers\neyrpram.sys' enthielt einen Virus oder unerwünschtes Programm 'RKIT/Bubnix.AU' [trojan].
Durchgeführte Aktion(en):
Beim Versuch eine Sicherungskopie der Datei anzulegen ist ein Fehler aufgetreten und die Datei wurde nicht gelöscht. Fehlernummer: 26004. Die Quelldatei konnte nicht gefunden werden.
Es wird versucht die Aktion mit Hilfe der ARK Library durchzuführen.
Die Datei konnte nicht ins Quarantäneverzeichnis verschoben werden!
Die Datei konnte nicht gelöscht werden!
Die Datei konnte nicht zum Löschen nach dem Neustart markiert werden. Mögliche Ursache: Ein an das System angeschlossenes Gerät funktioniert nicht.

Die Datei 'C:\Windows\System32\drivers\neyrpram.sys' enthielt einen Virus oder unerwünschtes Programm 'RKIT/Bubnix.AU' [trojan].
Durchgeführte Aktion(en):
Beim Versuch eine Sicherungskopie der Datei anzulegen ist ein Fehler aufgetreten und die Datei wurde nicht gelöscht. Fehlernummer: 26004. Die Quelldatei konnte nicht gefunden werden.
Es wird versucht die Aktion mit Hilfe der ARK Library durchzuführen.
Die Datei konnte nicht ins Quarantäneverzeichnis verschoben werden!
Die Datei konnte nicht gelöscht werden!
Die Datei konnte nicht zum Löschen nach dem Neustart markiert werden. Mögliche Ursache: Ein an das System angeschlossenes Gerät funktioniert nicht.

Die Datei 'C:\Users\Verena\AppData\Local\Temp\svchost.exe' enthielt einen Virus oder unerwünschtes Programm 'TR/Crypt.XPACK.Gen' [trojan].
Durchgeführte Aktion(en):
Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '5082414a.qua' verschoben!
06.07.2010, 15:33 | #5
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4281
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

06.07.2010 16:27:58
mbam-log-2010-07-06 (16-27-58).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 311090
Laufzeit: 1 Stunde(n), 7 Minute(n), 15 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 3
Infizierte Dateien: 12

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
C:\ProgramData\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\1 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\REFOG Keylogger (Refog.Keylogger) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Windows\System32\drivers\neyrpram.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\key.bin (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\M0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\REFOG Keylogger.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\1\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\1\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\REFOG Keylogger\Hilfe Themen.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\REFOG Keylogger\Jetzt bestellen!.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\REFOG Keylogger\REFOG Keylogger entfernen.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\REFOG Keylogger\REFOG Keylogger im Internet.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\REFOG Keylogger\REFOG Keylogger.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
06.07.2010, 15:37 | #6
/// Winkelfunktion /// TB-Süch-Tiger™
Did you install the MPK keylogger deliberately at some point?
06.07.2010, 15:40 | #7
OTL Logfile:
Code:
OTL logfile created on: 06.07.2010 16:35:46 - Run 1
OTL by OldTimer - Version 3.2.7.1     Folder = C:\Users\Verena\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 62,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 144,09 Gb Total Space | 35,22 Gb Free Space | 24,44% Space Free | Partition Type: NTFS
Drive D: | 144,00 Gb Total Space | 143,70 Gb Free Space | 99,79% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VERENA-PC
Current User Name: Verena
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Verena\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\pdf24\pdf24.exe (Geek Software GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - \\?\C:\Windows\System32\wbem\WMIADAP.EXE ()
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\OpenVPN\bin\openvpn.exe ()
PRC - C:\Programme\OpenVPN\bin\openvpnserv.exe ()
PRC - C:\Programme\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
PRC - C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
PRC - C:\Programme\Samsung\Easy Display Manager\dmhkcore.exe (SAMSUNG Electronics)
PRC - C:\Programme\Samsung\Samsung Update Plus\SLUTrayNotifier.exe ()
PRC - C:\Programme\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe (Samsung Electronics Co., Ltd.)
PRC - C:\Programme\Samsung\EBM\EasyBatteryMgr3.exe (SAMSUNG Electronics co., LTD.)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Programme\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe (Samsung Electronics Co., Ltd.)
PRC - C:\Programme\Common Files\microsoft shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Users\Verena\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\BtMmHook.dll (Broadcom Corporation.)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (OpenVPNService) -- C:\Programme\OpenVPN\bin\openvpnserv.exe ()
SRV - (EvtEng) -- C:\Programme\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
SRV - (RegSrvc) -- C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
SRV - (Samsung Update Plus) -- C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe ()
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)

========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (UsbserFilt) -- C:\Windows\System32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (upperdev) -- C:\Windows\System32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (nmwcdc) -- C:\Windows\System32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcd) -- C:\Windows\System32\drivers\ccdcmb.sys (Nokia)
DRV - (tap0901) -- C:\Windows\System32\drivers\tap0901.sys (The OpenVPN Project)
DRV - (pccsmcfd) -- C:\Windows\System32\drivers\pccsmcfd.sys (Nokia)
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (NETw5v32) Intel(R) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (VMC302) -- C:\Windows\System32\drivers\vmc302.sys (Vimicro Corporation)
DRV - (btwaudio) -- C:\Windows\System32\drivers\btwaudio.sys (Broadcom Corporation.)
DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (NETw3v32) Intel(R) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (yukonwlh) -- C:\Windows\System32\drivers\yk60x86.sys (Marvell)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (btwrchid) -- C:\Windows\System32\drivers\btwrchid.sys (Broadcom Corporation.)
DRV - (btwavdt) -- C:\Windows\System32\drivers\btwavdt.sys (Broadcom Corporation.)
DRV - (KMDFMEMIO) -- C:\Windows\System32\drivers\KMDFMEMIO.sys (SAMSUNG ELECTRONICS CO., LTD.)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\agrsm.sys (Agere Systems)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (ialm) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (tap0801) -- C:\Windows\System32\drivers\tap0801.sys (The OpenVPN Project)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
IE - HKLM\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825
IE - HKCU\..\URLSearchHook:  - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Winload Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319825&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Winload Customized Web Search"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2319825&SearchSource=13"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.06.29 10:43:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.05 12:28:58 | 000,000,000 | ---D | M]

[2008.11.06 00:29:21 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\mozilla\Extensions
[2010.02.05 08:28:18 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\mozilla\Firefox\Profiles\ajieacm6.default\extensions
[2009.12.16 15:35:14 | 000,000,917 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\conduit.xml
[2010.06.30 11:08:37 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-1.xml
[2009.04.23 22:19:38 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-2.xml
[2009.04.29 18:26:44 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-3.xml
[2009.06.16 16:29:44 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-4.xml
[2009.07.24 07:49:23 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-5.xml
[2009.08.11 17:08:53 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-6.xml
[2009.03.25 12:49:20 | 000,000,944 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin.xml
[2010.07.06 11:17:14 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.05.14 15:33:08 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.05.14 15:32:58 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.03.12 15:44:48 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.03.12 15:44:48 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.03.12 15:44:48 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.03.12 15:44:48 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.03.12 15:44:48 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Winload Toolbar) - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Winload Toolbar) - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Winload Toolbar) - {40C3CC16-7269-4B32-9531-17F2950FB06F} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Programme\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PDFPrint] C:\Programme\pdf24\pdf24.exe (Geek Software GmbH)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} hxxp://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab (Oberon Flash Game Host)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.6.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img34.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img34.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{0da65834-163f-11df-81a9-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found
O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell - "" = AutoRun
O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell - "" = Autorun
O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell\Open\command - "" = RECYCLER\S-2-4-38-100026351-100008458-100006666-2738.com f:\
O33 - MountPoints2\{ee16fdb2-30fe-11de-9773-0013779efc8e}\Shell\AutoRun\command - "" = F:\wd_windows_tools\setup.exe -- File not found
O33 - MountPoints2\{ff559042-da80-11de-89eb-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.07.06 16:34:23 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Verena\Desktop\OTL.exe
[2010.07.06 16:28:38 | 000,000,000 | ---D | C] -- C:\Users\Verena\Documents\log
[2010.07.06 15:09:45 | 000,000,000 | ---D | C] -- C:\Users\Verena\AppData\Roaming\Malwarebytes
[2010.07.06 15:08:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.07.06 15:08:42 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.07.06 15:08:42 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.07.06 15:08:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.07.06 14:26:19 | 000,000,000 | ---D | C] -- C:\Programme\HijackThis
[2010.07.05 12:22:31 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010.07.01 11:45:50 | 000,000,000 | ---D | C] -- C:\xampp
[2010.06.29 10:35:43 | 000,000,000 | ---D | C] -- C:\Users\Verena\AppData\Local\AOL
[2010.06.29 10:35:25 | 000,000,000 | ---D | C] -- C:\Programme\ICQ7.2
[2010.06.24 12:12:47 | 000,000,000 | ---D | C] -- C:\Programme\iPod
[2010.06.24 12:12:46 | 000,000,000 | ---D | C] -- C:\Programme\iTunes
[2010.06.24 12:09:48 | 000,000,000 | ---D | C] -- C:\Programme\Bonjour
[2010.06.23 15:13:27 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010.06.23 15:13:27 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010.06.23 15:13:27 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010.06.23 12:40:21 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010.06.23 12:40:21 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010.06.16 11:53:57 | 000,000,000 | ---D | C] -- C:\Programme\SPORT619D
[2010.06.15 10:46:03 | 000,000,000 | ---D | C] -- C:\Users\Verena\Documents\Eignungstests
[2010.06.14 11:45:45 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010.06.14 11:45:45 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010.06.14 11:45:43 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll
[2010.06.14 11:45:33 | 002,037,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010.06.14 11:45:25 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010.06.14 11:45:24 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010.06.14 11:45:24 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010.06.14 11:45:24 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010.06.14 11:45:24 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010.06.14 11:45:23 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010.06.14 11:45:23 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010.06.14 11:45:23 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010.06.14 11:45:23 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010.06.14 11:45:23 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010.06.14 11:45:23 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010.06.14 11:45:23 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010.06.14 11:45:23 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010.06.14 11:45:23 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010.06.14 11:45:22 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2006.11.24 07:14:44 | 000,139,264 | ---- | C] ( ) -- C:\Windows\System32\MACSSDK_wiz.dll
[2006.11.24 07:14:44 | 000,126,976 | ---- | C] ( ) -- C:\Windows\System32\MACSSDK.dll

========== Files - Modified Within 30 Days ==========

[2010.07.06 16:37:17 | 000,741,376 | ---- | M] () -- C:\Windows\System32\drivers\neyrpram.sys
[2010.07.06 16:35:08 | 002,621,440 | -HS- | M] () -- C:\Users\Verena\NTUSER.DAT
[2010.07.06 16:34:28 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Verena\Desktop\OTL.exe
[2010.07.06 16:30:33 | 000,186,460 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010.07.06 16:30:32 | 000,186,460 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010.07.06 16:30:25 | 000,004,912 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.07.06 16:30:25 | 000,004,912 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.07.06 16:30:20 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.07.06 16:30:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.07.06 16:30:11 | 3215,572,992 | -HS- | M] () -- C:\hiberfil.sys
[2010.07.06 16:29:38 | 000,524,288 | -HS- | M] () -- C:\Users\Verena\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010.07.06 16:29:38 | 000,065,536 | -HS- | M] () -- C:\Users\Verena\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010.07.06 16:29:31 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010.07.06 16:29:28 | 001,355,803 | -H-- | M] () -- C:\Users\Verena\AppData\Local\IconCache.db
[2010.07.06 14:30:34 | 000,001,972 | ---- | M] () -- C:\Users\Verena\Desktop\HiJackThis.lnk
[2010.07.06 14:01:04 | 001,441,486 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.07.06 14:01:04 | 000,626,780 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.07.06 14:01:04 | 000,594,224 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.07.06 14:01:04 | 000,126,396 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.07.06 14:01:04 | 000,104,038 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.07.06 10:20:59 | 000,036,352 | ---- | M] () -- C:\Users\Verena\Documents\WM Tipprunde.xls
[2010.07.05 12:26:25 | 270,547,880 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010.07.01 11:47:15 | 000,000,393 | ---- | M] () -- C:\Users\Verena\Desktop\XAMPP Control Panel.lnk
[2010.06.17 13:48:11 | 000,027,648 | ---- | M] () -- C:\Users\Verena\Documents\Geburtstag_Tim.doc
[2010.06.16 14:29:03 | 000,101,248 | ---- | M] () -- C:\Users\Verena\AppData\Local\GDIPFONTCACHEV1.DAT
[2010.06.16 14:28:08 | 000,369,008 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010.06.16 11:55:15 | 000,000,253 | ---- | M] () -- C:\Windows\win.ini
[2010.06.16 11:31:35 | 000,000,016 | -H-- | M] () -- C:\Windows\System32\servdat.slm
[2010.06.16 11:30:30 | 000,000,219 | ---- | M] () -- C:\Windows\System32\lsprst7.tgz
[2010.06.16 11:30:30 | 000,000,205 | ---- | M] () -- C:\Windows\System32\lsprst7.dll
[2010.06.16 11:30:30 | 000,000,014 | ---- | M] () -- C:\Windows\System32\ssprs.tgz
[2010.06.16 11:28:12 | 000,001,024 | ---- | M] () -- C:\Windows\System32\clauth2.dll
[2010.06.16 11:28:12 | 000,001,024 | ---- | M] () -- C:\Windows\System32\clauth1.dll
[2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\ssprs.dll
[2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\serauth2.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\serauth1.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\nsprs.tgz [2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\nsprs.dll [2010.06.16 11:27:12 | 000,001,025 | ---- | M] () -- C:\Windows\System32\sysprs7.tgz [2010.06.16 11:27:12 | 000,001,025 | ---- | M] () -- C:\Windows\System32\sysprs7.dll [2010.06.14 15:24:44 | 000,000,039 | ---- | M] () -- C:\Windows\vbaddin.ini ========== Files Created - No Company Name ========== [2010.07.06 14:30:34 | 000,001,972 | ---- | C] () -- C:\Users\Verena\Desktop\HiJackThis.lnk [2010.07.06 12:30:42 | 3215,572,992 | -HS- | C] () -- C:\hiberfil.sys [2010.07.05 12:22:23 | 270,547,880 | ---- | C] () -- C:\Windows\MEMORY.DMP [2010.07.01 11:47:15 | 000,000,393 | ---- | C] () -- C:\Users\Verena\Desktop\XAMPP Control Panel.lnk [2010.06.16 11:28:12 | 000,001,024 | ---- | C] () -- C:\Windows\System32\clauth2.dll [2010.06.16 11:28:12 | 000,001,024 | ---- | C] () -- C:\Windows\System32\clauth1.dll [2010.06.16 11:28:12 | 000,000,014 | ---- | C] () -- C:\Windows\System32\ssprs.tgz [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\ssprs.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\serauth2.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\serauth1.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\nsprs.tgz [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\nsprs.dll [2010.06.16 11:27:13 | 000,000,219 | ---- | C] () -- C:\Windows\System32\lsprst7.tgz [2010.06.16 11:27:12 | 000,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.tgz [2010.06.16 11:27:12 | 000,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.dll [2010.06.16 11:27:12 | 000,000,205 | ---- | C] () -- C:\Windows\System32\lsprst7.dll 
[2010.06.16 11:27:12 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\servdat.slm [2010.06.15 13:35:43 | 000,027,648 | ---- | C] () -- C:\Users\Verena\Documents\Geburtstag_Tim.doc [2010.05.13 23:10:14 | 000,741,376 | ---- | C] () -- C:\Windows\System32\drivers\neyrpram.sys [2009.09.17 10:23:12 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll [2008.11.06 01:00:07 | 000,000,284 | ---- | C] () -- C:\Windows\matlab.ini [2008.11.05 10:01:19 | 000,000,534 | ---- | C] () -- C:\Windows\ODBC.INI [2008.07.08 16:50:18 | 000,000,684 | ---- | C] () -- C:\Windows\HotFixList.ini [2008.07.08 16:31:32 | 000,000,135 | R--- | C] () -- C:\Windows\System32\lngEng.ini [2008.07.08 16:31:32 | 000,000,117 | ---- | C] () -- C:\Windows\System32\lngKor.ini [2008.07.08 14:45:50 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll [2007.02.15 09:51:02 | 000,274,432 | ---- | C] () -- C:\Windows\System32\NDADLL.dll [2006.11.29 10:00:28 | 000,307,200 | ---- | C] () -- C:\Windows\System32\LDBGenWizView.dll [2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll [2006.11.02 12:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll [2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006.10.09 03:01:28 | 000,061,440 | ---- | C] () -- C:\Windows\System32\AVSAudioWideStereoDMO.dll [2003.02.20 18:53:42 | 000,005,702 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI [2001.11.14 05:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll ========== Alternate Data Streams ========== @Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:48CF36A1 < End of report > |
06.07.2010, 15:42 | #8 |
| Trojan TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe OTL EXTRAS Logfile: Code:
ATTFilter OTL Extras logfile created on: 06.07.2010 16:35:47 - Run 1 OTL by OldTimer - Version 3.2.7.1 Folder = C:\Users\Verena\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18928) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 62,00% Memory free 6,00 Gb Paging File | 5,00 Gb Available in Paging File | 83,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 144,09 Gb Total Space | 35,22 Gb Free Space | 24,44% Space Free | Partition Type: NTFS Drive D: | 144,00 Gb Total Space | 143,70 Gb Free Space | 99,79% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: VERENA-PC Current User Name: Verena Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" () Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-113378734-2685825776-4182880352-1003] "EnableNotifications" = 0 "EnableNotificationsRef" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== 
Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{17C9712C-B0FF-4DE2-8825-DACFF07A2A6D}" = lport=445 | protocol=6 | dir=in | app=system | "{1ACC8B81-4A32-4952-B23E-3B83139AA64F}" = lport=138 | protocol=17 | dir=in | app=system | "{20000877-69F7-4346-B4CE-B9E1BB47C55E}" = rport=138 | protocol=17 | dir=out | app=system | "{2677158A-5F0E-4049-969B-0CF2018C79DB}" = rport=445 | protocol=6 | dir=out | app=system | "{3FD0B431-FA3C-48C4-97FD-5484C4111559}" = rport=137 | protocol=17 | dir=out | app=system | "{5A5CACB9-A9DC-4CA0-8C73-6ADEB81F3B58}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{B90197B0-98B8-4132-BB41-BF493DD0CD59}" = lport=139 | protocol=6 | dir=in | app=system | "{C644570E-17B8-4601-A65F-E80EE9425ABE}" = lport=137 | protocol=17 | dir=in | app=system | "{E912E8C0-725B-4AAE-89C4-D664C62E8944}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{FC0AEC55-BED7-4381-B956-96A224A80686}" = rport=139 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{1C583C8D-F7CA-43F8-93A4-435CC02A320F}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | "{291D306C-48AA-4223-B4A4-5D53D8E45FDD}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{31DCBC26-833A-4C18-9392-CA2E651AB737}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{35A3779F-1D36-4A27-B8DA-0771AF95C0DF}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{3A3291D1-0A9B-4AF1-A82B-3A8D1792CD0D}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | "{488A824F-49E4-4B26-B264-E0A76CBB9250}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{58C5113D-DAED-4A8C-BBDA-64AC31289468}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{5E921802-5CAB-447C-ADDF-357A1B489944}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | "{5F8C8DE1-6B64-4F99-8D3A-0A252E10F3EE}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{605444A3-46C6-4D3D-BFB7-043AD845BB30}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | "{6779FCAE-5815-46CF-89C3-D6A107FAA6AC}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{6A111E58-19FB-4938-8E1F-CBA92F24D251}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{6C708175-E552-40D1-A8A6-13CFD9899760}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{C4201925-B526-429E-A410-76D3A9F6E55C}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{C5E0CE70-5233-480B-B04C-82930B33F6FF}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{DA0FB6EE-453A-44E7-AD3C-E4553E6E4C05}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | "{DF055CF5-5EE1-4BB0-A800-5AC016DBB9D1}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | "{E75CBF35-506F-418D-825D-14AC26E40972}" = dir=in | app=c:\program files\cyberlink\powerdvd\powerdvd.exe | "{F3912D98-47DA-4BFE-B323-AD57CAD00D05}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{F4A4C267-ABA5-402E-A1DA-6DC9232380A6}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{FE9A3759-7938-4A11-8F78-7FB9210BA2FB}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | "{FF45B251-962B-4EF4-B0FF-6B8404EC51D0}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | "{FFE802C9-B147-4651-9BE1-5B48A6CDC045}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe | "TCP Query User{3D4CDFC7-E891-45E1-9D43-E3AD48C7E823}C:\xampp\mysql\bin\mysqld.exe" = protocol=6 | dir=in | app=c:\xampp\mysql\bin\mysqld.exe | "TCP Query User{62C4C1CA-B5E8-4BE5-AC85-424C136E679F}C:\program 
files\icq6\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6\icq.exe | "TCP Query User{8C9FDD66-2498-48BA-805F-A5AE91C78571}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | "TCP Query User{D0F21E8F-B8FE-4733-8583-413F2F79258F}C:\program files\packet tracer 5.0\bin\packettracer5.exe" = protocol=6 | dir=in | app=c:\program files\packet tracer 5.0\bin\packettracer5.exe | "UDP Query User{38268769-3F55-4ACB-9A8B-516A2DC381CF}C:\program files\icq6\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6\icq.exe | "UDP Query User{74F80BA2-8848-45A2-AE5B-C470AA099FD3}C:\program files\packet tracer 5.0\bin\packettracer5.exe" = protocol=17 | dir=in | app=c:\program files\packet tracer 5.0\bin\packettracer5.exe | "UDP Query User{986D05A7-8DE5-4B5B-964E-54D977607EAC}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | "UDP Query User{CA7C2A00-8CF0-4D1B-9374-A0E800EF7C58}C:\xampp\mysql\bin\mysqld.exe" = protocol=17 | dir=in | app=c:\xampp\mysql\bin\mysqld.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{004C5DA2-2051-4D25-94BA-51CF810C91EB}" = LightScribe System Software 1.12.37.1 "{00AF10C1-44BD-4862-9D7F-24E6BA3E87FD}" = imagine digital freedom - Samsung "{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.0.1.6300 "{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32 "{04983D37-2202-4295-94A2-8B547C66133F}" = Atheros WLAN Client "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{07629207-FAA0-4F1A-8092-BF5085BE511F}" = Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch) "{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour 
"{0E592C31-09EF-3CA1-A7DE-05D13DFCF791}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - deu "{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution III "{146E206D-7D2C-493A-B431-1F1D16E822AF}" = MobileMe Control Panel "{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite "{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86 "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20 "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime "{32D6A58F-9659-446C-BBFC-E6F2B41F24DC}" = Samsung Magic Doctor "{36BEAD11-8577-49AD-9250-E06A50AE87B0}" = Microsoft SOAP Toolkit 2.0 SP2 "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4EA8EA5D-8E46-4698-9BF7-2F2AD8E1C185}" = Easy Network Manager 3.0 "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies "{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8 "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD "{685707A4-911C-468D-BFC4-64A50E5E3A0C}" = Samsung Update Plus "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{6F730513-8688-4C3C-90A3-6B9792CE2EF3}" = Easy Battery Manager "{71A51B09-E7D3-11DB-A386-005056C00008}" = Vimicro UVC Camera "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2 "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes 
"{804F1285-8CBF-408D-8CDC-D4D40003B2E4}" = PlayCamera "{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1" = PDF24 Creator "{82427977-8776-4087-90CA-9F65174D3C4D}" = Nokia Connectivity Cable Driver "{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries "{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_VISPROR_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0407-0000-0000000FF1CE}_WebDesigner_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_VISPROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}_WebDesigner_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_VISPROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}_WebDesigner_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_VISPROR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0410-0000-0000000FF1CE}_WebDesigner_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system 
"{90120000-0026-0000-0000-0000000FF1CE}" = Microsoft Expression Web "{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581) "{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{9037FDA8-8383-4B6F-859D-D49C3C625225}" = Microsoft Expression Web Service Pack 1 (SP1) "{90120000-0026-0407-0000-0000000FF1CE}" = Microsoft Expression Web MUI (German) "{90120000-0026-0407-0000-0000000FF1CE}_WebDesigner_{0B9EAEAC-F271-45DC-BDCB-06ABEEF19825}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2) "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-0054-0407-0000-0000000FF1CE}" = Microsoft Office Visio MUI (German) 2007 "{90120000-0054-0407-0000-0000000FF1CE}_VISPROR_{60CC0F2D-BFA0-4851-903D-809D876DD87B}" = Microsoft Office Visio 2007 Service Pack 2 (SP2) "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_VISPROR_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-006E-0407-0000-0000000FF1CE}_WebDesigner_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2) "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager "{90A40407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components "{91120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007 "{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2) "{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581) "{91120407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003 "{955597D8-E5E1-474D-B647-60AC44566D24}" = Play AVStation "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 
Redistributable - x86 9.0.30729.17 "{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components "{AC76BA86-7AD7-1031-7B44-A82000000003}" = Adobe Reader 8.2.3 - Deutsch "{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer "{B7CB0BF3-791E-44D3-9F04-786E36D51C9D}" = PC Connectivity Solution "{BA5F3E0E-8F3E-47BD-88E4-AD3EB5225F51}" = Intel(R) PROSet/Wireless WiFi-Software "{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D5A7D7AB-3093-3619-9261-74DB250ECF7B}" = Microsoft Visual C++ 2008 Express Edition with SP1 - DEU "{EF367AA4-070B-493C-9575-85BE59D789C9}" = Easy SpeedUp Manager "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone-Konfigurationsprogramm "504244733D18C8F63FF584AEB290E3904E791693" = Windows-Treiberpaket - Nokia pccsmcfd (08/22/2008 7.0.0.0) "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Agere Systems Soft Modem" = Agere Systems HDA Modem "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v4.60 "FileZilla Client" = FileZilla Client 3.3.2 "InstallShield_{4EA8EA5D-8E46-4698-9BF7-2F2AD8E1C185}" = Easy Network Manager 3.0 "InstallShield_{685707A4-911C-468D-BFC4-64A50E5E3A0C}" = Samsung Update Plus "InstallShield_{955597D8-E5E1-474D-B647-60AC44566D24}" = Play AVStation "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "MatlabR2006b" = MATLAB R2006b "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft Visual C++ 2008 Express Edition with SP1 - DEU" = Microsoft Visual C++ 2008 Express Edition mit SP1 - DEU "Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6) "NVIDIA Drivers" = NVIDIA Drivers "OpenVPN" = OpenVPN 2.1_rc13 "Packet Tracer 5.0_is1" = Packet Tracer 5.0 "ProInst" = Intel PROSet Wireless "SPORT619" = SPORT "SynTPDeinstKey" = Synaptics Pointing Device Driver "TextMaker Viewer" = TextMaker Viewer "VISPROR" = Microsoft Office Visio Professional 2007 "VLC media player" = VLC media player 0.9.6 "WebDesigner" = Microsoft Expression Web "Winload Toolbar" = Winload Toolbar "WinRAR archiver" = WinRAR "xampp" = XAMPP 1.6.6a ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 26.05.2010 12:18:09 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 26.05.2010 12:18:14 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 28.05.2010 05:08:55 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 28.05.2010 05:09:36 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 28.05.2010 12:23:41 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 28.05.2010 12:23:47 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 31.05.2010 05:04:36 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 31.05.2010 05:05:39 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 31.05.2010 06:16:26 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 31.05.2010 06:16:44 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = [ System Events ] Error - 06.07.2010 06:34:15 | Computer Name = Verena-PC | Source = EventLog | ID = 6008 
Description = Das System wurde zuvor am 06.07.2010 um 12:32:40 unerwartet heruntergefahren. Error - 06.07.2010 06:34:38 | Computer Name = Verena-PC | Source = Service Control Manager | ID = 7000 Description = Error - 06.07.2010 06:34:42 | Computer Name = Verena-PC | Source = Dhcp | ID = 1002 Description = Die IP-Adresslease 192.168.6.14 für die Netzwerkkarte mit der Netzwerkadresse 00FF4EBAD1E9 wurde durch den DHCP-Server 192.168.6.13 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet). Error - 06.07.2010 06:35:41 | Computer Name = Verena-PC | Source = Microsoft-Windows-LanguagePackSetup | ID = 1001 Description = Error - 06.07.2010 07:55:07 | Computer Name = Verena-PC | Source = Service Control Manager | ID = 7000 Description = Error - 06.07.2010 07:55:07 | Computer Name = Verena-PC | Source = Dhcp | ID = 1002 Description = Die IP-Adresslease 192.168.6.14 für die Netzwerkkarte mit der Netzwerkadresse 00FF4EBAD1E9 wurde durch den DHCP-Server 192.168.6.13 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet). Error - 06.07.2010 07:56:02 | Computer Name = Verena-PC | Source = Microsoft-Windows-LanguagePackSetup | ID = 1001 Description = Error - 06.07.2010 10:30:33 | Computer Name = Verena-PC | Source = Service Control Manager | ID = 7000 Description = Error - 06.07.2010 10:30:39 | Computer Name = Verena-PC | Source = Dhcp | ID = 1002 Description = Die IP-Adresslease 192.168.6.14 für die Netzwerkkarte mit der Netzwerkadresse 00FF4EBAD1E9 wurde durch den DHCP-Server 192.168.6.13 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet). Error - 06.07.2010 10:31:17 | Computer Name = Verena-PC | Source = Microsoft-Windows-LanguagePackSetup | ID = 1001 Description = < End of report > |
06.07.2010, 15:45 | #9 |
| Trojan TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Well, I did not knowingly install the MPK keylogger. |
08.07.2010, 09:42 | #10 |
| Trojan TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe So how can I get it off again? I can't find it anywhere. I'm grateful for any help. |
08.07.2010, 10:32 | #11 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojan TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Close all programs, start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom of OTL): (the ":OTL" must be copied along!!!) Code:
:OTL
O33 - MountPoints2\{0da65834-163f-11df-81a9-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found
O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell - "" = AutoRun
O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell - "" = Autorun
O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell\Open\command - "" = RECYCLER\S-2-4-38-100026351-100008458-100006666-2738.com f:\
O33 - MountPoints2\{ee16fdb2-30fe-11de-9773-0013779efc8e}\Shell\AutoRun\command - "" = F:\wd_windows_tools\setup.exe -- File not found
O33 - MountPoints2\{ff559042-da80-11de-89eb-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found
[2010.07.06 16:37:17 | 000,741,376 | ---- | M] () -- C:\Windows\System32\drivers\neyrpram.sys
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:48CF36A1
:Commands
[purity]
[resethosts]
[emptytemp]
The log file should open when you click OK after the fix; please post it. The computer may be restarted.
__________________ Please always post logfiles in CODE tags |
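As an added illustration of what the fix above targets (example code written for this page, not part of the thread and not OTL's own code), a small Python triage script that parses the O33 MountPoints2 and ADS lines from the OTL log in this thread, ranks them (RECYCLER-hosted handler as the USB-worm pattern, "File not found" handlers as stale leftovers), and assembles the ":OTL" fix block in the shape the helper pasted. The `Finding` class, the severity labels and the unrelated O4 sample line are assumptions of the example.

```python
"""Triage OTL 'O33 - MountPoints2' autorun entries and assemble the ':OTL' fix block.

MountPoints2 (under HKCU\\...\\Explorer) is where Explorer remembers the AutoRun /
Open handlers of removable drives it has seen.  A handler whose command points at
RECYCLER\\<SID-looking name>.com, as in this thread, is the classic USB-worm
pattern; handlers whose target OTL marks "File not found" are stale leftovers of
unplugged drives.  Both were put into the ':OTL' section of the fix above.
"""
import re
from dataclasses import dataclass

# OTL report lines quoted from the log earlier in this thread.
SAMPLE_OTL_LINES = [
    r'O33 - MountPoints2\{0da65834-163f-11df-81a9-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found',
    r'O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell - "" = AutoRun',
    r'O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found',
    r'O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell - "" = Autorun',
    # raw strings cannot end in a backslash, hence the concatenation
    r'O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell\Open\command - "" = RECYCLER\S-2-4-38-100026351-100008458-100006666-2738.com f:' + '\\',
    r'O33 - MountPoints2\{ee16fdb2-30fe-11de-9773-0013779efc8e}\Shell\AutoRun\command - "" = F:\wd_windows_tools\setup.exe -- File not found',
    r'O33 - MountPoints2\{ff559042-da80-11de-89eb-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found',
    r'@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:48CF36A1',
    # constructed, unrelated line: the parser must ignore it
    r'O4 - HKLM..\Run: [Example] C:\Program Files\Example\example.exe ()',
]
# The driver's file entry from the same log; passed through verbatim, as the helper did.
DRIVER_LINE = r'[2010.07.06 16:37:17 | 000,741,376 | ---- | M] () -- C:\Windows\System32\drivers\neyrpram.sys'

O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\(?P<subkey>\S+) - "" = '
    r'(?P<value>.*?)(?: -- (?P<status>File not found))?$'
)
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$')

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    source: str    # the OTL report line, kept verbatim so it can go straight into a fix
    severity: str  # one of SEVERITY_RANK
    reason: str


def classify(line: str):
    """Return a Finding for an O33 MountPoints2 line or an ADS line, None for anything else."""
    line = line.strip()
    m = O33_RE.match(line)
    if m:
        guid, subkey, value, status = m.group("guid", "subkey", "value", "status")
        if not subkey.lower().endswith("\\command"):
            # The bare Shell value only names the default verb; its command is a separate line.
            return Finding(line, "info", f"default verb for drive {guid} is '{value}'")
        if "RECYCLER" in value.upper():
            return Finding(line, "high", "handler launches an executable staged under RECYCLER (USB-worm pattern)")
        if status == "File not found":
            return Finding(line, "low", f"stale handler, target {value} no longer exists")
        return Finding(line, "medium", f"handler present, verify target {value}")
    m = ADS_RE.match(line)
    if m:
        return Finding(line, "medium", f"alternate data stream of {m.group('size')} bytes on {m.group('path')}")
    return None


def triage(lines):
    """Classify every line and keep the findings in log order."""
    return [f for f in map(classify, lines) if f is not None]


def worst_severity(findings):
    """Highest severity among the findings, 'info' when there are none."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="info")


def build_otl_fix(findings, extra_report_lines=()):
    """Assemble the text for OTL's 'Custom Scan/Fixes' box in the shape used in this thread:
    the report lines verbatim under ':OTL', then the ':Commands' directives."""
    body = [":OTL"]
    body += [f.source for f in findings]
    body += list(extra_report_lines)
    body += [":Commands", "[purity]", "[resethosts]", "[emptytemp]"]
    return "\n".join(body)


if __name__ == "__main__":
    found = triage(SAMPLE_OTL_LINES)
    for f in sorted(found, key=lambda f: SEVERITY_RANK[f.severity], reverse=True):
        print(f"[{f.severity:6}] {f.reason}")
    print(f"\noverall: {worst_severity(found)}\n")
    print(build_otl_fix(found, [DRIVER_LINE]))
```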
08.07.2010, 11:23 | #12 |
| Trojan TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe
All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0da65834-163f-11df-81a9-0013779efc8e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0da65834-163f-11df-81a9-0013779efc8e}\ not found.
File F:\Launcher.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48e4eda8-fc71-11de-96cc-0013779efc8e}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48e4eda8-fc71-11de-96cc-0013779efc8e}\ not found.
File G:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\ not found.
File C:\RECYCLER\S-2-4-38-100026351-100008458-100006666-2738.com f:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee16fdb2-30fe-11de-9773-0013779efc8e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ee16fdb2-30fe-11de-9773-0013779efc8e}\ not found.
File F:\wd_windows_tools\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff559042-da80-11de-89eb-0013779efc8e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff559042-da80-11de-89eb-0013779efc8e}\ not found.
File F:\Launcher.exe not found.
File C:\Windows\System32\drivers\neyrpram.sys not found.
ADS C:\ProgramData\TEMP:48CF36A1 deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
User: Verena
->Temp folder emptied: 799412852 bytes
->Temporary Internet Files folder emptied: 37488978 bytes
->Java cache emptied: 8055893 bytes
->FireFox cache emptied: 86577467 bytes
->Apple Safari cache emptied: 1168326 bytes
->Flash cache emptied: 49777 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 48980035 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 936,00 mb
OTL by OldTimer - Version 3.2.7.1 log created on 07082010_121908
Files\Folders moved on Reboot...
Registry entries deleted on Reboot... |
08.07.2010, 12:27 | #13 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojan TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe OK. Now please run CF: ComboFix - A guide and tutorial on using ComboFix
ComboFix must only be run when a Kompetenzler (board helper) has expressly recommended it!
09.07.2010, 11:02 | #14 |
| Trojan TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe ComboFix log file: Code:
ATTFilter ComboFix 10-07-08.02 - Verena 09.07.2010 11:29:14.1.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.3066.2038 [GMT 2:00] ausgeführt von:: c:\users\Verena\Desktop\cofi.exe SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\users\Public\media c:\users\Public\media\index.html c:\users\Public\media\system\css\calendar-jos.css c:\users\Public\media\system\css\index.html c:\users\Public\media\system\css\modal.css c:\users\Public\media\system\css\mootree.css c:\users\Public\media\system\images\closebox.png c:\users\Public\media\system\images\index.html c:\users\Public\media\system\images\mootree.gif c:\users\Public\media\system\images\mootree_loader.gif c:\users\Public\media\system\images\spinner.gif c:\users\Public\media\system\index.html c:\users\Public\media\system\js\calendar-setup.js c:\users\Public\media\system\js\calendar.js c:\users\Public\media\system\js\caption.js c:\users\Public\media\system\js\combobox.js c:\users\Public\media\system\js\index.html c:\users\Public\media\system\js\modal.js c:\users\Public\media\system\js\mootools-uncompressed.js c:\users\Public\media\system\js\mootools.js c:\users\Public\media\system\js\mootree.js c:\users\Public\media\system\js\mootree_packed.js c:\users\Public\media\system\js\openid.js c:\users\Public\media\system\js\swf.js c:\users\Public\media\system\js\switcher.js c:\users\Public\media\system\js\tabs.js c:\users\Public\media\system\js\uploader.js c:\users\Public\media\system\js\validate.js c:\users\Public\media\system\swf\uploader.swf c:\windows\SEC c:\windows\SEC\172100logo.bmp c:\windows\SEC\banner.png c:\windows\SEC\Computer.png c:\windows\SEC\Media _S_ Logo.png c:\windows\SEC\Samsung.png c:\windows\SEC\Samsung2.png c:\windows\SEC\SamsungLogo.png c:\windows\SEC\Wallpapers\wallpaper.jpg c:\windows\SEC\Wallpapers\wallpaper1.jpg 
c:\windows\SEC\Wallpapers\Wallpaper2.jpg c:\windows\system32\lsprst7.dll c:\windows\system32\nsprs.dll c:\windows\system32\serauth1.dll c:\windows\system32\serauth2.dll c:\windows\system32\ssprs.dll . ((((((((((((((((((((((( Dateien erstellt von 2010-06-09 bis 2010-07-09 )))))))))))))))))))))))))))))) . 2010-07-09 09:34 . 2010-07-09 09:34 -------- d-----w- c:\users\Verena\AppData\Local\temp 2010-07-09 09:34 . 2010-07-09 09:34 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-07-08 13:01 . 2010-07-08 13:01 -------- d-----w- c:\program files\CCleaner 2010-07-08 10:19 . 2010-07-08 10:19 -------- d-----w- C:\_OTL 2010-07-06 13:09 . 2010-07-06 13:09 -------- d-----w- c:\users\Verena\AppData\Roaming\Malwarebytes 2010-07-06 13:08 . 2010-04-29 10:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-07-06 13:08 . 2010-07-06 13:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-07-06 13:08 . 2010-07-06 13:08 -------- d-----w- c:\programdata\Malwarebytes 2010-07-06 13:08 . 2010-04-29 10:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-07-06 12:30 . 2010-07-06 12:30 388096 ----a-r- c:\users\Verena\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-07-01 09:45 . 2010-07-01 09:47 -------- d-----w- C:\xampp 2010-06-29 08:35 . 2010-06-29 08:35 -------- d-----w- c:\users\Verena\AppData\Local\AOL 2010-06-29 08:35 . 2010-06-29 08:36 -------- d-----w- c:\program files\ICQ7.2 2010-06-24 10:12 . 2010-06-24 10:12 -------- d-----w- c:\program files\iPod 2010-06-24 10:12 . 2010-06-24 10:13 -------- d-----w- c:\program files\iTunes 2010-06-24 10:09 . 2010-06-24 10:09 -------- d-----w- c:\program files\Bonjour 2010-06-24 10:06 . 2010-06-24 10:06 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe 2010-06-23 13:13 . 2009-11-08 08:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll 2010-06-23 13:13 . 
2009-11-08 08:55 49472 ----a-w- c:\windows\system32\netfxperf.dll 2010-06-23 13:13 . 2009-11-08 08:55 297808 ----a-w- c:\windows\system32\mscoree.dll 2010-06-23 13:13 . 2009-11-08 08:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe 2010-06-23 13:13 . 2009-11-08 08:55 1130824 ----a-w- c:\windows\system32\dfshim.dll 2010-06-23 10:40 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll 2010-06-23 10:40 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll 2010-06-16 09:53 . 2010-06-16 09:54 -------- d-----w- c:\program files\SPORT619D 2010-06-16 09:28 . 2010-06-16 09:28 1024 ----a-w- c:\windows\system32\clauth2.dll 2010-06-16 09:28 . 2010-06-16 09:28 1024 ----a-w- c:\windows\system32\clauth1.dll 2010-06-16 09:27 . 2010-06-16 09:27 1025 ----a-w- c:\windows\system32\sysprs7.dll 2010-06-14 09:45 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-07-09 09:15 . 2008-07-08 12:54 626780 ----a-w- c:\windows\system32\perfh007.dat 2010-07-09 09:15 . 2008-07-08 12:54 126396 ----a-w- c:\windows\system32\perfc007.dat 2010-07-09 09:10 . 2008-07-08 14:39 186460 ----a-w- c:\programdata\nvModes.dat 2010-07-08 13:15 . 2008-07-09 06:09 12 ----a-w- c:\windows\bthservsdp.dat 2010-07-08 12:42 . 2008-11-04 23:45 -------- d-----w- c:\users\Verena\AppData\Roaming\ICQ 2010-06-29 08:36 . 2009-06-15 18:56 -------- d-----w- c:\program files\ICQ6.5 2010-06-29 08:35 . 2008-07-08 14:13 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-06-25 12:20 . 2008-07-08 14:42 -------- d-----w- c:\program files\Microsoft.NET 2010-06-24 10:42 . 2009-02-06 15:40 -------- d-----w- c:\users\Verena\AppData\Roaming\Apple Computer 2010-06-24 10:12 . 2009-02-06 15:37 -------- d-----w- c:\program files\Common Files\Apple 2010-06-16 12:29 . 
2008-11-04 17:41 101248 ----a-w- c:\users\Verena\AppData\Local\GDIPFONTCACHEV1.DAT 2010-06-15 08:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2010-06-14 13:25 . 2008-07-08 14:40 -------- d-----w- c:\programdata\Microsoft Help 2010-05-26 14:47 . 2010-06-14 09:45 289792 ----a-w- c:\windows\system32\atmfd.dll 2010-05-21 12:14 . 2009-10-03 12:31 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-05-14 13:33 . 2010-05-14 13:33 -------- d-----w- c:\program files\Common Files\Java 2010-05-14 13:32 . 2010-05-14 13:33 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-13 21:08 . 2010-05-13 21:08 16 ----a-w- c:\users\Verena\AppData\Roaming\wqhtpi.dat 2010-05-04 05:59 . 2010-06-14 09:45 916480 ----a-w- c:\windows\system32\wininet.dll 2010-05-04 05:55 . 2010-06-14 09:45 71680 ----a-w- c:\windows\system32\iesetup.dll 2010-05-04 05:55 . 2010-06-14 09:45 109056 ----a-w- c:\windows\system32\iesysprep.dll 2010-05-04 04:31 . 2010-06-14 09:45 133632 ----a-w- c:\windows\system32\ieUnatt.exe 2010-05-02 05:51 . 2008-12-24 17:48 589 ----a-w- c:\windows\system32\dmlg.dat 2010-05-01 14:13 . 2010-06-14 09:45 2037248 ----a-w- c:\windows\system32\win32k.sys 2010-04-23 14:13 . 2010-05-28 09:16 2048 ----a-w- c:\windows\system32\tzres.dll 2010-04-16 16:43 . 2010-06-23 10:40 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll 2010-04-16 16:43 . 2010-06-23 10:40 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll 2010-04-16 16:43 . 2010-06-23 10:40 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll 2010-04-16 16:43 . 2010-06-23 10:40 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{40c3cc16-7269-4b32-9531-17f2950fb06f}"= "c:\program files\Winload\tbWin1.dll" [2010-04-04 2349080] [HKEY_CLASSES_ROOT\clsid\{40c3cc16-7269-4b32-9531-17f2950fb06f}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40c3cc16-7269-4b32-9531-17f2950fb06f}] 2010-04-04 12:35 2349080 ----a-w- c:\program files\Winload\tbWin1.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{40c3cc16-7269-4b32-9531-17f2950fb06f}"= "c:\program files\Winload\tbWin1.dll" [2010-04-04 2349080] [HKEY_CLASSES_ROOT\clsid\{40c3cc16-7269-4b32-9531-17f2950fb06f}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{40C3CC16-7269-4B32-9531-17F2950FB06F}"= "c:\program files\Winload\tbWin1.dll" [2010-04-04 2349080] [HKEY_CLASSES_ROOT\clsid\{40c3cc16-7269-4b32-9531-17f2950fb06f}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-08 13543968] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-08 92704] "RtHDVCpl"="RtHDVCpl.exe" [2008-04-17 6111232] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216] "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368] "Adobe ARM"="c:\program files\Common 
Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832] "PDFPrint"="c:\program files\pdf24\pdf24.exe" [2010-03-10 208528] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-2-12 723496] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "VistaSp2"=hex(b):41,21,30,ee,53,a6,ca,01 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-113378734-2685825776-4182880352-1003] "EnableNotificationsRef"=dword:00000001 R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624] R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504] S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336] S2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\DRIVERS\kmdfmemio.sys [2007-05-23 13312] S3 NETw5v32;Intel(R) Wireless WiFi Link Adaptertreiber für Windows Vista 32-Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-05-20 3663360] S3 VMC302;Vimicro Camera Service VMC302;c:\windows\system32\Drivers\VMC302.sys [2008-04-05 242560] --- 
Andere Dienste/Treiber im Speicher --- *Deregistered* - neyrpram [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs REG_MULTI_SZ BthServ LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2008-03-17 08:56 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825 uInternet Settings,ProxyOverride = *.local IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\ICQ7.2\ICQ.exe FF - ProfilePath - c:\users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\ajieacm6.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319825&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - Winload Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2319825&SearchSource=13 FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX Richtlinien ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - 
pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla 
Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2010-07-09 11:34 Windows 6.0.6002 Service Pack 2 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\neyrpram] . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Zeit der Fertigstellung: 2010-07-09 11:36:33 ComboFix-quarantined-files.txt 2010-07-09 09:36 Vor Suchlauf: 31 Verzeichnis(se), 39.650.131.968 Bytes frei Nach Suchlauf: 36 Verzeichnis(se), 39.582.609.408 Bytes frei Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7 - - End Of File - - 2DF114DC0A46B69C9E5741A8698D0B71 |
09.07.2010, 11:19 | #15 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojan TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe OK. Now please create logs with GMER and OSAM and post them. GMER crashes quite often; if the tool still won't run on the second attempt, just leave it out and run only OSAM