Browser öffnen Spam-Links, Winupdate geblockt, IExplorer kann gar nicht geöffnet werden,...

Bernd_T · 17.07.2010, 21:24

Hallo zusammen,

Ich vermute einen Trojaner/Rootkit/Malware auf meinem Windows-Rechner und komme alleine leider kein Stück mehr weiter.

Auf einer Website öffnete sich ein Popup, das einem vorgaukelte, es sei ein Antimalware-Programm, das das System schützen wollte. Ein Tool Namens "AntimalwareDoctor" versuchte sich zu installieren, was ich unterbrochen habe. (Browser: Opera)

Die Symptome zeigten sich letzte Nacht zum ersten mal als sich beim surfen gelegentlich Links z.B. von Google nicht zur Zielseite, sondern irgendeiner externen Seite öffneten, die den Suchstring übernahm und offenbar relevanten Inhalt vorzutäuschen versuchte.

Auf dem System ist Avira Personal Edition installiert, der Guard ständig aktiv.
Kurz darauf hat Avira im Verzeichnis /Windows/Temp/ in regelmäßigem Abstand Dateien gefunden (setup.exe), die in Verzeichnissen der Form "<random>.tmp" angelegt wurden.

entsprechendes Avira-Event:
[CODE]
In der Datei 'C:\WINDOWS\Temp\jwtb.tmp\setup.exe'
wurde ein Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan] gefunden.
Ausgeführte Aktion: Datei löschen
[CODE]

Dies wiederholte sich in exakt 10 minütigem Abstand.

Ein Suchlauf mit Malwarebytes identifizierte einen "Rootkitdropper" und löschte ihn. Logfile:

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4320

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

17.07.2010 01:37:45
mbam-log-2010-07-17 (01-37-45).txt

Scan type: Quick scan
Objects scanned: 125009
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\***\Local Settings\Temp\3E93.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\***\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\***\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

SpybotS&D hat außer ein paar Cookies nichts gefunden.

Nach dem Neustart des Systems wurden keine neuen infizierten Dateien im Windows/Temp erzeugt.

Folgende Symptome sind aber immernoch vorhanden:
- ProcMon zeigt Zugriffe auf diverse externe websites insbesondere panamamails.com durch den Browser-Prozess und SVCHOST.EXE
- Namensauflösungen beim Aufruf einer Website scheinen ungewöhnlich lange zu dauern.
- Suchergebniss-Links bei Google leiten manchmal auf falsche Seiten weiter oder öffnen einen neuen Tab mit einer auf seriös getrimmte Fake-Seite.
- URLs, in denen der String "windowsupdat e" enthalten ist, führt zu einem Fehler, vollkommen egal ob Link, direkte Eingabe, real existierende URL, etc. (wirft den Fehler also sowohl bei windwsupdate.microsoft.com als auch bei der fiktiven www.werbrauchtschoneinwndowsupdate.org)
- Der Internet Explorer lässt sich nicht öffnen, der Prozess wird in unter einer Sekunde wieder beendet. Einzige Möglichkeit, den IExplore zu öffnen ist direkt nach dem Booten.

Ich bin mit meinem Latein langsam am Ende, ich habe SPybot, Malwarebytes, OLT und GMER durchlaufen lassen, ohne Ergebnis. Ich hoffe, jemand von euch hat ne Idee, wie ich diesen nervigen Untermieter loswerde.

Hier noch die HijackThis Logdatei:

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:58:13, on 17.07.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\TerraTec\Remote\TTTVRC.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\FreePDF_XP\fpassist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Program Files\Common Files\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE0FA877-AD1C-49D6-AFB9-2806D13C77F9}: NameServer = 192.168.1.1,212.37.37.37
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4822 bytes

Gruß und Dank im Voraus,
Bernd

Bernd_T · 17.07.2010, 21:27

Hier noch die Logdateien von GMER und OTL

Gmer
[CODE]
GMER Logfile:
GMER Logfile:

Code:

ATTFilter

GMER 1.0.15.15281 - httpwww.gmer.net
Rootkit scan 2010-07-17 200315
Windows 5.1.2600 Service Pack 2
Running xtj2z9vg.exe; Driver CDOCUME~1LOCALS~1Temppgtdapow.sys


---- System - GMER 1.0.15 ----

SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwClose [0xB330D7EA]
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwCreateKey [0xB330D5E0]
SSDT      B87C8AE4                                                                                                                          ZwCreateThread
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwDeleteKey [0xB330D488]
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwDeleteValueKey [0xB330D4CE]
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwEnumerateKey [0xB330D3CE]
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwEnumerateValueKey [0xB330D32A]
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwFlushKey [0xB330D422]
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwLoadKey [0xB330D94E]
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwOpenKey [0xB330D7AC]
SSDT      B87C8AD0                                                                                                                          ZwOpenProcess
SSDT      B87C8AD5                                                                                                                          ZwOpenThread
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwQueryKey [0xB330D01A]
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwQueryValueKey [0xB330D0B2]
SSDT      B87C8B0C                                                                                                                          ZwReplaceKey
SSDT      B87C8B07                                                                                                                          ZwRestoreKey
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwSetValueKey [0xB330D1D6]
SSDT      B87C8ADF                                                                                                                          ZwTerminateProcess
SSDT      CWINDOWSsystem32DriversPROCMON20.SYS                                                                                     ZwUnloadKey [0xB330DA9E]

INT 0x73                                                                                                                                   89B94F00
INT 0x83                                                                                                                                   89DCEBF8
INT 0x83                                                                                                                                   89DCEBF8
INT 0x83                                                                                                                                   89DCEBF8
INT 0xB4                                                                                                                                   89B94F00

---- Kernel code sections - GMER 1.0.15 ----

.text     ntkrnlpa.exe!ZwCallbackReturn + 2B98                                                                                              80503798 4 Bytes  JMP 48B330D7 
         sprh.sys                                                                                                                          The system cannot find the file specified. !
.text     USBPORT.SYS!DllUnload                                                                                                             B72D262C 5 Bytes  JMP 89B944E0 
.text     CWINDOWSsystem32DRIVERSnv4_mini.sys                                                                                          section is writeable [0xB66AA380, 0x550AF5, 0xE8000020]
.text     a9nts2yb.SYS                                                                                                                      B65FC386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text     a9nts2yb.SYS                                                                                                                      B65FC3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text     a9nts2yb.SYS                                                                                                                      B65FC3C4 3 Bytes  [00, 80, 02]
.text     a9nts2yb.SYS                                                                                                                      B65FC3C9 1 Byte  [30]
.text     a9nts2yb.SYS                                                                                                                      B65FC3C9 11 Bytes  [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text     ...                                                                                                                               
init      CWINDOWSsystem32driversmonfilt.sys                                                                                           entry point in init section [0xB42C6280]
.reloc    CWINDOWSsystem32driversacedrv11.sys                                                                                          section is executable [0xB2BD9300, 0x25D4C, 0xE0000060]
pnidata   CWINDOWSsystem32DRIVERSsecdrv.sys                                                                                            unknown last section [0xB2A55F00, 0x24000, 0x48000000]
         CWINDOWSsystem32DriversPROCMON20.SYS                                                                                         The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text     CWINDOWSExplorer.EXE[412] ntdll.dll!NtProtectVirtualMemory                                                                     7C90DEB6 5 Bytes  JMP 00A0000A 
.text     CWINDOWSExplorer.EXE[412] ntdll.dll!NtWriteVirtualMemory                                                                       7C90EA32 5 Bytes  JMP 00AE000A 
.text     CWINDOWSExplorer.EXE[412] ntdll.dll!KiUserExceptionDispatcher                                                                  7C90EAEC 5 Bytes  JMP 009F000C 
.text     CProgram FilesInternet Exploreriexplore.exe[452] ntdll.dll!NtProtectVirtualMemory                                             7C90DEB6 5 Bytes  JMP 003F000A 
.text     CProgram FilesInternet Exploreriexplore.exe[452] ntdll.dll!NtWriteVirtualMemory                                               7C90EA32 5 Bytes  JMP 00AC000A 
.text     CProgram FilesInternet Exploreriexplore.exe[452] ntdll.dll!KiUserExceptionDispatcher                                          7C90EAEC 5 Bytes  JMP 003E000C 
.text     CWINDOWSSystem32svchost.exe[1404] ntdll.dll!NtProtectVirtualMemory                                                            7C90DEB6 5 Bytes  JMP 0082000A 
.text     CWINDOWSSystem32svchost.exe[1404] ntdll.dll!NtWriteVirtualMemory                                                              7C90EA32 5 Bytes  JMP 0083000A 
.text     CWINDOWSSystem32svchost.exe[1404] ntdll.dll!KiUserExceptionDispatcher                                                         7C90EAEC 5 Bytes  JMP 0081000C 
.text     CWINDOWSSystem32svchost.exe[1404] USER32.dll!GetCursorPos                                                                     77D4C566 5 Bytes  JMP 00B3000A 
.text     CWINDOWSSystem32svchost.exe[1404] ole32.dll!CoCreateInstance                                                                  77526009 5 Bytes  JMP 009E000A 

---- Kernel IATEAT - GMER 1.0.15 ----

IAT       atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                                [B7EB6042] sprh.sys
IAT       atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                        [B7EB613E] sprh.sys
IAT       atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                               [B7EB60C0] sprh.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                       [B7EB6800] sprh.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                               [B7EB66D6] sprh.sys
IAT       SystemRootsystem32DRIVERSi8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                                [B7EC5B90] sprh.sys
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!KfAcquireSpinLock]                                                              0C8D1C46
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!READ_PORT_UCHAR]                                                                B48B8932
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!KeGetCurrentIrql]                                                               89000001
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!KfRaiseIrql]                                                                    0001C083
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!KfLowerIrql]                                                                    24468B00
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!HalGetInterruptVector]                                                          89820C8D
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!HalTranslateBusAddress]                                                         D18BF84D
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!KeStallExecutionProcessor]                                                      860F1639
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!KfReleaseSpinLock]                                                              000000BD
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                                        020CB389
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!READ_PORT_USHORT]                                                               83660000
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                       7400067E
IAT       SystemRootSystem32Driversa9nts2yb.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                               89D60320
IAT       SystemRootSystem32Driversa9nts2yb.SYS[WMILIB.SYS!WmiSystemControl]                                                            8D168B00
IAT       SystemRootSystem32Driversa9nts2yb.SYS[WMILIB.SYS!WmiCompleteRequest]                                                          F0003284

---- User IATEAT - GMER 1.0.15 ----

IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSExplorer.EXE [KERNEL32.dll!CreateProcessW]                                              [01751000] CWINDOWSsystem32dllhsn32.dll
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessA]                                       [0175105B] CWINDOWSsystem32dllhsn32.dll
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessW]                                       [01751000] CWINDOWSsystem32dllhsn32.dll
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32USER32.dll [KERNEL32.dll!CreateProcessW]                                       [01751000] CWINDOWSsystem32dllhsn32.dll
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessA]                                      [0175105B] CWINDOWSsystem32dllhsn32.dll
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessW]                                      [01751000] CWINDOWSsystem32dllhsn32.dll
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32SHELL32.dll [KERNEL32.dll!CreateProcessW]                                      [01751000] CWINDOWSsystem32dllhsn32.dll
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW]                                [77E45400] CWINDOWSsystem32ADVAPI32.dll (Advanced Windows 32 Base APIMicrosoft Corporation)
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32ole32.dll [KERNEL32.dll!CreateProcessW]                                        [01751000] CWINDOWSsystem32dllhsn32.dll
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW]                                [77E45400] CWINDOWSsystem32ADVAPI32.dll (Advanced Windows 32 Base APIMicrosoft Corporation)
IAT       CWINDOWSExplorer.EXE[412] @ CWINDOWSsystem32USERENV.dll [KERNEL32.dll!CreateProcessW]                                      [01751000] CWINDOWSsystem32dllhsn32.dll
IAT       CProgram FilesWinampwinampa.exe[548] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessA]                          [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesWinampwinampa.exe[548] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessW]                          [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesWinampwinampa.exe[548] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessA]                           [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesWinampwinampa.exe[548] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessW]                           [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesWinampwinampa.exe[548] @ CWINDOWSsystem32USER32.dll [KERNEL32.dll!CreateProcessW]                           [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesWinampwinampa.exe[548] @ CWINDOWSsystem32SHELL32.dll [KERNEL32.dll!CreateProcessW]                          [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesWinampwinampa.exe[548] @ CWINDOWSsystem32SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW]                    [77E45400] CWINDOWSsystem32ADVAPI32.dll (Advanced Windows 32 Base APIMicrosoft Corporation)
IAT       CProgram FilesWinampwinampa.exe[548] @ CWINDOWSsystem32ole32.dll [KERNEL32.dll!CreateProcessW]                            [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessA]                                [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessW]                                [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32USER32.dll [KERNEL32.dll!CreateProcessW]                                [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32ole32.dll [KERNEL32.dll!CreateProcessW]                                 [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32SHELL32.dll [KERNEL32.dll!CreateProcessW]                               [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW]                         [77E45400] CWINDOWSsystem32ADVAPI32.dll (Advanced Windows 32 Base APIMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessA]                               [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessW]                               [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW]                         [77E45400] CWINDOWSsystem32ADVAPI32.dll (Advanced Windows 32 Base APIMicrosoft Corporation)
IAT       CWINDOWSsystem32ctfmon.exe[564] @ CWINDOWSsystem32USERENV.dll [KERNEL32.dll!CreateProcessW]                               [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesAviraAntiVir Desktopavgnt.exe[592] @ CWINDOWSsystem32USER32.dll [KERNEL32.dll!CreateProcessW]              [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesAviraAntiVir Desktopavgnt.exe[592] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessA]             [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesAviraAntiVir Desktopavgnt.exe[592] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessW]             [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesAviraAntiVir Desktopavgnt.exe[592] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessA]              [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesAviraAntiVir Desktopavgnt.exe[592] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessW]              [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesAviraAntiVir Desktopavgnt.exe[592] @ CWINDOWSsystem32SHELL32.dll [KERNEL32.dll!CreateProcessW]             [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesAviraAntiVir Desktopavgnt.exe[592] @ CWINDOWSsystem32SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW]       [77E45400] CWINDOWSsystem32ADVAPI32.dll (Advanced Windows 32 Base APIMicrosoft Corporation)
IAT       CProgram FilesAviraAntiVir Desktopavgnt.exe[592] @ CWINDOWSsystem32ole32.dll [KERNEL32.dll!CreateProcessW]               [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesLogitechGaming SoftwareLWEMon.exe[1092] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessA]         [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesLogitechGaming SoftwareLWEMon.exe[1092] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessW]         [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesLogitechGaming SoftwareLWEMon.exe[1092] @ CWINDOWSsystem32USER32.dll [KERNEL32.dll!CreateProcessW]         [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesLogitechGaming SoftwareLWEMon.exe[1092] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessA]        [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesLogitechGaming SoftwareLWEMon.exe[1092] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessW]        [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesLogitechGaming SoftwareLWEMon.exe[1092] @ CWINDOWSsystem32SHELL32.dll [KERNEL32.dll!CreateProcessW]        [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesLogitechGaming SoftwareLWEMon.exe[1092] @ CWINDOWSsystem32SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW]  [77E45400] CWINDOWSsystem32ADVAPI32.dll (Advanced Windows 32 Base APIMicrosoft Corporation)
IAT       CProgram FilesLogitechGaming SoftwareLWEMon.exe[1092] @ CWINDOWSsystem32ole32.dll [KERNEL32.dll!CreateProcessW]          [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessA]                             [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessW]                             [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32USER32.dll [KERNEL32.dll!CreateProcessW]                             [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32ole32.dll [KERNEL32.dll!CreateProcessW]                              [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32SHELL32.dll [KERNEL32.dll!CreateProcessW]                            [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW]                      [77E45400] CWINDOWSsystem32ADVAPI32.dll (Advanced Windows 32 Base APIMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessA]                            [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessW]                            [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW]                      [77E45400] CWINDOWSsystem32ADVAPI32.dll (Advanced Windows 32 Base APIMicrosoft Corporation)
IAT       CWINDOWSsystem32RUNDLL32.EXE[1188] @ CWINDOWSsystem32USERENV.dll [KERNEL32.dll!CreateProcessW]                            [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesFreePDF_XPfpassist.exe[1480] @ CWINDOWSsystem32USER32.dll [KERNEL32.dll!CreateProcessW]                     [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesFreePDF_XPfpassist.exe[1480] @ CWINDOWSsystem32ole32.dll [KERNEL32.dll!CreateProcessW]                      [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesFreePDF_XPfpassist.exe[1480] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessA]                     [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesFreePDF_XPfpassist.exe[1480] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessW]                     [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesFreePDF_XPfpassist.exe[1480] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessA]                    [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CProgram FilesFreePDF_XPfpassist.exe[1480] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessW]                    [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CDocuments and SettingsDesktopxtj2z9vg.exe[3628] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessA]     [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CDocuments and SettingsDesktopxtj2z9vg.exe[3628] @ CWINDOWSsystem32msvcrt.dll [KERNEL32.dll!CreateProcessW]     [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CDocuments and SettingsDesktopxtj2z9vg.exe[3628] @ CWINDOWSsystem32ole32.dll [KERNEL32.dll!CreateProcessW]      [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CDocuments and SettingsDesktopxtj2z9vg.exe[3628] @ CWINDOWSsystem32USER32.dll [KERNEL32.dll!CreateProcessW]     [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CDocuments and SettingsDesktopxtj2z9vg.exe[3628] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessA]    [7C882E05] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)
IAT       CDocuments and SettingsDesktopxtj2z9vg.exe[3628] @ CWINDOWSsystem32SHLWAPI.dll [KERNEL32.dll!CreateProcessW]    [7C882E00] CWINDOWSsystem32kernel32.dll (Windows NT BASE API Client DLLMicrosoft Corporation)

---- Devices - GMER 1.0.15 ----

Device    FileSystemNtfs Ntfs                                                                                                            89DCD1F8
Device    Driverusbohci DeviceUSBPDO-0                                                                                                  89B931F8
Device    Driverdmio DeviceDmControlDmIoDaemon                                                                                         89D5D1F8
Device    Driverdmio DeviceDmControlDmConfig                                                                                           89D5D1F8
Device    Driverdmio DeviceDmControlDmPnP                                                                                              89D5D1F8
Device    Driverdmio DeviceDmControlDmInfo                                                                                             89D5D1F8
Device    Driverusbehci DeviceUSBPDO-1                                                                                                  89AD31F8
Device    Driverusbohci DeviceUSBPDO-2                                                                                                  89B931F8
Device    Driverusbehci DeviceUSBPDO-3                                                                                                  89AD31F8
Device    DriverPCI_PNP2214 Device00000049                                                                                              sprh.sys
Device    DriverNetBT DeviceNetBT_Tcpip_{AE0FA877-AD1C-49D6-AFB9-2806D13C77F9}                                                          89B651F8
Device    DriverFtdisk DeviceHarddiskVolume1                                                                                            89DCF1F8
Device    DriverFtdisk DeviceHarddiskVolume2                                                                                            89DCF1F8
Device    DriverCdrom DeviceCdRom0                                                                                                      89ADE500
Device    Driversptd Device4070177214                                                                                                   sprh.sys
Device    DriverFtdisk DeviceHarddiskVolume3                                                                                            89DCF1F8
Device    DriverCdrom DeviceCdRom1                                                                                                      89ADE500
Device    Driveratapi DeviceIdeIdePort0                                                                                                89DCE1F8
Device    Driveratapi DeviceIdeIdePort1                                                                                                89DCE1F8
Device    Driveratapi DeviceIdeIdeDeviceP2T0L0-6                                                                                       89DCE1F8
Device    Driveratapi DeviceIdeIdeDeviceP2T1L0-e                                                                                       89DCE1F8
Device    Driveratapi DeviceIdeIdePort2                                                                                                89DCE1F8
Device    Driveratapi DeviceIdeIdePort3                                                                                                89DCE1F8
Device    DriverFtdisk DeviceHarddiskVolume4                                                                                            89DCF1F8
Device    DriverNetBT DeviceNetBt_Wins_Export                                                                                           89B651F8
Device    DriverNetBT DeviceNetbiosSmb                                                                                                  89B651F8
Device    Driverusbohci DeviceUSBFDO-0                                                                                                  89B931F8
Device    Driverusbehci DeviceUSBFDO-1                                                                                                  89AD31F8
Device    FileSystemMRxSmb DeviceLanmanDatagramReceiver                                                                                 89BA6500
Device    Driverusbohci DeviceUSBFDO-2                                                                                                  89B931F8
Device    FileSystemMRxSmb DeviceLanmanRedirector                                                                                       89BA6500
Device    Driverusbehci DeviceUSBFDO-3                                                                                                  89AD31F8
Device    DriverFtdisk DeviceFtControl                                                                                                  89DCF1F8
Device    Drivera9nts2yb DeviceScsia9nts2yb1                                                                                           899BD500
Device    Drivera9nts2yb DeviceScsia9nts2yb1Port4Path0Target0Lun0                                                                      899BD500
Device    FileSystemCdfs Cdfs                                                                                                            89988500

---- Registry - GMER 1.0.15 ----

Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg@s1                                                                                771343423
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg@s2                                                                                285507792
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg@h0                                                                                1
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC                                                  
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                               CProgram FilesDAEMON Tools Lite
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                               0xD4 0xC3 0x97 0x02 ...
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                               0
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                            0xFE 0xB6 0xF7 0x56 ...
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001                                         
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@a0                                      0x20 0x01 0x00 0x00 ...
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@hdf12                                   0xB2 0x9E 0x77 0x80 ...
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0                                    
Reg       HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0@hdf12                              0xD3 0xAE 0x40 0xC5 ...
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                              
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                   CProgram FilesDAEMON Tools Lite
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                   0xD4 0xC3 0x97 0x02 ...
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                   0
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                0xFE 0xB6 0xF7 0x56 ...
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001 (not active ControlSet)                     
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@a0                                          0x20 0x01 0x00 0x00 ...
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@hdf12                                       0xB2 0x9E 0x77 0x80 ...
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0 (not active ControlSet)                
Reg       HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0@hdf12                                  0xD3 0xAE 0x40 0xC5 ...

---- EOF - GMER 1.0.15 ----

--- --- ---

--- --- ---
[CODE]

OTL

Code:

ATTFilter

OTL logfile created on 17.07.2010 182332 - Run 1
OTL by OldTimer - Version 3.2.9.0     Folder = CDocuments and SettingsDesktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale 00000407  Country Germany  Language DEU  Date Format dd.MM.yyyy
 
2,00 Gb Total Physical Memory  1,00 Gb Available Physical Memory  64,00% Memory free
4,00 Gb Paging File  3,00 Gb Available in Paging File  83,00% Paging File free
Paging file location(s) Cpagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C  %SystemRoot% = CWINDOWS  %ProgramFiles% = CProgram Files
Drive C  73,24 Gb Total Space  24,82 Gb Free Space  33,89% Space Free  Partition Type NTFS
Drive D  5,12 Gb Total Space  0,00 Gb Free Space  0,00% Space Free  Partition Type CDFS
E Drive not present or media not loaded
F Drive not present or media not loaded
Drive G  100,01 Gb Total Space  8,71 Gb Free Space  8,71% Space Free  Partition Type NTFS
Drive H  132,87 Gb Total Space  1,63 Gb Free Space  1,23% Space Free  Partition Type NTFS
I Drive not present or media not loaded
Drive X  224,85 Gb Total Space  3,97 Gb Free Space  1,77% Space Free  Partition Type NTFS
 
Computer Name 
Current User Name 
Logged in as Administrator.
 
Current Boot Mode Normal
Scan Mode All users
Company Name Whitelist Off
Skip Microsoft Files Off
File Age = 30 Days
Output = Standard
 
[color=#E56717]========== Processes (SafeList) ==========[color]
 
PRC - [2010.07.17 174747  000,574,976  ----  M] (OldTimer Tools) -- CDocuments and SettingsDesktopOTL.exe
PRC - [2010.06.30 145222  000,836,464  ----  M] (Opera Software) -- CProgram FilesOperaopera.exe
PRC - [2010.01.14 004452  000,037,888  ----  M] (Nullsoft, Inc.) -- CProgram FilesWinampwinampa.exe
PRC - [2009.09.05 172906  000,385,024  ----  M] (shbox.de) -- CProgram FilesFreePDF_XPfpassist.exe
PRC - [2009.07.21 143428  000,185,089  ----  M] (Avira GmbH) -- CProgram FilesAviraAntiVir Desktopavguard.exe
PRC - [2009.05.13 164818  000,108,289  ----  M] (Avira GmbH) -- CProgram FilesAviraAntiVir Desktopsched.exe
PRC - [2009.03.05 160720  002,260,480  RHS-  M] (Safer-Networking Ltd.) -- CProgram FilesSpybot - Search & DestroyTeaTimer.exe
PRC - [2009.03.02 130843  000,209,153  ----  M] (Avira GmbH) -- CProgram FilesAviraAntiVir Desktopavgnt.exe
PRC - [2009.01.21 151954  000,092,168  ----  M] (Logitech Inc.) -- CProgram FilesLogitechGaming SoftwareLWEMon.exe
PRC - [2008.04.24 043230  000,598,016  ----  M] () -- CProgram FilesNVIDIA CorporationNetworkAccessManagerbin32nSvcAppFlt.exe
PRC - [2008.04.24 043154  000,176,128  ----  M] () -- CProgram FilesNVIDIA CorporationNetworkAccessManagerbin32nSvcIp.exe
PRC - [2007.06.05 142032  000,177,704  ----  M] () -- CWINDOWSsystem32PSIService.exe
PRC - [2004.08.04 065650  001,032,192  ----  M] (Microsoft Corporation) -- CWINDOWSexplorer.exe
 
 
[color=#E56717]========== Modules (SafeList) ==========[color]
 
MOD - [2010.07.17 174747  000,574,976  ----  M] (OldTimer Tools) -- CDocuments and SettingsDesktopOTL.exe
MOD - [2010.07.17 001910  000,046,592  -H--  M] () -- CWINDOWSsystem32dllhsn32.dll
MOD - [2004.08.04 065702  001,050,624  R---  M] (Microsoft Corporation) -- CWINDOWSWinSxSx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9comctl32.dll
MOD - [2004.08.04 050118  000,102,400  ----  M] (Microsoft Corporation) -- CWINDOWSsystem32msscript.ocx
 
 
[color=#E56717]========== Win32 Services (SafeList) ==========[color]
 
SRV - [2009.10.20 201948  000,117,264  ----  M] (CACE Technologies, Inc.) [On_Demand  Stopped] -- CProgram FilesWinPcaprpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009.08.17 085436  000,093,336  ----  M] (SiSoftware) [Disabled  Stopped] -- CProgram FilesSiSoftwareSiSoftware Sandra Lite 2010.SP1aRpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2009.07.21 143428  000,185,089  ----  M] (Avira GmbH) [Auto  Running] -- CProgram FilesAviraAntiVir Desktopavguard.exe -- (AntiVirService)
SRV - [2009.05.13 164818  000,108,289  ----  M] (Avira GmbH) [Auto  Running] -- CProgram FilesAviraAntiVir Desktopsched.exe -- (AntiVirSchedulerService)
SRV - [2008.04.24 043230  000,598,016  ----  M] () [Auto  Running] -- CProgram FilesNVIDIA CorporationNetworkAccessManagerbin32nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
SRV - [2008.04.24 043154  000,176,128  ----  M] () [Auto  Running] -- CProgram FilesNVIDIA CorporationNetworkAccessManagerbin32nSvcIp.exe -- (nSvcIp)
SRV - [2007.06.05 142032  000,177,704  ----  M] () [Auto  Running] -- CWINDOWSsystem32PSIService.exe -- (ProtexisLicensing)
 
 
[color=#E56717]========== Driver Services (SafeList) ==========[color]
 
DRV - File not found [Kernel  On_Demand  Stopped] -- CDOCUME~1LOCALS~1Tempcpuz130cpuz_x32.sys -- (cpuz130)
DRV - [2010.02.05 223248  000,691,696  ----  M] () [Kernel  Boot  Running] -- CWINDOWSSystem32Driverssptd.sys -- (sptd)
DRV - [2010.02.05 221815  000,223,440  ----  M] (TrueCrypt Foundation) [Kernel  System  Running] -- CWINDOWSsystem32driverstruecrypt.sys -- (truecrypt)
DRV - [2010.02.03 155656  000,026,176  -H--  M] (LogMeIn, Inc.) [Kernel  On_Demand  Stopped] -- CWINDOWSsystem32drivershamachi.sys -- (hamachi)
DRV - [2010.01.12 060333  010,276,768  ----  M] (NVIDIA Corporation) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversnv4_mini.sys -- (nv)
DRV - [2009.11.25 121902  000,056,816  ----  M] (Avira GmbH) [File_System  Auto  Running] -- CWINDOWSsystem32driversavgntflt.sys -- (avgntflt)
DRV - [2009.10.20 201944  000,050,704  ----  M] (CACE Technologies, Inc.) [Kernel  Auto  Running] -- CWINDOWSsystem32driversnpf.sys -- (NPF)
DRV - [2009.08.07 234656  000,023,112  ----  M] (SiSoftware) [Kernel  On_Demand  Stopped] -- CProgram FilesSiSoftwareSiSoftware Sandra Lite 2010.SP1aWNt500x86sandra.sys -- (SANDRA)
DRV - [2009.05.11 101220  000,028,520  ----  M] (Avira GmbH) [Kernel  System  Running] -- CWINDOWSsystem32driversssmdrv.sys -- (ssmdrv)
DRV - [2009.03.30 103303  000,096,104  ----  M] (Avira GmbH) [Kernel  System  Running] -- CWINDOWSsystem32driversavipbb.sys -- (avipbb)
DRV - [2009.02.13 123501  000,011,608  ----  M] (Avira GmbH) [Kernel  System  Running] -- CProgram FilesAviraAntiVir Desktopavgio.sys -- (avgio)
DRV - [2009.01.19 203156  000,277,544  ----  M] (Protect Software GmbH) [Kernel  Auto  Running] -- CWINDOWSsystem32driversacedrv11.sys -- (acedrv11)
DRV - [2009.01.13 201352  000,049,160  ----  M] (Logitech Inc.) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversWmXlCore.sys -- (WmXlCore)
DRV - [2009.01.13 201344  000,014,728  ----  M] (Logitech Inc.) [Kernel  On_Demand  Stopped] -- CWINDOWSsystem32driversWmVirHid.sys -- (WmVirHid)
DRV - [2009.01.13 201328  000,029,192  ----  M] (Logitech Inc.) [Kernel  On_Demand  Stopped] -- CWINDOWSsystem32driversWmFilter.sys -- (WmFilter)
DRV - [2009.01.13 201320  000,019,336  ----  M] (Logitech Inc.) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversWmBEnum.sys -- (WmBEnum)
DRV - [2008.05.08 232322  000,238,080  R---  M] (VIA Technologies, Inc.) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversviahduaa.sys -- (VIAHdAudAddService)
DRV - [2008.03.25 134808  000,022,016  R---  M] (NVIDIA Corporation) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversnvnetbus.sys -- (nvnetbus)
DRV - [2008.03.25 134806  000,054,400  R---  M] (NVIDIA Corporation) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversNVENETFD.sys -- (NVENETFD)
DRV - [2008.02.14 161200  001,389,056  R---  M] (Creative Technology Ltd.) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversmonfilt.sys -- (monfilt)
DRV - [2008.01.14 120632  000,021,632  ----  M] (ManyCam LLC.) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversManyCam.sys -- (ManyCam)
DRV - [2007.06.29 154734  000,034,304  ----  M] (AMD, Inc.) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversAmdLLD.sys -- (AmdLLD)
DRV - [2006.12.04 171314  001,121,536  ----  M] (Philips Semiconductors GmbH) [Kernel  On_Demand  Running] -- CWINDOWSsystem32drivers3xHybrid.sys -- (3xHybrid)
DRV - [2006.07.02 003028  000,043,520  ----  M] (Advanced Micro Devices) [Kernel  System  Running] -- CWINDOWSsystem32driversAmdK8.sys -- (AmdK8)
DRV - [2005.05.09 200840  000,033,792  ----  M] (Team H2O) [Kernel  On_Demand  Stopped] -- CWINDOWSsystem32driverscledx.sys -- (CLEDX)
DRV - [2005.01.07 180718  000,138,752  ----  M] (Windows (R) Server 2003 DDK provider) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversHdaudbus.sys -- (HDAudBus)
DRV - [2004.08.12 205620  000,005,810  R---  M] () [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversASACPI.sys -- (MTsensor)
DRV - [2004.08.04 001014  000,015,360  ----  M] (Microsoft Corporation) [Kernel  On_Demand  Stopped] -- CWINDOWSsystem32driversMPE.sys -- (MPE)
DRV - [2004.08.03 230756  000,059,264  ----  M] (Microsoft Corporation) [Kernel  On_Demand  Running] -- CWINDOWSsystem32driversUSBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2002.09.16 181432  000,004,228  ----  M] (PowerQuest Corporation) [Kernel  System  Running] -- CWINDOWSSystem32driversPQNTDRV.sys -- (PQNTDrv)
 
 
[color=#E56717]========== Standard Registry (SafeList) ==========[color]
 
 
[color=#E56717]========== Internet Explorer ==========[color]
 
IE - HKLMSOFTWAREMicrosoftInternet ExplorerMain,Local Page = %SystemRoot%system32blank.htm
 
 
IE - HKU.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings ProxyEnable = 0
 
IE - HKUS-1-5-18SoftwareMicrosoftWindowsCurrentVersionInternet Settings ProxyEnable = 0
 
 
 
IE - HKUS-1-5-21-2052111302-343818398-839522115-1003SOFTWAREMicrosoftInternet ExplorerMain,Start Page = aboutblank
IE - HKUS-1-5-21-2052111302-343818398-839522115-1003SoftwareMicrosoftWindowsCurrentVersionInternet Settings ProxyEnable = 0
 
[color=#E56717]========== FireFox ==========[color]
 
FF - prefs.js..extensions.enabledItems {c45c406e-ab73-11d8-be73-000a95be3b12}1.1.8
FF - prefs.js..extensions.enabledItems {6AC85730-7D0F-4de0-B3FA-21142DD85326}2.0.2
FF - prefs.js..extensions.enabledItems {AB7308B2-C13C-4eba-AC78-2AD55B96EE09}3.0.0
FF - prefs.js..extensions.enabledItems {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}0.8.6.1
FF - prefs.js..extensions.enabledItems {e0204bd5-9d31-402b-a99d-a6aa8ffebdca}1.2.5
 
FF - HKLMsoftwaremozillaMozilla Firefox 3.6.6extensionsComponents CProgram FilesMozilla Firefoxcomponents [2010.07.01 140416  000,000,000  ---D  M]
FF - HKLMsoftwaremozillaMozilla Firefox 3.6.6extensionsPlugins CProgram FilesMozilla Firefoxplugins [2010.07.01 140416  000,000,000  ---D  M]
FF - HKLMsoftwaremozillaMozilla Thunderbird 3.0.5extensionsComponents CProgram FilesMozilla Thunderbirdcomponents [2010.06.18 152236  000,000,000  ---D  M]
FF - HKLMsoftwaremozillaMozilla Thunderbird 3.0.5extensionsPlugins CProgram FilesMozilla Thunderbirdplugins
 
[2010.03.11 161713  000,000,000  ---D  M] -- CDocuments and SettingsApplication DataMozillaExtensions
[2010.02.05 222318  000,000,000  ---D  M] (No name found) -- CDocuments and SettingsApplication DataMozillaExtensions{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010.03.11 161713  000,000,000  ---D  M] -- CDocuments and SettingsApplication DataMozillaExtensionsmozswing@mozswing.org
[2010.07.17 124227  000,000,000  ---D  M] -- CDocuments and SettingsApplication DataMozillaFirefoxProfiless7dsvfdj.defaultextensions
[2010.02.08 190604  000,000,000  ---D  M] (Html Validator) -- CDocuments and SettingsApplication DataMozillaFirefoxProfiless7dsvfdj.defaultextensions{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
[2010.02.08 190602  000,000,000  ---D  M] (ColorZilla) -- CDocuments and SettingsApplication DataMozillaFirefoxProfiless7dsvfdj.defaultextensions{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2010.02.08 190602  000,000,000  ---D  M] (CSS Validator) -- CDocuments and SettingsApplication DataMozillaFirefoxProfiless7dsvfdj.defaultextensions{AB7308B2-C13C-4eba-AC78-2AD55B96EE09}
[2010.02.08 002450  000,000,000  ---D  M] (Web Developer) -- CDocuments and SettingsApplication DataMozillaFirefoxProfiless7dsvfdj.defaultextensions{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010.04.23 103928  000,000,000  ---D  M] (Torbutton) -- CDocuments and SettingsApplication DataMozillaFirefoxProfiless7dsvfdj.defaultextensions{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
[2010.02.05 220435  000,000,000  ---D  M] -- CProgram FilesMozilla Firefoxextensions
[2010.07.01 140413  000,001,392  ----  M] () -- CProgram FilesMozilla Firefoxsearchpluginsamazondotcom-de.xml
[2010.07.01 140413  000,002,344  ----  M] () -- CProgram FilesMozilla FirefoxsearchpluginseBay-de.xml
[2010.07.01 140413  000,006,805  ----  M] () -- CProgram FilesMozilla Firefoxsearchpluginsleo_ende_de.xml
[2010.07.01 140413  000,001,178  ----  M] () -- CProgram FilesMozilla Firefoxsearchpluginswikipedia-de.xml
[2010.07.01 140413  000,001,105  ----  M] () -- CProgram FilesMozilla Firefoxsearchpluginsyahoo-de.xml
 
O1 HOSTS File ([2010.07.17 111701  000,412,092  R---  M]) - CWINDOWSsystem32driversetchosts
O1 - Hosts 127.0.0.1       localhost
O1 - Hosts 127.0.0.1	www.007guard.com
O1 - Hosts 127.0.0.1	007guard.com
O1 - Hosts 127.0.0.1	008i.com
O1 - Hosts 127.0.0.1	www.008k.com
O1 - Hosts 127.0.0.1	008k.com
O1 - Hosts 127.0.0.1	www.00hq.com
O1 - Hosts 127.0.0.1	00hq.com
O1 - Hosts 127.0.0.1	010402.com
O1 - Hosts 127.0.0.1	www.032439.com
O1 - Hosts 127.0.0.1	032439.com
O1 - Hosts 127.0.0.1	www.0scan.com
O1 - Hosts 127.0.0.1	0scan.com
O1 - Hosts 127.0.0.1	1000gratisproben.com
O1 - Hosts 127.0.0.1	www.1000gratisproben.com
O1 - Hosts 127.0.0.1	1001namen.com
O1 - Hosts 127.0.0.1	www.1001namen.com
O1 - Hosts 127.0.0.1	100888290cs.com
O1 - Hosts 127.0.0.1	www.100888290cs.com
O1 - Hosts 127.0.0.1	www.100sexlinks.com
O1 - Hosts 127.0.0.1	100sexlinks.com
O1 - Hosts 127.0.0.1	10sek.com
O1 - Hosts 127.0.0.1	www.10sek.com
O1 - Hosts 127.0.0.1	www.1-2005-search.com
O1 - Hosts 127.0.0.1	1-2005-search.com
O1 - Hosts 14242 more lines...
O2 - BHO (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - CProgram FilesSpybot - Search & DestroySDHelper.dll (Safer Networking Limited)
O3 - HKUS-1-5-21-2052111302-343818398-839522115-1003..ToolbarWebBrowser (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..Run [amd_dc_opt] CProgram FilesAMDDual-Core Optimizeramd_dc_opt.exe (AMD)
O4 - HKLM..Run [avgnt] CProgram FilesAviraAntiVir Desktopavgnt.exe (Avira GmbH)
O4 - HKLM..Run [FreePDF Assistant] CProgram FilesFreePDF_XPfpassist.exe (shbox.de)
O4 - HKLM..Run [MSConfig] CWINDOWSPCHealthHelpCtrBinariesMSConfig.exe (Microsoft Corporation)
O4 - HKLM..Run [NvCplDaemon] CWINDOWSSystem32NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..Run [NvMediaCenter] CWINDOWSSystem32NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..Run [nwiz]  File not found
O4 - HKLM..Run [Start WingMan Profiler] CProgram FilesLogitechGaming SoftwareLWEMon.exe (Logitech Inc.)
O4 - HKLM..Run [TerraTec Remote Control] CProgram FilesCommon FilesTerraTecRemoteTTTVRC.exe (TerraTec Eletronic GmbH)
O4 - HKLM..Run [WinampAgent] CProgram FilesWinampwinampa.exe (Nullsoft, Inc.)
O4 - HKUS-1-5-21-2052111302-343818398-839522115-1003..Run [SpybotSD TeaTimer] CProgram FilesSpybot - Search & DestroyTeaTimer.exe (Safer-Networking Ltd.)
O7 - HKU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer NoDriveTypeAutoRun = 145
O7 - HKUS-1-5-18SOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer NoDriveTypeAutoRun = 145
O7 - HKUS-1-5-19SOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer NoDriveTypeAutoRun = 145
O7 - HKUS-1-5-20SOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer NoDriveTypeAutoRun = 145
O7 - HKUS-1-5-21-2052111302-343818398-839522115-1003SOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem  Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - CProgram FilesSpybot - Search & DestroySDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9Catalog_Entries000000000001 - CWINDOWSsystem32nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9Catalog_Entries000000000002 - CWINDOWSsystem32nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9Catalog_Entries000000000003 - CWINDOWSsystem32nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9Catalog_Entries000000000009 - CWINDOWSsystem32nvLsp.dll (NVIDIA)
O16 - DPF {31435657-9980-0010-8000-00AA00389B71} httpdownload.microsoft.comdownloade2fe2fcec4b-6c8b-48b7-adab-ab9c403a978fwvc1dmo.cab (Reg Error Key error.)
O18 - ProtocolHandlerskype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - CProgram FilesCommon FilesSkypeSkype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon Shell - (Explorer.exe) - CWINDOWSexplorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper CDocuments and SettingsLocal SettingsApplication DataMicrosoftWallpaper1.bmp
O24 - Desktop BackupWallPaper CDocuments and SettingsLocal SettingsApplication DataMicrosoftWallpaper1.bmp
O32 - HKLM CDRom AutoRun - 0
O32 - AutoRun File - [2010.02.05 211056  000,000,000  ----  M] () - CAUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008.06.10 153242  000,000,044  R---  M] () - DAutorun.inf -- [ CDFS ]
O34 - HKLM BootExecute (autocheck autochk ) -  File not found
O35 - HKLM..comfile [open] -- %1 %
O35 - HKLM..exefile [open] -- %1 %
O36 - AppCertDlls odbcdial - (CWINDOWSsystem32dllhsn32.dll) - CWINDOWSsystem32dllhsn32.dll ()
O37 - HKLM...com [@ = comfile] -- %1 %
O37 - HKLM...exe [@ = exefile] -- %1 %
 
[color=#E56717]========== FilesFolders - Created Within 30 Days ==========[color]
 
[2010.07.17 174745  000,574,976  ----  C] (OldTimer Tools) -- CDocuments and SettingsDesktopOTL.exe
[2010.07.17 173624  000,000,000  --SD  C] -- CDocuments and SettingsUserData
[2010.07.17 173300  000,000,000  RH-D  C] -- CDocuments and SettingsRecent
[2010.07.17 145842  000,000,000  ---D  C] -- CProgram FilesCCleaner
[2010.07.17 143822  000,000,000  ---D  C] -- CProgram Fileslynx
[2010.07.17 143119  000,000,000  ---D  C] -- CDocuments and SettingsDesktoposam_autorun_manager_5_0_portable
[2010.07.17 131624  000,000,000  ---D  C] -- CDocuments and SettingsApplication DataWireshark
[2010.07.17 130814  000,000,000  ---D  C] -- CProgram FilesWinPcap
[2010.07.17 130732  000,000,000  ---D  C] -- CProgram FilesWireshark
[2010.07.17 063007  000,000,000  ---D  C] -- CDocuments and SettingsNetworkServiceApplication DataMacromedia
[2010.07.17 063007  000,000,000  ---D  C] -- CDocuments and SettingsNetworkServiceApplication DataAdobe
[2010.07.17 013703  000,000,000  ---D  C] -- CProgram FilesSpybot - Search & Destroy
[2010.07.17 013703  000,000,000  ---D  C] -- CDocuments and SettingsAll UsersApplication DataSpybot - Search & Destroy
[2010.07.17 013042  000,000,000  ---D  C] -- CDocuments and SettingsApplication DataMalwarebytes
[2010.07.17 013035  000,038,224  ----  C] (Malwarebytes Corporation) -- CWINDOWSSystem32driversmbamswissarmy.sys
[2010.07.17 013034  000,020,952  ----  C] (Malwarebytes Corporation) -- CWINDOWSSystem32driversmbam.sys
[2010.07.17 013034  000,000,000  ---D  C] -- CProgram FilesMalwarebytes' Anti-Malware
[2010.07.17 013034  000,000,000  ---D  C] -- CDocuments and SettingsAll UsersApplication DataMalwarebytes
[2010.07.17 005634  000,000,000  ---D  C] -- CDocuments and SettingsLocalServiceApplication DataAdobe
[2010.07.14 104944  000,000,000  ---D  C] -- CProgram FilesCommon FilesSkype
[2010.07.13 020914  000,000,000  ---D  C] -- CDocuments and SettingsApplication DataDropbox
[2010.07.11 170202  000,000,000  ---D  C] -- CDocuments and SettingsMy DocumentsDrakensang
[2010.07.11 170140  000,000,000  ---D  C] -- CProgram FilesProtectDisc Driver Installer
[2010.07.11 170137  000,000,000  ---D  C] -- CDocuments and SettingsApplication DataProtectDisc
[2010.07.09 234957  005,619,712  ----  C] (Gas Powered Games) -- CDocuments and SettingsDesktopsupcom_fa_patch_1.5.3596_to_1.5.3599.exe
[2010.07.09 233606  039,362,560  ----  C] (Gas Powered Games) -- CDocuments and SettingsDesktopsupcom_patch_1.0.3189_to_1.1.3280.exe
[2010.07.09 070026  000,000,000  ---D  C] -- CDocuments and SettingsDesktopdummy file generator12
[2010.07.08 030038  000,000,000  ---D  C] -- CDocuments and SettingsLocal SettingsApplication DataGas Powered Games
[2010.07.08 025952  000,108,144  ----  C] (Sony DADC Austria AG.) -- CWINDOWSSystem32CmdLineExt.dll
[2010.07.08 025813  000,000,000  ---D  C] -- CDocuments and SettingsAll UsersApplication DataMedia Center Programs
[2010.07.06 000315  000,000,000  ---D  C] -- CProgram FilesMusicLab
[2010.06.30 012219  000,000,000  ---D  C] -- CDocuments and SettingsApplication DataSteinberg
[2010.06.30 011818  000,033,792  ----  C] (Team H2O) -- CWINDOWSSystem32driverscledx.sys
[2010.06.30 011811  000,016,896  ----  C] (Syncrosoft GmbH) -- CWINDOWSSystem32driverssynasUSB.sys
[2010.06.26 024015  000,000,000  ---D  C] -- CDocuments and SettingsLocal SettingsApplication DataMy Games
[2010.06.22 032424  000,000,000  ---D  C] -- CDocuments and SettingsMy DocumentsNeverwinter Nights 2
[4 CWINDOWS.tmp files - CWINDOWS.tmp - ]
[3 CDocuments and SettingsAll UsersApplication Data.tmp files - CDocuments and SettingsAll UsersApplication Data.tmp - ]
[1 CWINDOWSSystem32.tmp files - CWINDOWSSystem32.tmp - ]
 
[color=#E56717]========== Files - Modified Within 30 Days ==========[color]
 
[2010.07.17 174747  000,574,976  ----  M] (OldTimer Tools) -- CDocuments and SettingsDesktopOTL.exe
[2010.07.17 172332  000,000,574  ----  M] () -- CWINDOWSwin.ini
[2010.07.17 172332  000,000,270  ----  M] () -- CWINDOWSsystem.ini
[2010.07.17 172332  000,000,223  RHS-  M] () -- Cboot.ini
[2010.07.17 172329  000,275,208  ----  M] () -- CWINDOWSSystem32NvApps.xml
[2010.07.17 172323  000,000,006  -H--  M] () -- CWINDOWStasksSA.DAT
[2010.07.17 172322  000,002,048  --S-  M] () -- CWINDOWSbootstat.dat
[2010.07.17 172238  013,631,488  -H--  M] () -- CDocuments and SettingsNTUSER.DAT
[2010.07.17 163035  000,002,285  ----  M] () -- CDocuments and SettingsApplication DataMicrosoftInternet ExplorerQuick LaunchSkype.lnk
[2010.07.17 151514  000,293,376  ----  M] () -- CDocuments and SettingsDesktopxtj2z9vg.exe
[2010.07.17 150226  000,088,606  ----  M] () -- CDocuments and SettingsMy Documentscc_20100717_150208.reg
[2010.07.17 145843  000,000,688  ----  M] () -- CDocuments and SettingsDesktopCCleaner.lnk
[2010.07.17 143822  000,001,492  ----  M] () -- CDocuments and SettingsDesktopLynx Browser.lnk
[2010.07.17 130818  000,000,073  ----  M] () -- CWINDOWSSystem32-1
[2010.07.17 130751  000,001,501  ----  M] () -- CDocuments and SettingsApplication DataMicrosoftInternet ExplorerQuick LaunchWireshark.lnk
[2010.07.17 112058  000,029,184  ----  M] () -- CDocuments and SettingsDesktopMiet-Anzeigen.doc
[2010.07.17 111701  000,412,092  R---  M] () -- CWINDOWSSystem32driversetchosts
[2010.07.17 100639  100,667,044  ----  M] () -- CDocuments and SettingsDesktopchaosradio_express_159_nachrichtendienste.mp3
[2010.07.17 013708  000,000,939  ----  M] () -- CDocuments and SettingsDesktopSpybot - Search & Destroy.lnk
[2010.07.17 013038  000,000,702  ----  M] () -- CDocuments and SettingsAll UsersDesktopMalwarebytes' Anti-Malware.lnk
[2010.07.17 012448  000,002,206  ----  M] () -- CWINDOWSSystem32wpa.dbl
[2010.07.17 012439  000,393,568  ----  M] () -- CWINDOWSSystem32FNTCACHE.DAT
[2010.07.17 001910  000,046,592  -H--  M] () -- CWINDOWSSystem32dllhsn32.dll
[2010.07.16 205144  000,002,880  -HS-  M] () -- CWINDOWSSystem32KGyGaAvL.sys
[2010.07.16 145843  000,163,328  ----  M] () -- CDocuments and SettingsLocal SettingsApplication DataDCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.15 000316  000,004,096  ----  M] () -- CDocuments and SettingsAll UsersDocuments00001119.LCS
[2010.07.13 091426  006,178,944  ----  M] () -- CDocuments and SettingsDesktopDelta Blues- DHM ('Personally Groovy' take ).mp3
[2010.07.12 093350  000,119,000  ----  M] () -- CDocuments and SettingsApplication DataGDIPFONTCACHEV1.DAT
[2010.07.11 213438  118,095,214  ----  M] () -- CDocuments and SettingsDesktopchaosradio_express_158_liquidfeedback.mp3
[2010.07.11 013653  000,021,558  ----  M] () -- CDocuments and SettingsMy Documents019._2wav.wav
[2010.07.11 013546  000,021,558  ----  M] () -- CDocuments and SettingsMy Documents019.wav
[2010.07.10 231549  000,000,551  ----  M] () -- CDocuments and SettingsDesktopDrakensang.lnk
[2010.07.09 235031  005,619,712  ----  M] (Gas Powered Games) -- CDocuments and SettingsDesktopsupcom_fa_patch_1.5.3596_to_1.5.3599.exe
[2010.07.09 234122  039,362,560  ----  M] (Gas Powered Games) -- CDocuments and SettingsDesktopsupcom_patch_1.0.3189_to_1.1.3280.exe
[2010.07.09 025626  002,806,805  ----  M] () -- CDocuments and SettingsDesktop09 - BMission.mp3
[2010.07.08 025952  000,108,144  ----  M] (Sony DADC Austria AG.) -- CWINDOWSSystem32CmdLineExt.dll
[2010.07.08 025906  000,000,686  ----  M] () -- CDocuments and SettingsAll UsersDesktopSupCom.lnk
[2010.07.07 022100  000,000,025  ----  M] () -- CWINDOWSpopcinfot.dat
[2010.07.06 135406  000,119,000  ----  M] () -- CDocuments and SettingsLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
[2010.07.04 230648  000,000,616  ----  M] () -- CDocuments and SettingsApplication DataMicrosoftInternet ExplorerQuick LaunchOpera.lnk
[2010.06.30 015524  000,071,052  ----  M] () -- CDocuments and SettingsDesktopbreeda_110g_e.mp3
[2010.06.30 015515  000,084,844  ----  M] () -- CDocuments and SettingsDesktopshunta_92c_fsharp.mp3
[2010.06.30 015508  000,070,634  ----  M] () -- CDocuments and SettingsDesktopbreeda_110i_asharp.mp3
[2010.06.30 015502  000,066,872  ----  M] () -- CDocuments and SettingsDesktopmasha_117e_a.mp3
[2010.06.30 015427  000,071,052  ----  M] () -- CDocuments and SettingsDesktopbreeda_110e_c.mp3
[2010.06.30 015421  000,106,578  ----  M] () -- CDocuments and SettingsDesktopclankmonsta_146b_fsharp.mp3
[2010.06.30 015412  000,084,844  ----  M] () -- CDocuments and SettingsDesktopshunta_92i_b.mp3
[2010.06.30 015405  000,084,426  ----  M] () -- CDocuments and SettingsDesktopshunta_92a_e.mp3
[2010.06.29 173109  000,000,246  ----  M] () -- CWINDOWSCaligari.ini
[2010.06.29 102316  000,006,498  ----  M] () -- CDocuments and SettingsDesktopConquest.pdf
[2010.06.29 094458  000,136,524  ----  M] () -- CDocuments and SettingsDesktopGFRY_Fahne.aep
[2010.06.29 093037  000,080,236  ----  M] () -- CDocuments and SettingsDesktopGFRY.jpg
[4 CWINDOWS.tmp files - CWINDOWS.tmp - ]
[3 CDocuments and SettingsAll UsersApplication Data.tmp files - CDocuments and SettingsAll UsersApplication Data.tmp - ]
[1 CWINDOWSSystem32.tmp files - CWINDOWSSystem32.tmp - ]
 
[color=#E56717]========== Files Created - No Company Name ==========[color]
 
[2010.07.17 151514  000,293,376  ----  C] () -- CDocuments and SettingsDesktopxtj2z9vg.exe
[2010.07.17 150212  000,088,606  ----  C] () -- CDocuments and SettingsMy Documentscc_20100717_150208.reg
[2010.07.17 145843  000,000,688  ----  C] () -- CDocuments and SettingsDesktopCCleaner.lnk
[2010.07.17 143822  000,001,492  ----  C] () -- CDocuments and SettingsDesktopLynx Browser.lnk
[2010.07.17 130817  000,000,073  ----  C] () -- CWINDOWSSystem32-1
[2010.07.17 130751  000,001,501  ----  C] () -- CDocuments and SettingsApplication DataMicrosoftInternet ExplorerQuick LaunchWireshark.lnk
[2010.07.17 091131  100,667,044  ----  C] () -- CDocuments and SettingsDesktopchaosradio_express_159_nachrichtendienste.mp3
[2010.07.17 013708  000,000,939  ----  C] () -- CDocuments and SettingsDesktopSpybot - Search & Destroy.lnk
[2010.07.17 013038  000,000,702  ----  C] () -- CDocuments and SettingsAll UsersDesktopMalwarebytes' Anti-Malware.lnk
[2010.07.17 001910  000,046,592  -H--  C] () -- CWINDOWSSystem32dllhsn32.dll
[2010.07.13 091416  006,178,944  ----  C] () -- CDocuments and SettingsDesktopDelta Blues- DHM.mp3
[2010.07.11 170139  000,004,096  ----  C] () -- CDocuments and SettingsAll UsersDocuments00001119.LCS
[2010.07.11 170130  118,095,214  ----  C] () -- CDocuments and SettingsDesktopchaosradio_express_158_liquidfeedback.mp3
[2010.07.11 013653  000,021,558  ----  C] () -- CDocuments and SettingsMy Documents019._2wav.wav
[2010.07.11 013245  000,021,558  ----  C] () -- CDocuments and SettingsMy Documents019.wav
[2010.07.10 231549  000,000,551  ----  C] () -- CDocuments and SettingsDesktopDrakensang.lnk
[2010.07.09 025624  002,806,805  ----  C] () -- CDocuments and SettingsDesktop09 - BMission.mp3
[2010.07.08 025906  000,000,686  ----  C] () -- CDocuments and SettingsAll UsersDesktopSupCom.lnk
[2010.07.01 165856  000,029,184  ----  C] () -- CDocuments and SettingsDesktopMiet-Anzeigen.doc
[2010.06.30 015523  000,071,052  ----  C] () -- CDocuments and SettingsDesktopbreeda_110g_e.mp3
[2010.06.30 015515  000,084,844  ----  C] () -- CDocuments and SettingsDesktopshunta_92c_fsharp.mp3
[2010.06.30 015508  000,070,634  ----  C] () -- CDocuments and SettingsDesktopbreeda_110i_asharp.mp3
[2010.06.30 015502  000,066,872  ----  C] () -- CDocuments and SettingsDesktopmasha_117e_a.mp3
[2010.06.30 015426  000,071,052  ----  C] () -- CDocuments and SettingsDesktopbreeda_110e_c.mp3
[2010.06.30 015421  000,106,578  ----  C] () -- CDocuments and SettingsDesktopclankmonsta_146b_fsharp.mp3
[2010.06.30 015412  000,084,844  ----  C] () -- CDocuments and SettingsDesktopshunta_92i_b.mp3
[2010.06.30 015405  000,084,426  ----  C] () -- CDocuments and SettingsDesktopshunta_92a_e.mp3
[2010.06.29 102312  000,006,498  ----  C] () -- CDocuments and SettingsDesktopConquest.pdf
[2010.06.29 091734  000,136,524  ----  C] () -- CDocuments and SettingsDesktopGFRY_Fahne.aep
[2010.06.29 084901  000,080,236  ----  C] () -- CDocuments and SettingsDesktopGFRY.jpg
[2010.06.17 010454  000,116,224  ----  C] () -- CWINDOWSSystem32redmonnt.dll
[2010.06.05 021555  000,000,246  ----  C] () -- CWINDOWSCaligari.ini
[2010.05.28 200523  000,021,840  ----  C] () -- CWINDOWSSystem32SIntfNT.dll
[2010.05.28 200523  000,017,212  ----  C] () -- CWINDOWSSystem32SIntf32.dll
[2010.05.28 200523  000,012,067  ----  C] () -- CWINDOWSSystem32SIntf16.dll
[2010.02.06 003812  000,002,880  -HS-  C] () -- CWINDOWSSystem32KGyGaAvL.sys
[2010.02.06 003812  000,000,088  RHS-  C] () -- CWINDOWSSystem325AFCDF6B76.sys
[2010.02.05 233722  000,363,520  ----  C] () -- CWINDOWSSystem32PsisDecd.dll
[2010.02.05 223808  000,000,400  ----  C] () -- CWINDOWSODBC.INI
[2010.02.05 223248  000,691,696  ----  C] () -- CWINDOWSSystem32driverssptd.sys
[2010.02.05 213543  000,031,890  ----  C] () -- CWINDOWSAscd_log.ini
[2010.02.05 213511  000,005,810  R---  C] () -- CWINDOWSSystem32driversASACPI.sys
[2010.02.05 213451  000,031,577  ----  C] () -- CWINDOWSAscd_tmp.ini
[2010.02.05 213451  000,010,296  ----  C] () -- CWINDOWSSystem32driversASUSHWIO.SYS
[2009.10.20 201930  000,053,299  ----  C] () -- CWINDOWSSystem32pthreadVC.dll
[2008.05.03 004600  000,286,720  ----  C] () -- CWINDOWSSystem32nvnt4cpl.dll
[2008.02.01 015520  000,000,109  ----  C] () -- CWINDOWSSystem32OSENXPSUITE2005.INI
[2007.04.17 163440  000,135,716  ----  C] () -- CWINDOWSSystem32xlive.dll.cat
[2006.12.04 171312  000,003,072  ----  C] () -- CWINDOWSSystem3234CoInstaller.dll
[2004.08.04 065644  000,081,920  ----  C] () -- CWINDOWSSystem32ieencode.dll
 End of report

Larusso · 17.07.2010, 21:30

Eine Bereinigung ist mitunter mit viel Arbeit für Dich verbunden.

Bitte arbeite alle Schritte der Reihe nach ab.
Lese die Anleitungen sorgfältig. Sollte es Probleme geben, bitte stoppen und hier so gut es geht beschreiben.
Nur Scanns durchführen zu denen Du von einem Helfer aufgefordert wirst.
Bitte kein Crossposting ( posten in mehreren Foren).
Installiere oder Deinstalliere während der Bereinigung keine Software ausser Du wurdest dazu aufgefordert.
Lese Dir die Anleitung zuerst vollständig durch. Sollte etwas unklar sein, frage bevor Du beginnst.
Poste die Logfiles direkt in deinen Thread. Nicht anhängen ausser ich fordere Dich dazu auf. Erschwert mir nämlich das auswerten.

Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der Schnellere und immer der sicherste Weg.
Solltest Du Dich für eine Bereinigung entscheiden, arbeite solange mit, bis dir jemand vom Team sagt, dass Du clean bist.

Vista und Win7 User
Alle Tools mit Rechtsklick "als Administrator ausführen" starten.

Schritt 1

Poste mal die OTL und GMER logfile

Bernd_T · 17.07.2010, 21:32

Zitat:

Zitat von Larusso

Schritt 1

Poste mal die OTL und GMER logfile

Schon passiert, wahrscheinlich zeitgleich mit Deiner Antwort.
Danke für die Hilfe,
Bernd

Larusso · 17.07.2010, 21:34

was ist hier los ?
PRC - [2010.01.14 004452 000,037,888 ---- M] (Nullsoft, Inc.) -- CProgram FilesWinampwinampa.exe

Normal
PRC - [2010.01.14 004452 000,037,888 ---- M] (Nullsoft, Inc.) -- C:\Program Files\Winamp\winampa.exe

Schritt 1

Downloade Dir bitte defogger von jpshortstuff auf Deinem Desktop.

Starte das Tool mit Doppelklick.
Vista User: Bitte mit Rechtsklick "als Administrator starten".
Klicke nun auf den Disable Button um die Treiber gewisser Emulatoren zu deaktivieren.
Wenn der Scan beendet wurde ( Finished ), klicke auf OK.
Defogger fordert nun zum Neustart auf. Bestätige dies mit OK.
DeFogger erstellt nun ein Logfile auf dem Desktop (defogger_disable).

Poste bitte den Inhalt der Logfile in Deiner nächsten Antwort.

Schritt 2

CustomScan mit OTL

Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop

Starte bitte die OTL.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Kopiere nun den Inhalt in die Textbox.

Code:

ATTFilter

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

Schliesse bitte nun alle Programme. (Wichtig)
Klicke nun bitte auf den Quick Scan Button.
Klick auf .
Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in Deinen Thread

Schritt 3

Bitte

alle anderen Scanner gegen Viren, Spyware, usw. deaktiviert sein,
keine Verbindung zu einem Netzwerk/Internet bestehen (WLAN nicht vergessen),
nichts am Rechner getan werden,
nach jedem Scan der Rechner neu gestartet werden.

Gmer scannen lassen

Lade Dir Gmer von dieser Seite herunter
(auf den Button Download EXE drücken) und das Programm auf dem Desktop speichern.
Alle anderen Programme sollen geschlossen sein.
Starte gmer.exe (Programm hat einen willkürlichen Programm-Namen).
Vista und Win7 User mit Rechtsklick und als Administrator starten.
Entferne rechts den Haken bei
- IAT/EAT
- Alle Festplatten ausser die Systemplatte (normalerweise ist nur C:\ angehackt)
- Show all (sollte abgehackt sein)
Sollte sich ein Fenster mit folgender Warnung öffnen:
WARNING !!!
GMER has found system modification, which might have been caused by ROOTKIT activity.
Do you want to fully scan your system ?
Unbedingt auf "No" klicken.
Starte den Scan mit "Scan". Mache nichts am Computer während der Scan läuft.
Wenn der Scan fertig ist klicke auf Save und speichere die Logfile unter Gmer.txt auf deinem Desktop. Mit "Ok" wird GMER beendet.

Antiviren-Programm und sonstige Scanner wieder einschalten, bevor Du ins Netz gehst!

Bitte poste in Deiner nächsten Antwort
defogger_disable.txt
OTL.txt
Gmer.txt

Bernd_T · 17.07.2010, 22:01

Zitat:

Zitat von Larusso

was ist hier los ?
PRC - [2010.01.14 004452 000,037,888 ---- M] (Nullsoft, Inc.) -- CProgram FilesWinampwinampa.exe

Normal
PRC - [2010.01.14 004452 000,037,888 ---- M] (Nullsoft, Inc.) -- C:\Program Files\Winamp\winampa.exe

Ich hab keine Ahnung...

Zitat:

Zitat von Larusso

Bitte poste in Deiner nächsten Antwort
defogger_disable.txt
OTL.txt
Gmer.txt

defogger_disable.txt

Code:

ATTFilter

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 22:38 on 17/07/2010 (****)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-

OTL.txt
[CODE]
OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 17.07.2010 22:43:00 - Run 2
OTL by OldTimer - Version 3.2.9.0     Folder = C:\Documents and Settings\****\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 71,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73,24 Gb Total Space | 24,80 Gb Free Space | 33,86% Space Free | Partition Type: NTFS
Drive D: | 5,12 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 100,01 Gb Total Space | 8,71 Gb Free Space | 8,71% Space Free | Partition Type: NTFS
Drive H: | 132,87 Gb Total Space | 1,63 Gb Free Space | 1,23% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive X: | 224,85 Gb Total Space | 3,97 Gb Free Space | 1,77% Space Free | Partition Type: NTFS
 
Computer Name: ELCH
Current User Name: ****
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2010.07.17 17:47:47 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\****\Desktop\OTL.exe
PRC - [2010.06.30 14:52:22 | 000,836,464 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2010.01.14 00:44:52 | 000,037,888 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Winamp\winampa.exe
PRC - [2009.09.05 17:29:06 | 000,385,024 | ---- | M] (shbox.de) -- C:\Program Files\FreePDF_XP\fpassist.exe
PRC - [2009.07.21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009.05.13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009.03.05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009.03.02 13:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009.01.21 15:19:54 | 000,092,168 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Gaming Software\LWEMon.exe
PRC - [2008.04.24 04:32:30 | 000,598,016 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
PRC - [2008.04.24 04:31:54 | 000,176,128 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
PRC - [2007.06.05 14:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2005.12.21 12:52:36 | 000,987,136 | ---- | M] (TerraTec Eletronic GmbH) -- C:\Program Files\Common Files\TerraTec\Remote\TTTVRC.exe
PRC - [2004.08.04 06:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010.07.17 17:47:47 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\****\Desktop\OTL.exe
MOD - [2010.07.17 00:19:10 | 000,046,592 | -H-- | M] () -- C:\WINDOWS\system32\dllhsn32.dll
MOD - [2004.08.04 06:57:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004.08.04 05:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2009.10.20 20:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009.08.17 08:54:36 | 000,093,336 | ---- | M] (SiSoftware) [Disabled | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP1a\RpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2009.07.21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.05.13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008.04.24 04:32:30 | 000,598,016 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
SRV - [2008.04.24 04:31:54 | 000,176,128 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp)
SRV - [2007.06.05 14:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\HYPERG~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys -- (cpuz130)
DRV - [2010.02.05 22:32:48 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010.02.05 22:18:15 | 000,223,440 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2010.02.03 15:56:56 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2010.01.12 06:03:33 | 010,276,768 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009.11.25 12:19:02 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009.10.20 20:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009.08.07 23:46:56 | 000,023,112 | ---- | M] (SiSoftware) [Kernel | On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP1a\WNt500x86\sandra.sys -- (SANDRA)
DRV - [2009.05.11 10:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.03.30 10:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009.02.13 12:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009.01.19 20:31:56 | 000,277,544 | ---- | M] (Protect Software GmbH) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\acedrv11.sys -- (acedrv11)
DRV - [2009.01.13 20:13:52 | 000,049,160 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2009.01.13 20:13:44 | 000,014,728 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2009.01.13 20:13:28 | 000,029,192 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2009.01.13 20:13:20 | 000,019,336 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2008.05.08 23:23:22 | 000,238,080 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2008.03.25 13:48:08 | 000,022,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008.03.25 13:48:06 | 000,054,400 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008.02.14 16:12:00 | 001,389,056 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)
DRV - [2008.01.14 12:06:32 | 000,021,632 | ---- | M] (ManyCam LLC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ManyCam.sys -- (ManyCam)
DRV - [2007.06.29 15:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2006.12.04 17:13:14 | 001,121,536 | ---- | M] (Philips Semiconductors GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\3xHybrid.sys -- (3xHybrid)
DRV - [2006.07.02 00:30:28 | 000,043,520 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005.05.09 20:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cledx.sys -- (CLEDX)
DRV - [2005.01.07 18:07:18 | 000,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004.08.12 20:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004.08.04 00:10:14 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2004.08.03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2002.09.16 18:14:32 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\PQNTDRV.sys -- (PQNTDrv)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2
FF - prefs.js..extensions.enabledItems: {AB7308B2-C13C-4eba-AC78-2AD55B96EE09}:3.0.0
FF - prefs.js..extensions.enabledItems: {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}:0.8.6.1
FF - prefs.js..extensions.enabledItems: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca}:1.2.5
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.01 14:04:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.01 14:04:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.5\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.06.18 15:22:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.5\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
 
[2010.03.11 16:17:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Mozilla\Extensions
[2010.02.05 22:23:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\****\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010.03.11 16:17:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010.07.17 12:42:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Mozilla\Firefox\Profiles\s7dsvfdj.default\extensions
[2010.02.08 19:06:04 | 000,000,000 | ---D | M] (Html Validator) -- C:\Documents and Settings\****\Application Data\Mozilla\Firefox\Profiles\s7dsvfdj.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
[2010.02.08 19:06:02 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Documents and Settings\****\Application Data\Mozilla\Firefox\Profiles\s7dsvfdj.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2010.02.08 19:06:02 | 000,000,000 | ---D | M] (CSS Validator) -- C:\Documents and Settings\****\Application Data\Mozilla\Firefox\Profiles\s7dsvfdj.default\extensions\{AB7308B2-C13C-4eba-AC78-2AD55B96EE09}
[2010.02.08 00:24:50 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\****\Application Data\Mozilla\Firefox\Profiles\s7dsvfdj.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010.04.23 10:39:28 | 000,000,000 | ---D | M] (Torbutton) -- C:\Documents and Settings\****\Application Data\Mozilla\Firefox\Profiles\s7dsvfdj.default\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
[2010.02.05 22:04:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010.07.01 14:04:13 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.07.01 14:04:13 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.07.01 14:04:13 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.07.01 14:04:13 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.07.01 14:04:13 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2010.07.17 11:17:01 | 000,412,092 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 127.0.0.1	www.007guard.com
O1 - Hosts: 127.0.0.1	007guard.com
O1 - Hosts: 127.0.0.1	008i.com
O1 - Hosts: 127.0.0.1	www.008k.com
O1 - Hosts: 127.0.0.1	008k.com
O1 - Hosts: 127.0.0.1	www.00hq.com
O1 - Hosts: 127.0.0.1	00hq.com
O1 - Hosts: 127.0.0.1	010402.com
O1 - Hosts: 127.0.0.1	www.032439.com
O1 - Hosts: 127.0.0.1	032439.com
O1 - Hosts: 127.0.0.1	www.0scan.com
O1 - Hosts: 127.0.0.1	0scan.com
O1 - Hosts: 127.0.0.1	1000gratisproben.com
O1 - Hosts: 127.0.0.1	www.1000gratisproben.com
O1 - Hosts: 127.0.0.1	1001namen.com
O1 - Hosts: 127.0.0.1	www.1001namen.com
O1 - Hosts: 127.0.0.1	100888290cs.com
O1 - Hosts: 127.0.0.1	www.100888290cs.com
O1 - Hosts: 127.0.0.1	www.100sexlinks.com
O1 - Hosts: 127.0.0.1	100sexlinks.com
O1 - Hosts: 127.0.0.1	10sek.com
O1 - Hosts: 127.0.0.1	www.10sek.com
O1 - Hosts: 127.0.0.1	www.1-2005-search.com
O1 - Hosts: 127.0.0.1	1-2005-search.com
O1 - Hosts: 14242 more lines...
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz]  File not found
O4 - HKLM..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe (Logitech Inc.)
O4 - HKLM..\Run: [TerraTec Remote Control] C:\Program Files\Common Files\TerraTec\Remote\TTTVRC.exe (TerraTec Eletronic GmbH)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\nvLsp.dll (NVIDIA)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\****\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\****\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2010.02.05 21:10:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008.06.10 15:32:42 | 000,000,044 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: odbcdial - (C:\WINDOWS\system32\dllhsn32.dll) - C:\WINDOWS\system32\dllhsn32.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: 6to4 -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)
 
========== Files/Folders - Created Within 90 Days ==========
 
[2010.07.17 17:47:45 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\****\Desktop\OTL.exe
[2010.07.17 17:36:24 | 000,000,000 | --SD | C] -- C:\Documents and Settings\****\UserData
[2010.07.17 17:33:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\****\Recent
[2010.07.17 14:58:42 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010.07.17 14:38:22 | 000,000,000 | ---D | C] -- C:\Program Files\lynx
[2010.07.17 14:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Desktop\osam_autorun_manager_5_0_portable
[2010.07.17 13:16:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\Wireshark
[2010.07.17 13:08:14 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2010.07.17 13:07:32 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark
[2010.07.17 06:30:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010.07.17 06:30:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010.07.17 01:37:03 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010.07.17 01:37:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010.07.17 01:30:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\Malwarebytes
[2010.07.17 01:30:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.07.17 01:30:34 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.07.17 01:30:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.07.17 01:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.07.17 00:56:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010.07.14 10:49:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010.07.13 02:09:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\Dropbox
[2010.07.11 17:02:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\My Documents\Drakensang
[2010.07.11 17:01:40 | 000,000,000 | ---D | C] -- C:\Program Files\ProtectDisc Driver Installer
[2010.07.11 17:01:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\ProtectDisc
[2010.07.09 23:49:57 | 005,619,712 | ---- | C] (Gas Powered Games) -- C:\Documents and Settings\****\Desktop\supcom_fa_patch_1.5.3596_to_1.5.3599.exe
[2010.07.09 23:36:06 | 039,362,560 | ---- | C] (Gas Powered Games) -- C:\Documents and Settings\****\Desktop\supcom_patch_1.0.3189_to_1.1.3280.exe
[2010.07.09 07:00:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Desktop\dummy file generator12
[2010.07.08 03:00:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Local Settings\Application Data\Gas Powered Games
[2010.07.08 02:59:52 | 000,108,144 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010.07.08 02:58:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Media Center Programs
[2010.07.06 00:03:15 | 000,000,000 | ---D | C] -- C:\Program Files\MusicLab
[2010.06.30 01:22:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\Steinberg
[2010.06.30 01:18:18 | 000,033,792 | ---- | C] (Team H2O) -- C:\WINDOWS\System32\drivers\cledx.sys
[2010.06.30 01:18:11 | 000,016,896 | ---- | C] (Syncrosoft GmbH) -- C:\WINDOWS\System32\drivers\synasUSB.sys
[2010.06.26 02:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Local Settings\Application Data\My Games
[2010.06.22 03:24:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\My Documents\Neverwinter Nights 2
[2010.06.17 16:07:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Local Settings\Application Data\FreePDF_XP
[2010.06.17 11:18:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\Microsoft Games
[2010.06.17 01:04:53 | 000,000,000 | ---D | C] -- C:\Program Files\FreePDF_XP
[2010.06.17 01:04:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FreePDF
[2010.06.17 01:04:24 | 000,000,000 | ---D | C] -- C:\Program Files\gs
[2010.06.10 13:40:40 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla
[2010.06.08 09:03:13 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2010.06.07 16:14:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\My Documents\Any Video Converter
[2010.06.07 16:12:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\AnvSoft
[2010.06.07 16:12:31 | 000,000,000 | ---D | C] -- C:\Program Files\Any Video Converter
[2010.06.07 06:28:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\My Documents\Disney Interactive Studios
[2010.06.05 03:41:20 | 000,000,000 | ---D | C] -- C:\Program Files\trueSpace761
[2010.06.05 02:47:47 | 000,000,000 | ---D | C] -- C:\Program Files\Python26
[2010.06.05 02:41:04 | 000,000,000 | ---D | C] -- C:\Program Files\Blender Foundation
[2010.05.30 08:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\DVDVideoSoftIEHelpers
[2010.05.30 08:36:49 | 000,000,000 | ---D | C] -- C:\Program Files\DVDVideoSoft
[2010.05.30 08:36:44 | 000,000,000 | ---D | C] -- C:\Program Files\Free YouTube to MP3 Converter
[2010.05.30 08:36:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DVDVideoSoft
[2010.05.28 20:04:25 | 000,094,208 | ---- | C] (Blizzard Entertainment) -- C:\WINDOWS\DIIUnin.exe
[2010.05.27 14:37:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010.05.27 12:26:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010.05.19 16:28:33 | 000,000,000 | ---D | C] -- C:\Program Files\ManyCam 2.4
[2010.05.19 16:28:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\ManyCam
[2010.05.19 16:28:27 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2010.05.19 16:14:54 | 000,000,000 | ---D | C] -- C:\Program Files\Webcam Simulator
[2010.05.17 23:29:20 | 000,278,528 | ---- | C] (Big Sphicter productions) -- C:\Documents and Settings\****\Desktop\cac106.exe
[2010.05.16 01:52:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010.05.16 01:27:11 | 000,131,072 | ---- | C] (Sunplus) -- C:\WINDOWS\System\SP5X_32.DLL
[2010.05.09 16:16:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\X-Chat 2
[2010.05.09 16:16:01 | 000,000,000 | ---D | C] -- C:\Program Files\X-Chat 2
[2010.05.06 02:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Local Settings\Application Data\WMTools Downloaded Files
[2010.05.05 19:07:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\quassel-irc.org
[2010.05.03 18:44:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Desktop\schach
[2010.05.02 17:34:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\InfraRecorder
[2010.05.02 17:33:39 | 000,000,000 | ---D | C] -- C:\Program Files\InfraRecorder
[2010.04.28 23:34:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010.04.22 06:28:57 | 000,704,512 | ---- | C] (Syncrosoft Hard- und Software GmbH) -- C:\WINDOWS\System32\SYNSOACC.dll
[2010.04.22 06:24:34 | 000,000,000 | ---D | C] -- C:\Program Files\Steinberg
[2010.04.21 19:20:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\Application Data\LucasArts
[2010.04.21 15:58:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\****\My Documents\DVDVideoSoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 90 Days ==========
 
[2010.07.17 22:40:21 | 000,275,208 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010.07.17 22:39:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.07.17 22:39:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.07.17 22:39:10 | 013,631,488 | -H-- | M] () -- C:\Documents and Settings\****\NTUSER.DAT
[2010.07.17 22:38:41 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\****\defogger_reenable
[2010.07.17 22:37:38 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Defogger.exe
[2010.07.17 20:49:29 | 000,000,574 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.07.17 20:49:29 | 000,000,270 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.07.17 20:49:29 | 000,000,223 | RHS- | M] () -- C:\boot.ini
[2010.07.17 17:47:47 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\****\Desktop\OTL.exe
[2010.07.17 16:30:35 | 000,002,285 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2010.07.17 15:15:14 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\****\Desktop\xtj2z9vg.exe
[2010.07.17 15:02:26 | 000,088,606 | ---- | M] () -- C:\Documents and Settings\****\My Documents\cc_20100717_150208.reg
[2010.07.17 14:58:43 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\****\Desktop\CCleaner.lnk
[2010.07.17 14:38:22 | 000,001,492 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Lynx Browser.lnk
[2010.07.17 13:08:18 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2010.07.17 13:07:51 | 000,001,501 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk
[2010.07.17 11:20:58 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Miet-Anzeigen.doc
[2010.07.17 11:17:01 | 000,412,092 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.07.17 10:06:39 | 100,667,044 | ---- | M] () -- C:\Documents and Settings\****\Desktop\chaosradio_express_159_nachrichtendienste.mp3
[2010.07.17 01:37:08 | 000,000,939 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Spybot - Search & Destroy.lnk
[2010.07.17 01:30:38 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.07.17 01:24:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.07.17 01:24:39 | 000,393,568 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.07.17 00:19:10 | 000,046,592 | -H-- | M] () -- C:\WINDOWS\System32\dllhsn32.dll
[2010.07.16 20:51:44 | 000,002,880 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010.07.16 14:58:43 | 000,163,328 | ---- | M] () -- C:\Documents and Settings\****\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.15 00:03:16 | 000,004,096 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\00001119.LCS
[2010.07.13 09:14:26 | 006,178,944 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Delta Blues- Drunk Hearted Man ('Personally Groovy' take ).mp3
[2010.07.12 09:33:50 | 000,119,000 | ---- | M] () -- C:\Documents and Settings\****\Application Data\GDIPFONTCACHEV1.DAT
[2010.07.11 21:34:38 | 118,095,214 | ---- | M] () -- C:\Documents and Settings\****\Desktop\chaosradio_express_158_liquidfeedback.mp3
[2010.07.11 01:36:53 | 000,021,558 | ---- | M] () -- C:\Documents and Settings\****\My Documents\019._2wav.wav
[2010.07.11 01:35:46 | 000,021,558 | ---- | M] () -- C:\Documents and Settings\****\My Documents\019.wav
[2010.07.10 23:15:49 | 000,000,551 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Drakensang.lnk
[2010.07.09 23:50:31 | 005,619,712 | ---- | M] (Gas Powered Games) -- C:\Documents and Settings\****\Desktop\supcom_fa_patch_1.5.3596_to_1.5.3599.exe
[2010.07.09 23:41:22 | 039,362,560 | ---- | M] (Gas Powered Games) -- C:\Documents and Settings\****\Desktop\supcom_patch_1.0.3189_to_1.1.3280.exe
[2010.07.09 02:56:26 | 002,806,805 | ---- | M] () -- C:\Documents and Settings\****\Desktop\09 - BMission.mp3
[2010.07.08 02:59:52 | 000,108,144 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010.07.08 02:59:06 | 000,000,686 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Supreme Commander.lnk
[2010.07.07 02:21:00 | 000,000,025 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2010.07.06 13:54:06 | 000,119,000 | ---- | M] () -- C:\Documents and Settings\****\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010.07.04 23:06:48 | 000,000,616 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
[2010.06.30 01:55:24 | 000,071,052 | ---- | M] () -- C:\Documents and Settings\****\Desktop\breeda_110g_e.mp3
[2010.06.30 01:55:15 | 000,084,844 | ---- | M] () -- C:\Documents and Settings\****\Desktop\shunta_92c_fsharp.mp3
[2010.06.30 01:55:08 | 000,070,634 | ---- | M] () -- C:\Documents and Settings\****\Desktop\breeda_110i_asharp.mp3
[2010.06.30 01:55:02 | 000,066,872 | ---- | M] () -- C:\Documents and Settings\****\Desktop\masha_117e_a.mp3
[2010.06.30 01:54:27 | 000,071,052 | ---- | M] () -- C:\Documents and Settings\****\Desktop\breeda_110e_c.mp3
[2010.06.30 01:54:21 | 000,106,578 | ---- | M] () -- C:\Documents and Settings\****\Desktop\clankmonsta_146b_fsharp.mp3
[2010.06.30 01:54:12 | 000,084,844 | ---- | M] () -- C:\Documents and Settings\****\Desktop\shunta_92i_b.mp3
[2010.06.30 01:54:05 | 000,084,426 | ---- | M] () -- C:\Documents and Settings\****\Desktop\shunta_92a_e.mp3
[2010.06.29 17:31:09 | 000,000,246 | ---- | M] () -- C:\WINDOWS\Caligari.ini
[2010.06.29 10:23:16 | 000,006,498 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Ablauf Conquest.pdf
[2010.06.29 09:44:58 | 000,136,524 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Geoffrey_Fahne.aep
[2010.06.29 09:30:37 | 000,080,236 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Geoffrey.jpg
[2010.06.22 00:48:21 | 000,040,645 | ---- | M] () -- C:\Documents and Settings\****\Desktop\****062010.pdf
[2010.06.17 16:11:30 | 000,056,681 | ---- | M] () -- C:\Documents and Settings\****\Desktop\****hage.pdf
[2010.06.17 16:09:34 | 000,042,496 | ---- | M] () -- C:\Documents and Settings\****\Desktop\****.doc
[2010.06.17 11:12:51 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010.06.15 23:40:02 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Copy of Wordvorlage.doc
[2010.06.15 15:29:49 | 000,278,231 | ---- | M] () -- C:\Documents and Settings\****\Desktop\ARF_telserkd.sql
[2010.06.15 02:05:10 | 011,683,654 | ---- | M] () -- C:\Documents and Settings\****\My Documents\ColdSteel.pdf
[2010.06.14 15:18:37 | 175,413,889 | ---- | M] () -- C:\Documents and Settings\****\My Documents\FootballAll.mov
[2010.06.14 00:51:00 | 001,658,438 | ---- | M] () -- C:\Documents and Settings\****\Desktop\RW_ConQuest_V5.pdf
[2010.06.12 07:14:17 | 007,955,708 | -H-- | M] () -- C:\Documents and Settings\****\Local Settings\Application Data\IconCache.db
[2010.06.09 01:09:34 | 000,769,114 | ---- | M] () -- C:\Documents and Settings\****\Desktop\demo_loop_fahrstuhl.mp3
[2010.06.08 03:41:28 | 000,000,721 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\Any Video Converter.lnk
[2010.06.05 13:59:19 | 000,071,537 | ---- | M] () -- C:\Documents and Settings\****\My Documents\Strecklade_01.RsScn
[2010.06.05 03:43:37 | 000,001,634 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\trueSpace7.61 Beta 8.lnk
[2010.06.05 02:48:20 | 000,001,751 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\Blender.lnk
[2010.06.04 23:48:28 | 000,936,078 | ---- | M] () -- C:\Documents and Settings\****\Desktop\IMAG0184.JPG
[2010.06.01 06:59:05 | 003,294,650 | ---- | M] () -- C:\Documents and Settings\****\Desktop\turrican.mp3
[2010.05.31 01:47:44 | 000,013,155 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Bauchbinde_01.png
[2010.05.29 03:12:12 | 000,027,126 | ---- | M] () -- C:\WINDOWS\DIIUnin.dat
[2010.05.28 20:05:23 | 000,021,840 | ---- | M] () -- C:\WINDOWS\System32\SIntfNT.dll
[2010.05.28 20:05:23 | 000,017,212 | ---- | M] () -- C:\WINDOWS\System32\SIntf32.dll
[2010.05.28 20:05:23 | 000,012,067 | ---- | M] () -- C:\WINDOWS\System32\SIntf16.dll
[2010.05.28 20:04:26 | 000,094,208 | ---- | M] (Blizzard Entertainment) -- C:\WINDOWS\DIIUnin.exe
[2010.05.28 20:04:26 | 000,002,829 | ---- | M] () -- C:\WINDOWS\DIIUnin.pif
[2010.05.27 14:35:49 | 000,000,224 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2010.05.27 14:34:57 | 000,488,244 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.05.27 14:34:57 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.05.27 14:34:57 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.05.24 14:26:03 | 000,308,772 | ---- | M] () -- C:\Documents and Settings\****\Desktop\ZSL_Edirol_Performance.ope
[2010.05.19 16:28:41 | 000,001,592 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\ManyCam 2.4.lnk
[2010.05.15 10:40:21 | 000,308,772 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Danglar_Trailer_Edirol_Performance.ope
[2010.05.11 04:50:16 | 000,000,691 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\X-Chat 2.lnk
[2010.05.10 13:53:38 | 000,037,888 | ---- | M] () -- C:\Documents and Settings\****\Desktop\Kandeko - FAQ Quicktext.doc
[2010.05.02 17:33:39 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\InfraRecorder.lnk
[2010.04.29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.04.29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.04.19 23:23:37 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\HijackThis.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010.07.17 22:38:38 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\****\defogger_reenable
[2010.07.17 22:37:38 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Defogger.exe
[2010.07.17 15:15:14 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\****\Desktop\xtj2z9vg.exe
[2010.07.17 15:02:12 | 000,088,606 | ---- | C] () -- C:\Documents and Settings\****\My Documents\cc_20100717_150208.reg
[2010.07.17 14:58:43 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\****\Desktop\CCleaner.lnk
[2010.07.17 14:38:22 | 000,001,492 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Lynx Browser.lnk
[2010.07.17 13:08:17 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2010.07.17 13:07:51 | 000,001,501 | ---- | C] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk
[2010.07.17 09:11:31 | 100,667,044 | ---- | C] () -- C:\Documents and Settings\****\Desktop\chaosradio_express_159_nachrichtendienste.mp3
[2010.07.17 01:37:08 | 000,000,939 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Spybot - Search & Destroy.lnk
[2010.07.17 01:30:38 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.07.17 00:19:10 | 000,046,592 | -H-- | C] () -- C:\WINDOWS\System32\dllhsn32.dll
[2010.07.13 09:14:16 | 006,178,944 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Delta Blues- DHM.mp3
[2010.07.11 17:01:39 | 000,004,096 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\00001119.LCS
[2010.07.11 17:01:30 | 118,095,214 | ---- | C] () -- C:\Documents and Settings\****\Desktop\chaosradio_express_158_liquidfeedback.mp3
[2010.07.11 01:36:53 | 000,021,558 | ---- | C] () -- C:\Documents and Settings\****\My Documents\019._2wav.wav
[2010.07.11 01:32:45 | 000,021,558 | ---- | C] () -- C:\Documents and Settings\****\My Documents\019.wav
[2010.07.10 23:15:49 | 000,000,551 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Drakensang.lnk
[2010.07.09 02:56:24 | 002,806,805 | ---- | C] () -- C:\Documents and Settings\****\Desktop\09 - BMission.mp3
[2010.07.08 02:59:06 | 000,000,686 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SupCom.lnk
[2010.07.01 16:58:56 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\****\Desktop\MA.doc
[2010.06.30 01:55:23 | 000,071,052 | ---- | C] () -- C:\Documents and Settings\****\Desktop\breeda_110g_e.mp3
[2010.06.30 01:55:15 | 000,084,844 | ---- | C] () -- C:\Documents and Settings\****\Desktop\shunta_92c_fsharp.mp3
[2010.06.30 01:55:08 | 000,070,634 | ---- | C] () -- C:\Documents and Settings\****\Desktop\breeda_110i_asharp.mp3
[2010.06.30 01:55:02 | 000,066,872 | ---- | C] () -- C:\Documents and Settings\****\Desktop\masha_117e_a.mp3
[2010.06.30 01:54:26 | 000,071,052 | ---- | C] () -- C:\Documents and Settings\****\Desktop\breeda_110e_c.mp3
[2010.06.30 01:54:21 | 000,106,578 | ---- | C] () -- C:\Documents and Settings\****\Desktop\clankmonsta_146b_fsharp.mp3
[2010.06.30 01:54:12 | 000,084,844 | ---- | C] () -- C:\Documents and Settings\****\Desktop\shunta_92i_b.mp3
[2010.06.30 01:54:05 | 000,084,426 | ---- | C] () -- C:\Documents and Settings\****\Desktop\shunta_92a_e.mp3
[2010.06.29 10:23:12 | 000,006,498 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Ablauf Conquest.pdf
[2010.06.29 09:17:34 | 000,136,524 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Geoffrey_Fahne.aep
[2010.06.29 08:49:01 | 000,080,236 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Geoffrey.jpg
[2010.06.22 00:48:21 | 000,040,645 | ---- | C] () -- C:\Documents and Settings\****\Desktop\****062010.pdf
[2010.06.17 16:10:06 | 000,056,681 | ---- | C] () -- C:\Documents and Settings\****\Desktop\****hage.pdf
[2010.06.17 01:04:54 | 000,119,152 | ---- | C] () -- C:\WINDOWS\System32\redmon.hlp
[2010.06.17 01:04:54 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2010.06.17 01:04:54 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\unredmon.exe
[2010.06.15 23:40:10 | 000,040,960 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Copy of Wordvorlage.doc
[2010.06.15 15:29:49 | 000,278,231 | ---- | C] () -- C:\Documents and Settings\****\Desktop\ARF_telserkd.sql
[2010.06.15 14:39:51 | 000,042,496 | ---- | C] () -- C:\Documents and Settings\****\Desktop\****.doc
[2010.06.15 02:02:13 | 011,683,654 | ---- | C] () -- C:\Documents and Settings\****\My Documents\ColdSteel.pdf
[2010.06.14 14:33:30 | 175,413,889 | ---- | C] () -- C:\Documents and Settings\****\My Documents\FootballAll.mov
[2010.06.14 00:51:00 | 001,658,438 | ---- | C] () -- C:\Documents and Settings\****\Desktop\RW_ConQuest_V5.pdf
[2010.06.09 01:09:20 | 000,769,114 | ---- | C] () -- C:\Documents and Settings\****\Desktop\demo_loop_fahrstuhl.mp3
[2010.06.08 03:41:28 | 000,000,721 | ---- | C] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\Any Video Converter.lnk
[2010.06.05 13:32:01 | 000,071,537 | ---- | C] () -- C:\Documents and Settings\****\My Documents\Strecklade_01.RsScn
[2010.06.05 03:43:37 | 000,001,634 | ---- | C] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\trueSpace7.61 Beta 8.lnk
[2010.06.05 03:43:14 | 000,000,819 | ---- | C] () -- C:\WINDOWS\System32\regpackages.bat
[2010.06.05 02:48:20 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\Blender.lnk
[2010.06.05 02:15:55 | 000,000,246 | ---- | C] () -- C:\WINDOWS\Caligari.ini
[2010.06.04 23:48:28 | 000,936,078 | ---- | C] () -- C:\Documents and Settings\****\Desktop\IMAG0184.JPG
[2010.06.01 06:53:26 | 003,294,650 | ---- | C] () -- C:\Documents and Settings\****\Desktop\turrican.mp3
[2010.05.31 01:38:40 | 000,013,155 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Bauchbinde_01.png
[2010.05.28 20:05:23 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2010.05.28 20:05:23 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2010.05.28 20:05:23 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2010.05.28 20:04:27 | 000,027,126 | ---- | C] () -- C:\WINDOWS\DIIUnin.dat
[2010.05.28 20:04:26 | 000,002,829 | ---- | C] () -- C:\WINDOWS\DIIUnin.pif
[2010.05.27 14:35:49 | 000,000,224 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2010.05.22 01:43:11 | 000,308,772 | ---- | C] () -- C:\Documents and Settings\****\Desktop\ZSL_Edirol_Performance.ope
[2010.05.19 16:28:41 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\ManyCam 2.4.lnk
[2010.05.11 04:50:16 | 000,000,691 | ---- | C] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\X-Chat 2.lnk
[2010.05.07 14:06:55 | 000,037,888 | ---- | C] () -- C:\Documents and Settings\****\Desktop\Kandeko - FAQ Quicktext.doc
[2010.05.02 17:33:39 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\InfraRecorder.lnk
[2010.04.19 23:23:37 | 000,001,740 | ---- | C] () -- C:\Documents and Settings\****\Application Data\Microsoft\Internet Explorer\Quick Launch\HijackThis.lnk
[2010.02.06 00:38:12 | 000,002,880 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010.02.06 00:38:12 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\5AFCDF6B76.sys
[2010.02.05 23:37:22 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2010.02.05 22:38:08 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010.02.05 21:35:43 | 000,031,890 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2010.02.05 21:35:11 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2010.02.05 21:34:51 | 000,031,577 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2010.02.05 21:34:51 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009.10.20 20:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2008.05.03 00:46:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008.02.01 01:55:20 | 000,000,109 | ---- | C] () -- C:\WINDOWS\System32\OSENXPSUITE2005.INI
[2007.04.17 16:34:40 | 000,135,716 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2006.12.04 17:13:12 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\34CoInstaller.dll
[2004.08.04 06:56:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
 
========== LOP Check ==========
 
[2010.02.09 00:09:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2010.02.05 22:32:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2010.06.17 01:04:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreePDF
[2010.02.18 21:31:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010.02.06 00:28:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2010.02.05 22:18:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TrueCrypt
[2010.06.07 16:12:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\AnvSoft
[2010.02.09 00:09:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Ashampoo
[2010.02.22 03:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Braid
[2010.03.10 04:10:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Builder
[2010.02.07 02:10:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\DAEMON Tools Lite
[2010.07.17 01:24:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Dropbox
[2010.05.30 08:41:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\DVDVideoSoftIEHelpers
[2010.07.17 21:15:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\EditPlus 3
[2010.07.16 21:09:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\FileZilla
[2010.05.02 17:34:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\InfraRecorder
[2010.04.21 19:20:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\LucasArts
[2010.05.19 16:33:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\ManyCam
[2010.04.11 06:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Natural Selection 2
[2010.05.23 18:51:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Opera
[2010.07.11 17:01:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\ProtectDisc
[2010.02.06 00:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Publish Providers
[2010.05.05 20:05:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\quassel-irc.org
[2010.03.25 06:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Red Alert 3
[2010.02.25 15:53:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Sony
[2010.02.06 00:13:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Sony Setup
[2010.06.30 01:22:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Steinberg
[2010.02.05 22:23:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Thunderbird
[2010.02.06 00:42:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\TrueCrypt
[2010.07.17 00:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\uTorrent
[2010.07.17 13:16:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Wireshark
[2010.05.09 16:18:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\X-Chat 2
[2010.03.03 00:19:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\****\Application Data\Zen of Sudoku
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.* >
[2010.02.05 21:10:56 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010.07.17 20:49:29 | 000,000,223 | RHS- | M] () -- C:\boot.ini
[2010.02.05 21:10:56 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010.07.17 20:58:16 | 000,000,900 | ---- | M] () -- C:\fpRedmon.log
[2010.02.05 21:10:56 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010.02.05 21:10:56 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004.08.04 04:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004.08.04 04:59:34 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010.07.17 22:39:43 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
 
< %systemroot%\Tasks\*.job /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
[2010.02.05 20:41:47 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010.02.05 20:41:47 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010.02.05 20:41:47 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
 
< %systemroot%\system32\drivers\*.sys /90 >
[2010.04.29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010.04.29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010.06.26 02:39:35 | 000,163,644 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys
 
< %systemroot%\system32\user32.dll /md5 >
[2004.08.04 06:56:48 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\WINDOWS\system32\user32.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
 
< %systemroot%\system32\ws2_32.dll /md5 >
[2004.08.04 06:56:48 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\system32\ws2_32.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
 
< %systemroot%\system32\ws2help.dll /md5 >
[2004.08.04 06:56:48 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9BEACB911CA61E5881102188AB7FB431 -- C:\WINDOWS\system32\ws2help.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdat e\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpd ate\Auto Update\Results\Install|LastSuccessTime /rs >
< End of report >

--- --- ---

Extras.txt
[CODE]
OTL Logfile:

Code:

ATTFilter

OTL Extras logfile created on: 17.07.2010 18:19:19 - Run 1
OTL by OldTimer - Version 3.2.9.0     Folder = C:\Documents and Settings\****\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 64,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 77,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73,24 Gb Total Space | 24,82 Gb Free Space | 33,89% Space Free | Partition Type: NTFS
Drive D: | 5,12 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 100,01 Gb Total Space | 8,71 Gb Free Space | 8,71% Space Free | Partition Type: NTFS
Drive H: | 132,87 Gb Total Space | 1,63 Gb Free Space | 1,23% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive X: | 224,85 Gb Total Space | 3,97 Gb Free Space | 1,77% Space Free | Partition Type: NTFS
 
Computer Name: ELCH
Current User Name: ****
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"G:\Mass Effect 2\Binaries\MassEffect2.exe" = G:\Mass Effect 2\Binaries\MassEffect2.exe:*:Enabled:Mass Effect 2 Game -- (BioWare)
"G:\Mass Effect 2\MassEffect2Launcher.exe" = G:\Mass Effect 2\MassEffect2Launcher.exe:*:Enabled:Mass Effect 2 Launcher -- (BioWare)
"G:\Steam\Steam.exe" = G:\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP1a\RpcAgentSrv.exe" = C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP1a\RpcAgentSrv.exe:*:Enabled:SiSoftware Deployment Agent Service -- (SiSoftware)
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP1a\WNt500x86\RpcSandraSrv.exe" = C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP1a\WNt500x86\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service -- (SiSoftware)
"G:\Blood Bowl\BB.exe" = G:\Blood Bowl\BB.exe:*:Enabled:Blood Bowl -- (Cyanide)
"G:\Blood Bowl\Autorun\Exe\Autorun.exe" = G:\Blood Bowl\Autorun\Exe\Autorun.exe:*:Enabled:Blood Bowl - AutoRun -- ()
"G:\Steam\steamapps\common\natural selection 2\NS2.exe" = G:\Steam\steamapps\common\natural selection 2\NS2.exe:*:Enabled:Natural Selection 2 -- ()
"G:\Split Second\SplitSecond.exe" = G:\Split Second\SplitSecond.exe:*:Enabled:Split/Second -- (Disney Interactive Studios)
"G:\Neverwinter Nights 2\nwn2main.exe" = G:\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main -- (Obsidian Entertainment, Inc.)
"G:\Neverwinter Nights 2\nwn2main_amdxp.exe" = G:\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD -- (Obsidian Entertainment, Inc.)
"G:\Neverwinter Nights 2\nwupdate.exe" = G:\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater -- (Obsidian Entertainment, Inc.)
"G:\Neverwinter Nights 2\nwn2server.exe" = G:\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server -- (Obsidian Entertainment, Inc.)
"G:\Supreme Commander\bin\SupremeCommander.exe" = G:\Supreme Commander\bin\SupremeCommander.exe:*:Enabled:Supreme Commander -- (Gas Powered Games)
"G:\GPGNet\GPG.Multiplayer.Client.exe" = G:\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander -- (Gas Powered Games)
"C:\Documents and Settings\****\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\****\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- File not found
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{1864B4F0-7777-4A57-9930-C2B307597966}" = MusicLab RealGuitar 2.0
"{1D2C96C3-A3F3-49E7-B839-95279DED837F}" = Opera 10.60
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{25A1E6A4-2DBD-4AC0-8650-8EA9A45B183D}" = Supreme Commander
"{28526951-55EF-4901-A0CA-B9AC966D1DD1}" = Split/Second
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4723f199-fa64-4233-8e6e-9fccc95a18ee}" = Python 2.6.5
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75D84EF7-0D8C-4e70-B3FA-7B42A5D4E0EB}" = Mass Effect 2
"{768F22DC-2D20-4F52-A9A1-5E231FB7F752}" = Logitech Gaming Software 5.04
"{7C9AD221-994C-45B2-B46D-26F5735158CF}" = Sony Vegas Pro 8.0
"{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{839916F4-D8B5-4407-BE6D-6D4EB9D96AF4}" = LIVE gaming on Windows Runtime Version 1.0.6027
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90280407-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional mit FrontPage
"{91B79CFA-5662-11D4-8398-0800096F616B}" = TerraTec Cinergy TV
"{96606195-A36C-4614-9482-D4E61464159D}" = DDS Converter 2
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.3 - Deutsch
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C194D333-B84A-4BB7-B35E-060732D98DC4}" = GPGNet
"{C2C284D2-6BD7-3B34-B0C5-B2CAED168DF7}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DEU
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1" = SiSoftware Sandra Lite 2010.SP1a
"{C314CE45-3392-3B73-B4E1-139CD41CA933}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DEU
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DD362256-A7A2-4524-9457-213DDC2AFC2A}" = Adobe After Effects 7.0
"{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}" = NVIDIA PhysX
"{F20C1251-1D0A-4944-B2AE-678581B33B19}" = Neverwinter Nights 2
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{FF3D660E-E5CC-47FD-8050-1B4DE3BA81A9}" = Dual-Core Optimizer
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Any Video Converter_is1" = Any Video Converter 3.0.3
"Ashampoo Burning Studio 6 FREE_is1" = Ashampoo Burning Studio 6 FREE
"ASIO4ALL" = ASIO4ALL
"Audacity_is1" = Audacity 1.2.6
"AVI2Flash Converter v.1.4_is1" = AVI2Flash Converter v.1.4
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Blender" = Blender (remove only)
"BloodBowl_is1" = Blood Bowl 1.0.1.7
"Caligari trueSpace7.61 Beta 8_is1" = Uninstall trueSpace7.61 Beta 8
"CCleaner" = CCleaner
"Collab" = Collab
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"Cool Edit Pro 2.1" = Cool Edit Pro 2.1
"Diablo II" = Diablo II
"Drakensang_is1" = Drakensang
"East West EWQLSO Silver Edition" = East West EWQLSO Silver Edition
"East West Ra" = East West Ra
"East West Stormdrum Kompakt" = East West Stormdrum Kompakt
"Edirol HQ Orchestral v1.01" = Edirol HQ Orchestral v1.01
"EditPlus 3" = EditPlus 3
"FileZilla Client" = FileZilla Client 3.3.3
"FL Studio 8" = FL Studio 8
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.3
"Free M4a to MP3 Converter_is1" = Free M4a to MP3 Converter 6.1
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.5
"FreePDF_XP" = FreePDF (Remove only)
"GPL Ghostscript 8.71" = GPL Ghostscript 8.71
"HijackThis" = HijackThis 2.0.2
"IL Download Manager" = IL Download Manager
"Image-Line PoiZone v2.1" = Image-Line PoiZone v2.1
"InfraRecorder" = InfraRecorder
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Plattform-Geräte-Manager
"InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0
"InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Lynx Web Browser_is1" = Lynx 2.8.5rel.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"ManyCam" = ManyCam 2.4 (remove only)
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"mIRC" = mIRC
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"Mozilla Thunderbird (3.0.5)" = Mozilla Thunderbird (3.0.5)
"Native Instruments Absynth 4" = Native Instruments Absynth 4
"Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS" = Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS
"Natural Selection_is1" = Natural Selection 3.2
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"OpenAL" = OpenAL
"PoiZone" = PoiZone
"Polipo" = Polipo 1.0.4
"ProtectDisc Driver 11" = ProtectDisc Driver, Version 11
"RADVideo" = RAD Video Tools
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"reFX quadraSID 1.6.0_is1" = reFX quadraSID 1.6.0
"seopowersuite" = SEO SpyGlass
"Starcraft" = Starcraft
"Steam App 10" = Counter-Strike
"Steam App 400" = Portal
"Steam App 4900" = Zen of Sudoku
"Steam App 4920" = Natural Selection 2
"Steam App 70" = Half-Life
"SWiSHmax" = SWiSHmax
"The Grand" = Steinberg The Grand
"Tor" = Tor 0.2.1.22
"Toxic Biohazard" = Toxic Biohazard
"TrueCrypt" = TrueCrypt
"Uninstall_is1" = Uninstall 1.0.0.1
"uTorrent" = µTorrent
"Vidalia" = Vidalia 0.2.6
"Virtual Guitarist" = Steinberg Virtual Guitarist
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinPcapInst" = WinPcap 4.1.1
"WinRAR archiver" = WinRAR
"Wireshark" = Wireshark 1.2.9
"X-Chat 2_is1" = X-Chat 2.8.6-2
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0
"YDKJG" = YOU DON'T KNOW JACK®
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-2052111302-343818398-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ExeIco" = ExeIco (remove only)
"Winamp Detect" = Winamp Erkennungs-Plug-in
 
========== Last 10 Event Log Errors ==========
 
[ System Events ]
Error - 28.05.2010 14:26:33 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
Error - 28.05.2010 14:26:37 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
Error - 28.05.2010 14:26:40 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
Error - 28.05.2010 14:26:48 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
Error - 28.05.2010 14:26:52 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
Error - 28.05.2010 14:26:56 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
Error - 28.05.2010 14:27:02 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
Error - 28.05.2010 14:27:06 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
Error - 28.05.2010 14:27:10 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
Error - 28.05.2010 14:27:13 | Computer Name = ELCH | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
 
 
< End of report >

--- --- ---

Gmar liefere ich gleich nach, vorher noch kurz der Hinweis:
Avira war während der Scans deaktiviert, LAN-Verbindung habe ich versucht zu deaktivieren, habe allerdings eine Fehlermeldung bekommen:

Code:

ATTFilter

"Error Disabling Connection- It is not possible to disable the connection at this time. This connection may have one or more protocals that do not support Plug-and-Play"

Larusso · 17.07.2010, 22:12

Das kann jetzt vieles sein. Sehen wir uns später an.

Irgendein Netzwerk zuhause ?

Windows + R Taste --> devmgmt.msc (eingeben) --> Ok --> Netzwerkadapter --> Rechtsklick auf den Adapter den Du deaktivieren musst

Bernd_T · 18.07.2010, 01:13

Ok, hab den Gmer-Scan mit deinen Vorgaben laufen lassen, hat in den ersten ca 2-3 Minuten ein paar Ausgaben erzeugt, danach für laaange Zeit nichts mehr und war dann fertig. Beim Versuch, den Output als Datei zu speichern, ist das System in die Knie gegangen, nix ging mehr, Hard-Reset.
Habe dann den Scan wieder laufen lassen und nach den 2-3 Minuten abgebrochen und konnte jetzt den Kram speichern. Ich bin mir sehr sicher, dass es der gleiche Output ist, wie auch beim "kompletten" Durchlauf, wie gesagt, nach ein paar Minuten gab es keinerlei neue Einträge im Fenster.

GMER Logfile:
GMER Logfile:

Code:

ATTFilter

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-07-18 01:55:26
Windows 5.1.2600 Service Pack 2
Running: xtj2z9vg.exe; Driver: C:\DOCUME~1\****\LOCALS~1\Temp\pgtdapow.sys


---- System - GMER 1.0.15 ----

SSDT     B87D9746                                                                                                            ZwCreateKey
SSDT     B87D973C                                                                                                            ZwCreateThread
SSDT     B87D974B                                                                                                            ZwDeleteKey
SSDT     B87D9755                                                                                                            ZwDeleteValueKey
SSDT     B87D975A                                                                                                            ZwLoadKey
SSDT     B87D9728                                                                                                            ZwOpenProcess
SSDT     B87D972D                                                                                                            ZwOpenThread
SSDT     B87D9764                                                                                                            ZwReplaceKey
SSDT     B87D975F                                                                                                            ZwRestoreKey
SSDT     B87D9750                                                                                                            ZwSetValueKey
SSDT     B87D9737                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text    C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                            section is writeable [0xB6D18380, 0x550AF5, 0xE8000020]
init     C:\WINDOWS\system32\drivers\monfilt.sys                                                                             entry point in "init" section [0xB48FA280]
.reloc   C:\WINDOWS\system32\drivers\acedrv11.sys                                                                            section is executable [0xB35D1300, 0x25D4C, 0xE0000060]
pnidata  C:\WINDOWS\system32\DRIVERS\secdrv.sys                                                                              unknown last section [0xB34EDF00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text    C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtProtectVirtualMemory                                              7C90DEB6 5 Bytes  JMP 0082000A 
.text    C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtWriteVirtualMemory                                                7C90EA32 5 Bytes  JMP 0083000A 
.text    C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!KiUserExceptionDispatcher                                           7C90EAEC 5 Bytes  JMP 0081000C 
.text    C:\WINDOWS\System32\svchost.exe[1080] ole32.dll!CoCreateInstance                                                    77526009 5 Bytes  JMP 00AF000A 
.text    C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtProtectVirtualMemory                                                      7C90DEB6 5 Bytes  JMP 00A0000A 
.text    C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtWriteVirtualMemory                                                        7C90EA32 5 Bytes  JMP 00AE000A 
.text    C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!KiUserExceptionDispatcher                                                   7C90EAEC 5 Bytes  JMP 009F000C 

---- Registry - GMER 1.0.15 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0xFE 0xB6 0xF7 0x56 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0xB2 0x9E 0x77 0x80 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0xD3 0xAE 0x40 0xC5 ...
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0xFE 0xB6 0xF7 0x56 ...
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0xB2 0x9E 0x77 0x80 ...
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg      HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0xD3 0xAE 0x40 0xC5 ...

---- EOF - GMER 1.0.15 ----

--- --- ---

Larusso · 18.07.2010, 08:01

Fragen bitte beantworten !!

Schritt 1

Teatimer abstellen

Mit laufendem TeaTimer von Spybot Search&Destroy lässt sich keine Reinigung durchführen, da er alle gelöschten Einträge wiederherstellt. Der Teatimer muss also während der Reinigungsarbeiten abgestellt werden (lasse den Teatimer so lange ausgeschaltet, bis wir mit der Reinigung fertig sind):
Starte Spybot S&D => stelle im Menü "Modus" den "Erweiterten Modus" ein => klicke dann links unten auf "Werkzeuge" => klicke auf "Resident" => das Häkchen entfernen bei Resident "TeaTimer" (Schutz aller Systemeinstellungen) => Spybot Search&Destroy schließen => Rechner neu starten. Bebilderte Anleitung.

Schritt 2

Starte bitte die OTL.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Kopiere nun den Inhalt in die Textbox.

Code:

ATTFilter

:OTL
O36 - AppCertDlls odbcdial - (CWINDOWSsystem32dllhsn32.dll) - CWINDOWSsystem32dllhsn32.dll ()
[2010.05.19 16:28:27 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
:services
:files
:reg
:Commands
[purity]
[emptytemp]
[reboot]

Schliesse bitte nun alle Programme.
Klicke nun bitte auf den Fix Button.
Klick auf .
OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
Nach dem Neustart findest Du ein Textdokument auf deinem Desktop.
( Auch zu finden unter C:\_OTL\MovedFiles\<time_date>.txt)
Kopiere nun den Inhalt hier in Deinen Thread

Schritt 3

Downloade dir bitte GooredFix.exe auf Deinem Desktop.

Schliesse bitte alle laufenden Programme inklusive Browser.
Doppelklick auf die .exe
Vista User: Mit Rechtsklick "als Administrator starten".
Gib bitte in folgendes Fenster 1 ein und drücke Enter.
Wenn der Scan beendet wurde, erstellt das Tool eine GooredLog.
Diese ist auch auf Deinem Desktop zu finden.

Poste mir bitte den Inhalt der GooredLog.txt
Hinweis: Bitte nicht Option 2 selbständig laufen lassen.

Bitte poste in Deiner nächsten Antwort
OTLFix Log
GooredLog.txt

Bernd_T · 18.07.2010, 12:48

Zitat:

Zitat von Larusso

Fragen bitte beantworten !!

Sorry. Hab zwei Rechner und einen Router (Linksys Wrt54gL) zuhause. Der Desktoprechner ist der Hauptarbeitsrechner und infiziert. Verbindung mit dem ROuter ist per Kabel hergestellt. Das andere ist ein recht alter Laptop, der eigentlich nur in den Fällen überhaupt benutzt (und dann per Kabel mit dem Router verbunden) wird, falls der Desktoprechner durch Rendering-Aufgaben etc. für absehbare Zeit ausgelastet ist und ich trotzdem ins Netz muss.
(Habe ich sonst noch eine Frage überlesen bzw. irgendwie nicht als "echte" Frage realisiert? Sorry.)

Zitat:

Zitat von Larusso

Schritt 1

Teatimer abstellen

Teatimer wurde abgestellt.

Zitat:

Zitat von Larusso

Schritt 2
Starte bitte die OTL.exe.
[...]
Nach dem Neustart findest Du ein Textdokument auf deinem Desktop.
( Auch zu finden unter C:\_OTL\MovedFiles\<time_date>.txt)
Kopiere nun den Inhalt hier in Deinen Thread

Inhalt der Log-Datei:

Code:

ATTFilter

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\O36 not found.
File CWINDOWSsystem32dllhsn32.dll not found.
C:\Program Files\Ask.com folder moved successfully.
========== SERVICES/DRIVERS ==========
========== FILES ==========
========== REGISTRY ==========
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: ****
->Temp folder emptied: 15304886 bytes
->Temporary Internet Files folder emptied: 47264 bytes
->FireFox cache emptied: 0 bytes
->Opera cache emptied: 9813930 bytes
->Flash cache emptied: 5205 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 382064 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 15093231 bytes
->Flash cache emptied: 971 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2343418 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66502 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 31878 bytes
 
Total Files Cleaned = 41,00 mb
 
 
OTL by OldTimer - Version 3.2.9.0 log created on 07182010_132823

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Zitat:

Zitat von Larusso

Schritt 3

Downloade dir bitte GooredFix.exe auf Deinem Desktop.
Schliesse bitte alle laufenden Programme inklusive Browser.
Doppelklick auf die .exe
Vista User: Mit Rechtsklick "als Administrator starten".
Gib bitte in folgendes Fenster 1 ein und drücke Enter.
Wenn der Scan beendet wurde, erstellt das Tool eine GooredLog.
Diese ist auch auf Deinem Desktop zu finden.
Poste mir bitte den Inhalt der GooredLog.txt
Hinweis: Bitte nicht Option 2 selbständig laufen lassen.

Klappt so nicht!
Habe GooredFix heruntergeladen und ausgeführt. Dos-Fenster öffnet sich, Windows-Alter wird angezeigt: "GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit".
Habe "Yes" angeklickt. Folgende Logfile mit dem Namen GooredFix.txt wurde auf dem Desktop erstellt:

Code:

ATTFilter

GooredFix by jpshortstuff (03.07.10.1)
Log created at 13:32 on 18/07/2010 (Hypergrip)
Firefox version 3.6.6 (de)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:04 05/02/2010]

C:\Documents and Settings\Hypergrip\Application Data\Mozilla\Firefox\Profiles\s7dsvfdj.default\extensions\
{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e} [17:05 08/02/2010]
{6AC85730-7D0F-4de0-B3FA-21142DD85326} [17:06 08/02/2010]
{AB7308B2-C13C-4eba-AC78-2AD55B96EE09} [17:06 08/02/2010]
{c45c406e-ab73-11d8-be73-000a95be3b12} [22:24 07/02/2010]
{e0204bd5-9d31-402b-a99d-a6aa8ffebdca} [08:39 23/04/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [12:36 27/05/2010]

-=E.O.F=-

Larusso · 18.07.2010, 13:34

Lade ComboFix von einem der unten aufgeführten Links herunter. Du musst diese umbenennen, bevor Du es auf den Desktop speicherst. Speichere ComboFix auf deinen Desktop.

**NB: Es ist wichtig, das ComboFix.exe auf dem Desktop gespeichert wird**

Deaktivere Deine Anti-Virus- und Anti-Spyware-Programme. Normalerweise kannst Du dies über einen Rechtsklick auf das Systemtray-Icon tun. Die Programme könnten sonst eventuell unsere Programme bei deren Arbeit stören.
Doppel-klicke auf ComboFix.exe und folge den Aufforderungen.
- Wenn ComboFix fertig ist, wird es ein Log für dich erstellen.
- Bitte poste mir den Inhalt von C:\ComboFix.txt hier in de Thread.

Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Bernd_T · 18.07.2010, 13:47

Bekomme eine Fehlermeldung bezüglich des Internet Explorers (siehe Anhang). Der IExplore lässt sich - wie im Eingangsposting beschrieben - nicht starten bzw. Beendet den Prozess innerhalb einer Sekunde direkt wieder.
Bei Bedarf könnte ich ein ausführliches Log liefern, das der Process Monitor von sysinternals.com liefert.

Nach der Fehlermeldung bzgl. des IE kommt der Disclaimer der Combo-Fix.exe, soll ich da trotzdem weitermachen oder muss erst etwas anderes in Hinsicht auf denIE unternommen werden? (Ich hatte z.B. mit der Idee gespielt, den neuen IE8 installieren zu wollen bzw. es zu versuchen, habe aber wegen der SUpport-Anleitung keine Programme installiert/entfernt.

Larusso · 18.07.2010, 13:52

Mach mit CF weiter

Bernd_T · 18.07.2010, 15:12

CF läuft bzw. hängt. (Sitze jetzt am Laptop)

Chronologie:

1.) Beim Start nach Annahme des Disclaimers erscheint folgende Nachricht:

Code:

ATTFilter

Folgende Dateien haben versucht, sich an Combofix anzuhelften und wurden deaktiviert. Bitte notiere Die den Namen jeder Datei auf einem Stueck Papier. Wir benötigen diese vielleicht später noch einmal.
C:\WINDOWS\system32\dllhsn32.dll

2.) CF stellt fest, dass die Wiederherstellungskonsole nicht installiert ist, und läd sie herunter. Systemspeicherpunkt wird erstellt.

3.) Scan beginnt

4.) CF stellt Rootkit-Aktivität fest. Neustart des Rechners.

5.) Nach dem Neustart hat sich der Avira Guard aktiviert und findet während des Scans durch CF ein paar Treffer mit "Patch" in der Bezeichnung (hab mir die bezeichnung nicht genau aufgeschrieben, ich Depp

). Ich wollte, dass CF möglichst nicht unterbrochen oder gestört wird, und habe Avira angewiesen, die Fund zu ignorieren!
Zeitpunkt der Funde war bei Stufe 1-2 von CF. Die Virenbezeichnung hatte "Patch" und ggf "Gen" im Namen. Gefunden wurden insgesammt 3 Treffer. Gefunden wurden sie in einem Verzeichnis auf "C:\Qood" oder etwas in der Art und ich glaub, dass im Pfad auch sowas wie Quarantäne stand.
Sorry, ich hatte echt ein Brett vorm Kopf, dass ich mir die Sachen nicht notiert habe, bevor ich es weggeklickt habe

6.) Aktuell "hängt" der Rechner bzw. CF bei Stufe_16. Festplattenaktivität in irgendeiner Form ist nicht festzustellen. Maus reagiert und das Dos-Fenster in dem CF läuft, lässt sich problemlos vergrößern/verschieben.

Warte auf Handlungsanweisung. Neustarten? Warten?

Larusso · 18.07.2010, 15:14

C:\qoobox ?

Das gehört zu CF.

Starte den Rechner neu auf.

18.07.2010, 13:52	#13
Larusso /// Selecta Jahrusso	Browser öffnen Spam-Links, Winupdate geblockt, IExplorer kann gar nicht geöffnet werden,... Mach mit CF weiter __________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie

18.07.2010, 15:14	#15
Larusso /// Selecta Jahrusso	Browser öffnen Spam-Links, Winupdate geblockt, IExplorer kann gar nicht geöffnet werden,... C:\qoobox ? Das gehört zu CF. Starte den Rechner neu auf. __________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie

Browser öffnen Spam-Links, Winupdate geblockt, IExplorer kann gar nicht geöffnet werden,...

Log-Analyse und Auswertung: Browser öffnen Spam-Links, Winupdate geblockt, IExplorer kann gar nicht geöffnet werden,...