| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Trojan.Generic.4060291 entfernenWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
16.09.2010, 13:03
| #1 |
 |  Trojan.Generic.4060291 entfernen Hallo Heute habe ich versehentlich den IE gestartet (sonst nehme ich Opera), worauf mein F-secure sofort einen Virusbefall von sysdat.dll mit trojan.generic.4060291 meldete und ihn auch entfernte. Leider reproduziert sich der Virus selbst und beim erneuten Start des IE wiederholt sich alles. F-secure meldet sich aber nur, wenn der IE geöffnet wird. Weiss jemand Rat, wie ich das System frei kriege? |
|
16.09.2010, 16:36
| #2 |
| | Trojan.Generic.4060291 entfernen Ich hoffe, das ist richtig, dass ich erstmal das OTL logfile Poste:
__________________OTL Logfile: Code:
ATTFilter OTL logfile created on: 16.09.2010 16:42:15 - Run 1 OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 6.0.2900.5512) Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 1.023,00 Mb Total Physical Memory | 304,00 Mb Available Physical Memory | 30,00% Memory free 2,00 Gb Paging File | 2,00 Gb Available in Paging File | 73,00% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 74,52 Gb Total Space | 48,98 Gb Free Space | 65,73% Space Free | Partition Type: NTFS Drive D: | 6,53 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: LAPTOP-GMELIN Current User Name: Dr. Ulrich Gmelin Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Processes (SafeList) ========== PRC - [2010.09.16 16:39:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop\OTL.exe PRC - [2010.08.28 13:17:23 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe PRC - [2010.08.23 19:01:37 | 000,058,024 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe PRC - [2010.08.23 18:53:27 | 000,783,016 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe PRC - [2010.08.23 18:53:27 | 000,492,200 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32.exe PRC - [2010.07.27 02:00:06 | 000,247,808 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe PRC - [2010.07.27 00:41:12 | 000,107,568 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\openvpntray.exe PRC - [2010.07.14 16:03:24 | 000,365,248 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe PRC - [2010.06.23 04:48:08 | 000,322,608 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe PRC - [2010.06.23 04:48:00 | 000,348,208 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe PRC - [2009.10.14 15:20:43 | 000,522,848 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\FWES\program\fsdfwd.exe PRC - [2009.07.09 11:34:54 | 000,199,264 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE PRC - [2009.07.09 11:34:54 | 000,186,976 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE PRC - [2009.07.09 11:34:52 | 000,088,672 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\Common\FSHDLL32.EXE PRC - [2009.07.09 11:31:20 | 000,215,648 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe PRC - [2009.04.23 06:47:48 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin PRC - [2009.04.23 06:46:40 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe PRC - [2009.04.20 17:20:40 | 002,327,552 | ---- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe PRC - [2009.04.20 17:20:30 | 000,009,216 | ---- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe PRC - [2009.04.10 18:25:42 | 002,852,200 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe PRC - [2008.04.14 02:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2007.12.10 14:43:16 | 002,191,360 | ---- | M] (Zimmer Elektromedizin) -- \\Empfang\d\ZIMMER\TERMIN\Termin.exe PRC - [2005.02.16 16:15:20 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe PRC - [2004.05.23 20:15:42 | 000,098,304 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe PRC - [2003.10.01 14:29:48 | 000,376,832 | ---- | M] (Philips Speech Processing) -- C:\WINDOWS\system32\pspcontr.exe PRC - [2002.09.20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe ========== Modules (SafeList) ========== MOD - [2010.09.16 16:39:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop\OTL.exe MOD - [2009.07.09 11:35:14 | 000,256,608 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure Internet Security\Spam Control\fsscoepl.dll MOD - [2009.07.09 11:34:16 | 000,330,336 | ---- | M] () -- \\?\c:\program files\f-secure internet security\hips\fshook32.dll MOD - [2009.04.10 18:28:14 | 000,161,128 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\NaturallySpeaking10\Program\dgniedct.dll MOD - [2009.04.10 18:27:02 | 000,062,824 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\NaturallySpeaking10\Program\nlutmgrhook.dll MOD - [2009.04.10 18:26:22 | 000,193,896 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\NaturallySpeaking10\Program\dd10hook.dll MOD - [2009.04.10 18:26:20 | 000,234,856 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\NaturallySpeaking10\Program\dd10axa.dll MOD - [2009.04.10 18:20:18 | 000,401,462 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Nuance\NaturallySpeaking10\Program\msvcp60.dll MOD - [2008.04.14 02:12:02 | 000,245,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui1.dll MOD - [2008.04.14 02:12:02 | 000,142,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\nwprovau.dll MOD - [2008.04.14 02:12:02 | 000,080,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui0.dll MOD - [2008.04.14 02:12:02 | 000,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntlanman.dll MOD - [2008.04.14 02:12:01 | 000,011,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netrap.dll MOD - [2008.04.14 02:11:52 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drprov.dll MOD - [2008.04.14 02:11:51 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\davclnt.dll MOD - [2008.04.14 02:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx MOD - [2004.05.23 20:15:36 | 000,066,048 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll ========== Win32 Services (SafeList) ========== SRV - [2010.08.23 19:01:37 | 000,058,024 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe -- (FSORSPClient) SRV - [2010.07.27 02:00:06 | 000,247,808 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe -- (HotspotShieldService) SRV - [2010.07.27 00:41:20 | 000,057,640 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Hotspot Shield\bin\HssTrayService.exe -- (HssTrayService) SRV - [2010.06.23 04:48:08 | 000,322,608 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\hsswd.exe -- (HssWd) SRV - [2010.06.23 04:48:00 | 000,348,208 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe -- (HssSrv) SRV - [2009.10.14 15:20:43 | 000,522,848 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe -- (FSDFWD) SRV - [2009.07.09 11:34:54 | 000,186,976 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE -- (FSMA) SRV - [2009.07.09 11:31:20 | 000,215,648 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe -- (F-Secure Gatekeeper Handler Starter) SRV - [2009.04.20 17:20:30 | 000,009,216 | ---- | M] (Vodafone) [Auto | Running] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService) SRV - [2002.09.20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default)) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard) DRV - [2010.08.31 12:00:52 | 000,041,624 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\fsbts.sys -- (fsbts) DRV - [2010.08.03 13:09:03 | 000,124,072 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys -- (F-Secure Gatekeeper) DRV - [2010.06.23 04:48:00 | 000,037,376 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HssDrv.sys -- (HssDrv) DRV - [2010.06.23 04:47:58 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss) DRV - [2010.02.11 14:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6) DRV - [2009.07.09 11:34:18 | 000,068,064 | ---- | M] (F-Secure Corporation) [Kernel | System | Running] -- C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys -- (F-Secure HIPS) DRV - [2009.07.09 11:33:14 | 000,080,000 | ---- | M] (F-Secure Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\fsdfw.sys -- (FSFW) DRV - [2009.07.09 11:31:24 | 000,039,776 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys -- (F-Secure Filter) DRV - [2009.07.09 11:31:24 | 000,025,184 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys -- (F-Secure Recognizer) DRV - [2009.04.09 13:38:32 | 000,110,592 | R--- | M] (ZTE Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbnet.sys -- (ZTEusbnet) DRV - [2009.04.09 13:38:32 | 000,105,344 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zteusbvoice.sys -- (ZTEusbvoice) DRV - [2009.04.09 13:38:32 | 000,105,344 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea) DRV - [2009.04.09 13:38:32 | 000,104,960 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k) DRV - [2009.04.09 13:38:32 | 000,104,960 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k) DRV - [2009.04.09 13:38:32 | 000,007,680 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter) DRV - [2008.04.13 20:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx) DRV - [2008.04.13 20:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm) DRV - [2008.04.13 20:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM) DRV - [2004.06.02 17:07:28 | 001,240,938 | ---- | M] (WIDCOMM, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\btkrnl.sys -- (BTKRNL) DRV - [2004.05.23 20:10:36 | 000,182,720 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP) DRV - [2004.03.19 06:27:34 | 001,657,344 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w22n51.sys -- (w22n51) Intel(R) DRV - [2004.01.18 04:48:08 | 000,669,696 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2003.05.06 19:46:38 | 000,027,008 | ---- | M] (Winbond Electronics Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wbsd.sys -- (WBSD) Winbond Secure Digital Storage (SD/MMC) DRV - [2003.05.03 18:16:00 | 001,170,464 | R--- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem) DRV - [2003.03.31 21:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb) DRV - [2003.03.31 21:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx) DRV - [2003.03.15 16:00:02 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139) DRV - [2001.08.17 14:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552 IE - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\..\URLSearchHook: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll (Conduit Ltd.) IE - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Firefox\extensions\\litmus-ff@f-secure.com: C:\Program Files\F-Secure Internet Security\NRS\litmus-ff@f-secure.com [2010.09.07 15:49:19 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.03.19 11:02:07 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010.03.31 19:59:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions O1 HOSTS File: ([2010.09.16 13:35:14 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll (F-Secure Corporation) O2 - BHO: (Hotspot Shield Toolbar) - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll (Conduit Ltd.) O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.) O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll (F-Secure Corporation) O3 - HKLM\..\Toolbar: (Hotspot Shield Toolbar) - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll (Conduit Ltd.) O3 - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\..\Toolbar\WebBrowser: (Hotspot Shield Toolbar) - {C95A4E8E-816D-4655-8C79-D736DA1ADB6D} - C:\Program Files\Hotspot_Shield\tbHot1.dll (Conduit Ltd.) O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.) O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe () O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.) O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE (F-Secure Corporation) O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe (F-Secure Corporation) O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation) O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation) O4 - HKLM..\Run: [MobileConnect] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone) O4 - HKLM..\Run: [PspContr] C:\WINDOWS\System32\pspcontr.exe (Philips Speech Processing) O4 - HKLM..\Run: [PspUsbCf] C:\WINDOWS\System32\pspusbcf.exe (Philips Speech Processing) O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.) O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.) O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions) O4 - HKU\S-1-5-21-1454471165-1957994488-839522115-1003..\Run: [RecordNow!] File not found O4 - HKU\S-1-5-21-1454471165-1957994488-839522115-1003..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation) O4 - Startup: C:\Documents and Settings\Dr. Ulrich Gmelin\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: Senden an &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm () O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250188737217 (WUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21) O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 91.89.91.89 O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (WIDCOMM, Inc.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 0 O32 - AutoRun File - [2009.08.13 19:26:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{d1e206f2-47ea-11df-9da3-000fb0427036}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found O33 - MountPoints2\F\Shell - "" = AutoRun O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010.09.16 16:39:05 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop\OTL.exe [2010.09.16 13:49:24 | 000,000,000 | -HSD | C] -- C:\Config.Msi [2010.09.16 13:34:34 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group [2010.09.16 13:34:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\95431C66CF9A4913BFFF6050785AFB65.TMP [2010.09.16 13:33:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard [2010.09.15 07:46:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\SSH [2010.09.15 07:44:50 | 000,000,000 | ---D | C] -- C:\Program Files\SSH Secure Shell [2010.09.14 21:29:38 | 000,000,000 | ---D | C] -- C:\Program Files\SSHTunnelClient [2010.09.07 20:39:17 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit [2010.09.07 20:39:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Conduit [2010.09.07 20:39:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Hotspot_Shield [2010.09.07 20:39:15 | 000,000,000 | ---D | C] -- C:\Program Files\Hotspot_Shield [2010.09.07 20:36:56 | 000,000,000 | ---D | C] -- C:\Hotspot Shield [2010.09.07 20:36:46 | 000,000,000 | ---D | C] -- C:\Program Files\Hotspot Shield [2010.09.01 10:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Vodafone [2010.09.01 09:59:51 | 000,000,000 | ---D | C] -- C:\Program Files\Vodafone [2010.08.28 21:38:21 | 000,125,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB6DE.DLL [2010.08.28 21:38:21 | 000,089,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB5DB.DLL [2010.08.28 21:38:20 | 000,217,088 | ---- | C] (Dart Communications) -- C:\WINDOWS\System32\DartSock.dll [2010.08.28 21:38:20 | 000,118,784 | ---- | C] (Dart Communications) -- C:\WINDOWS\System32\DartWeb.dll [2010.08.28 21:38:20 | 000,000,000 | ---D | C] -- C:\Program Files\Convar [2010.08.28 21:38:19 | 000,516,784 | R--- | C] (Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com) -- C:\WINDOWS\System32\XceedCry.dll [2010.08.28 21:38:19 | 000,140,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\COMDLG32.OCX [2010.08.28 21:31:13 | 000,000,000 | ---D | C] -- C:\Program Files\PC Inspector File Recovery [2010.08.28 19:51:10 | 000,000,000 | ---D | C] -- C:\Program Files\Stellar Phoenix Photo Recovery [7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\*.tmp files -> C:\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010.09.16 16:39:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop\OTL.exe [2010.09.16 16:25:01 | 000,001,118 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2010.09.16 15:37:35 | 000,002,539 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dragon Medical 10.0.lnk [2010.09.16 15:03:11 | 000,000,067 | ---- | M] () -- C:\WINDOWS\DATA.INI [2010.09.16 14:07:31 | 000,000,202 | ---- | M] () -- C:\WINDOWS\System32\PSLOG [2010.09.16 14:07:30 | 000,001,114 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2010.09.16 14:06:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010.09.16 14:05:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010.09.16 14:05:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010.09.16 14:05:45 | 1073,139,712 | -HS- | M] () -- C:\hiberfil.sys [2010.09.16 14:04:42 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\NTUSER.DAT [2010.09.16 14:04:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\ntuser.ini [2010.09.16 09:32:57 | 000,001,235 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\SAS7_000.DAT [2010.09.15 22:45:09 | 000,237,056 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.09.15 21:06:24 | 000,002,259 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BabasChess.lnk [2010.09.15 07:45:13 | 000,001,633 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SSH Secure File Transfer Client.lnk [2010.09.15 07:45:13 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SSH Secure Shell Client.lnk [2010.09.15 03:04:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010.09.14 21:58:11 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\PUTTY.RND [2010.09.14 13:53:44 | 000,011,616 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\My Documents\Renneinstellungen.ods [2010.09.11 13:29:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2010.09.09 14:28:00 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk [2010.09.09 14:28:00 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk [2010.09.03 14:00:37 | 000,448,586 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010.09.03 14:00:37 | 000,074,638 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010.09.03 14:00:36 | 000,532,784 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010.09.02 07:27:41 | 005,292,840 | -H-- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\IconCache.db [2010.09.01 10:01:01 | 000,001,986 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vodafone SMS.lnk [2010.09.01 10:01:01 | 000,001,986 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vodafone Mobile Connect.lnk [2010.08.31 12:00:52 | 000,041,624 | ---- | M] () -- C:\WINDOWS\System32\drivers\fsbts.sys [2010.08.29 17:31:19 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk [2010.08.28 21:38:21 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector smart recovery.lnk [2010.08.28 21:31:13 | 000,001,561 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector File Recovery.lnk [2010.08.28 20:55:18 | 000,079,410 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\My Documents\Stellar Phoenix Photo Recovery Scan.DAT [7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\*.tmp files -> C:\*.tmp -> ] ========== Files Created - No Company Name ========== [2010.09.15 07:45:13 | 000,001,633 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SSH Secure File Transfer Client.lnk [2010.09.15 07:45:13 | 000,000,743 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SSH Secure Shell Client.lnk [2010.09.14 21:50:27 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\PUTTY.RND [2010.09.02 19:04:48 | 000,011,616 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\My Documents\Renneinstellungen.ods [2010.09.01 10:01:01 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Vodafone SMS.lnk [2010.09.01 10:01:01 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Vodafone Mobile Connect.lnk [2010.08.29 17:31:19 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk [2010.08.28 21:38:20 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll [2010.08.28 21:38:20 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\DartWeb.oca [2010.08.28 21:38:18 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector smart recovery.lnk [2010.08.28 21:31:17 | 000,006,200 | ---- | C] () -- C:\WINDOWS\System32\INT13EXT.VXD [2010.08.28 21:31:13 | 000,001,561 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector File Recovery.lnk [2010.08.28 20:55:17 | 000,079,410 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\My Documents\Stellar Phoenix Photo Recovery Scan.DAT [2009.12.05 12:22:56 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\burnaware.ini [2009.10.12 10:11:55 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI [2009.09.23 09:56:46 | 000,000,142 | ---- | C] () -- C:\WINDOWS\ChssBase.ini [2009.09.06 18:45:23 | 000,001,235 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\SAS7_000.DAT [2009.09.06 18:03:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspusblb.ini [2009.09.06 18:03:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspusbct.ini [2009.09.06 18:03:54 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\mcipspct.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspsbext.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspfidrv.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspfbase.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspaudrv.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspapdrv.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\mcipspwa.ini [2009.09.06 18:03:53 | 000,000,220 | ---- | C] () -- C:\WINDOWS\System32\pspwave.ini [2009.09.06 18:03:53 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\pspdss.ini [2009.09.06 18:03:53 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\pspddi.ini [2009.09.06 18:03:38 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\pspprefq.ini [2009.09.06 15:15:35 | 000,237,056 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009.09.05 18:53:00 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\fusioncache.dat [2009.08.14 13:50:14 | 000,000,254 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2009.08.14 13:50:13 | 000,006,855 | ---- | C] () -- C:\WINDOWS\UNWISE.INI [2009.08.14 13:49:42 | 000,000,067 | ---- | C] () -- C:\WINDOWS\DATA.INI [2009.08.14 11:17:17 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\Bot.dll [2009.08.14 11:17:16 | 000,000,101 | ---- | C] () -- C:\WINDOWS\PSXLPR.INI [2009.08.13 20:27:09 | 000,041,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys [2009.08.13 19:54:05 | 000,000,173 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2009.08.13 19:46:43 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll [2009.08.13 19:40:48 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll [2009.04.09 13:44:42 | 000,108,066 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4 [2004.06.02 17:28:30 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll [2004.01.18 04:39:06 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll [2004.01.06 01:22:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini [2003.03.31 21:00:00 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\sysadt.dll [2002.05.15 23:29:04 | 000,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest [2001.11.23 18:18:00 | 000,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest [2001.11.14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll ========== Custom Scans ========== < :OTL > < :files > < C:\Windows\System32\*.tmp > [7 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] < C:\Windows\*.tmp > [5 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] < :Commands > < [purity] > < [EMPTYFLASH] > < [emptytemp] > < [Reboot] > ========== Alternate Data Streams ========== @Alternate Data Stream - 208 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A24211BA < End of report > |
|
16.09.2010, 16:46
| #3 |
| /// Malware-holic   | Trojan.Generic.4060291 entfernen moment ich hab nen fehler gemacht
__________________ootl: Systemscan mit OTL download otl: http://filepony.de/download-otl/ Doppelklick auf die OTL.exe (user von Windows 7 und Vista: Rechtsklick als Administrator ausführen) 1. Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output 2. Hake an "scan all users" 3. Unter "Extra Registry wähle: "Use Safelist" "LOP Check" "Purity Check" 4. Kopiere in die Textbox: netsvcs msconfig safebootminimal safebootnetwork activex drivers32 %ALLUSERSPROFILE%\Application Data\*. %ALLUSERSPROFILE%\Application Data\*.exe /s %APPDATA%\*. %APPDATA%\*.exe /s %SYSTEMDRIVE%\*.exe /md5start userinit.exe eventlog.dll scecli.dll netlogon.dll cngaudit.dll ws2ifsl.sys sceclt.dll ntelogon.dll winlogon.exe logevent.dll user32.DLL iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys /md5stop %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\System32\config\*.sav %systemroot%\*. /mp /s %systemroot%\system32\*.dll /lockedfiles CREATERESTOREPOINT 5. Klicke "Scan" 6. 2 reporte werden erstellt: OTL.Txt Extras.Txt poste beide logs ich hatte den falschen text kopiert, also vergiss alles von oben. |
|
16.09.2010, 18:42
| #4 |
| | Trojan.Generic.4060291 entfernen Die OTL.txt OTL Logfile: Code:
ATTFilter OTL logfile created on: 16.09.2010 19:30:36 - Run 2 OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 6.0.2900.5512) Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 1.023,00 Mb Total Physical Memory | 451,00 Mb Available Physical Memory | 44,00% Memory free 2,00 Gb Paging File | 2,00 Gb Available in Paging File | 79,00% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 74,52 Gb Total Space | 48,99 Gb Free Space | 65,75% Space Free | Partition Type: NTFS Drive D: | 6,53 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: LAPTOP-GMELIN Current User Name: Dr. Ulrich Gmelin Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files\Opera\opera.exe (Opera Software) PRC - C:\Program Files\Steam\Steam.exe (Valve Corporation) PRC - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe (F-Secure Corporation) PRC - C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe (F-Secure Corporation) PRC - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32.exe (F-Secure Corporation) PRC - C:\Program Files\Hotspot Shield\bin\openvpnas.exe () PRC - C:\Program Files\Hotspot Shield\bin\openvpntray.exe () PRC - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe (F-Secure Corporation) PRC - C:\Program Files\Hotspot Shield\bin\hsswd.exe () PRC - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe (AnchorFree Inc.) PRC - C:\Program Files\F-Secure Internet Security\FWES\program\fsdfwd.exe (F-Secure Corporation) PRC - C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE (F-Secure Corporation) PRC - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (F-Secure Corporation) PRC - C:\Program Files\F-Secure Internet Security\Common\FSHDLL32.EXE (F-Secure Corporation) PRC - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (F-Secure Corporation) PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org) PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org) PRC - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone) PRC - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (Vodafone) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation) PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.) PRC - C:\WINDOWS\system32\pspcontr.exe (Philips Speech Processing) PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.) ========== Modules (SafeList) ========== MOD - C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop\OTL.exe (OldTimer Tools) MOD - C:\Program Files\F-Secure Internet Security\Spam Control\fsscoepl.dll (F-Secure Corporation) MOD - \\?\c:\program files\f-secure internet security\hips\fshook32.dll () MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation) MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.) ========== Win32 Services (SafeList) ========== SRV - (FSORSPClient) -- C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe (F-Secure Corporation) SRV - (HotspotShieldService) -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe () SRV - (HssTrayService) -- C:\Program Files\Hotspot Shield\bin\HssTrayService.exe () SRV - (HssWd) -- C:\Program Files\Hotspot Shield\bin\hsswd.exe () SRV - (HssSrv) -- C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe (AnchorFree Inc.) SRV - (FSDFWD) -- C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe (F-Secure Corporation) SRV - (FSMA) -- C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (F-Secure Corporation) SRV - (F-Secure Gatekeeper Handler Starter) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (F-Secure Corporation) SRV - (VMCService) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (Vodafone) SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.) ========== Driver Services (SafeList) ========== DRV - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found DRV - (fsbts) -- C:\WINDOWS\system32\Drivers\fsbts.sys () DRV - (F-Secure Gatekeeper) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys () DRV - (HssDrv) -- C:\WINDOWS\system32\drivers\HssDrv.sys (AnchorFree Inc.) DRV - (taphss) -- C:\WINDOWS\system32\drivers\taphss.sys (AnchorFree Inc) DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation) DRV - (F-Secure HIPS) -- C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (F-Secure Corporation) DRV - (FSFW) -- C:\WINDOWS\System32\drivers\fsdfw.sys (F-Secure Corporation) DRV - (F-Secure Filter) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys () DRV - (F-Secure Recognizer) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys () DRV - (ZTEusbnet) -- C:\WINDOWS\system32\drivers\ZTEusbnet.sys (ZTE Corporation) DRV - (ZTEusbvoice) -- C:\WINDOWS\system32\drivers\zteusbvoice.sys (ZTE Incorporated) DRV - (ZTEusbnmea) -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys (ZTE Incorporated) DRV - (ZTEusbser6k) -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys (ZTE Incorporated) DRV - (ZTEusbmdm6k) -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys (ZTE Incorporated) DRV - (massfilter) -- C:\WINDOWS\system32\drivers\massfilter.sys (ZTE Incorporated) DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation) DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation) DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation) DRV - (BTKRNL) -- C:\WINDOWS\System32\drivers\btkrnl.sys (WIDCOMM, Inc.) DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.) DRV - (w22n51) Intel(R) -- C:\WINDOWS\system32\drivers\w22n51.sys (Intel® Corporation) DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.) DRV - (WBSD) Winbond Secure Digital Storage (SD/MMC) -- C:\WINDOWS\system32\drivers\wbsd.sys (Winbond Electronics Corp.) DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems) DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation) DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation) DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation ) DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552 IE - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\..\URLSearchHook: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll (Conduit Ltd.) IE - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Firefox\extensions\\litmus-ff@f-secure.com: C:\Program Files\F-Secure Internet Security\NRS\litmus-ff@f-secure.com [2010.09.07 15:49:19 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.03.19 11:02:07 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010.03.31 19:59:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions O1 HOSTS File: ([2010.09.16 13:35:14 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll (F-Secure Corporation) O2 - BHO: (Hotspot Shield Toolbar) - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll (Conduit Ltd.) O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.) O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll (F-Secure Corporation) O3 - HKLM\..\Toolbar: (Hotspot Shield Toolbar) - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll (Conduit Ltd.) O3 - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\..\Toolbar\WebBrowser: (Hotspot Shield Toolbar) - {C95A4E8E-816D-4655-8C79-D736DA1ADB6D} - C:\Program Files\Hotspot_Shield\tbHot1.dll (Conduit Ltd.) O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.) O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe () O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.) O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE (F-Secure Corporation) O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe (F-Secure Corporation) O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation) O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation) O4 - HKLM..\Run: [MobileConnect] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone) O4 - HKLM..\Run: [PspContr] C:\WINDOWS\System32\pspcontr.exe (Philips Speech Processing) O4 - HKLM..\Run: [PspUsbCf] C:\WINDOWS\System32\pspusbcf.exe (Philips Speech Processing) O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.) O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.) O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions) O4 - HKU\S-1-5-21-1454471165-1957994488-839522115-1003..\Run: [RecordNow!] File not found O4 - HKU\S-1-5-21-1454471165-1957994488-839522115-1003..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation) O4 - Startup: C:\Documents and Settings\Dr. Ulrich Gmelin\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1454471165-1957994488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: Senden an &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm () O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250188737217 (WUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21) O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 91.89.91.89 O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (WIDCOMM, Inc.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 0 O32 - AutoRun File - [2009.08.13 19:26:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{d1e206f2-47ea-11df-9da3-000fb0427036}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found O33 - MountPoints2\F\Shell - "" = AutoRun O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: Ias - File not found NetSvcs: Iprip - File not found NetSvcs: Nwsapagent - File not found NetSvcs: WmdmPmSp - File not found SafeBootMin: Base - Driver Group SafeBootMin: Boot Bus Extender - Driver Group SafeBootMin: Boot file system - Driver Group SafeBootMin: File system - Driver Group SafeBootMin: Filter - Driver Group SafeBootMin: PCI Configuration - Driver Group SafeBootMin: PNP Filter - Driver Group SafeBootMin: Primary disk - Driver Group SafeBootMin: SCSI Class - Driver Group SafeBootMin: sermouse.sys - Driver SafeBootMin: System Bus Extender - Driver Group SafeBootMin: vds - Service SafeBootMin: vga.sys - Driver SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootNet: Base - Driver Group SafeBootNet: Boot Bus Extender - Driver Group SafeBootNet: Boot file system - Driver Group SafeBootNet: File system - Driver Group SafeBootNet: Filter - Driver Group SafeBootNet: NDIS Wrapper - Driver Group SafeBootNet: NetBIOSGroup - Driver Group SafeBootNet: NetDDEGroup - Driver Group SafeBootNet: Network - Driver Group SafeBootNet: NetworkProvider - Driver Group SafeBootNet: nm - C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation) SafeBootNet: nm.sys - C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation) SafeBootNet: PCI Configuration - Driver Group SafeBootNet: PNP Filter - Driver Group SafeBootNet: PNP_TDI - Driver Group SafeBootNet: Primary disk - Driver Group SafeBootNet: SCSI Class - Driver Group SafeBootNet: sermouse.sys - Driver SafeBootNet: Streams Drivers - Driver Group SafeBootNet: System Bus Extender - Driver Group SafeBootNet: TDI - Driver Group SafeBootNet: UploadMgr - Service SafeBootNet: vga.sys - Driver SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun) ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML) ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4 ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906) ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7 ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789) ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1 ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help ActiveX: {E78BFA60-5393-4C38-82AB-E8019E464EB4} - .NET Framework ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE Drivers32: MIDI1 - C:\WINDOWS\System32\Syncor11.dll (SoundMAX) Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS) Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.) Drivers32: msacm.smlpcbb - C:\WINDOWS\System32\smlpcbb.acm (Philips Speech Processing) Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.) Drivers32: pspctrlc - C:\WINDOWS\System32\pspusbct.dll (Philips Speech Processing) Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.) Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll () Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll () CREATERESTOREPOINT Restore point Set: OTL Restore Point (17465059307421696) ========== Files/Folders - Created Within 30 Days ========== [2010.09.16 16:39:05 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop\OTL.exe [2010.09.16 13:49:24 | 000,000,000 | -HSD | C] -- C:\Config.Msi [2010.09.16 13:34:34 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group [2010.09.16 13:34:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\95431C66CF9A4913BFFF6050785AFB65.TMP [2010.09.16 13:33:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard [2010.09.15 07:46:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\SSH [2010.09.15 07:44:50 | 000,000,000 | ---D | C] -- C:\Program Files\SSH Secure Shell [2010.09.14 21:29:38 | 000,000,000 | ---D | C] -- C:\Program Files\SSHTunnelClient [2010.09.07 20:39:17 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit [2010.09.07 20:39:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Conduit [2010.09.07 20:39:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Hotspot_Shield [2010.09.07 20:39:15 | 000,000,000 | ---D | C] -- C:\Program Files\Hotspot_Shield [2010.09.07 20:36:56 | 000,000,000 | ---D | C] -- C:\Hotspot Shield [2010.09.07 20:36:46 | 000,000,000 | ---D | C] -- C:\Program Files\Hotspot Shield [2010.09.01 10:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Vodafone [2010.09.01 09:59:51 | 000,000,000 | ---D | C] -- C:\Program Files\Vodafone [2010.08.28 21:38:21 | 000,125,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB6DE.DLL [2010.08.28 21:38:21 | 000,089,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB5DB.DLL [2010.08.28 21:38:20 | 000,217,088 | ---- | C] (Dart Communications) -- C:\WINDOWS\System32\DartSock.dll [2010.08.28 21:38:20 | 000,118,784 | ---- | C] (Dart Communications) -- C:\WINDOWS\System32\DartWeb.dll [2010.08.28 21:38:20 | 000,000,000 | ---D | C] -- C:\Program Files\Convar [2010.08.28 21:38:19 | 000,516,784 | R--- | C] (Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com) -- C:\WINDOWS\System32\XceedCry.dll [2010.08.28 21:38:19 | 000,140,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\COMDLG32.OCX [2010.08.28 21:31:13 | 000,000,000 | ---D | C] -- C:\Program Files\PC Inspector File Recovery [2010.08.28 19:51:10 | 000,000,000 | ---D | C] -- C:\Program Files\Stellar Phoenix Photo Recovery [7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\*.tmp files -> C:\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010.09.16 19:25:00 | 000,001,118 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2010.09.16 16:39:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop\OTL.exe [2010.09.16 15:37:35 | 000,002,539 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dragon Medical 10.0.lnk [2010.09.16 15:03:11 | 000,000,067 | ---- | M] () -- C:\WINDOWS\DATA.INI [2010.09.16 14:07:31 | 000,000,202 | ---- | M] () -- C:\WINDOWS\System32\PSLOG [2010.09.16 14:07:30 | 000,001,114 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2010.09.16 14:06:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010.09.16 14:05:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010.09.16 14:05:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010.09.16 14:05:45 | 1073,139,712 | -HS- | M] () -- C:\hiberfil.sys [2010.09.16 14:04:42 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\NTUSER.DAT [2010.09.16 14:04:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\ntuser.ini [2010.09.16 09:32:57 | 000,001,235 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\SAS7_000.DAT [2010.09.15 22:45:09 | 000,237,056 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.09.15 21:06:24 | 000,002,259 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BabasChess.lnk [2010.09.15 07:45:13 | 000,001,633 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SSH Secure File Transfer Client.lnk [2010.09.15 07:45:13 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SSH Secure Shell Client.lnk [2010.09.15 03:04:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010.09.14 21:58:11 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\PUTTY.RND [2010.09.14 13:53:44 | 000,011,616 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\My Documents\Renneinstellungen.ods [2010.09.11 13:29:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2010.09.09 14:28:00 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk [2010.09.09 14:28:00 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk [2010.09.03 14:00:37 | 000,448,586 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010.09.03 14:00:37 | 000,074,638 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010.09.03 14:00:36 | 000,532,784 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010.09.02 07:27:41 | 005,292,840 | -H-- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\IconCache.db [2010.09.01 10:01:01 | 000,001,986 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vodafone SMS.lnk [2010.09.01 10:01:01 | 000,001,986 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vodafone Mobile Connect.lnk [2010.08.31 12:00:52 | 000,041,624 | ---- | M] () -- C:\WINDOWS\System32\drivers\fsbts.sys [2010.08.29 17:31:19 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk [2010.08.28 21:38:21 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector smart recovery.lnk [2010.08.28 21:31:13 | 000,001,561 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector File Recovery.lnk [2010.08.28 20:55:18 | 000,079,410 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\My Documents\Stellar Phoenix Photo Recovery Scan.DAT [7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\*.tmp files -> C:\*.tmp -> ] ========== Files Created - No Company Name ========== [2010.09.15 07:45:13 | 000,001,633 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SSH Secure File Transfer Client.lnk [2010.09.15 07:45:13 | 000,000,743 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SSH Secure Shell Client.lnk [2010.09.14 21:50:27 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\PUTTY.RND [2010.09.02 19:04:48 | 000,011,616 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\My Documents\Renneinstellungen.ods [2010.09.01 10:01:01 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Vodafone SMS.lnk [2010.09.01 10:01:01 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Vodafone Mobile Connect.lnk [2010.08.29 17:31:19 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk [2010.08.28 21:38:20 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll [2010.08.28 21:38:20 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\DartWeb.oca [2010.08.28 21:38:18 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector smart recovery.lnk [2010.08.28 21:31:17 | 000,006,200 | ---- | C] () -- C:\WINDOWS\System32\INT13EXT.VXD [2010.08.28 21:31:13 | 000,001,561 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector File Recovery.lnk [2010.08.28 20:55:17 | 000,079,410 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\My Documents\Stellar Phoenix Photo Recovery Scan.DAT [2009.12.05 12:22:56 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\burnaware.ini [2009.10.12 10:11:55 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI [2009.09.23 09:56:46 | 000,000,142 | ---- | C] () -- C:\WINDOWS\ChssBase.ini [2009.09.06 18:45:23 | 000,001,235 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\SAS7_000.DAT [2009.09.06 18:03:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspusblb.ini [2009.09.06 18:03:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspusbct.ini [2009.09.06 18:03:54 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\mcipspct.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspsbext.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspfidrv.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspfbase.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspaudrv.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspapdrv.ini [2009.09.06 18:03:53 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\mcipspwa.ini [2009.09.06 18:03:53 | 000,000,220 | ---- | C] () -- C:\WINDOWS\System32\pspwave.ini [2009.09.06 18:03:53 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\pspdss.ini [2009.09.06 18:03:53 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\pspddi.ini [2009.09.06 18:03:38 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\pspprefq.ini [2009.09.06 15:15:35 | 000,237,056 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009.09.05 18:53:00 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Local Settings\Application Data\fusioncache.dat [2009.08.14 13:50:14 | 000,000,254 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2009.08.14 13:50:13 | 000,006,855 | ---- | C] () -- C:\WINDOWS\UNWISE.INI [2009.08.14 13:49:42 | 000,000,067 | ---- | C] () -- C:\WINDOWS\DATA.INI [2009.08.14 11:17:17 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\Bot.dll [2009.08.14 11:17:16 | 000,000,101 | ---- | C] () -- C:\WINDOWS\PSXLPR.INI [2009.08.13 20:27:09 | 000,041,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys [2009.08.13 19:54:05 | 000,000,173 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2009.08.13 19:46:43 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll [2009.08.13 19:40:48 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll [2009.04.09 13:44:42 | 000,108,066 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4 [2004.06.02 17:28:30 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll [2004.01.18 04:39:06 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll [2004.01.06 01:22:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini [2003.03.31 21:00:00 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\sysadt.dll [2002.05.15 23:29:04 | 000,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest [2001.11.23 18:18:00 | 000,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest [2001.11.14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll ========== LOP Check ========== [2010.04.10 10:28:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\elsterformular [2009.08.13 20:18:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\f-secure [2009.09.06 20:02:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\fssg [2009.08.14 16:16:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance [2009.08.14 16:18:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft [2010.09.16 15:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP [2010.09.01 10:00:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vodafone [2010.04.01 21:39:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\ChessBase [2010.04.10 10:28:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\elsterformular [2010.08.28 21:20:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\F-Secure [2009.12.22 08:07:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\GetRightToGo [2009.09.23 09:55:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\InterVideo [2009.08.14 16:22:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Nuance [2009.08.14 13:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\OpenOffice.org [2009.09.14 11:34:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Opera [2010.09.16 06:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\SSH [2009.08.14 07:11:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Thunderbird [2010.05.17 20:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Vodafone [2010.05.17 20:05:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Vodafone ========== Purity Check ========== ========== Custom Scans ========== < %ALLUSERSPROFILE%\Application Data\*. > [2010.01.26 10:14:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe [2010.03.31 20:01:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple [2010.03.31 20:02:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer [2010.04.10 10:28:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\elsterformular [2009.08.13 20:18:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\f-secure [2010.05.17 20:05:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet [2009.09.06 20:02:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\fssg [2009.08.14 16:23:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield [2009.08.13 22:06:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft [2009.08.14 16:16:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance [2009.08.14 16:18:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft [2010.07.24 16:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype [2010.03.31 06:54:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sun [2010.09.16 15:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP [2010.09.01 10:00:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vodafone [2009.08.13 20:45:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage < %ALLUSERSPROFILE%\Application Data\*.exe /s > [2010.03.04 04:00:34 | 000,079,144 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe [2010.08.07 14:38:21 | 000,072,488 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe [2008.11.17 17:06:20 | 001,021,216 | ---- | M] (Acresso Corporation) -- C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\agent.exe [2007.03.20 14:25:36 | 000,205,744 | ---- | M] (InstallShield Software Corporation) -- C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\dwusplay.exe [2008.11.17 17:06:22 | 000,279,840 | ---- | M] (Acresso Corporation) -- C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISDM.exe [2008.11.17 17:06:26 | 000,079,136 | ---- | M] (Acresso Corporation) -- C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\issch.exe < %APPDATA%\*. > [2009.09.15 07:10:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Adobe [2010.03.31 20:02:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Apple Computer [2010.04.01 21:39:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\ChessBase [2010.04.10 10:28:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\elsterformular [2010.08.28 21:20:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\F-Secure [2010.05.17 20:18:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\FLEXnet [2009.12.22 08:07:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\GetRightToGo [2010.07.15 13:22:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Google [2010.05.06 17:19:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Help [2009.08.13 19:32:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Identities [2009.09.23 09:55:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\InterVideo [2009.08.13 21:25:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Macromedia [2010.09.16 13:34:42 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Microsoft [2010.03.31 19:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Mozilla [2009.08.14 16:22:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Nuance [2009.08.14 13:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\OpenOffice.org [2009.09.14 11:34:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Opera [2010.07.24 16:00:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Skype [2010.07.24 15:56:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\skypePM [2009.10.23 16:43:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Sonic [2010.09.16 06:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\SSH [2009.08.13 20:28:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Sun [2009.08.14 07:12:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Talkback [2009.08.14 07:11:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Thunderbird [2010.08.29 08:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\U3 [2010.05.17 20:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\Vodafone < %APPDATA%\*.exe /s > [2007.10.23 09:27:20 | 000,110,592 | ---- | M] () -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\U3\temp\cleanup.exe [2007.10.23 10:22:56 | 003,350,528 | -H-- | M] (SanDisk Corporation) -- C:\Documents and Settings\Dr. Ulrich Gmelin\Application Data\U3\temp\Launchpad Removal.exe < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2009.08.13 21:34:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys [2009.08.14 06:54:59 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys [2009.08.13 21:34:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys [2009.08.14 06:54:59 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys [2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys [2004.08.04 08:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys [2004.08.04 08:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\AGP440.SYS < MD5 for: ATAPI.SYS > [2003.03.31 21:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys [2009.08.13 21:34:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2009.08.14 06:54:59 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2009.08.13 21:34:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys [2009.08.14 06:54:59 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys [2004.08.04 07:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys < MD5 for: EVENTLOG.DLL > [2008.04.14 02:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008.04.14 02:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll [2004.08.04 09:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll < MD5 for: NETLOGON.DLL > [2008.04.14 02:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll [2008.04.14 02:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll [2004.08.04 09:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll < MD5 for: SCECLI.DLL > [2004.08.04 09:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll [2008.04.14 02:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll [2008.04.14 02:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll < MD5 for: USER32.DLL > [2005.03.02 20:19:56 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=1800F293BCCC8EDE8A70E12B88D80036 -- C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\user32.dll [2005.03.02 20:20:03 | 000,561,152 | ---- | M] (Microsoft Corporation) MD5=74202EB1BD67E8BE9509E38C8D2234B0 -- C:\WINDOWS\SoftwareDistribution\Download\58bffe479c581eda56fcf7412cce5cc0\sp1qfe\user32.dll [2005.03.02 20:20:03 | 000,561,152 | ---- | M] (Microsoft Corporation) MD5=74202EB1BD67E8BE9509E38C8D2234B0 -- C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp1qfe\user32.dll [2008.04.14 02:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\ServicePackFiles\i386\user32.dll [2008.04.14 02:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll [2004.08.04 09:56:46 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\WINDOWS\$NtServicePackUninstall$\user32.dll [2005.03.02 20:09:30 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=DE2DB164BBB35DB061AF0997E4499054 -- C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\user32.dll < MD5 for: USERINIT.EXE > [2004.08.04 09:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe [2008.04.14 02:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe [2008.04.14 02:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe < MD5 for: WINLOGON.EXE > [2004.08.04 09:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe [2008.04.14 02:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe [2008.04.14 02:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe < MD5 for: WS2IFSL.SYS > [2003.03.31 21:00:00 | 000,012,032 | ---- | M] (Microsoft Corporation) MD5=6ABE6E225ADB5A751622A9CC3BC19CE8 -- C:\WINDOWS\system32\dllcache\ws2ifsl.sys [2003.03.31 21:00:00 | 000,012,032 | ---- | M] (Microsoft Corporation) MD5=6ABE6E225ADB5A751622A9CC3BC19CE8 -- C:\WINDOWS\system32\drivers\ws2ifsl.sys < %systemroot%\system32\drivers\*.sys /lockedfiles > < %systemroot%\System32\config\*.sav > [2009.08.13 21:01:31 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav [2009.08.13 21:01:31 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav [2009.08.13 21:01:31 | 000,421,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > [2003.03.31 21:00:00 | 000,458,752 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\sysadt.dll [7 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] ========== Alternate Data Streams ========== @Alternate Data Stream - 208 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A24211BA < End of report > |
|
16.09.2010, 18:43
| #5 |
| | Trojan.Generic.4060291 entfernen Extras.txt: OTL EXTRAS Logfile: Code:
ATTFilter OTL Extras logfile created on: 16.09.2010 19:30:36 - Run 2
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Dr. Ulrich Gmelin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
1.023,00 Mb Total Physical Memory | 451,00 Mb Available Physical Memory | 44,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 79,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 48,99 Gb Free Space | 65,75% Space Free | Partition Type: NTFS
Drive D: | 6,53 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: LAPTOP-GMELIN
Current User Name: Dr. Ulrich Gmelin
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
[HKEY_USERS\S-1-5-21-1454471165-1957994488-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htafile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"13364:UDP" = 13364:UDP:*:Enabled:Print Server Utility
"13621:UDP" = 13621:UDP:*:Enabled:MFP Bot Utility
"13107:UDP" = 13107:UDP:*:Enabled:Print Server Utility
"69:UDP" = 69:UDP:*:Enabled:Print Server Utility
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"13364:UDP" = 13364:UDP:*:Enabled:Print Server Utility
"13621:UDP" = 13621:UDP:*:Enabled:MFP Bot Utility
"13107:UDP" = 13107:UDP:*:Enabled:Print Server Utility
"69:UDP" = 69:UDP:*:Enabled:Print Server Utility
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- File not found
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Steam\SteamApps\common\jedi academy\GameData\jasp.exe" = C:\Program Files\Steam\SteamApps\common\jedi academy\GameData\jasp.exe:*:Enabled:Star Wars Jedi Knight: Jedi Academy -- (Activision Inc)
"C:\Program Files\Steam\SteamApps\common\jedi academy\GameData\jamp.exe" = C:\Program Files\Steam\SteamApps\common\jedi academy\GameData\jamp.exe:*:Enabled:Star Wars Jedi Knight: Jedi Academy -- (Activision Inc)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04830D0F-F980-4EC0-89F1-594F2FD2A1B5}" = ElsterFormular 2008/2009
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0DD140D3-9563-481E-AA75-BA457CBDAEF2}" = PC Inspector File Recovery
"{18E65799-76BD-46EF-9E53-972FE5A40736}" = Opera 10.62
"{26A24AE4-039D-4CA4-87B4-2F83216013F0}" = Java(TM) 6 Update 13
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java(TM) 6 Update 21
"{32178A6E-5DE4-443E-AA50-8FFFD7CCC32A}" = Fritz10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A5A427F-BA39-4BF0-9A47-9999FBE60C9F}" = Visual C++ Runtime for Dragon NaturallySpeaking
"{56A20A80-9582-4016-8022-2F103B73A983}" = ASKA SmartMike
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}" = SSH Secure Shell
"{8F5B91A9-164F-4624-AD17-D8A220562544}" = Fritz10
"{90535871-81B9-4D99-8A13-A7EE97F2D7FE}" = Bluetooth by hp
"{93CF9FA6-2A5E-4F8E-923E-F7D8741CB312}" = BabasChess
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = RecordNow!
"{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}" = Realtek RTL8139/810x Fast Ethernet NIC Driver Setup
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD
"{99E862CC-6F69-4D39-99AA-DBF71BF3B585}" = OpenOffice.org 3.1
"{A053F79A-9618-46F2-AD41-C33C3FB3B6D8}" = PrintServer Utilities
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.4 - Deutsch
"{BDE813B0-BF65-11D2-92B4-0060B0686AFB}" = SpeechMike Application
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2D129C0-7508-11DF-9F1B-005056806466}" = Google Earth
"{C9A87D86-FDFD-418B-BF96-EF09320973B3}" = PC Inspector smart recovery
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD815603-AB71-4CFB-B3AC-522298037ACC}" = W83L518D
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E2E7A0E8-77C4-495F-8FA3-63DAEDAA2DB3}" = F-Secure PSC Prerequisites
"{E3B99F3D-9856-482A-9048-305E28E2510C}" = Vodafone Mobile Connect Lite
"{E7712E53-7A7F-46EB-AA13-70D5987D30F2}" = Dragon NaturallySpeaking 10
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{EAFEF30E-3789-49C7-A6D9-77C12E005BAC}" = Safari
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"All ATI Software" = ATI - Dienstprogramm zur Deinstallation der Software
"ATI Display Driver" = ATI Display Driver
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Driver
"BurnAware Free_is1" = BurnAware Free 2.4.2
"Databuch" = Databuch
"ElsterFormular 11.3.0.4235" = ElsterFormular
"F-Secure Product 444" = F-Secure Internet Security 2010
"Hotspot_Shield Toolbar" = Hotspot_Shield Toolbar
"HotspotShield" = Hotspot Shield 1.49
"IrfanView" = IrfanView (remove only)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PraxisOrganizer" = PraxisOrganizer
"Steam App 6020" = Star Wars Jedi Knight: Jedi Academy
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 09.09.2010 06:18:49 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.
Error - 09.09.2010 06:18:49 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.
Error - 09.09.2010 07:35:36 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.
Error - 09.09.2010 07:35:36 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.
Error - 09.09.2010 08:13:49 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.
Error - 09.09.2010 08:13:49 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.
Error - 09.09.2010 09:14:36 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.
Error - 09.09.2010 09:14:36 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.
Error - 09.09.2010 10:10:49 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.
Error - 09.09.2010 10:10:49 | Computer Name = LAPTOP-GMELIN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.
[ System Events ]
Error - 13.09.2010 12:13:11 | Computer Name = LAPTOP-GMELIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.34.48.32 for the Network Card with network
address 00FF0AC17DA8 has been denied by the DHCP server 10.46.87.254 (The DHCP Server
sent a DHCPNACK message).
Error - 14.09.2010 00:42:28 | Computer Name = LAPTOP-GMELIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.46.80.15 for the Network Card with network
address 00FF0AC17DA8 has been denied by the DHCP server 10.48.31.254 (The DHCP Server
sent a DHCPNACK message).
Error - 14.09.2010 05:17:55 | Computer Name = LAPTOP-GMELIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.48.24.76 for the Network Card with network
address 00FF0AC17DA8 has been denied by the DHCP server 10.2.31.254 (The DHCP Server
sent a DHCPNACK message).
Error - 14.09.2010 06:28:12 | Computer Name = LAPTOP-GMELIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.2.24.80 for the Network Card with network
address 00FF0AC17DA8 has been denied by the DHCP server 10.6.63.254 (The DHCP Server
sent a DHCPNACK message).
Error - 14.09.2010 07:55:52 | Computer Name = LAPTOP-GMELIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.6.56.19 for the Network Card with network
address 00FF0AC17DA8 has been denied by the DHCP server 10.12.39.254 (The DHCP Server
sent a DHCPNACK message).
Error - 15.09.2010 00:29:45 | Computer Name = LAPTOP-GMELIN | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Windows Internet Explorer 7 for Windows XP.
Error - 15.09.2010 00:59:33 | Computer Name = LAPTOP-GMELIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.12.32.17 for the Network Card with network
address 00FF0AC17DA8 has been denied by the DHCP server 10.62.15.254 (The DHCP Server
sent a DHCPNACK message).
Error - 15.09.2010 12:39:41 | Computer Name = LAPTOP-GMELIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.62.8.55 for the Network Card with network
address 00FF0AC17DA8 has been denied by the DHCP server 10.14.71.254 (The DHCP Server
sent a DHCPNACK message).
Error - 15.09.2010 14:56:33 | Computer Name = LAPTOP-GMELIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.14.64.4 for the Network Card with network
address 00FF0AC17DA8 has been denied by the DHCP server 10.35.23.254 (The DHCP Server
sent a DHCPNACK message).
Error - 16.09.2010 00:52:50 | Computer Name = LAPTOP-GMELIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.35.16.96 for the Network Card with network
address 00FF0AC17DA8 has been denied by the DHCP server 10.51.23.254 (The DHCP Server
sent a DHCPNACK message).
< End of report >
|
|
16.09.2010, 18:52
| #6 |
| /// Malware-holic | Trojan.Generic.4060291 entfernen welche f-secure version nutzt du? bitte erstelle und poste ein combofix log. Ein Leitfaden und Tutorium zur Nutzung von ComboFix |
|
16.09.2010, 19:20
| #7 |
| | Trojan.Generic.4060291 entfernen F secure Internet security 2010 (logfile kommt noch) |
|
16.09.2010, 19:25
| #8 |
| /// Malware-holic | Trojan.Generic.4060291 entfernen ok, da machen wir noch ein upgrade auf die version 2011 |
|
16.09.2010, 20:18
| #9 |
| | Trojan.Generic.4060291 entfernen Hier das combofixlogfile Combofix Logfile: Code:
ATTFilter ComboFix 10-09-16.03 - Dr. Ulrich Gmelin 16.09.2010 20:42:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1033.18.1023.554 [GMT 2:00]
ausgeführt von:: c:\documents and settings\Dr. Ulrich Gmelin\Desktop\ComboFix.exe
AV: F-Secure Internet Security 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\LOG608D.tmp
c:\windows\system\bantam.dll
c:\windows\system\blw32.dll
c:\windows\system\idapi32.dll
c:\windows\system\idodbc32.dll
c:\windows\system\idr20007.dll
c:\windows\system\idr20009.dll
.
((((((((((((((((((((((( Dateien erstellt von 2010-08-16 bis 2010-09-16 ))))))))))))))))))))))))))))))
.
2010-09-16 11:34 . 2010-09-16 11:34 -------- d-----w- c:\program files\Enigma Software Group
2010-09-16 11:34 . 2010-09-16 11:49 -------- d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP
2010-09-16 11:33 . 2010-09-16 11:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-15 05:46 . 2010-09-16 04:48 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\SSH
2010-09-15 05:44 . 2010-09-15 05:45 -------- d-----w- c:\program files\SSH Secure Shell
2010-09-15 05:43 . 2010-09-15 05:43 -------- d-----w- c:\documents and settings\DR6590~1~ULR\LOCALS~1
2010-09-15 05:43 . 2010-09-15 05:43 -------- d-----w- c:\documents and settings\DR6590~1~ULR
2010-09-14 19:29 . 2010-09-14 20:04 -------- d-----w- c:\program files\SSHTunnelClient
2010-09-07 18:39 . 2010-09-07 18:39 -------- d-----w- c:\program files\Conduit
2010-09-07 18:39 . 2010-09-07 18:39 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Conduit
2010-09-07 18:39 . 2010-09-16 11:47 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Hotspot_Shield
2010-09-07 18:39 . 2010-09-16 11:48 -------- d-----w- c:\program files\Hotspot_Shield
2010-09-07 18:36 . 2010-09-07 18:39 -------- d-----w- C:\Hotspot Shield
2010-09-07 18:36 . 2010-09-07 18:39 -------- d-----w- c:\program files\Hotspot Shield
2010-09-01 08:00 . 2010-09-01 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Vodafone
2010-09-01 07:59 . 2010-09-01 07:59 -------- d-----w- c:\program files\Vodafone
2010-08-28 19:38 . 2000-10-02 10:27 125712 ----a-w- c:\windows\system32\VB6DE.DLL
2010-08-28 19:38 . 1998-06-17 22:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-08-28 19:38 . 2010-08-28 19:38 -------- d-----w- c:\program files\Convar
2010-08-28 19:38 . 2002-02-28 07:46 217088 ----a-w- c:\windows\system32\DartSock.dll
2010-08-28 19:38 . 2002-02-21 08:12 118784 ----a-w- c:\windows\system32\DartWeb.dll
2010-08-28 19:38 . 1998-06-13 20:53 44544 ----a-w- c:\windows\system32\Gif89.dll
2010-08-28 19:38 . 2003-07-18 11:58 516784 ----a-r- c:\windows\system32\XceedCry.dll
2010-08-28 19:31 . 2010-08-28 19:31 -------- d-----w- c:\program files\PC Inspector File Recovery
2010-08-28 17:51 . 2010-08-28 19:30 -------- d-----w- c:\program files\Stellar Phoenix Photo Recovery
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-16 13:37 . 2009-08-14 14:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-16 12:08 . 2010-07-22 14:04 -------- d-----w- c:\program files\Steam
2010-09-16 11:53 . 2009-08-14 05:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-16 10:26 . 2009-08-14 14:52 1 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-16 07:32 . 2009-09-06 16:45 1235 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\SAS7_000.DAT
2010-09-15 05:45 . 2009-08-13 17:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-09 12:27 . 2009-09-14 09:33 -------- d-----w- c:\program files\Opera
2010-09-01 09:39 . 2010-05-17 18:33 -------- d-----w- c:\program files\MWconn
2010-08-31 10:00 . 2009-08-13 18:27 41624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-08-29 06:15 . 2010-03-04 16:39 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\U3
2010-08-28 19:20 . 2009-08-13 19:16 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\F-Secure
2010-08-17 13:17 . 2003-03-31 19:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-15 08:10 . 2009-08-13 17:25 87340 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-08-08 09:53 . 2010-08-08 09:53 61440 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7ddcd765-n\decora-sse.dll
2010-08-08 09:53 . 2010-08-08 09:53 503808 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5d04deb7-n\msvcp71.dll
2010-08-08 09:53 . 2010-08-08 09:53 499712 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5d04deb7-n\jmc.dll
2010-08-08 09:53 . 2010-08-08 09:53 348160 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5d04deb7-n\msvcr71.dll
2010-08-08 09:53 . 2010-08-08 09:53 12800 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7ddcd765-n\decora-d3d.dll
2010-08-07 12:42 . 2010-03-31 18:02 -------- d-----w- c:\program files\Safari
2010-08-07 12:38 . 2010-08-07 12:38 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-08-03 05:19 . 2009-08-13 18:27 -------- d-----w- c:\program files\Common Files\Java
2010-08-03 05:19 . 2009-08-13 18:27 -------- d-----w- c:\program files\Java
2010-07-25 16:37 . 2010-04-03 12:50 14776 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-24 14:00 . 2010-03-23 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-24 14:00 . 2010-03-23 14:56 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Skype
2010-07-24 13:56 . 2010-03-23 14:59 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\skypePM
2010-07-22 15:49 . 2003-03-31 19:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-08-14 05:33 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 03:00 . 2010-06-25 05:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:31 . 2003-03-31 19:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-23 13:44 . 2003-03-31 19:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 02:48 . 2010-06-23 02:48 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2010-06-23 02:47 . 2010-06-23 02:47 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-06-21 15:27 . 2003-03-31 19:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
2010-09-16 11:48 2735200 ----a-w- c:\program files\Hotspot_Shield\tbHot1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C95A4E8E-816D-4655-8C79-D736DA1ADB6D}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-08-28 1242448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-03 88267]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-23 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-23 536576]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-02 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2009-07-09 199264]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2009-07-09 2349664]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"PspContr"="PspContr.Exe" [2003-10-01 376832]
"PspUsbCf"="PspUsbCf.exe" [2003-10-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-04-20 2327552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Dr. Ulrich Gmelin\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\jedi academy\\GameData\\jasp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\jedi academy\\GameData\\jamp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13621:UDP"= 13621:UDP:MFP Bot Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [13.08.2009 20:27 41624]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [13.08.2009 20:19 80000]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [13.08.2009 20:18 68064]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [20.04.2009 17:20 9216]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [13.08.2009 20:17 124072]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [13.08.2009 19:48 27008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15.07.2010 13:20 136176]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [13.08.2009 20:18 58024]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17.05.2010 20:05 7680]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [17.05.2010 20:07 110592]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [17.05.2010 20:06 105344]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [13.08.2009 20:17 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [13.08.2009 20:17 25184]
--- Andere Dienste/Treiber im Speicher ---
*Deregistered* - winevvii
.
Inhalt des "geplante Tasks" Ordners
2010-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
2010-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 11:19]
2010-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 11:19]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552
IE: Senden an &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
TCP: {C789C896-85AD-4677-AFA1-B37C64724A90} = 192.168.0.1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
HKCU-Run-RecordNow! - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-09-16 20:48
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????4?|H]?|?????? ???B???????????????B? ??????
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
- - - - - - - > 'winlogon.exe'(1704)
c:\windows\system32\COMRes.dll
c:\program files\f-secure internet security\hips\fshook32.dll
- - - - - - - > 'lsass.exe'(1760)
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
c:\program files\f-secure internet security\hips\fshook32.dll
.
Zeit der Fertigstellung: 2010-09-16 20:50:44
ComboFix-quarantined-files.txt 2010-09-16 18:50
Vor Suchlauf: 52.499.468.288 bytes free
Nach Suchlauf: 54.395.953.152 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 2259CDAF3EEAF7452945E9137CBF17E0
|
|
16.09.2010, 20:22
| #10 |
| /// Malware-holic | Trojan.Generic.4060291 entfernen Lade SystemLook von jpshortstuff herunter und speichere das Tool auf dem Desktop. http://jpshortstuff.247fixes.com/SystemLook.exe Doppelklick auf die SystemLook.exe, um das Tool zu starten. user von windows seven und vista rechtsklick und als admin ausführen. kopiere ein: :filefind sysdat.dll Wenn der Suchlauf beendet ist, wird sich Dein Editor mit den Ergebnissen öffnen, diese hier in den Thread posten. Die Ergebnisse werden auf dem Desktop als SystemLook.txt gespeichert, diese posten. |
|
16.09.2010, 20:41
| #11 |
| | Trojan.Generic.4060291 entfernen SystemLook 04.09.10 by jpshortstuff Log created at 21:38 on 16/09/2010 by Dr. Ulrich Gmelin Administrator - Elevation successful ========== filefind ========== Searching for "sysdat.dll" No files found. -= EOF =- |
|
17.09.2010, 08:08
| #12 |
| | Trojan.Generic.4060291 entfernen Die sysdat.dll wurde nicht gefunden, auch nicht durch die Windows - Suche. Beim Start des IE wird dennoch weiterhin Alarm geschlagen. |
|
17.09.2010, 08:51
| #13 |
| | Trojan.Generic.4060291 entfernen Mist!!!!! Ich habe Mist gebaut. Die Datei heisst sysadt.dll (ist aber auch link!). Die datei entsteht nach Neustart des Computers immer wieder neu, um dann nach IE-Start von Fsecure wieder gelöscht zu werden. Hier das logfile: SystemLook 04.09.10 by jpshortstuff Log created at 09:47 on 17/09/2010 by Dr. Ulrich Gmelin Administrator - Elevation successful ========== filefind ========== Searching for "sysadt.dll" C:\WINDOWS\system32\sysadt.dll ------- 458752 bytes [19:00 31/03/2003] [19:00 31/03/2003] (Unable to calculate MD5) -= EOF =- |
|
17.09.2010, 10:13
| #14 |
| /// Malware-holic | Trojan.Generic.4060291 entfernen passt schon. start programme zubehör editor, kopiere rein: Killall:: Rootkit:: C:\WINDOWS\system32\sysadt.dll Datei speichern unter, typ alle dateien, speicherort, dort wo sich combofix.exe befindet. name cfscript.txt ziehe cfscript auf combofix, programm startet, log posten. |
|
17.09.2010, 11:49
| #15 |
| | Trojan.Generic.4060291 entfernen Da isses Combofix Logfile: Code:
ATTFilter ComboFix 10-09-16.03 - Dr. Ulrich Gmelin 17.09.2010 12:35:35.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1033.18.1023.716 [GMT 2:00]
ausgeführt von:: c:\documents and settings\Dr. Ulrich Gmelin\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\documents and settings\Dr. Ulrich Gmelin\Desktop\cfscript.txt
AV: F-Secure Internet Security 2011 10.50 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2011 10.50 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
((((((((((((((((((((((( Dateien erstellt von 2010-08-17 bis 2010-09-17 ))))))))))))))))))))))))))))))
.
2010-09-16 11:34 . 2010-09-16 11:34 -------- d-----w- c:\program files\Enigma Software Group
2010-09-16 11:34 . 2010-09-16 11:49 -------- d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP
2010-09-16 11:33 . 2010-09-16 11:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-15 05:46 . 2010-09-16 04:48 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\SSH
2010-09-15 05:44 . 2010-09-15 05:45 -------- d-----w- c:\program files\SSH Secure Shell
2010-09-15 05:43 . 2010-09-15 05:43 -------- d-----w- c:\documents and settings\DR6590~1~ULR\LOCALS~1
2010-09-15 05:43 . 2010-09-15 05:43 -------- d-----w- c:\documents and settings\DR6590~1~ULR
2010-09-14 19:29 . 2010-09-14 20:04 -------- d-----w- c:\program files\SSHTunnelClient
2010-09-07 18:39 . 2010-09-07 18:39 -------- d-----w- c:\program files\Conduit
2010-09-07 18:39 . 2010-09-07 18:39 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Conduit
2010-09-07 18:39 . 2010-09-17 05:57 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Hotspot_Shield
2010-09-07 18:39 . 2010-09-16 11:48 -------- d-----w- c:\program files\Hotspot_Shield
2010-09-07 18:36 . 2010-09-07 18:39 -------- d-----w- C:\Hotspot Shield
2010-09-07 18:36 . 2010-09-07 18:39 -------- d-----w- c:\program files\Hotspot Shield
2010-09-01 08:00 . 2010-09-01 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Vodafone
2010-09-01 07:59 . 2010-09-01 07:59 -------- d-----w- c:\program files\Vodafone
2010-08-28 19:38 . 2000-10-02 10:27 125712 ----a-w- c:\windows\system32\VB6DE.DLL
2010-08-28 19:38 . 1998-06-17 22:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-08-28 19:38 . 2010-08-28 19:38 -------- d-----w- c:\program files\Convar
2010-08-28 19:38 . 2002-02-28 07:46 217088 ----a-w- c:\windows\system32\DartSock.dll
2010-08-28 19:38 . 2002-02-21 08:12 118784 ----a-w- c:\windows\system32\DartWeb.dll
2010-08-28 19:38 . 1998-06-13 20:53 44544 ----a-w- c:\windows\system32\Gif89.dll
2010-08-28 19:38 . 2003-07-18 11:58 516784 ----a-r- c:\windows\system32\XceedCry.dll
2010-08-28 19:31 . 2010-08-28 19:31 -------- d-----w- c:\program files\PC Inspector File Recovery
2010-08-28 17:51 . 2010-08-28 19:30 -------- d-----w- c:\program files\Stellar Phoenix Photo Recovery
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 10:42 . 2010-07-22 14:04 -------- d-----w- c:\program files\Steam
2010-09-17 08:48 . 2009-08-14 14:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-17 08:19 . 2009-08-13 18:27 41624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-09-17 08:15 . 2009-08-13 18:17 -------- d-----w- c:\program files\F-Secure Internet Security
2010-09-17 08:11 . 2009-08-13 18:19 81800 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-09-17 08:08 . 2009-08-13 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2010-09-17 08:03 . 2009-08-14 05:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-17 07:32 . 2009-09-06 16:45 1235 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\SAS7_000.DAT
2010-09-17 07:13 . 2009-08-14 14:52 1 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-15 05:45 . 2009-08-13 17:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-09 12:27 . 2009-09-14 09:33 -------- d-----w- c:\program files\Opera
2010-09-01 09:39 . 2010-05-17 18:33 -------- d-----w- c:\program files\MWconn
2010-08-29 06:15 . 2010-03-04 16:39 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\U3
2010-08-28 19:20 . 2009-08-13 19:16 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\F-Secure
2010-08-17 13:17 . 2003-03-31 19:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-15 08:10 . 2009-08-13 17:25 87340 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-08-08 09:53 . 2010-08-08 09:53 61440 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7ddcd765-n\decora-sse.dll
2010-08-08 09:53 . 2010-08-08 09:53 503808 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5d04deb7-n\msvcp71.dll
2010-08-08 09:53 . 2010-08-08 09:53 499712 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5d04deb7-n\jmc.dll
2010-08-08 09:53 . 2010-08-08 09:53 348160 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5d04deb7-n\msvcr71.dll
2010-08-08 09:53 . 2010-08-08 09:53 12800 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7ddcd765-n\decora-d3d.dll
2010-08-07 12:42 . 2010-03-31 18:02 -------- d-----w- c:\program files\Safari
2010-08-07 12:38 . 2010-08-07 12:38 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-08-03 05:19 . 2009-08-13 18:27 -------- d-----w- c:\program files\Common Files\Java
2010-08-03 05:19 . 2009-08-13 18:27 -------- d-----w- c:\program files\Java
2010-07-25 16:37 . 2010-04-03 12:50 14776 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-24 14:00 . 2010-03-23 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-24 14:00 . 2010-03-23 14:56 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Skype
2010-07-24 13:56 . 2010-03-23 14:59 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\skypePM
2010-07-22 15:49 . 2003-03-31 19:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-08-14 05:33 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 03:00 . 2010-06-25 05:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:31 . 2003-03-31 19:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-23 13:44 . 2003-03-31 19:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 02:48 . 2010-06-23 02:48 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2010-06-23 02:47 . 2010-06-23 02:47 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-06-21 15:27 . 2003-03-31 19:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
2010-09-16 11:48 2735200 ----a-w- c:\program files\Hotspot_Shield\tbHot1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C95A4E8E-816D-4655-8C79-D736DA1ADB6D}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-08-28 1242448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-03 88267]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-23 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-23 536576]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-02 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2010-09-17 200360]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2010-09-17 1654440]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"PspContr"="PspContr.Exe" [2003-10-01 376832]
"PspUsbCf"="PspUsbCf.exe" [2003-10-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-04-20 2327552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Dr. Ulrich Gmelin\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\jedi academy\\GameData\\jasp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\jedi academy\\GameData\\jamp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13621:UDP"= 13621:UDP:MFP Bot Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [13.08.2009 20:27 41624]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [13.08.2009 20:19 81800]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [13.08.2009 20:18 71496]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [20.04.2009 17:20 9216]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [13.08.2009 20:17 124072]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [13.08.2009 20:18 58024]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [13.08.2009 19:48 27008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15.07.2010 13:20 136176]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17.05.2010 20:05 7680]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [17.05.2010 20:07 110592]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [17.05.2010 20:06 105344]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [13.08.2009 20:17 40872]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [13.08.2009 20:17 26280]
--- Andere Dienste/Treiber im Speicher ---
*Deregistered* - winevvii
.
Inhalt des "geplante Tasks" Ordners
2010-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 11:19]
2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 11:19]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552
IE: Senden an &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
TCP: {C789C896-85AD-4677-AFA1-B37C64724A90} = 192.168.0.1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-09-17 12:41
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?9?4?4??????? ???B???????????????B? ??????
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
- - - - - - - > 'lsass.exe'(1744)
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
- - - - - - - > 'explorer.exe'(3564)
c:\program files\F-Secure Internet Security\Spam Control\fsscoepl.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\System32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\AGRSMMSG.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure Internet Security\Common\FSMA32.EXE
c:\program files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\F-Secure Internet Security\Common\FSHDLL32.EXE
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\windows\system32\PspContr.Exe
c:\program files\Hotspot Shield\bin\hsswd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\program files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fssm32.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-09-17 12:46:16 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-09-17 10:46
ComboFix2.txt 2010-09-16 18:50
Vor Suchlauf: 54.130.880.512 bytes free
Nach Suchlauf: 54.116.417.536 bytes free
- - End Of File - - F4D806EBC4A3C675CD25A1848DEF5071
|
|
| Themen zu Trojan.Generic.4060291 entfernen |
| .dll, entfern, entferne, entfernen, erneute, f-secure, gestartet, kriege, melde, opera, sofort, system, troja, trojan.generic., versehentlich, virusbefall, wiederholt |
Linear-Darstellung
