So much for now: Code:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Datenbank Version: 6233
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019
01.04.2011 11:09:26
mbam-log-2011-04-01 (11-09-26).txt
Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 151973
Laufzeit: 6 Minute(n), 46 Sekunde(n)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 10
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
c:\Users\XXX\AppData\Local\Temp\setup1431040.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\XXX\AppData\Local\Temp\setup1381849792.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\XXX\AppData\Local\Temp\DE37.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\XXX\AppData\Local\Temp\nrsmcowxae.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\XXX\AppData\Local\Temp\setup1476921600.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\XXX\AppData\Local\Temp\setup2497090432.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\XXX\AppData\Local\Temp\setup2633228608.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\XXX\AppData\Local\Temp\setup265072768.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\XXX\AppData\Local\Temp\setup3971165568.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\XXX\AppData\Local\Temp\setup4202406592.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
Code:
OTL logfile created on: 04.04.2011 01:40:45 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\XXX\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 56,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 76,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146,48 Gb Total Space | 83,75 Gb Free Space | 57,18% Space Free | Partition Type: NTFS
Drive D: | 151,60 Gb Total Space | 151,51 Gb Free Space | 99,94% Space Free | Partition Type: NTFS
Computer Name: XXX-PC | User Name: XXX | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011.04.04 01:30:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\XXX\Desktop\OTL.exe
PRC - [2011.03.24 01:26:17 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2011.02.15 03:32:52 | 001,230,704 | ---- | M] () -- C:\Programme\DivX\DivX Update\DivXUpdate.exe
PRC - [2010.11.30 14:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\msseces.exe
PRC - [2010.11.11 13:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\Antimalware\NisSrv.exe
PRC - [2010.11.11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010.10.14 23:33:52 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Users\XXX\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2009.04.11 08:28:03 | 001,233,920 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Sidebar\sidebar.exe
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 08:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008.03.11 01:00:00 | 005,296,128 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007.05.17 23:22:06 | 000,049,152 | ---- | M] (Bison Inc.) -- C:\Windows\BisonCam\BisonAPP.exe
========== Modules (SafeList) ==========
MOD - [2011.04.04 01:30:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\XXX\Desktop\OTL.exe
MOD - [2010.08.31 17:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
MOD - [2010.05.04 21:13:07 | 000,231,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msshsq.dll
MOD - [2009.04.11 08:28:24 | 000,380,416 | ---- | M] (Microsoft Corporation) -- C:\Programme\Common Files\microsoft shared\ink\tiptsf.dll
MOD - [2008.01.19 09:34:07 | 000,183,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\duser.dll
========== Win32 Services (SafeList) ==========
SRV - [2011.03.30 22:48:05 | 003,229,784 | ---- | M] () [Auto | Running] -- c:\Programme\Common Files\Akamai\netsession_win_a35e6b9.dll -- (Akamai)
SRV - [2010.11.11 13:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2010.11.11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008.01.19 09:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
========== Driver Services (SafeList) ==========
DRV - [2011.04.04 01:33:41 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{046E1B82-B8CF-443C-9503-E9CD6B50597C}\MpKsl4b81517a.sys -- (MpKsl4b81517a)
DRV - [2011.04.04 01:22:04 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{046E1B82-B8CF-443C-9503-E9CD6B50597C}\MpKsl45c48279.sys -- (MpKsl45c48279)
DRV - [2010.10.24 22:25:38 | 000,054,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010.10.24 22:25:38 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009.09.05 15:25:36 | 001,183,744 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007.09.04 19:51:12 | 000,114,208 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
DRV - [2007.08.24 03:16:46 | 000,783,272 | ---- | M] (Bison Electronics. Inc. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BisonCam.sys -- (Cam5603D)
DRV - [2007.07.19 02:31:00 | 007,599,776 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007.05.15 22:50:36 | 000,157,696 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007.03.15 18:46:24 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007.02.16 01:00:00 | 000,012,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2007.01.01 01:20:10 | 001,059,112 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E0 6B D0 29 D9 E5 CB 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = hxxp://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.google.com/ie
IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.selectedEngine: "Search"
FF - prefs.js..browser.startup.homepage: "google.de"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: wikilook@testpilot:2.5.5
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.1.94
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.1.94
FF - prefs.js..extensions.enabledItems: {de5809e0-2b07-11dd-bd0b-0800200c9a66}:1.2.0
FF - prefs.js..extensions.enabledItems: djziggy@gmail.com:1.1.0
FF - prefs.js..extensions.enabledItems: silvermel@pardal.de:1.3.2
FF - prefs.js..keyword.URL: "hxxp://www.slaago.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=ARcv4EGY&q="
FF - user.js..browser.search.selectedEngine: "Search"
FF - user.js..keyword.URL: "hxxp://www.slaago.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=ARcv4EGY&q="
FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011.03.20 15:32:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011.03.20 15:32:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.03.24 01:26:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.03.28 09:49:17 | 000,000,000 | ---D | M]
[2010.02.25 18:34:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXX\AppData\Roaming\mozilla\Extensions
[2011.04.03 22:48:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions
[2010.02.26 15:02:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
[2011.03.30 15:40:20 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010.02.26 14:47:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010.07.22 11:04:38 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010.07.22 11:04:36 | 000,000,000 | ---D | M] (Gradient iCool) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
[2010.02.26 15:07:18 | 000,000,000 | ---D | M] (LavaFox V1-Blue) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\djziggy@gmail.com
[2010.02.26 14:53:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\fastYoutubeDownloader@yevgenyandrov.net
[2010.02.26 14:52:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\nasanightlaunch@example.com
[2010.02.26 15:06:55 | 000,000,000 | ---D | M] (Silvermel) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\silvermel@pardal.de
[2011.03.30 15:40:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\staged-xpis
[2010.02.26 14:57:36 | 000,000,000 | ---D | M] (WikiLook) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\raofpejg.default\extensions\wikilook@testpilot
[2011.03.16 20:18:56 | 000,002,198 | ---- | M] () -- C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\raofpejg.default\searchplugins\google-search.xml
[2011.03.29 15:53:53 | 000,000,950 | ---- | M] () -- C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\raofpejg.default\searchplugins\icqplugin-1.xml
[2010.03.01 22:04:47 | 000,000,950 | ---- | M] () -- C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\raofpejg.default\searchplugins\icqplugin-2.xml
[2008.07.10 14:07:28 | 000,000,944 | ---- | M] () -- C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\raofpejg.default\searchplugins\icqplugin.xml
[2010.11.17 00:47:14 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2010.02.26 14:40:45 | 000,000,000 | ---D | M] ("ICQ Toolbar") -- C:\Programme\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2010.06.07 08:30:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.11.17 00:47:15 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011.03.20 15:32:28 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\HTML5VIDEO
[2011.03.20 15:32:28 | 000,000,000 | ---D | M] (DivX HiQ) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\WPA
[2010.02.27 13:15:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2010.09.15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.10.24 19:51:45 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.10.24 19:51:45 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.10.24 19:51:45 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.10.24 19:51:45 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.10.24 19:51:45 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2011.04.03 23:14:49 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Programme\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Programme\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BisonAPP] C:\Windows\BisonCam\BisonAPP.exe (Bison Inc.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Programme\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Programme\ICQ7.0\ICQ.exe (ICQ, LLC.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O24 - Desktop BackupWallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
========== Files/Folders - Created Within 30 Days ==========
[2011.04.04 01:37:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011.04.04 01:37:56 | 000,000,000 | ---D | C] -- C:\Programme\ERUNT
[2011.04.04 01:30:36 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\XXX\Desktop\Erunt-setup.exe
[2011.04.04 01:30:36 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\XXX\Desktop\OTL.exe
[2011.04.04 01:30:36 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\XXX\Desktop\TFC.exe
[2011.04.04 00:48:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2011.04.04 00:48:19 | 000,000,000 | ---D | C] -- C:\Programme\CCleaner
[2011.04.04 00:33:12 | 000,000,000 | ---D | C] -- C:\Users\XXX\Desktop\Programme
[2011.04.04 00:14:51 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011.04.03 23:26:14 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011.04.03 23:12:06 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Local\temp
[2011.04.03 23:12:04 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011.04.03 22:58:34 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011.04.03 22:52:03 | 000,000,000 | ---D | C] -- C:\Users\XXX\Desktop\Documents\Simply Super Software
[2011.04.01 14:03:03 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011.04.01 11:00:02 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Roaming\Malwarebytes
[2011.04.01 10:59:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.04.01 10:59:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011.04.01 10:59:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011.04.01 10:59:52 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011.04.01 10:59:51 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2011.03.22 22:14:21 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Roaming\Media Player Classic
[2011.03.21 23:45:38 | 000,000,000 | ---D | C] -- C:\Programme\Yuna Software
[2011.03.20 15:37:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DivX
[2011.03.20 15:33:15 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Local\DDMSettings
[2011.03.10 14:20:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011.03.10 14:19:37 | 000,000,000 | ---D | C] -- C:\Programme\iPod
[2011.03.10 14:19:35 | 000,000,000 | ---D | C] -- C:\Programme\iTunes
[2011.03.10 14:13:55 | 000,000,000 | ---D | C] -- C:\Programme\Bonjour
[2011.03.05 14:33:30 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\MCE Logs
========== Files - Modified Within 30 Days ==========
[2011.04.04 01:38:00 | 000,001,134 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-328560254-4191133697-2808687225-1000UA.job
[2011.04.04 01:37:58 | 000,000,739 | ---- | M] () -- C:\Users\XXX\Desktop\NTREGOPT.lnk
[2011.04.04 01:37:58 | 000,000,720 | ---- | M] () -- C:\Users\XXX\Desktop\ERUNT.lnk
[2011.04.04 01:35:41 | 000,000,000 | ---- | M] () -- C:\Users\XXX\defogger_reenable
[2011.04.04 01:33:29 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.04.04 01:33:27 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.04.04 01:33:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.04.04 01:33:10 | 2146,328,576 | -HS- | M] () -- C:\hiberfil.sys
[2011.04.04 01:30:47 | 000,301,568 | ---- | M] () -- C:\Users\XXX\Desktop\g2m3e4r.exe
[2011.04.04 01:30:45 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\XXX\Desktop\Erunt-setup.exe
[2011.04.04 01:30:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\XXX\Desktop\OTL.exe
[2011.04.04 01:30:43 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\XXX\Desktop\TFC.exe
[2011.04.04 01:15:41 | 000,050,477 | ---- | M] () -- C:\Users\XXX\Desktop\Defogger.exe
[2011.04.04 01:09:41 | 003,603,600 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011.04.04 00:48:21 | 000,000,810 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011.04.04 00:32:28 | 000,000,680 | ---- | M] () -- C:\Users\XXX\AppData\Local\d3d9caps.dat
[2011.04.03 23:38:00 | 000,001,082 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-328560254-4191133697-2808687225-1000Core.job
[2011.04.03 23:14:49 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011.04.01 10:59:58 | 000,000,912 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.04.01 08:31:03 | 000,027,715 | ---- | M] () -- C:\Users\XXX\AppData\Roaming\nvModes.dat
[2011.04.01 08:31:02 | 000,027,715 | ---- | M] () -- C:\Users\XXX\AppData\Roaming\nvModes.001
[2011.03.31 17:14:19 | 000,630,842 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.03.31 17:14:19 | 000,598,096 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.03.31 17:14:19 | 000,127,260 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.03.31 17:14:19 | 000,105,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.03.31 17:05:30 | 000,002,560 | ---- | M] () -- C:\Windows\_MSRSTRT.EXE
[2011.03.31 16:40:42 | 051,435,480 | ---- | M] () -- C:\Users\XXX\Desktop\Documents\avira_antivir_635personal_de.exe
[2011.03.30 15:21:45 | 000,010,383 | ---- | M] () -- C:\Users\XXX\Desktop\Documents\Unbenannt 1.odt
[2011.03.27 05:38:33 | 000,002,068 | ---- | M] () -- C:\Users\XXX\Desktop\Google Chrome.lnk
[2011.03.22 03:22:12 | 000,043,520 | ---- | M] () -- C:\Users\XXX\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.03.20 18:46:33 | 000,049,595 | ---- | M] () -- C:\Windows\KernelMessage
[2011.03.14 21:08:06 | 000,009,065 | ---- | M] () -- C:\Users\XXX\Desktop\Documents\Pädagogik.odt
[2011.03.13 13:36:01 | 000,009,241 | ---- | M] () -- C:\Users\XXX\Desktop\Anleitung.html
[2011.03.10 23:04:58 | 000,018,627 | ---- | M] () -- C:\Users\XXX\Desktop\Documents\Praktikumsbericht.odt
[2011.03.10 14:20:44 | 000,001,670 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011.03.10 14:14:21 | 000,001,854 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
[2011.03.08 14:56:43 | 000,008,206 | ---- | M] () -- C:\Users\XXX\Desktop\Documents\remy.odt
[2011.03.07 23:48:04 | 000,024,398 | ---- | M] () -- C:\Users\XXX\Desktop\Documents\Handout Sturm und Drang.odt
========== Files Created - No Company Name ==========
[2011.04.04 01:37:58 | 000,000,739 | ---- | C] () -- C:\Users\XXX\Desktop\NTREGOPT.lnk
[2011.04.04 01:37:58 | 000,000,720 | ---- | C] () -- C:\Users\XXX\Desktop\ERUNT.lnk
[2011.04.04 01:35:41 | 000,000,000 | ---- | C] () -- C:\Users\XXX\Hof\defogger_reenable
[2011.04.04 01:30:36 | 000,301,568 | ---- | C] () -- C:\Users\XXX\Desktop\g2m3e4r.exe
[2011.04.04 01:15:40 | 000,050,477 | ---- | C] () -- C:\Users\XXX\Desktop\Defogger.exe
[2011.04.04 00:48:21 | 000,000,810 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011.04.03 22:51:46 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2011.04.03 22:51:46 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
[2011.04.03 22:51:46 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2011.04.03 22:51:46 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2011.04.01 10:59:58 | 000,000,912 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.03.31 17:05:27 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
[2011.03.31 16:40:02 | 051,435,480 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\avira_antivir_635personal_de.exe
[2011.03.30 15:21:43 | 000,010,383 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\Unbenannt 1.odt
[2011.03.20 15:52:20 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2011.03.14 21:08:04 | 000,009,065 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\Pädagogik.odt
[2011.03.13 13:41:20 | 000,009,241 | ---- | C] () -- C:\Users\XXX\Desktop\Anleitung.html
[2011.03.10 16:08:28 | 000,140,168 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\Lebenslauf.odt
[2011.03.10 16:08:28 | 000,096,360 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\Stundenprotokoll.odt
[2011.03.10 16:08:28 | 000,012,885 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\Kurze Zusammenfassung.odt
[2011.03.10 16:08:23 | 110,068,396 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\He's alltime around whereever you are.wmv
[2011.03.10 16:08:22 | 001,598,454 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\bild2.bmp
[2011.03.10 16:08:22 | 001,012,022 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\bild1.bmp
[2011.03.10 16:08:22 | 000,019,495 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\Bewerbung Schule.odt
[2011.03.10 14:20:44 | 000,001,670 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011.03.08 14:56:41 | 000,008,206 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\remy.odt
[2011.03.07 23:48:02 | 000,024,398 | ---- | C] () -- C:\Users\XXX\Desktop\Documents\Handout Sturm und Drang.odt
[2010.05.29 13:59:33 | 000,173,911 | ---- | C] () -- C:\Windows\hpwins12.dat
[2010.05.29 13:57:49 | 000,009,842 | ---- | C] () -- C:\Windows\hpwscr12.dat
[2010.05.29 13:57:49 | 000,000,981 | ---- | C] () -- C:\Windows\hpwmdl12.dat
[2010.03.08 23:09:00 | 000,043,520 | ---- | C] () -- C:\Users\XXX\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.03.08 16:39:11 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2010.03.07 17:52:31 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010.03.07 17:52:31 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2010.02.26 13:39:06 | 000,027,715 | ---- | C] () -- C:\Users\XXX\AppData\Roaming\nvModes.001
[2010.02.26 12:54:53 | 000,027,715 | ---- | C] () -- C:\Users\XXX\AppData\Roaming\nvModes.dat
[2007.01.04 02:18:59 | 000,000,680 | ---- | C] () -- C:\Users\XXX\AppData\Local\d3d9caps.dat
[2007.01.01 01:50:19 | 000,000,588 | ---- | C] () -- C:\Windows\System32\drivers\RtMicAr.dat
[2007.01.01 01:43:52 | 000,015,190 | ---- | C] () -- C:\Windows\M2000Twn.ini
[2007.01.01 01:21:43 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2007.01.01 01:21:31 | 000,001,732 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2006.11.02 17:33:31 | 000,630,842 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2006.11.02 17:33:31 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2006.11.02 17:33:31 | 000,127,260 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2006.11.02 17:33:31 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2006.11.02 14:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 14:47:37 | 003,603,600 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 12:33:01 | 000,598,096 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 12:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 12:33:01 | 000,105,070 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 12:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 12:25:26 | 000,557,568 | ---- | C] () -- C:\Windows\System32\hpotscl1.dll
[2006.11.02 12:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 10:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 10:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 09:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006.07.27 19:28:42 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2006.07.12 01:40:17 | 000,520,192 | ---- | C] () -- C:\Windows\System32\DivXsm.exe
[2006.07.12 00:33:49 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
========== LOP Check ==========
[2011.04.03 23:12:54 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\ICQ
[2010.04.17 02:32:06 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\OpenOffice.org
[2011.04.04 01:32:37 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010.12.16 04:22:33 | 000,000,426 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{DC8EB48D-A24C-4C61-9BBD-0479931BD5C4}.job
========== Purity Check ==========
========== Custom Scans ==========
< %SYSTEMDRIVE%\*. >
[2011.04.03 23:26:14 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN
[2011.04.04 00:14:55 | 000,000,000 | ---D | M] -- C:\32788R22FWJFW
[2010.03.17 10:03:36 | 000,000,000 | ---D | M] -- C:\Boot
[2011.03.31 16:41:57 | 000,000,000 | ---D | M] -- C:\Config.Msi
[2006.11.02 15:02:03 | 000,000,000 | -HSD | M] -- C:\Documents and Settings
[2007.01.04 02:16:51 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen
[2007.01.01 01:38:25 | 000,000,000 | ---D | M] -- C:\NVIDIA
[2010.03.07 13:27:24 | 000,000,000 | ---D | M] -- C:\PerfLogs
[2011.04.04 01:37:56 | 000,000,000 | R--D | M] -- C:\Programme
[2011.04.03 23:20:45 | 000,000,000 | ---D | M] -- C:\ProgramData
[2007.01.04 02:16:51 | 000,000,000 | -HSD | M] -- C:\Programme
[2011.04.04 01:41:39 | 000,000,000 | -HSD | M] -- C:\System Volume Information
[2007.01.04 02:18:57 | 000,000,000 | R--D | M] -- C:\Users
[2011.04.04 01:08:50 | 000,000,000 | ---D | M] -- C:\Windows
< %PROGRAMFILES%\*.exe >
< %LOCALAPPDATA%\*.exe >
< %systemroot%\*. /mp /s >
< MD5 for: EXPLORER.EXE >
[2010.02.26 13:07:05 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2010.02.26 13:07:04 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2010.02.26 13:07:04 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2010.02.26 15:34:04 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2010.02.26 15:34:04 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\ERDNT\cache\explorer.exe
[2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2010.02.26 13:07:04 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006.11.02 11:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2008.01.19 09:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
< MD5 for: USERINIT.EXE >
[2008.01.19 09:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008.01.19 09:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008.01.19 09:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2006.11.02 11:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe
< MD5 for: WININIT.EXE >
[2008.01.19 09:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\ERDNT\cache\wininit.exe
[2008.01.19 09:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe
[2008.01.19 09:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[2006.11.02 11:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
< MD5 for: WINLOGON.EXE >
[2009.04.11 08:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009.04.11 08:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009.04.11 08:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2006.11.02 11:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2008.01.19 09:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-03-24 18:42:11
========== Alternate Data Streams ==========
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:C895616B
< End of report >
OTL Extras logfile created on: 04.04.2011 01:40:45 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\XXX\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 56,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 76,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146,48 Gb Total Space | 83,75 Gb Free Space | 57,18% Space Free | Partition Type: NTFS
Drive D: | 151,60 Gb Total Space | 151,51 Gb Free Space | 99,94% Space Free | Partition Type: NTFS
Computer Name: XXX | User Name: XXX | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{10742AF8-2AA7-49A0-9997-F9D85ADE06D5}" = rport=139 | protocol=6 | dir=out | app=system |
"{1135FA2B-2D2A-4AA7-A6B4-67E5E59ABE9B}" = lport=138 | protocol=17 | dir=in | app=system |
"{137E5F09-3F24-4453-AA91-AF1680B9EC37}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{16822AEC-3D80-4AA5-B704-30A7DCC948EF}" = lport=49163 | protocol=6 | dir=in | name=akamai netsession interface |
"{1A44E664-B94B-4D48-8461-B3A19D6F4F81}" = lport=445 | protocol=6 | dir=in | app=system |
"{2034DD3C-7779-472A-8B59-F18B0A3A0223}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{27A79B87-4FF0-4902-BDB4-84135D57385C}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{31D02CE6-C1BB-49C6-982A-FD1304709ED1}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{388340A3-3AFB-4E58-B4A0-A6810C30B4A5}" = lport=49328 | protocol=6 | dir=in | name=akamai netsession interface |
"{40DE82B2-22D4-4250-BB7A-5BC934C7CA2B}" = lport=5000 | protocol=17 | dir=in | name=akamai netsession interface |
"{5CC7D6CF-759A-4B96-8DDE-6A6AB6572E7A}" = lport=2869 | protocol=6 | dir=in | app=system |
"{5D44DB62-1DEC-4233-BB9B-CBE47B409A2F}" = lport=2869 | protocol=6 | dir=in | app=system |
"{69073A04-B7FD-426D-9AAA-8CB0C6F17D81}" = rport=445 | protocol=6 | dir=out | app=system |
"{6FCFCC70-AF7F-4C6E-AF06-E530B44CB858}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{81CCF927-5012-4C8E-A7FA-17488196D11B}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{8BA8CDF8-0080-4167-B430-974FCEAD9645}" = lport=139 | protocol=6 | dir=in | app=system |
"{8F8B2121-9AB7-4FBA-B7E8-220F85ACB3B0}" = rport=137 | protocol=17 | dir=out | app=system |
"{99D28499-D3CF-4511-A7BC-34388F58C784}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A6DB1FB2-FB7C-4D76-B590-F88C72535386}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A6F1D90C-835D-4347-932B-9711AABD9CB9}" = lport=5000 | protocol=17 | dir=in | name=akamai netsession interface |
"{B95B1953-FBF1-4A05-B5D3-4FC0D85720A8}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{BB746623-3CBF-4BA0-8480-4DCA5790A8A4}" = rport=138 | protocol=17 | dir=out | app=system |
"{BD2DE017-24A4-43EA-8F0B-3EA85CB7067A}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CF064EB9-2C51-44DA-BE41-F0D6DA0E06F3}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{D339A7AF-319C-48F1-A8AC-85A206FA7E8E}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D71EAE41-7190-4C0A-9E99-6DF0B0D8CA93}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{E1DA6662-DD6C-40E3-A205-2EC08D2FC01A}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{E5C52DCC-72C3-408F-A476-0919ABA1DFF8}" = lport=137 | protocol=17 | dir=in | app=system |
"{E7D1CB0D-10EC-4534-AD74-A1CA3A668A90}" = lport=10243 | protocol=6 | dir=in | app=system |
"{E80E4C5A-3158-476B-87DF-3AB15A4905A7}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{EE3D44A4-7934-4EF9-8023-31050641E91F}" = rport=10243 | protocol=6 | dir=out | app=system |
"{FB37903A-9B52-432C-8ED4-88B8181E2A9B}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{FFD2DB90-2C5E-4070-BED7-7B1EA884F6D6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03154D4E-D952-49A5-8A31-2861C48F186F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{05EA0306-6D90-43BA-9613-EDEA80A669BF}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{091E4D46-543F-4556-B50F-E196892EC60B}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{0BBD284A-09F0-453C-BE47-122312E6F594}" = protocol=6 | dir=in | app=c:\program files\icq7.0\icq.exe |
"{140DB9C5-FD5A-44E7-A044-A83EF457169B}" = protocol=6 | dir=in | app=c:\program files\icq7.0\aolload.exe |
"{2A5DBE9E-3A0F-4B97-A53E-E2A507DC0ACF}" = protocol=6 | dir=in | app=c:\program files\icq7.0\icq.exe |
"{2B4B34C5-D09D-400E-8531-4D7087813952}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{2D62BB05-C0F0-43B3-A13D-45889B2CF797}" = protocol=17 | dir=in | app=c:\program files\icq7.0\aolload.exe |
"{43120D8D-2DDB-48CA-91A2-3C8035C48FF0}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{43B6933F-89C1-4DD2-BDFB-28020D4BF32F}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4C05BD6E-B64C-4772-9760-EA7542F341F9}" = protocol=6 | dir=in | app=c:\program files\icq7.0\aolload.exe |
"{50DB3FC8-C552-455C-B824-295D47D770EB}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{6077E9A7-1B0A-4EEC-AF10-2C7B3EDD1786}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{7052A128-9A4C-4769-B1EA-F835AE0BF05C}" = protocol=6 | dir=out | app=system |
"{78707D3B-D1CD-4002-B6E9-1134E6BEFF54}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{7D675BFC-8128-428D-B22A-9350766DA3AE}" = protocol=17 | dir=in | app=c:\program files\icq7.0\aolload.exe |
"{7E09F44E-B3C2-473D-965A-99D7A20598D1}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{8055C730-3BD6-4E52-B262-05758938150C}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{90F847E0-32E8-471D-98B8-39588140768B}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{930F5CFF-212A-4585-B7BF-38DB54507E98}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{96AC415E-0722-491C-8D4D-4B58BBEA8E7E}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{AA97F84F-3043-40B9-BD2A-EE6FFAE0794E}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B3E1BC52-6D5D-41AD-A3FE-273944B6A53C}" = protocol=17 | dir=in | app=c:\program files\icq7.0\icq.exe |
"{BC6C779C-D8F3-4A27-A5A8-BE2AB454D17F}" = protocol=17 | dir=in | app=c:\program files\icq7.0\icq.exe |
"{BD444F93-C4B7-4569-9C6B-97289EBB0A00}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BFB7C3AF-4ED9-40AB-8740-3B782EEBC4E5}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{BFD157E4-F1F2-4A76-9BB7-D8AD74D0E50D}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{C31E1EA5-53D2-411F-9093-CFC97D3F1ACB}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{CB5EB40E-2A2F-4D23-850E-A36FF5F7C497}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E48B904A-1A8B-40CC-B3F7-AFB665EB304F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{FA7CB6FA-DAFB-4C3E-AC80-00564AF3C7FA}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"TCP Query User{7B0B0216-A56C-434B-8F09-014CBDCB48B1}C:\program files\icq7.0\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq7.0\icq.exe |
"TCP Query User{98B722AA-2A50-4D14-B106-F2B3646F45D1}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"UDP Query User{8DF30FF0-D68D-4B16-9ABD-2AC7EF0E1FDD}C:\program files\icq7.0\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq7.0\icq.exe |
"UDP Query User{E8064C10-8379-4520-874D-3AABE5424239}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00772F8B-37FF-4704-A47D-72B30BFAF126}" = MPM
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0BC4864E-72C5-472D-8692-0E5971E0BD36}" = BPDSoftware_Ini
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{10829556-7C82-4a83-8C81-F2D98472C76B}" = H470
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{192A107E-C6B9-41B9-BDBF-38E3AA226054}" = OpenOffice.org 3.2
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 22
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2A697B53-0DE3-42DA-B41D-C3F804B1C538}" = iTunes
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2CC667CD-2234-4774-A536-2757606A1031}" = Nero 8 Essentials
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A57592C-FF92-4083-97A9-92783BD5AFB4}" = Bison WebCam
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{586509F0-350D-48B5-B763-9CC2F8D96C4C}" = Windows Live Sync
"{59046D29-2E6B-4224-BF0D-64F3E7A93F7B}" = LightScribe System Software 1.10.19.1
"{5A15F754-086E-4185-96F4-0BC31F1A2382}" = HP Officejet H470 Series
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6673E0F4-D376-431b-A6F4-18D1B86B4A89}" = BPDSoftware
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B349DE1-590D-4506-B272-9115EC31F7D2}" = 470_Help
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{7782916E-3D46-4F1F-AC4B-3FB9D17049F4}" = Microsoft Antimalware Service DE-DE Language Pack
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{84ED5482-CFB0-4DD9-BF18-489FFDACD18A}" = Microsoft Antimalware Service DE-DE Language Pack
"{850C7BD3-9F3F-46AD-9396-E7985B38C55E}" = Windows Live Fotogalerie
"{859B9BCA-5376-4566-9F88-C6C9DAA7A925}" = Microsoft Security Client DE-DE Language Pack
"{88EB38EF-4D2C-436D-ABD3-56B232674062}" = ICQ7
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A71D5E81-B967-43DB-93D7-FD31BFB95748}" = MobileMe Control Panel
"{A7496F46-78AE-4DB2-BCF5-95F210FA6F96}" = Windows Live Movie Maker
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.3 - Deutsch
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AED2DD42-9853-407E-A6BC-8A1D6B715909}" = Windows Live Messenger
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{BA72A4E3-D2D0-4203-A17E-E53012B8807C}" = BPD_HPSU
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{C73F2967-062E-48F2-A462-D335B8950183}" = Safari
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D2041A37-5FEC-49F0-AE5C-3F2FFDFAA4F4}" = Windows Live Call
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{E022C318-BAC9-468D-8731-3C5EE63C7743}" = 470_Readme
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EE5F0136-2C7C-42a7-B1B0-5F12D107A0EE}" = ProductContext
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Akamai" = Akamai NetSession Interface
"APU" = CANON iMAGE GATEWAY Album Plugin Utility
"CCleaner" = CCleaner
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F10001" = HDAUDIO Soft Data Fax Modem with SmartCP
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup.divx.com" = DivX-Setup
"ERUNT_is1" = ERUNT 1.1j
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Messenger Plus!" = Messenger Plus! 5
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 03.04.2011 15:23:12 | Computer Name = XXX-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 03.04.2011 15:23:12 | Computer Name = XXX-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 193530738
Error - 03.04.2011 15:23:12 | Computer Name = XXX-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 193530738
Error - 03.04.2011 15:23:13 | Computer Name = XXX-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 03.04.2011 15:23:13 | Computer Name = XXX-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 193531799
Error - 03.04.2011 15:23:13 | Computer Name = XXX-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 193531799
Error - 03.04.2011 15:23:34 | Computer Name = XXX-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung jaucheck.exe, Version 2.0.2.4, Zeitstempel 0x4bed9a14,
fehlerhaftes Modul jaucheck.exe, Version 2.0.2.4, Zeitstempel 0x4bed9a14, Ausnahmecode
0xc0000005, Fehleroffset 0x0000c940, Prozess-ID 0x1738, Anwendungsstartzeit 01cbf2349466b010.
Error - 03.04.2011 17:26:11 | Computer Name = XXX-PC | Source = Application Hang | ID = 1002
Description = Programm Explorer.EXE, Version 6.0.6002.18005 arbeitet nicht mehr
mit Windows zusammen und wurde beendet. Überprüfen Sie den Problemverlauf im Applet
"Lösungen für Probleme" in der Systemsteuerung, um nach weiteren Informationen
über das Problem zu suchen. Prozess-ID: 1e4 Anfangszeit: 01cbf2441aa8abfe Zeitpunkt
der Beendigung: 31
Error - 03.04.2011 18:29:48 | Computer Name = XXX-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul ntdll.dll, Version 6.0.6002.18327, Zeitstempel 0x4cb73436,
Ausnahmecode 0xc000071b, Fehleroffset 0x00088d15, Prozess-ID 0x4c8, Anwendungsstartzeit
01cbf24cbac3ff04.
Error - 03.04.2011 19:20:56 | Computer Name = XXX-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung zwdzzfwr.exe, Version 1.0.15.15570, Zeitstempel
0x4d86265c, fehlerhaftes Modul zwdzzfwr.exe, Version 1.0.15.15570, Zeitstempel
0x4d86265c, Ausnahmecode 0xc0000005, Fehleroffset 0x0000c676, Prozess-ID 0x1494,
Anwendungsstartzeit 01cbf2559762680b.
[ System Events ]
Error - 03.04.2011 17:32:52 | Computer Name = XXX-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 03.04.2011 um 23:30:57 unerwartet heruntergefahren.
Error - 03.04.2011 17:34:19 | Computer Name = XXX-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 03.04.2011 18:11:01 | Computer Name = XXX-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 04.04.2011 um 00:09:28 unerwartet heruntergefahren.
Error - 03.04.2011 18:12:26 | Computer Name = XXX-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 03.04.2011 18:16:02 | Computer Name = XXX-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 04.04.2011 um 00:14:55 unerwartet heruntergefahren.
Error - 03.04.2011 18:17:31 | Computer Name = XXX-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 03.04.2011 18:32:18 | Computer Name = XXX-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 03.04.2011 19:10:38 | Computer Name = XXX-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 03.04.2011 19:31:00 | Computer Name = XXX-PC | Source = Service Control Manager | ID = 7031
Description =
Error - 03.04.2011 19:34:58 | Computer Name = XXX-PC | Source = Service Control Manager | ID = 7000
Description =
< End of report >
GMER Logfile:
GMER 1.0.15.15570 - hxxp://www.gmer.net
Rootkit scan 2011-04-04 02:22:16
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005d WDC_WD32 rev.11.0
Running: g2m3e4r.exe; Driver: C:\Users\XXX~1\AppData\Local\Temp\uflcrkob.sys
---- Kernel code sections - GMER 1.0.15 ----
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BC00380, 0x3559E2, 0xE8000020]
---- Registry - GMER 1.0.15 ----
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EDD37E20-BC7B-7D98-7A45-C2D5793867DF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EDD37E20-BC7B-7D98-7A45-C2D5793867DF}@haelllpplkkgcknj 0x6B 0x61 0x6F 0x70 ...
---- EOF - GMER 1.0.15 ----