Infiziert mit TR/Dldr.Renos.CH und TR/Crypt.XPACK.Gen2

CH-Martin · 12.10.2010, 09:33

Guten Morgen
Offenbar habe ich mir was böses eingefangen, bemerkt habe ich das auf Facebook, als jeder Beitrag den ich schrieb beim Posten zu einem Link wurde, der auf ein Video geht.
Ich habe HijackThis laufen lassen:

HiJackthis Logfile:

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:40, on 12.10.2010
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\pdf24\pdf24.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe
C:\Users\Studer\wrvoul.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [bphus] C:\Users\Studer\bphus.exe /a
O4 - HKCU\..\Run: [nimit] C:\Users\Studer\nimit.exe /q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [wrvoul] C:\Users\Studer\wrvoul.exe /u
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: Logitech Touch Mouse Server.lnk = C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: An vorhandenes PDF anfügen - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix: 
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 7964 bytes

--- --- ---

Habe leider grad nichts passendes zu meinem Problem gefunden hier, und bitte euch um Hilfe. Besten Dank, und Gruss

Edit: Spybot search&Destroy habe ich deinstalliert

Habe noch Malwarebytes laufen lassen:

Zitat:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4799

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

12.10.2010 10:43:53
mbam-log-2010-10-12 (10-43-53).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 135546
Laufzeit: 5 Minute(n), 32 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$R3UOEN4.exe (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$RBND7AD.exe (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$REWCNHA.scr (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$RFNKQ0W.exe (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$RH1KD3I.scr (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$RH8H4MF.scr (P2P.Worm) -> Quarantined and deleted successfully.

Chris4You · 12.10.2010, 09:42

Hi,

here we go...

Bitte folgende Files prüfen:

Dateien Online überprüfen lassen:

Als erstes versteckte Dateien anzeigen lassen! (nur Punkt 1 durchführen!)

Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:

Code:

ATTFilter

C:\Program Files\pdf24\pdf24.exe
C:\Users\Studer\wrvoul.exe
C:\Users\Studer\nimit.exe
C:\Users\Studer\bphus.exe
C:\Users\Studer\wrvoul.exe

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)

Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.

Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Schauen wir mal was MAM dazu sagt ;o):

Malwarebytes Antimalware (MAM)
Anleitung&Download hier: http://www.trojaner-board.de/51187-m...i-malware.html
Falls der Download nicht klappt, bitte hierüber eine generische Version runterladen:
http://filepony.de/download-chameleon/
Danach bitte update der Signaturdateien (Reiter "Update" -> Suche nach Aktualisierungen")
Fullscan und alles bereinigen lassen! Log posten.

OTL
Lade Dir OTL von Oldtimer herunter (http://filepony.de/download-otl/) und speichere es auf Deinem Desktop

Doppelklick auf die OTL.exe

Vista/Win7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen

Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output

Unter Extra Registry, wähle bitte Use SafeList

Klicke nun auf Run Scan links oben

Wenn der Scan beendet wurde werden 2 Logfiles erstellt (OTL.TXT und EXTRAS.TXT)

Poste die Logfiles hier in den Thread

chris

CH-Martin · 12.10.2010, 09:45

Habe noch Malwarebytes laufen lassen:

Zitat:

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Datenbank Version: 4799

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

12.10.2010 10:43:53
mbam-log-2010-10-12 (10-43-53).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 135546
Laufzeit: 5 Minute(n), 32 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$R3UOEN4.exe (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$RBND7AD.exe (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$REWCNHA.scr (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$RFNKQ0W.exe (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$RH1KD3I.scr (P2P.Worm) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2806580214-3656077282-495966031-1000\$RH8H4MF.scr (P2P.Worm) -> Quarantined and deleted successfully.

Chris4You · 12.10.2010, 09:53

Hi,

lass die angegebenen Dateien bei virustotal prüfen... scheint ein Wurm zu sein...
Will sehen ob die Dateien erkannt werden, sonst schicken wir sie an die AV-Hersteller...
Dann MAM im Fullscan-Modus laufen lassen, Log posten...

Wenn mam sie nicht erkennt fixen wir per hand..

Poste auch noch das OTL-Log...

chris

CH-Martin · 12.10.2010, 12:54

Hallo und danke für die schnelle Hilfe.

Von diesen Dateien die ich mit Virustotal überprüfen sollte, habe ich nur die 1. von Dir angegebene Gefunden, pdf24.
Das Log:

Zitat:

C:\Program Files\pdf24\pdf24.exe:

Antivirus Version Last Update Result
AhnLab-V3 2010.10.12.02 2010.10.12 -
AntiVir 7.10.12.188 2010.10.12 -
Antiy-AVL 2.0.3.7 2010.10.12 -
Authentium 5.2.0.5 2010.10.12 -
Avast 4.8.1351.0 2010.10.12 -
Avast5 5.0.594.0 2010.10.12 -
AVG 9.0.0.851 2010.10.12 -
BitDefender 7.2 2010.10.12 -
CAT-QuickHeal 11.00 2010.10.12 -
ClamAV 0.96.2.0-git 2010.10.12 -
Comodo 6362 2010.10.12 -
DrWeb 5.0.2.03300 2010.10.12 -
Emsisoft 5.0.0.50 2010.10.12 -
eSafe 7.0.17.0 2010.10.11 -
eTrust-Vet 36.1.7906 2010.10.12 -
F-Prot 4.6.2.117 2010.10.11 -
F-Secure 9.0.15370.0 2010.10.12 -
Fortinet 4.2.249.0 2010.10.12 -
GData 21 2010.10.12 -
Ikarus T3.1.1.90.0 2010.10.12 -
Jiangmin 13.0.900 2010.10.12 -
K7AntiVirus 9.65.2724 2010.10.11 -
Kaspersky 7.0.0.125 2010.10.12 -
McAfee 5.400.0.1158 2010.10.12 -
McAfee-GW-Edition 2010.1C 2010.10.12 -
Microsoft 1.6201 2010.10.12 -
NOD32 5523 2010.10.12 -
Norman 6.06.07 2010.10.11 -
nProtect 2010-10-12.01 2010.10.12 -
Panda 10.0.2.7 2010.10.12 -
PCTools 7.0.3.5 2010.10.12 -
Prevx 3.0 2010.10.12 -
Rising 22.69.01.04 2010.10.12 -
Sophos 4.58.0 2010.10.12 -
Sunbelt 7042 2010.10.12 -
SUPERAntiSpyware 4.40.0.1006 2010.10.12 -
Symantec 20101.2.0.161 2010.10.12 -
TheHacker 6.7.0.1.055 2010.10.12 -
TrendMicro 9.120.0.1004 2010.10.12 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.12 -
VBA32 3.12.14.1 2010.10.11 -
ViRobot 2010.9.25.4060 2010.10.12 -
Additional information
Show all
MD5 : 2079a1c85852e2fe56a917df77d53d58
SHA1 : 86d2f838889eb8aa76859a6ef571f2325aca0478
SHA256: 73aeedaf42896173aee75309c08f262131b8f2efc0c04f09a6475ef88e75d35a

Die anderen sehe ich nicht in meinem (Punkt 1, alle Dateien anzeigen hab ich gemacht)

Soll ich mal mit Malwarebytes weitermachen?

Chris4You · 12.10.2010, 13:35

Hi,

warte, wir fahren erst folgende Scripte ab und dann erst MAM mit Fullscann und alles bereinigen lassen...

Also:
Anleitung Avenger (by swandog46)

1.) Lade dir das Tool Avenger und speichere es auf dem Desktop:

2.) Das Programm so einstellen wie es auf dem Bild zu sehen ist.

Kopiere nun folgenden Text in das weiße Feld:
(bei -> "input script here")

Code:

ATTFilter

Files to delete:
C:\Users\Studer\bphus.exe
C:\Users\Studer\nimit.exe
C:\Users\Studer\wrvoul.exe

3.) Schliesse nun alle Programme (vorher notfalls abspeichern!) und Browser-Fenster, nach dem Ausführen des Avengers wird das System neu gestartet.

4.) Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet!

5.) Nachdem das System neu gestartet ist, findest du hier einen Report vom Avenger -> C:\avenger.txt
Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

Hijackthis, fixen:
öffne das HijackThis -- Button "scan" -- vor den nachfolgenden Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten
Beim fixen müssen alle Programme geschlossen sein!
(Falls vorhanden, Teatimer von Spyboot wie folgt deaktivieren:
Modus-->Erweiterte Modus-->Ja-->Werkzeuge-->Resident-->Häkchen entfernen aus der "Resident "TeaTimer" (Schutz aller Systemeinstellungen)->exit)

Code:

ATTFilter

O4 - HKCU\..\Run: [bphus] C:\Users\Studer\bphus.exe /a
O4 - HKCU\..\Run: [nimit] C:\Users\Studer\nimit.exe /q
O4 - HKCU\..\Run: [wrvoul] C:\Users\Studer\wrvoul.exe /u

chris

CH-Martin · 12.10.2010, 15:54

Hallo

Avenger Log:

Zitat:

Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\Users\Studer\bphus.exe" not found!
Deletion of file "C:\Users\Studer\bphus.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Users\Studer\nimit.exe" not found!
Deletion of file "C:\Users\Studer\nimit.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Users\Studer\wrvoul.exe" not found!
Deletion of file "C:\Users\Studer\wrvoul.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Die hier:

Zitat:

O4 - HKCU\..\Run: [bphus] C:\Users\Studer\bphus.exe /a
O4 - HKCU\..\Run: [nimit] C:\Users\Studer\nimit.exe /q
O4 - HKCU\..\Run: [wrvoul] C:\Users\Studer\wrvoul.exe /u

habe ich in der Auswahl von HijackThis nicht gefunden

In meinen eigenen Dateien habe ich 3 .exe Dateien die ich net kenne und die nach jedem Neustart wieder da sind:

Infiziert mit TR/Dldr.Renos.CH und TR/Crypt.XPACK.Gen2-eigene-dat..jpg

Gruss

Chris4You · 12.10.2010, 16:00

Hi,

Combofix
Lade Combo Fix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop.
Antivierenlösung komplett auschalten und zwar so, dass sie sich auch nach einem Reboot NICHT einschaltet!

Achtung: In einigen wenigen Fällen kann es vorkommen, das der Rechner nicht mehr booten kann und Neuaufgesetzt werden muß!

Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen
Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report (ComboFix.txt) angezeigt, den bitte kopieren und in deinem Thread einfuegen.

Danach bitte OTL wie beschrieben durchführen und das Log posten...

chris

CH-Martin · 13.10.2010, 08:18

Guten Morgen. Nun denn:

Combofix:
Combofix Logfile:

Code:

ATTFilter

ComboFix 10-10-12.03 - Studer 13.10.2010   8:27.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.41.1031.18.3326.2707 [GMT 2:00]
ausgeführt von:: c:\users\Studer\Desktop\ComboFix.exe
SP: Windows-Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Studer\AUTORUN.INF
c:\users\Studer\bphusx.exe
c:\users\Studer\fspro.exe
c:\users\Studer\muapev.exe
c:\users\Studer\weort.exe
c:\users\Studer\zwix.exe

.
(((((((((((((((((((((((   Dateien erstellt von 2010-09-13 bis 2010-10-13  ))))))))))))))))))))))))))))))
.

2010-10-13 06:33 . 2010-10-13 06:33    --------    d-----w-    c:\users\Default\AppData\Local\temp
2010-10-12 11:09 . 2010-09-09 22:52    6084944    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{9A58BBDF-2883-49AF-8946-EA906E8A8892}\mpengine.dll
2010-10-12 08:36 . 2010-10-12 08:36    --------    d-----w-    c:\users\Studer\AppData\Roaming\Malwarebytes
2010-10-12 08:36 . 2010-04-29 13:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 08:36 . 2010-10-12 08:36    --------    d-----w-    c:\programdata\Malwarebytes
2010-10-12 08:36 . 2010-10-12 08:36    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-10-12 08:36 . 2010-04-29 13:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-10-12 08:04 . 2010-10-12 08:04    --------    d-----w-    c:\program files\Trend Micro
2010-10-12 06:34 . 2010-10-12 08:19    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-10-12 06:34 . 2010-10-12 08:17    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2010-10-11 21:06 . 2010-10-11 21:12    --------    d-----w-    c:\users\Studer\AppData\Local\Microsoft Games
2010-10-11 20:46 . 2010-10-11 20:46    --------    d-----w-    c:\users\Studer\AppData\Roaming\Nero
2010-10-11 20:38 . 2010-10-12 14:45    --------    d-----w-    c:\users\Studer\Programme
2010-10-11 19:35 . 2010-10-11 19:57    --------    d-----w-    c:\program files\Nero
2010-10-11 19:34 . 2010-10-11 19:45    --------    d-----w-    c:\programdata\Nero
2010-10-11 19:34 . 2010-10-11 20:18    --------    d-----w-    c:\program files\Common Files\Nero
2010-10-10 20:03 . 2010-10-10 20:03    --------    d-----w-    c:\program files\iPod
2010-10-10 20:03 . 2010-10-10 20:03    --------    d-----w-    c:\program files\iTunes
2010-10-07 19:48 . 2010-10-07 19:48    --------    d-----w-    c:\program files\Hobbyist Software
2010-10-03 20:16 . 2010-10-03 20:16    --------    d-----w-    c:\program files\Logitech Touch Mouse Server
2010-09-16 16:04 . 2010-09-16 16:04    --------    d-----w-    c:\program files\Hewlett-Packard
2010-09-16 16:04 . 2010-09-16 16:06    --------    d-----w-    c:\program files\Common Files\HP
2010-09-14 07:07 . 2010-09-14 07:32    --------    d-----w-    c:\users\Studer\AppData\Roaming\Usenet.nl
2010-09-14 07:06 . 2010-09-14 07:07    --------    d-----w-    c:\program files\Usenet.nl
2010-09-14 05:39 . 2010-09-14 05:39    --------    d-----w-    c:\program files\MSXML 4.0
2010-09-13 08:38 . 2010-09-16 16:11    --------    d-----w-    c:\users\Studer\AppData\Roaming\Image Zone Express
2010-09-13 08:38 . 2010-09-13 08:38    --------    d-----w-    c:\users\Studer\AppData\Roaming\Printer Info Cache
2010-09-13 08:24 . 2010-09-13 08:25    --------    d-----w-    c:\program files\pdf24
2010-09-13 08:15 . 2010-09-13 08:15    --------    d-----w-    c:\programdata\FLEXnet
2010-09-13 08:14 . 2006-09-29 04:56    28248    ----a-r-    c:\windows\system32\AdobePDF.dll
2010-09-13 07:49 . 2010-09-13 07:49    --------    d-----w-    c:\programdata\WEBREG
2010-09-13 07:49 . 2010-09-16 16:11    --------    d-----w-    c:\users\Studer\AppData\Roaming\HP
2010-09-13 07:46 . 2010-09-13 07:46    --------    d-----w-    c:\program files\Common Files\Hewlett-Packard
2010-09-13 07:43 . 2006-11-02 09:46    89600    ----a-w-    c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL
2010-09-13 07:39 . 2010-09-16 16:07    --------    d-----w-    c:\program files\HP
2010-09-13 07:36 . 2010-09-16 16:11    --------    d-----w-    c:\programdata\HP
2010-09-13 07:36 . 2006-12-16 06:19    675840    ----a-w-    c:\windows\system32\hpowiav1.dll
2010-09-13 07:36 . 2006-12-16 06:19    303104    ----a-w-    c:\windows\system32\hpovst01.dll
2010-09-13 07:36 . 2006-12-16 06:19    897024    ----a-w-    c:\windows\system32\hpotiop1.dll

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-20 6144000]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"PDFPrint"="c:\program files\pdf24\pdf24.exe" [2010-09-06 204680]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-09-27 240232]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ       HPSLPSVC
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
.
------- Zusätzlicher Suchlauf -------
.
FF - ProfilePath - c:\users\Studer\AppData\Roaming\Mozilla\Firefox\Profiles\k8egaleq.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
Zeit der Fertigstellung: 2010-10-13  08:37:41
ComboFix-quarantined-files.txt  2010-10-13 06:37

Vor Suchlauf: 6 Verzeichnis(se), 157'765'287'936 Bytes frei
Nach Suchlauf: 10 Verzeichnis(se), 165'917'638'656 Bytes frei

- - End Of File - - 6282044BE882C79763C7435FCE9BA7CD

--- --- ---

OTL:
OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 13.10.2010 08:45:49 - Run 1
OTL by OldTimer - Version 3.2.15.1     Folder = C:\Users\Studer\Desktop
Windows Vista Home Premium Edition  (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16982)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 65.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 154.56 Gb Free Space | 51.85% Space Free | Partition Type: NTFS
Drive D: | 698.63 Gb Total Space | 143.07 Gb Free Space | 20.48% Space Free | Partition Type: NTFS
 
Computer Name: STUDER-PC | User Name: Studer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Studer\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\pdf24\pdf24.exe (Geek Software GmbH)
PRC - C:\Programme\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Users\Studer\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Stereo Service) -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (L1E) -- C:\Windows\System32\drivers\L1E60x86.sys (Atheros Communications, Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: firefox@facebook.com:1.5.1
FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:3.6
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.10.10 22:01:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.10.12 16:24:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.10.10 22:01:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
 
[2010.09.07 13:02:13 | 000,000,000 | ---D | M] -- C:\Users\Studer\AppData\Roaming\mozilla\Extensions
[2010.09.07 13:02:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Studer\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010.10.12 22:10:45 | 000,000,000 | ---D | M] -- C:\Users\Studer\AppData\Roaming\mozilla\Firefox\Profiles\k8egaleq.default\extensions
[2010.09.08 19:51:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Studer\AppData\Roaming\mozilla\Firefox\Profiles\k8egaleq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.09.19 12:45:01 | 000,000,000 | ---D | M] (Easy Youtube Video Downloader) -- C:\Users\Studer\AppData\Roaming\mozilla\Firefox\Profiles\k8egaleq.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
[2010.09.11 17:43:52 | 000,000,000 | ---D | M] -- C:\Users\Studer\AppData\Roaming\mozilla\Firefox\Profiles\k8egaleq.default\extensions\fastYoutubeDownloader@yevgenyandrov.net
[2010.09.19 11:55:28 | 000,000,000 | ---D | M] -- C:\Users\Studer\AppData\Roaming\mozilla\Firefox\Profiles\k8egaleq.default\extensions\fbdislike@doweb.fr
[2010.10.08 23:12:14 | 000,000,000 | ---D | M] -- C:\Users\Studer\AppData\Roaming\mozilla\Firefox\Profiles\k8egaleq.default\extensions\firefox@facebook.com
[2010.09.06 15:25:04 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.07.23 02:48:56 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.07.23 02:48:56 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.07.23 02:48:56 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.07.23 02:48:56 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.07.23 02:48:56 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2010.10.13 08:33:16 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [PDFPrint] C:\Programme\pdf24\pdf24.exe (Geek Software GmbH)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Studer\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Studer\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010.10.13 08:37:45 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010.10.13 08:25:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010.10.13 08:25:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010.10.13 08:25:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010.10.13 08:25:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010.10.13 08:25:13 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010.10.13 08:24:17 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010.10.13 08:23:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.10.12 16:55:01 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Users\Studer\Desktop\OTL.exe
[2010.10.12 14:53:24 | 000,000,000 | ---D | C] -- C:\Avenger
[2010.10.12 10:36:44 | 000,000,000 | ---D | C] -- C:\Users\Studer\AppData\Roaming\Malwarebytes
[2010.10.12 10:36:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.10.12 10:36:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.10.12 10:36:36 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.10.12 10:36:36 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.10.12 10:04:09 | 000,000,000 | ---D | C] -- C:\Programme\Trend Micro
[2010.10.12 08:34:02 | 000,000,000 | ---D | C] -- C:\Programme\Spybot - Search & Destroy
[2010.10.12 08:34:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010.10.11 23:06:57 | 000,000,000 | ---D | C] -- C:\Users\Studer\AppData\Local\Microsoft Games
[2010.10.11 22:46:40 | 000,000,000 | ---D | C] -- C:\Users\Studer\AppData\Roaming\Nero
[2010.10.11 22:38:07 | 000,000,000 | ---D | C] -- C:\Users\Studer\Programme
[2010.10.11 21:35:28 | 000,000,000 | ---D | C] -- C:\Programme\Nero
[2010.10.11 21:34:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Nero
[2010.10.11 21:34:40 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Nero
[2010.10.11 21:33:17 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll
[2010.10.11 14:29:05 | 000,000,000 | ---D | C] -- C:\Users\Studer\Documents\My Games
[2010.10.10 22:03:20 | 000,000,000 | ---D | C] -- C:\Programme\iPod
[2010.10.10 22:03:18 | 000,000,000 | ---D | C] -- C:\Programme\iTunes
[2010.10.10 22:01:16 | 000,000,000 | ---D | C] -- C:\Programme\QuickTime
[2010.10.07 21:48:15 | 000,000,000 | ---D | C] -- C:\Programme\Hobbyist Software
[2010.10.03 22:16:48 | 000,000,000 | ---D | C] -- C:\Programme\Logitech Touch Mouse Server
[2010.09.16 18:15:23 | 000,000,000 | ---D | C] -- C:\Users\Studer\Documents\Meine Scans
[2010.09.16 18:07:29 | 000,000,000 | ---D | C] -- C:\ProgramData\HPSSUPPLY
[2010.09.16 18:04:36 | 000,000,000 | ---D | C] -- C:\Programme\Hewlett-Packard
[2010.09.16 18:04:16 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\HP
[2010.09.14 09:07:05 | 000,000,000 | ---D | C] -- C:\Users\Studer\Documents\Usenet.nl
[2010.09.14 09:07:05 | 000,000,000 | ---D | C] -- C:\Users\Studer\AppData\Roaming\Usenet.nl
[2010.09.14 09:06:59 | 000,000,000 | ---D | C] -- C:\Programme\Usenet.nl
[2010.09.14 07:39:02 | 000,000,000 | ---D | C] -- C:\Programme\MSXML 4.0
[2010.09.14 00:33:09 | 000,000,000 | ---D | C] -- C:\Users\Studer\Documents\Rechnungen PDF
[2010.09.13 10:57:28 | 000,000,000 | ---D | C] -- C:\Users\Studer\Documents\Scans von Zeugnissen
[2010.09.13 10:38:12 | 000,000,000 | ---D | C] -- C:\Users\Studer\AppData\Roaming\Printer Info Cache
[2010.09.13 10:38:12 | 000,000,000 | ---D | C] -- C:\Users\Studer\AppData\Roaming\Image Zone Express
[2010.09.13 10:34:46 | 000,000,000 | ---D | C] -- C:\Users\Studer\Documents\pdf24
[2010.09.13 10:24:26 | 000,000,000 | ---D | C] -- C:\Programme\pdf24
[2010.09.13 10:21:08 | 000,000,000 | ---D | C] -- C:\Users\Studer\Documents\Scans
[2010.09.13 10:16:56 | 000,000,000 | ---D | C] -- C:\Users\Studer\Documents\Updater5
[2010.09.13 10:15:31 | 000,000,000 | ---D | C] -- C:\ProgramData\FLEXnet
[2010.09.13 10:14:37 | 000,028,248 | R--- | C] (Adobe Systems Incorporated.) -- C:\Windows\System32\AdobePDF.dll
[2010.09.13 09:49:45 | 000,000,000 | ---D | C] -- C:\ProgramData\WEBREG
[2010.09.13 09:49:26 | 000,000,000 | ---D | C] -- C:\Users\Studer\AppData\Roaming\HP
[2010.09.13 09:46:02 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Hewlett-Packard
[2010.09.13 09:39:33 | 000,000,000 | ---D | C] -- C:\Programme\HP
[2010.09.13 09:39:33 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010.09.13 09:36:12 | 000,000,000 | ---D | C] -- C:\ProgramData\HP
[2010.09.13 09:36:07 | 000,897,024 | ---- | C] (Hewlett-Packard Co.) -- C:\Windows\System32\hpotiop1.dll
[2010.09.13 09:36:07 | 000,675,840 | ---- | C] (Hewlett-Packard) -- C:\Windows\System32\hpowiav1.dll
[2010.09.13 09:36:07 | 000,303,104 | ---- | C] (Hewlett-Packard Co.) -- C:\Windows\System32\hpovst01.dll
 
========== Files - Modified Within 30 Days ==========
 
[2010.10.13 08:33:16 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010.10.13 08:24:41 | 003,878,092 | R--- | M] () -- C:\Users\Studer\Desktop\ComboFix.exe
[2010.10.13 08:23:27 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.10.13 08:23:27 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.10.13 07:23:29 | 000,162,058 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010.10.13 07:23:27 | 000,162,058 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010.10.13 07:23:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.10.12 22:37:31 | 000,172,032 | ---- | M] () -- C:\Users\Studer\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.10.12 17:25:57 | 000,641,106 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.10.12 17:25:57 | 000,609,944 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.10.12 17:25:57 | 000,116,500 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.10.12 17:25:57 | 000,103,726 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.10.12 17:17:23 | 3488,669,696 | -HS- | M] () -- C:\hiberfil.sys
[2010.10.12 16:55:03 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Studer\Desktop\OTL.exe
[2010.10.12 16:28:31 | 000,248,680 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010.10.12 14:45:49 | 000,731,136 | ---- | M] () -- C:\Users\Studer\Desktop\avenger.exe
[2010.10.12 10:36:40 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.10.12 10:04:09 | 000,001,874 | ---- | M] () -- C:\Users\Studer\Desktop\HijackThis.lnk
[2010.10.11 21:59:36 | 000,004,767 | ---- | M] () -- C:\Windows\Irremote.ini
[2010.10.11 21:44:55 | 000,002,541 | ---- | M] () -- C:\Users\Public\Desktop\Nero StartSmart.lnk
[2010.10.10 22:03:57 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010.09.20 07:10:59 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf
[2010.09.16 18:11:00 | 000,164,291 | ---- | M] () -- C:\Windows\hpoins19.dat
[2010.09.16 18:06:19 | 000,001,204 | ---- | M] () -- C:\Users\Public\Desktop\HP Solution Center.lnk
[2010.09.16 18:05:23 | 000,001,972 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2010.09.16 17:54:22 | 000,030,190 | ---- | M] () -- C:\Users\Studer\Documents\bf.csm_542374600_004.output.reprint.pdf
[2010.09.14 00:31:18 | 000,811,520 | ---- | M] () -- C:\Users\Studer\Documents\Bewerbungsflyer.doc
[2010.09.13 11:05:06 | 002,083,807 | ---- | M] () -- C:\Users\Studer\Documents\Bewerbungsdossier Martin Studer.pdf
[2010.09.13 11:03:22 | 002,029,542 | ---- | M] () -- C:\Users\Studer\Documents\zeugnisse.pdf
[2010.09.13 10:54:35 | 000,062,054 | ---- | M] () -- C:\Users\Studer\Documents\Lebenslauf Martin Studer.pdf
[2010.09.13 10:51:45 | 000,125,440 | ---- | M] () -- C:\Users\Studer\Documents\Lebenslauf Martin Studer.doc
 
========== Files Created - No Company Name ==========
 
[2010.10.13 08:25:17 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010.10.13 08:25:17 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010.10.13 08:25:17 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010.10.13 08:25:17 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010.10.13 08:25:17 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010.10.12 22:17:44 | 003,878,092 | R--- | C] () -- C:\Users\Studer\Desktop\ComboFix.exe
[2010.10.12 14:45:43 | 000,731,136 | ---- | C] () -- C:\Users\Studer\Desktop\avenger.exe
[2010.10.12 10:36:40 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.10.12 10:04:09 | 000,001,874 | ---- | C] () -- C:\Users\Studer\Desktop\HijackThis.lnk
[2010.10.11 21:59:36 | 000,004,767 | ---- | C] () -- C:\Windows\Irremote.ini
[2010.10.11 21:44:55 | 000,002,541 | ---- | C] () -- C:\Users\Public\Desktop\Nero StartSmart.lnk
[2010.10.10 22:03:57 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010.09.16 18:06:19 | 000,001,204 | ---- | C] () -- C:\Users\Public\Desktop\HP Solution Center.lnk
[2010.09.16 18:05:23 | 000,001,972 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2010.09.16 17:58:31 | 000,164,291 | ---- | C] () -- C:\Windows\hpoins19.dat
[2010.09.16 17:58:22 | 000,026,952 | ---- | C] () -- C:\Windows\hpomdl19.dat
[2010.09.16 17:54:22 | 000,030,190 | ---- | C] () -- C:\Users\Studer\Documents\bf.csm_542374600_004.output.reprint.pdf
[2010.09.14 00:31:18 | 000,811,520 | ---- | C] () -- C:\Users\Studer\Documents\Bewerbungsflyer.doc
[2010.09.14 00:18:12 | 000,507,392 | ---- | C] () -- C:\Users\Studer\Desktop\Lebenslauf_KF.doc
[2010.09.13 11:05:00 | 002,083,807 | ---- | C] () -- C:\Users\Studer\Documents\Bewerbungsdossier Martin Studer.pdf
[2010.09.13 11:03:16 | 002,029,542 | ---- | C] () -- C:\Users\Studer\Documents\zeugnisse.pdf
[2010.09.13 10:54:35 | 000,062,054 | ---- | C] () -- C:\Users\Studer\Documents\Lebenslauf Martin Studer.pdf
[2010.09.13 09:56:13 | 000,125,440 | ---- | C] () -- C:\Users\Studer\Documents\Lebenslauf Martin Studer.doc
[2010.09.13 09:37:57 | 000,005,813 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2010.09.08 14:09:51 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI
[2010.09.06 23:02:22 | 000,172,032 | ---- | C] () -- C:\Users\Studer\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.09.06 22:50:20 | 000,162,058 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010.09.06 22:50:20 | 000,162,058 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010.09.06 14:59:53 | 000,026,241 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2010.09.06 14:59:53 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2010.09.06 14:58:47 | 000,015,416 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2010.09.06 14:44:05 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2010.09.06 14:32:16 | 000,000,680 | ---- | C] () -- C:\Users\Studer\AppData\Local\d3d9caps.dat
[2009.08.03 00:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009.08.03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009.08.03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

< End of report >

--- --- ---

Extras:
OTL Logfile:

Code:

ATTFilter

OTL Extras logfile created on: 13.10.2010 08:45:49 - Run 1
OTL by OldTimer - Version 3.2.15.1     Folder = C:\Users\Studer\Desktop
Windows Vista Home Premium Edition  (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16982)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 65.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 154.56 Gb Free Space | 51.85% Space Free | Partition Type: NTFS
Drive D: | 698.63 Gb Total Space | 143.07 Gb Free Space | 20.48% Space Free | Partition Type: NTFS
 
Computer Name: STUDER-PC | User Name: Studer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{330C33DB-8802-4176-96F3-08751A046E45}" = rport=445 | protocol=6 | dir=out | app=system | 
"{37050E59-2988-4545-9280-20E0D45D69AE}" = lport=137 | protocol=17 | dir=in | app=system | 
"{5002BB71-9E6B-42BF-B5F2-CB5872CEFEAF}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{8806553D-D86F-46C5-9006-53A57BC41934}" = lport=139 | protocol=6 | dir=in | app=system | 
"{A7372FFB-0B6F-4CCC-B233-128683DC89E3}" = rport=138 | protocol=17 | dir=out | app=system | 
"{A7B850C1-F6B3-45CF-880F-DF964711CBF3}" = lport=445 | protocol=6 | dir=in | app=system | 
"{BE16CF0E-0AD8-490A-A796-E76D6F55C1D9}" = rport=139 | protocol=6 | dir=out | app=system | 
"{D183C01B-D2C9-4B61-BCED-7C03EEB20777}" = lport=61635 | protocol=6 | dir=in | name=bittorrent | 
"{D6963673-9CE6-4FE5-AD8D-405890157EF3}" = lport=138 | protocol=17 | dir=in | app=system | 
"{D8546371-58EC-45D6-B2CB-14B6625D15BB}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{F9F97E97-5258-48F6-97FE-B7631908BBDE}" = rport=137 | protocol=17 | dir=out | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{07D6FB22-D42E-46A4-94F5-5D015183662F}" = protocol=17 | dir=in | app=c:\program files\logitech touch mouse server\itouch-server-win.exe | 
"{08FD7FF6-C7BB-4FC0-8888-99C129779772}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{50A8E896-93C4-4352-AD98-C113D684D19E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{598D8B3B-64FA-4F62-9A83-3909654842FF}" = dir=in | app=c:\program files\itunes\itunes.exe | 
"{662A3EE2-D8AB-46B2-ACAE-B4561436D182}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{A08B0C87-EAE6-42F9-BC2D-45CC32C3CC69}" = protocol=6 | dir=in | app=c:\program files\logitech touch mouse server\itouch-server-win.exe | 
"{C1D8EA35-BBBD-4D7B-9385-CFD5ABFE99BB}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{C1FE9D1C-636D-4152-B700-F57E7AC90AAA}" = protocol=17 | dir=in | app=c:\program files\videolan\vlc\vlc.exe | 
"{C2F15980-178F-4092-996B-F7B9F1355D4B}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{F597CCD4-FA6F-4B58-8A6D-2D7C6D2F34E7}" = protocol=6 | dir=in | app=c:\program files\videolan\vlc\vlc.exe | 
"{FF012DEC-BEA9-4139-AF2A-BFEE96A0C1B0}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"TCP Query User{7E014734-CF0F-4491-824A-C64DEE5D87CC}C:\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe | 
"TCP Query User{A0137602-8475-4744-AEA2-743F68565E58}C:\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe | 
"UDP Query User{245DAC18-3BE3-49E2-ABF7-9404A75EFBBB}C:\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe | 
"UDP Query User{3FBF24EF-F1FB-4927-9570-022C8AAFDA9F}C:\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0711500B-9912-4D60-9A49-C577B4503D42}" = Nero Recode Help
"{07FF7593-9DEA-40B5-9F87-F557E65BBF60}" = Nero Recode
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{1122AAC4-AAAA-43BF-B2D4-3C8C12378952}" = Nero InfoTool
"{11A84FCA-C3C7-4AFD-A797-111DB8569DBC}" = Nero BurningROM
"{12345674-DE9A-677A-CCEE-666356D89777}" = Nero BurnRights
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{1B040683-C390-4711-ABC7-DA8D85E470E7}" = NeroBurningROM
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{2D3455A8-3B15-41A8-99F8-0D4215746463}" = Nero StartSmart
"{3097B151-1F61-4211-A4CC-D70127B226AE}" = SoundTrax
"{3F30CC51-0788-487B-AA83-7214A239C0C0}" = Nero Disc Copy Gadget Help
"{405ABBEB-8DF1-4174-86C0-DCB5E1C78F14}" = NetDeviceManager
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4D42353B-533F-4306-AD0B-7FEF292ADE04}" = Nero CoverDesigner Help
"{4E8C27C2-D727-4C00-A90E-C3F6376EEE70}" = Nero ControlCenter
"{548F99E0-14CC-4D53-A7D6-4A62A5F2C748}" = Nero PhotoSnap
"{56BE5CC9-95E6-4128-ABEA-968414CA9C80}" = DolbyFiles
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5A62A775-A29A-4CE1-BBC2-4A9CD0B211EF}" = Nero Live Help
"{5AE12194-3EAA-40DF-B2BF-FE1D6B78BBF4}" = Nero Vision
"{5C2E8A0F-80E2-4C68-8CC0-D8D16E7196BF}" = Nero RescueAgent Help
"{5C42EAB8-54F9-423A-948C-1CBEF25F8DB4}" = Nero PhotoSnap Help
"{5C9BB0B3-E830-4814-BBA4-D93535E1C7B9}" = Nero Live
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75321954-2589-11DC-DDCC-E98356D81493}" = Nero DriveSpeed
"{753973C4-B961-43BF-B2D4-3C8C92F7216E}" = Nero DriveSpeed
"{78523651-D8B1-11DC-CCEE-741589645873}" = Nero DiscSpeed
"{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax
"{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1" = PDF24 Creator 2.8.5
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{8C654BD0-1949-43DE-84F2-EC2A1ABB0CB4}" = Nero ShowTime
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{943CC0C0-2253-4FE0-9493-DD386F7857FD}" = Nero Express
"{948FFAAE-C57F-447B-9B07-3721E950BFDC}" = Nero ShowTime
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{961D53EA-40DC-4156-AD74-25684CE05F81}" = Nero Installer
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A875B56-A35C-46BA-A3AA-DF8D03EE9F2F}" = Nero ControlCenter
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{9F3523F8-DAD7-AE52-6DA7-45CDDDF33726}" = Advertising Center
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A3B7C670-4A1E-4EE2-950E-C875BC1965D0}" = Copy
"{A73BEC3C-40A0-480E-87EF-EFCD33629088}" = NeroExpress
"{A8399F58-234A-48C6-BA55-30C15738BF3C}" = Nero CoverDesigner
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AAA12554-2589-11DC-92EF-E98356D81493}" = Nero InfoTool
"{AABBCC54-D8B1-11DC-92EF-E98356D81493}" = Nero DiscSpeed
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.4 - Deutsch
"{B2C12C8D-65DC-40BD-B309-5ADB0C6C8D8F}" = Nero WaveEditor
"{B96C2601-52F5-4D5D-816A-63469EA311EF}" = "Nero SoundTrax Help
"{BCD82AB5-670D-4242-90FA-1F97103C16CD}" = Movie Templates - Starter Kit
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{bf52f089-2eaf-45e7-9cdf-0acc967ab4c9}" = Nero 9
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}" = HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
"{C99C89A3-119A-45E6-B26E-DD5643CAA0C5}" = Menu Templates - Starter Kit
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CD1826A5-CFCC-4C6E-9F9D-E181876162EA}" = Nero Rescue Agent
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7C206B6-1A63-4389-A8B1-8F607D0BFF1F}" = Nero StartSmart Help
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E09575B2-498D-4C8B-A9D2-623F78574F29}" = AIO_CDB_Software
"{E4A8DD87-A746-4443-BF25-CAF99CED6767}" = Nero Disc Copy Gadget
"{E60B8506-DDC7-433d-AF9E-999D0F543C4A}" = 2570_Help
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{E7112940-5F8E-4918-B9FE-251F2F8DC81F}" = AIO_CDB_ProductContext
"{E86156E5-9859-440D-8876-26CED1349802}" = Nero WaveEditor Help
"{EA7FE7AB-34AE-4e14-84C5-187E6EC0AB9B}" = 2570
"{EA9FFE54-D8B1-11DC-92EF-E98356D81493}" = Nero BurnRights
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F53F6769-AC46-49E3-ABE3-2C8AFD39D0DD}" = Nero Vision
"{F66D5732-C2A6-4f88-B8FE-AEDA10355FBD}" = 2570Trb
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BitTorrent" = BitTorrent
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"Logitech Touch Mouse Server" = Logitech Touch Mouse Server 1.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"Mozilla Thunderbird (3.1.2)" = Mozilla Thunderbird (3.1.2)
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"RAR Password Cracker" = RAR Password Cracker 4.12
"Usenet.nl_is1" = Usenet.nl
"VLC media player" = VLC media player 1.0.5
"VLC Setup Helper_is1" = VLC Setup Helper 3.01
"WinRAR archiver" = WinRAR
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 12.10.2010 21:17:16 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 10031
 
Error - 12.10.2010 21:17:17 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 12.10.2010 21:17:17 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 11045
 
Error - 12.10.2010 21:17:17 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 11045
 
Error - 12.10.2010 21:17:18 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 12.10.2010 21:17:18 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 12044
 
Error - 12.10.2010 21:17:18 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 12044
 
Error - 12.10.2010 21:17:19 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 12.10.2010 21:17:19 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 13151
 
Error - 12.10.2010 21:17:19 | Computer Name = Studer-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 13151
 
[ System Events ]
Error - 12.10.2010 11:16:07 | Computer Name = Studer-PC | Source = DCOM | ID = 10010
Description = 
 
Error - 12.10.2010 11:23:47 | Computer Name = Studer-PC | Source = Service Control Manager | ID = 7022
Description = 
 
Error - 13.10.2010 02:26:26 | Computer Name = Studer-PC | Source = Service Control Manager | ID = 7030
Description = 
 
Error - 13.10.2010 02:33:18 | Computer Name = Studer-PC | Source = Service Control Manager | ID = 7030
Description = 
 
 
< End of report >

--- --- ---

Chris4You · 13.10.2010, 09:19

Hi,

das sieht schon viel besser aus!

Fix für OTL:

Doppelklick auf die OTL.exe, um das Programm auszuführen.

Vista/Win7-User bitte per Rechtsklick und "Ausführen als Administrator" starten.

Kopiere den Inhalt der folgenden Codebox komplett in die OTL-Box unter "Custom Scan/Fixes"

Code:

ATTFilter

:OTL
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

:Commands
[emptytemp]
[Reboot]

Den roten Run Fixes! Button anklicken.

Bitte alles aus dem Ergebnisfenster (Results) herauskopieren.

Eine Kopie eines OTL-Fix-Logs wird in einer Textdatei in folgendem Ordner gespeichert:

%systemroot%\_OTL

Poste bitte noch das MAM log vom Fullscan..

chris

CH-Martin · 13.10.2010, 11:25

Anbei noch das MAM log:

Zitat:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4809

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

13.10.2010 12:17:47
mbam-log-2010-10-13 (12-17-47).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 265433
Laufzeit: 38 Minute(n), 8 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 2

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Qoobox\Quarantine\C\Users\Studer\weort.exe.vir (P2P.Worm) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\Studer\zwix.exe.vir (P2P.Worm) -> Quarantined and deleted successfully.

Chris4You · 13.10.2010, 11:30

Hi,

die Funde sind aus der Quarantäne von CF, er hat aber nur 2 gefunden, CF hat mehr "eleminiert"...

Wie verhält sich der Rechner?

Zur Sicherheit noch:
Superantispyware (SASW):
http://www.trojaner-board.de/51871-a...tispyware.html

chris

CH-Martin · 13.10.2010, 11:33

OTL:

Zitat:

All processes killed
========== OTL ==========
Service NwlnkFwd stopped successfully!
Service NwlnkFwd deleted successfully!
File C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found not found.
Service NwlnkFlt stopped successfully!
Service NwlnkFlt deleted successfully!
File C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found not found.
Service IpInIp stopped successfully!
Service IpInIp deleted successfully!
File C:\Windows\System32\DRIVERS\ipinip.sys File not found not found.
Service blbdrive stopped successfully!
Service blbdrive deleted successfully!
File C:\Windows\System32\drivers\blbdrive.sys File not found not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Studer
->Temp folder emptied: 219509 bytes
->Temporary Internet Files folder emptied: 10258353 bytes
->FireFox cache emptied: 101032435 bytes
->Flash cache emptied: 13909 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8136 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 106.00 mb

OTL by OldTimer - Version 3.2.15.1 log created on 10132010_122731

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Das system wurde deutlich schneller, in Facebook kann ich auch wieder Comments posten, eine deutliche Verbesserung.
Führe nun noch SUPERAntiSpyware durch..

CH-Martin · 13.10.2010, 16:01

zu guter Letzt(hoffentlich

)

SuperAntiSpyware:

Zitat:

SUPERAntiSpyware Scann-Protokoll
hxxp://www.superantispyware.com

Generiert 10/13/2010 bei 03:39 PM

Version der Applikation : 4.44.1000

Version der Kern-Datenbank : 5676
Version der Spur-Datenbank : 3488

Scan Art : kompletter Scann
Totale Scann-Zeit : 02:55:56

Gescannte Speicherelemente : 552
Erfasste Speicher-Bedrohungen : 0
Gescannte Register-Elemente : 7232
Erfasste Register-Bedrohungen : 0
Gescannte Datei-Elemente : 316867
Erfasste Datei-Elemente : 0

Also rein Gefühlsmässig tut der Rechner wieder wie er sollte.
Gruss

Chris4You · 13.10.2010, 16:13

Hi,

beobachte den Rechner, falls noch was sein sollte wieder melden...
Dann wäre wir erstmal durch bis auf's aufräumen:

Aufräumen:
Backups von Avenger&Co (falls vorhanden) löschen:
Falls der Rechner einwandfrei läuft, können die Backups der
Bereinigungstools gelöscht werden (soweit vorhanden):

C:\Qoobox - loeschen und Papierkorb leeren (ComboFix Backups)
C:\avenger\backup.zip - loeschen und Papierkorb leeren (Avenger)
C:\VundoFix Backups - loeschen und Papierkorb leeren
C:\RVAXO-results.log -->Papierkorb leeren
Backupfiles von HJ liegen im HJ-Ordner

chris