Nach "Antimalware Doctor" weiterhin Probleme

Geas · 26.07.2010, 23:48

Zwar gibt es schon eine Vielzahl ähnlicher Threads, aber da doch immer wieder nach den Log-Files verlangt wird ist es wohl in Ordnung wenn jeder seinen eigenen Thread zu diesem Problem öffnet, oder? *g*

Jedenfalls habe ich mir vorgestern irgendwie diesen "Antimalware Doctor" + sonst was für "Security" Software eingefangen. Der Autostart war direkt mit über 10 Anwendungen wie "fsnklfdlksf" zugemüllt etc...

Nach dieser Anleitung habe ich dann die ungewünschte Software entfernt:
http://www.trojaner-board.de/83172-a...entfernen.html
(ich gehe mal davon aus das interne Links in Ordnung sind)

Jetzt bin ich zwar diesen Security-Käse los, aber das erst kürzlich aufgesetzte System (Win Vista 32Bit) hat nun sehr seltsame Probleme:
Vor allem beim Windows Explorer gibt es eine stark erhöhte "Aufhäng-Gefahr".
Anwendungen brauchen teilweise erheblich länger zum starten.
Wenn im Browser z. B. ein Bild zum speichern ausgewählt wird, hängt er sich auf anstatt das "Speichern unter"-Fenster zu bringen.
Der Systemstart und Dienst-Autostart dürfte soweit ich das beurteilen kann völlig sauber sein.

CCleaner und Malwarebytes Anti-Malware ist standardmäßig installiert, RSIT habe ich mir gerade runter geladen.
Mit welchen Logs könnt ihr nun etwas anfangen?

Vielen Dank im Voraus für die tolle Hilfe..

cosinus · 27.07.2010, 14:12

Zitat:

Mit welchen Logs könnt ihr nun etwas anfangen?

Poste bitte alle Logs von Malwarebytes

Geas · 27.07.2010, 14:56

Es gibt nur einen bei dem was gefunden wurde:

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4347

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18928

25.07.2010 23:03:20
mbam-log-2010-07-25 (23-03-20).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 124027
Laufzeit: 3 Minute(n), 55 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 21
Infizierte Registrierungswerte: 2
Infizierte Dateiobjekte der Registrierung: 3
Infizierte Verzeichnisse: 3
Infizierte Dateien: 21

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
C:\Windows\System32\cbsretsh.dll (Trojan.Vundo) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f13266e9-ea81-4091-879a-605d33f94310} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{f13266e9-ea81-4091-879a-605d33f94310} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f13266e9-ea81-4091-879a-605d33f94310} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{05022f51-cb08-465a-b4cf-79c8f9a35fe9} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{05022f51-cb08-465a-b4cf-79c8f9a35fe9} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05022f51-cb08-465a-b4cf-79c8f9a35fe9} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setupupdate70700.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Users\Administrator\AppData\Roaming\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec (Stolen.data) -> Delete on reboot.
C:\Windows\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Users\Administrator\AppData\Roaming\EDA404E935DDDDF88EF95503A843866B\setupupdate70700.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\bzsop.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\Windows\System32\ozsop.exe (Trojan.Adware) -> Quarantined and deleted successfully.
C:\Windows\System32\szetyj67v.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\szetyj67vx.exe (Trojan.LVBP) -> Quarantined and deleted successfully.
C:\Windows\System32\tzsop.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\5vyg862fd.exe (Trojan.LVBP) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\D340.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\esomxcarwn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\jydtya.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\ufgxxw.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Roaming\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Roaming\SystemProc\upd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\Windows\System32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\Windows\System32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\Windows\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Windows\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Windows\System32\cbsretsh.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\comsats.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

Danach noch ein Scan im nicht abgesicherten Modus:

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4347

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

27.07.2010 15:23:56
mbam-log-2010-07-27 (15-23-56).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 125223
Laufzeit: 4 Minute(n), 41 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

Edit: Oubs, die Datenbankversion wurde innerhalb der beiden Tage schon wieder veraltet, mache eben noch einen Scan von der System-Partition mit der jüngsten MalwareDb.

cosinus · 27.07.2010, 15:12

Bitte einen Vollscan mit Malwarebytes machen und Log posten.
Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!

Danach OTL:

Systemscan mit OTL

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop

Doppelklick auf die OTL.exe
Vista User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output
Unter Extra Registry, wähle bitte Use SafeList
Klicke nun auf Run Scan links oben
Wenn der Scan beendet wurde werden 2 Logfiles erstellt
Poste die Logfiles hier in den Thread.

Geas · 27.07.2010, 16:23

Malwarebytes vollständiger Suchlauf (mit aktuellerer Version als bei den beiden zuvor):

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4357

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

27.07.2010 16:40:25
mbam-log-2010-07-27 (16-40-25).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Durchsuchte Objekte: 197306
Laufzeit: 43 Minute(n), 43 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Users\Administrator\AppData\Local\easyqxgxr\pfyscintssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

OTL (Extras.txt)

Code:

ATTFilter

OTL Extras logfile created on: 27.07.2010 16:57:59 - Run 1
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Users\Administrator\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 56,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 80,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 144,29 Gb Total Space | 108,48 Gb Free Space | 75,18% Space Free | Partition Type: NTFS
Drive D: | 140,79 Gb Total Space | 37,24 Gb Free Space | 26,45% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: CORE
Current User Name: Administrator
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- C:\Program Files\Opera\opera.exe (Opera Software)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Opera\opera.exe" "%1" (Opera Software)
https [open] -- "C:\Program Files\Opera\opera.exe" "%1" (Opera Software)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VLC Player\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VLC Player\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0D6909E3-3380-4708-89D1-E44C4F1C5BC1}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{408CCAE0-BE78-4BCB-B2B5-6F273201ECBF}" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe | 
"{42F059C4-2EAD-418C-9ED6-AFF91A149BA1}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{86703079-5D27-4191-BB54-CED64F7DE4F0}" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe | 
"{EF3239C8-F3E7-48FB-936A-550BECE0835A}" = dir=in | app=c:\program files\acer\acer vcm\vc.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.0.1.4900
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{0F022A2E-7022-497D-90A5-0F46746D8275}" = Macromedia Extension Manager
"{192A107E-C6B9-41B9-BDBF-38E3AA226054}" = OpenOffice.org 3.2
"{1D2C96C3-A3F3-49E7-B839-95279DED837F}" = Opera 10.60
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{35C0A1E4-D02A-412C-841F-266DBB116ABB}" = Intel(R) PROSet/Wireless WiFi-Software
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = Acer Crystal Eye webcam
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{427967BF-09F8-46D5-9275-37001CCBBA5D}" = Winbond CIR Drivers
"{44025BD7-AD10-4769-99AE-6378FD0303D6}" = Macromedia Dreamweaver 8
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}" = Macromedia Fireworks 8
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
"{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}" = RGSS-RTP Standard
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{97C82B44-D408-4F14-9252-47FC1636D23E}_is1" = IZArc 4.1.2
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B34CAC6-738F-4A20-B428-A115C3E3474C}" = RPGXP
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AA047D7C-5E7C-4878-B75C-77589151B563}" = Acer Crystal Eye webcam
"{B4F3A360-E1E2-479D-ADE7-9BE3B07F4539}" = NVIDIA PhysX
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe  1.4.142.1
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"Dragonica(DE)" = Dragonica(DE)
"Expstudio Audio Editor FREE" = Expstudio Audio Editor FREE
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.7
"IrfanView" = IrfanView (remove only)
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Miranda IM" = Miranda IM 0.8.27
"Mozilla Firefox (3.6.7)" = Mozilla Firefox (3.6.7)
"Nettalk_is1" = Nettalk 6.7
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel PROSet Wireless
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"Uninstall_is1" = Uninstall 1.0.0.1
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.1
"WinPcapInst" = WinPcap 4.1.1
"winscp3_is1" = WinSCP 4.2.8
"Wireshark" = Wireshark 1.2.9
"XnView_is1" = XnView 1.97.4
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 14.07.2010 09:52:24 | Computer Name = Core | Source = System Restore | ID = 8193
Description = 
 
Error - 14.07.2010 09:52:35 | Computer Name = Core | Source = VSS | ID = 39
Description = 
 
Error - 14.07.2010 09:52:35 | Computer Name = Core | Source = VSS | ID = 8193
Description = 
 
Error - 14.07.2010 09:52:35 | Computer Name = Core | Source = System Restore | ID = 8193
Description = 
 
Error - 14.07.2010 10:58:01 | Computer Name = Core | Source = VSS | ID = 39
Description = 
 
Error - 14.07.2010 10:58:01 | Computer Name = Core | Source = VSS | ID = 8193
Description = 
 
Error - 14.07.2010 10:58:01 | Computer Name = Core | Source = System Restore | ID = 8193
Description = 
 
Error - 14.07.2010 10:58:09 | Computer Name = Core | Source = VSS | ID = 39
Description = 
 
Error - 14.07.2010 10:58:09 | Computer Name = Core | Source = VSS | ID = 8193
Description = 
 
Error - 14.07.2010 10:58:09 | Computer Name = Core | Source = System Restore | ID = 8193
Description = 
 
[ System Events ]
Error - 14.07.2010 08:06:51 | Computer Name = Core | Source = Microsoft-Windows-Servicing | ID = 4385
Description = 
 
Error - 14.07.2010 08:06:51 | Computer Name = Core | Source = Microsoft-Windows-Servicing | ID = 4385
Description = 
 
Error - 14.07.2010 08:06:51 | Computer Name = Core | Source = Microsoft-Windows-Servicing | ID = 4385
Description = 
 
Error - 14.07.2010 08:06:51 | Computer Name = Core | Source = Microsoft-Windows-Servicing | ID = 4385
Description = 
 
Error - 14.07.2010 08:06:51 | Computer Name = Core | Source = Microsoft-Windows-Servicing | ID = 4375
Description = 
 
Error - 14.07.2010 08:06:51 | Computer Name = Core | Source = Microsoft-Windows-Servicing | ID = 4375
Description = 
 
Error - 14.07.2010 08:06:51 | Computer Name = Core | Source = Microsoft-Windows-Servicing | ID = 4375
Description = 
 
Error - 14.07.2010 08:06:51 | Computer Name = Core | Source = Microsoft-Windows-Servicing | ID = 4375
Description = 
 
Error - 14.07.2010 08:13:24 | Computer Name = Core | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 14.07.2010 08:13:24 | Computer Name = Core | Source = Service Control Manager | ID = 7000
Description = 
 
 
< End of report >

OTL (OTL.txt) - lässt sich nicht in einem Thread posten, ist zu groß:
chaoswoody.de/files/OTL.Txt

cosinus · 27.07.2010, 16:36

Beende alle Programme, starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!)

Code:

ATTFilter

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No CLSID value found.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: jgyo0w = C:\Users\ADMINI~1\AppData\Local\Temp\19aqp.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O36 - AppCertDlls: helprcfg - (C:\Windows\system32\cbsretsh.dll) - C:\Windows\System32\cbsretsh.dll File not found
[2010.07.25 22:30:03 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\easyqxgxr
[2010.07.27 16:59:11 | 000,766,464 | ---- | M] () -- C:\Windows\System32\drivers\gdtssxcd.sys
[2010.07.26 18:34:22 | 000,000,056 | RHS- | C] () -- C:\Windows\System32\F869CFDC1B.sys
:Commands
[purity]
[resethosts]
[emptytemp]

Klick dann auf den Button Run Fixes!
Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet.

Geas · 27.07.2010, 16:51

Ja, der Laptop musste neu starten.

Code:

ATTFilter

All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\jgyo0w deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\helprcfg:C:\Windows\system32\cbsretsh.dll deleted successfully.
C:\Users\Administrator\AppData\Local\easyqxgxr folder moved successfully.
File C:\Windows\System32\drivers\gdtssxcd.sys not found.
C:\Windows\System32\F869CFDC1B.sys moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 290874 bytes
->Temporary Internet Files folder emptied: 66369 bytes
->Java cache emptied: 259237 bytes
->FireFox cache emptied: 17025495 bytes
->Opera cache emptied: 6539001 bytes
->Flash cache emptied: 970 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Eigenes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1775909 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 25,00 mb
 
 
OTL by OldTimer - Version 3.2.9.1 log created on 07272010_174658

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

cosinus · 27.07.2010, 16:52

Dann bitte jetzt CF ausführen:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.

Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Geas · 27.07.2010, 17:15

Es erschien eine Meldung ähnlich wie:
"Combofix hat Rootkit Anwesenheit festgestellt und muss den Rechner neu starten"
Nach dem Neustart war keine ComboFix.txt in C.
Allerdings ist in C nun das neue Verzeichnis "cofi" mit einer Vielzahl von Dateien.

cosinus · 28.07.2010, 19:36

Findest Du einen Ordner Qoobox direkt auf c:\ ?
Da sollte evtl. eine combofix.txt o.ä. drin sein.

Wenn der Ordner da auch nicht ist, bitte die alte cofi.exe löschen, CF neu als cofi.exe herunterladen und wieder nach Anleitung ausführen.

Geas · 28.07.2010, 22:42

Ja, der Ordner Qoobox ist direkt auf C, aber eine combofix.txt ist auch da nicht drinnen. Auch nicht in einem Unterverzeichnis.

Trotzdem mit einer erneut runtergeladenen cofi.exe noch einmal versuchen?

cosinus · 29.07.2010, 14:42

Ja, probier es mit einer neu heruntergeladenen cofi.exe

Geas · 29.07.2010, 17:26

Jetzt hat's geklappt.
Combofix hat allerdings mehrfach die Meldung "Failed to get Data for 'EnableLUA'" ausgegeben.

Hier der Log:

Code:

ATTFilter

ComboFix 10-07-28.04 - Administrator 29.07.2010  18:17:10.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.49.1031.18.3070.2202 [GMT 2:00]
ausgeführt von:: c:\users\Administrator\Desktop\cofi.exe
SP: Windows-Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Administrator\AppData\Roaming\EDA404E935DDDDF88EF95503A843866B
c:\users\Administrator\AppData\Roaming\EDA404E935DDDDF88EF95503A843866B\enemies-names.txt
c:\users\Administrator\AppData\Roaming\EDA404E935DDDDF88EF95503A843866B\local.ini
c:\windows\hide.exe

.
(((((((((((((((((((((((   Dateien erstellt von 2010-06-28 bis 2010-07-29  ))))))))))))))))))))))))))))))
.

2010-07-29 16:21 . 2010-07-29 16:21	--------	d-----w-	c:\users\Administrator\AppData\Local\temp
2010-07-29 16:21 . 2010-07-29 16:21	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-07-27 16:08 . 2010-07-27 16:10	--------	d-----w-	C:\cofi
2010-07-27 15:46 . 2010-07-27 15:46	--------	d-----w-	C:\_OTL
2010-07-26 16:34 . 2010-07-26 22:08	952	--sha-w-	c:\windows\system32\KGyGaAvL.sys
2010-07-26 16:32 . 2010-07-26 16:32	--------	d-----w-	c:\program files\RPG Maker
2010-07-26 14:02 . 2010-07-26 14:02	--------	d-----w-	c:\program files\IrfanView
2010-07-25 20:55 . 2010-07-25 20:55	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-07-25 20:55 . 2010-04-29 10:19	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 20:55 . 2010-07-25 20:55	--------	d-----w-	c:\program files\ Malwarebytes Anti-Malware 
2010-07-25 20:55 . 2010-07-25 20:55	--------	d-----w-	c:\programdata\Malwarebytes
2010-07-25 20:55 . 2010-04-29 10:19	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-07-25 19:29 . 2010-07-25 19:29	--------	d-----w-	c:\windows\Sun
2010-07-25 16:52 . 2010-07-28 23:10	1	----a-w-	c:\users\Administrator\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-25 16:52 . 2010-07-25 16:52	--------	d-----w-	c:\users\Administrator\AppData\Roaming\OpenOffice.org
2010-07-25 16:49 . 2010-07-28 23:21	--------	d-----w-	c:\program files\OpenOffice.org 3
2010-07-25 16:48 . 2010-07-25 16:48	--------	d-----w-	c:\program files\Common Files\Java
2010-07-25 16:48 . 2010-07-25 16:48	411368	----a-w-	c:\windows\system32\deploytk.dll
2010-07-25 16:48 . 2010-07-25 16:48	--------	d-----w-	c:\program files\Java
2010-07-25 00:09 . 2010-07-25 00:09	--------	d-----w-	c:\users\Eigenes\Zeug
2010-07-23 22:12 . 2010-07-23 22:12	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Wireshark
2010-07-23 21:49 . 2010-07-25 21:17	--------	d-----w-	c:\users\Eigenes\Tools
2010-07-23 21:23 . 2010-07-23 21:23	--------	d-----w-	c:\program files\WinPcap
2010-07-23 21:22 . 2010-07-23 21:23	--------	d-----w-	c:\program files\Wireshark
2010-07-23 19:11 . 2010-07-27 20:15	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Nettalk
2010-07-23 19:09 . 2010-07-23 19:11	--------	d-----w-	c:\program files\Nettalk
2010-07-23 18:12 . 2010-07-23 18:12	0	----a-w-	c:\windows\nsreg.dat
2010-07-23 18:12 . 2010-07-23 18:12	--------	d-----w-	c:\users\Administrator\AppData\Local\Mozilla
2010-07-23 17:46 . 2010-07-23 17:47	--------	d-----w-	c:\program files\EXP AudioEditor
2010-07-23 17:46 . 2010-07-23 17:46	161149	----a-w-	c:\windows\Expstudio Audio Editor FREE Uninstaller.exe
2010-07-23 17:46 . 2010-07-23 17:46	--------	d-----w-	c:\windows\system32\EXP
2010-07-23 17:31 . 2010-07-23 17:31	--------	d-----w-	c:\users\Administrator\AppData\Roaming\DVDVideoSoftIEHelpers
2010-07-23 17:31 . 2010-07-23 17:33	--------	d-----w-	c:\program files\YouTube Converter
2010-07-23 17:31 . 2010-07-23 17:32	--------	d-----w-	c:\program files\Common Files\DVDVideoSoft
2010-07-23 00:48 . 2010-07-28 23:22	--------	d-----w-	c:\users\Administrator\AppData\Roaming\vlc
2010-07-21 14:24 . 2010-07-21 14:24	1861000	----a-w-	c:\programdata\Nexon\Common\NMService.exe
2010-07-21 14:24 . 2010-07-21 14:24	1774992	----a-w-	c:\programdata\Nexon\Common\nmconew.dll
2010-07-20 21:41 . 2010-07-26 22:52	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Media Player Classic
2010-07-20 03:45 . 2010-07-20 03:47	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Miranda
2010-07-20 03:44 . 2010-07-20 03:44	--------	d-----w-	c:\program files\Miranda IM
2010-07-14 14:57 . 2010-07-16 13:58	--------	d-----w-	c:\windows\Downloaded Installations
2010-07-14 14:38 . 2005-01-03 15:43	4682	----a-w-	c:\windows\system32\npptNT2.sys
2010-07-14 14:37 . 2010-07-14 14:37	--------	d-----w-	c:\program files\Common Files\INCA Shared
2010-07-14 14:20 . 2010-07-14 14:20	--------	d-----w-	c:\program files\IZArc
2010-07-14 14:02 . 2010-07-14 14:21	--------	d-----w-	c:\program files\TeamSpeak3
2010-07-14 13:42 . 2010-07-14 13:42	--------	d-----w-	c:\windows\system32\ca-ES
2010-07-14 13:42 . 2010-07-14 13:42	--------	d-----w-	c:\windows\system32\eu-ES
2010-07-14 13:42 . 2010-07-14 13:42	--------	d-----w-	c:\windows\system32\vi-VN
2010-07-14 13:24 . 2010-07-14 13:24	--------	d-----w-	c:\windows\system32\EventProviders
2010-07-14 13:22 . 2009-04-11 06:28	29184	----a-w-	c:\windows\system32\wsepno.dll
2010-07-14 13:08 . 2008-05-27 04:59	18904	----a-w-	c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-07-14 13:07 . 2010-07-14 13:07	--------	d-----w-	c:\program files\Microsoft.NET
2010-07-14 13:05 . 2010-05-01 14:13	2037248	----a-w-	c:\windows\system32\win32k.sys
2010-07-14 12:41 . 2008-01-19 07:33	227840	----a-w-	c:\windows\system32\msconfig.exe
2010-07-14 12:40 . 2008-01-19 07:35	35328	----a-w-	c:\windows\system32\mspatcha.dll
2010-07-14 12:40 . 2008-01-19 07:34	305152	----a-w-	c:\windows\system32\msdelta.dll
2010-07-14 12:40 . 2008-01-19 07:34	258560	----a-w-	c:\windows\system32\dpx.dll
2010-07-14 12:40 . 2006-11-02 09:39	6656	----a-w-	c:\windows\system32\kbd106.dll
2010-07-14 12:23 . 2010-03-05 14:01	420352	----a-w-	c:\windows\system32\vbscript.dll
2010-07-14 12:00 . 2010-07-14 12:00	377344	----a-w-	c:\windows\system32\winhttp.dll
2010-07-14 11:59 . 2010-07-14 11:59	293376	----a-w-	c:\windows\system32\browserchoice.exe
2010-07-14 08:18 . 2010-07-14 08:18	3	------w-	c:\windows\AFirst.cmd
2010-07-14 08:18 . 2007-11-16 01:54	17733320	------w-	c:\windows\eRy.exe
2010-07-14 08:18 . 2007-11-27 10:23	86016	------w-	c:\windows\SetSpkDefault.exe
2010-07-14 08:18 . 2007-04-26 15:02	294	------w-	c:\windows\offline.reg
2010-07-14 08:18 . 2007-01-15 12:28	336	------w-	c:\windows\ACERTOURREMINDERRUN.REG
2010-07-14 08:18 . 2010-07-13 22:32	1289	------w-	c:\windows\CLEANUP.CMD
2010-07-14 08:18 . 2002-11-14 14:32	55808	------w-	c:\windows\devcon.exe
2010-07-14 06:54 . 2010-07-14 06:54	--------	d-----w-	c:\users\Administrator\Catalog
2010-07-14 06:43 . 2010-07-14 06:43	--------	d-----w-	c:\users\Administrator\Report Files
2010-07-14 05:01 . 2010-07-14 05:01	--------	d-----w-	c:\programdata\NVIDIA Corporation
2010-07-14 05:01 . 2010-07-14 05:06	--------	d-----w-	c:\program files\NVIDIA Corporation
2010-07-14 05:00 . 2010-06-07 23:57	795104	------w-	c:\windows\system32\dpinst.exe
2010-07-14 05:00 . 2010-06-07 23:57	56936	------w-	c:\windows\system32\OpenCL.dll
2010-07-14 05:00 . 2010-06-07 23:57	10888168	------w-	c:\windows\system32\drivers\nvlddmkm.sys
2010-07-14 05:00 . 2010-06-07 23:57	4967528	------w-	c:\windows\system32\nvwgf2um.dll
2010-07-14 05:00 . 2010-06-07 23:57	15764072	------w-	c:\windows\system32\nvoglv32.dll
2010-07-14 05:00 . 2010-06-07 23:57	4513384	------w-	c:\windows\system32\nvcuda.dll
2010-07-14 05:00 . 2010-06-07 23:57	2632296	------w-	c:\windows\system32\nvcuvenc.dll
2010-07-14 05:00 . 2010-06-07 23:57	232040	------w-	c:\windows\system32\nvcod1921.dll
2010-07-14 05:00 . 2010-06-07 23:57	232040	------w-	c:\windows\system32\nvcod.dll
2010-07-14 05:00 . 2010-06-07 23:57	2145896	------w-	c:\windows\system32\nvcuvid.dll
2010-07-14 05:00 . 2010-06-07 23:57	10263144	------w-	c:\windows\system32\nvcompiler.dll
2010-07-14 04:55 . 2010-07-14 04:55	--------	d-----w-	c:\users\Administrator\Bluetooth Software
2010-07-14 04:55 . 2010-07-29 13:56	12	----a-w-	c:\windows\bthservsdp.dat
2010-07-14 04:49 . 2010-07-18 01:38	69840	----a-w-	c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-14 04:39 . 2010-07-14 12:19	--------	d-----w-	c:\users\Administrator\TaskBar Menüs
2010-07-14 04:34 . 2010-07-14 04:34	--------	d-----w-	c:\users\Administrator\AppData\Local\Opera
2010-07-14 04:22 . 2010-07-14 04:22	--------	d-----w-	c:\users\Public\Roaming
2010-07-14 04:22 . 2010-07-14 04:22	--------	d-----w-	c:\users\Default\Roaming
2010-07-14 04:22 . 2010-07-14 04:22	--------	d-----w-	c:\programdata\Roaming
2010-07-14 04:22 . 2010-07-14 04:22	--------	d-----w-	c:\program files\Cisco
2010-07-14 04:22 . 2010-07-14 04:22	--------	d-----w-	c:\programdata\Intel
2010-07-14 04:22 . 2010-07-14 04:22	--------	d-----w-	c:\program files\Common Files\Intel
2010-07-14 04:21 . 2010-07-14 04:21	72704	----a-w-	c:\windows\system32\fontsub.dll
2010-07-14 04:21 . 2010-07-14 04:21	23552	----a-w-	c:\windows\system32\lpk.dll
2010-07-14 04:21 . 2010-07-14 04:21	156672	----a-w-	c:\windows\system32\t2embed.dll
2010-07-14 04:21 . 2010-07-14 04:21	10240	----a-w-	c:\windows\system32\dciman32.dll
2010-07-14 04:18 . 2010-07-14 04:18	61440	----a-w-	c:\windows\system32\winipsec.dll
2010-07-14 04:18 . 2010-07-14 04:18	272896	----a-w-	c:\windows\system32\polstore.dll
2010-07-14 04:17 . 2010-07-14 04:17	98816	----a-w-	c:\windows\system32\drivers\srvnet.sys
2010-07-14 04:17 . 2010-07-14 04:17	302080	----a-w-	c:\windows\system32\drivers\srv.sys
2010-07-14 04:17 . 2010-07-14 04:17	17920	----a-w-	c:\windows\system32\netevent.dll
2010-07-14 04:17 . 2010-07-14 04:17	9728	----a-w-	c:\windows\system32\TCPSVCS.EXE
2010-07-14 04:17 . 2010-07-14 04:17	8704	----a-w-	c:\windows\system32\HOSTNAME.EXE
2010-07-14 04:17 . 2010-07-14 04:17	27136	----a-w-	c:\windows\system32\NETSTAT.EXE
2010-07-14 04:17 . 2010-07-14 04:17	19968	----a-w-	c:\windows\system32\ARP.EXE
2010-07-14 04:17 . 2010-07-14 04:17	17920	----a-w-	c:\windows\system32\ROUTE.EXE
2010-07-14 04:17 . 2010-07-14 04:17	11264	----a-w-	c:\windows\system32\MRINFO.EXE
2010-07-14 04:17 . 2010-07-14 04:17	105984	----a-w-	c:\windows\system32\netiohlp.dll
2010-07-14 04:17 . 2010-07-14 04:17	10240	----a-w-	c:\windows\system32\finger.exe
2010-07-14 04:15 . 2010-07-14 04:15	127488	----a-w-	c:\windows\system32\L2SecHC.dll
2010-07-14 04:15 . 2010-07-14 04:15	68096	----a-w-	c:\windows\system32\wlanhlp.dll
2010-07-14 04:15 . 2010-07-14 04:15	65024	----a-w-	c:\windows\system32\wlanapi.dll
2010-07-14 04:15 . 2010-07-14 04:15	513536	----a-w-	c:\windows\system32\wlansvc.dll
2010-07-14 04:15 . 2010-07-14 04:15	302592	----a-w-	c:\windows\system32\wlansec.dll
2010-07-14 04:15 . 2010-07-14 04:15	293376	----a-w-	c:\windows\system32\wlanmsm.dll
2010-07-14 04:15 . 2010-07-14 04:15	15181	----a-w-	c:\windows\system32\gatherWirelessInfo.vbs
2010-07-14 04:14 . 2010-07-14 04:14	1248768	----a-w-	c:\windows\system32\msxml3.dll
2010-07-14 04:14 . 2010-07-14 04:14	2048	----a-w-	c:\windows\system32\msxml3r.dll
2010-07-14 04:14 . 2010-07-14 04:14	1401856	----a-w-	c:\windows\system32\msxml6.dll
2010-07-14 04:14 . 2010-07-14 04:14	2048	----a-w-	c:\windows\system32\msxml6r.dll
2010-07-14 04:13 . 2010-07-14 04:13	218624	----a-w-	c:\windows\system32\msv1_0.dll
2010-07-14 04:12 . 2010-07-14 04:12	79360	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2010-07-14 04:12 . 2010-07-14 04:12	212992	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 16:20 . 2006-11-02 15:33	628742	----a-w-	c:\windows\system32\perfh007.dat
2010-07-29 16:20 . 2006-11-02 15:33	126260	----a-w-	c:\windows\system32\perfc007.dat
2010-07-29 01:37 . 2010-07-15 01:57	--------	d-----w-	c:\users\Administrator\AppData\Roaming\uTorrent
2010-07-25 03:35 . 2010-07-15 01:44	--------	d-----w-	c:\program files\XnView
2010-07-23 00:48 . 2010-07-15 02:41	--------	d-----w-	c:\program files\VLC Player
2010-07-16 13:59 . 2010-07-14 14:58	--------	d-----w-	c:\program files\Common Files\Macromedia
2010-07-16 13:59 . 2010-07-14 14:58	--------	d-----w-	c:\program files\Macromedia
2010-07-15 02:44 . 2010-07-15 02:44	--------	d-----w-	c:\program files\CCCP
2010-07-15 01:57 . 2010-07-15 01:57	--------	d-----w-	c:\program files\uTorrent
2010-07-15 01:55 . 2010-07-15 01:55	--------	d-----w-	c:\program files\WinSCP
2010-07-15 01:44 . 2010-07-15 01:44	--------	d-----w-	c:\users\Administrator\AppData\Roaming\XnView
2010-07-15 00:53 . 2010-07-15 00:53	--------	d-----w-	c:\programdata\Nexon
2010-07-14 13:42 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Sidebar
2010-07-14 13:42 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Photo Gallery
2010-07-14 13:42 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Journal
2010-07-14 13:42 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Defender
2010-07-14 13:42 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Collaboration
2010-07-14 13:42 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Calendar
2010-07-14 13:42 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-07-14 13:42 . 2006-11-02 10:25	665600	----a-w-	c:\windows\inf\drvindex.dat
2010-07-14 12:48 . 2006-11-02 10:32	82432	----a-w-	c:\windows\system32\axaltocm.dll
2010-07-14 12:48 . 2006-11-02 10:32	101888	----a-w-	c:\windows\system32\ifxcardm.dll
2010-07-14 12:01 . 2007-12-21 08:16	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-07-14 11:53 . 2007-12-21 09:23	--------	d-----w-	c:\program files\Common Files\NewTech Infosystems
2010-07-14 05:03 . 2007-12-21 08:08	--------	d-----w-	c:\programdata\NVIDIA
2010-07-14 03:27 . 2010-07-14 03:27	2560	----a-w-	c:\windows\AppPatch\AcRes.dll
2010-07-13 23:34 . 2007-12-21 09:49	--------	d-----w-	c:\programdata\Microsoft Help
2010-07-13 23:11 . 2007-12-21 09:58	--------	d-----w-	c:\programdata\Symantec
2010-07-13 22:58 . 2007-12-21 09:32	--------	d-----w-	c:\programdata\CyberLink
2010-07-13 22:28 . 2010-07-13 22:28	--------	d-sh--we	c:\programdata\Vorlagen
2010-07-13 22:28 . 2010-07-13 22:28	--------	d-sh--we	c:\programdata\Startmenü
2010-07-13 22:28 . 2010-07-13 22:28	--------	d-sh--we	c:\programdata\Favoriten
2010-07-13 22:28 . 2010-07-13 22:28	--------	d-sh--we	c:\programdata\Dokumente
2010-07-13 22:28 . 2010-07-13 22:28	--------	d-sh--we	c:\programdata\Anwendungsdaten
2010-07-13 22:28 . 2010-07-13 22:28	--------	d-sh--we	c:\program files\Gemeinsame Dateien
2010-07-13 22:23 . 2010-07-13 22:23	319456	------w-	c:\windows\DIFxAPI.dll
2010-07-13 22:23 . 2010-07-13 22:23	315392	------w-	c:\windows\HideWin.exe
2010-07-13 22:23 . 2010-07-13 22:23	--------	d-----w-	c:\program files\Realtek
2010-06-07 23:57 . 2010-07-14 05:00	10920	------w-	c:\windows\system32\drivers\nvBridge.kmd
2010-06-07 23:57 . 2007-12-21 15:45	600680	------w-	c:\windows\system32\nvudisp.exe
2010-06-07 23:57 . 2007-12-21 15:45	9712744	------w-	c:\windows\system32\nvd3dum.dll
2010-06-07 23:57 . 2007-12-21 15:45	1592424	------w-	c:\windows\system32\nvapi.dll
2010-06-07 15:47 . 2010-06-07 15:47	66664	------w-	c:\windows\system32\nvshext.dll
2010-06-07 15:47 . 2010-06-07 15:47	255592	------w-	c:\windows\system32\nvhotkey.dll
2010-06-07 15:47 . 2010-06-07 15:47	1691752	------w-	c:\windows\system32\nvsvcr.dll
2010-06-07 15:47 . 2010-06-07 15:47	13917800	------w-	c:\windows\system32\nvcpl.dll
2010-06-07 15:47 . 2010-06-07 15:47	1331816	------w-	c:\windows\system32\nvsvc.dll
2010-06-07 15:47 . 2010-06-07 15:47	129640	------w-	c:\windows\system32\nvvsvc.exe
2010-06-07 15:47 . 2010-06-07 15:47	110696	------w-	c:\windows\system32\nvmctray.dll
2010-05-28 10:58 . 2007-12-21 15:45	600680	------w-	c:\windows\system32\nvuninst.exe
2010-05-26 17:06 . 2010-07-14 13:06	34304	----a-w-	c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-07-14 13:06	289792	----a-w-	c:\windows\system32\atmfd.dll
2010-05-04 05:59 . 2010-07-14 12:11	916480	----a-w-	c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-07-14 12:11	71680	----a-w-	c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-07-14 12:11	109056	----a-w-	c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-07-14 12:11	133632	----a-w-	c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-12-14 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-12-14 4702208]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-3-29 719664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-12-14 08:55	174616	------w-	c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSet]
2007-04-25 11:47	45056	----a-w-	c:\windows\PLFSet.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 13:21	246504	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38	1008184	----a-w-	c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28	2153472	----a-w-	c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33	202240	----a-w-	c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f4,8c,0a,b0,a6,2d,cb,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [x]
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\DRIVERS\AVerA310USB.sys [2007-07-10 26368]
R3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [2007-07-10 42240]
R3 dump_wmimmc;dump_wmimmc;c:\games\Dragonica\Release\GameGuard\dump_wmimmc.sys [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-06-07 3549224]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-12-14 179712]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-12-14 43008]


--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - gdtssxcd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = about:blank
mStart Page = hxxp://de.intl.acer.yahoo.com
IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Free YouTube to Mp3 Converter - c:\users\Administrator\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q8siash0.default\
FF - prefs.js: browser.startup.homepage - 
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\VLC Player\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-eRecoveryService - (no file)
HKU-Default-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
MSConfigStartUp-MChk - c:\windows\system32\ozsop.exe
MSConfigStartUp-RTHDBPL - c:\users\Administrator\AppData\Roaming\SystemProc\lsass.exe
MSConfigStartUp-setupupdate70700 - c:\users\Administrator\AppData\Roaming\EDA404E935DDDDF88EF95503A843866B\setupupdate70700.exe
MSConfigStartUp-sta - bzsop.dll
MSConfigStartUp-szetyj67v - c:\windows\system32\szetyj67v.exe
MSConfigStartUp-szetyj67vx - c:\windows\system32\szetyj67vx.exe
MSConfigStartUp-tghlig - c:\users\ADMINI~1\AppData\Local\Temp\msgciutr.dll
MSConfigStartUp-vhyfjuec - c:\users\Administrator\AppData\Local\easyqxgxr\pfyscintssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-07-29 18:21
Windows 6.0.6002 Service Pack 2 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\gdtssxcd]

.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3e,2e,06,22,cd,4d,88,4e,ab,f4,36,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3e,2e,06,22,cd,4d,88,4e,ab,f4,36,\

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\MSPaint.exe"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M3U"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="VLC.mp3"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (Administrator)
"Progid"="XnView.png"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-1015238528-2963362459-2859341902-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(1876)
c:\windows\system32\btmmhook.dll
.
Zeit der Fertigstellung: 2010-07-29  18:23:21
ComboFix-quarantined-files.txt  2010-07-29 16:23

Vor Suchlauf: 6 Verzeichnis(se), 116.703.678.464 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 116.334.886.912 Bytes frei

- - End Of File - - 451ACD996B8F2F175B03E7440A5C63BE

cosinus · 29.07.2010, 19:04

Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus

Anschließend den bootkit_remover herunterladen. Entpacke das Tool in einen eigenen Ordner auf dem Desktop und führe in diesem Ordner die Datei remove.exe aus.

Wenn Du Windows Vista oder Windows 7 verwendest, musst Du die remover.exe über ein Rechtsklick => als Administrator ausführen

Ein schwarzes Fenster wird sich öffnen und automatisch nach bösartigen Veränderungen im MBR suchen.
Poste dann bitte, ob es Veränderungen gibt und wenn ja in welchem device. Am besten alles posten was die remover.exe ausgibt.

Geas · 30.07.2010, 13:50

GMER:

Code:

ATTFilter

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-07-30 14:35:17
Windows 6.0.6002 Service Pack 2
Running: ox3f9r83.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\ugrdqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

?               System32\Drivers\gdtssxcd.sys                                                                       Ein an das System angeschlossenes Gerät funktioniert nicht. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                [74357817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                 [743AA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]             [7435BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]       [7434F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                 [743575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]              [7434E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [74388395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]     [7435DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]             [7434FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]              [7434FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]               [743471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]       [743DCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]          [7437C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]             [7434D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                       [74346853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                      [7434687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[608] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]         [74352AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                              86C86BF0

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                             Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                             Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service          (*** hidden *** )                                                                                  [BOOT] gdtssxcd                                                                                                                                                       <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001e4cef3767                         
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gdtssxcd@Type                                                1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gdtssxcd@Start                                               0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gdtssxcd@ErrorControl                                        0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gdtssxcd@Group                                               Boot Bus Extender
Reg             HKLM\SYSTEM\ControlSet002\Services\BthPort\Parameters\Keys\001e4cef3767 (not active ControlSet)     
Reg             HKLM\SYSTEM\ControlSet002\Services\gdtssxcd@Type                                                    1
Reg             HKLM\SYSTEM\ControlSet002\Services\gdtssxcd@Start                                                   0
Reg             HKLM\SYSTEM\ControlSet002\Services\gdtssxcd@ErrorControl                                            0
Reg             HKLM\SYSTEM\ControlSet002\Services\gdtssxcd@Group                                                   Boot Bus Extender

---- EOF - GMER 1.0.15 ----

OSAM:

Code:

ATTFilter

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 14:43:04 on 30.07.2010

OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit
Default Browser: Opera Software Opera Internet Browser 10.60

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"iproset.cpl" - "Intel(R) Corporation" - C:\Windows\system32\iproset.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"PROSet Tools" - "Intel(R) Corporation" - C:\Windows\System32\iPROSet.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"catchme" (catchme) - ? - C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys  (File not found)
"gdtssxcd" (gdtssxcd) - ? - C:\Windows\system32\drivers\gdtssxcd.sys  (Hidden registry entry, rootkit activity | File not found)
"int15" (int15) - "Acer, Inc." - C:\Acer\Empowering Technology\eRecovery\int15.sys
"IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys  (File not found)
"IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys  (File not found)
"IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys  (File not found)
"NetGroup Packet Filter Driver" (NPF) - "CACE Technologies, Inc." - C:\Windows\System32\drivers\npf.sys
"ugrdqpow" (ugrdqpow) - ? - C:\Users\ADMINI~1\AppData\Local\Temp\ugrdqpow.sys  (Hidden registry entry, rootkit activity | File not found)
"Upper Class Filter Driver" (NTIDrvr) - "NewTech Infosystems, Inc." - C:\Windows\System32\DRIVERS\NTIDrvr.sys

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{0561EC90-CE54-4f0c-9C55-E226110A740C} "Haali Column Provider" - ? - C:\Program Files\CCCP\Filters\Haali\mmfinfo.dll  (File found, but it contains no detailed information)
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? -   (File not found | COM-object registry key not found)
{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)
{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)
{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? -   (File not found | COM-object registry key not found)
{A70C977A-BF00-412C-90B7-034C51DA2439} "DesktopContext Class" - "NVIDIA Corporation" - C:\Windows\system32\nvcpl.dll
{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? -   (File not found | COM-object registry key not found)
{0561EC90-CE54-4f0c-9C55-E226110A740C} "Haali Column Provider" - ? - C:\Program Files\CCCP\Filters\Haali\mmfinfo.dll  (File found, but it contains no detailed information)
{5574006C-28F5-4a65-A28C-74DE6BFBE0BB} "Haali Matroska Shell Property Page" - ? - C:\Program Files\CCCP\Filters\Haali\mmfinfo.dll  (File found, but it contains no detailed information)
{327669A0-59A7-4be9-B99E-1C9F3A57611A} "Haali Matroska Thumbnail Extractor" - ? - C:\Program Files\CCCP\Filters\Haali\mmfinfo.dll  (File found, but it contains no detailed information)
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? -   (File not found | COM-object registry key not found)
{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682} "IZArc DragDrop Menu" - ? - C:\PROGRA~1\IZArc\IZArcCM.dll  (File found, but it contains no detailed information)
{BC593DF5-466F-44EC-8FFD-C4DBC603B917} "IZArc Shell Context Menu" - ? - C:\PROGRA~1\IZArc\IZArcCM.dll  (File found, but it contains no detailed information)
{00020d75-0000-0000-c000-000000000046} "lnkfile" - ? -   (File not found | COM-object registry key not found)
{7842554E-6BED-11D2-8CDB-B05550C10000} "Monitor Class" - "Broadcom Corporation." - C:\Windows\system32\btncopy.dll
{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} "NVIDIA CPL Context Menu Extension" - "NVIDIA Corporation" - C:\Windows\system32\nvshext.dll
{FFB699E0-306A-11d3-8BD1-00104B6F7516} "NVIDIA CPL Extension" - "NVIDIA Corporation" - C:\Windows\system32\nvcpl.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)
{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? -   (File not found | COM-object registry key not found)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
ITBar7Height "ITBar7Height" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\Windows\system32\Macromed\Flash\Flash10h.ocx / hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} "{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}" - ? -   (File not found | COM-object registry key not found) / C:\Program Files\Yahoo!\Common\Yinsthelper.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
"@btrez.dll,-4015" - ? - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"BTTray.lnk" - "Broadcom Corporation." - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe  (Shortcut exists | File exists)
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"LManager" - "Dritek System Inc." - C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100" (WPFFontCache_v0400) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
"Intel® PROSet/Wireless Event Log" (EvtEng) - "Intel(R) Corporation" - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
"Intel® PROSet/Wireless Registry Service" (RegSrvc) - "Intel(R) Corporation" - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"nProtect GameGuard Service" (npggsvc) - "INCA Internet Co., Ltd." - C:\Windows\system32\GameMon.des
"NVIDIA Display Driver Service" (nvsvc) - "NVIDIA Corporation" - C:\Windows\system32\nvvsvc.exe
"Raw Socket Service" (RS_Service) - ? - C:\Program Files\Acer\Acer VCM\RS_Service.exe  (File not found)

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

bootkit remover:

Code:

ATTFilter

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6
002), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`70a00000
Boot sector MD5 is: dc220266e2471b59f5999b434294b525

     Size  Device Name          MBR Status
 --------------------------------------------
   298 GB  \\.\PhysicalDrive0   Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

28.07.2010, 19:36	#10
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Nach "Antimalware Doctor" weiterhin Probleme Findest Du einen Ordner Qoobox direkt auf c:\ ? Da sollte evtl. eine combofix.txt o.ä. drin sein. Wenn der Ordner da auch nicht ist, bitte die alte cofi.exe löschen, CF neu als cofi.exe herunterladen und wieder nach Anleitung ausführen. __________________ Logfiles bitte immer in CODE-Tags posten

29.07.2010, 14:42	#12
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Nach "Antimalware Doctor" weiterhin Probleme Ja, probier es mit einer neu heruntergeladenen cofi.exe __________________ Logfiles bitte immer in CODE-Tags posten

Nach "Antimalware Doctor" weiterhin Probleme

Log-Analyse und Auswertung: Nach "Antimalware Doctor" weiterhin Probleme