"wtr loader funktioniert nicht" "TR/Kazy.mekml.1"

chrisirhc · 28.04.2011, 20:43

Hallo Helfer!

Wie mir scheint, muss ich mich in die lange Liste der Leute mit dem gleichen Problem einreihen... Da hier davon abgeraten wird Hilfen einfach "blind nachzuspielen", habe ich ein eigenes Thema eröffnet.

Bisher ist folgendes geschehen:

-Antivir hatte vor 3 Tagen den "TR/Kazy.mekml.1" gefunden, habe ich mit Antivir gelöscht
-Beim nächsten Hochfahren des Computers war der Desktop schwarz und die meisten Symbole/Ordner verschwunden. Dazu kam die Meldung "wtr loader funktioniert nicht", eine weitere Meldung bzgl. des RAM-Speichers und eine Meldung aus der Taskleiste mit unverständlichen Symbolen
-auf gut Glück versucht, Problem durch Wiederherstellung eines früheren Zeitpunktes zu beheben- Wiederherstellung war nicht möglich
-Habe mich im Forum eingelesen, Malewarbytes Antimalware installiert und vollständig gescant, alle Funde in die Quarantäne verschoben, anschließend eine Datei aus der Quarantäne versehentlich wiederhergestellt und daher den Scan nochmal wiederholt (darum die beiden logfiles unten)- Die Meldungen sind seitdem verschwunden, der Desktop ist unverändert.
-Heute Scan mit OTL durchgeführt.

Da ich von Computern leider nicht viel Ahnung habe, wäre ich für Hilfe echt dankbar!

P.S.: Kann ich die Dateien in der Quarantäne von Antimalware egtl endgültig löschen?

anbei die logfiles:

Antimalware 1:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 6459

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18828

27.04.2011 22:05:38
mbam-log-2011-04-27 (22-05-38).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 276680
Laufzeit: 49 Minute(n), 58 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 7
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 1
Infizierte Dateien: 8

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
c:\program files\common files\Spigot\wtxpcom\components\widgitoolbarff.dll (Adware.WidgiToolbar) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055FD26D-3A88-4e15-963D-DC8493744B1D} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055FD26D-3A88-4e15-963D-DC8493744B1D} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{77D6DDFA-7834-4541-B2B3-A8B0FB0E3924} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ToolBand.XTTBPos00.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ToolBand.XTTBPos00 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{055FD26D-3A88-4E15-963D-DC8493744B1D} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{055FD26D-3A88-4E15-963D-DC8493744B1D} (Trojan.BHO) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\COMMON FILES\SPIGOT\WTXPCOM\COMPONENTS\WIDGITOOLBARFF.DLL (Adware.WidgiToolbar) -> Value: WIDGITOOLBARFF.DLL -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vKECjCxHfiQS (Trojan.FakeAlert) -> Value: vKECjCxHfiQS -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSxWcWRakP (Trojan.FakeAlert) -> Value: RSxWcWRakP -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
c:\Recycle.Bin (Trojan.Spyeyes) -> Quarantined and deleted successfully.

Infizierte Dateien:
c:\program files\common files\Spigot\wtxpcom\components\widgitoolbarff.dll (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
c:\programdata\vkecjcxhfiqs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\rsxwcwrakp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\user\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\7O2J20N5\calc[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\user\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\7O2J20N5\calc[2].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
d:\programme\winrar\winrar.3.x.universal.patch.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Recycle.Bin\config.bin (Trojan.Spyeyes) -> Quarantined and deleted successfully.
c:\programme\icqtoolbar\toolbaru.dll (Trojan.BHO) -> Quarantined and deleted successfully.

Antimalware 2:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 6459

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18828

28.04.2011 06:16:13
mbam-log-2011-04-28 (06-16-13).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 275070
Laufzeit: 57 Minute(n), 28 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
d:\programme\winrar\winrar.3.x.universal.patch.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

OTL:

OTL logfile created on: 28.04.2011 19:52:33 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\user\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 64,00% Memory free
6,00 Gb Paging File | 4,00 Gb Available in Paging File | 76,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 144,29 Gb Total Space | 98,50 Gb Free Space | 68,26% Space Free | Partition Type: NTFS
Drive D: | 144,04 Gb Total Space | 92,89 Gb Free Space | 64,49% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\user\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Windows\System32\drivers\CDAC11BA.EXE (Macrovision)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
PRC - C:\Program Files\Application Updater\ApplicationUpdater.exe (Spigot, Inc.)
PRC - C:\Program Files\ICQ7.2\ICQ.exe (ICQ, LLC.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\ICQ6Toolbar\ICQ Service.exe ()
PRC - C:\Program Files\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Windows\System32\ieconfig_1und1_svc.exe (mquadr.at softwareengineering und consulting gmbh)
PRC - C:\Program Files\GMX\LiveUpdate\m2LUTray.exe ()
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Users\user\AppData\Local\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.)
PRC - C:\Acer\Empowering Technology\eNet\eNMTray.exe (Acer Inc.)
PRC - C:\Acer\Empowering Technology\eNet\eNet Service.exe (Acer Inc.)
PRC - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
PRC - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
PRC - C:\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
PRC - C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe (CyberLink Corp.)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe (Acer Inc.)
PRC - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Acer\Mobility Center\MobilityService.exe ()
PRC - C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
PRC - C:\Acer\Empowering Technology\eAudio\eAudio.exe (CyberLink)
PRC - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe (Acer Inc.)
PRC - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (acer)
PRC - C:\Acer\ALaunch\ALaunchSvc.exe ()
PRC - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
PRC - C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
PRC - C:\Windows\System32\slserv.exe ( )

========== Modules (SafeList) ==========

MOD - C:\Users\user\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (C-DillaCdaC11BA) -- C:\Windows\System32\drivers\CDAC11BA.EXE (Macrovision)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (Application Updater) -- C:\Program Files\Application Updater\ApplicationUpdater.exe (Spigot, Inc.)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (ICQ Service) -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe ()
SRV - (serviceIEConfig) -- C:\Windows\System32\ieconfig_1und1_svc.exe (mquadr.at softwareengineering und consulting gmbh)
SRV - (WinHttpAutoProxySvc) -- winhttp.dll (Microsoft Corporation)
SRV - (eNet Service) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe (Acer Inc.)
SRV - (eDataSecurity Service) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (eSettingsService) -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
SRV - (MobilityService) -- C:\Acer\Mobility Center\MobilityService.exe ()
SRV - (eLockService) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe (Acer Inc.)
SRV - (WMIService) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (acer)
SRV - (ALaunchService) -- C:\Acer\ALaunch\ALaunchSvc.exe ()
SRV - (eRecoveryService) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
SRV - (SLService) -- slserv.exe ( )

========== Driver Services (SafeList) ==========

DRV - (CdaC15BA) -- C:\Windows\System32\drivers\CDAC15BA.SYS (Macrovision Europe Ltd)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (USBCCID) -- C:\Windows\System32\drivers\usbccid.sys (Microsoft Corporation)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796}) -- C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl (Cyberlink Corp.)
DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (int15) -- C:\Acer\Empowering Technology\eRecovery\int15.sys (Acer, Inc.)
DRV - (enecir) -- C:\Windows\System32\drivers\enecir.sys (ENE TECHNOLOGY INC.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (DritekPortIO) -- C:\Program Files\Launch Manager\DPortIO.sys (Dritek System Inc.)
DRV - (WSVD) -- C:\Windows\System32\drivers\WSVD.sys (Wasay)
DRV - (Mtlstrm) -- C:\Windows\System32\drivers\mtlstrm.sys ( )
DRV - (Mtlmnt5) -- C:\Windows\System32\drivers\mtlmnt5.sys ( )
DRV - (Slnt7554) -- C:\Windows\System32\drivers\slnt7554.sys ( )
DRV - (SlNtHal) -- C:\Windows\System32\drivers\slnthal.sys ( )
DRV - (RecAgent) -- C:\Windows\system32\DRIVERS\RecAgent.sys ( )
DRV - (SlWdmSup) -- C:\Windows\System32\drivers\slwdmsup.sys ( )

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://de.intl.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.intl.acer.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.gmx.net/home
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://go.gmx.net/tab2 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://google.icq.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://google.de/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.1und1.de/links/home
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKCU\..\URLSearchHook: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\4.3\pdfforgeToolbarIE.dll (Spigot, Inc.)
IE - HKCU\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: pdfforge@mybrowserbar.com:4.3
FF - prefs.js..extensions.enabledItems: wtxpcom@mybrowserbar.com:4.3

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.04.01 18:23:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.04.01 18:23:44 | 000,000,000 | ---D | M]

[2011.02.14 20:15:59 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\user\AppData\Roaming\mozilla\Extensions
[2011.02.14 20:15:59 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\t056xyhy.default\extensions
[2011.02.17 22:30:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011.02.17 22:30:02 | 000,000,000 | ---D | M] (Widgi Toolbar Platform) -- C:\PROGRAM FILES\COMMON FILES\SPIGOT\WTXPCOM
[2011.02.17 22:30:02 | 000,000,000 | ---D | M] (pdfforge Toolbar) -- C:\PROGRAM FILES\PDFFORGE TOOLBAR\FF
[2011.03.30 20:05:50 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2011.03.30 20:05:50 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml
[2011.03.30 20:05:50 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2011.03.30 20:05:50 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2011.03.30 20:05:50 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\4.3\pdfforgeToolbarIE.dll (Spigot, Inc.)
O2 - BHO: (GMX Browser Configuration by mquadr.at) - {D48FF4B4-E68F-47D1-8E25-81A0F0EEB341} - C:\Windows\System32\ieconfig_1und1.dll (mquadr.at softwareengineering und consulting gmbh)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKLM\..\Toolbar: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\4.3\pdfforgeToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKCU\..\Toolbar\WebBrowser: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKCU\..\Toolbar\WebBrowser: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acer Tour Reminder] File not found
O4 - HKLM..\Run: [ALaunch] File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [eAudio] C:\Acer\Empowering Technology\eAudio\eAudio.exe (CyberLink)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [GMX Update] C:\Program Files\GMX\LiveUpdate\m2LUTray.exe ()
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] D:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PlayMovie] C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
O4 - HKLM..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe (Acer Incorporated)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ICQ] C:\Program Files\ICQ7.2\ICQ.exe (ICQ, LLC.)
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - D:\Programme\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programme\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - File not found
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - File not found
O13 - gopher Prefix: missing
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.186.33 83.169.186.97
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O29 - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.04.27 21:12:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\Malwarebytes
[2011.04.27 21:11:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011.04.27 21:11:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.04.27 21:11:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011.04.27 21:11:52 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011.04.26 07:18:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2011.04.26 07:18:28 | 000,012,464 | ---- | C] (Macrovision Europe Ltd) -- C:\Windows\System32\drivers\CDAC15BA.SYS
[2011.04.26 07:18:27 | 000,054,784 | ---- | C] (Macrovision) -- C:\Windows\System32\drivers\CDAC11BA.EXE
[2011.04.26 07:17:20 | 000,000,000 | ---D | C] -- C:\Program Files\AnswerWorks 4.0
[2011.04.26 07:17:19 | 000,000,000 | ---D | C] -- C:\Windows\System32\Common Files
[2011.04.26 07:17:19 | 000,000,000 | ---D | C] -- C:\Windows\System32\1031
[2011.04.26 07:16:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Autodesk Shared
[2011.04.25 15:56:20 | 000,000,000 | -H-D | C] -- C:\ProgramData\WindowsSearch
[2011.04.24 18:42:40 | 000,000,000 | -H-D | C] -- C:\Users\user\AppData\Roaming\HpUpdate
[2011.04.24 18:42:37 | 000,000,000 | ---D | C] -- C:\Windows\Hewlett-Packard
[2011.04.14 21:45:24 | 000,000,000 | -H-D | C] -- C:\Users\user\Desktop\stick
[2009.09.13 18:27:33 | 000,712,704 | ---- | C] ( ) -- C:\Program Files\dtdr3260.dll
[2009.09.13 18:27:33 | 000,014,336 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\wmdmhelper.dll
[2009.09.13 18:27:32 | 000,651,264 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rjbres.dll
[2009.09.13 18:27:32 | 000,352,256 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rjdlg.dll
[2009.09.13 18:27:32 | 000,139,264 | ---- | C] (Inner Media, Inc.) -- C:\Program Files\DUNZIP32.dll
[2009.09.13 18:27:32 | 000,036,352 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\ierjplug.dll
[2009.09.13 18:27:32 | 000,019,456 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\tnetdtct.dll
[2009.09.13 18:27:32 | 000,019,456 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rjprog.dll
[2009.09.13 18:27:32 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\fixrjb.exe
[2009.09.13 18:27:31 | 000,081,920 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\tsasdk.dll
[2009.09.13 18:27:31 | 000,057,344 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\tpasdk.dll
[2009.09.13 18:27:31 | 000,041,472 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\mmcdda32.dll
[2009.09.13 18:27:30 | 000,719,360 | ---- | C] (Microsoft Corporation) -- C:\Program Files\dbghelp.dll
[2009.09.13 18:27:30 | 000,329,312 | ---- | C] (RealPlayer) -- C:\Program Files\rpbrowserrecordplugin.dll
[2009.09.13 18:27:30 | 000,198,208 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RecordingManager.exe
[2009.09.13 18:27:30 | 000,043,056 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rpshellsearch.dll
[2009.09.13 18:27:30 | 000,032,768 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rpwa3260.dll
[2009.09.13 18:27:29 | 000,065,536 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rjwmapln.dll
[2009.09.13 18:27:28 | 000,053,248 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rpau3260.dll
[2009.09.13 18:27:24 | 000,112,168 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rdsf3260.dll
[2009.09.13 18:27:24 | 000,086,016 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rpplugprot.dll
[2009.09.13 18:27:24 | 000,063,016 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rpshell.dll
[2009.09.13 18:27:23 | 000,009,216 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\rphelperapp.exe
[2009.09.13 18:27:23 | 000,007,168 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\realjbox.exe
[2009.09.13 18:27:10 | 000,222,728 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\realplay.exe
[2008.08.18 16:11:34 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe
[2004.11.29 18:16:18 | 001,396,048 | ---- | C] ( ) -- C:\Windows\System32\drivers\mtlstrm.sys
[2004.11.29 18:16:18 | 000,229,720 | ---- | C] ( ) -- C:\Windows\System32\drivers\mtlmnt5.sys
[2004.11.29 18:16:18 | 000,224,888 | ---- | C] ( ) -- C:\Windows\System32\drivers\slnt7554.sys
[2004.11.29 18:16:18 | 000,100,176 | ---- | C] ( ) -- C:\Windows\System32\drivers\slnthal.sys
[2004.11.29 18:16:18 | 000,057,344 | ---- | C] ( ) -- C:\Windows\System32\slserv.exe
[2004.11.29 18:16:18 | 000,014,520 | ---- | C] ( ) -- C:\Windows\System32\drivers\RecAgent.sys
[2004.11.29 18:16:18 | 000,013,216 | ---- | C] ( ) -- C:\Windows\System32\drivers\slwdmsup.sys
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\user\AppData\Local\*.tmp files -> C:\Users\user\AppData\Local\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.04.28 19:40:45 | 000,618,442 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.04.28 19:40:45 | 000,587,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.04.28 19:40:45 | 000,122,842 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.04.28 19:40:45 | 000,101,250 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.04.28 19:34:43 | 000,001,090 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011.04.28 19:34:40 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.04.28 19:34:40 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.04.28 19:34:29 | 000,067,584 | ---- | M] () -- C:\Windows\bootstat.dat
[2011.04.28 11:05:10 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011.04.27 21:11:57 | 000,000,688 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.04.26 20:46:34 | 000,378,312 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011.04.26 07:18:28 | 000,012,464 | ---- | M] (Macrovision Europe Ltd) -- C:\Windows\System32\drivers\CDAC15BA.SYS
[2011.04.26 07:18:27 | 000,054,784 | ---- | M] (Macrovision) -- C:\Windows\System32\drivers\CDAC11BA.EXE
[2011.04.25 14:45:29 | 000,054,932 | -H-- | M] () -- C:\Users\user\AppData\Roaming\nvModes.001
[2011.04.25 08:26:15 | 000,054,932 | -H-- | M] () -- C:\Users\user\AppData\Roaming\nvModes.dat
[2011.04.19 22:17:59 | 000,148,432 | -H-- | M] () -- C:\Users\user\Desktop\Unbenannt.jpg
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\user\AppData\Local\*.tmp files -> C:\Users\user\AppData\Local\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.04.27 21:11:57 | 000,000,688 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.04.19 22:17:59 | 000,148,432 | -H-- | C] () -- C:\Users\user\Desktop\Unbenannt.jpg
[2010.10.17 17:13:10 | 000,164,247 | ---- | C] () -- C:\Windows\hpoins19.dat
[2010.10.17 17:12:56 | 000,026,952 | ---- | C] () -- C:\Windows\hpomdl19.dat
[2010.08.29 14:35:46 | 000,210,944 | ---- | C] () -- C:\Windows\System32\MSVCRT10.DLL
[2010.08.29 14:35:46 | 000,000,036 | ---- | C] () -- C:\Windows\kpcms.ini
[2010.07.30 21:59:31 | 000,000,321 | ---- | C] () -- C:\Windows\ulead32.ini
[2010.07.01 10:09:17 | 000,004,096 | -H-- | C] () -- C:\Users\user\AppData\Local\keyfile3.drm
[2010.05.22 12:26:44 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2009.09.13 18:27:32 | 000,002,851 | ---- | C] () -- C:\Program Files\cdroms.cfg
[2009.09.13 18:27:30 | 000,119,808 | ---- | C] () -- C:\Program Files\waiting.avi
[2009.09.13 18:27:30 | 000,067,473 | ---- | C] () -- C:\Program Files\realplay.chm
[2009.09.13 18:27:30 | 000,057,762 | ---- | C] () -- C:\Program Files\howto.chm
[2009.09.13 18:27:30 | 000,027,278 | ---- | C] () -- C:\Program Files\frw.bmp
[2009.09.13 18:27:30 | 000,016,296 | ---- | C] () -- C:\Program Files\realtfon.fon
[2009.09.13 18:27:30 | 000,001,209 | ---- | C] () -- C:\Program Files\flvplay.swf
[2009.09.13 18:27:28 | 000,053,098 | ---- | C] () -- C:\Program Files\presets.rnx
[2009.09.13 18:27:28 | 000,052,829 | ---- | C] () -- C:\Program Files\RealNetworks License.html
[2009.09.13 18:27:28 | 000,052,829 | ---- | C] () -- C:\Program Files\playrlic.html
[2009.09.13 18:27:28 | 000,000,480 | ---- | C] () -- C:\Program Files\keys.dat
[2009.09.13 18:27:27 | 000,849,634 | ---- | C] () -- C:\Program Files\normal.vs
[2009.09.13 18:27:27 | 000,061,495 | ---- | C] () -- C:\Program Files\ssimages.vs
[2009.09.13 18:27:24 | 000,102,400 | ---- | C] () -- C:\Program Files\HXAudioDeviceHook.dll
[2009.09.13 18:27:23 | 000,001,161 | ---- | C] () -- C:\Program Files\autoplaylist.dat
[2009.09.13 18:27:23 | 000,000,043 | ---- | C] () -- C:\Program Files\strs23.dat
[2009.09.13 18:27:23 | 000,000,013 | ---- | C] () -- C:\Program Files\strs26.dat
[2009.09.13 18:27:10 | 000,017,846 | ---- | C] () -- C:\Program Files\videotest.rm
[2009.09.13 18:27:10 | 000,000,221 | ---- | C] () -- C:\Program Files\subscription.rnx
[2009.09.13 18:27:10 | 000,000,177 | ---- | C] () -- C:\Program Files\freeoffers.rnx
[2009.07.01 20:06:09 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.07.01 20:05:40 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009.07.01 20:05:40 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009.04.16 21:56:30 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI
[2009.02.06 20:35:17 | 000,000,532 | ---- | C] () -- C:\Windows\eReg.dat
[2009.01.13 05:41:35 | 000,684,916 | ---- | C] () -- C:\Windows\unins000.exe
[2009.01.13 05:41:35 | 000,012,451 | ---- | C] () -- C:\Windows\unins000.dat
[2008.12.18 19:29:58 | 000,000,000 | -H-- | C] () -- C:\Users\user\AppData\Roaming\wklnhst.dat
[2008.12.06 16:05:13 | 000,054,932 | -H-- | C] () -- C:\Users\user\AppData\Roaming\nvModes.001
[2008.12.05 19:12:07 | 000,054,932 | -H-- | C] () -- C:\Users\user\AppData\Roaming\nvModes.dat
[2008.11.27 02:26:34 | 000,083,456 | -H-- | C] () -- C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.08.19 01:48:32 | 000,000,030 | ---- | C] () -- C:\Windows\SETPANEL.INI
[2008.08.19 01:48:31 | 000,000,092 | ---- | C] () -- C:\Windows\CLEANUP.INI
[2008.08.18 16:11:34 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
[2008.04.04 04:59:21 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2008.04.03 18:31:05 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2008.04.03 18:30:15 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2008.04.03 18:04:40 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008.04.03 17:52:51 | 000,003,636 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2008.01.21 09:15:58 | 000,618,442 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2008.01.21 09:15:58 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2008.01.21 09:15:58 | 000,122,842 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2008.01.21 09:15:58 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2006.11.02 14:57:28 | 000,067,584 | ---- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 14:47:37 | 000,378,312 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 12:33:01 | 000,587,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 12:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 12:33:01 | 000,101,250 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 12:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 12:25:26 | 000,557,568 | ---- | C] () -- C:\Windows\System32\hpotscl1.dll
[2006.11.02 12:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 10:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 10:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 09:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2004.11.29 18:16:18 | 000,212,992 | ---- | C] () -- C:\Windows\System32\slextspk.dll
[2004.11.29 18:16:18 | 000,180,224 | ---- | C] () -- C:\Windows\System32\slgen.dll
[2004.11.29 18:16:18 | 000,061,440 | ---- | C] () -- C:\Windows\System32\coinst.dll
[2004.11.29 18:16:18 | 000,036,864 | ---- | C] () -- C:\Windows\slrundll.exe
[2001.12.26 15:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001.09.03 22:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001.07.30 15:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001.07.23 21:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll
[1997.06.14 13:56:08 | 000,056,832 | ---- | C] () -- C:\Windows\System32\iyvu9_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:FEBEC560
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:F2721624
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:8AB6C1D7

< End of report >

OTL Extra:

OTL Extras logfile created on: 28.04.2011 19:52:33 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\user\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 64,00% Memory free
6,00 Gb Paging File | 4,00 Gb Available in Paging File | 76,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 144,29 Gb Total Space | 98,50 Gb Free Space | 68,26% Space Free | Partition Type: NTFS
Drive D: | 144,04 Gb Total Space | 92,89 Gb Free Space | 64,49% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "D:\Programme\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "D:\Programme\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\Programme\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Programme\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{25B5B32F-9B1C-45BC-AE58-A1F8FD0FA45B}" = protocol=6 | dir=in | app=d:\spiele\battlefield2\bf2.exe |
"{38CE6FD4-5CF6-484C-9A49-56086941AA15}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{40BB15F3-06BA-43C6-87F7-65D70CD2BF8E}" = dir=in | app=c:\program files\acer arcade deluxe\play movie\playmovie.exe |
"{489AF5F2-2E34-49CD-BF7D-0766DBA4E20B}" = protocol=17 | dir=in | app=d:\spiele\battlefield2\bf2.exe |
"{521D98A0-56ED-4747-8FF8-93BFCA7BE2E8}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{599BE3EF-7BB7-4E58-B7C1-0E94BF4F693B}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{5A2F9BB5-B60A-493A-A47E-F31CE977710D}" = dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\acer arcade deluxe.exe |
"{5A9D50B0-D8A1-4315-B89F-4139867EA5D7}" = protocol=17 | dir=in | app=d:\spiele\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"{63F7C045-97BE-4405-BEC9-9EA36C745476}" = dir=in | app=c:\program files\acer arcade deluxe\play movie\pmvservice.exe |
"{6DE1E2F9-8933-4741-83FB-EA84D5544C5E}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{9D80ED3E-2C05-4307-B928-9F004D32EBE7}" = protocol=6 | dir=in | app=d:\spiele\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
"{A1C952DB-615F-4BB1-A6A4-0D594EEB10C4}" = dir=in | app=c:\program files\acer arcade deluxe\videomagician\videomagician.exe |
"{B501C151-4ACE-4EB1-95A9-323A87664AD3}" = dir=in | app=c:\program files\acer arcade deluxe\homemedia\homemedia.exe |
"{B51A604F-3A49-458A-8C2D-91002083FB66}" = dir=in | app=c:\program files\acer arcade deluxe\dvdivine\dvdivine.exe |
"{B92D811F-E7AA-4E57-A2EB-76918E343BEE}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{BC978694-226A-490F-A1C2-1CEEF30B6B22}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{C14789FA-25D9-4126-B77E-DFAC759C1D5E}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{C2344DD1-818C-4849-9525-46EE0291070E}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{CDA041B1-F8CE-4F23-9CF7-0B4C47F39413}" = dir=in | app=c:\program files\acer arcade deluxe\dv wizard\dv wizard.exe |
"{DB5BE753-A4AF-445E-9B9A-BA18234A28F6}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{DEA819A4-F4A6-46A2-8D26-57169E460362}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{E1673E5F-5D7D-42D3-823A-9D5E952F7E76}" = protocol=17 | dir=in | app=d:\spiele\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
"{EB8CCFDB-5123-4F05-960C-7896687D7909}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{F23C3ED3-A725-4626-94C7-6F8B06763A45}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{F5C58B07-BF86-4FE9-AC43-025826832286}" = protocol=6 | dir=in | app=d:\spiele\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"TCP Query User{02E862B4-7EAA-4122-B4D3-CAFBB6A11171}D:\spiele\elite force\stvoyhm.exe" = protocol=6 | dir=in | app=d:\spiele\elite force\stvoyhm.exe |
"TCP Query User{25D33D0E-5DE0-41CA-B51C-9E4D61DFB9F4}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{2DFD64A1-6D68-412B-8086-C2970B23A48C}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{2E8903FD-9BBF-4F10-A44B-00C25E379BBE}C:\program files\icq6\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6\icq.exe |
"TCP Query User{33C6EB43-75AA-428A-8463-516666192A64}D:\spiele\battlefield\bf1942.exe" = protocol=6 | dir=in | app=d:\spiele\battlefield\bf1942.exe |
"TCP Query User{47A956D0-E4B1-47A7-A30D-741737B21764}C:\program files\miranda im\miranda32.exe" = protocol=6 | dir=in | app=c:\program files\miranda im\miranda32.exe |
"TCP Query User{504C96E2-AD18-4FE2-886F-6E127BD723A5}D:\spiele\age2_x1\age2_x1.exe" = protocol=6 | dir=in | app=d:\spiele\age2_x1\age2_x1.exe |
"TCP Query User{6865711C-457F-45F1-A06C-035AC65D3DB6}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe |
"TCP Query User{79154C3B-D2C7-469C-A6E8-660F5C8A3ABD}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe |
"TCP Query User{8D54CE4D-6CB3-4893-BA8D-66BE80D3771C}D:\programme\tb\easybrowse2k2.exe" = protocol=6 | dir=in | app=d:\programme\tb\easybrowse2k2.exe |
"TCP Query User{9086F035-A0F0-45BD-86DB-0D4D043609FE}D:\programme\tb\easybrowse2k2.exe" = protocol=6 | dir=in | app=d:\programme\tb\easybrowse2k2.exe |
"TCP Query User{960E1839-E735-4764-A21E-52298FBDCB72}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{9A0AA53D-4EF6-467E-86C5-42308111C49B}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{B030FAE5-E32D-4B39-9EA7-6D96D5D42F10}D:\spiele\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe" = protocol=6 | dir=in | app=d:\spiele\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"TCP Query User{B4F69CCF-D774-4C2E-83A8-70D91D5098A7}D:\spiele\battlefield2\bf2.exe" = protocol=6 | dir=in | app=d:\spiele\battlefield2\bf2.exe |
"TCP Query User{D0DAE0E6-37CC-4E5F-9532-970F6EE84FAD}D:\spiele\battlefield\bf1942_w32ded.exe" = protocol=6 | dir=in | app=d:\spiele\battlefield\bf1942_w32ded.exe |
"TCP Query User{F87C1891-9C59-44B2-8719-12A4790D5F91}C:\program files\ea games\battlefield 1942\bf1942.exe" = protocol=6 | dir=in | app=c:\program files\ea games\battlefield 1942\bf1942.exe |
"UDP Query User{2A52F39A-3C76-40FD-BB4E-DA34974BD00D}D:\programme\tb\easybrowse2k2.exe" = protocol=17 | dir=in | app=d:\programme\tb\easybrowse2k2.exe |
"UDP Query User{3E9FF769-8F67-4CF2-B48D-78C384C79A2A}C:\program files\miranda im\miranda32.exe" = protocol=17 | dir=in | app=c:\program files\miranda im\miranda32.exe |
"UDP Query User{4AC6E8D1-7C91-400B-83F9-12D2B4D95A7F}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe |
"UDP Query User{578A5B09-6154-411E-8A12-03287D56BFBC}C:\program files\icq6\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6\icq.exe |
"UDP Query User{5B9E7D20-A79C-4ECC-8AE8-78B693AEF468}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{7163DB94-0FB4-4F10-B9E3-548F2D735761}C:\program files\ea games\battlefield 1942\bf1942.exe" = protocol=17 | dir=in | app=c:\program files\ea games\battlefield 1942\bf1942.exe |
"UDP Query User{9CCF0B5D-66A5-4553-BDD3-404895BD0233}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{B7E5267D-4812-4264-A13A-7020FC555E6B}D:\spiele\age2_x1\age2_x1.exe" = protocol=17 | dir=in | app=d:\spiele\age2_x1\age2_x1.exe |
"UDP Query User{BA145A68-E512-47A9-B87B-1835810ABA07}D:\programme\tb\easybrowse2k2.exe" = protocol=17 | dir=in | app=d:\programme\tb\easybrowse2k2.exe |
"UDP Query User{BB0B7C50-BFB4-4C2C-924E-F339CDBCB305}D:\spiele\battlefield2\bf2.exe" = protocol=17 | dir=in | app=d:\spiele\battlefield2\bf2.exe |
"UDP Query User{C88239AC-452F-4373-86CE-4C73D1332973}D:\spiele\elite force\stvoyhm.exe" = protocol=17 | dir=in | app=d:\spiele\elite force\stvoyhm.exe |
"UDP Query User{C95C1785-3826-42BE-9671-D42D9D397D60}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe |
"UDP Query User{E61FA357-3C7A-4F13-A337-65902B49A9CA}D:\spiele\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe" = protocol=17 | dir=in | app=d:\spiele\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"UDP Query User{E7C7CD0D-62A7-4B13-B7CD-67B08D98FFC8}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{E9912C31-05B1-43C1-9DC0-2DD7C2D49315}D:\spiele\battlefield\bf1942_w32ded.exe" = protocol=17 | dir=in | app=d:\spiele\battlefield\bf1942_w32ded.exe |
"UDP Query User{F12CF610-E05D-4550-A485-3A001D6B98E2}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{FB407440-4D24-4691-A21A-080AB6DFA75B}D:\spiele\battlefield\bf1942.exe" = protocol=17 | dir=in | app=d:\spiele\battlefield\bf1942.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2(TM)
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{0F5C38CB-DCA7-44E0-A654-26121331557A}" = GMX Update
"{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = LizardTech DjVu Control
"{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In
"{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}" = Acer eLock Management
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{22DD005D-0EF1-4E3E-92F8-49D89E31479A}" = 1400
"{2D7C3E18-E696-4B67-8B5D-45CD3BE6B27E}" = SweetIM for Messenger 3.0
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4EA2F95F-A537-4d17-9E7F-6B3FF8D9BBE3}" = Microsoft Works
"{50D4CB89-AF34-4978-96DC-C3034062E901}" = Battlefield 2: Special Forces
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57265292-228A-41FA-9AEC-4620CBCC2739}" = Acer eAudio Management
"{5783F2D7-0201-0407-0002-0060B0CE6BBA}" = AutoCAD 2004
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{6A3C2391-BCE2-4D28-A336-73B953B4502F}" = 1400Trb
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{6FBE200D-1F00-40B7-BF48-FEB265AADE94}" = 1400_Help
"{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{7A27764B-5434-4DAA-BD43-3ACF4FFCD7FE}" = SweetIM Toolbar for Internet Explorer 3.8
"{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110111700}" = Zuma Deluxe
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11029123}" = Bricks of Egypt
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110322783}" = Big Kahuna Reef
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110411970}" = Chuzzle
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111118433}" = Mystery Case Files - Huntsville
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111199750}" = Cake Mania
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111252743}" = Mahjong Escape Ancient China
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111324990}" = Kick N Rush
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111543617}" = Backspin Billiards
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111692950}" = Mahjongg Artifacts
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111771833}" = Jewel Quest Solitaire
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111796363}" = Mystery Solitaire - Secret Island
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111872660}" = Diner Dash Flo on the Go
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112531267}" = Chicken Invaders 3
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112615863}" = Agatha Christie Death on the Nile
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767}" = Alice Greenfingers
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113009953}" = Turbo Pizza
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113080210}" = Azada
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{876682c8-dc3b-4751-9b80-6fafecfbbacb}" = Nero 9 Lite
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A0B139A7-E8D5-49E8-A7BF-12421E652208}" = pdfforge Toolbar v4.3
"{A30EE8A6-6B9F-4973-B5ED-2A60B40576E4}_is1" = StudNET Login Client
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A3B7C670-4A1E-4EE2-950E-C875BC1965D0}" = Copy
"{A5633652-3795-4829-BB0B-644F0279E279}" = Acer eDataSecurity Management
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC1ACE88-C471-494E-B5FA-0B7C21F22E4F}" = Orion
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{BF839132-BD43-4056-ACBF-4377F4A88E2A}" = Acer ePresentation Management
"{C06554A1-2C1E-4D20-B613-EE62C79927CC}" = Acer eNet Management
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C81A2FE0-3574-00A9-CED4-BDAA334CBE8E}" = Nero Online Upgrade
"{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}" = HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{CE65A9A0-9686-45C6-9098-3C9543A412F0}" = Acer eSettings Management
"{D271DAE0-8D68-4C97-8356-A126D48A1D8C}" = Ulead Photo Explorer 8.0 SE Basic
"{DDD5104F-1C44-49EB-9E6B-29EC5D27658B}" = HP Update
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E09575B2-498D-4C8B-A9D2-623F78574F29}" = AIO_CDB_Software
"{E7112940-5F8E-4918-B9FE-251F2F8DC81F}" = AIO_CDB_ProductContext
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}" = Acer Arcade Deluxe
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"7-Zip" = 7-Zip 4.64
"Acer GameZone Console_is1" = Acer GameZone Console 2.0.1.1
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"Autodesk Express Viewer" = Autodesk Express Viewer
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BF2SP64" = BF2SP64
"CdaC13Ba" = SafeCast Shared Components
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.4
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.9
"GMX Update" = GMX Update
"GridVista" = Acer GridVista
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"ICQToolbar" = ICQ Toolbar
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"NVIDIA Drivers" = NVIDIA Drivers
"RealPlayer 12.0" = RealPlayer
"S.T.A.L.K.E.R. - Shadow of Chernobyl_is1" = S.T.A.L.K.E.R. - Shadow of Chernobyl
"Stab2D" = Stab2D
"Technische Baubestimmungen_is1" = Technische Baubestimmungen 05-2010
"Uninstall_is1" = Uninstall 1.0.0.1
"VLC media player" = VLC media player 0.9.9
"WinRAR archiver" = WinRAR Archivierer

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 28.04.2011 00:18:51 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 28.04.2011 00:18:51 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 28.04.2011 02:57:21 | Computer Name = user-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung CompileMOF.exe, Version 3.0.2000.0, Zeitstempel
0x474a325e, fehlerhaftes Modul CompileMOF.exe, Version 3.0.2000.0, Zeitstempel
0x474a325e, Ausnahmecode 0xc000000d, Fehleroffset 0x00002a7f, Prozess-ID 0x850, Anwendungsstartzeit
01cc0571852cb167.

Error - 28.04.2011 02:57:32 | Computer Name = user-PC | Source = WinMgmt | ID = 10
Description =

Error - 28.04.2011 02:57:51 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 28.04.2011 02:57:51 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 28.04.2011 13:34:50 | Computer Name = user-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung CompileMOF.exe, Version 3.0.2000.0, Zeitstempel
0x474a325e, fehlerhaftes Modul CompileMOF.exe, Version 3.0.2000.0, Zeitstempel
0x474a325e, Ausnahmecode 0xc000000d, Fehleroffset 0x00002a7f, Prozess-ID 0x990, Anwendungsstartzeit
01cc05ca9336d0f4.

Error - 28.04.2011 13:34:54 | Computer Name = user-PC | Source = WinMgmt | ID = 10
Description =

Error - 28.04.2011 13:35:07 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 28.04.2011 13:35:07 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ System Events ]
Error - 26.04.2011 16:15:48 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 26.04.2011 16:19:36 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 27.04.2011 13:54:32 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 27.04.2011 14:32:57 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 27.04.2011 14:47:33 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 27.04.2011 16:11:02 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 27.04.2011 16:44:24 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 28.04.2011 00:18:45 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 28.04.2011 02:57:32 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 28.04.2011 13:34:55 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description =

< End of report >

mit besten Grüßen

chrisirhc

markusg · 29.04.2011, 09:30

machst du onlinebanking einkäufe oder sonst was wichtiges mit dem gerät?
bitte erstelle und poste ein combofix log.
Ein Leitfaden und Tutorium zur Nutzung von ComboFix

chrisirhc · 29.04.2011, 19:00

Hallo und erstmal danke, dass du dich meines Problemes annimmst!

Ja, normalerweise benutze ich den Rechner schon für sowas, natürlich nicht mehr seit dem Trojanerfund...

So, combofix ist durchgelaufen. Desktop sieht jetzt soweit schon wieder ganz gut aus. Es fehlen lediglich ein paar Icons, aber die meisten Icons und alle Ordner sind wieder da.

Beim Starten fiehl mir jetzt noch folgende Meldung auf:

"Einige Autostartprogramme wurden geblockt. Programme, die eine Berechtigung zur Ausführung beim Windowsstart erfordern, werden von Windows geblockt..."

Alles wieder gut?

anbei die Auswertung:

Combofix Logfile:

Code:

ATTFilter

ComboFix 11-04-28.03 - user 29.04.2011  19:20:12.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.49.1031.18.2814.1855 [GMT 2:00]
ausgeführt von:: c:\users\user\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\pdfforge Toolbar\IE\4.3\pdFForgetoolbarie.dll
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\***\Favorites\Games.url
c:\users\user\AppData\Roaming\.#
c:\users\user\AppData\Roaming\.#\MBX@140C@1B62990.###
c:\users\user\AppData\Roaming\.#\MBX@140C@1B629C0.###
c:\users\user\AppData\Roaming\.#\MBX@140C@1B629F0.###
.
----- BITS: Eventuell infizierte Webseiten -----
.
hxxp://139.18.143.201
.
(((((((((((((((((((((((   Dateien erstellt von 2011-03-28 bis 2011-04-29  ))))))))))))))))))))))))))))))
.
.
2011-04-29 17:27 . 2011-04-29 17:27	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-04-29 17:27 . 2011-04-29 17:27	--------	d-----w-	c:\users\***\AppData\Local\temp
2011-04-29 17:02 . 2011-04-11 07:04	7071056	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{50478EDA-F15E-4A09-85E7-D824121DDC58}\mpengine.dll
2011-04-27 19:12 . 2011-04-27 19:12	--------	d-----w-	c:\users\user\AppData\Roaming\Malwarebytes
2011-04-27 19:11 . 2010-12-20 16:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 19:11 . 2011-04-27 19:11	--------	d-----w-	c:\programdata\Malwarebytes
2011-04-27 19:11 . 2010-12-20 16:08	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-04-26 20:20 . 2011-04-26 20:21	--------	d-----w-	c:\users\***
2011-04-26 20:18 . 2011-04-26 20:18	0	---ha-w-	c:\users\user\AppData\Local\BITCB3F.tmp
2011-04-26 05:18 . 2011-04-26 05:18	--------	d-----w-	c:\program files\Common Files\Macrovision Shared
2011-04-26 05:18 . 2011-04-26 05:18	12464	----a-w-	c:\windows\system32\drivers\CDAC15BA.SYS
2011-04-26 05:18 . 2011-04-26 05:18	54784	----a-w-	c:\windows\system32\drivers\CDAC11BA.EXE
2011-04-26 05:17 . 2011-04-26 05:17	--------	d-----w-	c:\program files\AnswerWorks 4.0
2011-04-26 05:17 . 2011-04-26 05:17	--------	d-----w-	c:\windows\system32\1031
2011-04-26 05:17 . 2011-04-26 05:17	--------	d-----w-	c:\windows\system32\Common Files
2011-04-26 05:16 . 2011-04-26 05:17	--------	d-----w-	c:\program files\Common Files\Autodesk Shared
2011-04-25 13:56 . 2011-04-25 13:56	--------	d--h--w-	c:\programdata\WindowsSearch
2011-04-24 16:42 . 2011-04-24 16:45	--------	d--h--w-	c:\users\user\AppData\Roaming\HpUpdate
2011-04-24 16:42 . 2011-04-24 16:42	--------	d-----w-	c:\windows\Hewlett-Packard
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-17 19:19 . 2010-01-28 18:56	137656	----a-w-	c:\windows\system32\drivers\avipbb.sys
2011-02-02 16:11 . 2009-10-04 16:03	222080	------w-	c:\windows\system32\MpSigStub.exe
2009-09-13 16:27 . 2009-09-13 16:27	712704	----a-w-	c:\program files\dtdr3260.dll
2009-09-13 16:27 . 2009-09-13 16:27	14336	----a-w-	c:\program files\wmdmhelper.dll
2009-09-13 16:27 . 2009-09-13 16:27	6656	----a-w-	c:\program files\fixrjb.exe
2009-09-13 16:27 . 2009-09-13 16:27	651264	----a-w-	c:\program files\rjbres.dll
2009-09-13 16:27 . 2009-09-13 16:27	36352	----a-w-	c:\program files\ierjplug.dll
2009-09-13 16:27 . 2009-09-13 16:27	352256	----a-w-	c:\program files\rjdlg.dll
2009-09-13 16:27 . 2009-09-13 16:27	19456	----a-w-	c:\program files\tnetdtct.dll
2009-09-13 16:27 . 2009-09-13 16:27	19456	----a-w-	c:\program files\rjprog.dll
2009-09-13 16:27 . 2009-09-13 16:27	139264	----a-w-	c:\program files\DUNZIP32.dll
2009-09-13 16:27 . 2009-09-13 16:27	81920	----a-w-	c:\program files\tsasdk.dll
2009-09-13 16:27 . 2009-09-13 16:27	57344	----a-w-	c:\program files\tpasdk.dll
2009-09-13 16:27 . 2009-09-13 16:27	41472	----a-w-	c:\program files\mmcdda32.dll
2009-09-13 16:27 . 2009-09-13 16:27	719360	----a-w-	c:\program files\dbghelp.dll
2009-09-13 16:27 . 2009-09-13 16:27	43056	----a-w-	c:\program files\rpshellsearch.dll
2009-09-13 16:27 . 2009-09-13 16:27	329312	----a-w-	c:\program files\rpbrowserrecordplugin.dll
2009-09-13 16:27 . 2009-09-13 16:27	32768	----a-w-	c:\program files\rpwa3260.dll
2009-09-13 16:27 . 2009-09-13 16:27	198208	----a-w-	c:\program files\RecordingManager.exe
2009-09-13 16:27 . 2009-09-13 16:27	16296	----a-w-	c:\program files\realtfon.fon
2009-09-13 16:27 . 2009-09-13 16:27	65536	----a-w-	c:\program files\rjwmapln.dll
2009-09-13 16:27 . 2009-09-13 16:27	53248	----a-w-	c:\program files\rpau3260.dll
2009-09-13 16:27 . 2009-09-13 16:27	86016	----a-w-	c:\program files\rpplugprot.dll
2009-09-13 16:27 . 2009-09-13 16:27	63016	----a-w-	c:\program files\rpshell.dll
2009-09-13 16:27 . 2009-09-13 16:27	112168	----a-w-	c:\program files\rdsf3260.dll
2009-09-13 16:27 . 2009-09-13 16:27	102400	----a-w-	c:\program files\HXAudioDeviceHook.dll
2009-09-13 16:27 . 2009-09-13 16:27	9216	----a-w-	c:\program files\rphelperapp.exe
2009-09-13 16:27 . 2009-09-13 16:27	7168	----a-w-	c:\program files\realjbox.exe
2009-09-13 16:27 . 2009-09-13 16:27	222728	----a-w-	c:\program files\realplay.exe
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2010-03-18 187192]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2010-03-18 14:06	1361208	----a-r-	c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2010-03-18 1361208]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2010-03-18 1361208]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 00:00	39472	---ha-w-	c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-12-05 4710400]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 525360]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-05 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 768520]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-13 198160]
"GMX Update"="c:\program files\GMX\LiveUpdate\m2LUTray.exe" [2009-10-16 2229632]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2010-03-17 106496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-01-28 526336]
"Malwarebytes' Anti-Malware (reboot)"="d:\programme\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-4-3 535336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 135664]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 135664]
R3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\DRIVERS\slnt7554.sys [2004-11-29 224888]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2006-09-19 80744]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-01-04 41456]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-09-19 51200]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-04 135336]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2011-01-28 387072]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2010-06-02 246520]
S2 serviceIEConfig;IEConfig 1und1/WEB.DE/GMX Edition;c:\windows\System32\ieconfig_1und1_svc.exe [2009-11-04 662416]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2007-05-16 32256]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Inhalt des "geplante Tasks" Ordners
.
2011-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 12:49]
.
2011-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 12:49]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://go.1und1.de/links/home
mStart Page = hxxp://de.intl.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://go.1und1.de/suchbox/1und1suche?su=%s
IE: Nach Microsoft &Excel exportieren - d:\progra~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\t056xyhy.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
------- Dateityp-Verknüpfung -------
.
.scr=AutoCADScriptFile
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-ICQ - ~c:\program files\ICQ7.2\ICQ.exe
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
HKLM-Run-eRecoveryService - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2011-04-29 19:27
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse... 
.
Scanne versteckte Autostarteinträge... 
.
Scanne versteckte Dateien... 
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\serviceIEConfig]
"ImagePath"="c:\windows\System32\ieconfig_1und1_svc.exe /startedbyscm:016FE01B-40E31F2D-serviceIEConfig"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2011-04-29  19:31:21
ComboFix-quarantined-files.txt  2011-04-29 17:31
.
Vor Suchlauf: 6 Verzeichnis(se), 105.553.350.656 Bytes frei
Nach Suchlauf: 16 Verzeichnis(se), 106.527.039.488 Bytes frei
.
- - End Of File - - E8031D523A1B01F1DDD7A40D66FFD545

--- --- ---

markusg · 29.04.2011, 19:50

1. sofort die bank anrufen, notfall nummer:
116 116
lasse onlinebanking sperren, grund spyeye trojaner
2. da dieser trojaner dem angreifer umfassenden zugang und möglichkeiten bietet enderungen vorzunehmen können wir nicht für ein sauberes system garantiern, was nötig ist.
deswegen:
- daten sichern
- formatieren.
- absichern, tipps kannst du bekommen wenn du willst.
danach passwörter endern

chrisirhc · 29.04.2011, 20:57

Klingt ja garnicht gut...

Onlinebanking ist erstmal gesperrt.

Gut, dann werd ich wohl mal alles neu machen müssen. Die angebotenen Tipps würde ich da gern annehmen... ;-)

Wenn man für ein sauberes System nicht garantieren kann, besteht dann nicht die Gefahr, dass ich den Trojaner quasi "mitschleppe", wenn ich meine Daten extern sichere?

markusg · 30.04.2011, 09:14

naja diese trojaner befallen keine anderen daten, wenn du alles aus legalen quellen sicherst, keine keygens etc, dann ist die gefahr eig gegen 0
garantieren kann man natürlich für gar nichts im leben, aber hab da noch nie von problemen gehört.
wenn fertig bescheid sagen, heut nachmittag bin ich wieder da

chrisirhc · 02.05.2011, 18:59

sorry, hat bissel gedauert...

Habe die wichtigen Daten jetzt extern gespeichert.

29.04.2011, 09:30	#2
markusg /// Malware-holic	"wtr loader funktioniert nicht" "TR/Kazy.mekml.1" machst du onlinebanking einkäufe oder sonst was wichtiges mit dem gerät? bitte erstelle und poste ein combofix log. Ein Leitfaden und Tutorium zur Nutzung von ComboFix __________________ __________________

"wtr loader funktioniert nicht" "TR/Kazy.mekml.1"

Log-Analyse und Auswertung: "wtr loader funktioniert nicht" "TR/Kazy.mekml.1"