Trojaner-Board - GEMA Trojaner / sbcvvhost

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - GEMA Trojaner / sbcvvhost_win86 (https://www.trojaner-board.de/106909-gema-trojaner-sbcvvhost_win86.html)

GEMA Trojaner / sbcvvhost_win86

Hallo,

ich habe auf einem PC das gleiche Problem, was auch von anderen schon beschrieben wurde. Der Rechner startet; nach dem Start ist der Taskmanager gesperrt und es ist nur ein Hinweis mit einer Zahlungsaufforderung an die Gema zu sehen.

Es handelt sich um ein Windows Vista 32 Bit System.

Viele Grüße
\Lars

:hallo:

Mein Name ist Daniel und ich werde dir mit deinem Malware Relevanten Problemen helfen.

Bevor wir uns an die Arbeit machen, möchte ich dich bitten, folgende Punkte vollständig und aufmerksam zu lesen.

Lies dir meine Anleitungen erst einmal durch. Sollte irgendetwas unklar sein, Frage bevor du beginnst.
Solltest du bei einem Schritt Probleme haben, stoppe dort und beschreib mir das Problem so gut du kannst. Manchmal erfordert ein Schritt den vorhergehenden
Sollte ich innerhalb der nächsten 3 Tage keine Antwort von dir erhalten, werde ich das Thema aus meinen Abonnements löschen.
Nur Scanns durchführen zu denen Du von einem Helfer aufgefordert wirst und Installiere / Deinstalliere keine Software ohne Aufforderung.
Poste die Logfiles direkt in deinen Thread und nicht als Anhang, ausser du wurdest dazu aufgefordert. Erschwert mir das Auswerten.

Vista und Win7 User
Alle Tools mit Rechtsklick "als Administrator ausführen" starten.

Downloade dir bitte Farbar's Recovery Scan Tool und speichere diese auf einen USB Stick.

Schließe den USB Stick an das infizierte System an

Du musst das System nun in die System Reparatur Option booten.

Über den Boot Manager

Starte den Rechner neu auf.
Während dem Hochfahren drücke mehrmals die F8 Taste
Wähle nun Computer reparieren.
Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Mit Windows CD/DVD

Lege die Windows CD in dein Laufwerk.
Starte den Rechner neu auf und starte von der CD
Wähle die Spracheinstellungen und klicke "Weiter".
Klicke auf Computerreparaturoptionen !!
Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Wähle in den Reparaturoptionen Eingabeaufforderung

Gib nun bitte notepad ein und drücke Enter.
Im öffnenden Textdokument --> Datei --> Speichern unter und wähle Computer
Hier wird dir der Laufwerksbuchstabe deines USB Sticks angezeigt.
Schließe Notepad wieder
Gib nun bitte folgenden Befehl ein.
e:\frst.exe
Hinweis: e steht für den Laufwerksbuchstaben deines USB Sticks. Gegebenfalls anpassen.
Akzeptiere den Disclaimer mit Yes und klicke Scan

Das Tool erstellt eine FRST.txt auf deinem USB Stick. Poste den Inhalt bitte hier.

Bitte poste in deiner nächsten Antwort
FRST.txt

Hallo Daniel,

der Reparaturmodus war nach dem Drücken von F8 nicht verfügbar, ich habe dann im abgesicherten Modus mit Eingabeaufforderung gearbeitet. Hier die Ausgabe des FRST Scans:

Code:

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.0

Ran by ***** at 2011-12-26 19:22:17

Running from E:\MBAM

  Service Pack 2 (X86) OS Language: German Standard 

Attention: Could not load system hive.FEHLER: Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
 

========================== Registry (Whitelisted) =============
 

HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]

HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]

HKLM\...\Winlogon: [Userinit]  [x]

HKLM\...\Winlogon: [Shell] 
 

================================ Services (Whitelisted) ==================
 
 

========================== Drivers (Whitelisted) =============
 
 

========================== NetSvcs (Whitelisted) ===========
 

============ One Month Created Files and Folders ==============
 

2011-12-26 19:22 - 2011-12-26 19:22 - 0000000 ____D C:\FRST

2011-12-26 13:44 - 2011-12-26 13:44 - 0000906 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Users\*****\AppData\Roaming\Malwarebytes

2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Users\All Users\Malwarebytes

2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\ProgramData\Malwarebytes

2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2011-12-26 13:44 - 2011-08-31 17:00 - 0022216 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2011-12-24 19:54 - 2011-12-26 19:21 - 0423370 ____A C:\Windows\ntbtlog.txt

2011-12-22 17:15 - 2011-12-22 17:15 - 0095744 ____A (Kassl GmbH) C:\Users\*****\AppData\Roaming\dwlGina3.dll

2011-12-22 17:10 - 2011-12-26 14:57 - 0000000 ____D C:\Users\*****\AppData\Roaming\Ifsur

2011-12-22 17:10 - 2011-12-22 17:11 - 0000000 ____D C:\Users\*****\AppData\Roaming\Akky

2011-12-22 17:10 - 2011-12-22 17:10 - 0327680 ____A (vKJZdfXv) C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe

2011-12-16 03:02 - 2011-11-04 00:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2011-12-16 03:02 - 2011-11-03 23:47 - 1798144 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2011-12-16 03:02 - 2011-11-03 23:46 - 9705472 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2011-12-16 03:02 - 2011-11-03 23:40 - 1427456 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2011-12-16 03:02 - 2011-11-03 23:40 - 1103360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2011-12-16 03:02 - 2011-11-03 23:39 - 1127424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2011-12-16 03:02 - 2011-11-03 23:38 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2011-12-16 03:02 - 2011-11-03 23:37 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2011-12-16 03:02 - 2011-11-03 23:34 - 0716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2011-12-16 03:02 - 2011-11-03 23:32 - 1792000 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2011-12-16 03:02 - 2011-11-03 23:32 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2011-12-16 03:02 - 2011-11-03 23:31 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2011-12-16 03:02 - 2011-11-03 23:28 - 0176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2011-12-15 13:05 - 2011-10-27 09:01 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2011-12-15 13:05 - 2011-10-27 09:01 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2011-12-15 13:05 - 2011-10-14 17:02 - 0429056 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll

2011-12-15 13:04 - 2011-11-23 14:37 - 2043904 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2011-12-15 13:04 - 2011-11-08 15:42 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

2011-12-15 13:04 - 2011-10-25 16:56 - 0049152 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll

2011-12-08 19:56 - 2011-12-08 19:56 - 0000000 ____D C:\Users\*****\Documents\Neuer Ordner
 

============ 3 Months Modified Files and Folders ===============
 

2011-12-26 19:21 - 2011-12-24 19:54 - 0423370 ____A C:\Windows\ntbtlog.txt

2011-12-26 15:06 - 2006-11-02 11:33 - 1445116 ____A C:\Windows\System32\PerfStringBackup.INI

2011-12-26 14:59 - 2006-11-02 12:18 - 0000000 ____D C:\Windows\IME

2011-12-26 14:57 - 2011-12-22 17:10 - 0000000 ____D C:\Users\*****\AppData\Roaming\Ifsur

2011-12-26 13:44 - 2011-12-26 13:44 - 0000906 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Users\*****\AppData\Roaming\Malwarebytes

2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Users\All Users\Malwarebytes

2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\ProgramData\Malwarebytes

2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2011-12-26 13:09 - 2006-11-02 13:52 - 1368360 ____A C:\Windows\WindowsUpdate.log

2011-12-24 19:46 - 2006-11-02 14:01 - 0032632 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2011-12-24 19:46 - 2006-11-02 14:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT

2011-12-24 19:46 - 2006-11-02 13:47 - 0004048 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2011-12-24 19:46 - 2006-11-02 13:47 - 0004048 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2011-12-24 19:42 - 2006-11-02 13:37 - 0000000 ___RD C:\Users\Public\Recorded TV

2011-12-24 19:40 - 2010-12-05 11:21 - 0001108 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2011-12-22 17:15 - 2011-12-22 17:15 - 0095744 ____A (Kassl GmbH) C:\Users\*****\AppData\Roaming\dwlGina3.dll

2011-12-22 17:12 - 2010-12-05 11:21 - 0001112 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2011-12-22 17:11 - 2011-12-22 17:10 - 0000000 ____D C:\Users\*****\AppData\Roaming\Akky

2011-12-22 17:10 - 2011-12-22 17:10 - 0327680 ____A (vKJZdfXv) C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe

2011-12-20 10:10 - 2010-10-13 09:11 - 0001887 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk

2011-12-18 11:17 - 2010-12-04 17:17 - 0014805 ____A C:\Users\*****\Documents\Hilfe f¸r die Tafeln.odt

2011-12-16 03:38 - 2006-11-02 12:18 - 0000000 ____D C:\Windows\rescache

2011-12-16 03:23 - 2006-11-02 13:47 - 0247328 ____A C:\Windows\System32\FNTCACHE.DAT

2011-12-16 03:03 - 2006-11-02 11:24 - 52988224 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2011-12-16 03:02 - 2006-11-02 12:18 - 0000000 ____D C:\Windows\System32\de-DE

2011-12-10 13:01 - 2008-09-10 09:46 - 0000000 ____D C:\Users\*****\AppData\Roaming\Canon

2011-12-08 19:56 - 2011-12-08 19:56 - 0000000 ____D C:\Users\*****\Documents\Neuer Ordner

2011-12-08 17:06 - 2008-08-14 19:53 - 0000000 ____D C:\Program Files\Mozilla Thunderbird

2011-11-30 17:16 - 2008-08-14 19:52 - 0000000 ____D C:\Program Files\Mozilla Firefox

2011-11-23 14:37 - 2011-12-15 13:04 - 2043904 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2011-11-13 11:43 - 2010-12-05 11:20 - 0000000 ____D C:\Program Files\Google

2011-11-10 03:01 - 2006-11-02 12:18 - 0000000 ____D C:\Program Files\Common Files\System

2011-11-08 15:42 - 2011-12-15 13:04 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

2011-11-04 00:02 - 2011-12-16 03:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2011-11-03 23:47 - 2011-12-16 03:02 - 1798144 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2011-11-03 23:46 - 2011-12-16 03:02 - 9705472 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2011-11-03 23:40 - 2011-12-16 03:02 - 1427456 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2011-11-03 23:40 - 2011-12-16 03:02 - 1103360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2011-11-03 23:39 - 2011-12-16 03:02 - 1127424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2011-11-03 23:38 - 2011-12-16 03:02 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2011-11-03 23:37 - 2011-12-16 03:02 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2011-11-03 23:34 - 2011-12-16 03:02 - 0716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2011-11-03 23:32 - 2011-12-16 03:02 - 1792000 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2011-11-03 23:32 - 2011-12-16 03:02 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2011-11-03 23:31 - 2011-12-16 03:02 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2011-11-03 23:28 - 2011-12-16 03:02 - 0176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2011-10-27 09:01 - 2011-12-15 13:05 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2011-10-27 09:01 - 2011-12-15 13:05 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2011-10-25 16:56 - 2011-12-15 13:04 - 0049152 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll

2011-10-24 09:53 - 2011-10-24 09:53 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2011-10-14 17:02 - 2011-12-15 13:05 - 0429056 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll

2011-10-14 02:43 - 2006-11-02 12:18 - 0000000 ____D C:\Windows\Microsoft.NET

2011-10-14 02:30 - 2009-03-29 15:26 - 0000000 ____D C:\Program Files\Microsoft Silverlight
 
 

========================= Known DLLs (Whitelisted) ============
 
 

========================= Bamital & volsnap Check ============
 

C:\Windows\explorer.exe => MD5 is legit
 

C:\Windows\System32\winlogon.exe => MD5 is legit
 

C:\Windows\System32\wininit.exe => MD5 is legit
 

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 

========================= Memory info ======================
 

Percentage of memory in use: 30%

Total physical RAM: 1022.58 MB

Available physical RAM: 713.49 MB

Total Pagefile: 2303.75 MB

Available Pagefile: 2112.63 MB

Total Virtual: 2047.88 MB

Available Virtual: 1964.05 MB
 

======================= Partitions =========================
 

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:153.8 GB) NTFS ==>[Drive with boot components]

3 Drive e: () (Removable) (Total:15.25 GB) (Free:8.3 GB) FAT32
 

  Datentr ###  Status      Grî·e    Frei     Dyn  GPT

  --------  ----------  -------  -------  ---  ---

       0    Online       233 GB      0 B         

       1    Online        15 GB      0 B         
 

DatentrÑgerpartitionierung wird beendet...
 
 

==========================================================
 

Last Boot: 2011-12-26 13:07
 

======================= End Of Log ==========================

Viele Grüße
\Lars

Hallo Daniel,

ich habe jetzt nachträglich am Logfile gesehen, dass der "liebe PC Eigentümer" vorher schon mit Tools bei dem Rechner dabei war :headbang:. Daher bekommst du hier auch noch die daraus resultierenden Logs. Vielleicht hilft das auch noch weiter:

OTL.txt
[code]*****OTL Logfile:

Code:

OTL logfile created on: 26.12.2011 15:03:32 - Run 1

OTL by OldTimer - Version 3.2.31.0     Folder = E:\MBAM

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

1022,58 Mb Total Physical Memory | 673,63 Mb Available Physical Memory | 65,88% Memory free

2,25 Gb Paging File | 2,03 Gb Available in Paging File | 90,18% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 232,88 Gb Total Space | 153,80 Gb Free Space | 66,04% Space Free | Partition Type: NTFS

Drive E: | 15,25 Gb Total Space | 8,30 Gb Free Space | 54,44% Space Free | Partition Type: FAT32

 

Computer Name: **********-PC | User Name: ***** | Logged in as Administrator.

Boot Mode: SafeMode | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 
 ========== Processes (SafeList) ==========

 

PRC - [2011.12.26 12:25:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- E:\MBAM\OTL.exe

PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008.01.19 08:33:04 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe

 

 
 ========== Modules (No Company Name) ==========

 

 
 ========== Win32 Services (SafeList) ==========

 

SRV - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2011.07.07 19:31:08 | 000,195,336 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)

SRV - [2011.06.15 17:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)

SRV - [2011.04.22 13:21:10 | 000,092,592 | ---- | M] (TomTom) [Auto | Stopped] -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)

SRV - [2008.01.19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)

 

 
 ========== Driver Services (SafeList) ==========

 

DRV - [2011.08.31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2010.05.27 19:37:09 | 000,223,440 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)

DRV - [2007.12.04 18:55:50 | 000,554,240 | ---- | M] (DiBcom SA) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mod7700.sys -- (mod7700)

DRV - [2007.07.11 17:06:22 | 000,013,824 | ---- | M] (DiBcom S.A.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\modrc.sys -- (MODRC)

DRV - [2006.11.02 08:30:56 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm60x32.sys -- (NVENETFD)

DRV - [2006.10.14 04:04:33 | 004,422,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

 

 
 ========== Standard Registry (SafeList) ==========

 

 
 ========== Internet Explorer ==========

 

IE - HKLM\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://de.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.live.com/ [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.live.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.live.com/ [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D A6 F3 CA C6 04 CC 01  [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 
 ========== FireFox ==========

 

FF - prefs.js..browser.search.selectedEngine: "Bing"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "hxxp://go.microsoft.com/fwlink/?LinkId=69157"

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

 

 

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=3.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]

FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

 

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.11.30 17:16:23 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.12.08 17:06:49 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]

 

[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions

[2010.09.14 16:26:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\home2@tomtom.com

[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions

[2010.05.16 16:25:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2010.01.28 16:38:22 | 000,002,163 | ---- | M] () -- C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\fpfic1w3.default\searchplugins\bing.xml

[2011.12.08 17:40:44 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions

[2011.11.30 17:16:22 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2011.05.04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

[2011.10.23 15:22:24 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml

[2011.10.23 15:22:24 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2011.10.23 15:22:24 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml

[2011.10.23 15:22:24 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml

[2009.03.04 15:02:37 | 000,000,897 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.png

[2009.03.04 15:02:37 | 000,001,015 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.src

[2011.10.23 15:22:24 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml

[2011.10.23 15:22:24 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

 

O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1       localhost

O1 - Hosts: ::1             localhost

O2 - BHO: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (oldieradio Toolbar) - {27AF7ECC-B892-4D54-BA3F-7DED7DD856B9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

O4 - HKLM..\Run: []  File not found

O4 - HKLM..\Run: [IATSKY] C:\Programme\i@Sky WIC\iatsky.exe ()

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found

O4 - HKCU..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks File not found

O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)

O4 - HKCU..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)

O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)

O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StarOffice 9.lnk = C:\Programme\Sun\StarOffice 9\program\quickstart.exe ()

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0

O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O13 - gopher Prefix: missing

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} hxxp://download.microsoft.com/download/2/2/0/220618B3-3606-4E70-B625-231BF31E1085/VirtualEarth3D.cab (SentinelProxy Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{305DF18F-832F-408A-B8B0-5A4F3A4E9C51}: DhcpNameServer = 192.168.2.1

O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O31 - SafeBoot: UseAlternatShell - 1

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 
 ========== Files/Folders - Created Within 30 Days ==========

 

[2011.12.26 13:44:44 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Malwarebytes

[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2011.12.26 13:44:05 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2011.12.26 13:44:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2011.12.22 17:15:50 | 000,095,744 | ---- | C] (Kassl GmbH) -- C:\Users\*****\AppData\Roaming\dwlGina3.dll

[2011.12.22 17:10:28 | 000,327,680 | ---- | C] (vKJZdfXv) -- C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe

[2011.12.22 17:10:13 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Ifsur

[2011.12.22 17:10:13 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Akky

[2011.12.16 03:02:28 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

[2011.12.16 03:02:27 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll

[2011.12.16 03:02:27 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll

[2011.12.16 03:02:26 | 001,798,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll

[2011.12.16 03:02:26 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2011.12.16 03:02:23 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl

[2011.12.15 13:05:04 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe

[2011.12.15 13:05:04 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe

[2011.12.15 13:05:03 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll

[2011.12.15 13:04:54 | 002,043,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2011.12.15 13:04:51 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll

[2011.12.15 13:04:47 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll

[2011.12.08 19:56:35 | 000,000,000 | ---D | C] -- C:\Users\*****\Documents\Neuer Ordner

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 
 ========== Files - Modified Within 30 Days ==========

 

[2011.12.26 15:00:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2011.12.26 13:44:09 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2011.12.26 13:42:15 | 000,627,756 | ---- | M] () -- C:\Windows\System32\perfh007.dat

[2011.12.26 13:42:15 | 000,595,386 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2011.12.26 13:42:15 | 000,125,676 | ---- | M] () -- C:\Windows\System32\perfc007.dat

[2011.12.26 13:42:15 | 000,103,460 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2011.12.24 19:46:39 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2011.12.24 19:46:38 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2011.12.24 19:40:08 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2011.12.22 17:15:50 | 000,095,744 | ---- | M] (Kassl GmbH) -- C:\Users\*****\AppData\Roaming\dwlGina3.dll

[2011.12.22 17:12:29 | 000,001,112 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2011.12.22 17:10:07 | 000,327,680 | ---- | M] (vKJZdfXv) -- C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe

[2011.12.20 10:10:03 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk

[2011.12.18 11:17:09 | 000,014,805 | ---- | M] () -- C:\Users\*****\Documents\Hilfe für die Tafeln.odt

[2011.12.16 03:23:03 | 000,247,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 
 ========== Files Created - No Company Name ==========

 

[2011.12.26 13:44:09 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2011.12.08 17:06:50 | 000,001,895 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk

[2010.01.11 10:53:33 | 000,023,689 | ---- | C] () -- C:\Windows\hpqins15.dat

[2009.12.09 15:57:15 | 000,078,213 | ---- | C] () -- C:\Windows\hpqins05.dat

[2009.10.19 10:25:05 | 000,166,714 | ---- | C] () -- C:\Windows\hphins28.dat

[2009.09.24 15:56:48 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2009.09.24 15:56:46 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009.01.04 22:30:34 | 000,000,939 | ---- | C] () -- C:\Windows\hphmdl28.dat

[2008.10.26 11:44:55 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

[2008.08.14 19:53:24 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat

[2008.08.07 09:38:45 | 000,040,960 | ---- | C] () -- C:\Users\*****\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007.04.27 09:43:58 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll

[2006.11.02 16:33:31 | 000,627,756 | ---- | C] () -- C:\Windows\System32\perfh007.dat

[2006.11.02 16:33:31 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat

[2006.11.02 16:33:31 | 000,125,676 | ---- | C] () -- C:\Windows\System32\perfc007.dat

[2006.11.02 16:33:31 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat

[2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat

[2006.11.02 13:47:37 | 000,247,328 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT

[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006.11.02 11:33:01 | 000,595,386 | ---- | C] () -- C:\Windows\System32\perfh009.dat

[2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat

[2006.11.02 11:33:01 | 000,103,460 | ---- | C] () -- C:\Windows\System32\perfc009.dat

[2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat

[2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat

[2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT

[2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
 

< End of report >

--- --- ---

Extras.txt
[code]*****OTL Logfile:

Code:

OTL Extras logfile created on: 26.12.2011 15:03:32 - Run 1

OTL by OldTimer - Version 3.2.31.0     Folder = E:\MBAM

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

1022,58 Mb Total Physical Memory | 673,63 Mb Available Physical Memory | 65,88% Memory free

2,25 Gb Paging File | 2,03 Gb Available in Paging File | 90,18% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 232,88 Gb Total Space | 153,80 Gb Free Space | 66,04% Space Free | Partition Type: NTFS

Drive E: | 15,25 Gb Total Space | 8,30 Gb Free Space | 54,44% Space Free | Partition Type: FAT32

 

Computer Name: **********-PC | User Name: ***** | Logged in as Administrator.

Boot Mode: SafeMode | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 
 ========== Extra Registry (SafeList) ==========

 

 
 ========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

 

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

 
 ========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- Reg Error: Key error.

htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

 
 ========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 0

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"oobe_av" = 1

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

 
 ========== Firewall Settings ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

"DoNotAllowExceptions" = 1

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

 
 ========== Authorized Applications List ==========

 

 
 ========== Vista Active Open Ports Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{17C14F61-0F2B-49EC-A322-074EF844F1B2}" = rport=445 | protocol=6 | dir=out | app=system | 

"{1C9D236D-8EC3-48FB-BC08-11F5EF56A01C}" = rport=137 | protocol=17 | dir=out | app=system | 

"{477CD86D-32EF-4AB4-8918-A1C5F474C4C9}" = lport=138 | protocol=17 | dir=in | app=system | 

"{924EF069-4563-48EF-8494-96040CC0B0CC}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 

"{AFF5653B-116E-4E1A-99BB-3BB36E6E0D0B}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 

"{BC9596A3-ECB4-43FF-992F-F29DFB7CD235}" = lport=445 | protocol=6 | dir=in | app=system | 

"{C3C9ABB9-C12C-481E-AAFC-CBD40420C987}" = rport=138 | protocol=17 | dir=out | app=system | 

"{C5209DAB-A2C2-4AA2-8164-4CA4C842054C}" = rport=139 | protocol=6 | dir=out | app=system | 

"{C54ED09C-754A-4E45-BCDF-70EA461AB808}" = lport=137 | protocol=17 | dir=in | app=system | 

"{D4153DE5-5564-45BF-AEF3-AF525ED1D1C1}" = lport=139 | protocol=6 | dir=in | app=system | 

 
 ========== Vista Active Application Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{1A8572B5-7404-4676-9890-B45F349CEAE6}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 

"{1C9FBDB3-13B6-4288-B8E2-72AF685553E5}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 

"{2BFC9ABA-5FF1-4897-9DD0-760864561709}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\videospin.exe | 

"{3A5F845A-98AB-41DF-8F7B-917F3551C51E}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgpc01.exe | 

"{4212881F-FAD3-47C5-A0B9-50DF4A5F4EBD}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgh.exe | 

"{4A010968-4CB3-435D-B683-FC987F8282F8}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\pmsregisterfile.exe | 

"{4CD67718-DBD4-4972-B812-A28C1046F4B4}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\rm.exe | 

"{516908AA-CAD2-45F2-87E2-C22BC1907B27}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\umi.exe | 

"{63233D3C-FE1E-4BAD-AD63-B04F35E403A9}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgm.exe | 

"{69CA36D7-B3D4-4E42-BDE4-5B9C20FF5CB6}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe | 

"{79CC9096-DA97-49C8-8FF2-355786A23224}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe | 

"{84EBA8D5-2F52-41A5-AEB6-74F119723051}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\videospin.exe | 

"{904DE6D0-E395-41D6-903F-DC28E213E4FE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe | 

"{963866C4-18C0-491E-B9FD-8EF867089093}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\pmsregisterfile.exe | 

"{A4084200-BB83-4765-B5DB-2F18546E0892}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 

"{A60D3F24-13AB-4681-B8DE-9B473A679004}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqsudi.exe | 

"{AD4329DC-BFE4-46FF-BC7C-EC406772ED67}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe | 

"{B1A5EBCE-9495-4BDF-AE18-6F2324BD3BE2}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe | 

"{BE5C8B59-9ABE-47E5-BF9B-8658C558F8E1}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgplgtupl.exe | 

"{C4489853-F862-48BB-847D-210B11775917}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe | 

"{C6B8ED21-7450-47F4-B5C9-DB0CF3FE4805}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 

"{D0745ECA-E966-43BF-A8CD-71056172E7A5}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe | 

"{D15FCDCB-1F1D-4F05-90AC-5268786624DA}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe | 

"{D75CF46D-8290-4047-A886-5BA13FE48195}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\umi.exe | 

"{EF7ACF3A-866F-4C8E-A431-7C801FCBD982}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\rm.exe | 

"{F85C1478-9F0A-4F49-A515-B6DCFAA692C8}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe | 

"TCP Query User{3B2BFD05-5ECF-4AC9-92FD-00045513F031}C:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe" = protocol=6 | dir=in | app=c:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe | 

"UDP Query User{4462429D-E8E2-4CF3-8640-CF72DAB35BB0}C:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe" = protocol=17 | dir=in | app=c:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe | 

 
 ========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status

"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu

"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg

"{0E37765E-45AE-4830-A12C-E5DADD758472}" = HP Photosmart D5400 Printer Driver Software 12.0 Rel .3

"{16D0F2D2-242C-4885-BEF1-4B1655C141AE}" = Bing Bar

"{18613ADB-2125-4C71-BBD7-D56136683509}" = MAGIX Audio Cleaning Lab 17 deluxe

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool

"{20EFC9AA-BBC1-4DFD-81FF-99654F71CBF8}" = HPPhotoSmartDiscLabel_PrintOnDisc

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 26

"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in

"{2A329FB6-389D-4396-A974-29656D6864AE}" = MarketResearch

"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D

"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm

"{304D416E-CCA6-A949-A728-19702A085FC1}" = simfy

"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7

"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter

"{4D304678-738E-42a0-931A-2B022F49DEB8}" = TrayApp

"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport

"{54C7CFA4-9DDD-40c7-A58F-AF0E7916848C}" = HPPhotoGadget

"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2

"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1

"{6EED4269-588D-45b8-A80C-26A9CA62EE4E}" = HPSSupply

"{70AA9B4F-64F7-4B0D-ADD8-05802D61AF72}" = Windows Live Toolbar

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert

"{850C7BD3-9F3F-46AD-9396-E7985B38C55E}" = Windows Live Fotogalerie

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)

"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update

"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules

"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting

"{915B97D7-585F-48DE-9E62-47F916514854}" = D5400

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{A7496F46-78AE-4DB2-BCF5-95F210FA6F96}" = Windows Live Movie Maker

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox

"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.7 - Deutsch

"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9

"{B28635AB-1DF3-4F07-BFEA-975D911B549B}" = hpphotosmartdisclabelplugin

"{BCE46757-7674-4416-BEDB-68205A60409E}" = CanoScan Toolbox Ver4.1

"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)

"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant

"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail

"{C5E4D0D0-EACC-4013-B48D-C3F104F21DCD}" = StarOffice 9

"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials

"{CDC7F188-3A08-45C3-8C3C-99BE32911949}" = Photo Transport

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential

"{D9D8F2CF-FE2D-4644-9762-01F916FE90A9}" = HPPhotoSmartDiscLabel_PaperLabel

"{DD133F7D-E484-45B7-BBB9-828FCA45BBDB}" = i@Sky WIC

"{DDD5104F-1C44-49EB-9E6B-29EC5D27658B}" = HP Update

"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer

"{E192A201-E9B4-406A-82D5-7886F3BB63D5}" = PS_SF_03_D5400_Software_Min

"{EFCEF949-9821-4759-A573-3EB8C857DF46}" = Windows Live Family Safety

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}" = Pinnacle TVCenter Pro

"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack

"{F769B78E-FF0E-4db5-95E2-9F4C8D6352FE}" = DeviceDiscovery

"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR

"{FF34AF1C-705B-424A-A850-1A1F61D6EB71}" = MAGIX Speed 2 (MSI)

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11

"AVIConverter" = AVIConverter 4.0.1

"HP Imaging Device Functions" = HP Imaging Device Functions 12.0

"HP Photosmart Essential" = HP Photosmart Essential 3.5

"HP Smart Web Printing" = HP Smart Web Printing 4.60

"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0

"HPExtendedCapabilities" = HP Customer Participation Program 12.0

"i@Sky WIC" = i@Sky WIC

"MAGIX_MSI_mclab_17dlx" = MAGIX Audio Cleaning Lab 17 deluxe

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version 1.51.2.1300

"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack

"Mozilla Firefox 8.0.1 (x86 de)" = Mozilla Firefox 8.0.1 (x86 de)

"Mozilla Thunderbird (8.0)" = Mozilla Thunderbird (8.0)

"oldieradio Toolbar" = oldieradio Toolbar

"Shop for HP Supplies" = Shop for HP Supplies

"Simfy" = simfy

"TomTom HOME" = TomTom HOME 2.8.2.2264

"TrueCrypt" = TrueCrypt

"WinLiveSuite_Wave3" = Windows Live Essentials

 
 ========== Last 10 Event Log Errors ==========

 

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

 

< End of report >

--- --- ---

Und auch noch eine mbam-log Datei:

Code:

*****Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org
 

Datenbank Version: 7622
 

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 9.0.8112.16421
 

26.12.2011 14:57:30

mbam-log-2011-12-26 (14-57-17).txt
 

Art des Suchlaufs: Vollst‰ndiger Suchlauf (C:\|)

Durchsuchte Objekte: 381917

Laufzeit: 1 Stunde(n), 4 Minute(n), 17 Sekunde(n)
 

Infizierte Speicherprozesse: 0

Infizierte Speichermodule: 0

Infizierte Registrierungsschl¸ssel: 0

Infizierte Registrierungswerte: 2

Infizierte Dateiobjekte der Registrierung: 4

Infizierte Verzeichnisse: 0

Infizierte Dateien: 4
 

Infizierte Speicherprozesse:

(Keine bˆsartigen Objekte gefunden)
 

Infizierte Speichermodule:

(Keine bˆsartigen Objekte gefunden)
 

Infizierte Registrierungsschl¸ssel:

(Keine bˆsartigen Objekte gefunden)
 

Infizierte Registrierungswerte:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0D1ECAC7-DF2C-9647-D654-AF583AD277D4} (Trojan.Zbot.CBCGen) -> Value: {0D1ECAC7-DF2C-9647-D654-AF583AD277D4} -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> No action taken.
 

Infizierte Dateiobjekte der Registrierung:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad: (C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe) Good: (Explorer.exe) -> No action taken.
 

Infizierte Verzeichnisse:

(Keine bˆsartigen Objekte gefunden)
 

Infizierte Dateien:

c:\Users\*****\AppData\Roaming\Ifsur\kuba.exe (Trojan.Zbot.CBCGen) -> No action taken.

c:\Users\*****\AppData\LocalLow\Sun\Java\deployment\cache\6.0\27\5177e1db-58ec10ca (Trojan.Zbot.CBCGen) -> No action taken.

c:\Windows.old\Users\User\AppData\Local\Temp\c12iihle.exe (Rogue.Installer) -> No action taken.

c:\Users\*****\AppData\Local\Temp\0.11391611854232775.exe (Exploit.Drop.2) -> No action taken.

Ich hoffe, dass das evtl. Verwirrungen beseitigt.

Viele Grüße
\Lars

Zitat:

Solltest du bei einem Schritt Probleme haben, stoppe dort und beschreib mir das Problem so gut du kannst. Manchmal erfordert ein Schritt den vorhergehenden

Schön langsam verlier ich hier die Nerven. Niemand liest was man schreibt >.>

Zitat:

O4 - HKLM..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe

Ich kann mit zensierte Logfiles nichts anfangen.

Lass MBAM nochmal laufen und entferne alle Funde und poste das Logfile hier.

Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop

Starte bitte die OTL.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Kopiere nun den Inhalt in die http://larusso.trojaner-board.de/Images/otlfix.jpg Textbox.

Code:

activex

netsvcs

msconfig

%SYSTEMDRIVE%\*.

%PROGRAMFILES%\*.exe

%LOCALAPPDATA%\*.exe

%systemroot%\*. /mp /s

%systemroot%\system32\*.manifest /3

/md5start

explorer.exe

regedit.exe

winlogon.exe

wininit.exe

userinit.exe

/md5stop

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

CREATERESTOREPOINT

Schliesse bitte nun alle Programme. (Wichtig)
Klicke nun bitte auf den Quick Scan Button.
Wenn der Scan beendet wurde, wird sich ein Textdokument öffnen.
Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in Deinen Thread

Hallo Daniel,

das Problem mit dem Reparaturmodus ist folgendes, er wird im Windows Boot Menu nicht angezeigt, ergo kann er nicht aufgerufen werden.

Was die Zensur der Logs betrifft, da ist leider der Klarname als User drin, und das möchte ich dem Nutzer dann doch ersparen. Die fünf Sterne stehen also wie in der Anleitung angegeben, für den Klarnamen des Nutzers. Sorry.

Hier das Logfile von MBAM:

Code:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org
 

Datenbank Version: 7622
 

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 9.0.8112.16421
 

26.12.2011 14:57:30

mbam-log-2011-12-26 (14-57-17).txt
 

Art des Suchlaufs: Vollst‰ndiger Suchlauf (C:\|)

Durchsuchte Objekte: 381917

Laufzeit: 1 Stunde(n), 4 Minute(n), 17 Sekunde(n)
 

Infizierte Speicherprozesse: 0

Infizierte Speichermodule: 0

Infizierte Registrierungsschl¸ssel: 0

Infizierte Registrierungswerte: 2

Infizierte Dateiobjekte der Registrierung: 4

Infizierte Verzeichnisse: 0

Infizierte Dateien: 4
 

Infizierte Speicherprozesse:

(Keine bˆsartigen Objekte gefunden)
 

Infizierte Speichermodule:

(Keine bˆsartigen Objekte gefunden)
 

Infizierte Registrierungsschl¸ssel:

(Keine bˆsartigen Objekte gefunden)
 

Infizierte Registrierungswerte:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0D1ECAC7-DF2C-9647-D654-AF583AD277D4} (Trojan.Zbot.CBCGen) -> Value: {0D1ECAC7-DF2C-9647-D654-AF583AD277D4} -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> No action taken.
 

Infizierte Dateiobjekte der Registrierung:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad: (C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe) Good: (Explorer.exe) -> No action taken.
 

Infizierte Verzeichnisse:

(Keine bˆsartigen Objekte gefunden)
 

Infizierte Dateien:

c:\Users\*****\AppData\Roaming\Ifsur\kuba.exe (Trojan.Zbot.CBCGen) -> No action taken.

c:\Users\*****\AppData\LocalLow\Sun\Java\deployment\cache\6.0\27\5177e1db-58ec10ca (Trojan.Zbot.CBCGen) -> No action taken.

c:\Windows.old\Users\User\AppData\Local\Temp\c12iihle.exe (Rogue.Installer) -> No action taken.

c:\Users\*****\AppData\Local\Temp\0.11391611854232775.exe (Exploit.Drop.2) -> No action taken.

Die infizierten Dateien sind von MBAM entfernt worden, bzw. die Funktion zum entfernen ist ausgewählt und ausgeführt worden. Vielen Dank schon mal vorab! :-)

Viele Grüße
\Lars

Hallo Daniel,

ich habe wie gewünscht den Quick Scan mit OTL durchgeführt. Leider ist als Ergebnis nur die OTL.Txt erzeugt worden, eine Extra.txt gab es nicht.

OTL.txt

Code:

OTL logfile created on: 27.12.2011 12:41:22 - Run 2

OTL by OldTimer - Version 3.2.31.0     Folder = E:\MBAM

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

1022,58 Mb Total Physical Memory | 660,75 Mb Available Physical Memory | 64,62% Memory free

2,25 Gb Paging File | 2,02 Gb Available in Paging File | 89,68% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 232,88 Gb Total Space | 153,79 Gb Free Space | 66,04% Space Free | Partition Type: NTFS

Drive E: | 15,25 Gb Total Space | 8,30 Gb Free Space | 54,43% Space Free | Partition Type: FAT32

 

Computer Name: **********-PC | User Name: ***** | Logged in as Administrator.

Boot Mode: SafeMode | Scan Mode: Current user | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

 
 ========== Processes (SafeList) ==========

 

PRC - [2011.12.26 12:25:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- E:\MBAM\OTL.exe

PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008.01.19 08:33:11 | 000,498,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\HelpPane.exe

PRC - [2008.01.19 08:33:04 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe

 

 
 ========== Modules (No Company Name) ==========

 

 
 ========== Win32 Services (SafeList) ==========

 

SRV - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2011.07.07 19:31:08 | 000,195,336 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)

SRV - [2011.06.15 17:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)

SRV - [2011.04.22 13:21:10 | 000,092,592 | ---- | M] (TomTom) [Auto | Stopped] -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)

SRV - [2008.01.19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)

 

 
 ========== Driver Services (SafeList) ==========

 

DRV - [2011.08.31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2010.05.27 19:37:09 | 000,223,440 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)

DRV - [2007.12.04 18:55:50 | 000,554,240 | ---- | M] (DiBcom SA) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mod7700.sys -- (mod7700)

DRV - [2007.07.11 17:06:22 | 000,013,824 | ---- | M] (DiBcom S.A.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\modrc.sys -- (MODRC)

DRV - [2006.11.02 08:30:56 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm60x32.sys -- (NVENETFD)

DRV - [2006.10.14 04:04:33 | 004,422,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

 

 
 ========== Standard Registry (SafeList) ==========

 

 
 ========== Internet Explorer ==========

 

IE - HKLM\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://de.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.live.com/ [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.live.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.live.com/ [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D A6 F3 CA C6 04 CC 01  [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 
 ========== FireFox ==========

 

FF - prefs.js..browser.search.selectedEngine: "Bing"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "hxxp://go.microsoft.com/fwlink/?LinkId=69157"

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

 

 

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=3.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]

FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

 

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.11.30 17:16:23 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.12.08 17:06:49 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]

 

[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions

[2010.09.14 16:26:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\home2@tomtom.com

[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions

[2010.05.16 16:25:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2010.01.28 16:38:22 | 000,002,163 | ---- | M] () -- C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\fpfic1w3.default\searchplugins\bing.xml

[2011.12.08 17:40:44 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions

[2011.11.30 17:16:22 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2011.05.04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

[2011.10.23 15:22:24 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml

[2011.10.23 15:22:24 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2011.10.23 15:22:24 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml

[2011.10.23 15:22:24 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml

[2009.03.04 15:02:37 | 000,000,897 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.png

[2009.03.04 15:02:37 | 000,001,015 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.src

[2011.10.23 15:22:24 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml

[2011.10.23 15:22:24 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

 

O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1       localhost

O1 - Hosts: ::1             localhost

O2 - BHO: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (oldieradio Toolbar) - {27AF7ECC-B892-4D54-BA3F-7DED7DD856B9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

O4 - HKLM..\Run: []  File not found

O4 - HKLM..\Run: [IATSKY] C:\Programme\i@Sky WIC\iatsky.exe ()

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found

O4 - HKCU..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks File not found

O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)

O4 - HKCU..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)

O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)

O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StarOffice 9.lnk = C:\Programme\Sun\StarOffice 9\program\quickstart.exe ()

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0

O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O13 - gopher Prefix: missing

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} hxxp://download.microsoft.com/download/2/2/0/220618B3-3606-4E70-B625-231BF31E1085/VirtualEarth3D.cab (SentinelProxy Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{305DF18F-832F-408A-B8B0-5A4F3A4E9C51}: DhcpNameServer = 192.168.2.1

O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O31 - SafeBoot: UseAlternatShell - 1

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)

ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - 

ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0

ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0

ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework

ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0

ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack

ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework

ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE

ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - 

ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx

ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help

ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6

ActiveX: {5CA109D3-A084-47E8-A9CB-D497322E3F50} - MSN Toolbar 3.0 & Silverlight 2.0

ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools

ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements

ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player

ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access

ActiveX: {6ScJzIf0-kevt-RkjF-pr7R-UIAZ3ihJ5KXN} - 

ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7

ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework

ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll

ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings

ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install

ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding

ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts

ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1

ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player

ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help

ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface

ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP

ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig

ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - 

ActiveX: >{b4db1911-e061-4cc6-aab1-6fe12ea65eac} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

NetSvcs: FastUserSwitchingCompatibility -  File not found

NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)

NetSvcs: Nla -  File not found

NetSvcs: Ntmssvc -  File not found

NetSvcs: NWCWorkstation -  File not found

NetSvcs: Nwsapagent -  File not found

NetSvcs: SRService -  File not found

NetSvcs: WmdmPmSp -  File not found

NetSvcs: LogonHours -  File not found

NetSvcs: PCAudit -  File not found

NetSvcs: helpsvc -  File not found

NetSvcs: uploadmgr -  File not found

 

 

CREATERESTOREPOINT
 

Error creating restore point.

 
 ========== Files/Folders - Created Within 30 Days ==========

 

[2011.12.26 19:22:07 | 000,000,000 | ---D | C] -- C:\FRST

[2011.12.26 13:44:44 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Malwarebytes

[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2011.12.26 13:44:05 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2011.12.26 13:44:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2011.12.22 17:15:50 | 000,095,744 | ---- | C] (Kassl GmbH) -- C:\Users\*****\AppData\Roaming\dwlGina3.dll

[2011.12.22 17:10:28 | 000,327,680 | ---- | C] (vKJZdfXv) -- C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe

[2011.12.22 17:10:13 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Ifsur

[2011.12.22 17:10:13 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Akky

[2011.12.08 19:56:35 | 000,000,000 | ---D | C] -- C:\Users\*****\Documents\Neuer Ordner

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 
 ========== Files - Modified Within 30 Days ==========

 

[2011.12.27 12:40:52 | 000,627,756 | ---- | M] () -- C:\Windows\System32\perfh007.dat

[2011.12.27 12:40:52 | 000,595,386 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2011.12.27 12:40:52 | 000,125,676 | ---- | M] () -- C:\Windows\System32\perfc007.dat

[2011.12.27 12:40:52 | 000,103,460 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2011.12.27 12:36:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2011.12.26 13:44:09 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2011.12.24 19:46:39 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2011.12.24 19:46:38 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2011.12.24 19:40:08 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2011.12.22 17:15:50 | 000,095,744 | ---- | M] (Kassl GmbH) -- C:\Users\*****\AppData\Roaming\dwlGina3.dll

[2011.12.22 17:12:29 | 000,001,112 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2011.12.22 17:10:07 | 000,327,680 | ---- | M] (vKJZdfXv) -- C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe

[2011.12.20 10:10:03 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk

[2011.12.18 11:17:09 | 000,014,805 | ---- | M] () -- C:\Users\*****\Documents\Hilfe für die Tafeln.odt

[2011.12.16 03:23:03 | 000,247,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 
 ========== Files Created - No Company Name ==========

 

[2011.12.26 13:44:09 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2011.12.08 17:06:50 | 000,001,895 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk

[2010.01.11 10:53:33 | 000,023,689 | ---- | C] () -- C:\Windows\hpqins15.dat

[2009.12.09 15:57:15 | 000,078,213 | ---- | C] () -- C:\Windows\hpqins05.dat

[2009.10.19 10:25:05 | 000,166,714 | ---- | C] () -- C:\Windows\hphins28.dat

[2009.09.24 15:56:48 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2009.09.24 15:56:46 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009.01.04 22:30:34 | 000,000,939 | ---- | C] () -- C:\Windows\hphmdl28.dat

[2008.10.26 11:44:55 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

[2008.08.14 19:53:24 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat

[2008.08.07 09:38:45 | 000,040,960 | ---- | C] () -- C:\Users\*****\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007.04.27 09:43:58 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll

[2006.11.02 16:33:31 | 000,627,756 | ---- | C] () -- C:\Windows\System32\perfh007.dat

[2006.11.02 16:33:31 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat

[2006.11.02 16:33:31 | 000,125,676 | ---- | C] () -- C:\Windows\System32\perfc007.dat

[2006.11.02 16:33:31 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat

[2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat

[2006.11.02 13:47:37 | 000,247,328 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT

[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006.11.02 11:33:01 | 000,595,386 | ---- | C] () -- C:\Windows\System32\perfh009.dat

[2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat

[2006.11.02 11:33:01 | 000,103,460 | ---- | C] () -- C:\Windows\System32\perfc009.dat

[2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat

[2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat

[2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT

[2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

 
 ========== LOP Check ==========

 

[2011.12.22 17:11:54 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Akky

[2011.12.10 13:01:29 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Canon

[2011.12.26 14:57:37 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Ifsur

[2011.07.21 14:39:31 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\MAGIX

[2011.06.23 14:18:26 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Simfy

[2008.11.10 13:40:01 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\StarOffice

[2010.09.14 16:26:43 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Thunderbird

[2010.11.09 16:15:02 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\TomTom

[2010.05.27 19:38:16 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\TrueCrypt

[2011.12.24 19:46:35 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

 
 ========== Purity Check ==========

 

 

 
 ========== Custom Scans ==========

 

 
 < %SYSTEMDRIVE%\*.
 

 >

[2008.08.07 09:09:32 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin

[2009.10.01 10:55:56 | 000,000,000 | -HSD | M] -- C:\Boot

[2008.04.13 12:59:15 | 000,000,000 | -H-D | M] -- C:\CanoScan

[2006.11.02 14:02:03 | 000,000,000 | -HSD | M] -- C:\Documents and Settings

[2007.02.22 13:53:42 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen

[2011.12.26 19:22:38 | 000,000,000 | ---D | M] -- C:\FRST

[2008.10.24 14:52:12 | 000,000,000 | ---D | M] -- C:\PerfLogs

[2011.12.26 13:44:05 | 000,000,000 | R--D | M] -- C:\Program Files

[2011.12.26 13:44:08 | 000,000,000 | -H-D | M] -- C:\ProgramData

[2007.02.22 13:53:42 | 000,000,000 | -HSD | M] -- C:\Programme

[2007.03.03 13:40:18 | 000,000,000 | ---D | M] -- C:\Software

[2011.12.24 19:45:37 | 000,000,000 | -HSD | M] -- C:\System Volume Information

[2008.08.07 09:08:52 | 000,000,000 | R--D | M] -- C:\Users

[2011.12.24 19:54:51 | 000,000,000 | ---D | M] -- C:\Windows

[2008.08.07 09:22:00 | 000,000,000 | ---D | M] -- C:\Windows.old

 
 < %PROGRAMFILES%\*.exe
 

 >

 
 < %LOCALAPPDATA%\*.exe

 >

 
 < %systemroot%\*. /mp /s

 >

 
 < %systemroot%\system32\*.manifest /3
 

 >

 

 
 < MD5 for: EXPLORER.EXE  >

[2008.10.29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe

[2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe

[2008.10.30 04:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe

[2007.11.15 16:26:44 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows.old\Windows\explorer.exe

[2007.11.15 16:26:44 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe

[2008.08.07 11:19:33 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe

[2007.11.15 16:26:44 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe

[2008.08.07 11:19:33 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe

[2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe

[2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe

[2008.10.28 03:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe

[2006.11.02 10:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[2006.11.02 10:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[2008.01.19 08:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

[2008.01.19 08:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

 
 < MD5 for: REGEDIT.EXE  >

[2008.01.19 08:33:24 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedit.exe

[2008.01.19 08:33:24 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\regedit.exe

[2008.01.19 08:33:24 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedit.exe

[2006.11.02 10:45:35 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=F13123E76FDA33E55F11E0EB832E832A -- C:\Windows.old\Windows\regedit.exe

[2006.11.02 10:45:35 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=F13123E76FDA33E55F11E0EB832E832A -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6000.16386_none_f1f7f368deed95c3\regedit.exe

[2006.11.02 10:45:35 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=F13123E76FDA33E55F11E0EB832E832A -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6000.16386_none_f1f7f368deed95c3\regedit.exe

 
 < MD5 for: USERINIT.EXE  >

[2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

[2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe

[2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

[2006.11.02 10:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows.old\Windows\System32\userinit.exe

[2006.11.02 10:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe

[2006.11.02 10:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe

 
 < MD5 for: WININIT.EXE  >

[2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

[2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe

[2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

[2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows.old\Windows\System32\wininit.exe

[2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe

[2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe

 
 < MD5 for: WINLOGON.EXE  >

[2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe

[2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe

[2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows.old\Windows\System32\winlogon.exe

[2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe

[2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe

[2008.01.19 08:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

[2008.01.19 08:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

 
 < HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs
 

 >

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Required: DebugWindows [binary data]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Windows: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

 
 < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

 >

 
 < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
 

 >

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-12-24 18:46:10
 

< End of report >

Ich hoffe, das Ergebnis führt trotz der fehlenden Extra.txt weiter.

Viele Grüße
\Lars

Zitat:

O4 - HKLM..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)

Wie gesagt, ich kann mit zensierten Logfiles keine fixes schreiben. Enthält das wirklich deinen vollständigen Namen, dann mach ich mir die Arbeit

Hallo Daniel,

ja, der Username ist identisch mit dem Namen des Eigentümers. Schlimmer noch, da das nicht ich selber bin, würde ich das gerne schon deshalb vermeiden.

Bei irgendeinem Rechnernamen hätte ich das so gelassen. Sonst bliebe nur die Möglichkeit das per PM zu machen, aber das soll ja eigentlich nicht so sein. Ich kann die Stellen auch gerne anders markieren, aber das ist m.E. auch nicht hilfreich.

Vielen Dank für deine Mühe!

Viele Grüße
\Lars

Combofix darf ausschließlich ausgeführt werden, wenn dies von einem Team Mitglied angewiesen wurde!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Downloade dir bitte Combofix von einem dieser Downloadspiegel

Link 1
Link 2

WICHTIG - Speichere Combofix auf deinem Desktop

Deaktiviere bitte all deine Anti Viren sowie Anti Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Wenn Combofix fertig ist, wird es eine Logfile erstellen. Bitte poste die C:\Combofix.txt in deiner nächsten Antwort.

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten

Zitat:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.

starte den Rechner einfach neu. Dies sollte das Problem beheben.

Bitte poste in deiner nächsten Antwort
Combofix.txt

Hallo Daniel,

hier nun der Output vom Combofix:

Combofix.txt

Code:

ComboFix 11-12-22.04 - ***** 28.12.2011   8:47.1.1 - x86 MINIMAL

MicrosoftÆ Windows Vistaô Home Premium   6.0.6002.2.1252.49.1031.18.1023.635 [GMT 1:00]

ausgef¸hrt von:: c:\users\*****\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

- REDUZIERTER FUNKTIONALITƒTSMODUS -

.

.

((((((((((((((((((((((((((((((((((((   Weitere Lˆschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\*****\AppData\Roaming\dwlGina3.dll

c:\users\*****\AppData\Roaming\sbcvvhost_win86.exe

.

.

(((((((((((((((((((((((   Dateien erstellt von 2011-11-28 bis 2011-12-28  ))))))))))))))))))))))))))))))

.

.

2011-12-28 07:50 . 2011-12-28 07:50        --------        d-----w-        c:\users\*****\AppData\Local\temp

2011-12-28 07:50 . 2011-12-28 07:50        --------        d-----w-        c:\users\Default\AppData\Local\temp

2011-12-28 07:40 . 2011-12-28 07:40        56200        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD648DD5-67E9-4EA1-A7DB-2BE89EA8B416}\offreg.dll

2011-12-26 18:22 . 2011-12-26 18:22        --------        d-----w-        C:\FRST

2011-12-26 12:44 . 2011-12-26 12:44        --------        d-----w-        c:\users\*****\AppData\Roaming\Malwarebytes

2011-12-26 12:44 . 2011-12-26 12:44        --------        d-----w-        c:\programdata\Malwarebytes

2011-12-26 12:44 . 2011-12-26 12:44        --------        d-----w-        c:\program files\Malwarebytes' Anti-Malware

2011-12-26 12:44 . 2011-08-31 16:00        22216        ----a-w-        c:\windows\system32\drivers\mbam.sys

2011-12-24 18:45 . 2011-11-21 10:47        6823496        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD648DD5-67E9-4EA1-A7DB-2BE89EA8B416}\mpengine.dll

2011-12-22 16:10 . 2011-12-26 13:57        --------        d-----w-        c:\users\*****\AppData\Roaming\Ifsur

2011-12-22 16:10 . 2011-12-22 16:11        --------        d-----w-        c:\users\*****\AppData\Roaming\Akky

2011-12-20 09:07 . 2011-12-20 09:07        1207568        ----a-w-        c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2011-12-15 12:05 . 2011-10-27 08:01        3602816        ----a-w-        c:\windows\system32\ntkrnlpa.exe

2011-12-15 12:05 . 2011-10-27 08:01        3550080        ----a-w-        c:\windows\system32\ntoskrnl.exe

2011-12-15 12:05 . 2011-10-14 16:02        429056        ----a-w-        c:\windows\system32\EncDec.dll

2011-12-15 12:04 . 2011-11-23 13:37        2043904        ----a-w-        c:\windows\system32\win32k.sys

2011-12-15 12:04 . 2011-11-08 12:10        2409784        ----a-w-        c:\program files\Windows Mail\OESpamFilter.dat

2011-12-15 12:04 . 2011-10-25 15:56        49152        ----a-w-        c:\windows\system32\csrsrv.dll

2011-12-15 12:04 . 2011-11-08 14:42        2048        ----a-w-        c:\windows\system32\tzres.dll

.

.

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-24 08:53 . 2011-10-24 08:53        414368        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-30 16:16 . 2011-05-28 11:04        134104        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Eintr‰ge & legitime Standardeintr‰ge werden nicht angezeigt. 

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]

2011-05-09 09:49        176936        ----a-w-        c:\program files\oldieradio\prxtboldi.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{27AF7ECC-B892-4D54-BA3F-7DED7DD856B9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"IATSKY"="c:\program files\i@Sky WIC\iatsky.exe" [2011-07-25 335872]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

c:\users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

StarOffice 9.lnk - c:\program files\Sun\StarOffice 9\program\quickstart.exe [2008-9-12 113152]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 136176]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]

R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 136176]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\DRIVERS\modrc.sys [2007-07-11 13824]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12        REG_MULTI_SZ           Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt        REG_MULTI_SZ           hpqcxs08 hpqddsvc

LocalServiceAndNoImpersonation        REG_MULTI_SZ           FontCache

.

Inhalt des "geplante Tasks" Ordners

.

2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 10:20]

.

2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 10:20]

.

.

------- Zus‰tzlicher Suchlauf -------

.

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\fpfic1w3.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - Entfernte verwaiste Registrierungseintr‰ge - - - -

.

HKCU-Run-PMCLoader - c:\program files\Pinnacle\TVCenter Pro\PMCLoader.exe

HKCU-Run-WBhXTAWuFpmNyON - c:\users\*****\AppData\Roaming\sbcvvhost_win86.exe

HKLM-Run-WBhXTAWuFpmNyON - c:\users\*****\AppData\Roaming\sbcvvhost_win86.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net

Rootkit scan 2011-12-28 08:50

Windows 6.0.6002 Service Pack 2 NTFS

.

Scanne versteckte Prozesse... 

.

Scanne versteckte Autostarteintr‰ge... 

.

Scanne versteckte Dateien... 

.

Scan erfolgreich abgeschlossen

versteckte Dateien: 0

.

**************************************************************************

.

Zeit der Fertigstellung: 2011-12-28  08:53:03

ComboFix-quarantined-files.txt  2011-12-28 07:52

.

Vor Suchlauf: 8 Verzeichnis(se), 165.150.273.536 Bytes frei

Nach Suchlauf: 12 Verzeichnis(se), 167.733.764.096 Bytes frei

.

- - End Of File - - FA5DCFA113C2ABC07BEA63EFF011FE29

Die Ausgabe am Bildschirm sah recht vielversprechend aus. :-)

Viele Grüße
\Lars

Hy

Du musst die **** im Skript ersetzen

Hinweis für Mitleser:
Folgendes ComboFix Skript ist ausschließlich für diesen User in dieser Situtation erstellt worden. Auf keinen Fall auf anderen Rechnern anwenden, dass kann andere Systeme nachhaltig schädigen!

Lösche die vorhandene Combofix.exe von deinem Desktop und lade das Programm von einem der folgenden Download-Spiegel neu herunter:

BleepingComputer.com - ForoSpyware.com

und speichere es erneut auf dem Desktop (nicht woanders hin, das ist wichtig)!

Drücke die http://larusso.trojaner-board.de/Images/windows.jpg + R Taste --> Notepad (hinein schreiben) --> OK

Kopiere nun den Text aus der folgenden Codebox komplett in das leere Textdokument.

Code:

Folder::

c:\users\*****\AppData\Roaming\Ifsur

c:\users\*****\AppData\Roaming\Akky
 

ClearJavaCache::

Speichere dies als CFScript.txt auf deinem Desktop.
Wichtig:

Stelle deine Anti Viren Software temporär ab. Dies kann ComboFix nämlich bei der Arbeit behindern. Danach wieder anstellen nicht vergessen!
Bewege nicht die Maus über das ComboFix-Fenster oder klicke in dieses hinein. Dies kann dazu führen, dass ComboFix sich aufhängt.
Schließe alle laufenden Programme. Gehe sicher, dass ComboFix ungehindert arbeiten kann.
Mache nichts am PC solange ComboFix läuft.

http://i266.photobucket.com/albums/i.../CFScriptB.gif

In Bezug auf obiges Bild, ziehe CFScript.txt in die ComboFix.exe
Wenn ComboFix fertig ist, wird es ein Log erstellen, C:\ComboFix.txt. Bitte füge es hier als Antwort ein.

Falls im Skript die Anweisung Suspect:: oder Collect:: enthalten ist, wird eine Message-Box erscheinen, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen.

Bitte poste in deiner nächsten Antwort
Combofix.txt
Berichte, wie der Rechner läuft

Hallo Daniel,

hier die Ausgabe des Combofix Tools:

Code:

ComboFix 11-12-27.01 - ***** 28.12.2011  21:41:19.1.1 - x86

MicrosoftÆ Windows Vistaô Home Premium   6.0.6002.2.1252.49.1031.18.1023.485 [GMT 1:00]

ausgef¸hrt von:: c:\users\*****\Desktop\ComboFix.exe

Benutzte Befehlsschalter :: c:\users\*****\Desktop\CFScript.txt

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((   Weitere Lˆschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\*****\AppData\Roaming\Akky

c:\users\*****\AppData\Roaming\Ifsur

c:\users\Public\1031.MST

.

.

(((((((((((((((((((((((   Dateien erstellt von 2011-11-28 bis 2011-12-28  ))))))))))))))))))))))))))))))

.

.

2011-12-28 20:48 . 2011-12-28 20:48        --------        d-----w-        c:\users\*****\AppData\Local\temp

2011-12-28 20:48 . 2011-12-28 20:48        --------        d-----w-        c:\users\Default\AppData\Local\temp

2011-12-28 08:06 . 2011-12-28 08:06        56200        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{83E23BEA-E3FD-4C36-A965-E3FAFAF3C471}\offreg.dll

2011-12-28 08:06 . 2011-11-21 10:47        6823496        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{83E23BEA-E3FD-4C36-A965-E3FAFAF3C471}\mpengine.dll

2011-12-28 08:01 . 2011-12-28 08:01        --------        d-----w-        c:\program files\ESET

2011-12-26 18:22 . 2011-12-26 18:22        --------        d-----w-        C:\FRST

2011-12-26 12:44 . 2011-12-26 12:44        --------        d-----w-        c:\users\*****\AppData\Roaming\Malwarebytes

2011-12-26 12:44 . 2011-12-26 12:44        --------        d-----w-        c:\programdata\Malwarebytes

2011-12-26 12:44 . 2011-12-26 12:44        --------        d-----w-        c:\program files\Malwarebytes' Anti-Malware

2011-12-26 12:44 . 2011-08-31 16:00        22216        ----a-w-        c:\windows\system32\drivers\mbam.sys

2011-12-20 09:07 . 2011-12-20 09:07        1207568        ----a-w-        c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2011-12-15 12:05 . 2011-10-27 08:01        3602816        ----a-w-        c:\windows\system32\ntkrnlpa.exe

2011-12-15 12:05 . 2011-10-27 08:01        3550080        ----a-w-        c:\windows\system32\ntoskrnl.exe

2011-12-15 12:05 . 2011-10-14 16:02        429056        ----a-w-        c:\windows\system32\EncDec.dll

2011-12-15 12:04 . 2011-11-23 13:37        2043904        ----a-w-        c:\windows\system32\win32k.sys

2011-12-15 12:04 . 2011-11-08 12:10        2409784        ----a-w-        c:\program files\Windows Mail\OESpamFilter.dat

2011-12-15 12:04 . 2011-10-25 15:56        49152        ----a-w-        c:\windows\system32\csrsrv.dll

2011-12-15 12:04 . 2011-11-08 14:42        2048        ----a-w-        c:\windows\system32\tzres.dll

.

.

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-24 08:53 . 2011-10-24 08:53        414368        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-30 16:16 . 2011-05-28 11:04        134104        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Eintr‰ge & legitime Standardeintr‰ge werden nicht angezeigt. 

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]

2011-05-09 09:49        176936        ----a-w-        c:\program files\oldieradio\prxtboldi.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{27AF7ECC-B892-4D54-BA3F-7DED7DD856B9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"IATSKY"="c:\program files\i@Sky WIC\iatsky.exe" [2011-07-25 335872]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

c:\users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

StarOffice 9.lnk - c:\program files\Sun\StarOffice 9\program\quickstart.exe [2008-9-12 113152]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 136176]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]

R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 136176]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]

S3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\DRIVERS\modrc.sys [2007-07-11 13824]

.

.

--- Andere Dienste/Treiber im Speicher ---

.

*NewlyCreated* - MBAMPROTECTOR

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12        REG_MULTI_SZ           Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt        REG_MULTI_SZ           hpqcxs08 hpqddsvc

LocalServiceAndNoImpersonation        REG_MULTI_SZ           FontCache

.

Inhalt des "geplante Tasks" Ordners

.

2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 10:20]

.

2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 10:20]

.

.

------- Zus‰tzlicher Suchlauf -------

.

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\fpfic1w3.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net

Rootkit scan 2011-12-28 21:48

Windows 6.0.6002 Service Pack 2 NTFS

.

Scanne versteckte Prozesse... 

.

Scanne versteckte Autostarteintr‰ge... 

.

Scanne versteckte Dateien... 

.

Scan erfolgreich abgeschlossen

versteckte Dateien: 0

.

**************************************************************************

.

Zeit der Fertigstellung: 2011-12-28  21:51:56

ComboFix-quarantined-files.txt  2011-12-28 20:51

ComboFix2.txt  2011-12-28 07:53

.

Vor Suchlauf: 11 Verzeichnis(se), 165.835.059.200 Bytes frei

Nach Suchlauf: 12 Verzeichnis(se), 165.856.579.584 Bytes frei

.

- - End Of File - - 8827A8D8834880E88CAEDDFC3562F974

Ich habe das System danach neu gestartet und bisher läuft der Rechner gut. Jetzt werde ich die Virenscanner wieder aktivieren, aber da bin ich ganz optimistisch.

Nochmals ganz vielen Dank bis hierhin! :-)

Viele Grüße
\Lars

Update bitte Malwarebytes und lass einen Quick Scan laufen.

ESET Online Scanner

Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
Lade und starte Eset Online Scanner
Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
Klicke auf Starten.
Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
Klicke am Ende des Suchlaufs auf Fertig stellen.
Schließe das Fenster von ESET.
Explorer öffnen.
C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
Logfile hier posten.
Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset

Starte bitte DDS und poste die dds.txt und attach.txt

Bitte poste in deiner nächsten Antwort
MBAM Log
log.txt
dds.txt
attach.txt

Hallo Daniel,

eine Frage zu deinem letzten Post: was ist DDS? Mir sagt das Programm leider nichts... :-)

Viele Grüße
\Lars

Ach sorry, bin auf vielen Foren unterwegs, wo ich das verwende xD

Starte bitte OTL.exe.
Wähle unter
Extra Registrierung: Benutze Safe List und klicke auf den Scan Button.
Poste die OTL.txt und die Extras.txt hier in deinen Thread.

Hallo Daniel,

hier die gewünschten Dateien:

OTL.txt

Code:

OTL logfile created on: 29.12.2011 09:04:43 - Run 3

OTL by OldTimer - Version 3.2.31.0     Folder = C:\Users\*****\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

1022,58 Mb Total Physical Memory | 312,77 Mb Available Physical Memory | 30,59% Memory free

2,26 Gb Paging File | 1,31 Gb Available in Paging File | 57,96% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 232,88 Gb Total Space | 166,14 Gb Free Space | 71,34% Space Free | Partition Type: NTFS

 

Computer Name: **********-PC | User Name: ***** | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 
 ========== Processes (SafeList) ==========

 

PRC - [2011.12.26 12:25:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\*****\Desktop\OTL.exe

PRC - [2011.12.24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2011.12.24 17:50:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2011.09.22 12:03:30 | 000,974,944 | ---- | M] (ESET) -- C:\Programme\ESET\ESET NOD32 Antivirus\ekrn.exe

PRC - [2011.09.22 12:03:02 | 003,080,264 | ---- | M] (ESET) -- C:\Programme\ESET\ESET NOD32 Antivirus\egui.exe

PRC - [2011.06.15 17:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft\BingBar\SeaPort.EXE

PRC - [2011.04.22 13:21:10 | 000,247,728 | ---- | M] (TomTom) -- C:\Programme\TomTom HOME 2\TomTomHOMERunner.exe

PRC - [2011.04.22 13:21:10 | 000,092,592 | ---- | M] (TomTom) -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe

PRC - [2009.04.11 07:28:15 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE

PRC - [2009.04.11 07:28:03 | 001,233,920 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Sidebar\sidebar.exe

PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008.09.30 20:57:02 | 007,513,088 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Sun\StarOffice 9\program\soffice.bin

PRC - [2008.09.30 20:55:58 | 007,517,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Sun\StarOffice 9\program\soffice.exe

PRC - [2008.01.19 08:33:39 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe

PRC - [2008.01.19 08:33:39 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe

 

 
 ========== Modules (No Company Name) ==========

 

MOD - [2008.07.29 14:55:14 | 000,969,728 | ---- | M] () -- C:\Programme\Sun\StarOffice 9\program\libxml2.dll

 

 
 ========== Win32 Services (SafeList) ==========

 

SRV - [2011.12.24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2011.09.22 12:03:30 | 000,974,944 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)

SRV - [2011.07.07 19:31:08 | 000,195,336 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)

SRV - [2011.06.15 17:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)

SRV - [2011.04.22 13:21:10 | 000,092,592 | ---- | M] (TomTom) [Auto | Running] -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)

SRV - [2008.01.19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)

 

 
 ========== Driver Services (SafeList) ==========

 

DRV - [2011.12.10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2011.08.09 14:24:52 | 000,163,424 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)

DRV - [2011.08.04 09:20:38 | 000,103,112 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfpr.sys -- (epfwwfpr)

DRV - [2011.08.04 09:20:36 | 000,118,104 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)

DRV - [2010.05.27 19:37:09 | 000,223,440 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)

DRV - [2007.12.04 18:55:50 | 000,554,240 | ---- | M] (DiBcom SA) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mod7700.sys -- (mod7700)

DRV - [2007.07.11 17:06:22 | 000,013,824 | ---- | M] (DiBcom S.A.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\modrc.sys -- (MODRC)

DRV - [2006.11.02 08:30:56 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvm60x32.sys -- (NVENETFD)

DRV - [2006.10.14 04:04:33 | 004,422,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

 

 
 ========== Standard Registry (SafeList) ==========

 

 
 ========== Internet Explorer ==========

 

IE - HKLM\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.live.com/ [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D A6 F3 CA C6 04 CC 01  [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 
 ========== FireFox ==========

 

FF - prefs.js..browser.search.selectedEngine: "Bing"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "hxxp://go.microsoft.com/fwlink/?LinkId=69157"

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

 

 

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=3.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]

FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

 

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.11.30 17:16:23 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.12.08 17:06:49 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2011.12.28 22:09:53 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]

 

[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions

[2010.09.14 16:26:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\home2@tomtom.com

[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions

[2010.05.16 16:25:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2010.01.28 16:38:22 | 000,002,163 | ---- | M] () -- C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\fpfic1w3.default\searchplugins\bing.xml

[2011.12.08 17:40:44 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions

[2011.11.30 17:16:22 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2011.05.04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

[2011.10.23 15:22:24 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml

[2011.10.23 15:22:24 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2011.10.23 15:22:24 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml

[2011.10.23 15:22:24 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml

[2009.03.04 15:02:37 | 000,000,897 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.png

[2009.03.04 15:02:37 | 000,001,015 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.src

[2011.10.23 15:22:24 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml

[2011.10.23 15:22:24 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

 

O1 HOSTS File: ([2011.12.28 21:48:45 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1       localhost

O2 - BHO: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (oldieradio Toolbar) - {27AF7ECC-B892-4D54-BA3F-7DED7DD856B9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)

O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)

O4 - HKLM..\Run: [IATSKY] C:\Programme\i@Sky WIC\iatsky.exe ()

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript File not found

O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)

O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)

O4 - Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StarOffice 9.lnk = C:\Programme\Sun\StarOffice 9\program\quickstart.exe ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} hxxp://download.microsoft.com/download/2/2/0/220618B3-3606-4E70-B625-231BF31E1085/VirtualEarth3D.cab (SentinelProxy Class)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{305DF18F-832F-408A-B8B0-5A4F3A4E9C51}: DhcpNameServer = 192.168.2.1

O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 
 ========== Files/Folders - Created Within 30 Days ==========

 

[2011.12.29 08:52:38 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\*****\Desktop\OTL.exe

[2011.12.28 22:09:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET

[2011.12.28 22:09:26 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET

[2011.12.28 21:52:29 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2011.12.28 21:51:58 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Local\temp

[2011.12.28 21:48:44 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2011.12.28 21:39:08 | 000,000,000 | ---D | C] -- C:\ComboFix

[2011.12.28 09:01:12 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2011.12.28 08:44:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2011.12.28 08:44:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2011.12.28 08:44:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2011.12.28 08:43:28 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2011.12.28 08:43:25 | 000,000,000 | ---D | C] -- C:\Qoobox

[2011.12.26 19:22:07 | 000,000,000 | ---D | C] -- C:\FRST

[2011.12.26 13:44:44 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Malwarebytes

[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2011.12.26 13:44:05 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2011.12.26 13:44:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2011.12.16 03:02:28 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

[2011.12.16 03:02:27 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll

[2011.12.16 03:02:27 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll

[2011.12.16 03:02:26 | 001,798,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll

[2011.12.16 03:02:26 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2011.12.16 03:02:23 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl

[2011.12.15 13:05:04 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe

[2011.12.15 13:05:04 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe

[2011.12.15 13:05:03 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll

[2011.12.15 13:04:54 | 002,043,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2011.12.15 13:04:51 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll

[2011.12.15 13:04:47 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll

[2011.12.08 19:56:35 | 000,000,000 | ---D | C] -- C:\Users\*****\Documents\Neuer Ordner

[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 
 ========== Files - Modified Within 30 Days ==========

 

[2011.12.29 09:06:14 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2011.12.29 09:06:13 | 000,628,504 | ---- | M] () -- C:\Windows\System32\perfh007.dat

[2011.12.29 09:06:13 | 000,126,054 | ---- | M] () -- C:\Windows\System32\perfc007.dat

[2011.12.29 09:06:13 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2011.12.29 08:58:51 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2011.12.29 08:58:42 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2011.12.29 08:58:41 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2011.12.29 08:58:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2011.12.29 08:58:26 | 1073,012,736 | -HS- | M] () -- C:\hiberfil.sys

[2011.12.28 23:12:01 | 000,001,112 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2011.12.28 21:48:45 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2011.12.26 12:25:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\*****\Desktop\OTL.exe

[2011.12.20 10:10:03 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk

[2011.12.18 11:17:09 | 000,014,805 | ---- | M] () -- C:\Users\*****\Documents\Hilfe für die Tafeln.odt

[2011.12.16 03:23:03 | 000,247,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2011.12.10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 
 ========== Files Created - No Company Name ==========

 

[2011.12.28 08:56:08 | 1073,012,736 | -HS- | C] () -- C:\hiberfil.sys

[2011.12.28 08:44:09 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2011.12.28 08:44:09 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2011.12.28 08:44:09 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2011.12.28 08:44:09 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2011.12.28 08:44:09 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2011.12.08 17:06:50 | 000,001,895 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk

[2010.01.11 10:53:33 | 000,023,689 | ---- | C] () -- C:\Windows\hpqins15.dat

[2009.12.09 15:57:15 | 000,078,213 | ---- | C] () -- C:\Windows\hpqins05.dat

[2009.10.19 10:25:05 | 000,166,714 | ---- | C] () -- C:\Windows\hphins28.dat

[2009.09.24 15:56:48 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2009.09.24 15:56:46 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009.01.04 22:30:34 | 000,000,939 | ---- | C] () -- C:\Windows\hphmdl28.dat

[2008.10.26 11:44:55 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

[2008.08.14 19:53:24 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat

[2008.08.07 09:38:45 | 000,040,960 | ---- | C] () -- C:\Users\*****\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007.04.27 09:43:58 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll

[2006.11.02 16:33:31 | 000,628,504 | ---- | C] () -- C:\Windows\System32\perfh007.dat

[2006.11.02 16:33:31 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat

[2006.11.02 16:33:31 | 000,126,054 | ---- | C] () -- C:\Windows\System32\perfc007.dat

[2006.11.02 16:33:31 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat

[2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat

[2006.11.02 13:47:37 | 000,247,328 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT

[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006.11.02 11:33:01 | 000,595,798 | ---- | C] () -- C:\Windows\System32\perfh009.dat

[2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat

[2006.11.02 11:33:01 | 000,103,872 | ---- | C] () -- C:\Windows\System32\perfc009.dat

[2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat

[2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat

[2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT

[2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
 

< End of report >

Extra.txt

Code:

OTL Extras logfile created on: 29.12.2011 09:04:43 - Run 3

OTL by OldTimer - Version 3.2.31.0     Folder = C:\Users\*****\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

1022,58 Mb Total Physical Memory | 312,77 Mb Available Physical Memory | 30,59% Memory free

2,26 Gb Paging File | 1,31 Gb Available in Paging File | 57,96% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 232,88 Gb Total Space | 166,14 Gb Free Space | 71,34% Space Free | Partition Type: NTFS

 

Computer Name: **********-PC | User Name: ***** | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 
 ========== Extra Registry (SafeList) ==========

 

 
 ========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

 

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

 
 ========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

 
 ========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"UpdatesDisableNotify" = 0

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

 
 ========== System Restore Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

 
 ========== Firewall Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

"DoNotAllowExceptions" = 1

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

 
 ========== Authorized Applications List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

 

 
 ========== Vista Active Open Ports Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{17C14F61-0F2B-49EC-A322-074EF844F1B2}" = rport=445 | protocol=6 | dir=out | app=system | 

"{1C9D236D-8EC3-48FB-BC08-11F5EF56A01C}" = rport=137 | protocol=17 | dir=out | app=system | 

"{477CD86D-32EF-4AB4-8918-A1C5F474C4C9}" = lport=138 | protocol=17 | dir=in | app=system | 

"{924EF069-4563-48EF-8494-96040CC0B0CC}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 

"{AFF5653B-116E-4E1A-99BB-3BB36E6E0D0B}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 

"{BC9596A3-ECB4-43FF-992F-F29DFB7CD235}" = lport=445 | protocol=6 | dir=in | app=system | 

"{C3C9ABB9-C12C-481E-AAFC-CBD40420C987}" = rport=138 | protocol=17 | dir=out | app=system | 

"{C5209DAB-A2C2-4AA2-8164-4CA4C842054C}" = rport=139 | protocol=6 | dir=out | app=system | 

"{C54ED09C-754A-4E45-BCDF-70EA461AB808}" = lport=137 | protocol=17 | dir=in | app=system | 

"{D4153DE5-5564-45BF-AEF3-AF525ED1D1C1}" = lport=139 | protocol=6 | dir=in | app=system | 

 
 ========== Vista Active Application Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{1A8572B5-7404-4676-9890-B45F349CEAE6}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 

"{1C9FBDB3-13B6-4288-B8E2-72AF685553E5}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 

"{2BFC9ABA-5FF1-4897-9DD0-760864561709}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\videospin.exe | 

"{3A5F845A-98AB-41DF-8F7B-917F3551C51E}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgpc01.exe | 

"{4212881F-FAD3-47C5-A0B9-50DF4A5F4EBD}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgh.exe | 

"{4A010968-4CB3-435D-B683-FC987F8282F8}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\pmsregisterfile.exe | 

"{4CD67718-DBD4-4972-B812-A28C1046F4B4}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\rm.exe | 

"{516908AA-CAD2-45F2-87E2-C22BC1907B27}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\umi.exe | 

"{63233D3C-FE1E-4BAD-AD63-B04F35E403A9}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgm.exe | 

"{69CA36D7-B3D4-4E42-BDE4-5B9C20FF5CB6}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe | 

"{79CC9096-DA97-49C8-8FF2-355786A23224}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe | 

"{84EBA8D5-2F52-41A5-AEB6-74F119723051}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\videospin.exe | 

"{904DE6D0-E395-41D6-903F-DC28E213E4FE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe | 

"{963866C4-18C0-491E-B9FD-8EF867089093}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\pmsregisterfile.exe | 

"{A4084200-BB83-4765-B5DB-2F18546E0892}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 

"{A60D3F24-13AB-4681-B8DE-9B473A679004}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqsudi.exe | 

"{AD4329DC-BFE4-46FF-BC7C-EC406772ED67}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe | 

"{B1A5EBCE-9495-4BDF-AE18-6F2324BD3BE2}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe | 

"{BE5C8B59-9ABE-47E5-BF9B-8658C558F8E1}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgplgtupl.exe | 

"{C4489853-F862-48BB-847D-210B11775917}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe | 

"{C6B8ED21-7450-47F4-B5C9-DB0CF3FE4805}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 

"{D0745ECA-E966-43BF-A8CD-71056172E7A5}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe | 

"{D15FCDCB-1F1D-4F05-90AC-5268786624DA}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe | 

"{D75CF46D-8290-4047-A886-5BA13FE48195}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\umi.exe | 

"{EF7ACF3A-866F-4C8E-A431-7C801FCBD982}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\rm.exe | 

"{F85C1478-9F0A-4F49-A515-B6DCFAA692C8}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe | 

"TCP Query User{3B2BFD05-5ECF-4AC9-92FD-00045513F031}C:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe" = protocol=6 | dir=in | app=c:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe | 

"UDP Query User{4462429D-E8E2-4CF3-8640-CF72DAB35BB0}C:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe" = protocol=17 | dir=in | app=c:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe | 

 
 ========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status

"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu

"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg

"{0E37765E-45AE-4830-A12C-E5DADD758472}" = HP Photosmart D5400 Printer Driver Software 12.0 Rel .3

"{16D0F2D2-242C-4885-BEF1-4B1655C141AE}" = Bing Bar

"{18613ADB-2125-4C71-BBD7-D56136683509}" = MAGIX Audio Cleaning Lab 17 deluxe

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool

"{20EFC9AA-BBC1-4DFD-81FF-99654F71CBF8}" = HPPhotoSmartDiscLabel_PrintOnDisc

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 26

"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in

"{2A329FB6-389D-4396-A974-29656D6864AE}" = MarketResearch

"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D

"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm

"{304D416E-CCA6-A949-A728-19702A085FC1}" = simfy

"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7

"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter

"{4D304678-738E-42a0-931A-2B022F49DEB8}" = TrayApp

"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport

"{54C7CFA4-9DDD-40c7-A58F-AF0E7916848C}" = HPPhotoGadget

"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2

"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1

"{6EED4269-588D-45b8-A80C-26A9CA62EE4E}" = HPSSupply

"{70AA9B4F-64F7-4B0D-ADD8-05802D61AF72}" = Windows Live Toolbar

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert

"{850C7BD3-9F3F-46AD-9396-E7985B38C55E}" = Windows Live Fotogalerie

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)

"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update

"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules

"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting

"{915B97D7-585F-48DE-9E62-47F916514854}" = D5400

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{A7496F46-78AE-4DB2-BCF5-95F210FA6F96}" = Windows Live Movie Maker

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox

"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.7 - Deutsch

"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9

"{B28635AB-1DF3-4F07-BFEA-975D911B549B}" = hpphotosmartdisclabelplugin

"{BCE46757-7674-4416-BEDB-68205A60409E}" = CanoScan Toolbox Ver4.1

"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)

"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant

"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail

"{C5E4D0D0-EACC-4013-B48D-C3F104F21DCD}" = StarOffice 9

"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials

"{CDC7F188-3A08-45C3-8C3C-99BE32911949}" = Photo Transport

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential

"{D9D8F2CF-FE2D-4644-9762-01F916FE90A9}" = HPPhotoSmartDiscLabel_PaperLabel

"{DD133F7D-E484-45B7-BBB9-828FCA45BBDB}" = i@Sky WIC

"{DDD5104F-1C44-49EB-9E6B-29EC5D27658B}" = HP Update

"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer

"{E192A201-E9B4-406A-82D5-7886F3BB63D5}" = PS_SF_03_D5400_Software_Min

"{EFCEF949-9821-4759-A573-3EB8C857DF46}" = Windows Live Family Safety

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}" = Pinnacle TVCenter Pro

"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack

"{F769B78E-FF0E-4db5-95E2-9F4C8D6352FE}" = DeviceDiscovery

"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR

"{FF34AF1C-705B-424A-A850-1A1F61D6EB71}" = MAGIX Speed 2 (MSI)

"{FF872023-6648-42AF-9A07-1E6F55FE7291}" = ESET NOD32 Antivirus

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11

"AVIConverter" = AVIConverter 4.0.1

"ESET Online Scanner" = ESET Online Scanner v3

"HP Imaging Device Functions" = HP Imaging Device Functions 12.0

"HP Photosmart Essential" = HP Photosmart Essential 3.5

"HP Smart Web Printing" = HP Smart Web Printing 4.60

"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0

"HPExtendedCapabilities" = HP Customer Participation Program 12.0

"i@Sky WIC" = i@Sky WIC

"MAGIX_MSI_mclab_17dlx" = MAGIX Audio Cleaning Lab 17 deluxe

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.60.0.1800

"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack

"Mozilla Firefox 8.0.1 (x86 de)" = Mozilla Firefox 8.0.1 (x86 de)

"Mozilla Thunderbird (8.0)" = Mozilla Thunderbird (8.0)

"oldieradio Toolbar" = oldieradio Toolbar

"Shop for HP Supplies" = Shop for HP Supplies

"Simfy" = simfy

"TomTom HOME" = TomTom HOME 2.8.2.2264

"TrueCrypt" = TrueCrypt

"WinLiveSuite_Wave3" = Windows Live Essentials

 
 ========== Last 10 Event Log Errors ==========

 

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

 

< End of report >

MBAM.log

Code:

Malwarebytes Anti-Malware (Test) 1.60.0.1800

www.malwarebytes.org
 

Datenbank Version: v2011.12.29.01
 

Windows Vista Service Pack 2 x86 FAT32

Internet Explorer 9.0.8112.16421

***** :: *****-PC [Administrator]
 

Schutz: Aktiviert
 

29.12.2011 09:19:05

mbam-log-2011-12-29 (09-19-05).txt
 

Art des Suchlaufs: Quick-Scan

Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM

Deaktivierte Suchlaufeinstellungen: P2P

Durchsuchte Objekte: 173236

Laufzeit: 4 Minute(n), 26 Sekunde(n)
 

Infizierte Speicherprozesse: 0

(Keine bösartigen Objekte gefunden)
 

Infizierte Speichermodule: 0

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungsschlüssel: 0

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungswerte: 0

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateiobjekte der Registrierung: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|HideIcons (PUM.Hidden.Desktop) -> Bösartig: (1) Gut: (0) -> Erfolgreich ersetzt und in Quarantäne gestellt.
 

Infizierte Verzeichnisse: 0

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateien: 0

(Keine bösartigen Objekte gefunden)
 

(Ende)

Das Ergebnis von ESET kann ich heute leider noch nicht posten, da ich den Scan heute nicht mehr durchführen kann. Der Rechner läuft auch nach weiterer Beobachtung sehr gut. Vielen Dank!

Viele Grüße
\Lars

Hallo Daniel,

so, nachdem ich von meiner Dienstreise zurück bin, das Logfile des Eset Online Scanners:

log.txt

Code:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=48b92997e3bf4642ab21f15da6350dc2

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-12-31 12:06:30

# local_time=2011-12-31 01:06:30 (+0100, Mitteleurop‰ische Zeit)

# country="Germany"

# lang=1031

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=5892 16776573 100 100 6278 162861474 0 0

# compatibility_mode=8204 39157181 100 85 46438 8639512 0 0

# scanned=131459

# found=0

# cleaned=0

# scan_time=4443

# nod_component=V3 Build:0x30000000

Er hat keine Merkwürdigkeiten mehr gefunden. :abklatsch: Nochmals vielen Dank und dir einen guten Rutsch ins neue Jahr!

Viele Grüße
\Lars

Well done. Bitte folge diesen letzten paar Schritten.

Deinstalliere bitte deine aktuelle Version von Adobe Reader
Start--> Systemsteuerung--> Software--> Adobe Reader
und lade dir die neue Version von Hier herunter-
Entferne den Hacken für den McAfee SecurityScan bzw. Google Chrome.

Dein Java ist nicht mehr aktuell. Älter Versionen enthalten Sicherheitslücken, die von Malware missbraucht werden können.

Downloade dir bitte die neueste Java-Version von hier
Speichere die jxpiinstall.exe
Schließe alle laufenden Programme. Speziell deinen Browser.
Starte die jxpiinstall.exe. Diese wird den Installer für die neueste Java Version ( Java 6 Update 30 ) herunter laden.
Wenn die installation beendet wurde
Start --> Systemsteuerung --> Programme und deinstalliere alle älteren Java Versionen.
Starte deinen Rechner neu sobald alle älteren Versionen deinstalliert wurden.

Nach dem Neustart

Öffne erneut die Systemsteuerung --> Programme und klicke auf das Java Symbol.
Im Reiter Allgemein, klicke unter Temporäre Internetdateien auf Einstellungen.
Klicke auf Dateien löschen....
Gehe sicher das überall ein Hacken gesetzt ist und klicke OK.
Klicke erneut OK.

Bitte vor der folgenden Aktion wieder temporär Antivirus-Programm, evtl. vorhandenes Skript-Blocking und Anti-Malware Programme deaktivieren.

Windows-Taste + R drücke. Kopiere nun folgende Zeile in die Kommandozeile und klicke OK.

Code:

Combofix /Uninstall

http://larusso.trojaner-board.de/Images/CFuninstall.jpg

Damit wird Combofix komplett entfernt und der Cache der Systemwiederherstellung geleert, damit auch aus dieser die Schädlinge verschwinden.

Nun die eben deaktivierten Programme wieder aktivieren.

Starte bitte OTL und klicke auf Bereinigung.
Dies wird die meisten Tools entfernen, die wir zur Bereinigung benötigt haben. Sollte etwas bestehen bleiben, bitte mit Rechtsklick --> Löschen entfernen.

Hier noch ein paar Tipps zur Absicherung deines Systems.

Ich kann garnicht zu oft erwähnen, wie wichtig es ist, dass dein System Up to Date ist.

Bitte überprüfe ob dein System Windows Updates automatisch herunter lädt
Windows Updates
- Windows XP: Start --> Systemsteuerung --> Doppelklick auf Automatische Updates
- Windows Vista / 7: Start --> Systemsteuerung --> System und Sicherheit --> Automatische Updates aktivieren oder deaktivieren
Gehe sicher das die automatischen Updates aktiviert sind.
Software Updates
Installierte Software kann ebenfalls Sicherheitslücken haben, welche Malware nutzen kann, um dein System zu infizieren.
Um deine Installierte Software up to date zu halten, empfehle ich dir Secunia Online Software.

Anti- Viren Software

Gehe sicher immer eine Anti Viren Software installiert zu haben und das diese auch up to date ist. Es ist nämlich nutzlos wenn diese out of date sind.

Zusätzlicher Schutz

MalwareBytes Anti Malware
Dies ist eines der besten Anti-Malware Tools auf dem Markt. Es ist ein On- Demond Scan Tool welches viele aktuelle Malware erkennt und auch entfernt.
Update das Tool und lass es einmal in der Woche laufen. Die Kaufversion biete zudem noch einen Hintergrundwächter.
Ein Tutorial zur Verwendung findest Du hier.
WinPatrol
Diese Software macht einen Snapshot deines Systems und warnt dich vor eventuellen Änderungen. Downloade dir die Freeware Version von hier.

Sicheres Browsen

SpywareBlaster
Eine kurze Einführung findest du Hier
MVPs hosts file
Ein Tutorial findest Du hier. Leider habe ich bis jetzt kein deutschsprachiges gefunden.
WOT (Web of trust)
Dieses AddOn warnt Dich bevor Du eine als schädlich gemeldete Seite besuchst.

Alternative Browser

Andere Browser tendieren zu etwas mehr Sicherheit als der IE, da diese keine Active X Elemente verwenden. Diese können von Spyware zur Infektion deines Systems missbraucht werden.

Opera
Mozilla Firefox.
- Hinweis: Für diesen Browser habe ich hier ein paar nützliche Add Ons
- NoScript
  Dieses AddOn blockt JavaScript, Java and Flash und andere Plugins. Sie werden nur dann ausgeführt wenn Du es bestätigst.
- AdblockPlus
  Dieses AddOn blockt die meisten Werbung von selbst. Ein Rechtsklick auf den Banner um diesen zu AdBlockPlus hinzu zu fügen reicht und dieser wird nicht mehr geladen.
  Es spart ausserdem Downloadkapazität.

Performance
Bereinige regelmäßig deine Temp Files. Ich empfehle hierzu TFC
Halte dich fern von jedlichen Registry Cleanern.
Diese Schaden deinem System mehr als sie helfen. Hier ein paar ( englishe ) Links
Miekemoes Blogspot ( MVP )
Bill Castner ( MVP )

Don'ts

Klicke nicht auf alles nur weil es Dich dazu auffordert und schön bunt ist.
verwende keine peer to peer oder Filesharing Software (Emule, uTorrent,..)
Lass die Finger von Cracks, Keygens, Serials oder anderer illegaler Software.
Öffne keine Anhänge von Dir nicht bekannten Emails. Achte vor allem auf die Dateiendung wie zb deinFoto.jpg.exe

Nun bleibt mir nur noch dir viel Spass beim sicheren Surfen zu wünschen.

Hinweis: Bitte gib mir eine kurze Rückmeldung wenn alles erledigt ist und keine Fragen mehr vorhanden sind, so das ich diesen Thread aus meinen Abos löschen kann.

Hallo Daniel,

ich habe die abschließenden Schritte heute auf dem Rechner durchgeführt und alles hat wunderbar geklappt! :-)

Dir nochmal ganz vielen Dank für deine Unterstützung! Ich hoffe, dass ich das System einigermaßen aktuell halten kann, da ich nur alle paar Wochen einmal einen kurzen Blick auf den Rechner werfen kann.

Viele Grüße
\Lars

Froh das wir helfen konnten :abklatsch:

Dieses Thema scheint erledigt und wird aus meinen Abos gelöscht. Solltest Du das Thema erneut brauchen schicke mir bitte eine PM.

Jeder andere bitte hier klicken und einen eigenen Thread erstellen