Rechner arbeitet ununterbrochen und Virenscanner schlägt an

dunkelauge · 30.08.2010, 10:44

Hier mein log:HiJackthis Logfile:

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:02:15, on 30.08.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\tsnp2uvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dunkelauge\Download\Computer retten\HiJackThis204.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\PROGRA~1\TerraTec\TERRAT~1\THCDES~1.DLL
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [tsnp2uvc] C:\Windows\tsnp2uvc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MDS_Menu] "C:\Program Files\HomeCinema\MediaShow4\MUITransfer\MUIStartMenu.exe" "C:\Program Files\HomeCinema\MediaShow4" UpdateWithCreateOnce "Software\CyberLink\MediaShow\4.1"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\HomeCinema\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\HomeCinema\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\HomeCinema\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: sysrda32.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-25/4 (file missing)
O9 - Extra 'Tools' menuitem: eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-25/4 (file missing)
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-15/4 (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-15/4 (file missing) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Reset Reader (resetWinService) - Unknown owner - C:\Program Files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
 
--
End of file - 9910 bytes

--- --- ---

Irgendwie rechnet der Laptop immer rum (fast 50 % Auslastung). Außerdem hat mein Provider mit geschrieben das über meinen Anschluß Mailserver aufgerufen werden. Ohne mein zutun (woher er das auch immer weiß!?). Avira findet einen virus in der datei fkuzha.sys im Ordner winows/system32/drivers . Die kann ich aber nicht löschen da es sie laut KillBox gar nicht gibt??

P.S. bin ein PC Boon --wie wohl viele Fragesteller hier..

Swisstreasure · 30.08.2010, 11:22

Eine Bereinigung ist mitunter mit viel Arbeit für Dich verbunden.

Bitte arbeite alle Schritte der Reihe nach ab.
Lese die Anleitungen sorgfältig. Sollte es Probleme geben, bitte stoppen und hier so gut es geht beschreiben.
Nur Scanns durchführen zu denen Du von einem Helfer aufgefordert wirst.
Bitte kein Crossposting ( posten in mehreren Foren).
Installiere oder Deinstalliere während der Bereinigung keine Software ausser Du wurdest dazu aufgefordert.
Lese Dir die Anleitung zuerst vollständig durch. Sollte etwas unklar sein, frage bevor Du beginnst.
Poste die Logfiles direkt in deinen Thread. Nicht anhängen ausser ich fordere Dich dazu auf. Erschwert mir nämlich das auswerten.

Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der Schnellere und immer der sicherste Weg.
Solltest Du Dich für eine Bereinigung entscheiden, arbeite solange mit, bis dir jemand vom Team sagt, dass Du clean bist.

Vista und Win7 User
Alle Tools mit Rechtsklick "als Administrator ausführen" starten.

Schritt 1

Systemscan mit OTL

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop.

Doppelklick auf die OTL.exe
Vista und Windows 7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen.
Oben findest Du ein Kästchen mit Ausgabe.
Wähle bitte Minimal-Ausgabe
Unter Extra-Registrierung wähle bitte Benutze SafeList.
Mache Häckchen bei LOP- und Purity-Prüfung.
Klicke nun auf Scan links oben.
Wenn der Scan beendet wurde werden zwei Logfiles erstellt.
Du findest die Logfiles auf Deinem Desktop => OTL.txt und Extras.txt
Poste die Logfiles in Code-Tags hier in den Thread.

Schritt 2

Rootkit-Suche mit Gmer

Was sind Rootkits?

Wichtig: Bei jedem Rootkit-Scans soll/en:

Deaktiviere zunächst nach dieser Anleitung evtl. vorhandene CD-Emulatoren wie Alcohol, Daemon-Tools oder ähnliche.
Alle anderen Programme gegen Viren, Spyware, usw. deaktiviert sein,
keine Verbindung zu einem Netzwerk/Internet bestehen (WLAN nicht vergessen),
nichts am Rechner getan werden,
nach jedem Scan der Rechner neu gestartet werden.
Nicht vergessen, nach dem Rootkit-Scan die Security-Programme wieder einzuschalten!

Lade Dir Gmer von dieser Seite herunter
(auf den Button Download EXE drücken) und das Programm auf dem Desktop speichern.

Gmer ist geeignet für => NT/W2K/XP/VISTA (nur 32Bit).
Alle anderen Programme sollen geschlossen sein.
Starte gmer.exe (hat einen willkürlichen Programm-Namen).
Vista-User mit Rechtsklick und als Administrator starten.
Gmer startet automatisch einen ersten Scan.

Sollte sich ein Fenster mit folgender Warnung öffnen:

Code:

ATTFilter

WARNING !!!
GMER has found system modification, which might have been caused by ROOTKIT activity.
Do you want to fully scan your system?

Unbedingt auf "No" klicken,
in dem Fall über den Save-Button das bisherige Resultat auf dem Desktop als gmer_first.log speichern.

.
Falls das nicht der Fall war, wähle nun den Reiter "Rootkit/Malware",
Hake an: System, Sections, Devices, Modules, Processes, Threads, Libraries, Services, Registry und Files.
Wichtig: "Show all" darf nicht angehakt sein!
Starte den Scan durch Drücken des Buttons "Scan".
Mache nichts am Computer während der Scan läuft (unten links wird angezeigt, was gerade gescannt wird).
Wenn der Scan fertig ist, bleibt die Zeile leer.
Kllicke auf "Save" und speichere das Logfile als gmer.log auf dem Desktop.
Mit "Ok" wird GMER beendet.

Antiviren-Programm und sonstige Scanner wieder einschalten, bevor Du ins Netz gehst!

Nun das Logfile in Code-Tags posten.

dunkelauge · 30.08.2010, 11:53

Code:

ATTFilter

OTL logfile created on: 30.08.2010 12:39:49 - Run 1
OTL by OldTimer - Version 3.2.11.0     Folder = C:\Users\Dunkelauge\Download\Computer retten
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 61,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 440,37 Gb Total Space | 143,14 Gb Free Space | 32,50% Space Free | Partition Type: NTFS
Drive D: | 25,38 Gb Total Space | 4,24 Gb Free Space | 16,73% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: DUNKELAUGE-PC
Current User Name: Dunkelauge
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Dunkelauge\Download\Computer retten\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\DivX\DivX Update\DivXUpdate.exe ()
PRC - C:\Programme\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
PRC - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE (Microsoft Corporation)
PRC - C:\Programme\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Programme\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Programme\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe ()
PRC - C:\Windows\tsnp2uvc.exe ()
PRC - C:\Programme\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Programme\Microsoft Works\WkCalRem.exe (Microsoft® Corporation)
PRC - C:\Windows\System32\PSIService.exe ()
PRC - C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)
PRC - C:\Programme\Common Files\microsoft shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Users\Dunkelauge\Download\Computer retten\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (wlidsvc) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (resetWinService) -- C:\Program Files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe ()
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (ProtexisLicensing) -- C:\Windows\System32\PSIService.exe ()
 
 
========== Driver Services (SafeList) ==========
 
DRV - (Trufos) -- C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys File not found
DRV - (Profos) -- C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys File not found
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (hwdatacard) -- C:\Windows\System32\DRIVERS\ewusbmdm.sys File not found
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek                                            )
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (WINIO) -- C:\Windows\System32\WinIo.sys ()
DRV - (NVHDA) -- C:\Windows\System32\drivers\nvhda32v.sys (NVIDIA Corporation)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (usbaudio) USB-Audiotreiber (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (RTSTOR) -- C:\Windows\System32\drivers\RTSTOR.sys (Realtek Semiconductor Corp.)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics Incorporated)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (SNP2UVC) USB2.0 PC Camera (SNP2UVC) -- C:\Windows\System32\drivers\snp2uvc.sys ()
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (NETw5v32) Intel(R) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (NWUSBPort) -- C:\Windows\System32\drivers\nwusbser.sys (Novatel Wireless Inc.)
DRV - (NWUSBModem) -- C:\Windows\System32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com/
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.08.14 20:45:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.08.28 19:38:22 | 000,000,000 | ---D | M]
 
[2010.01.19 20:59:28 | 000,000,000 | ---D | M] -- C:\Users\Dunkelauge\AppData\Roaming\mozilla\Extensions
[2010.08.28 19:51:34 | 000,000,000 | ---D | M] -- C:\Users\Dunkelauge\AppData\Roaming\mozilla\Firefox\Profiles\pbascmpw.default\extensions
[2010.08.25 21:21:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Dunkelauge\AppData\Roaming\mozilla\Firefox\Profiles\pbascmpw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.01.19 20:59:06 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.08.14 20:45:00 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.08.14 20:45:00 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.08.14 20:45:00 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.08.14 20:45:00 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.08.14 20:45:00 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Programme\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live ID-Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (TerraTec Home Cinema) - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\Programme\TerraTec\TerraTec Home Cinema\ThcDeskBand.dll (TerraTec Electronic GmbH)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Programme\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [MDS_Menu] C:\Program Files\HomeCinema\MediaShow4\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\HomeCinema\PowerDVD8\Language\Language.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Programme\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe File not found
O4 - HKLM..\Run: [tsnp2uvc] C:\Windows\tsnp2uvc.exe ()
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\HomeCinema\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
O4 - HKCU..\Run: [ISUSPM] C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Dunkelauge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysrda32.exe ()
O4 - Startup: C:\Users\Dunkelauge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkcalrem.LNK = C:\Programme\Microsoft Works\WkCalRem.exe (Microsoft® Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} -  File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} -  File not found
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Dunkelauge\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Dunkelauge\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008.08.21 11:50:32 | 000,000,672 | RH-- | M] () - D:\autoexec.bat -- [ FAT32 ]
O33 - MountPoints2\{13da86cc-5efb-11de-8ec2-001f1619d63f}\Shell\AutoRun\command - "" = fvbrkc.exe
O33 - MountPoints2\{13da86cc-5efb-11de-8ec2-001f1619d63f}\Shell\explore\Command - "" = fvbrkc.exe
O33 - MountPoints2\{13da86cc-5efb-11de-8ec2-001f1619d63f}\Shell\open\Command - "" = fvbrkc.exe
O33 - MountPoints2\{3a5c1e22-8da6-11de-971d-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{3a5c1e22-8da6-11de-971d-001f1619d63f}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{3a5c1e3a-8da6-11de-971d-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{3a5c1e3a-8da6-11de-971d-001f1619d63f}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{6971deb4-6479-11de-85a1-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{6971deb4-6479-11de-85a1-001f1619d63f}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{8a1c00c6-6081-11de-9f16-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{8a1c00c6-6081-11de-9f16-001f1619d63f}\Shell\AutoRun\command - "" = G:\starter.exe -- File not found
O33 - MountPoints2\{cd0f9f15-66ff-11de-b812-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{cd0f9f15-66ff-11de-b812-001f1619d63f}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010.08.30 11:15:16 | 000,000,000 | ---D | C] -- C:\!KillBox
[2010.08.14 20:49:52 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010.08.14 20:49:51 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010.08.14 20:49:51 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010.08.14 20:49:51 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010.08.14 20:49:51 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010.08.14 20:49:51 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010.08.14 20:49:51 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010.08.14 20:49:50 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010.08.14 20:49:50 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010.08.14 20:49:50 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010.08.14 20:49:50 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010.08.14 20:49:50 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010.08.14 20:49:50 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010.08.14 20:49:50 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010.08.14 20:49:49 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010.08.14 20:49:47 | 000,081,920 | ---- | C] (Radius Inc.) -- C:\Windows\System32\iccvid.dll
[2010.08.14 20:49:38 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rtutils.dll
[2010.08.14 20:49:36 | 003,600,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010.08.14 20:49:36 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010.08.14 20:49:24 | 002,037,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009.02.27 19:17:28 | 000,225,280 | ---- | C] ( ) -- C:\Windows\System32\rsnp2uvc.dll
[2009.02.27 19:17:27 | 000,176,128 | ---- | C] ( ) -- C:\Windows\System32\csnp2uvc.dll
[2004.11.24 20:25:52 | 000,335,872 | ---- | C] ( ) -- C:\Windows\System32\drvc.dll
 
========== Files - Modified Within 30 Days ==========
 
[2010.08.30 12:42:24 | 000,765,952 | ---- | M] () -- C:\Windows\System32\drivers\fkuzha.sys
[2010.08.30 12:41:01 | 002,359,296 | -HS- | M] () -- C:\Users\Dunkelauge\NTUSER.DAT
[2010.08.30 12:38:37 | 000,000,748 | ---- | M] () -- C:\Users\Dunkelauge\Desktop\OTL - Verknüpfung.lnk
[2010.08.30 12:36:35 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010.08.30 12:36:24 | 000,387,244 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010.08.30 12:36:24 | 000,387,244 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010.08.30 12:36:23 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010.08.30 12:36:21 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.08.30 11:33:17 | 001,504,798 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.08.30 11:33:17 | 000,642,710 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.08.30 11:33:17 | 000,607,668 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.08.30 11:33:17 | 000,132,236 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.08.30 11:33:17 | 000,108,940 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.08.30 11:13:13 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010.08.30 11:13:10 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.08.30 11:13:09 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.08.30 11:13:09 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.08.30 11:12:07 | 000,524,288 | -HS- | M] () -- C:\Users\Dunkelauge\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010.08.30 11:12:07 | 000,065,536 | -HS- | M] () -- C:\Users\Dunkelauge\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010.08.30 11:11:58 | 003,721,758 | -H-- | M] () -- C:\Users\Dunkelauge\AppData\Local\IconCache.db
[2010.08.29 00:16:15 | 308,239,576 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010.08.28 23:41:23 | 000,000,016 | ---- | M] () -- C:\Users\Dunkelauge\AppData\Roaming\hngmfc.dat
[2010.08.28 23:41:20 | 000,000,004 | ---- | M] () -- C:\Users\Dunkelauge\AppData\Roaming\avdrn.dat
[2010.08.25 21:16:40 | 000,400,792 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010.08.14 20:59:25 | 000,001,050 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2010.08.14 20:58:04 | 000,000,264 | ---- | M] () -- C:\Windows\win.ini
 
========== Files Created - No Company Name ==========
 
[2010.08.30 12:38:37 | 000,000,748 | ---- | C] () -- C:\Users\Dunkelauge\Desktop\OTL - Verknüpfung.lnk
[2010.08.28 23:41:54 | 000,765,952 | ---- | C] () -- C:\Windows\System32\drivers\fkuzha.sys
[2010.08.28 23:41:23 | 000,000,016 | ---- | C] () -- C:\Users\Dunkelauge\AppData\Roaming\hngmfc.dat
[2010.08.28 23:41:20 | 000,000,004 | ---- | C] () -- C:\Users\Dunkelauge\AppData\Roaming\avdrn.dat
[2010.07.26 15:42:29 | 000,000,098 | ---- | C] () -- C:\Users\Dunkelauge\AppData\Local\fusioncache.dat
[2010.04.09 15:38:57 | 000,000,008 | RHS- | C] () -- C:\Windows\System32\E9EA0C8E6F.sys
[2009.12.03 09:27:28 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009.10.29 14:18:32 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009.10.29 10:40:13 | 000,000,781 | ---- | C] () -- C:\Windows\QIII.INI
[2009.08.20 16:06:02 | 000,138,056 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2009.08.20 16:06:02 | 000,138,056 | ---- | C] () -- C:\Users\Dunkelauge\AppData\Roaming\PnkBstrK.sys
[2009.08.05 22:59:22 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2009.08.05 22:59:22 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2009.07.30 23:28:12 | 000,009,336 | ---- | C] () -- C:\Windows\System32\WinIo.sys
[2009.06.29 23:29:27 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009.06.29 10:19:50 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.06.22 07:48:06 | 000,000,680 | ---- | C] () -- C:\Users\Dunkelauge\AppData\Local\d3d9caps.dat
[2009.06.20 18:42:49 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI
[2009.06.19 09:08:04 | 000,027,503 | ---- | C] () -- C:\Users\Dunkelauge\AppData\Roaming\UserTile.png
[2009.06.18 22:26:55 | 000,000,950 | ---- | C] () -- C:\Users\Dunkelauge\AppData\Roaming\wklnhst.dat
[2009.06.18 22:06:26 | 000,214,528 | ---- | C] () -- C:\Users\Dunkelauge\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.02.27 19:17:28 | 001,799,808 | ---- | C] () -- C:\Windows\System32\drivers\snp2uvc.sys
[2009.02.27 19:17:28 | 000,028,544 | ---- | C] () -- C:\Windows\System32\drivers\sncduvc.sys
[2009.02.27 19:17:28 | 000,015,497 | ---- | C] () -- C:\Windows\snp2uvc.ini
[2009.02.26 22:09:31 | 000,002,828 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2009.02.26 22:09:31 | 000,000,008 | RHS- | C] () -- C:\Windows\System32\F928A0FA17.sys
[2008.12.19 16:15:58 | 004,338,246 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
[2008.12.17 18:41:18 | 000,884,237 | ---- | C] () -- C:\Windows\System32\ff_x264.dll
[2008.12.17 18:22:58 | 000,093,184 | ---- | C] () -- C:\Windows\System32\ff_wmv9.dll
[2008.12.17 18:22:48 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008.12.17 18:17:34 | 000,239,247 | ---- | C] () -- C:\Windows\System32\ff_theora.dll
[2008.12.17 17:59:54 | 000,560,802 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
[2008.12.11 12:27:02 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2004.10.03 18:50:54 | 000,129,024 | ---- | C] () -- C:\Windows\System32\ff_mpeg2enc.dll
[2003.02.20 17:53:42 | 000,005,702 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
 
========== LOP Check ==========
 
[2010.04.20 09:09:05 | 000,000,000 | ---D | M] -- C:\Users\Dunkelauge\AppData\Roaming\Canon
[2009.10.29 14:26:29 | 000,000,000 | ---D | M] -- C:\Users\Dunkelauge\AppData\Roaming\DAEMON Tools Lite
[2009.08.06 09:57:59 | 000,000,000 | ---D | M] -- C:\Users\Dunkelauge\AppData\Roaming\GetRightToGo
[2009.06.18 22:27:07 | 000,000,000 | ---D | M] -- C:\Users\Dunkelauge\AppData\Roaming\Template
[2009.08.24 20:55:26 | 000,000,000 | ---D | M] -- C:\Users\Dunkelauge\AppData\Roaming\TerraTec
[2010.07.26 16:34:45 | 000,000,000 | ---D | M] -- C:\Users\Dunkelauge\AppData\Roaming\Turbine
[2009.08.27 09:39:35 | 000,000,000 | ---D | M] -- C:\Users\Dunkelauge\AppData\Roaming\Ubisoft
[2010.08.30 11:12:03 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
< End of report >

Das ist das erste. Ich hoffe ich habe das mit den Tags richtig gemacht. Bei der Scannung durch OLT kam der Hinweis das in device/harddisk1/dr2 kein Datenträger eingelegt sei....??? keine Ahnung was das seien soll. Ich musste 20 mal weiter klicken damit es weiter ging. Das andere Rootkit Teil kommt noch. thx bis hierhin schonmal

Swisstreasure · 30.08.2010, 12:13

Mach einfach bei GMER weiter

Zudem fehlt noch das zweite Log von OTL. Die Extra.txt Datei.

dunkelauge · 30.08.2010, 12:35

Code:

ATTFilter

OTL Extras logfile created on: 30.08.2010 12:39:49 - Run 1
OTL by OldTimer - Version 3.2.11.0     Folder = C:\Users\Dunkelauge\Download\Computer retten
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 61,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 440,37 Gb Total Space | 143,14 Gb Free Space | 32,50% Space Free | Partition Type: NTFS
Drive D: | 25,38 Gb Total Space | 4,24 Gb Free Space | 16,73% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: DUNKELAUGE-PC
Current User Name: Dunkelauge
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3764859617-661198273-3725510385-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01333330-70D5-437B-B503-74D9DC63B74E}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{079B8D58-1E84-42F3-A41B-E534AC2608C2}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{2392A8AA-02F0-48ED-B048-E06CBCB2390A}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{2F828256-A407-4A9C-8EBA-0045EBB63B5E}" = lport=445 | protocol=6 | dir=in | app=system | 
"{327C65E6-49A1-4537-AD4E-AADE73777077}" = rport=445 | protocol=6 | dir=out | app=system | 
"{32D31E20-98A6-4D9D-912C-192CBB3DFC62}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 
"{3DC69901-4CD6-487D-97C4-CC34B3085791}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{3E34781A-9002-45EA-B2E0-8186D631C105}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{41BB6952-B2E2-4D80-9BD4-7BF345236CF5}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 
"{48D0BBE8-0334-45E2-BE86-82F244179329}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{541F1FD7-B18F-4CDC-80CD-7D06F6D81ED3}" = rport=137 | protocol=17 | dir=out | app=system | 
"{59A58A36-2D16-41A6-9722-1EDA128C9724}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{5BE98124-6C9C-45C8-9768-E798FCCCF02A}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 
"{5FF4815F-F49C-42B0-901F-3B48DF18C0D3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{62DB44D3-55FB-48D0-A784-693A2CAE4D80}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{738E122A-0FB4-4610-87F1-EF6EB53BBFD9}" = lport=139 | protocol=6 | dir=in | app=system | 
"{78EADD69-0E7F-48C7-9A51-4EE2A4430159}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{7E19A8CD-4221-48D7-8680-553FAAABF310}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{825EE2CF-8BA0-4BFB-939A-0C80AF24A0A3}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{85671699-4EC4-49A9-A1E5-3E9AB68532E7}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{8C1BA6B4-50B4-4F77-8318-B49D6039C527}" = rport=2869 | protocol=6 | dir=out | app=system | 
"{91B736F7-B7EC-4CCE-A35E-061A1ADC16AF}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{94EF7593-F742-42C0-8DC7-65D14473B5EA}" = rport=139 | protocol=6 | dir=out | app=system | 
"{A564B61F-492E-4114-ABBD-25131B9652F3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | 
"{A58133DB-6AD3-409D-A191-62397626FF2B}" = lport=138 | protocol=17 | dir=in | app=system | 
"{AEED8DBE-66EF-471E-A439-65104F61BA8F}" = lport=137 | protocol=17 | dir=in | app=system | 
"{B0A9B79B-5A10-4632-875C-878226F7CE0E}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{BC6522EF-BC4E-4B49-AA86-4E91CD54C110}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{BE4054F6-2320-4BB1-8158-5840CCAE1409}" = rport=138 | protocol=17 | dir=out | app=system | 
"{BF840634-038D-444C-BC29-C71FFD053E3C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{C2588011-6A28-4C29-ACB3-888E3E77C628}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{C58907DA-866D-40E9-94F4-0A79D7FE6202}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{C90DE755-AC5A-48CE-9A79-77608B8D396B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=datei- und druckerfreigabe (spoolerdienst - rpc-epmap) | 
"{CC75EACF-EA4A-4175-B5A7-1A5295FECD41}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 
"{E1CECDEF-AD8C-4D9F-B923-CBC3AF851761}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{F75A6947-74AE-4A8C-B187-01CC92AAEAE2}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{FC521FF4-E94A-40B6-BF72-81642B6865F7}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=c:\windows\system32\spoolsv.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{012C2316-BB39-474E-A162-294D1B31AAAC}" = protocol=17 | dir=in | app=c:\program files\terratec\terratec home cinema\versioncheck\versioncheck.exe | 
"{08ABBACA-BE32-409B-910B-49F47E597E9C}" = protocol=6 | dir=in | app=c:\program files\terratec\terratec home cinema\cinergydvr.exe | 
"{0FEF4989-76E9-4FDA-841C-B651EA3B8943}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | 
"{1010072B-2998-4041-93A2-45F992F66048}" = protocol=6 | dir=in | app=c:\spiele\hellgate\launcher.exe | 
"{2287277F-56A5-4C8D-866A-B8927A1D3469}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{22B49E40-2019-48C5-8C84-AE2D01B51216}" = protocol=6 | dir=in | app=c:\program files\terratec\terratec home cinema\versioncheck\versioncheck.exe | 
"{28C15D13-16F3-4324-8BC7-745B8F1F13A7}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | 
"{36561DA4-5EA0-4A5A-8617-074666EA1CE7}" = protocol=17 | dir=in | app=c:\program files\terratec\terratec home cinema\versioncheck\versioncheck.exe | 
"{36D81714-4454-4340-BAF6-0761F439B91D}" = protocol=6 | dir=in | app=c:\program files\terratec\terratec home cinema\tvtvsetup\tvtv_wizard.exe | 
"{389B6D87-1457-4303-9BDC-0498C6FA74B8}" = protocol=6 | dir=in | app=c:\program files\terratec\terratec home cinema\insttool.exe | 
"{38D89F63-AB01-408A-9CD7-C649E3376F65}" = protocol=17 | dir=in | app=c:\spiele\hellgate\launcher.exe | 
"{48D7CD61-BA30-42C6-B8C5-F069BAED46C6}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{494BCAE4-A7B1-439D-8D1D-8A9F111EBA60}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{4A84B039-9ED0-4824-AD1D-8D17A0A677F7}" = protocol=58 | dir=out | name=datei- und druckerfreigabe (echoanforderung - icmpv6 ausgehend) | 
"{4DB4CD89-550E-4313-903F-3F039C4DF492}" = protocol=17 | dir=in | app=c:\program files\terratec\terratec home cinema\tvtvsetup\tvtv_wizard.exe | 
"{4E4C391B-25A3-4E1A-96B7-ADF232896C7C}" = protocol=17 | dir=in | app=c:\program files\my winpopup express 2009\mywpe.exe | 
"{4FDCEABE-3FC6-4581-87FD-621EAC7F5A4B}" = protocol=6 | dir=out | app=system | 
"{59125384-0046-410A-9E3A-2712CCF9A372}" = protocol=6 | dir=in | app=c:\program files\terratec\terratec home cinema\insttool.exe | 
"{5C9821E6-7826-4082-9D6B-6820A1A02EA2}" = protocol=17 | dir=in | app=c:\program files\terratec\terratec home cinema\insttool.exe | 
"{5E6D0C49-70E8-4417-84AC-74AD1D18F721}" = dir=in | app=c:\program files\homecinema\powerdirector\pdr.exe | 
"{692BE51F-D2F4-4FB6-8435-0439AC9CB0C4}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{6B3643C8-0CC5-4349-AD76-91EAABC00A6E}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 | 
"{75B5ADF5-4349-4151-AEBF-8F1258CC9804}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe | 
"{78AD1499-AC13-4FD6-96BF-666602FE31F9}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{7D00DBF5-0A77-4279-B82D-32D24FEEC257}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{7F912898-C366-44B9-AC82-EF948C61652D}" = protocol=1 | dir=out | name=datei- und druckerfreigabe (echoanforderung - icmpv4 ausgehend) | 
"{8469803C-547B-4D6C-9F8D-2C12202F24B6}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe | 
"{87A8B285-A7DF-4C81-9A69-C64092580ABC}" = protocol=6 | dir=in | app=c:\program files\terratec\terratec home cinema\tvtvsetup\tvtv_wizard.exe | 
"{8BF174F9-7389-431A-B943-E2E01E4CDD39}" = protocol=6 | dir=in | app=c:\spiele\steam\steam.exe | 
"{8F64FCCD-58C5-4919-859C-561589DF9C5D}" = protocol=17 | dir=in | app=c:\spiele\steam\steam.exe | 
"{8F70441F-AF7B-49AB-B983-90FF14E8A29D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{8F74A033-DBEF-4E6E-B0B6-9E1EBB047D72}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{9EDFA0EF-A1F4-4BB2-BAC4-3BEF09F14C2C}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe | 
"{9EE419C5-1423-4801-8006-4183FAE98368}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{A62E1FC5-DDA4-4CE8-AC28-D3FDA5F134B4}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe | 
"{AE17506D-032F-4F66-B086-D0846FD7478D}" = protocol=1 | dir=in | name=datei- und druckerfreigabe (echoanforderung - icmpv4 eingehend) | 
"{AF9FDBA0-22F3-4B80-A595-5368E084689E}" = protocol=58 | dir=in | name=datei- und druckerfreigabe (echoanforderung - icmpv6 eingehend) | 
"{B3E84AB9-8E58-430C-92B0-AACDFCEC1F68}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{B3F66B9D-BDA6-419F-BBBA-48CEBD2BE75E}" = protocol=6 | dir=in | app=c:\program files\terratec\terratec home cinema\versioncheck\versioncheck.exe | 
"{B61348A2-44F3-4360-9515-FCDD2237DEBD}" = protocol=17 | dir=in | app=c:\program files\terratec\terratec home cinema\cinergydvr.exe | 
"{B8276A8F-8B82-4686-B463-A4F63BE94BAF}" = dir=in | app=c:\program files\homecinema\powerdvd8\powerdvd8.exe | 
"{BE4EF955-5726-4A07-99AE-A926F9E07E77}" = protocol=17 | dir=in | app=c:\program files\terratec\terratec home cinema\insttool.exe | 
"{BF2B6BA8-91A2-457F-9088-B909B2BF7439}" = protocol=6 | dir=in | app=c:\program files\my winpopup express 2009\mywpe.exe | 
"{C7B926D9-01A1-404F-8951-5AEDA1E14F58}" = protocol=6 | dir=in | app=c:\program files\terratec\terratec home cinema\cinergydvr.exe | 
"{CC9CB85B-B06F-4A28-86EE-DE0DAD875748}" = protocol=6 | dir=in | app=c:\program files\terratec\terratec home cinema\cinergydvr.exe | 
"{CDE3302B-FBC7-4CBE-B283-E24A91521F1E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{CEB3F5F3-F251-4156-BB84-38166A7B136F}" = protocol=17 | dir=in | app=c:\program files\terratec\terratec home cinema\tvtvsetup\tvtv_wizard.exe | 
"{CF009D1B-43EC-4E65-86B1-B1CD9873EC9B}" = protocol=17 | dir=in | app=c:\program files\terratec\terratec home cinema\cinergydvr.exe | 
"{DB872373-8577-4F9D-AFC4-6F74DEB8096B}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | 
"{E19A2A6C-6B21-4DCD-B6EE-F9E5924986F8}" = protocol=17 | dir=in | app=c:\program files\terratec\terratec home cinema\cinergydvr.exe | 
"{E8DD9389-2F24-487D-949F-4512DE369A83}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 
"{F3270C14-0F27-4620-A1B2-C5DB35C378D4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{FE10739C-9BEB-4A33-B7CF-3050DE50256E}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"TCP Query User{28027A67-4FB5-4AF1-8F0E-35B3FA748131}C:\spiele\texas hold'em poker 3d - deluxe edition\poker3d.exe" = protocol=6 | dir=in | app=c:\spiele\texas hold'em poker 3d - deluxe edition\poker3d.exe | 
"TCP Query User{30383A3A-4009-4EA4-96EF-EDA38A532F7F}C:\spiele\left for dead2\left4dead2.exe" = protocol=6 | dir=in | app=c:\spiele\left for dead2\left4dead2.exe | 
"TCP Query User{46C53F03-743C-4863-A565-DB4D8A35316C}C:\spiele\battlefied\bfvietnam.exe" = protocol=6 | dir=in | app=c:\spiele\battlefied\bfvietnam.exe | 
"TCP Query User{6D6A7E33-A994-4DA3-922E-45732BEE0197}C:\spiele\quake3\quake3.exe" = protocol=6 | dir=in | app=c:\spiele\quake3\quake3.exe | 
"UDP Query User{05659F05-8229-45CD-8B9F-D4F184700775}C:\spiele\left for dead2\left4dead2.exe" = protocol=17 | dir=in | app=c:\spiele\left for dead2\left4dead2.exe | 
"UDP Query User{32ADB1AA-27B4-4490-A8B8-BE1A6AE8E076}C:\spiele\battlefied\bfvietnam.exe" = protocol=17 | dir=in | app=c:\spiele\battlefied\bfvietnam.exe | 
"UDP Query User{77D47287-75E6-4F11-81F0-60FAEDD57B14}C:\spiele\texas hold'em poker 3d - deluxe edition\poker3d.exe" = protocol=17 | dir=in | app=c:\spiele\texas hold'em poker 3d - deluxe edition\poker3d.exe | 
"UDP Query User{999ACBCD-1DFF-4950-913C-FAF9B679D35D}C:\spiele\quake3\quake3.exe" = protocol=17 | dir=in | app=c:\spiele\quake3\quake3.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0153A77C-A981-4A1F-BAA9-16A80FBC358A}" = Full Spectrum Warrior
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0513EE35-E0FB-4166-B663-BD1AE3A803DE}" = Anno 1404
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID-Anmelde-Assistent
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP560_series" = Canon MP560 series MP Drivers
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 12
"{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = USB Video Device
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{47948554-90C6-4AAC-8CFA-D23CE11C1031}" = Nero 8 Essentials
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{63B9BAB5-F36A-4A3B-9E5C-68A7F212BFB9}" = TerraTec Home Cinema
"{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = 
"{80E158EA-7181-40FE-A701-301CE6BE64AB}" = CyberLink MediaShow
"{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer
"{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}" = Windows Live Messenger
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync
"{8DC910CD-8EE3-4ffc-A4EB-9B02701059C4}" = Battlefield Heroes
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A062A15F-9CAC-4B88-98DF-87628A0BD721}" = Corel MediaOne
"{A2B4455D-1046-4732-BFBC-0821BEFC07BC}" = Hellgate: London
"{A334F1BA-0A1D-4ED6-B4F9-4066157CA15D}" = DE
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.4 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = CyberLink PowerProducer
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials
"{E35B3C63-E958-4E31-A178-95D22024109A}" = Battlefield Vietnam(TM)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"4f6dcc3b-179d-4b1b-80f0-b6083a0b3ce6_is1" = Der Herr der Ringe Online: Die Belagerung des Düsterwalds v03.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Badaboom" = Badaboom 1.1.1.194
"Canon MP560 series Benutzerregistrierung" = Canon MP560 series Benutzerregistrierung
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"De_Blob_EN" = De Blob (alleen verwijderen)
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup.divx.com" = DivX-Setup
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"GeoGebra" = GeoGebra
"Google Updater" = Google Updater
"Guild Wars" = GUILD WARS
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}" = CyberLink MediaShow
"InstallShield_{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = CyberLink PowerProducer
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PKR" = PKR
"PunkBusterSvc" = PunkBuster Services
"Quake III Arena" = Quake III Arena
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"TUGZip_is1" = TUGZip 3.5
"Unlocker" = Unlocker 1.8.7
"VLC media player" = VLC media player 1.0.0
"WinLiveSuite_Wave3" = Windows Live Essentials
"XP Codec Pack" = XP Codec Pack
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 29.08.2010 15:28:53 | Computer Name = Dunkelauge-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 30.08.2010 04:55:43 | Computer Name = Dunkelauge-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 30.08.2010 04:55:43 | Computer Name = Dunkelauge-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 30.08.2010 04:55:48 | Computer Name = Dunkelauge-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 30.08.2010 05:07:24 | Computer Name = Dunkelauge-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 30.08.2010 05:07:24 | Computer Name = Dunkelauge-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 30.08.2010 05:08:08 | Computer Name = Dunkelauge-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 30.08.2010 05:13:54 | Computer Name = Dunkelauge-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 30.08.2010 05:13:54 | Computer Name = Dunkelauge-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 30.08.2010 05:13:56 | Computer Name = Dunkelauge-PC | Source = WinMgmt | ID = 10
Description = 
 
[ System Events ]
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 30.08.2010 06:36:26 | Computer Name = Dunkelauge-PC | Source = Service Control Manager | ID = 7000
Description = 
 
 
< End of report >

und

Code:

ATTFilter

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit quick scan 2010-08-30 13:19:59
Windows 6.0.6002 Service Pack 2
Running: ez5dte2d.exe; Driver: C:\Users\DUNKEL~1\AppData\Local\Temp\kxlyraob.sys


---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                   850E90C8
Device          \FileSystem\Ntfs \Ntfs                   859221F8
Device          \FileSystem\fastfat \Fat                 904271F8

AttachedDevice  \FileSystem\fastfat \Fat                 fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service          (*** hidden *** )                       [BOOT] fkuzha                                                             <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Den Scan von GMER kann ich nicht senden da er nicht durchgeht. Wenn unten in der Zeile steht device/Harddisk/VolumeShadowCopy1 stürzt GMER ab.

So weit....

Swisstreasure · 30.08.2010, 12:47

Schritt 1

CD-Emulatoren mit DeFogger deaktivieren

Du hast CD-Emulatoren wie Alcohol, DaemonTools oder ähnliche auf diesem Computer installiert. Da diese Emulatoren mit Rootkit-Technik arbeiten, können sie die Fahndung nach bösartigen Rootkits verfälschen und erschweren. Aus diesem Grund bitte entweder das folgende Tool zum Deaktivieren laufen lassen oder die Software über Systemsteuerung => Software/Programme deinstallieren. Berichte mir, für welche Variante Du Dich entschieden hast. Die Deaktivierung können wir nach der Bereinigung rückgängig machen.

Lade DeFogger herunter und speichere es auf Deinem Desktop.

Doppelklicke DeFogger, um das Tool zu starten.

Es öffnet sich das Programm-Fenster des Tools.
Klick auf den Button Disable, um die CD- Emulation-Treiber zu deaktivieren.
Klicke Ja, um fortzufahren.
Wenn die Nachricht 'Finished!' erscheint,
klicke OK.
DeFogger wird nun einen Reboot erfragen - klicke OK
Poste mir das defogger_disable.log hier in den Thread.

Keinesfalls die Treiber reaktivieren, bevor es angewiesen wird.

Schritt 2

Lade den Avenger herunter und entzippe ihn auf den Desktop. Nicht gezippt direkt als EXE ist der Avenger hier erhältlich.

Starte die avenger.exe durch Doppelklick und akzeptiere mit OK die Nutzungsbedingungen. Füge den Inhalt der folgenden Codebox vollständig und unverändert bei "Input script here" ein und klicke auf "Execute". Beantworte die Frage, ob Du sicher bist, dass das Skript ausgeführt werden soll mit "Ja".

Code:

ATTFilter

Drivers to disable: 
fkuzha

Drivers to delete:
fkuzha

Files to delete:
C:\Windows\System32\drivers\fkuzha.sys

Beantworte die Frage zum Neustart des Rechners (Reboot now?) ebenfalls mit "Ja". Nachdem der Rechner neu gestartet ist (das kann auch zweimal nötig sein und passieren!) und das DOS-Fenster, das der Avenger geöffnet hat, wieder geschlossen ist, öffnet Avenger Deinen Editor mit dem Avengerlog, zu finden auch unter C:\avenger.txt. Den Inhalt bitte posten. Ein Backup der entfernten Objekte wurde als C:\avenger\backup.zip angelegt.

Schritt 3

Fixen mit OTL

Starte die OTL.exe.
Vista und Windows 7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen.
Kopiere folgendes Skript:

Code:

ATTFilter

:OTL
DRV - (Trufos) -- C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys File not found
DRV - (Profos) -- C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys File not found
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (hwdatacard) -- C:\Windows\System32\DRIVERS\ewusbmdm.sys File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O32 - AutoRun File - [2008.08.21 11:50:32 | 000,000,672 | RH-- | M] () - D:\autoexec.bat -- [ FAT32 ]
O33 - MountPoints2\{13da86cc-5efb-11de-8ec2-001f1619d63f}\Shell\AutoRun\command - "" = fvbrkc.exe
O33 - MountPoints2\{13da86cc-5efb-11de-8ec2-001f1619d63f}\Shell\explore\Command - "" = fvbrkc.exe
O33 - MountPoints2\{13da86cc-5efb-11de-8ec2-001f1619d63f}\Shell\open\Command - "" = fvbrkc.exe
O33 - MountPoints2\{3a5c1e22-8da6-11de-971d-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{3a5c1e22-8da6-11de-971d-001f1619d63f}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{3a5c1e3a-8da6-11de-971d-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{3a5c1e3a-8da6-11de-971d-001f1619d63f}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{6971deb4-6479-11de-85a1-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{6971deb4-6479-11de-85a1-001f1619d63f}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{8a1c00c6-6081-11de-9f16-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{8a1c00c6-6081-11de-9f16-001f1619d63f}\Shell\AutoRun\command - "" = G:\starter.exe -- File not found
O33 - MountPoints2\{cd0f9f15-66ff-11de-b812-001f1619d63f}\Shell - "" = AutoRun
O33 - MountPoints2\{cd0f9f15-66ff-11de-b812-001f1619d63f}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
[2010.04.09 15:38:57 | 000,000,008 | RHS- | C] () -- C:\Windows\System32\E9EA0C8E6F.sys
:Commands
[purity]
[emptytemp]

und füge es hier ein:
Schließe alle Programme.
Klicke auf den Fix Button.
Klick auf .
OTL verlangt einen Neustart. Bitte zulassen.
Nach dem Neustart findest Du ein Textdokument.
Kopiere den Inhalt hier in Code-Tags in Deinen Thread.

Schritt 4

Datei-Überprüfung

Folgende Datei/en (siehe Codebox) bei VirusTotal online überprüfen lassen. Dafür musst Du jede Datei einzeln über den Button "Durchsuchen" und "Senden der Datei" nach VirusTotal hochladen und prüfen lassen. Wenn VirusTotal die Datei empfangen hat, wird sie diese mit mehreren Anti-Virus-Scannern prüfen und die Ergebnisse anzeigen. Sollte VirusTotal melden, dass die Datei bereits überpüft wurde, lasse sie trotzdem über den Button "Analysiere die Datei" erneut prüfen.

Wenn das Ergebnis vorliegt, den kleinen Button "Filter" links oberhalb der Ergebnisse drücken, dann das Ergebnis (egal wie es aussieht und dabei auch die Zeilen mit Namen und Größe der Datei, MD5 und SHA1 kopieren) hier posten. Solltest Du die Datei/en nicht finden oder hochladen können, dann teile uns das ebenfalls mit. Solltest Du die Datei/en nicht finden, überprüfe, ob folgende Einstellungen richtig gesetzt sind.

Code:

ATTFilter

c:\windows\System32\F928A0FA17.sys

Schritt 5

MBR mit MBRCheck prüfen

Lade MBRCheck.exe herunter und speichere das Tool auf deinem Desktop (nicht woanders hin).
XP Benutzer: Doppelklick auf die MBRCheck.exe, um das Tool zu starten.
Vista und Windows 7 Benutzer: Rechtsklick auf die MBRCheck.exe und Als Administrator starten wählen.
Es wird sich ein Eingabe-Fenster mit einigen Angaben öffnen.

Wenn der Scan beendet ist, was mit Done! gemeldet wird, klicke Enter, um das Eingabe-Fenster zu schließen.
Poste mir den Inhalt von MBRCheck_<datum>.txt vom Desktop hier in den Thread.

dunkelauge · 30.08.2010, 13:35

Code:

ATTFilter

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:23 on 30/08/2010 (Dunkelauge)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read fkuzha.sys
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-

Ich wollte Deamon eig. deinstallieren, ging aber nicht da nur Deamon Tools Toolbar angezeigt wird unter Software. Selbst das kann ich nicht deinstallieren da die Datei nicht gefunden wird...hab dann also debugger benutzt.

dunkelauge · 30.08.2010, 13:46

Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

Code:

ATTFilter

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "fkuzha" disabled successfully.
Driver "fkuzha" deleted successfully.
File "C:\Windows\System32\drivers\fkuzha.sys" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Nach dem runterfahren gab es erstmal nen fetten bluescreen...jetzt wir mein Bildschirm von der Meldung von cmd.exe beherrscht: "Es befindet sich kein Datenträger im Laufwerk. Legen Sie einen Datent. in Laufwerk \device\Harddisk1\DR1 ein. " Weitermachen im Programm, also Schritt 3?

dunkelauge · 30.08.2010, 14:07

Code:

ATTFilter

All processes killed
========== OTL ==========
Service Trufos stopped successfully!
Service Trufos deleted successfully!
File  C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys File not found not found.
Service Profos stopped successfully!
Service Profos deleted successfully!
File  C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys File not found not found.
Service NwlnkFwd stopped successfully!
Service NwlnkFwd deleted successfully!
File  C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found not found.
Service NwlnkFlt stopped successfully!
Service NwlnkFlt deleted successfully!
File  C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found not found.
Service IpInIp stopped successfully!
Service IpInIp deleted successfully!
File  C:\Windows\System32\DRIVERS\ipinip.sys File not found not found.
Service hwdatacard stopped successfully!
Service hwdatacard deleted successfully!
File  C:\Windows\System32\DRIVERS\ewusbmdm.sys File not found not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
D:\autoexec.bat moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{13da86cc-5efb-11de-8ec2-001f1619d63f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13da86cc-5efb-11de-8ec2-001f1619d63f}\ not found.
File fvbrkc.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{13da86cc-5efb-11de-8ec2-001f1619d63f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13da86cc-5efb-11de-8ec2-001f1619d63f}\ not found.
File fvbrkc.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{13da86cc-5efb-11de-8ec2-001f1619d63f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13da86cc-5efb-11de-8ec2-001f1619d63f}\ not found.
File fvbrkc.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a5c1e22-8da6-11de-971d-001f1619d63f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3a5c1e22-8da6-11de-971d-001f1619d63f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a5c1e22-8da6-11de-971d-001f1619d63f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3a5c1e22-8da6-11de-971d-001f1619d63f}\ not found.
File G:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a5c1e3a-8da6-11de-971d-001f1619d63f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3a5c1e3a-8da6-11de-971d-001f1619d63f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a5c1e3a-8da6-11de-971d-001f1619d63f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3a5c1e3a-8da6-11de-971d-001f1619d63f}\ not found.
File G:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6971deb4-6479-11de-85a1-001f1619d63f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6971deb4-6479-11de-85a1-001f1619d63f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6971deb4-6479-11de-85a1-001f1619d63f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6971deb4-6479-11de-85a1-001f1619d63f}\ not found.
File H:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a1c00c6-6081-11de-9f16-001f1619d63f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8a1c00c6-6081-11de-9f16-001f1619d63f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a1c00c6-6081-11de-9f16-001f1619d63f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8a1c00c6-6081-11de-9f16-001f1619d63f}\ not found.
File G:\starter.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cd0f9f15-66ff-11de-b812-001f1619d63f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cd0f9f15-66ff-11de-b812-001f1619d63f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cd0f9f15-66ff-11de-b812-001f1619d63f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cd0f9f15-66ff-11de-b812-001f1619d63f}\ not found.
File H:\LaunchU3.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
C:\Windows\System32\E9EA0C8E6F.sys moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Dunkelauge
->Temp folder emptied: 105270130 bytes
->Temporary Internet Files folder emptied: 6820638 bytes
->Java cache emptied: 650631 bytes
->FireFox cache emptied: 49312326 bytes
->Flash cache emptied: 18760 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 30470686 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 184,00 mb
 
 
OTL by OldTimer - Version 3.2.11.0 log created on 08302010_150215

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Muss leider jetzt erst mal weg. bis später, danke schonmal, (is es eig. ein Virus?)

Swisstreasure · 30.08.2010, 14:09

Mach bei Schritt 4 weiter

dunkelauge · 30.08.2010, 16:06

Die Datei F928A0FA17.sys gibt es nicht in meinem sytem32 Ordner

Swisstreasure · 30.08.2010, 17:00

Kannst Du auf Deinem Computer alle Dateien und Datei-Endungen sehen? Falls nein, bitte diese Einstellungen in den Ordneroptionen vornehmen.
Auch so findest Du sie nicht?

Dann mach noch Schritt 5.

dunkelauge · 30.08.2010, 18:42

Soooo..

Code:

ATTFilter

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:			
Windows Version:		Windows Vista Home Premium Edition
Windows Information:		Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer:	MEDION
BIOS Manufacturer:		Phoenix Technologies LTD
System Manufacturer:		MEDION
System Product Name:		P6618
Logical Drives Mask:		0x0000009c

Kernel Drivers (total 145):
  0x82201000 \SystemRoot\system32\ntkrnlpa.exe
  0x825BA000 \SystemRoot\system32\hal.dll
  0x8040C000 \SystemRoot\system32\kdcom.dll
  0x80413000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
  0x80483000 \SystemRoot\system32\PSHED.dll
  0x80494000 \SystemRoot\system32\BOOTVID.dll
  0x8049C000 \SystemRoot\system32\CLFS.SYS
  0x804DD000 \SystemRoot\system32\CI.dll
  0x80608000 \SystemRoot\system32\drivers\Wdf01000.sys
  0x80684000 \SystemRoot\system32\drivers\WDFLDR.SYS
  0x80691000 \SystemRoot\system32\drivers\acpi.sys
  0x806D7000 \SystemRoot\system32\drivers\WMILIB.SYS
  0x806E0000 \SystemRoot\system32\drivers\msisadrv.sys
  0x806E8000 \SystemRoot\system32\drivers\pci.sys
  0x8070F000 \SystemRoot\System32\drivers\partmgr.sys
  0x8071E000 \SystemRoot\system32\DRIVERS\compbatt.sys
  0x80721000 \SystemRoot\system32\DRIVERS\BATTC.SYS
  0x8072B000 \SystemRoot\system32\drivers\volmgr.sys
  0x8073A000 \SystemRoot\System32\drivers\volmgrx.sys
  0x80784000 \SystemRoot\System32\drivers\mountmgr.sys
  0x80794000 \SystemRoot\system32\drivers\atapi.sys
  0x8079C000 \SystemRoot\system32\drivers\ataport.SYS
  0x807BA000 \SystemRoot\system32\drivers\msahci.sys
  0x807C4000 \SystemRoot\system32\drivers\PCIIDEX.SYS
  0x805BD000 \SystemRoot\system32\drivers\fltmgr.sys
  0x807D2000 \SystemRoot\system32\drivers\fileinfo.sys
  0x807E2000 \SystemRoot\System32\Drivers\PxHelp20.sys
  0x8A001000 \SystemRoot\System32\Drivers\ksecdd.sys
  0x8A072000 \SystemRoot\system32\drivers\ndis.sys
  0x8A17D000 \SystemRoot\system32\drivers\msrpc.sys
  0x8A1A8000 \SystemRoot\system32\drivers\NETIO.SYS
  0x8A209000 \SystemRoot\System32\drivers\tcpip.sys
  0x8A2F3000 \SystemRoot\System32\drivers\fwpkclnt.sys
  0x8A404000 \SystemRoot\System32\Drivers\Ntfs.sys
  0x8A514000 \SystemRoot\system32\drivers\volsnap.sys
  0x8A54D000 \SystemRoot\System32\Drivers\spldr.sys
  0x8A555000 \SystemRoot\System32\Drivers\mup.sys
  0x8A564000 \SystemRoot\System32\drivers\ecache.sys
  0x8A58B000 \SystemRoot\system32\drivers\disk.sys
  0x8A59C000 \SystemRoot\system32\drivers\CLASSPNP.SYS
  0x8A5BD000 \SystemRoot\system32\drivers\crcdisk.sys
  0x8A5E8000 \SystemRoot\system32\DRIVERS\tunnel.sys
  0x8A5F3000 \SystemRoot\system32\DRIVERS\tunmp.sys
  0x8A30E000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
  0x8E20F000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
  0x8E942000 \SystemRoot\System32\drivers\dxgkrnl.sys
  0x8E9E3000 \SystemRoot\System32\drivers\watchdog.sys
  0x8E9EF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0x8A317000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0x8E200000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0x8A355000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0x8EA0E000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
  0x8ED95000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
  0x8EDD7000 \SystemRoot\system32\DRIVERS\CmBatt.sys
  0x8EDDB000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0x8EDEE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0x8F000000 \SystemRoot\system32\DRIVERS\SynTP.sys
  0x8F031000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0x8F033000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0x8F03E000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0x8F056000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0x8F065000 \SystemRoot\system32\DRIVERS\msiscsi.sys
  0x8F094000 \SystemRoot\system32\DRIVERS\storport.sys
  0x8F0D5000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0x8F0E0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0x8F0F7000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0x8F102000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0x8F125000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0x8F134000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0x8F148000 \SystemRoot\system32\DRIVERS\rassstp.sys
  0x8F15D000 \SystemRoot\system32\DRIVERS\termdd.sys
  0x8F16D000 \SystemRoot\system32\DRIVERS\swenum.sys
  0x8F16F000 \SystemRoot\system32\DRIVERS\ks.sys
  0x8F199000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0x8F1A3000 \SystemRoot\system32\DRIVERS\umbus.sys
  0x8F1B0000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0x8F1E5000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0x8FC00000 \SystemRoot\system32\drivers\RTKVHDA.sys
  0x8FE20000 \SystemRoot\system32\drivers\portcls.sys
  0x8FE4D000 \SystemRoot\system32\drivers\drmk.sys
  0x8FE72000 \SystemRoot\system32\drivers\nvhda32v.sys
  0x8FE85000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0x8FE8E000 \SystemRoot\System32\Drivers\Null.SYS
  0x8FE95000 \SystemRoot\System32\Drivers\Beep.SYS
  0x8FEA5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0x8FEAC000 \SystemRoot\System32\drivers\vga.sys
  0x8FEB8000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
  0x8FED9000 \SystemRoot\system32\DRIVERS\hidusb.sys
  0x8FEE2000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
  0x8FEF2000 \SystemRoot\system32\DRIVERS\mouhid.sys
  0x9020B000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
  0x903C3000 \SystemRoot\system32\DRIVERS\STREAM.SYS
  0x903D0000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
  0x903D7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0x903DF000 \SystemRoot\system32\drivers\rdpencdd.sys
  0x903E7000 \SystemRoot\System32\Drivers\Msfs.SYS
  0x903F2000 \SystemRoot\System32\Drivers\Npfs.SYS
  0x90200000 \SystemRoot\System32\DRIVERS\rasacd.sys
  0x8FEFA000 \SystemRoot\system32\DRIVERS\tdx.sys
  0x8FF10000 \SystemRoot\system32\DRIVERS\smb.sys
  0x8FF24000 \SystemRoot\system32\drivers\afd.sys
  0x8FF6C000 \SystemRoot\System32\DRIVERS\netbt.sys
  0x8FF9E000 \SystemRoot\system32\DRIVERS\pacer.sys
  0x8FFB4000 \SystemRoot\system32\DRIVERS\netbios.sys
  0x8FFC2000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0x8FFD5000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
  0x93C08000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0x93C44000 \SystemRoot\system32\drivers\nsiproxy.sys
  0x93C4E000 \SystemRoot\System32\Drivers\dfsc.sys
  0x93C65000 \SystemRoot\system32\DRIVERS\avipbb.sys
  0x93C87000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
  0x93C89000 \SystemRoot\system32\drivers\RTSTOR.SYS
  0x93C9D000 \SystemRoot\System32\Drivers\fastfat.SYS
  0x93CC5000 \SystemRoot\System32\Drivers\crashdmp.sys
  0x93CD2000 \SystemRoot\System32\Drivers\dump_dumpata.sys
  0x93CDD000 \SystemRoot\System32\Drivers\dump_msahci.sys
  0x9BE60000 \SystemRoot\System32\win32k.sys
  0x93CE7000 \SystemRoot\System32\drivers\Dxapi.sys
  0x93CF1000 \SystemRoot\system32\DRIVERS\monitor.sys
  0x9C080000 \SystemRoot\System32\TSDDD.dll
  0x9C0A0000 \SystemRoot\System32\cdd.dll
  0x93D00000 \SystemRoot\system32\drivers\luafv.sys
  0x93D1B000 \SystemRoot\system32\DRIVERS\avgntflt.sys
  0x93D30000 \SystemRoot\system32\drivers\spsys.sys
  0x93DE0000 \SystemRoot\system32\DRIVERS\lltdio.sys
  0xA1404000 \SystemRoot\system32\DRIVERS\nwifi.sys
  0xA142E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0xA1438000 \SystemRoot\system32\DRIVERS\rspndr.sys
  0xA144B000 \SystemRoot\system32\drivers\HTTP.sys
  0xA14B8000 \SystemRoot\System32\DRIVERS\srvnet.sys
  0xA14D5000 \SystemRoot\system32\DRIVERS\bowser.sys
  0xA14EE000 \SystemRoot\System32\drivers\mpsdrv.sys
  0xA1503000 \SystemRoot\system32\drivers\mrxdav.sys
  0xA1524000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xA1543000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
  0xA157C000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
  0xA1594000 \SystemRoot\System32\DRIVERS\srv2.sys
  0xA380C000 \SystemRoot\System32\DRIVERS\srv.sys
  0xA3872000 \SystemRoot\system32\drivers\peauth.sys
  0xA3950000 \SystemRoot\System32\Drivers\secdrv.SYS
  0xA395A000 \SystemRoot\System32\drivers\tcpipreg.sys
  0xA3966000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
  0xA397B000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
  0xA398D000 \SystemRoot\system32\DRIVERS\cdfs.sys
  0x77350000 \Windows\System32\ntdll.dll

Processes (total 78):
       0 System Idle Process
       4 System
     496 C:\Windows\System32\smss.exe
     552 csrss.exe
     612 C:\Windows\System32\wininit.exe
     620 csrss.exe
     656 C:\Windows\System32\services.exe
     668 C:\Windows\System32\lsass.exe
     676 C:\Windows\System32\lsm.exe
     832 C:\Windows\System32\svchost.exe
     896 C:\Windows\System32\nvvsvc.exe
     924 C:\Windows\System32\svchost.exe
     976 C:\Windows\System32\svchost.exe
    1012 C:\Windows\System32\svchost.exe
    1044 C:\Windows\System32\svchost.exe
    1064 C:\Windows\System32\svchost.exe
    1144 C:\Windows\System32\audiodg.exe
    1164 C:\Windows\System32\svchost.exe
    1180 C:\Windows\System32\SLsvc.exe
    1216 C:\Windows\System32\svchost.exe
    1332 C:\Windows\System32\winlogon.exe
    1468 C:\Windows\System32\svchost.exe
    1508 C:\Windows\System32\rundll32.exe
    1864 C:\Windows\System32\spoolsv.exe
    1904 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1916 C:\Windows\System32\svchost.exe
    1924 C:\Windows\System32\taskeng.exe
    1964 C:\Windows\System32\dwm.exe
    2040 C:\Windows\explorer.exe
    1632 C:\Windows\System32\taskeng.exe
     348 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    2132 C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
    2228 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    2308 C:\Program Files\Windows Defender\MSASCui.exe
    2336 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    2348 C:\Windows\tsnp2uvc.exe
    2380 C:\Windows\System32\rundll32.exe
    2388 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    2464 C:\Windows\System32\IoctlSvc.exe
    2520 C:\Windows\System32\svchost.exe
    2560 C:\Windows\System32\PSIService.exe
    2604 C:\Program Files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe
    2736 C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    2784 C:\Windows\System32\svchost.exe
    2852 C:\Windows\System32\svchost.exe
    2872 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    2904 C:\Windows\System32\SearchIndexer.exe
    3192 C:\Windows\System32\mobsync.exe
    3200 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    3208 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    3356 WUDFHost.exe
    3384 C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    3500 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    3548 C:\Program Files\Windows Sidebar\sidebar.exe
    3560 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3592 C:\Windows\ehome\ehtray.exe
    3644 C:\Windows\ehome\ehmsas.exe
    3896 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    3984 C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
    3992 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    4000 C:\Program Files\Windows Media Player\wmpnscfg.exe
    4028 C:\Program Files\Microsoft Works\WkCalRem.exe
    2252 C:\Program Files\Windows Sidebar\sidebar.exe
    1460 C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    3540 C:\Program Files\Windows Media Player\wmpnetwk.exe
     856 C:\Windows\System32\wbem\unsecapp.exe
    2484 C:\Windows\System32\svchost.exe
    3880 WmiPrvSE.exe
    2688 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    4464 C:\Program Files\Internet Explorer\iexplore.exe
    4820 C:\Program Files\Internet Explorer\iexplore.exe
    5792 C:\Program Files\Internet Explorer\iexplore.exe
    5240 C:\Program Files\Internet Explorer\iexplore.exe
    4952 C:\Windows\System32\SearchProtocolHost.exe
    4408 C:\Windows\System32\SearchFilterHost.exe
    4804 C:\Windows\System32\conime.exe
    2152 C:\Users\Dunkelauge\Desktop\MBRCheck.exe
    4500 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000  (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000006e`17e00000  (FAT32)

PhysicalDrive0 Model Number: HitachiHTS545050B9A300, Rev: PB4OC60G

      Size  Device Name          MBR Status
  --------------------------------------------
    465 GB  \\.\PhysicalDrive0   Windows 2008 MBR code detected
            SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!

Bitte. (die andere Datei habe ich echt nich habe alles nochmal überprüft!, also die in -system32 sein soll...))

Swisstreasure · 30.08.2010, 18:49

Scanne erneut mit GMER und poste mir das log.

dunkelauge · 30.08.2010, 19:06

Och mann...geht leider nicht. Ist wie bei meinem Post von vorhin. Gmer läuft nicht durch sondern bricht an besagter Stelle ab (device/..etc). Unterschied ist das er nicht schon beim starten meckert, sondern erst wenn ich scanne. Dann aber reagiert er nicht mehr und beendet sich selbstständig...soll ich Avira nochmal drüberlaufen lassen?

30.08.2010, 12:13	#4
Swisstreasure /// Malwareteam	Rechner arbeitet ununterbrochen und Virenscanner schlägt an Mach einfach bei GMER weiter Zudem fehlt noch das zweite Log von OTL. Die Extra.txt Datei.

30.08.2010, 14:09	#10
Swisstreasure /// Malwareteam	Rechner arbeitet ununterbrochen und Virenscanner schlägt an Mach bei Schritt 4 weiter

30.08.2010, 17:00	#12
Swisstreasure /// Malwareteam	Rechner arbeitet ununterbrochen und Virenscanner schlägt an Kannst Du auf Deinem Computer alle Dateien und Datei-Endungen sehen? Falls nein, bitte diese Einstellungen in den Ordneroptionen vornehmen. Auch so findest Du sie nicht? Dann mach noch Schritt 5.

30.08.2010, 18:49	#14
Swisstreasure /// Malwareteam	Rechner arbeitet ununterbrochen und Virenscanner schlägt an Scanne erneut mit GMER und poste mir das log.

Rechner arbeitet ununterbrochen und Virenscanner schlägt an

Log-Analyse und Auswertung: Rechner arbeitet ununterbrochen und Virenscanner schlägt an