Trojaner-Board - Logfile nach Infizierung durch Microsoft Security Essentials Alert und soo -.-

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - Logfile nach Infizierung durch Microsoft Security Essentials Alert und soo -.- (https://www.trojaner-board.de/92140-logfile-infizierung-microsoft-security-essentials-alert-soo.html)

Logfile nach Infizierung durch Microsoft Security Essentials Alert und soo -.-

soo.. hoffe das man mir helfen kann ohne mir dazu zu raten meine partitionen zu loeschen und windows neu draufzupacken :)

otl sagt: OTL Logfile:

Code:

OTL Extras logfile created on: 23.10.2010 15:29:21 - Run 1

OTL by OldTimer - Version 3.2.16.0     Folder = C:\Users\Cao\Desktop

 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 48,00% Memory free

6,00 Gb Paging File | 4,00 Gb Available in Paging File | 69,00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 424,66 Gb Total Space | 315,43 Gb Free Space | 74,28% Space Free | Partition Type: NTFS

Drive D: | 40,00 Gb Total Space | 30,14 Gb Free Space | 75,36% Space Free | Partition Type: NTFS

 

Computer Name: CAOTHIENNHAN-PC | User Name: Cao | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 
 ========== Extra Registry (SafeList) ==========

 

 
 ========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

 
 ========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htafile [open] -- "%1" %*

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

 
 ========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

 
 ========== Firewall Settings ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

 
 ========== Authorized Applications List ==========

 

 
 ========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"_{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3

"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam

"{192A107E-C6B9-41B9-BDBF-38E3AA226054}" = OpenOffice.org 3.2

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18

"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime

"{2BA722D1-48D1-406E-9123-8AE5431D63EF}" = Windows Live Fotogalerie

"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver

"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works

"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform

"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology

"{3E6F0CAD-EE38-42A5-9EEA-AE17A55BF2D4}" = Firebird SQL Server - MAGIX Edition

"{3EFEF049-23D4-4B46-8903-4592FEA51018}" = Windows Live Movie Maker

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go

"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack

"{5185FD77-6CE7-4D20-BC53-70A029E52C6E}" = Brother HL-2035

"{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module

"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent

"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3

"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes

"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053

"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call

"{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module

"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components

"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{70B7A167-0B88-445D-A3EA-97C73AA88CAC}" = Windows Live Toolbar

"{76618402-179D-4699-A66B-D351C59436BC}" = Windows Live Sync

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{80E158EA-7181-40FE-A701-301CE6BE64AB}" = CyberLink MediaShow

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{88EB38EF-4D2C-436D-ABD3-56B232674062}" = ICQ7

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour

"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)

"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007

"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007

"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007

"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007

"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007

"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System

"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007

"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007

"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007

"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9D3D8C60-A55F-4fed-B2B9-173F09590E16}" = REALTEK Wireless LAN Driver

"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support

"{A062A15F-9CAC-4B88-98DF-87628A0BD721}" = Corel MediaOne

"{A334F1BA-0A1D-4ED6-B4F9-4066157CA15D}" = DE

"{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9

"{AB770FDE-8087-4C98-9A85-BD64262C104C}" = Medion Home Cinema

"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3 - Deutsch

"{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = CyberLink PowerProducer

"{BAC80EF3-E106-4AEA-8C57-F217F9BC7358}" = Microsoft SQL Server 2005 Compact Edition [DEU]

"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)

"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update

"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail

"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint

"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector

"{D0846526-66DD-4DC9-A02C-98F9A2806812}" = Launch Manager V1.5.0.8

"{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow

"{D6C9AF27-9414-46C8-B9D8-D878BA041031}" = Nero 8

"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer

"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update

"{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy

"{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager

"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials

"7-Zip" = 7-Zip 4.65

"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Photoshop 7.0" = Adobe Photoshop 7.0

"ALDI Foto Service D" = ALDI Foto Service

"ALDI Nord Foto Manager Free D" = ALDI Nord Foto Manager Free

"Aldi Nord Fotoservice_is1" = Aldi Nord Fotoservice

"ALDI Nord Online Druck Service D" = ALDI Nord Online Druck Service

"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus

"Belarc Advisor" = Belarc Advisor 8.1

"BullGuard" = BullGuard 9.0

"CCleaner" = CCleaner

"ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.96.2.1

"DivX Setup.divx.com" = DivX-Setup

"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.7

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"ICQToolbar" = ICQ Toolbar

"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam

"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go

"InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}" = CyberLink MediaShow

"InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9

"InstallShield_{AB770FDE-8087-4C98-9A85-BD64262C104C}" = Medion Home Cinema

"InstallShield_{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = CyberLink PowerProducer

"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint

"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector

"InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow

"IrfanView" = IrfanView (remove only)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MEDION Fotos auf CD & DVD SE Nord D" = MEDION Fotos auf CD & DVD SE Nord

"NVIDIA Drivers" = NVIDIA Drivers

"SUPER ©" = SUPER © Version 2010.bld.38 (May 2, 2010)

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"TVWiz" = Intel(R) TV Wizard

"Uninstall_is1" = Uninstall 1.0.0.1

"Virtual DJ - Atomix Productions" = Virtual DJ - Atomix Productions

"WinLiveSuite_Wave3" = Windows Live Essentials

"Yahoo! Companion" = Yahoo! Toolbar

"Yahoo! Messenger" = Yahoo! Messenger

"Yahoo! Software Update" = Yahoo! Software Update

 
 ========== Last 10 Event Log Errors ==========

 

[ Application Events ]

Error - 22.10.2010 21:19:34 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

Error - 23.10.2010 06:18:57 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

Error - 23.10.2010 06:18:57 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

Error - 23.10.2010 06:19:07 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

Error - 23.10.2010 08:51:21 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

Error - 23.10.2010 08:51:21 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

Error - 23.10.2010 08:51:32 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

Error - 23.10.2010 09:14:59 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

Error - 23.10.2010 09:14:59 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

Error - 23.10.2010 09:15:26 | Computer Name = CaoThienNhan-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107

Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen

 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.

 Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum

 gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.

.

 

[ System Events ]

Error - 22.10.2010 03:46:32 | Computer Name = CaoThienNhan-PC | Source = Service Control Manager | ID = 7000

Description = Der Dienst "BullGuard scanning service" wurde aufgrund folgenden Fehlers

 nicht gestartet:   %%1053

 

Error - 22.10.2010 03:46:51 | Computer Name = CaoThienNhan-PC | Source = Service Control Manager | ID = 7022

Description = Der Dienst "Windows Update" wurde nicht richtig gestartet.

 

Error - 22.10.2010 21:25:31 | Computer Name = CaoThienNhan-PC | Source = Service Control Manager | ID = 7009

Description = Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst

 BullGuard scanning service erreicht.

 

Error - 22.10.2010 21:25:31 | Computer Name = CaoThienNhan-PC | Source = Service Control Manager | ID = 7000

Description = Der Dienst "BullGuard scanning service" wurde aufgrund folgenden Fehlers

 nicht gestartet:   %%1053

 

Error - 22.10.2010 21:25:33 | Computer Name = CaoThienNhan-PC | Source = Service Control Manager | ID = 7022

Description = Der Dienst "Windows Update" wurde nicht richtig gestartet.

 

Error - 23.10.2010 06:25:08 | Computer Name = CaoThienNhan-PC | Source = Service Control Manager | ID = 7022

Description = Der Dienst "Windows Update" wurde nicht richtig gestartet.

 

Error - 23.10.2010 08:43:32 | Computer Name = CaoThienNhan-PC | Source = Service Control Manager | ID = 7000

Description = Der Dienst "OHCI-konformer 1394-Hostcontroller" wurde aufgrund folgenden

 Fehlers nicht gestartet:   %%31

 

Error - 23.10.2010 08:45:29 | Computer Name = CaoThienNhan-PC | Source = DCOM | ID = 10010

Description = 

 

Error - 23.10.2010 09:14:48 | Computer Name = CaoThienNhan-PC | Source = EventLog | ID = 6008

Description = Das System wurde zuvor am ?23.?10.?2010 um 15:13:00 unerwartet heruntergefahren.

 

Error - 23.10.2010 09:15:01 | Computer Name = CaoThienNhan-PC | Source = BugCheck | ID = 1001

Description = 

 

 

< End of report >

--- --- ---

und: OTL Logfile:

Code:

OTL logfile created on: 23.10.2010 15:29:21 - Run 1

OTL by OldTimer - Version 3.2.16.0     Folder = C:\Users\Cao\Desktop

 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 48,00% Memory free

6,00 Gb Paging File | 4,00 Gb Available in Paging File | 69,00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 424,66 Gb Total Space | 315,43 Gb Free Space | 74,28% Space Free | Partition Type: NTFS

Drive D: | 40,00 Gb Total Space | 30,14 Gb Free Space | 75,36% Space Free | Partition Type: NTFS

 

Computer Name: CAOTHIENNHAN-PC | User Name: Cao | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 
 ========== Processes (SafeList) ==========

 

PRC - [2010.10.23 15:28:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Cao\Desktop\OTL.exe

PRC - [2010.10.23 14:44:14 | 000,274,432 | ---- | M] (Trend Micro Inc.) -- C:\Users\Nhan\AppData\Local\Temp\Ofl.exe

PRC - [2010.09.22 14:37:46 | 000,355,720 | ---- | M] (BullGuard Ltd.) -- C:\Programme\BullGuard Ltd\BullGuard\BullGuardUpdate.exe

PRC - [2010.08.20 01:22:32 | 000,086,016 | ---- | M] (alch) -- C:\Programme\ClamWin\bin\ClamTray.exe

PRC - [2010.07.09 18:34:17 | 000,231,888 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil10h_ActiveX.exe

PRC - [2010.06.03 02:50:58 | 001,144,104 | ---- | M] () -- C:\Programme\DivX\DivX Update\DivXUpdate.exe

PRC - [2010.04.29 12:19:18 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbam.exe

PRC - [2010.04.16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Programme\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010.04.06 11:13:24 | 002,069,840 | ---- | M] (BullGuard Ltd.) -- C:\Programme\BullGuard Ltd\BullGuard\BullGuard.exe

PRC - [2010.04.01 13:33:15 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe

PRC - [2010.03.03 22:07:04 | 000,297,808 | ---- | M] (BullGuard Ltd.) -- C:\Programme\BullGuard Ltd\BullGuard\BullGuardScanner.exe

PRC - [2010.03.02 11:28:23 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe

PRC - [2010.02.24 10:28:01 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe

PRC - [2010.01.14 22:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe

PRC - [2010.01.13 11:18:30 | 000,413,696 | ---- | M] (Wistron Corp.) -- C:\Programme\Launch Manager\WButton.exe

PRC - [2010.01.12 19:23:38 | 008,423,968 | ---- | M] (Realtek Semiconductor) -- C:\Programme\Realtek\Audio\HDA\RtHDVCpl.exe

PRC - [2010.01.12 19:23:38 | 000,678,432 | ---- | M] (Realtek Semiconductor) -- C:\Programme\Realtek\Audio\HDA\RtHDVBg.exe

PRC - [2010.01.03 18:07:48 | 000,246,520 | ---- | M] () -- C:\Programme\ICQ6Toolbar\ICQ Service.exe

PRC - [2009.12.14 12:25:00 | 000,200,704 | ---- | M] (Wistron) -- C:\Programme\Launch Manager\HotkeyApp.exe

PRC - [2009.12.11 16:18:16 | 000,348,960 | ---- | M] (Wistron Corp.) -- C:\Programme\Launch Manager\OSD.exe

PRC - [2009.12.10 09:48:26 | 002,320,920 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

PRC - [2009.12.10 09:48:24 | 000,268,824 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel(R) Management Engine Components\LMS\LMS.exe

PRC - [2009.11.02 15:21:26 | 000,103,720 | ---- | M] (CyberLink) -- C:\Programme\CyberLink\Power2Go\CLMLSvc.exe

PRC - [2009.10.22 18:05:40 | 000,118,560 | ---- | M] (Wistron Corp.) -- C:\Programme\Launch Manager\WisLMSvc.exe

PRC - [2009.10.02 14:26:12 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe

PRC - [2009.10.02 14:26:10 | 000,284,696 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe

PRC - [2009.08.03 07:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2009.07.14 03:17:29 | 000,673,048 | ---- | M] (Microsoft Corporation) -- C:\Programme\Internet Explorer\iexplore.exe

PRC - [2009.07.14 03:14:47 | 001,121,280 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe

PRC - [2009.07.14 03:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe

PRC - [2009.07.14 03:14:38 | 001,173,504 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Sidebar\sidebar.exe

PRC - [2009.07.14 03:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe

PRC - [2009.05.19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

PRC - [2009.02.03 15:53:00 | 001,155,072 | ---- | M] (MAGIX AG) -- C:\Programme\Common Files\MAGIX Services\Database\bin\FABS.exe

PRC - [2009.01.26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Programme\Spybot - Search & Destroy\SDWinSec.exe

PRC - [2008.11.09 22:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Programme\Yahoo!\SoftwareUpdate\YahooAUService.exe

PRC - [2008.06.24 16:06:06 | 001,840,424 | ---- | M] (Nero AG) -- C:\Programme\Common Files\Nero\Lib\NMIndexStoreSvr.exe

PRC - [2008.06.08 09:31:04 | 002,221,352 | ---- | M] (Nero AG) -- C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

PRC - [2007.06.05 14:20:32 | 000,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe

 

 
 ========== Modules (SafeList) ==========

 

MOD - [2010.10.23 15:28:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Cao\Desktop\OTL.exe

MOD - [2010.01.14 23:05:24 | 000,088,168 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvinit.dll

MOD - [2009.07.14 03:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll

MOD - [2009.07.14 03:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll

MOD - [2009.07.14 03:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll

MOD - [2009.07.14 03:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll

MOD - [2009.07.14 03:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll

MOD - [2009.07.14 03:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll

MOD - [2009.07.14 03:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll

MOD - [2009.07.14 03:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll

MOD - [2009.07.14 03:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx

MOD - [2009.07.14 03:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll

 

 
 ========== Win32 Services (SafeList) ==========

 

SRV - [2010.09.22 14:37:46 | 000,355,720 | ---- | M] (BullGuard Ltd.) [Auto | Running] -- C:\Programme\BullGuard Ltd\BullGuard\BullGuardUpdate.exe -- (BsUpdate)

SRV - [2010.04.16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010.04.09 09:31:20 | 000,158,544 | ---- | M] (BullGuard Ltd.) [Auto | Running] -- C:\Programme\BullGuard Ltd\BullGuard\BsMain.dll -- (BsMain)

SRV - [2010.04.06 11:13:24 | 000,377,680 | ---- | M] (BullGuard Ltd.) [Auto | Running] -- C:\Programme\BullGuard Ltd\BullGuard\BsFire.dll -- (BsFire)

SRV - [2010.04.06 11:13:24 | 000,249,168 | ---- | M] (BullGuard Ltd.) [Auto | Running] -- C:\Programme\BullGuard Ltd\BullGuard\BsFileScan.dll -- (BsFileScan)

SRV - [2010.04.01 13:33:15 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2010.03.08 08:26:08 | 000,053,584 | ---- | M] (BullGuard Ltd.) [Auto | Running] -- C:\Programme\BullGuard Ltd\BullGuard\BsBrowser.dll -- (BsBrowser)

SRV - [2010.03.05 10:34:30 | 000,133,456 | ---- | M] (BullGuard Ltd.) [Auto | Running] -- C:\Programme\BullGuard Ltd\BullGuard\BsMailProxy\BsMailProxy.dll -- (BsMailProxy)

SRV - [2010.03.03 22:07:16 | 000,120,144 | ---- | M] (BullGuard Ltd.) [On_Demand | Stopped] -- C:\Program Files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe -- (BgRaSvc)

SRV - [2010.03.03 22:07:04 | 000,297,808 | ---- | M] (BullGuard Ltd.) [On_Demand | Running] -- C:\Programme\BullGuard Ltd\BullGuard\BullGuardScanner.exe -- (BsScanner)

SRV - [2010.02.24 10:28:01 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2010.01.03 18:07:48 | 000,246,520 | ---- | M] () [Auto | Running] -- C:\Programme\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)

SRV - [2009.12.10 09:48:26 | 002,320,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)

SRV - [2009.12.10 09:48:24 | 000,268,824 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)

SRV - [2009.10.22 18:05:40 | 000,118,560 | ---- | M] (Wistron Corp.) [On_Demand | Running] -- C:\Program Files\Launch Manager\WisLMSvc.exe -- (WisLMSvc)

SRV - [2009.10.02 14:26:12 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)

SRV - [2009.07.14 03:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)

SRV - [2009.07.14 03:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)

SRV - [2009.07.14 03:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)

SRV - [2009.07.14 03:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)

SRV - [2009.07.14 03:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)

SRV - [2009.07.14 03:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)

SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)

SRV - [2009.07.14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)

SRV - [2009.07.14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)

SRV - [2009.07.14 03:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)

SRV - [2009.07.14 03:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)

SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2009.07.14 03:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)

SRV - [2009.07.14 03:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)

SRV - [2009.07.14 03:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)

SRV - [2009.07.14 03:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)

SRV - [2009.07.14 03:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)

SRV - [2009.07.14 03:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX-Installer (AxInstSV)

SRV - [2009.07.14 03:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)

SRV - [2009.07.14 03:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)

SRV - [2009.05.19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)

SRV - [2009.02.03 15:53:00 | 001,155,072 | ---- | M] (MAGIX AG) [Unknown | Running] -- C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe -- (Fabs)

SRV - [2009.01.26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Programme\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)

SRV - [2008.11.09 22:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)

SRV - [2008.08.07 11:10:02 | 003,276,800 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Program Files\Common Files\MAGIX Services\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)

SRV - [2007.06.05 14:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)

 

 
 ========== Driver Services (SafeList) ==========

 

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\RtsUCcid.sys -- (USBCCID)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\Rts516xIR.sys -- (RtsUIR)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)

DRV - [2010.04.29 12:19:24 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)

DRV - [2010.03.12 11:34:50 | 000,055,888 | ---- | M] (BullGuard Ltd.) [File_System | System | Running] -- C:\Windows\System32\drivers\BdSpy.sys -- (BdSpy)

DRV - [2010.03.01 10:05:19 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)

DRV - [2010.02.16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)

DRV - [2010.01.14 23:05:24 | 009,957,576 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

DRV - [2010.01.12 19:13:02 | 002,988,640 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2009.12.16 11:14:14 | 000,991,776 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8192se.sys -- (rtl8192se)

DRV - [2009.12.10 20:25:12 | 000,231,600 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\system32\DRIVERS\SynTP.sys -- (SynTP)

DRV - [2009.12.04 12:00:14 | 000,318,488 | ---- | M] (Agnitum Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afwcore.sys -- (afwcore)

DRV - [2009.12.04 12:00:14 | 000,029,208 | ---- | M] (Agnitum Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\afw.sys -- (AFW)

DRV - [2009.12.04 11:59:52 | 000,014,720 | ---- | M] (BitDefender S.R.L.) [Kernel | On_Demand | Stopped] -- C:\Programme\BullGuard Ltd\BullGuard\Antirootkit\profos.sys -- (Profos)

DRV - [2009.11.21 17:24:58 | 006,232,576 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)

DRV - [2009.11.13 18:47:50 | 000,058,368 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C)

DRV - [2009.10.30 07:55:30 | 000,209,920 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)

DRV - [2009.10.26 13:39:04 | 000,125,696 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\system32\DRIVERS\Impcd.sys -- (Impcd)

DRV - [2009.10.02 13:40:50 | 000,432,664 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)

DRV - [2009.09.18 05:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\system32\DRIVERS\HECI.sys -- (HECI) Intel(R)

DRV - [2009.07.30 18:45:22 | 000,171,520 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\RtsUStor.sys -- (RSUSBSTOR)

DRV - [2009.07.14 03:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)

DRV - [2009.07.14 03:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)

DRV - [2009.07.14 03:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)

DRV - [2009.07.14 03:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)

DRV - [2009.07.14 03:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)

DRV - [2009.07.14 03:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)

DRV - [2009.07.14 03:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)

DRV - [2009.07.14 03:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)

DRV - [2009.07.14 03:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)

DRV - [2009.07.14 03:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)

DRV - [2009.07.14 03:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)

DRV - [2009.07.14 03:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)

DRV - [2009.07.14 03:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)

DRV - [2009.07.14 03:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)

DRV - [2009.07.14 03:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)

DRV - [2009.07.14 03:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)

DRV - [2009.07.14 03:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)

DRV - [2009.07.14 03:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)

DRV - [2009.07.14 03:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)

DRV - [2009.07.14 03:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)

DRV - [2009.07.14 03:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)

DRV - [2009.07.14 03:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)

DRV - [2009.07.14 03:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)

DRV - [2009.07.14 03:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)

DRV - [2009.07.14 03:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)

DRV - [2009.07.14 03:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)

DRV - [2009.07.14 03:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)

DRV - [2009.07.14 03:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)

DRV - [2009.07.14 03:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)

DRV - [2009.07.14 03:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)

DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)

DRV - [2009.07.14 03:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)

DRV - [2009.07.14 03:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)

DRV - [2009.07.14 03:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)

DRV - [2009.07.14 03:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)

DRV - [2009.07.14 03:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)

DRV - [2009.07.14 03:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)

DRV - [2009.07.14 03:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)

DRV - [2009.07.14 03:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)

DRV - [2009.07.14 03:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)

DRV - [2009.07.14 02:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC-Seriellschnittstellentreiber (WDM)

DRV - [2009.07.14 02:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)

DRV - [2009.07.14 02:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)

DRV - [2009.07.14 01:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)

DRV - [2009.07.14 01:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)

DRV - [2009.07.14 01:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)

DRV - [2009.07.14 01:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)

DRV - [2009.07.14 01:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)

DRV - [2009.07.14 01:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)

DRV - [2009.07.14 01:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)

DRV - [2009.07.14 01:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)

DRV - [2009.07.14 01:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)

DRV - [2009.07.14 01:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)

DRV - [2009.07.14 01:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)

DRV - [2009.07.14 01:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\system32\DRIVERS\CompositeBus.sys -- (CompositeBus)

DRV - [2009.07.14 01:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)

DRV - [2009.07.14 01:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)

DRV - [2009.07.14 01:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)

DRV - [2009.07.14 01:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)

DRV - [2009.07.14 01:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)

DRV - [2009.07.14 00:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)

DRV - [2009.07.14 00:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm) Brother MFC-nur-Fax-Modem (USB)

DRV - [2009.07.14 00:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer) Brother MFC-WDM-Treiber (USB,seriell)

DRV - [2009.07.14 00:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm) Brother WDM-Treiber (seriell)

DRV - [2009.07.14 00:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)

DRV - [2009.07.14 00:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)

DRV - [2009.07.14 00:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)

DRV - [2009.07.14 00:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)

DRV - [2009.07.14 00:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)

DRV - [2009.05.11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)

 

 
 ========== Standard Registry (SafeList) ==========

 

 
 ========== Internet Explorer ==========

 

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://medion.msn.com [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://medion.msn.com [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aldi.com

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

FF - HKLM\software\mozilla\Firefox\Extensions\\antiphishing@bullguard: C:\Program Files\BullGuard Ltd\BullGuard\Antiphishing\FF\antiphishing@bullguard\ [2010.06.07 17:40:22 | 000,000,000 | ---D | M]

 

 

O1 HOSTS File: ([2010.08.27 16:50:10 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)

O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O2 - BHO: (BGAntiphishingBHO Class) - {FC872B94-35E3-4B94-B028-184A2A1C7CCE} - C:\Programme\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIEBHO.dll (BullGuard Ltd.)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)

O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [BullGuard] C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe (BullGuard Ltd.)

O4 - HKLM..\Run: [ClamWin] C:\Program Files\ClamWin\bin\ClamTray.exe (alch)

O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)

O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()

O4 - HKLM..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe (Wistron)

O4 - HKLM..\Run: [IAStorIcon] C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)

O4 - HKLM..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe File not found

O4 - HKLM..\Run: [LMgrVolOSD] C:\Program Files\Launch Manager\OSD.exe (Wistron Corp.)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [PDVD9LanguageShortcut] C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe (CyberLink Corp.)

O4 - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [Wbutton] C:\Program Files\Launch Manager\Wbutton.exe (Wistron Corp.)

O4 - HKCU..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)

O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} -  File not found

O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} -  File not found

O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: BullGuard - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - C:\Programme\BullGuard Ltd\BullGuard\Antiphishing\IE\BgAntiphishingIE.dll (BullGuard Ltd.)

O9 - Extra Button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.)

O9 - Extra 'Tools' menuitem : ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\BGLsp.dll (BullGuard Ltd.)

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Programme\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)

O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - AppInit_DLLs: (C:\Windows\system32\nvinit.dll) - C:\Windows\System32\nvinit.dll (NVIDIA Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) -  File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 
 ========== Files/Folders - Created Within 30 Days ==========

 

[2010.10.23 15:28:20 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Cao\Desktop\OTL.exe

[2010.10.23 15:14:53 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[2010.10.23 15:12:59 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Users\Cao\Desktop\OTH.scr

[2010.10.23 14:46:56 | 000,000,000 | ---D | C] -- C:\Programme\RegCleaner

[2010.01.18 04:08:30 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 
 ========== Files - Modified Within 30 Days ==========

 

[2010.10.23 15:38:24 | 000,000,282 | -H-- | M] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

[2010.10.23 15:37:14 | 000,764,416 | ---- | M] () -- C:\Windows\System32\drivers\oxwdeebg.sys

[2010.10.23 15:36:01 | 000,001,114 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1539451478-733840103-1462338374-1000UA.job

[2010.10.23 15:31:05 | 000,000,282 | -H-- | M] () -- C:\Windows\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

[2010.10.23 15:28:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Cao\Desktop\OTL.exe

[2010.10.23 15:22:29 | 000,009,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2010.10.23 15:22:29 | 000,009,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2010.10.23 15:20:59 | 000,002,824 | ---- | M] () -- C:\Users\Cao\Desktop\systemrestore.reg

[2010.10.23 15:20:45 | 000,002,404 | ---- | M] () -- C:\Users\Cao\Desktop\sysrestoreenable.reg

[2010.10.23 15:20:26 | 000,000,228 | ---- | M] () -- C:\Users\Cao\Desktop\shell.reg

[2010.10.23 15:14:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010.10.23 15:14:45 | 426,792,533 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2010.10.23 15:14:40 | 2559,467,520 | -HS- | M] () -- C:\hiberfil.sys

[2010.10.23 15:13:49 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Users\Cao\Desktop\OTH.scr

[2010.10.23 14:58:07 | 000,024,790 | ---- | M] () -- C:\Users\Cao\Desktop\puzzle.gif

[2010.10.23 14:46:58 | 000,000,932 | ---- | M] () -- C:\Users\Cao\Desktop\RegCleaner.lnk

[2010.10.22 22:41:52 | 000,643,866 | ---- | M] () -- C:\Windows\System32\perfh007.dat

[2010.10.22 22:41:52 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2010.10.22 22:41:52 | 000,126,394 | ---- | M] () -- C:\Windows\System32\perfc007.dat

[2010.10.22 22:41:52 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2010.10.22 13:17:50 | 000,000,270 | ---- | M] () -- C:\Windows\Brownie.ini

[2010.10.18 06:36:00 | 000,001,062 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1539451478-733840103-1462338374-1000Core.job

[2010.10.16 11:23:21 | 000,003,288 | ---- | M] () -- C:\bootsqm.dat

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 
 ========== Files Created - No Company Name ==========

 

[2010.10.23 15:20:55 | 000,002,824 | ---- | C] () -- C:\Users\Cao\Desktop\systemrestore.reg

[2010.10.23 15:20:42 | 000,002,404 | ---- | C] () -- C:\Users\Cao\Desktop\sysrestoreenable.reg

[2010.10.23 15:20:21 | 000,000,228 | ---- | C] () -- C:\Users\Cao\Desktop\shell.reg

[2010.10.23 15:14:45 | 426,792,533 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2010.10.23 14:59:04 | 000,024,790 | ---- | C] () -- C:\Users\Cao\Desktop\puzzle.gif

[2010.10.23 14:48:23 | 000,000,282 | -H-- | C] () -- C:\Windows\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

[2010.10.23 14:46:58 | 000,000,932 | ---- | C] () -- C:\Users\Cao\Desktop\RegCleaner.lnk

[2010.10.23 14:44:16 | 000,000,282 | -H-- | C] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

[2010.10.23 14:43:28 | 000,764,416 | ---- | C] () -- C:\Windows\System32\drivers\oxwdeebg.sys

[2010.10.16 11:23:21 | 000,003,288 | ---- | C] () -- C:\bootsqm.dat

[2010.05.19 14:04:08 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll

[2010.04.29 18:36:47 | 000,000,416 | ---- | C] () -- C:\Windows\BRWMARK.INI

[2010.04.29 18:31:28 | 000,000,145 | ---- | C] () -- C:\Windows\BRVIDEO.INI

[2010.04.29 18:31:28 | 000,000,000 | ---- | C] () -- C:\Windows\brmx2001.ini

[2010.04.29 18:31:05 | 000,000,114 | ---- | C] () -- C:\Windows\System32\brlmw03a.ini

[2010.04.29 18:31:03 | 000,009,030 | ---- | C] () -- C:\Windows\HL-2030.INI

[2010.04.29 18:27:56 | 000,000,270 | ---- | C] () -- C:\Windows\Brownie.ini

[2010.04.13 19:48:34 | 000,000,338 | ---- | C] () -- C:\Windows\disney.ini

[2010.02.02 21:19:20 | 000,453,024 | ---- | C] () -- C:\Programme\setup.exe

[2010.02.02 21:18:14 | 010,182,144 | ---- | C] () -- C:\Programme\openofficeorg32.msi

[2010.02.02 21:18:10 | 146,492,804 | ---- | C] () -- C:\Programme\openofficeorg1.cab

[2010.02.02 01:28:52 | 000,000,290 | ---- | C] () -- C:\Programme\setup.ini

[2010.01.19 18:15:43 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll

[2010.01.18 04:24:44 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll

[2010.01.14 06:31:04 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll

[2010.01.14 06:31:04 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll

[2009.08.03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll

[2009.07.14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll

[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll

 
 ========== LOP Check ==========

 

[2010.06.08 06:42:22 | 000,000,000 | ---D | M] -- C:\Users\Cao\AppData\Roaming\BullGuard

[2010.07.03 22:01:42 | 000,000,000 | ---D | M] -- C:\Users\Cao\AppData\Roaming\ICQ

[2010.09.05 18:53:55 | 000,000,000 | ---D | M] -- C:\Users\Cao\AppData\Roaming\IrfanView

[2010.10.07 15:17:38 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[2010.10.23 15:38:24 | 000,000,282 | -H-- | M] () -- C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

[2010.10.23 15:31:05 | 000,000,282 | -H-- | M] () -- C:\Windows\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

 
 ========== Purity Check ==========

 

 
 

< End of report >

--- --- ---

danke :)
achja vielleicht sollte ich noch erwaehnen dass ich mich gerade in nem anderen benutzerkonto befinde mein main konto laesst sich nicht mehr abrufen sobald ich mein kennwort eingegeben hab erscheint nur thinkpoint und wenn ich im taskmanager den hotfile.exe prozess beende ist mein bildschirm einfach nur schwarz

Zitat:

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

Wurde das schon ausgeführt? Wenn ja, wo sind die Logs? Bitte alle posten.

bin dabei..

habe noch ne andere komische fehlermeldung und zwar

Durch die Internetsicherheitseinstellungen wurde verhindert, dass eine oder mehrere dateien geöffnet wurden

c:\windows\system32\gfxui.exe

ach und noch etwas..

habe gerade mal dat hijackthis programm gestartet und was erscheint...
http://img37.imageshack.us/img37/3461/unbenannttkq.png

Vergiss Hijackthis, das brauchen wir nicht!

okay

und weisste schon was fuer ein fehler/virus was weiss ich hier: c:\windows\system32\gfxui.exe zugrunde liegt?

Nein. Anhand eines Dateinames kann man keinen Virus bestimmen. Mach bitte den Vollscan mit malwarebytes und poste das Log.

kann sich nur noch um 30 40 minuten handeln.. hoffe ich.. bis ichs posten kann

ok dauert wohl noch ein bisschen ich geb die files und so morgen rein

sooo..

hier ist erstmal die mbam file:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4925

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

24.10.10 13:03:04
mbam-log-2010-10-24 (13-03-04).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Durchsuchte Objekte: 282020
Laufzeit: 1 Stunde(n), 55 Minute(n), 24 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 5
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\X3EKEPXJP2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koo9rv9k4z (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metropolis (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

otl files kommen noch..

hier sind nun endlich die beiden logfiles nachm mbam full scan:

OTL.Txt hxxp://www.mediafire.com/?5sahibtyi4fmy5s

Extras.Txt hxxp://www.mediafire.com/?eemut4v3791cub1

falls ich noch etwas tun muss bitte sag bescheid

Mit den OTL-Logs hab ich Probleme. Kannst Du nicht einfach bei Logs in eine Datei zippen und hier im nächsten Postings anhängen?
Edit1: Ah jetzt ging der Download beider Logs doch :wtf:

Edit2: Irgendwas stimmt mit den Logs nicht, da fehlen einige Zeichen! Zip mal bitte beide Logs und häng sie hier an.

Auch da fehlen die Zeichen :balla:
Mach mal ein neues Log auf diese Art:

CustomScan mit OTL

Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop

Starte bitte die OTL.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Kopiere nun den Inhalt in die http://billy-oneal.com/Canned%20Spee.../customFix.png Textbox.

Code:

netsvcs

msconfig

safebootminimal

safebootnetwork

activex

drivers32

%ALLUSERSPROFILE%\Application Data\*.

%ALLUSERSPROFILE%\Application Data\*.exe /s

%APPDATA%\*.

%APPDATA%\*.exe /s

%SYSTEMDRIVE%\*.exe

/md5start

wininit.exe

userinit.exe

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

ws2ifsl.sys

sceclt.dll

ntelogon.dll

winlogon.exe

logevent.dll

user32.DLL

iaStor.sys

nvstor.sys

atapi.sys

IdeChnDr.sys

viasraid.sys

AGP440.sys

vaxscsi.sys

nvatabus.sys

viamraid.sys

nvata.sys

nvgts.sys

iastorv.sys

ViPrt.sys

eNetHook.dll

ahcix86.sys

KR10N.sys

nvstor32.sys

ahcix86s.sys

/md5stop

%systemroot%\system32\drivers\*.sys /lockedfiles

%systemroot%\System32\config\*.sav

%systemroot%\*. /mp /s

%systemroot%\system32\*.dll /lockedfiles

CREATERESTOREPOINT

Schliesse bitte nun alle Programme. (Wichtig)
Klicke nun bitte auf den Quick Scan Button.
Klick auf http://billy-oneal.com/Canned%20Spee.../OTL/btnOK.png.
Kopiere nun den Inhalt aus OTL.txt hier in Deinen Thread

Merkwürdig. Nur das 1. Log hat alle Zeichen. hast Du Dir OTL.exe neu heruntergeladen? Hast Du die alte OTL noch, mit der das erste Log erstellt wurde?

Ich mach mal den Fix basierend auf das erste Log:

Beende alle Programme, starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!)

Hinweis: Falls Du Deinen Benutzernamen unkenntlich gemacht hast, musst Du das Ausgesternte in Deinen richtigen Benutzernamen wieder verwandeln, sonst funktioniert das Script nicht!!

Code:

:OTL

[2010.10.23 15:38:24 | 000,000,282 | -H-- | M] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

[2010.10.23 15:37:14 | 000,764,416 | ---- | M] () -- C:\Windows\System32\drivers\oxwdeebg.sys

[2010.10.23 15:31:05 | 000,000,282 | -H-- | M] () -- C:\Windows\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

:Commands

[purity]

[resethosts]

[emptytemp]

Klick dann oben links auf den Button Fix!
Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet.

ok wird morgen alles erledigt ich weiss nicht was du genau vermisst aber vllt haengt das damit zusammen dass ich bei ausgabe minimal ausgabe angekreuzt hab^^

ok schaff es heute und die naechsten tage wahrscheinlich auch nicht aber ende der woche sicherlich!!

Ist ok, lass Dir Zeit.

ok tut mir leid hat alles etwas gedauert aber habe soeben diesen fix durchgefuehrt.. mein pc ist nach 3-4 sekunden abgestuerzt es erschien ein blauer bildschirm der mir sagte um weiteren schaden zu verhindern wird der pc jez neu gestartet.. so in etwa

soll ichs nochmal probieren ?? und nachm neustart meldet sich mein spybot - destroy und search die ganze zeit zu wort.. iwelche registrierungsdatenbank-eintraege wurden gaendert oder so.. soll ichs verweigern oder erlauben?? hoffe du bringst meinen pc wieder auf vordermann^^

Zitat:

iwelche registrierungsdatenbank-eintraege wurden gaendert oder so.. soll ichs verweigern oder erlauben??

Liegt an diesem dämlichen Teatimer von Spybot. Deinstallier das, denn offensichtlich bist du damit überfordert oder willst du jeden Tag nachfragen wenn der Teatimer sich wg irgendeinem Registrywert sich meldet? :D

Versuch den Fix mit OTL bitte nochmal. OTL vorher per Rechtsklick als Admin ausführen.

ok gut danke

habs jez als admin ausgefuehrt.. same problem..

Versuchs mal mit diesem OTL-Script:

Zitat:

:OTL
[2010.10.23 15:38:24 | 000,000,282 | -H-- | M] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010.10.23 15:37:14 | 000,764,416 | ---- | M] () -- C:\Windows\System32\drivers\oxwdeebg.sys
[2010.10.23 15:31:05 | 000,000,282 | -H-- | M] () -- C:\Windows\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
:Commands
[emptytemp]

ok das klappt auch nicht.. bevor mein pc abstuerzt steht beim otl fenster unten links immer killing process.. oder so

Dann bitte jetzt CF ausführen, lassen wir den OTL fix mal weg.

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.

http://saved.im/mtm0nzyzmzd5/cofi.jpg

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.

Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

der hinweis hoert sich aber nicht sehr toll an xD auch wenn ich alles richtig ausfuehre kann es trotzdem zu ernsthaften schaeden an meinem pc kommen?^^

Zitat:

richtig ausfuehre kann es trotzdem zu ernsthaften schaeden an meinem pc kommen?^^

Ist minimal das Risiko ;)

ok benutze im mom chrome kann den combofix dateinamen daher beim downloaden nicht umaendern und noch ne frage wenn ich ccleaner ausfuehre was wird alles geloescht? gespeicherte pws? lesezeichen? history?

Rechtsklick auf den Link => Ziel speichern unter
Notfalls anderen Browser (IE, Firefox) nehmen

muss ich denn meinen verlauf im ie unbedingt loeschen??^^

Nein, Verlauf etc. kannst du behalten. Aber die temp. Dateien solltest du löschen.

hmm ok ccleaner hab ich jez laufen lassen es sind aber zwischendurch virenmeldungen von meinem antivir erschienen Oo ich mach jez mal mit cofi weiter

oh gott so langsam schwindet meine zuversicht ^^ hier das naechste prob ich lad nen screenshot hoch http://img571.imageshack.us/img571/4651/unbenanntwq.png

achja habs auch als admin ausfuehren lassen!!

Hast du an den IE-Settings geschraubt? Diese Meldung ist mir bei CF neu.
Stell mal bitte alles im IE in den Internetoptionen auf Standard zurück, alternativ mal auf den Link in der Meldung anklicken und den Anweisungen folgen. ("Warum können die Dateien nicht geöffnet werden?")

oje oje klappt alles nicht ich kopier dir mal nen auszug aus dem text der erscheint wenn ich auf "warum koennen .."

Warum kann ich keine Dateien aus dem Internet öffnen oder kopieren?

Dies ist vermutlich darauf zurückzuführen, dass die Website, von der die Datei stammt, von Windows als potenziell gefährlich eingestuft wird. Von Windows wird anhand von Sicherheitszonen bestimmt, ob eine Website vertrauenswürdig ist. Weitere Informationen zu Vertrauenswürdigkeit und Internet finden Sie unter Wann kann ich einer Website vertrauen.

Von Windows werden alle Websites einer von vier verschiedenen Sicherheitszonen zugewiesen: Internet, Lokales Intranet, Vertrauenswürdige Sites und Eingeschränkte Sites. Die Sicherheitseinstellungen für eine Website werden anhand der Zone festgelegt, der die Website zugewiesen ist.

-.-

diese meldungen sind aber erst erschienen als mein pc infiziert wurde!! bzw als ich versucht habe es zu desinfizieren^^

Wie gesagt, setz mal alle IE-Einstellungen auf Standard zurück.

Erstell dir doch mal über die Systemsteuerung mal einen neuen Benutzer mit Adminrechten.
Log dich aus und mit dem neuen Benutzer ein. Probier den Lauf mit CF dann nochmal.

ok problem ist jez das cofi mir anzeigt das ich noch nen programm im background laufen lasse obwohl ich das programm gestern schon geloescht habe!! was tun?? es handelt sich um spybot, das wobei du mir geraten hast es zu deinstallieren

http://img600.imageshack.us/img600/8429/unbenanntks.png

Wenn es deinstalliert ist, kannst du die meldung ignorieren und einfach weitermachen

ok auf deine verantwortung ^^

habs geschafft hier ist das logfile

Combofix Logfile:

Code:

ComboFix 10-12-06.04 - renshen 07.12.2010  20:39:56.1.4 - x86

Microsoft Windows 7 Home Premium   6.1.7600.0.1252.49.1031.18.3255.1894 [GMT 1:00]

ausgeführt von:: c:\users\renshen\Desktop\cofi.exe

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

.
 

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\jdsfjsdijf.exe

c:\jdsfjsdijf.exe\config.bin

C:\ONWERETExx.exe

c:\onweretexx.exe\config.bin

c:\onweretexx.exe\ONWERETExx.exe

c:\program files\\setup.exe

c:\program files\Setup.exe

c:\users\Nhan\AppData\Roaming\install
 

.

(((((((((((((((((((((((   Dateien erstellt von 2010-11-07 bis 2010-12-07  ))))))))))))))))))))))))))))))

.
 

2010-12-07 19:45 . 2010-12-07 19:45        --------        d-----w-        c:\users\Nhan\AppData\Local\temp

2010-12-07 19:45 . 2010-12-07 19:45        --------        d-----w-        c:\users\Default\AppData\Local\temp

2010-12-07 19:45 . 2010-12-07 19:45        --------        d-----w-        c:\users\Cao\AppData\Local\temp

2010-12-04 09:07 . 2010-12-04 09:08        --------        d-----w-        c:\users\renshen

2010-12-02 15:04 . 2010-12-02 15:04        --------        d-----w-        c:\program files\CCleaner

2010-11-28 19:48 . 2010-11-28 19:48        --------        d-----r-        c:\users\Nhan\AppData\Roaming\Brother

2010-11-22 20:43 . 2010-11-22 20:43        --------        d-----w-        c:\windows\Sun
 

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 14:06 . 2010-08-27 16:24        61960        ----a-w-        c:\windows\system32\drivers\avgntflt.sys

2010-11-29 14:06 . 2010-08-27 16:24        126856        ----a-w-        c:\windows\system32\drivers\avipbb.sys

2010-10-23 20:10 . 2010-10-23 20:10        388096        ----a-r-        c:\users\Nhan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-10-23 12:42 . 2010-10-23 12:42        173        ----a-w-        c:\users\Nhan\AppData\Roaming\20193.bat

2010-02-02 19:18 . 2010-02-02 19:18        10182144        ----a-w-        c:\program files\openofficeorg32.msi

2006-05-03 09:06        163328        --sh--r-        c:\windows\System32\flvDX.dll

2007-02-21 10:47        31232        --sh--r-        c:\windows\System32\msfDX.dll

2008-03-16 12:30        216064        --sh--r-        c:\windows\System32\nbDX.dll

.
 

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2009-12-14 200704]

"LMgrVolOSD"="c:\program files\Launch Manager\OSD.exe" [2009-12-11 348960]

"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2010-01-13 413696]

"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-11-02 103720]

"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-01-12 8423968]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RtHDVBg.exe" [2010-01-12 678432]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-24 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-24 175640]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-24 166936]

"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-14 14817896]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2010-04-06 2069840]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-08-19 86016]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-29 281768]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
 

c:\users\Nhan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-5-3 110592]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\nvinit.dll
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsMain]

@="Service"
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner]

@="Service"
 

R3 BgRaSvc;BgRaSvc;c:\program files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe [2010-03-03 120144]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-07-30 171520]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

S1 AFW;Agnitum Firewall Driver;c:\windows\system32\DRIVERS\afw.sys [2009-12-04 29208]

S1 BdSpy;BdSpy;c:\windows\system32\DRIVERS\BdSpy.sys [2010-03-12 55888]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-29 135336]

S2 BsBrowser;BullGuard antiphishing service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsFileScan;BullGuard on-access service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsFire;BullGuard firewall service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsMain;BullGuard main service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsUpdate;BullGuard update service;c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2010-09-22 355720]

S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-02-03 1155072]

S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]

S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2010-01-03 246520]

S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-12-10 2320920]

S3 afwcore;afwcore;c:\windows\system32\DRIVERS\afwcore.sys [2009-12-04 318488]

S3 BsScanner;BullGuard scanning service;c:\program files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [2010-03-03 297808]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]

S3 IntcDAud;Intel(R) Display-Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 209920]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2009-11-13 58368]

S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-12-16 991776]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2009-10-22 118560]
 
 

--- Andere Dienste/Treiber im Speicher ---
 

*Deregistered* - oxwdeebg
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

BullGuard_Main        REG_MULTI_SZ           BsMain

BullGuard        REG_MULTI_SZ           BsFileScan BsMailProxy BsFire

BullGuard_LowPriv        REG_MULTI_SZ           BsBrowser

iissvcs        REG_MULTI_SZ           w3svc was

apphost        REG_MULTI_SZ           apphostsvc

.

Inhalt des "geplante Tasks" Ordners
 

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1539451478-733840103-1462338374-1000Core.job

- c:\users\Nhan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-22 17:08]
 

2010-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1539451478-733840103-1462338374-1000UA.job

- c:\users\Nhan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-22 17:08]
 

2010-12-07 c:\windows\Tasks\RegistryBooster.job

- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-10-24 11:18]

.

.

------- Zusätzlicher Suchlauf -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: {{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4

LSP: c:\windows\system32\BGLsp.dll

FF - ProfilePath - c:\users\renshen\AppData\Roaming\Mozilla\Firefox\Profiles\qmb644nl.default\

FF - component: c:\program files\BullGuard Ltd\BullGuard\Antiphishing\FF\antiphishing@bullguard\components\BGFFComponent.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: BullGuard Antiphishing Toolbar: antiphishing@bullguard - c:\program files\BullGuard Ltd\BullGuard\Antiphishing\FF\antiphishing@bullguard

.

- - - - Entfernte verwaiste Registrierungseinträge - - - -
 

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

AddRemove-_{ADDBE07D-95B8-4789-9C76-187FFF9624B4} - c:\program files\Corel\CorelDRAW Essential Edition 3\Programs\MSILauncher {ADDBE07D-95B8-4789-9C76-187FFF9624B4}
 
 
 

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\oxwdeebg]
 

.

--------------------- Gesperrte Registrierungsschluessel ---------------------
 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001
 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"
 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"
 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"
 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Zeit der Fertigstellung: 2010-12-07  20:47:58

ComboFix-quarantined-files.txt  2010-12-07 19:47
 

Vor Suchlauf: 9 Verzeichnis(se), 316.963.495.936 Bytes frei

Nach Suchlauf: 14 Verzeichnis(se), 316.852.244.480 Bytes frei
 

- - End Of File - - 14CFDDD5ECC46CB6F0299485E69FD8EE

--- --- ---

Combofix - Scripten

1. Starte das Notepad (Start / Ausführen / notepad[Enter])

2. Jetzt füge mit copy/paste den ganzen Inhalt der untenstehenden Codebox in das Notepad Fenster ein.

Code:

File::

c:\users\Nhan\AppData\Roaming\20193.bat
 

Registry::

[-HKEY_LOCAL_MACHINE\system\ControlSet001\services\oxwdeebg]

3. Speichere im Notepad als CFScript.txt auf dem Desktop.

4. Deaktivere den Guard Deines Antivirenprogramms und eine eventuell vorhandene Software Firewall.
(Auch Guards von Ad-, Spyware Programmen und den Tea Timer (wenn vorhanden) !)

5. Dann ziehe die CFScript.txt auf die cofi.exe, so wie es im unteren Bild zu sehen ist. Damit wird Combofix neu gestartet.

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

6. Nach dem Neustart (es wird gefragt ob Du neustarten willst), poste bitte die folgenden Log Dateien:
Combofix.txt

Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann!

also ich soll meine windows firewall deaktivieren??

ja mach mal vorübergehend

ok.. hier..

Combofix Logfile:

Code:

ComboFix 10-12-07.06 - renshen 08.12.2010  23:38:39.2.4 - x86

Microsoft Windows 7 Home Premium   6.1.7600.0.1252.49.1031.18.3255.1979 [GMT 1:00]

ausgeführt von:: c:\users\renshen\Desktop\cofi.exe

Benutzte Befehlsschalter :: c:\users\renshen\Desktop\CFScript.txt

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
 

FILE ::

"c:\users\Nhan\AppData\Roaming\20193.bat"

.
 

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.
 

c:\users\Nhan\AppData\Roaming\20193.bat
 

.

(((((((((((((((((((((((   Dateien erstellt von 2010-11-08 bis 2010-12-08  ))))))))))))))))))))))))))))))

.
 

2010-12-08 22:43 . 2010-12-08 22:43        --------        d-----w-        c:\users\Nhan\AppData\Local\temp

2010-12-08 22:43 . 2010-12-08 22:43        --------        d-----w-        c:\users\Default\AppData\Local\temp

2010-12-08 22:43 . 2010-12-08 22:43        --------        d-----w-        c:\users\Cao\AppData\Local\temp

2010-12-07 19:02 . 2010-12-07 19:02        --------        d-----w-        c:\program files\Microsoft Visual Studio 8

2010-12-07 18:59 . 2010-12-07 18:59        --------        d-----w-        c:\windows\system32\BestPractices

2010-12-07 18:59 . 2010-12-07 18:59        --------        d-----w-        C:\inetpub

2010-12-04 09:07 . 2010-12-04 09:08        --------        d-----w-        c:\users\renshen

2010-12-02 15:04 . 2010-12-02 15:04        --------        d-----w-        c:\program files\CCleaner

2010-11-28 19:48 . 2010-11-28 19:48        --------        d-----r-        c:\users\Nhan\AppData\Roaming\Brother

2010-11-22 20:43 . 2010-11-22 20:43        --------        d-----w-        c:\windows\Sun
 

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 14:06 . 2010-08-27 16:24        61960        ----a-w-        c:\windows\system32\drivers\avgntflt.sys

2010-11-29 14:06 . 2010-08-27 16:24        126856        ----a-w-        c:\windows\system32\drivers\avipbb.sys

2010-10-23 20:10 . 2010-10-23 20:10        388096        ----a-r-        c:\users\Nhan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-02-02 19:18 . 2010-02-02 19:18        10182144        ----a-w-        c:\program files\openofficeorg32.msi

2006-05-03 09:06        163328        --sh--r-        c:\windows\System32\flvDX.dll

2007-02-21 10:47        31232        --sh--r-        c:\windows\System32\msfDX.dll

2008-03-16 12:30        216064        --sh--r-        c:\windows\System32\nbDX.dll

.
 

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2009-12-14 200704]

"LMgrVolOSD"="c:\program files\Launch Manager\OSD.exe" [2009-12-11 348960]

"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2010-01-13 413696]

"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-11-02 103720]

"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-01-12 8423968]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RtHDVBg.exe" [2010-01-12 678432]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-24 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-24 175640]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-24 166936]

"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-14 14817896]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2010-04-06 2069840]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-08-19 86016]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-29 281768]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
 

c:\users\Nhan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
 

c:\users\renshen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-5-3 110592]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\nvinit.dll
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsMain]

@="Service"
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner]

@="Service"
 

R3 BgRaSvc;BgRaSvc;c:\program files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe [2010-03-03 120144]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-07-30 171520]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

S1 AFW;Agnitum Firewall Driver;c:\windows\system32\DRIVERS\afw.sys [2009-12-04 29208]

S1 BdSpy;BdSpy;c:\windows\system32\DRIVERS\BdSpy.sys [2010-03-12 55888]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-29 135336]

S2 BsBrowser;BullGuard antiphishing service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsFileScan;BullGuard on-access service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsFire;BullGuard firewall service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsMain;BullGuard main service;c:\windows\System32\SvcHost.exe [2009-07-14 20992]

S2 BsUpdate;BullGuard update service;c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2010-09-22 355720]

S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-02-03 1155072]

S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]

S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2010-01-03 246520]

S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-12-10 2320920]

S3 afwcore;afwcore;c:\windows\system32\DRIVERS\afwcore.sys [2009-12-04 318488]

S3 BsScanner;BullGuard scanning service;c:\program files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [2010-03-03 297808]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]

S3 IntcDAud;Intel(R) Display-Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 209920]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2009-11-13 58368]

S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-12-16 991776]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2009-10-22 118560]
 
 

--- Andere Dienste/Treiber im Speicher ---
 

*Deregistered* - oxwdeebg
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

BullGuard_Main        REG_MULTI_SZ           BsMain

BullGuard        REG_MULTI_SZ           BsFileScan BsMailProxy BsFire

BullGuard_LowPriv        REG_MULTI_SZ           BsBrowser

iissvcs        REG_MULTI_SZ           w3svc was

apphost        REG_MULTI_SZ           apphostsvc

.

Inhalt des "geplante Tasks" Ordners
 

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1539451478-733840103-1462338374-1000Core.job

- c:\users\Nhan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-22 17:08]
 

2010-12-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1539451478-733840103-1462338374-1000UA.job

- c:\users\Nhan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-22 17:08]
 

2010-12-08 c:\windows\Tasks\RegistryBooster.job

- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-10-24 11:18]

.

.

------- Zusätzlicher Suchlauf -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: {{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4

LSP: c:\windows\system32\BGLsp.dll

FF - ProfilePath - c:\users\renshen\AppData\Roaming\Mozilla\Firefox\Profiles\qmb644nl.default\

FF - component: c:\program files\BullGuard Ltd\BullGuard\Antiphishing\FF\antiphishing@bullguard\components\BGFFComponent.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: BullGuard Antiphishing Toolbar: antiphishing@bullguard - c:\program files\BullGuard Ltd\BullGuard\Antiphishing\FF\antiphishing@bullguard

.
 

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\oxwdeebg]
 

.

--------------------- Gesperrte Registrierungsschluessel ---------------------
 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001
 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"
 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"
 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"
 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Zeit der Fertigstellung: 2010-12-08  23:44:47

ComboFix-quarantined-files.txt  2010-12-08 22:44

ComboFix2.txt  2010-12-07 19:47
 

Vor Suchlauf: 13 Verzeichnis(se), 314.907.357.184 Bytes frei

Nach Suchlauf: 14 Verzeichnis(se), 314.847.870.976 Bytes frei
 

- - End Of File - - 3204E88EF315AF04C44B8AD987E3F359

--- --- ---

achja ich hab keine neustart anfrage erhalten ne!!

Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten.
GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen.
Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst.

Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.

Doppelklick auf die MBRCheck.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Das Tool braucht nur eine Sekunde.
Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.

Poste mir bitte den Inhalt des .txt Dokumentes

ok muss ich iwas ausschalten oder die programme und die firewall einfach an lassen?

Folge einfach den Anleitungen :)

hab jez am ende des gmer scans die warnung erhalten dass iwelche rootkits gefunden wurden die mein system blablabla.. konnte aber nur auf ok und nicht auf ja ode nein klicken

hier ist jez das log

GMER Logfile:

Code:

GMER 1.0.15.15530 - hxxp://www.gmer.net

Rootkit scan 2010-12-11 11:48:00

Windows 6.1.7600  Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0

Running: f4tty8qp.exe; Driver: C:\Users\renshen\AppData\Local\Temp\pwkyikob.sys
 
 

---- Kernel code sections - GMER 1.0.15 ----
 

.text           ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                                                                   83048579 1 Byte  [06]

.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                            8306CF52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

?               System32\Drivers\oxwdeebg.sys                                                                                                     Ein an das System angeschlossenes Gerät funktioniert nicht. !

.text           peauth.sys                                                                                                                        AD950C9D 28 Bytes  CALL 214868C3 

.text           peauth.sys                                                                                                                        AD950CC1 28 Bytes  CALL 214868E7 
 

---- User code sections - GMER 1.0.15 ----
 

?               C:\Windows\System32\svchost.exe[4624]                                                                                             image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll

?               C:\Windows\System32\svchost.exe[4820]                                                                                             image checksum mismatch; time/date stamp mismatch; 
 

---- Kernel IAT/EAT - GMER 1.0.15 ----
 

IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter]                                                                [9170D0C2] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]                                                               [9170D0C2] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]                                                                [9170D0C2] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
 

---- User IAT/EAT - GMER 1.0.15 ----
 

IAT             C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2536] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]   [758F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

IAT             C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2536] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]     [758F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

IAT             C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2536] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]    [758F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

IAT             C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2536] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [758F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

IAT             C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2536] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]   [758F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs]                               017AC7E9

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit]                                        11E3E800

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter]                                  8A0F0000

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit]                                         00004019

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm]                                    F766E828

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit]                                   8AB7AFC7

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr]                             8056FF46

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy]                                       39F5A5FC

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp]                                   66D830CC

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common]                      737FC2F7

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ]                            60FFC683

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type]                               E2BA0F66

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode]                                   EC839C07

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode]                                 90870FD8

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit]                                       04000040

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc]                                 17B8E91C

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle]                                04890000

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook]                       7C896024

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress]                             0EE91C24

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError]                               6600000C

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary]                                2FF1A30F

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange]                 000338E8

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExA]                             CDE9B800

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange]                        600000A7

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep]                                      00102BE8

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter]                B28C0F00

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA]                           52000017

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter]                    60005DDC

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount]                               24648D9C

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime]                    03DEE928

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter]                   4CE80000

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx]                           9C00000E

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW]                             88242488

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx]                             44892404

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW]                                   081CE824

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegCloseKey]                                9D302474

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegOpenKeyExW]                              08247C88

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation]                         3424648D

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW]                                  0003B3E9

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW]                                   40AFE800

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW]                               60600000

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegQueryValueExW]                           0000F2E8

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx]                              38148B00

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW]                              000A74E9

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW]                  ED839C00

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW]                            40A4E902

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess]                                BC0F0000

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode]               F0C02FC4

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegDisablePredefinedCacheEx]                00458B06

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap]                             044D8A8B

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode]                               11B2E8F9

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObjectEx]              6BE80000

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree]                                  9C000002

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree]                                   0012A6E9

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte]                        90C2F700

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap]                               00156CE8

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid]                          00000000

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid]                            0F4BE900

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid]                              9C980001

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid]                                    C3B60F66

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid]                       E904458B

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection]                  0000089F

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical]                       24448F9C

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader]                              F3E99C28

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter]                   E9000000

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventWrite]                                 00000999

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventEnabled]                               BDC3E9CB

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventRegister]                              648D0001

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap]                                   8E0F2424

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize]                    8DC42404

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status]                          E9302464

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf]                        000002E8

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen]                      68C33166

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening]                   143C84A8

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx]                      FF02ED83

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf]                          66042474

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW]                       C6004589

IAT             C:\Windows\System32\svchost.exe[4624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen]                              66772404

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs]                               51EC8B55

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit]                                        1845DB51

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter]                                  F855DD56

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit]                                         E8084DDC

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm]                                    000004D2

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit]                                   FF184589

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr]                             40515C15

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy]                                       F845DD00

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp]                                   8B104DDC

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common]                      1865DAF0

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ]                            0004B9E8

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type]                               8BC88B00

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode]                                   F74199C6

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode]                                 C28B5EF9

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit]                                       C9184503

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc]                                 40515C15

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle]                                244C8B00

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook]                       748D9908

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress]                             FEF70109

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError]                               2BC28B5E

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary]                                244403C1

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange]                 15FFC308

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExA]                             [0040515C] C:\Windows\System32\svchost.exe (Hostprozess für Windows-Dienste/Microsoft Corporation)

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange]                        04244C8B

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep]                                      F9F74199

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter]                FFC3C28B

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA]                           40515C15

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter]                    646A9900

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount]                               33F9F759

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime]                    24543BC0

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter]                   C09C0F04

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx]                           EC8B55C3

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW]                             0204EC81

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx]                             68560000

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW]                                   515415FF

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegCloseKey]                                00FFB8F0

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegOpenKeyExW]                              8D500000

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation]                         FFFEFC8D

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW]                                  C93351FF

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW]                                   558D5151

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW]                               8D5052FC

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegQueryValueExW]                           FFFDFC85

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx]                              FF5150FF

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW]                              40504415

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW]                  56216A00

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW]                            FFFC75FF

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess]                                40515815

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode]               0CC48300

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegDisablePredefinedCacheEx]                C01BD8F7

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap]                             EC8B55C3

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode]                               458B5151

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObjectEx]              33565308

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree]                                  57C88BF6

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree]                                   33FC7589

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte]                        01518DFF

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap]                               802974CA

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid]                          7420063C

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid]                            [75FF850A] C:\Windows\system32\iertutil.dll (Run time utility for Internet Explorer/Microsoft Corporation)

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid]                              45FF470C

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid]                                    8506EBFC

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid]                       330274FF

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection]                  46C88BFF

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical]                       8A01518D

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader]                              DB844119

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter]                   CA2BF975

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventWrite]                                 D772F13B

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventEnabled]                               5FFC458B

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventRegister]                              C3C95B5E

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap]                                   83EC8B55

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize]                    FF0A7500

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status]                          45C7F845

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf]                        000001FC

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen]                      0C4D8B00

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening]                   F84D3941

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx]                      016A3275

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf]                          15FF5750

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW]                       [00405150] C:\Windows\System32\svchost.exe (Hostprozess für Windows-Dienste/Microsoft Corporation)

IAT             C:\Windows\System32\svchost.exe[4820] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen]                              EB0CC483
 

---- Devices - GMER 1.0.15 ----
 

Device          \FileSystem\Ntfs \Ntfs                                                                                                            88BCAA98
 

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                                                           Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                                                           Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
 

Device          \Driver\ACPI_HAL \Device\00000048                                                                                                 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
 

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                                            fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                                            fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                                            fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                                                            fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
 

Device          \Driver\nsiproxy \Device\Nsi                                                                                                      afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
 

---- Services - GMER 1.0.15 ----
 

Service          (*** hidden *** )                                                                                                                [BOOT] oxwdeebg                                                                                                                                       <-- ROOTKIT !!!
 

---- Registry - GMER 1.0.15 ----
 

Reg             HKLM\SYSTEM\CurrentControlSet\services\oxwdeebg@orjezo                                                                            -766984395

Reg             HKLM\SYSTEM\CurrentControlSet\services\oxwdeebg@Type                                                                              1

Reg             HKLM\SYSTEM\CurrentControlSet\services\oxwdeebg@Start                                                                             0

Reg             HKLM\SYSTEM\CurrentControlSet\services\oxwdeebg@ErrorControl                                                                      0

Reg             HKLM\SYSTEM\CurrentControlSet\services\oxwdeebg@Group                                                                             Boot Bus Extender

Reg             HKLM\SYSTEM\ControlSet002\services\oxwdeebg@orjezo                                                                                -766984395

Reg             HKLM\SYSTEM\ControlSet002\services\oxwdeebg@Type                                                                                  1

Reg             HKLM\SYSTEM\ControlSet002\services\oxwdeebg@Start                                                                                 0

Reg             HKLM\SYSTEM\ControlSet002\services\oxwdeebg@ErrorControl                                                                          0

Reg             HKLM\SYSTEM\ControlSet002\services\oxwdeebg@Group                                                                                 Boot Bus Extender
 

---- EOF - GMER 1.0.15 ----

--- --- ---

beim osam scan erscheint nach dem abfragen der online datenbank diese meldung

http://img403.imageshack.us/img403/6...benanntgqa.png

was soll ich tun

Klick bitte auf Skip

ok

OSAM Logfile:

Code:

Report of OSAM: Autorun Manager v5.0.11926.0

hxxp://www.online-solutions.ru/en/

Saved at 16:39:58 on 11.12.2010
 

OS: Windows 7 Home Premium Edition (Build 7600), 32-bit

Default Browser: Mozilla Corporation Firefox 3.6.13
 

Scanner Settings

[x] Rootkits detection (hidden registry)

[x] Rootkits detection (hidden files)

[x] Retrieve files information

[x] Check Microsoft signatures
 

Filters

[ ] Trusted entries

[ ] Empty entries

[x] Hidden registry entries (rootkit activity)

[x] Exclusively opened files

[x] Not found files

[x] Files without detailed information

[x] Existing files

[ ] Non-startable services

[ ] Non-startable drivers

[x] Active entries

[x] Disabled entries
 
 

[Common]

-----( %SystemRoot%\Tasks )-----

"GoogleUpdateTaskUserS-1-5-21-1539451478-733840103-1462338374-1000Core.job" - "Google Inc." - C:\Users\Nhan\AppData\Local\Google\Update\GoogleUpdate.exe

"GoogleUpdateTaskUserS-1-5-21-1539451478-733840103-1462338374-1000UA.job" - "Google Inc." - C:\Users\Nhan\AppData\Local\Google\Update\GoogleUpdate.exe

"RegistryBooster.job" - "Uniblue Systems Limited" - C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
 

[Control Panel Objects]

-----( %SystemRoot%\system32 )-----

"DivXControlPanelApplet.cpl" - "DivX, Inc." - C:\Windows\system32\DivXControlPanelApplet.cpl

"ISUSPM.cpl" - "Macrovision Corporation" - C:\Windows\system32\ISUSPM.cpl

"nvcpl.cpl" - "NVIDIA Corporation" - C:\Windows\system32\nvcpl.cpl

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----

"mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\MLCFG32.CPL

"Nero BurnRights" - "Nero AG" - C:\Program Files\Nero\Nero8\Nero Toolkit\NeroBurnRights.cpl

"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl
 

[Drivers]

-----( HKLM\SYSTEM\CurrentControlSet\Services )-----

"afwcore" (afwcore) - "Agnitum Ltd." - C:\Windows\System32\DRIVERS\afwcore.sys

"Agnitum Firewall Driver" (AFW) - "Agnitum Ltd." - C:\Windows\System32\DRIVERS\afw.sys

"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys

"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys

"BdSpy" (BdSpy) - "BullGuard Ltd." - C:\Windows\System32\DRIVERS\BdSpy.sys

"catchme" (catchme) - ? - C:\Users\renshen\AppData\Local\Temp\catchme.sys  (File not found)

"esgiguard" (esgiguard) - ? - C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys  (File not found)

"oxwdeebg" (oxwdeebg) - ? - C:\Windows\system32\drivers\oxwdeebg.sys  (Hidden registry entry, rootkit activity | File not found)

"Profos" (Profos) - "BitDefender S.R.L." - C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys

"Realtek IR Driver" (RtsUIR) - ? - C:\Windows\System32\DRIVERS\Rts516xIR.sys  (File not found)

"Realtek Smartcard Reader Driver" (USBCCID) - ? - C:\Windows\System32\DRIVERS\RtsUCcid.sys  (File not found)

"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
 

[Explorer]

-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----

{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll

{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll

-----( HKLM\Software\Classes\Protocols\Filter )-----

{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

-----( HKLM\Software\Classes\Protocols\Handler )-----

{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

{828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL

{88FED34C-F0CA-4636-A375-3CB6248B04CD} "Local Groove Web Services Protocol" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GRA32A~1.DLL

{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll

{828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL

{6318E0AB-2E93-11D1-B8ED-00608CC9A71F} "VoilaXctl Class" - "Belarc, Inc." - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll

{03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----

{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? -   (File not found | COM-object registry key not found)

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----

{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll

{9458E603-FF43-4134-9036-04B4C71791E3} "BackupCopyHook Class" - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\BackupShellHook.dll

{1F25C6E4-E60D-421A-863F-D0C76F6AB211} "BullGuard Online-Laufwerk" - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\BackupShellNamespace.dll

{D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\VISSHE.DLL

{0563DB41-F538-4B37-A92D-4659049B7766} "CLSID_WLMCMimeFilter" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll

 "CorelDRAW Shell Extension Component" - ? -   (File not found | COM-object registry key not found)

{A70C977A-BF00-412C-90B7-034C51DA2439} "DesktopContext Class" - "NVIDIA Corporation" - C:\Windows\system32\nvcpl.dll

{E81FFB23-40E2-431C-A041-76AEA0E4B04C} "Enterprise-Projekte" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\NAMEEXT.DLL

{99FD978C-D287-4F50-827F-B2C658EDA8E7} "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} "Groove Explorer Icon Overlay 2 (GFS Stub)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{920E6DB1-9907-4370-B3A0-BAFC03D81399} "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{16F3DD56-1AF5-4347-846D-7C10C4192619} "Groove Explorer Icon Overlay 3 (GFS Folder)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} "Groove Folder Synchronization" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{6C467336-8281-4E60-8204-430CED96822D} "Groove GFS Context Menu Handler" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{A449600E-1DC6-4232-B948-9BD794D62056} "Groove GFS Stub Icon Handler" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{387E725D-DC16-4D76-B310-2C93ED4752A0} "Groove XML Icon Handler" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\VISSHE.DLL

{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Program Files\iTunes\iTunesMiniPlayer.dll

{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll

{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll

{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL

{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL

{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll

{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll

{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll

{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll

{A929C4CE-FD36-4270-B4F5-34ECAC5BD63C} "NvAppShExt Class" - "NVIDIA Corporation" - C:\Windows\system32\Nv3DAppShExt.dll

{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} "NVIDIA CPL Context Menu Extension" - "NVIDIA Corporation" - C:\Windows\system32\nvshext.dll

{FFB699E0-306A-11d3-8BD1-00104B6F7516} "NVIDIA CPL Extension" - "NVIDIA Corporation" - C:\Windows\system32\nvcpl.dll

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll

{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll

{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll

{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll

{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL

{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll

{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe

{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe

{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

{00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

{00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

{00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe

{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo Gallery Viewer Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

{06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe
 

[Internet Explorer]

-----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----

"eBay - Der weltweite Online-Marktplatz" - ? - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4  (HTTP value)

-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----

<binary data> "&Windows Live Toolbar" - "Microsoft Corporation" - C:\Program Files\Windows Live\Toolbar\wltcore.dll

ITBar7Height "ITBar7Height" - ? -   (File not found | COM-object registry key not found)

<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)

<binary data> "ITBarLayout" - ? -   (File not found | COM-object registry key not found)

-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----

{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----

{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

{27FD17FB-CF63-486b-B2BE-8D8781CBEA01} "BullGuard" - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIE.dll

"eBay - Der weltweite Online-Marktplatz" - ? - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4  (HTTP value)

"ICQ7" - "ICQ, LLC." - C:\Program Files\ICQ7.0\ICQ.exe

{5F7B1267-94A9-47F5-98DB-E99415F33AEC} "In Blog veröffentlichen" - "Microsoft Corporation" - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----

<binary data> "&Windows Live Toolbar" - "Microsoft Corporation" - C:\Program Files\Windows Live\Toolbar\wltcore.dll

{855F3B16-6D32-4FE6-8A56-BBB695989046} "ICQToolBar" - "ICQ" - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll

<binary data> "Yahoo! Toolbar" - "Yahoo! Inc." - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----

{02478D38-C3F9-4efb-9B51-7695ECA05670} "&Yahoo! Toolbar Helper" - "Yahoo! Inc." - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

{FC872B94-35E3-4B94-B028-184A2A1C7CCE} "BGAntiphishingBHO Class" - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIEBHO.dll

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL

{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll

{6EBF7485-159F-4bff-A14F-B9E3AAC4465B} "Search Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} "SingleInstance Class" - "Yahoo! Inc" - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} "Windows Live Toolbar Helper" - "Microsoft Corporation" - C:\Program Files\Windows Live\Toolbar\wltcore.dll

{5C255C8A-E604-49b4-9D64-90988571CECB} "{5C255C8A-E604-49b4-9D64-90988571CECB}" - ? -   (File not found | COM-object registry key not found)
 

[Logon]

-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----

"OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE  (Shortcut exists | File exists)

"desktop.ini" - ? - C:\Users\renshen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----

"Adobe Gamma Loader.lnk" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe  (Shortcut exists | File exists)

"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----

"StartupPrograms" - ? - rdpclip  (File not found)

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----

"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

"BullGuard" - "BullGuard Ltd." - "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe" -boot

"ClamWin" - "alch" - "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

"CLMLServer" - "CyberLink" - "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

"DivXUpdate" - ? - "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

"GrooveMonitor" - "Microsoft Corporation" - "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

"HotkeyApp" - "Wistron" - "C:\Program Files\Launch Manager\HotkeyApp.exe"

"IAStorIcon" - "Intel Corporation" - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe

"iTunesHelper" - "Apple Inc." - "C:\Program Files\iTunes\iTunesHelper.exe"

"LMgrVolOSD" - "Wistron Corp." - "C:\Program Files\Launch Manager\OSD.exe"

"Malwarebytes Anti-Malware (reboot)" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

"NBKeyScan" - "Nero AG" - "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

"NvCplDaemon" - "NVIDIA Corporation" - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

"PDVD9LanguageShortcut" - "CyberLink Corp." - "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"

"QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime

"UCam_Menu" - "CyberLink Corp." - "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\3.0"

"Wbutton" - "Wistron Corp." - "C:\Program Files\Launch Manager\Wbutton.exe"
 

[Print Monitors]

-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----

"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\Windows\system32\mdimon.dll

"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll
 

[Services]

-----( HKLM\SYSTEM\CurrentControlSet\Services )-----

"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe

"BgRaSvc" (BgRaSvc) - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe

"BullGuard antiphishing service" (BsBrowser) - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\BsBrowser.dll

"BullGuard e-mail monitoring service" (BsMailProxy) - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\BsMailProxy\BsMailProxy.dll

"BullGuard firewall service" (BsFire) - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\BsFire.dll

"BullGuard main service" (BsMain) - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\BsMain.dll

"BullGuard on-access service" (BsFileScan) - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\BsFileScan.dll

"BullGuard scanning service" (BsScanner) - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe

"BullGuard update service" (BsUpdate) - "BullGuard Ltd." - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe

"Cyberlink RichVideo Service(CRVS)" (RichVideo) - ? - C:\Program Files\CyberLink\Shared files\RichVideo.exe

"Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe

"FABS - Helping agent for MAGIX media database" (Fabs) - "MAGIX AG" - C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe

"Firebird Server - MAGIX Instance" (FirebirdServerMAGIXInstance) - "MAGIX®" - C:\Program Files\Common Files\MAGIX Services\Database\bin\fbserver.exe

"ICQ Service" (ICQ Service) - ? - C:\Program Files\ICQ6Toolbar\ICQ Service.exe

"Intel(R) Management & Security Application User Notification Service" (UNS) - "Intel Corporation" - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

"Intel(R) Management and Security Application Local Management Service" (LMS) - "Intel Corporation" - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe

"Intel(R) Rapid Storage Technology" (IAStorDataMgrSvc) - "Intel Corporation" - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe

"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe

"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE

"Microsoft Office Groove Audit Service" (Microsoft Office Groove Audit Service) - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe

"Nero BackItUp Scheduler 3" (Nero BackItUp Scheduler 3) - "Nero AG" - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

"NMIndexingService" (NMIndexingService) - "Nero AG" - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

"NVIDIA Display Driver Service" (nvsvc) - "NVIDIA Corporation" - C:\Windows\system32\nvvsvc.exe

"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"PLFlash DeviceIoControl Service" (PLFlash DeviceIoControl Service) - "Prolific Technology Inc." - C:\Windows\system32\IoctlSvc.exe

"ProtexisLicensing" (ProtexisLicensing) - ? - C:\Windows\system32\PSIService.exe

"SeaPort" (SeaPort) - "Microsoft Corporation" - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

"WisLMSvc" (WisLMSvc) - "Wistron Corp." - C:\Program Files\Launch Manager\WisLMSvc.exe

"Yahoo! Updater" (YahooAUService) - "Yahoo! Inc." - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
 

[Winsock Providers]

-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----

"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll

-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries )-----

"BGLsp" - "BullGuard Ltd." - C:\Windows\system32\BGLsp.dll
 

===[ Logfile end ]=========================================[ Logfile end ]===

--- --- ---

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Zitat:

"oxwdeebg" (oxwdeebg) - ? - C:\Windows\system32\drivers\oxwdeebg.sys (Hidden registry entry, rootkit activity | File not found)

Bitte mit Hilfe der OSAM Anleitung deaktivieren und löschen.
Poste danach neue Logs von GMER und OSAM, denk auch an das Log von mbrcheck.

komisch nachdem ich alles nach anweisung gemacht habe ist osam nachm neustart nicht wieder automatisch gestartet hab daher auch keinen report den ich hier reinposten kann.. es ist naemlich auch ein fenster erschienen das glaub ihc nicht erscheinen sollte als ich ich auf apply geklickt habe
hier:
die meldung die ich meine sah so aehnlich aus wie diese aufm bild die mir erschienen ist als ich osam nach dem neustarten selbst gestartet hab
http://img585.imageshack.us/img585/8486/unbenannt1b.png

und das "oxwdeebg" dingsda ist immer noch bei den entries zufinden aber ohne haekchen

Bitte mal den Avenger anwenden:

1.) Lade Dir von hier Avenger:
Swandog46's Public Anti-Malware Tools (Download, linksseitig)

2.) Entpack das zip-Archiv, führe die Datei "avenger.exe" aus (unter Vista per Rechtsklick => als Administrator ausführen). Die Haken unten wie abgebildet setzen:

http://mitglied.lycos.de/efunction/tb123/avenger.png

3.) Kopiere Dir exakt die Zeilen aus dem folgenden Code-Feld:

Code:

Registry keys to delete:

HKLM\SYSTEM\CurrentControlSet\services\oxwdeebg

HKLM\SYSTEM\ControlSet002\services\oxwdeebg
 

Files to delete:

C:\Windows\system32\drivers\oxwdeebg.sys
 

Drivers to delete:

oxwdeebg

oxwdeebg.sys

4.) Geh in "The Avenger" nun oben auf "Load Script", dort auf "Paste from Clipboard".

5.) Der Code-Text hier aus meinem Beitrag müsste nun unter "Input Script here" in "The Avenger" zu sehen sein.

6.) Falls dem so ist, klick unten rechts auf "Execute". Bestätige die nächste Abfrage mit "Ja", die Frage zu "Reboot now" (Neustart des Systems) ebenso.

7.) Nach dem Neustart erhältst Du ein LogFile von Avenger eingeblendet. Kopiere dessen Inhalt und poste ihn hier.

8.) Die Datei c:\avenger\backup.zip bei File-Upload.net hochladen und hier verlinken

hab windows neu draufgepackt hoffe dat die probleme behoben worden sind!! und es niemehr welche gibt:)