Google Hijack - ich bekomm es nicht gelöscht

KAL · 31.07.2010, 13:32

Sowohl mit Firefox als auch mit Opera werden Google Links
sporadisch umgeleitet und die Browser öffnen sporadisch selbstständig
neue Tabs oder Fenster die auf Seiten wie clk.relestar.com
verlinken. Ich habe eine recht lange hosts Liste wo viele der Seiten gar
nicht zur Anzeige gelangen, aber lästig ist es schon.
Vor allem gehts mir auch darum zu lernen, welcher Schädling das ist und wie
ich den kille.

MBAM, OSAM, SuperAntispyware, Bitdefender online.
Bisher hat kein Programm das hijacking beenden können.

Danke

Swisstreasure · 31.07.2010, 13:39

Eine Bereinigung ist mitunter mit viel Arbeit für Dich verbunden.

Bitte arbeite alle Schritte der Reihe nach ab.
Sollte es Probleme geben, bitte stoppen und hier so gut es geht beschreiben.
Nur Scanns durchführen zu denen Du von einem Helfer aufgefordert wirst.
Bitte kein Crossposting ( posten in mehreren Foren).
Bitte keine Code Tags.

Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der Schnellere und immer der sicherste Weg.
Solltest Du Dich für eine Bereinigung entscheiden, arbeite bitte folgendes ab.

Vista und Win7 User
Alle Tools mit Rechtsklick "als Administrator ausführen" starten.

Schritt 1

Systemscan mit OTL

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop.

Doppelklick auf die OTL.exe
Vista und Windows 7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen.
Oben findest Du ein Kästchen mit Ausgabe.
Wähle bitte Minimal-Ausgabe
Unter Extra-Registrierung wähle bitte Benutze SafeList.
Mache Häckchen bei LOP- und Purity-Prüfung.
Klicke nun auf Scan links oben.
Wenn der Scan beendet wurde werden zwei Logfiles erstellt.
Du findest die Logfiles auf Deinem Desktop => OTL.txt und Extras.txt
Poste die Logfiles in Code-Tags hier in den Thread.

Schritt 2

Rootkit-Suche mit Gmer

Was sind Rootkits?

Wichtig: Bei jedem Rootkit-Scans soll/en:

Deaktiviere zunächst nach dieser Anleitung evtl. vorhandene CD-Emulatoren wie Alcohol, Daemon-Tools oder ähnliche.
Alle anderen Programme gegen Viren, Spyware, usw. deaktiviert sein,
keine Verbindung zu einem Netzwerk/Internet bestehen (WLAN nicht vergessen),
nichts am Rechner getan werden,
nach jedem Scan der Rechner neu gestartet werden.
Nicht vergessen, nach dem Rootkit-Scan die Security-Programme wieder einzuschalten!

Lade Dir Gmer von dieser Seite herunter
(auf den Button Download EXE drücken) und das Programm auf dem Desktop speichern.

Gmer ist geeignet für => NT/W2K/XP/VISTA (nur 32Bit).
Alle anderen Programme sollen geschlossen sein.
Starte gmer.exe (hat einen willkürlichen Programm-Namen).
Vista-User mit Rechtsklick und als Administrator starten.
Gmer startet automatisch einen ersten Scan.

Sollte sich ein Fenster mit folgender Warnung öffnen:

Code:

ATTFilter

WARNING !!!
GMER has found system modification, which might have been caused by ROOTKIT activity.
Do you want to fully scan your system?

Unbedingt auf "No" klicken,
in dem Fall über den Save-Button das bisherige Resultat auf dem Desktop als gmer_first.log speichern.

.
Falls das nicht der Fall war, wähle nun den Reiter "Rootkit/Malware",
Hake an: System, Sections, Devices, Modules, Processes, Threads, Libraries, Services, Registry und Files.
Wichtig: "Show all" darf nicht angehakt sein!
Starte den Scan durch Drücken des Buttons "Scan".
Mache nichts am Computer während der Scan läuft (unten links wird angezeigt, was gerade gescannt wird).
Wenn der Scan fertig ist, bleibt die Zeile leer.
Kllicke auf "Save" und speichere das Logfile als gmer.log auf dem Desktop.
Mit "Ok" wird GMER beendet.

Antiviren-Programm und sonstige Scanner wieder einschalten, bevor Du ins Netz gehst!

Nun das Logfile in Code-Tags posten.

KAL · 31.07.2010, 13:53

OTL.txt :

Code:

ATTFilter

OTL logfile created on: 31.07.2010 14:47:32 - Run 2
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Users\User\Desktop
 Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 71,00% Memory free
7,00 Gb Paging File | 6,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): d:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 29,81 Gb Total Space | 13,85 Gb Free Space | 46,46% Space Free | Partition Type: NTFS
Drive D: | 931,51 Gb Total Space | 490,52 Gb Free Space | 52,66% Space Free | Partition Type: NTFS
Drive E: | 372,61 Gb Total Space | 140,91 Gb Free Space | 37,82% Space Free | Partition Type: NTFS
Drive F: | 186,31 Gb Total Space | 91,43 Gb Free Space | 49,07% Space Free | Partition Type: NTFS
Drive G: | 232,88 Gb Total Space | 134,55 Gb Free Space | 57,77% Space Free | Partition Type: NTFS
Drive H: | 931,51 Gb Total Space | 271,67 Gb Free Space | 29,16% Space Free | Partition Type: NTFS
Drive I: | 1397,26 Gb Total Space | 934,66 Gb Free Space | 66,89% Space Free | Partition Type: NTFS
Drive J: | 279,46 Gb Total Space | 129,85 Gb Free Space | 46,46% Space Free | Partition Type: NTFS
Drive K: | 1397,26 Gb Total Space | 575,32 Gb Free Space | 41,17% Space Free | Partition Type: NTFS
 
Computer Name: BASEX
Current User Name: User
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\User\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Programme\PhraseExpress\phraseexpress.exe (Bartels Media GmbH)
PRC - C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe (TuneUp Software)
PRC - C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe (TuneUp Software)
PRC - C:\Programme\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Programme\TCB Networks\StrokeIt\strokeit.exe ()
PRC - D:\EverythingPortableAlpha\App\Everything\Everything-1.2.1.451a.exe ()
PRC - D:\EverythingPortableAlpha\EverythingPortableAlpha.exe (PortableApps.com)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - G:\Dienst\IP-Symcon_work\ips.exe (IP-Symcon)
PRC - C:\Programme\Virtual CD v10\System\vc10tray.exe (H+H Software GmbH)
PRC - C:\Programme\Virtual CD v10\System\VC10SecS.exe (H+H Software GmbH)
PRC - C:\Programme\Virtual CD v10\System\VC10Play.exe (H+H Software GmbH)
PRC - C:\Programme\Gembird\Power Manager\pm.exe ()
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Users\User\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Programme\TCB Networks\StrokeIt\mhook.dll ()
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (Stereo Service) -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (TuneUp.Defrag) -- C:\Programme\TuneUp Utilities 2010\TuneUpDefragService.exe (TuneUp Software)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (TuneUp.UtilitiesSvc) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe (TuneUp Software)
SRV - (UxTuneUp) -- C:\Windows\System32\uxtuneup.dll (TuneUp Software)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (IPSServer) -- G:\Dienst\IP-Symcon_work\ips.exe (IP-Symcon)
SRV - (VC10SecS) -- C:\Programme\Virtual CD v10\System\VC10SecS.exe (H+H Software GmbH)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX-Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (SASKUTIL) -- C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (RTL8167) -- C:\Windows\System32\drivers\Rt86win7.sys (Realtek                                            )
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (SASDIFSV) -- C:\Programme\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (TuneUpUtilitiesDrv) -- C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys (TuneUp Software)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\System32\drivers\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (HH10Help.sys) -- C:\Windows\System32\drivers\HH10Help.sys (H+H Software GmbH)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 5E 8D A4 B9 D0 21 CB 01  [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: multilinks@plugin:2.0.0.17
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.23
FF - prefs.js..network.proxy.type: 0
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.30 15:44:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.31 11:21:58 | 000,000,000 | ---D | M]
 
[2010.04.21 20:18:52 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\mozilla\Extensions
[2010.07.31 13:10:14 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\tegft5l5.default\extensions
[2010.07.10 19:46:39 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\tegft5l5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010.07.31 13:10:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\tegft5l5.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2010.06.19 00:04:12 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\tegft5l5.default\extensions\multilinks@plugin
[2010.07.31 13:10:14 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.05.06 20:31:08 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010.07.31 10:30:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010.07.31 10:30:00 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.07.30 15:44:13 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.07.30 15:44:13 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.07.30 15:44:13 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.07.30 15:44:13 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.07.30 15:44:13 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2010.07.30 15:46:52 | 001,012,530 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1  localhost
O1 - Hosts: 127.0.0.1  hh-software.com
O1 - Hosts: 127.0.0.1  www.hh-software.com
O1 - Hosts: 127.0.0.1  www.hamrick.com
O1 - Hosts: 127.0.0.1  www.w3.org
O1 - Hosts: 127.0.0.1  www.vectan.de
O1 - Hosts: 127.0.0.1  www.mafiaclans.eu
O1 - Hosts: 127.0.0.1  fr.a2dfp.net
O1 - Hosts: 127.0.0.1  m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1  ad.a8.net
O1 - Hosts: 127.0.0.1  asy.a8ww.net
O1 - Hosts: 127.0.0.1  adserver.abv.bg
O1 - Hosts: 127.0.0.1  adv.abv.bg
O1 - Hosts: 127.0.0.1  bimg.abv.bg
O1 - Hosts: 127.0.0.1  www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1  track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1  accuserveadsystem.com
O1 - Hosts: 127.0.0.1  www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1  achmedia.com
O1 - Hosts: 127.0.0.1  aconti.net
O1 - Hosts: 127.0.0.1  secure.aconti.net
O1 - Hosts: 127.0.0.1  www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1  ads.active.com
O1 - Hosts: 127.0.0.1  am1.activemeter.com
O1 - Hosts: 127.0.0.1  www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 30135 more lines...
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Power Manager] C:\Program Files\Gembird\Power Manager\pm.exe ()
O4 - HKLM..\Run: [VC10Player] C:\Programme\Virtual CD v10\System\VC10Play.exe (H+H Software GmbH)
O4 - HKCU..\Run: [StrokeIt] C:\Programme\TCB Networks\StrokeIt\strokeit.exe ()
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - Reg Error: Value error. File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{d8f76aa8-4ef4-11df-95eb-001a4d4ccd7a}\Shell - "" = AutoRun
O33 - MountPoints2\{d8f76aa8-4ef4-11df-95eb-001a4d4ccd7a}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010.07.31 14:45:42 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2010.07.31 14:35:54 | 000,000,000 | ---D | C] -- C:\Programme\trend micro
[2010.07.31 14:35:54 | 000,000,000 | ---D | C] -- C:\rsit
[2010.07.31 13:24:20 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\SUPERAntiSpyware.com
[2010.07.31 13:24:20 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010.07.31 13:24:18 | 000,000,000 | ---D | C] -- C:\Programme\SUPERAntiSpyware
[2010.07.31 13:10:17 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\QuickScan
[2010.07.31 11:56:46 | 000,000,000 | ---D | C] -- C:\Programme\PocketKnife Peek
[2010.07.31 11:21:54 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010.07.31 10:58:38 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Online Solutions
[2010.07.31 10:30:09 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Java
[2010.07.31 10:30:03 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010.07.31 10:30:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010.07.31 10:30:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010.07.30 17:41:19 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010.07.30 15:15:30 | 000,000,000 | ---D | C] -- C:\Programme\Spybot - Search & Destroy
[2010.07.30 15:15:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010.07.28 21:57:32 | 000,000,000 | ---D | C] -- C:\Programme\CCleaner
[2010.07.28 20:00:30 | 000,136,192 | ---- | C] (FSPro Labs) -- C:\Windows\System32\fsproflt.exe
[2010.07.28 20:00:30 | 000,043,792 | ---- | C] (FSPro Labs) -- C:\Windows\System32\drivers\FSPFltd.sys
[2010.07.28 19:59:23 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\display32
[2010.07.28 19:47:17 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010.07.27 21:00:17 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\ImgBurn
[2010.07.23 14:57:13 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8
[2010.07.14 19:49:35 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\Square Enix
[2010.07.14 17:02:42 | 000,000,000 | ---D | C] -- C:\Programme\K-Lite Codec Pack
[2010.07.14 16:53:28 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2010.07.14 16:53:03 | 015,764,072 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvoglv32.dll
[2010.07.14 16:53:03 | 010,888,168 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys
[2010.07.14 16:53:03 | 004,967,528 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvwgf2um.dll
[2010.07.14 16:53:03 | 002,890,856 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvencodemft.dll
[2010.07.14 16:53:03 | 000,332,392 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvdecodemft.dll
[2010.07.14 16:53:03 | 000,056,936 | ---- | C] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
[2010.07.14 16:53:03 | 000,010,920 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvBridge.kmd
[2010.07.14 16:53:02 | 010,263,144 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcompiler.dll
[2010.07.14 16:53:02 | 009,712,744 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvd3dum.dll
[2010.07.14 16:53:02 | 004,513,384 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuda.dll
[2010.07.14 16:53:02 | 002,632,296 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvenc.dll
[2010.07.14 16:53:02 | 002,145,896 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvid.dll
[2010.07.14 16:53:02 | 000,232,040 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcod1921.dll
[2010.07.14 16:53:02 | 000,232,040 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcod.dll
[2010.07.13 09:50:59 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Frameworkx.com
[2010.07.13 09:50:16 | 000,000,000 | ---D | C] -- C:\Programme\Frameworkx
[2010.07.12 09:07:41 | 000,000,000 | ---D | C] -- C:\ProgramData\elsterformular
[2010.07.12 09:07:38 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\elsterformular
[2010.07.01 23:52:18 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dcsx_42.dll
[2010.07.01 23:52:18 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll
[2010.07.01 23:52:18 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll
[2010.07.01 23:52:18 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_6.dll
[2010.07.01 23:52:18 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_5.dll
[2010.07.01 23:52:18 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll
[2010.07.01 23:52:18 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_6.dll
[2010.07.01 23:52:18 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_5.dll
[2010.07.01 23:52:18 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_42.dll
[2010.07.01 23:52:18 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_4.dll
[2010.07.01 23:52:18 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_7.dll
[2010.07.01 23:52:17 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_3.dll
[2010.07.01 23:52:17 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_2.dll
[2010.07.01 23:52:17 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_3.dll
[2010.07.01 23:52:17 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_2.dll
[2010.07.01 23:52:17 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_3.dll
[2010.07.01 23:52:17 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_1.dll
[2010.07.01 23:52:17 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_5.dll
[2010.07.01 23:52:16 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_2.dll
 
========== Files - Modified Within 30 Days ==========
 
[2010.07.31 14:47:25 | 006,553,600 | -HS- | M] () -- C:\Users\User\ntuser.dat
[2010.07.31 14:45:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2010.07.31 14:34:49 | 000,339,991 | ---- | M] () -- C:\Users\User\Desktop\RSIT.exe
[2010.07.31 14:04:27 | 000,019,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010.07.31 14:04:27 | 000,019,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010.07.31 14:01:30 | 001,507,106 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.07.31 14:01:30 | 000,657,438 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.07.31 14:01:30 | 000,618,714 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.07.31 14:01:30 | 000,130,810 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.07.31 14:01:30 | 000,107,034 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.07.31 13:57:19 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.07.31 13:57:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.07.31 13:56:15 | 001,590,751 | -H-- | M] () -- C:\Users\User\AppData\Local\IconCache.db
[2010.07.31 13:24:19 | 000,001,965 | ---- | M] () -- C:\Users\User\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010.07.31 10:59:02 | 000,767,488 | ---- | M] () -- C:\Windows\System32\drivers\mqjprhau.sys
[2010.07.31 10:29:59 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010.07.31 10:29:59 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010.07.31 10:29:59 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010.07.31 10:29:59 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010.07.30 15:46:52 | 001,012,530 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010.07.29 23:39:40 | 000,034,304 | ---- | M] () -- C:\42 Heinlein AZ.doc
[2010.07.29 23:38:38 | 000,139,671 | ---- | M] () -- C:\42 Heinlein AZ.pdf
[2010.07.28 21:57:33 | 000,000,969 | ---- | M] () -- C:\Users\User\Desktop\CCleaner.lnk
[2010.07.28 20:17:54 | 000,524,288 | -HS- | M] () -- C:\Users\User\ntuser.dat{240da24e-9a70-11df-97aa-001a4d4ccd7a}.TMContainer00000000000000000002.regtrans-ms
[2010.07.28 20:17:54 | 000,524,288 | -HS- | M] () -- C:\Users\User\ntuser.dat{240da24e-9a70-11df-97aa-001a4d4ccd7a}.TMContainer00000000000000000001.regtrans-ms
[2010.07.28 20:17:54 | 000,065,536 | -HS- | M] () -- C:\Users\User\ntuser.dat{240da24e-9a70-11df-97aa-001a4d4ccd7a}.TM.blf
[2010.07.23 13:09:54 | 000,141,481 | ---- | M] () -- C:\Users\User\Documents\42 Heinlein AZ.pdf
[2010.07.15 16:46:22 | 000,127,484 | ---- | M] () -- C:\sonic.jpg
[2010.07.14 19:45:49 | 000,000,574 | ---- | M] () -- C:\Users\Public\Desktop\Just Cause 2.lnk
[2010.07.11 14:11:59 | 000,054,674 | ---- | M] () -- C:\LMC 20 X_ConCeal_AJHorn.jpg
[2010.07.11 14:02:16 | 000,090,236 | ---- | M] () -- C:\W170S_intus170_ajhorn.jpg
[2010.07.09 19:44:05 | 000,050,887 | ---- | M] () -- C:\UE40C6710US_5_Large.jpg
[2010.07.09 18:34:00 | 000,014,476 | ---- | M] () -- C:\Heinlein Ansicht 1.pdf
[2010.07.09 18:34:00 | 000,014,459 | ---- | M] () -- C:\Heinlein Ansicht 2.pdf
 
========== Files Created - No Company Name ==========
 
[2010.07.31 14:34:55 | 000,339,991 | ---- | C] () -- C:\Users\User\Desktop\RSIT.exe
[2010.07.31 13:24:19 | 000,001,965 | ---- | C] () -- C:\Users\User\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010.07.28 21:57:33 | 000,000,969 | ---- | C] () -- C:\Users\User\Desktop\CCleaner.lnk
[2010.07.28 20:52:45 | 000,767,488 | ---- | C] () -- C:\Windows\System32\drivers\mqjprhau.sys
[2010.07.28 19:47:16 | 000,524,288 | -HS- | C] () -- C:\Users\User\ntuser.dat{240da24e-9a70-11df-97aa-001a4d4ccd7a}.TMContainer00000000000000000002.regtrans-ms
[2010.07.28 19:47:16 | 000,524,288 | -HS- | C] () -- C:\Users\User\ntuser.dat{240da24e-9a70-11df-97aa-001a4d4ccd7a}.TMContainer00000000000000000001.regtrans-ms
[2010.07.28 19:47:16 | 000,065,536 | -HS- | C] () -- C:\Users\User\ntuser.dat{240da24e-9a70-11df-97aa-001a4d4ccd7a}.TM.blf
[2010.07.23 13:10:18 | 000,139,671 | ---- | C] () -- C:\42 Heinlein AZ.pdf
[2010.07.23 13:09:54 | 000,141,481 | ---- | C] () -- C:\Users\User\Documents\42 Heinlein AZ.pdf
[2010.07.16 14:45:00 | 000,034,304 | ---- | C] () -- C:\42 Heinlein AZ.doc
[2010.07.15 16:45:38 | 000,127,484 | ---- | C] () -- C:\sonic.jpg
[2010.07.14 19:45:49 | 000,000,574 | ---- | C] () -- C:\Users\Public\Desktop\Just Cause 2.lnk
[2010.07.14 17:02:45 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2010.07.11 14:11:59 | 000,054,674 | ---- | C] () -- C:\LMC 20 X_ConCeal_AJHorn.jpg
[2010.07.11 14:02:15 | 000,090,236 | ---- | C] () -- C:\W170S_intus170_ajhorn.jpg
[2010.07.09 19:44:05 | 000,050,887 | ---- | C] () -- C:\UE40C6710US_5_Large.jpg
[2010.07.09 18:34:00 | 000,014,476 | ---- | C] () -- C:\Heinlein Ansicht 1.pdf
[2010.07.09 18:34:00 | 000,014,459 | ---- | C] () -- C:\Heinlein Ansicht 2.pdf
[2010.06.01 12:12:40 | 000,056,320 | ---- | C] () -- C:\Windows\System32\iyvu9_32.dll
[2010.05.24 23:46:44 | 000,005,120 | ---- | C] () -- C:\Windows\System32\BReWErS.dll
[2010.05.21 16:07:16 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2010.05.20 15:58:11 | 000,000,268 | ---- | C] () -- C:\Windows\game.ini
[2010.05.03 21:37:58 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2010.04.21 21:26:48 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009.12.03 09:27:28 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009.07.14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009.07.14 01:11:15 | 000,000,189 | ---- | C] () -- C:\Windows\System32\rcdb51.ini
 
========== LOP Check ==========
 
[2010.06.28 19:50:46 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\ACD Systems
[2010.06.16 09:04:02 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\calibre
[2010.07.31 13:56:02 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\display32
[2010.07.12 09:07:42 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\elsterformular
[2010.06.04 22:47:53 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\FileZilla
[2010.07.16 23:52:54 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\foobar2000
[2010.07.28 20:45:49 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\FreeCommander
[2010.07.27 21:00:17 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\ImgBurn
[2010.05.03 11:30:21 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\JAM Software
[2010.05.03 11:53:31 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\MAP&GUIDE
[2010.06.16 09:07:28 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mobipocket
[2010.06.05 00:07:45 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\NewsLeecher
[2010.07.31 11:12:52 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Online Solutions
[2010.04.22 00:18:01 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Opera
[2010.05.11 21:44:27 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Passport Photo Studio
[2010.07.28 20:45:50 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\PhraseExpress
[2010.07.31 13:11:03 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\QuickScan
[2010.05.27 22:01:54 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\TCB Networks
[2010.07.31 14:46:03 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\TeraCopy
[2010.04.28 00:34:08 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\TuneUp Software
[2010.04.29 00:04:09 | 000,000,000 | --SD | M] -- C:\Users\User\AppData\Roaming\Virtual CD v10
[2010.06.27 12:49:43 | 000,032,630 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 236 bytes -> C:\ProgramData\TEMP:D282699C
@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >

Code:

ATTFilter

OTL Extras logfile created on: 31.07.2010 14:47:32 - Run 2
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Users\User\Desktop
 Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 71,00% Memory free
7,00 Gb Paging File | 6,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): d:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 29,81 Gb Total Space | 13,85 Gb Free Space | 46,46% Space Free | Partition Type: NTFS
Drive D: | 931,51 Gb Total Space | 490,52 Gb Free Space | 52,66% Space Free | Partition Type: NTFS
Drive E: | 372,61 Gb Total Space | 140,91 Gb Free Space | 37,82% Space Free | Partition Type: NTFS
Drive F: | 186,31 Gb Total Space | 91,43 Gb Free Space | 49,07% Space Free | Partition Type: NTFS
Drive G: | 232,88 Gb Total Space | 134,55 Gb Free Space | 57,77% Space Free | Partition Type: NTFS
Drive H: | 931,51 Gb Total Space | 271,67 Gb Free Space | 29,16% Space Free | Partition Type: NTFS
Drive I: | 1397,26 Gb Total Space | 934,66 Gb Free Space | 66,89% Space Free | Partition Type: NTFS
Drive J: | 279,46 Gb Total Space | 129,85 Gb Free Space | 46,46% Space Free | Partition Type: NTFS
Drive K: | 1397,26 Gb Total Space | 575,32 Gb Free Space | 41,17% Space Free | Partition Type: NTFS
 
Computer Name: BASEX
Current User Name: User
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDSee 10.0.Browse] -- "C:\Program Files\ACD Systems\ACDSee\10.0\ACDSeeQV10.exe" "%1" (ACD Systems)
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse with FastStone] -- "C:\Program Files\FastStone Image Viewer\FSViewer.exe" "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{10C51313-A308-4B40-90E3-B368D5882660}" = Virtual CD v10
"{1374CC63-B520-4f3f-98E8-E9020BF01CFF}" = Windows XP Mode
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20B1B020-DEAE-48D1-9960-D4C3185D758B}" = Phase 5 HTML-Editor
"{254BEB3E-1085-4D66-9CDC-0152C0DC2E93}" = EPSON TWAIN 5
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 21
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{342126E1-173C-4585-BFBE-3EBDD20E3E9E}" = Mobipocket Reader 6.2
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{409ECFF1-9CC7-43A8-B28A-B7F0B7CB04D1}_is1" = Classic Menu for Office 2007 v5.00
"{47609E69-4C5E-48B1-A889-24C6B82B5C04}" = Vista Shortcut Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{7EE873AF-46BB-4B5D-BA6F-CFE4B0566E22}" = TuneUp Utilities Language Pack (de-DE)
"{80F19EAA-44C4-47C2-AE87-1C7628E858D6}" = Logitech Harmony Remote Software 7
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{8B682C1D-A3D4-47AF-A594-C5DCCEAB7AB1}" = map&guide professional 2009
"{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}" = SWAT 4
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{26454C26-D259-4543-AA60-3189E09C5F76}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00B2-0407-0000-0000000FF1CE}" = Microsoft – Speichern als PDF oder XPS – Add-In für 2007 Microsoft Office-Programme
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{97E12F84-C033-4DA2-97D2-F540C3E292EA}" = Installer
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9FF5AB03-89D5-468E-8E01-5A6FCEFAB8B6}" = Mwst-Rechner
"{A7B9AD06-4F8E-4FE0-8EE9-D9C80156EDFB}" = map&guide Kartendaten PTV Europe City Map Premium 3a-2008t - NQ (F:\map&guide pro 2009 v15\maps\EuropePremium.geo)
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.3 - Deutsch
"{B4F3A360-E1E2-479D-ADE7-9BE3B07F4539}" = NVIDIA PhysX
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C441297F-C9F2-4177-9D5F-1B10F0358E32}" = Opera 10.54
"{C7D3522C-8CF7-4D09-8324-CE03E0800938}" = calibre
"{CA2CE23E-6751-4828-AF8B-66EA06E697F6}" = Power Manager
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}" = TuneUp Utilities
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"{EC1F15E1-F3CC-46EE-B7A5-849A08ED60DC}}_is1" = PantsOff 2.0
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{F8B98EB6-FC06-45BF-87D4-9784E0408611}" = ACDSee 10 Foto-Manager
"{FBBB318F-3769-4B1C-B8B2-AF7ED4DA2272}_is1" = Passport Photo Studio 1.5.1
"7-Zip" = 7-Zip 9.13 beta
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Better File Rename_is1" = Better File Rename 5.5
"Calculator" = Calculator 2009.4.137 
"CCleaner" = CCleaner
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FastStone Image Viewer" = FastStone Image Viewer 4.2
"FileZilla Client" = FileZilla Client 3.3.2.1
"foobar2000" = foobar2000 v1.0.2.1
"Free M4a to MP3 Converter_is1" = Free M4a to MP3 Converter 6.1
"FreeCommander_is1" = FreeCommander 2009.02a
"HijackThis" = HijackThis 1.98.2
"Indeo® Software" = Indeo® Software
"InstallShield_{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}" = SWAT 4
"InstallShield_{97E12F84-C033-4DA2-97D2-F540C3E292EA}" = SWAT 4 - THE STETCHKOV SYNDICATE
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"Just Cause 2_is1" = Just Cause 2
"KLiteCodecPack_is1" = K-Lite Codec Pack 6.2.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"MOBackup-DatensicherungfürOutlook" = MOBackup - Datensicherung für Outlook (Vollversion)
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"myDownloader 1.3" = myDownloader 1.3
"NewsLeecher_is1" = NewsLeecher v4.0 Beta 18 ( using new supersearch engine )
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Password Recovery Bundle 2010_is1" = Password Recovery Bundle 2010
"PhraseExpress_is1" = PhraseExpress v7.0.162
"PocketKnife Peek_is1" = PocketKnife Peek 1.3
"PuTTY_is1" = PuTTY version 0.60
"QuickPar" = QuickPar 0.9
"SMPlayer" = SMPlayer 0.6.9
"Sniper Ghost Warrior_is1" = Sniper Ghost Warrior
"ST4UNST #1" = PowerPoint Batch Converter
"ST4UNST #2" = PowerPoint Batch Converter (C:\Program Files\PowerPoint Batch Converter\)
"StrokeIt" = StrokeIt
"TeraCopy_is1" = TeraCopy 2.12
"Terrorist Takedown 3/DE-German_is1" = Terrorist Takedown 3
"The KMPlayer" = The KMPlayer (remove only)
"TreeSize Free_is1" = TreeSize Free V2.4
"TuneUp Utilities" = TuneUp Utilities
"Unlocker" = Unlocker 1.8.9
"VLC media player" = VLC media player 1.0.5
"VueScan" = VueScan
"WinISD beta" = WinISD beta
"WinRAR archiver" = WinRAR
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== Last 10 Event Log Errors ==========
 
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
 
< End of report >

Ich hab Win7 32bit. GMER ist nur bis Vista geeignet ?
Ich hab GMER heute morgen laufen lassen, hat nichts gefunden.
Soll ich das nochmal ausführen ?

Swisstreasure · 31.07.2010, 14:02

Nein natürlich auch bei WIn7

Ja dann poste mir das Log vom Morgen

KAL · 31.07.2010, 14:07

Habs gerade nochmal durchgejagt.

Code:

ATTFilter

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-07-31 15:04:32
Windows 6.1.7600 
Running: 2oybvpos.exe; Driver: C:\Users\User\AppData\Local\Temp\kgrdqpow.sys


---- System - GMER 1.0.15 ----

INT 0x1F        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E47AF8
INT 0x37        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E47104
INT 0xC1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E473F4
INT 0xD1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E302D8
INT 0xD2        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E2F898
INT 0xDF        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E471DC
INT 0xE1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E47958
INT 0xE3        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E476F8
INT 0xFD        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E47F2C
INT 0xFE        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                   82E481A8

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                                                            82A60599 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                     82A84F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
?               C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS                                                                             Das System kann die angegebene Datei nicht finden. !
?               C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS                                                                             Das System kann die angegebene Datei nicht finden. !
.text           peauth.sys                                                                                                                 9D13BC9D 28 Bytes  [5E, EE, ED, D3, E6, D9, 17, ...]
.text           peauth.sys                                                                                                                 9D13BCC1 28 Bytes  [5E, EE, ED, D3, E6, D9, 17, ...]
PAGE            peauth.sys                                                                                                                 9D141E20 101 Bytes  [66, 47, AC, AE, 51, 45, 0E, ...]
PAGE            peauth.sys                                                                                                                 9D14202C 102 Bytes  [01, 33, 4E, C5, 8B, 4C, F3, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 4F90                                                                                        9F8C8000 290 Bytes  [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 50B3                                                                                        9F8C8123 629 Bytes  [35, 8C, 9F, FE, 05, 34, 35, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 5329                                                                                        9F8C8399 101 Bytes  [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 538F                                                                                        9F8C83FF 148 Bytes  [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE            spsys.sys!?SPRevision@@3PADA + 543B                                                                                        9F8C84AB 2228 Bytes  [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE            ...                                                                                                                        

---- User code sections - GMER 1.0.15 ----

.text           C:\Windows\system32\svchost.exe[1012] ntdll.dll!NtProtectVirtualMemory                                                     77335380 5 Bytes  JMP 0052000A 
.text           C:\Windows\system32\svchost.exe[1012] ntdll.dll!NtWriteVirtualMemory                                                       77335F00 5 Bytes  JMP 0053000A 
.text           C:\Windows\system32\svchost.exe[1012] ntdll.dll!KiUserExceptionDispatcher                                                  77336448 5 Bytes  JMP 0028000A 
.text           C:\Windows\system32\svchost.exe[1012] ole32.dll!CoCreateInstance                                                           76F657FC 5 Bytes  JMP 00C3000A 
.text           C:\Windows\Explorer.EXE[1988] ntdll.dll!NtProtectVirtualMemory                                                             77335380 5 Bytes  JMP 0025000A 
.text           C:\Windows\Explorer.EXE[1988] ntdll.dll!NtWriteVirtualMemory                                                               77335F00 5 Bytes  JMP 0026000A 
.text           C:\Windows\Explorer.EXE[1988] ntdll.dll!KiUserExceptionDispatcher                                                          77336448 5 Bytes  JMP 0011000A 

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Program Files\PhraseExpress\phraseexpress.exe[2456] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread]        [00467D0C] C:\Program Files\PhraseExpress\phraseexpress.exe (PhraseExpress/Bartels Media GmbH)
IAT             C:\Program Files\PhraseExpress\phraseexpress.exe[2456] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem]  [00467F10] C:\Program Files\PhraseExpress\phraseexpress.exe (PhraseExpress/Bartels Media GmbH)
IAT             C:\Program Files\PhraseExpress\phraseexpress.exe[2456] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread]       [00467D0C] C:\Program Files\PhraseExpress\phraseexpress.exe (PhraseExpress/Bartels Media GmbH)
IAT             C:\Program Files\PhraseExpress\phraseexpress.exe[2456] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem]  [00467F10] C:\Program Files\PhraseExpress\phraseexpress.exe (PhraseExpress/Bartels Media GmbH)
IAT             C:\Program Files\PhraseExpress\phraseexpress.exe[2456] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!CreateThread]       [00467D0C] C:\Program Files\PhraseExpress\phraseexpress.exe (PhraseExpress/Bartels Media GmbH)

---- Devices - GMER 1.0.15 ----

Device          \Driver\ACPI_HAL \Device\00000045                                                                                          halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                                     fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                                     fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                                     fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                                                     fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5                                                                                     fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume6                                                                                     fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume7                                                                                     fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume8                                                                                     fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume9                                                                                     fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                                                                      sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----

Swisstreasure · 31.07.2010, 14:15

Schritt 1

Wurde die Host durch Dich so bearbeitet? Hast Du es auch schon versucht diese wieder auf dne Ursprung zu setzen?

Schritt 2

Datei-Überprüfung

Folgende Datei/en (siehe Codebox) bei VirusTotal online überprüfen lassen. Dafür musst Du jede Datei einzeln über den Button "Durchsuchen" und "Senden der Datei" nach VirusTotal hochladen und prüfen lassen. Wenn VirusTotal die Datei empfangen hat, wird sie diese mit mehreren Anti-Virus-Scannern prüfen und die Ergebnisse anzeigen. Sollte VirusTotal melden, dass die Datei bereits überpüft wurde, lasse sie trotzdem über den Button "Analysiere die Datei" erneut prüfen.

Wenn das Ergebnis vorliegt, den kleinen Button "Filter" links oberhalb der Ergebnisse drücken, dann das Ergebnis (egal wie es aussieht und dabei auch die Zeilen mit Namen und Größe der Datei, MD5 und SHA1 kopieren) hier posten. Solltest Du die Datei/en nicht finden oder hochladen können, dann teile uns das ebenfalls mit. Solltest Du die Datei/en nicht finden, überprüfe, ob folgende Einstellungen richtig gesetzt sind.

Code:

ATTFilter

D:\EverythingPortableAlpha\App\Everything\Everything-1.2.1.451a.exe
D:\EverythingPortableAlpha\EverythingPortableAlpha.exe

Schritt 3

Kontrolle mit MBR -t, ob Master Boot Record in Ordnung ist (MBR-Rootkit)

Downloade die MBR.exe von Gmer und
kopiere die Datei mbr.exe in den Ordner C:\Windows\system32.
Falls Du den Ordner nicht sehen kannst, diese Einstellungen in den Ordneroptionen vornehmen.
Start => cmd (bei der Suche unten reinchreiben) => OK
es öffnet sich eine Eingabeaufforderung.

Nach dem Prompt (>_) folgenden Text aus der Codebox manuell eingeben oder alternativ den mit STRG + C ins Clipboard kopieren und einfügen.
Einfügen in der Eingabeaufforderung: in der Titelleiste einen Rechtsklick machen => Bearbeiten => einfügen.
Code:
ATTFilter
```
mbr.exe -t > C:\mbr.log & C:\mbr.log
         
```
(Enter drücken)
Nach kurzer Zeit wird sich Dein Editor öffnen und die Datei C:\mbr.log beinhalten.
Bitte kopiere den Inhalt hier in Deinen Thread.

Schritt 4

MBR mit MBRCheck prüfen

Lade MBRCheck.exe herunter und speichere das Tool auf deinem Desktop (nicht woanders hin).
XP Benutzer: Doppelklick auf die MBRCheck.exe, um das Tool zu starten.
Vista und Windows 7 Benutzer: Rechtsklick auf die MBRCheck.exe und Als Administrator starten wählen.
Es wird sich ein Eingabe-Fenster mit einigen Angaben öffnen.

Wenn der Scan beendet ist, was mit Done! gemeldet wird, klicke Enter, um das Eingabe-Fenster zu schließen.
Poste mir den Inhalt von MBRCheck_<datum>.txt vom Desktop hier in den Thread.

KAL · 31.07.2010, 14:17

geht gleich (in ca. einer Stunde) weiter.
Muss einkaufen.

Swisstreasure · 31.07.2010, 14:52

Ok mach das

Bis später.

KAL · 31.07.2010, 16:10

Die hosts Datei kann man im Web so runterladen.

everything ist eine Dateisuche, die schnellste die ich kenne.

Kein Fund.

Code:

ATTFilter

Datei Everything-1.2.1.451a.exe empfangen 2010.07.31 14:53:25 (UTC)
Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2010.07.31.00	2010.07.30	-
AntiVir	8.2.4.32	2010.07.30	-
Antiy-AVL	2.0.3.7	2010.07.30	-
Authentium	5.2.0.5	2010.07.31	-
Avast	4.8.1351.0	2010.07.31	-
Avast5	5.0.332.0	2010.07.31	-
AVG	9.0.0.851	2010.07.31	-
BitDefender	7.2	2010.07.31	-
CAT-QuickHeal	11.00	2010.07.31	-
ClamAV	0.96.0.3-git	2010.07.30	-
Comodo	5598	2010.07.31	-
DrWeb	5.0.2.03300	2010.07.30	-
Emsisoft	5.0.0.34	2010.07.30	-
eSafe	7.0.17.0	2010.07.29	-
eTrust-Vet	36.1.7753	2010.07.31	-
F-Prot	4.6.1.107	2010.07.31	-
F-Secure	9.0.15370.0	2010.07.31	-
Fortinet	4.1.143.0	2010.07.31	-
GData	21	2010.07.31	-
Ikarus	T3.1.1.84.0	2010.07.31	-
Jiangmin	13.0.900	2010.07.29	-
Kaspersky	7.0.0.125	2010.07.31	-
McAfee	5.400.0.1158	2010.07.31	-
McAfee-GW-Edition	2010.1	2010.07.30	-
Microsoft	1.6004	2010.07.31	-
NOD32	5327	2010.07.30	-
Norman	6.05.11	2010.07.31	-
nProtect	2010-07-31.01	2010.07.31	-
Panda	10.0.2.7	2010.07.31	-
PCTools	7.0.3.5	2010.07.31	-
Prevx	3.0	2010.07.31	-
Rising	22.58.05.04	2010.07.31	-
Sophos	4.56.0	2010.07.31	-
Sunbelt	6667	2010.07.31	-
SUPERAntiSpyware	4.40.0.1006	2010.07.31	-
Symantec	20101.1.1.7	2010.07.31	-
TheHacker	6.5.2.1.328	2010.07.30	-
TrendMicro	9.120.0.1004	2010.07.31	-
TrendMicro-HouseCall	9.120.0.1004	2010.07.31	-
VBA32	3.12.12.7	2010.07.30	-
ViRobot	2010.7.31.3965	2010.07.31	-
VirusBuster	5.0.27.0	2010.07.30	-
weitere Informationen
File size: 760320 bytes
MD5...: 2b6135751acd0dd25bbff82d82f15e56
SHA1..: 8981c9ec8af8dad54e271de41844b642e6a15974
SHA256: 66c8334035a41e4d0c35d0bc90ac7dc9f60ce6087feb3d1aa26b7357e8b9c5f2
ssdeep: 12288:kYIXjN/H9EzqA76J+mkStDssH6Bm5MQrztC+4XY2P6l0mz0TRzNH/OFH7G<br>4g4z3p:00tSxH6Bm5MotV0mYTXOFHBtDArmF4eF<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x8c4b9<br>timedatestamp.....: 0x4b0b906e (Tue Nov 24 07:51:10 2009)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x97a70 0x97c00 6.55 6300573215cbdebe788ffa2c63842312<br>.rdata 0x99000 0x134ca 0x13600 5.58 90064696990dd1aeba5ff4799a353830<br>.data 0xad000 0x5904 0x3200 4.58 8f037e20879815d9028ca2d523954fa6<br>.rsrc 0xb3000 0xb110 0xb200 5.91 312d12981d91f72310dbc7bb9c08bff7<br><br>( 12 imports ) <br>&gt; COMCTL32.dll: ImageList_Create, ImageList_Add, ImageList_DrawEx, ImageList_Destroy, InitCommonControlsEx<br>&gt; WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -<br>&gt; MSIMG32.dll: AlphaBlend<br>&gt; IMM32.dll: ImmGetVirtualKey<br>&gt; KERNEL32.dll: SetConsoleScreenBufferSize, AllocConsole, GetTimeFormatA, GetDateFormatA, GetLocalTime, FlushFileBuffers, SetFilePointer, GetProcAddress, FreeLibrary, LoadLibraryA, GetSystemDirectoryA, WideCharToMultiByte, FileTimeToSystemTime, FindClose, FindNextFileW, GetSystemTime, FindFirstFileW, ExitProcess, FormatMessageA, GetCommandLineW, GetModuleHandleW, GetCurrentThreadId, CreateMutexA, CreateMutexW, SetLastError, SetThreadPriority, CreateEventA, FreeResource, LockResource, LoadResource, SizeofResource, FindResourceA, GetFileSize, GetSystemDefaultLangID, HeapAlloc, HeapFree, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, GetFileAttributesW, GetFileAttributesA, GetModuleFileNameW, InitializeCriticalSection, CreateFileW, MoveFileW, MoveFileExW, GetSystemTimeAsFileTime, GetFileAttributesExW, CreateDirectoryW, GetComputerNameW, QueryDosDeviceW, SetErrorMode, GetDiskFreeSpaceExW, GetVolumeNameForVolumeMountPointW, SystemTimeToFileTime, GetLongPathNameW, RaiseException, ExpandEnvironmentStringsW, GetTimeFormatW, GetDateFormatW, DeleteCriticalSection, FindVolumeClose, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, FindFirstVolumeW, LCMapStringA, GetOEMCP, GetACP, GetCPInfo, HeapCreate, HeapDestroy, HeapSize, IsDebuggerPresent, SetUnhandledExceptionFilter, TerminateProcess, UnhandledExceptionFilter, InterlockedDecrement, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetModuleHandleA, GetStartupInfoA, GetVersionExA, GetCommandLineA, HeapReAlloc, CreateThread, ExitThread, RtlUnwind, QueryPerformanceCounter, SetConsoleTextAttribute, GetStdHandle, EnterCriticalSection, WriteConsoleW, LeaveCriticalSection, GetProcessHeap, HeapCompact, GetCurrentProcess, SetProcessWorkingSetSize, Sleep, FindFirstVolumeMountPointW, GetFileInformationByHandle, FindNextVolumeMountPointW, CreateEventW, ResetEvent, WaitForMultipleObjects, GetOverlappedResult, CancelIo, SetEvent, WaitForSingleObject, CloseHandle, GetDriveTypeW, GetVolumeInformationW, GetSystemInfo, VirtualAlloc, DeviceIoControl, VirtualFree, WriteFile, ReadFile, GetLastError, FileTimeToLocalFileTime, QueryPerformanceFrequency, MultiByteToWideChar, LCMapStringW, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetTickCount, GetCurrentProcessId, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CreateFileA, DeleteFileW<br>&gt; USER32.dll: CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, GetSysColorBrush, GetScrollInfo, GetWindowDC, ScrollWindowEx, SetScrollInfo, SetCursorPos, ScreenToClient, TrackMouseEvent, DrawEdge, IsDlgButtonChecked, GetDlgItemInt, InsertMenuW, GetMenuItemID, GetMenuDefaultItem, DrawTextExA, MessageBeep, GetDoubleClickTime, SetDlgItemTextW, GetClassNameW, SetDlgItemInt, IsCharAlphaNumericW, IsIconic, GetKeyState, PostMessageW, GetSysColor, FillRect, GetClassInfoExW, RegisterClassExW, GetNextDlgTabItem, EnableWindow, SetWindowPos, SetWindowTextW, AllowSetForegroundWindow, EnumWindows, IsWindowVisible, DialogBoxIndirectParamW, DrawFrameControl, GetWindowTextLengthW, GetWindowTextW, GetMenuItemCount, CreatePopupMenu, AppendMenuW, RemoveMenu, SetMenuItemInfoW, CallWindowProcW, CreateDialogIndirectParamW, BringWindowToTop, EnumChildWindows, UpdateWindow, InvalidateRgn, GetWindowRect, ClientToScreen, OffsetRect, CopyRect, EnumDisplayMonitors, MonitorFromRect, CheckDlgButton, SendMessageW, CreateWindowExW, GetMonitorInfoW, SystemParametersInfoW, IntersectRect, GetDC, RegisterClipboardFormatW, GetDesktopWindow, DrawTextExW, ReleaseDC, GetSystemMetrics, SetCapture, IsWindow, GetCapture, PtInRect, ReleaseCapture, DestroyIcon, SetWindowsHookExW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, WaitMessage, CallNextHookEx, IsWindowEnabled, GetFocus, PostQuitMessage, LoadImageW, LoadIconW, GetMenu, GetSubMenu, IsClipboardFormatAvailable, GetMenuItemInfoW, RedrawWindow, GetMessagePos, SetActiveWindow, IsZoomed, MonitorFromWindow, SetMenu, RegisterWindowMessageA, CreateWindowExA, DefWindowProcW, GetCursorPos, CreateMenu, SetMenuDefaultItem, TrackPopupMenu, DestroyMenu, RegisterHotKey, SetFocus, GetDlgItem, SetForegroundWindow, ShowWindow, SendDlgItemMessageW, GetParent, SetTimer, KillTimer, EndDialog, UnregisterHotKey, AdjustWindowRect, DestroyWindow, FindWindowW, FindWindowA, GetWindowThreadProcessId, SendMessageTimeoutW, MessageBoxA, UnregisterDeviceNotification, RegisterDeviceNotificationW, CharLowerW, GetWindowLongW, SetWindowLongW, BeginPaint, LoadBitmapW, GetClientRect, EndPaint, SetCursor, LoadCursorW, InvalidateRect, MessageBoxW<br>&gt; GDI32.dll: GetTextMetricsW, PatBlt, SetBrushOrgEx, CreatePatternBrush, CreateBitmapIndirect, CombineRgn, CreateCompatibleBitmap, CreateBitmap, SetPixel, GetTextExtentPoint32A, RectVisible, GetTextExtentExPointW, GetTextExtentExPointA, GetTextExtentPoint32W, TextOutW, TextOutA, GetBkColor, OffsetClipRgn, StretchBlt, CreateRectRgn, GetRandomRgn, GetDCOrgEx, OffsetRgn, CreateCompatibleDC, BitBlt, ExcludeClipRect, SetTextColor, SetBkMode, GetStockObject, GetObjectW, CreateFontIndirectW, CreateDIBSection, GdiFlush, DeleteDC, SetBkColor, SelectClipRgn, SelectObject, GetTextExtentPointW, CreateSolidBrush, MaskBlt, DeleteObject<br>&gt; comdlg32.dll: GetSaveFileNameW, GetOpenFileNameW<br>&gt; ADVAPI32.dll: RegCreateKeyExW, RegQueryValueExW, RegSetValueExW, RegSetValueExA, RegDeleteValueW, RegOpenKeyExA, RegOpenKeyA, RegQueryValueExA, DeleteService, ControlService, CreateServiceW, OpenSCManagerW, OpenServiceW, CloseServiceHandle, StartServiceW, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerA, SetServiceStatus, RegCloseKey, GetUserNameW, RegOpenKeyExW<br>&gt; SHELL32.dll: SHGetSpecialFolderPathW, -, -, -, DragQueryFileW, SHFileOperationW, -, SHGetDesktopFolder, SHGetMalloc, Shell_NotifyIconW, SHChangeNotify, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoA, ShellExecuteExW, SHGetFileInfoW, ShellExecuteA<br>&gt; ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance, OleDuplicateData, ReleaseStgMedium, RevokeDragDrop, RegisterDragDrop<br>&gt; SHLWAPI.dll: SHDeleteKeyW, PathIsRelativeW<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)<br>Win32 Executable MS Visual C++ (generic) (26.2%)<br>Win32 Executable Generic (5.9%)<br>Win32 Dynamic Link Library (generic) (5.2%)<br>Generic Win/DOS Executable (1.3%)
sigcheck:<br>publisher....: n/a<br>copyright....: Copyright (C) 2005-2008 David Carpenter<br>product......: Everything<br>description..: Everything<br>original name: Everything.exe<br>internal name: Everything<br>file version.: 1, 2, 1, 451a<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>

Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2010.07.31.00	2010.07.30	-
AntiVir	8.2.4.32	2010.07.30	-
Antiy-AVL	2.0.3.7	2010.07.30	-
Authentium	5.2.0.5	2010.07.31	-
Avast	4.8.1351.0	2010.07.31	-
Avast5	5.0.332.0	2010.07.31	-
AVG	9.0.0.851	2010.07.31	-
BitDefender	7.2	2010.07.31	-
CAT-QuickHeal	11.00	2010.07.31	-
ClamAV	0.96.0.3-git	2010.07.30	-
Comodo	5598	2010.07.31	-
DrWeb	5.0.2.03300	2010.07.30	-
Emsisoft	5.0.0.34	2010.07.30	-
eSafe	7.0.17.0	2010.07.29	-
eTrust-Vet	36.1.7753	2010.07.31	-
F-Prot	4.6.1.107	2010.07.31	-
F-Secure	9.0.15370.0	2010.07.31	-
Fortinet	4.1.143.0	2010.07.31	-
GData	21	2010.07.31	-
Ikarus	T3.1.1.84.0	2010.07.31	-
Jiangmin	13.0.900	2010.07.29	-
Kaspersky	7.0.0.125	2010.07.31	-
McAfee	5.400.0.1158	2010.07.31	-
McAfee-GW-Edition	2010.1	2010.07.30	-
Microsoft	1.6004	2010.07.31	-
NOD32	5327	2010.07.30	-
Norman	6.05.11	2010.07.31	-
nProtect	2010-07-31.01	2010.07.31	-
Panda	10.0.2.7	2010.07.31	-
PCTools	7.0.3.5	2010.07.31	-
Prevx	3.0	2010.07.31	-
Rising	22.58.05.04	2010.07.31	-
Sophos	4.56.0	2010.07.31	-
Sunbelt	6667	2010.07.31	-
SUPERAntiSpyware	4.40.0.1006	2010.07.31	-
Symantec	20101.1.1.7	2010.07.31	-
TheHacker	6.5.2.1.328	2010.07.30	-
TrendMicro	9.120.0.1004	2010.07.31	-
TrendMicro-HouseCall	9.120.0.1004	2010.07.31	-
VBA32	3.12.12.7	2010.07.30	-
ViRobot	2010.7.31.3965	2010.07.31	-
VirusBuster	5.0.27.0	2010.07.30	-

weitere Informationen
File size: 760320 bytes
MD5...: 2b6135751acd0dd25bbff82d82f15e56
SHA1..: 8981c9ec8af8dad54e271de41844b642e6a15974
SHA256: 66c8334035a41e4d0c35d0bc90ac7dc9f60ce6087feb3d1aa26b7357e8b9c5f2
ssdeep: 12288:kYIXjN/H9EzqA76J+mkStDssH6Bm5MQrztC+4XY2P6l0mz0TRzNH/OFH7G<br>4g4z3p:00tSxH6Bm5MotV0mYTXOFHBtDArmF4eF<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x8c4b9<br>timedatestamp.....: 0x4b0b906e (Tue Nov 24 07:51:10 2009)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name        viradd    virsiz   rawdsiz  ntrpy  md5<br>.text       0x1000   0x97a70   0x97c00   6.55  6300573215cbdebe788ffa2c63842312<br>.rdata     0x99000   0x134ca   0x13600   5.58  90064696990dd1aeba5ff4799a353830<br>.data      0xad000    0x5904    0x3200   4.58  8f037e20879815d9028ca2d523954fa6<br>.rsrc      0xb3000    0xb110    0xb200   5.91  312d12981d91f72310dbc7bb9c08bff7<br><br>( 12 imports )  <br>&gt; COMCTL32.dll: ImageList_Create, ImageList_Add, ImageList_DrawEx, ImageList_Destroy, InitCommonControlsEx<br>&gt; WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -<br>&gt; MSIMG32.dll: AlphaBlend<br>&gt; IMM32.dll: ImmGetVirtualKey<br>&gt; KERNEL32.dll: SetConsoleScreenBufferSize, AllocConsole, GetTimeFormatA, GetDateFormatA, GetLocalTime, FlushFileBuffers, SetFilePointer, GetProcAddress, FreeLibrary, LoadLibraryA, GetSystemDirectoryA, WideCharToMultiByte, FileTimeToSystemTime, FindClose, FindNextFileW, GetSystemTime, FindFirstFileW, ExitProcess, FormatMessageA, GetCommandLineW, GetModuleHandleW, GetCurrentThreadId, CreateMutexA, CreateMutexW, SetLastError, SetThreadPriority, CreateEventA, FreeResource, LockResource, LoadResource, SizeofResource, FindResourceA, GetFileSize, GetSystemDefaultLangID, HeapAlloc, HeapFree, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, GetFileAttributesW, GetFileAttributesA, GetModuleFileNameW, InitializeCriticalSection, CreateFileW, MoveFileW, MoveFileExW, GetSystemTimeAsFileTime, GetFileAttributesExW, CreateDirectoryW, GetComputerNameW, QueryDosDeviceW, SetErrorMode, GetDiskFreeSpaceExW, GetVolumeNameForVolumeMountPointW, SystemTimeToFileTime, GetLongPathNameW, RaiseException, ExpandEnvironmentStringsW, GetTimeFormatW, GetDateFormatW, DeleteCriticalSection, FindVolumeClose, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, FindFirstVolumeW, LCMapStringA, GetOEMCP, GetACP, GetCPInfo, HeapCreate, HeapDestroy, HeapSize, IsDebuggerPresent, SetUnhandledExceptionFilter, TerminateProcess, UnhandledExceptionFilter, InterlockedDecrement, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetModuleHandleA, GetStartupInfoA, GetVersionExA, GetCommandLineA, HeapReAlloc, CreateThread, ExitThread, RtlUnwind, QueryPerformanceCounter, SetConsoleTextAttribute, GetStdHandle, EnterCriticalSection, WriteConsoleW, LeaveCriticalSection, GetProcessHeap, HeapCompact, GetCurrentProcess, SetProcessWorkingSetSize, Sleep, FindFirstVolumeMountPointW, GetFileInformationByHandle, FindNextVolumeMountPointW, CreateEventW, ResetEvent, WaitForMultipleObjects, GetOverlappedResult, CancelIo, SetEvent, WaitForSingleObject, CloseHandle, GetDriveTypeW, GetVolumeInformationW, GetSystemInfo, VirtualAlloc, DeviceIoControl, VirtualFree, WriteFile, ReadFile, GetLastError, FileTimeToLocalFileTime, QueryPerformanceFrequency, MultiByteToWideChar, LCMapStringW, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetTickCount, GetCurrentProcessId, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CreateFileA, DeleteFileW<br>&gt; USER32.dll: CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, GetSysColorBrush, GetScrollInfo, GetWindowDC, ScrollWindowEx, SetScrollInfo, SetCursorPos, ScreenToClient, TrackMouseEvent, DrawEdge, IsDlgButtonChecked, GetDlgItemInt, InsertMenuW, GetMenuItemID, GetMenuDefaultItem, DrawTextExA, MessageBeep, GetDoubleClickTime, SetDlgItemTextW, GetClassNameW, SetDlgItemInt, IsCharAlphaNumericW, IsIconic, GetKeyState, PostMessageW, GetSysColor, FillRect, GetClassInfoExW, RegisterClassExW, GetNextDlgTabItem, EnableWindow, SetWindowPos, SetWindowTextW, AllowSetForegroundWindow, EnumWindows, IsWindowVisible, DialogBoxIndirectParamW, DrawFrameControl, GetWindowTextLengthW, GetWindowTextW, GetMenuItemCount, CreatePopupMenu, AppendMenuW, RemoveMenu, SetMenuItemInfoW, CallWindowProcW, CreateDialogIndirectParamW, BringWindowToTop, EnumChildWindows, UpdateWindow, InvalidateRgn, GetWindowRect, ClientToScreen, OffsetRect, CopyRect, EnumDisplayMonitors, MonitorFromRect, CheckDlgButton, SendMessageW, CreateWindowExW, GetMonitorInfoW, SystemParametersInfoW, IntersectRect, GetDC, RegisterClipboardFormatW, GetDesktopWindow, DrawTextExW, ReleaseDC, GetSystemMetrics, SetCapture, IsWindow, GetCapture, PtInRect, ReleaseCapture, DestroyIcon, SetWindowsHookExW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, WaitMessage, CallNextHookEx, IsWindowEnabled, GetFocus, PostQuitMessage, LoadImageW, LoadIconW, GetMenu, GetSubMenu, IsClipboardFormatAvailable, GetMenuItemInfoW, RedrawWindow, GetMessagePos, SetActiveWindow, IsZoomed, MonitorFromWindow, SetMenu, RegisterWindowMessageA, CreateWindowExA, DefWindowProcW, GetCursorPos, CreateMenu, SetMenuDefaultItem, TrackPopupMenu, DestroyMenu, RegisterHotKey, SetFocus, GetDlgItem, SetForegroundWindow, ShowWindow, SendDlgItemMessageW, GetParent, SetTimer, KillTimer, EndDialog, UnregisterHotKey, AdjustWindowRect, DestroyWindow, FindWindowW, FindWindowA, GetWindowThreadProcessId, SendMessageTimeoutW, MessageBoxA, UnregisterDeviceNotification, RegisterDeviceNotificationW, CharLowerW, GetWindowLongW, SetWindowLongW, BeginPaint, LoadBitmapW, GetClientRect, EndPaint, SetCursor, LoadCursorW, InvalidateRect, MessageBoxW<br>&gt; GDI32.dll: GetTextMetricsW, PatBlt, SetBrushOrgEx, CreatePatternBrush, CreateBitmapIndirect, CombineRgn, CreateCompatibleBitmap, CreateBitmap, SetPixel, GetTextExtentPoint32A, RectVisible, GetTextExtentExPointW, GetTextExtentExPointA, GetTextExtentPoint32W, TextOutW, TextOutA, GetBkColor, OffsetClipRgn, StretchBlt, CreateRectRgn, GetRandomRgn, GetDCOrgEx, OffsetRgn, CreateCompatibleDC, BitBlt, ExcludeClipRect, SetTextColor, SetBkMode, GetStockObject, GetObjectW, CreateFontIndirectW, CreateDIBSection, GdiFlush, DeleteDC, SetBkColor, SelectClipRgn, SelectObject, GetTextExtentPointW, CreateSolidBrush, MaskBlt, DeleteObject<br>&gt; comdlg32.dll: GetSaveFileNameW, GetOpenFileNameW<br>&gt; ADVAPI32.dll: RegCreateKeyExW, RegQueryValueExW, RegSetValueExW, RegSetValueExA, RegDeleteValueW, RegOpenKeyExA, RegOpenKeyA, RegQueryValueExA, DeleteService, ControlService, CreateServiceW, OpenSCManagerW, OpenServiceW, CloseServiceHandle, StartServiceW, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerA, SetServiceStatus, RegCloseKey, GetUserNameW, RegOpenKeyExW<br>&gt; SHELL32.dll: SHGetSpecialFolderPathW, -, -, -, DragQueryFileW, SHFileOperationW, -, SHGetDesktopFolder, SHGetMalloc, Shell_NotifyIconW, SHChangeNotify, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoA, ShellExecuteExW, SHGetFileInfoW, ShellExecuteA<br>&gt; ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance, OleDuplicateData, ReleaseStgMedium, RevokeDragDrop, RegisterDragDrop<br>&gt; SHLWAPI.dll: SHDeleteKeyW, PathIsRelativeW<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)<br>Win32 Executable MS Visual C++ (generic) (26.2%)<br>Win32 Executable Generic (5.9%)<br>Win32 Dynamic Link Library (generic) (5.2%)<br>Generic Win/DOS Executable (1.3%)
sigcheck:<br>publisher....: n/a<br>copyright....: Copyright (C) 2005-2008 David Carpenter<br>product......: Everything<br>description..: Everything<br>original name: Everything.exe<br>internal name: Everything<br>file version.: 1, 2, 1, 451a<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>

Code:

ATTFilter

Datei EverythingPortableAlpha.exe empfangen 2010.07.31 14:58:57 (UTC)
Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2010.07.31.00	2010.07.30	-
AntiVir	8.2.4.32	2010.07.30	-
Antiy-AVL	2.0.3.7	2010.07.30	-
Authentium	5.2.0.5	2010.07.31	-
Avast	4.8.1351.0	2010.07.31	-
Avast5	5.0.332.0	2010.07.31	-
AVG	9.0.0.851	2010.07.31	-
BitDefender	7.2	2010.07.31	-
CAT-QuickHeal	11.00	2010.07.31	-
ClamAV	0.96.0.3-git	2010.07.30	-
Comodo	5598	2010.07.31	-
DrWeb	5.0.2.03300	2010.07.30	-
Emsisoft	5.0.0.34	2010.07.30	-
eSafe	7.0.17.0	2010.07.29	-
eTrust-Vet	36.1.7753	2010.07.31	-
F-Prot	4.6.1.107	2010.07.31	-
F-Secure	9.0.15370.0	2010.07.31	-
Fortinet	4.1.143.0	2010.07.31	-
GData	21	2010.07.31	-
Ikarus	T3.1.1.84.0	2010.07.31	-
Jiangmin	13.0.900	2010.07.29	-
Kaspersky	7.0.0.125	2010.07.31	-
McAfee	5.400.0.1158	2010.07.31	-
McAfee-GW-Edition	2010.1	2010.07.30	-
Microsoft	1.6004	2010.07.31	-
NOD32	5327	2010.07.30	-
Norman	6.05.11	2010.07.31	-
nProtect	2010-07-31.01	2010.07.31	-
Panda	10.0.2.7	2010.07.31	-
PCTools	7.0.3.5	2010.07.31	-
Prevx	3.0	2010.07.31	-
Rising	22.58.05.04	2010.07.31	-
Sophos	4.56.0	2010.07.31	-
Sunbelt	6667	2010.07.31	-
Symantec	20101.1.1.7	2010.07.31	-
TheHacker	6.5.2.1.328	2010.07.30	-
TrendMicro	9.120.0.1004	2010.07.31	-
TrendMicro-HouseCall	9.120.0.1004	2010.07.31	-
VBA32	3.12.12.7	2010.07.30	-
ViRobot	2010.7.31.3965	2010.07.31	-
VirusBuster	5.0.27.0	2010.07.30	-
weitere Informationen
File size: 94645 bytes
MD5...: c34dd8273c60695042e061b05090b641
SHA1..: 1c6fa345276c64324c47e00b8ca1fb5a67aedb26
SHA256: d049d025837c2a92bf5f4b4ec8d660c9c043924dfb1b073d9fcdfe83e3f42e85
ssdeep: 1536:7QpQ5EP0ijnRTXJN0ssk6OqEqHtgcOMKwE1STIjShUrqaCRt639qJriHX/+<br>W:7QIURTXJ4jOMKw1TIjShjRt2weX/R<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x323c<br>timedatestamp.....: 0x4a2ae2a2 (Sat Jun 06 21:41:54 2009)<br>machinetype.......: 0x14c (I386)<br><br>( 5 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x5a5a 0x5c00 6.42 0bc2ffd32265a08d72b795b18265828d<br>.rdata 0x7000 0x1190 0x1200 5.18 f179218a059068529bdb4637ef5fa28e<br>.data 0x9000 0x1af98 0x400 4.71 975304d6dd6c4a4f076b15511e2bbbc0<br>.ndata 0x24000 0xb000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.rsrc 0x2f000 0x5110 0x5200 4.47 ce29eb4cf66db7912ac2394fd8894631<br><br>( 8 imports ) <br>&gt; KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA<br>&gt; USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow<br>&gt; GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject<br>&gt; SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation<br>&gt; ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA<br>&gt; COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create<br>&gt; ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance<br>&gt; VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)<br>Win32 Executable Generic (14.7%)<br>Win32 Dynamic Link Library (generic) (13.1%)<br>Generic Win/DOS Executable (3.4%)<br>DOS Executable Generic (3.4%)
sigcheck:<br>publisher....: PortableApps.com<br>copyright....: PortableApps.com _ Contributors<br>product......: Everything Portable Alpha<br>description..: Everything Portable Alpha<br>original name: EverythingPortableAlpha.exe<br>internal name: Everything Portable Alpha<br>file version.: 1.2.1.451a<br>comments.....: Allows Everything to be run from a removable drive. For additional details, visit PortableApps.com/EverythingPortableAlpha<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>
packers (F-Prot): NSIS

Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2010.07.31.00	2010.07.30	-
AntiVir	8.2.4.32	2010.07.30	-
Antiy-AVL	2.0.3.7	2010.07.30	-
Authentium	5.2.0.5	2010.07.31	-
Avast	4.8.1351.0	2010.07.31	-
Avast5	5.0.332.0	2010.07.31	-
AVG	9.0.0.851	2010.07.31	-
BitDefender	7.2	2010.07.31	-
CAT-QuickHeal	11.00	2010.07.31	-
ClamAV	0.96.0.3-git	2010.07.30	-
Comodo	5598	2010.07.31	-
DrWeb	5.0.2.03300	2010.07.30	-
Emsisoft	5.0.0.34	2010.07.30	-
eSafe	7.0.17.0	2010.07.29	-
eTrust-Vet	36.1.7753	2010.07.31	-
F-Prot	4.6.1.107	2010.07.31	-
F-Secure	9.0.15370.0	2010.07.31	-
Fortinet	4.1.143.0	2010.07.31	-
GData	21	2010.07.31	-
Ikarus	T3.1.1.84.0	2010.07.31	-
Jiangmin	13.0.900	2010.07.29	-
Kaspersky	7.0.0.125	2010.07.31	-
McAfee	5.400.0.1158	2010.07.31	-
McAfee-GW-Edition	2010.1	2010.07.30	-
Microsoft	1.6004	2010.07.31	-
NOD32	5327	2010.07.30	-
Norman	6.05.11	2010.07.31	-
nProtect	2010-07-31.01	2010.07.31	-
Panda	10.0.2.7	2010.07.31	-
PCTools	7.0.3.5	2010.07.31	-
Prevx	3.0	2010.07.31	-
Rising	22.58.05.04	2010.07.31	-
Sophos	4.56.0	2010.07.31	-
Sunbelt	6667	2010.07.31	-
Symantec	20101.1.1.7	2010.07.31	-
TheHacker	6.5.2.1.328	2010.07.30	-
TrendMicro	9.120.0.1004	2010.07.31	-
TrendMicro-HouseCall	9.120.0.1004	2010.07.31	-
VBA32	3.12.12.7	2010.07.30	-
ViRobot	2010.7.31.3965	2010.07.31	-
VirusBuster	5.0.27.0	2010.07.30	-

weitere Informationen
File size: 94645 bytes
MD5...: c34dd8273c60695042e061b05090b641
SHA1..: 1c6fa345276c64324c47e00b8ca1fb5a67aedb26
SHA256: d049d025837c2a92bf5f4b4ec8d660c9c043924dfb1b073d9fcdfe83e3f42e85
ssdeep: 1536:7QpQ5EP0ijnRTXJN0ssk6OqEqHtgcOMKwE1STIjShUrqaCRt639qJriHX/+<br>W:7QIURTXJ4jOMKw1TIjShjRt2weX/R<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x323c<br>timedatestamp.....: 0x4a2ae2a2 (Sat Jun 06 21:41:54 2009)<br>machinetype.......: 0x14c (I386)<br><br>( 5 sections )<br>name        viradd    virsiz   rawdsiz  ntrpy  md5<br>.text       0x1000    0x5a5a    0x5c00   6.42  0bc2ffd32265a08d72b795b18265828d<br>.rdata      0x7000    0x1190    0x1200   5.18  f179218a059068529bdb4637ef5fa28e<br>.data       0x9000   0x1af98     0x400   4.71  975304d6dd6c4a4f076b15511e2bbbc0<br>.ndata     0x24000    0xb000       0x0   0.00  d41d8cd98f00b204e9800998ecf8427e<br>.rsrc      0x2f000    0x5110    0x5200   4.47  ce29eb4cf66db7912ac2394fd8894631<br><br>( 8 imports )  <br>&gt; KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA<br>&gt; USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow<br>&gt; GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject<br>&gt; SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation<br>&gt; ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA<br>&gt; COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create<br>&gt; ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance<br>&gt; VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)<br>Win32 Executable Generic (14.7%)<br>Win32 Dynamic Link Library (generic) (13.1%)<br>Generic Win/DOS Executable (3.4%)<br>DOS Executable Generic (3.4%)
sigcheck:<br>publisher....: PortableApps.com<br>copyright....: PortableApps.com _ Contributors<br>product......: Everything Portable Alpha<br>description..: Everything Portable Alpha<br>original name: EverythingPortableAlpha.exe<br>internal name: Everything Portable Alpha<br>file version.: 1.2.1.451a<br>comments.....: Allows Everything to be run from a removable drive.  For additional details, visit PortableApps.com/EverythingPortableAlpha<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>
packers (F-Prot): NSIS

mbr.exe von GMER

Code:

ATTFilter

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, hxxp://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys 
kernel: MBR read successfully
user & kernel MBR OK 
copy of MBR has been found in sector 62 !

mbrcheck

Code:

ATTFilter

MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive1

\\.\D: --> \\.\PhysicalDrive2

\\.\E: --> \\.\PhysicalDrive5

\\.\F: --> \\.\PhysicalDrive6

\\.\G: --> \\.\PhysicalDrive8

\\.\H: --> \\.\PhysicalDrive4

\\.\I: --> \\.\PhysicalDrive7

\\.\J: --> \\.\PhysicalDrive0

\\.\K: --> \\.\PhysicalDrive3



      Size  Device Name          MBR Status

  --------------------------------------------

     29 GB  \\.\PhysicalDrive1   Windows 7 MBR code detected

    931 GB  \\.\PhysicalDrive2   Windows XP MBR code detected

    372 GB  \\.\PhysicalDrive5   Unknown MBR code

    186 GB  \\.\PhysicalDrive6   Unknown MBR code

    232 GB  \\.\PhysicalDrive8   Windows XP MBR code detected

    931 GB  \\.\PhysicalDrive4   Windows XP MBR code detected

   1397 GB  \\.\PhysicalDrive7   Windows XP MBR code detected

    279 GB  \\.\PhysicalDrive0   Windows XP MBR code detected

   1397 GB  \\.\PhysicalDrive3   Windows 7 MBR code detected





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit: 



Done!  Press ENTER to exit...

aha, zwei MBRs nicht koscher. Aber das sind keine Bootplatten...

Swisstreasure · 31.07.2010, 16:33

Zitat:

372 GB \\.\PhysicalDrive5 Unknown MBR code

186 GB \\.\PhysicalDrive6 Unknown MBR code

Was sind das denn für Drives?
Nutzt Du Linux?

KAL · 31.07.2010, 16:45

Drive 6 war mal ne XP Bootplatte.

Drive 5 ist schon immer eine Datenplatte gewesen.

Einige HDDs sind noch zu XP Zeiten mit NTFS formatiert worden, einige
kamen erst unter Win7 dazu.
Linux nutze ich nicht (auf diesem PC).

Swisstreasure · 31.07.2010, 16:47

Du hast am Anfang geschrieben das MBAM, OSAM, SuperAntispyware, Bitdefender nicht gebracht haben. Wurde aber denoch Malware gefunden? Mich würde das Log von MBAM interessieren, falls da was gefunden wurde.

KAL · 31.07.2010, 17:15

soll ich mbam nochmal durchlaufen lassen oder speichert es
die Logs von den Scans irgendwo ?

Swisstreasure · 31.07.2010, 19:12

Die werde abgespeichert.
Wenn Du MBAM öffnest findest Du es
unter Scan-Berichte.

KAL · 31.07.2010, 19:36

zwei Logs mit Funden

28.07.

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4363

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

28.07.2010 20:58:07
mbam-log-2010-07-28 (20-58-07).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 82796
Laufzeit: 10 Minute(n), 50 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Users\User\AppData\Local\Temp\IXP000.TMP\ppi.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Temp\IXP001.TMP\crypt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Temp\IXP002.TMP\crypt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Temp\IXP003.TMP\crypt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Temp\IXP004.TMP\ppi.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Temp\IXP005.TMP\crypt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

und nochmal

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4363

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

28.07.2010 21:37:12
mbam-log-2010-07-28 (21-37-12).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 82675
Laufzeit: 6 Minute(n), 59 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ECNGO8GY\sjnvpnidk[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N03O1XNB\aaidkfmhfa[1].htm (Adware.BHO) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W5EPK2ZU\imhbjepxrz[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

31.07.2010, 14:02	#4
Swisstreasure /// Malwareteam	Google Hijack - ich bekomm es nicht gelöscht Nein natürlich auch bei WIn7 Ja dann poste mir das Log vom Morgen

31.07.2010, 14:52	#8
Swisstreasure /// Malwareteam	Google Hijack - ich bekomm es nicht gelöscht Ok mach das Bis später.

31.07.2010, 16:47	#12
Swisstreasure /// Malwareteam	Google Hijack - ich bekomm es nicht gelöscht Du hast am Anfang geschrieben das MBAM, OSAM, SuperAntispyware, Bitdefender nicht gebracht haben. Wurde aber denoch Malware gefunden? Mich würde das Log von MBAM interessieren, falls da was gefunden wurde.

31.07.2010, 19:12	#14
Swisstreasure /// Malwareteam	Google Hijack - ich bekomm es nicht gelöscht Die werde abgespeichert. Wenn Du MBAM öffnest findest Du es unter Scan-Berichte.

Google Hijack - ich bekomm es nicht gelöscht

Plagegeister aller Art und deren Bekämpfung: Google Hijack - ich bekomm es nicht gelöscht