Hi, danke werd ich gleich mal gucken, habe jetz Windows 7 neu aufgesetzt habe aber immer noch das gefühl das er noch da ist.
Habe mal alle Logs gemacht (sieht glaub ich nich so gut aus) :
OTL Code:
OTL logfile created on: 13.04.2011 22:19:13 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Deav\Desktop
Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 75,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 86,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 223,34 Gb Free Space | 95,90% Space Free | Partition Type: NTFS
Computer Name: Deav-PC | User Name: Deav | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011.04.13 22:14:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Deav\Desktop\OTL.exe
PRC - [2009.10.31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.07.14 03:14:47 | 001,121,280 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
========== Modules (SafeList) ==========
MOD - [2011.04.13 22:14:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Deav\Desktop\OTL.exe
MOD - [2010.09.08 06:28:01 | 000,163,328 | ---- | M] (Microsoft Corporation) -- C:\Programme\Internet Explorer\ieproxy.dll
MOD - [2010.08.21 07:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
MOD - [2009.07.14 03:16:16 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\Programme\Common Files\microsoft shared\ink\tiptsf.dll
========== Win32 Services (SafeList) ==========
SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
========== Driver Services (SafeList) ==========
DRV - [2009.07.14 03:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009.07.14 03:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009.07.14 03:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009.07.14 01:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009.07.14 01:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009.07.14 00:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD)
DRV - [2009.06.10 23:19:48 | 009,853,248 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
========== Files/Folders - Created Within 30 Days ==========
[2011.04.14 00:42:27 | 000,000,000 | -HSD | C] -- C:\Boot
[2011.04.14 00:00:29 | 000,000,000 | R--D | C] -- C:\Users\Deav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2011.04.14 00:00:29 | 000,000,000 | R--D | C] -- C:\Users\Deav\Searches
[2011.04.14 00:00:29 | 000,000,000 | R--D | C] -- C:\Users\Deav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011.04.14 00:00:21 | 000,000,000 | ---D | C] -- C:\Users\Deav\AppData\Roaming\Identities
[2011.04.14 00:00:20 | 000,000,000 | R--D | C] -- C:\Users\Deav\Contacts
[2011.04.14 00:00:08 | 000,000,000 | ---D | C] -- C:\Users\Deav\AppData\Local\VirtualStore
[2011.04.14 00:00:05 | 000,000,000 | --SD | C] -- C:\Users\Deav\AppData\Roaming\Microsoft
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\Videos
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\Saved Games
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\Pictures
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\Music
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\Links
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\Favorites
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\Downloads
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\Documents
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\Desktop
[2011.04.14 00:00:05 | 000,000,000 | R--D | C] -- C:\Users\Deav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Vorlagen
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\AppData\Local\Verlauf
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\AppData\Local\Temporary Internet Files
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Startmenü
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\SendTo
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Recent
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Netzwerkumgebung
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Lokale Einstellungen
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Documents\Eigene Videos
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Documents\Eigene Musik
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Eigene Dateien
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Documents\Eigene Bilder
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Druckumgebung
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Cookies
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\AppData\Local\Anwendungsdaten
[2011.04.14 00:00:05 | 000,000,000 | -HSD | C] -- C:\Users\Deav\Anwendungsdaten
[2011.04.14 00:00:05 | 000,000,000 | -H-D | C] -- C:\Users\Deav\AppData
[2011.04.14 00:00:05 | 000,000,000 | ---D | C] -- C:\Users\Deav\AppData\Local\Temp
[2011.04.14 00:00:05 | 000,000,000 | ---D | C] -- C:\Users\Deav\AppData\Local\Microsoft
[2011.04.14 00:00:05 | 000,000,000 | ---D | C] -- C:\Users\Deav\AppData\Roaming\Media Center Programs
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\ProgramData\Vorlagen
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\ProgramData\Startmenü
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\Recovery
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\Programme
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\Programme\Gemeinsame Dateien
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\ProgramData\Favoriten
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Videos
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Musik
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Bilder
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\ProgramData\Dokumente
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\ProgramData\Desktop
[2011.04.13 23:59:59 | 000,000,000 | -HSD | C] -- C:\ProgramData\Anwendungsdaten
[2011.04.13 23:59:55 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2011.04.13 23:56:33 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2011.04.13 23:56:30 | 000,000,000 | ---D | C] -- C:\Windows\CSC
[2011.04.13 22:17:16 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011.04.13 22:16:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011.04.13 22:16:47 | 000,000,000 | ---D | C] -- C:\Programme\ERUNT
[2011.04.13 22:14:27 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\Deav\Desktop\Erunt-setup.exe
[2011.04.13 22:14:27 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Deav\Desktop\OTL.exe
[2011.04.13 22:14:27 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Deav\Desktop\TFC.exe
========== Files - Modified Within 30 Days ==========
[2011.04.14 00:42:29 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2011.04.14 00:03:54 | 000,653,928 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.04.14 00:03:54 | 000,615,810 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.04.14 00:03:54 | 000,129,800 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.04.14 00:03:54 | 000,106,190 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.04.13 23:58:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.04.13 23:58:42 | 1609,474,048 | -HS- | M] () -- C:\hiberfil.sys
[2011.04.13 23:58:11 | 000,000,751 | ---- | M] () -- C:\Windows\System32\license.rtf
[2011.04.13 22:16:48 | 000,000,898 | ---- | M] () -- C:\Users\Deav\Desktop\NTREGOPT.lnk
[2011.04.13 22:16:48 | 000,000,879 | ---- | M] () -- C:\Users\Deav\Desktop\ERUNT.lnk
[2011.04.13 22:14:59 | 000,009,984 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011.04.13 22:14:59 | 000,009,984 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011.04.13 22:14:50 | 000,301,568 | ---- | M] () -- C:\Users\Deav\Desktop\g2m3e4r.exe
[2011.04.13 22:14:47 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\Deav\Desktop\Erunt-setup.exe
[2011.04.13 22:14:36 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Deav\Desktop\TFC.exe
[2011.04.13 22:14:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Deav\Desktop\OTL.exe
[2011.04.13 22:11:20 | 000,377,280 | ---- | M] () -- C:\Users\Deav\Desktop\Load.exe
========== Files Created - No Company Name ==========
[2011.04.14 00:42:29 | 000,008,192 | RHS- | C] () -- C:\BOOTSECT.BAK
[2011.04.14 00:42:28 | 000,383,562 | RHS- | C] () -- C:\bootmgr
[2011.04.14 00:00:30 | 000,001,413 | ---- | C] () -- C:\Users\Deav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2011.04.13 23:56:02 | 1609,474,048 | -HS- | C] () -- C:\hiberfil.sys
[2011.04.13 22:16:48 | 000,000,898 | ---- | C] () -- C:\Users\Deav\Desktop\NTREGOPT.lnk
[2011.04.13 22:16:48 | 000,000,879 | ---- | C] () -- C:\Users\Deav\Desktop\ERUNT.lnk
[2011.04.13 22:14:27 | 000,301,568 | ---- | C] () -- C:\Users\Deav\Desktop\g2m3e4r.exe
[2011.04.13 22:11:19 | 000,377,280 | ---- | C] () -- C:\Users\Deav\Desktop\Load.exe
[2009.07.14 11:04:11 | 000,653,928 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2009.07.14 11:04:11 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2009.07.14 11:04:11 | 000,129,800 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2009.07.14 11:04:11 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2009.07.14 06:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009.07.14 06:33:53 | 000,265,640 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009.07.14 04:05:48 | 000,615,810 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009.07.14 04:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009.07.14 04:05:48 | 000,106,190 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009.07.14 04:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009.07.14 04:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009.07.14 04:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009.07.14 02:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009.07.14 01:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009.07.14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009.06.10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
========== LOP Check ==========
[2009.07.14 06:53:46 | 000,002,392 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
========== Custom Scans ==========
< %SYSTEMDRIVE%\*. >
[2011.04.14 00:00:19 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin
[2011.04.14 00:42:28 | 000,000,000 | -HSD | M] -- C:\Boot
[2011.04.13 23:59:59 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen
[2009.07.14 04:37:05 | 000,000,000 | ---D | M] -- C:\PerfLogs
[2011.04.13 22:16:47 | 000,000,000 | R--D | M] -- C:\Programme
[2011.04.13 23:59:59 | 000,000,000 | -H-D | M] -- C:\ProgramData
[2011.04.13 23:59:59 | 000,000,000 | -HSD | M] -- C:\Programme
[2011.04.13 23:59:59 | 000,000,000 | -HSD | M] -- C:\Recovery
[2011.04.14 00:08:28 | 000,000,000 | -HSD | M] -- C:\System Volume Information
[2011.04.14 00:00:05 | 000,000,000 | R--D | M] -- C:\Users
[2011.04.13 22:17:16 | 000,000,000 | ---D | M] -- C:\Windows
< %PROGRAMFILES%\*.exe >
< %LOCALAPPDATA%\*.exe >
< %systemroot%\*. /mp /s >
< MD5 for: EXPLORER.EXE >
[2009.07.14 03:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009.10.31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\explorer.exe
[2009.10.31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2009.08.03 07:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009.08.03 07:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009.10.31 08:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
< MD5 for: USERINIT.EXE >
[2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe
[2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
< MD5 for: WININIT.EXE >
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe
< MD5 for: WINLOGON.EXE >
[2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe
[2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009.10.28 07:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2009.07.14 03:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
< End of report >
Extras Code:
OTL Extras logfile created on: 13.04.2011 22:19:13 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Deav\Desktop
Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 75,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 86,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 223,34 Gb Free Space | 95,90% Space Free | Partition Type: NTFS
Computer Name: Deav-PC | User Name: Deav | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"ERUNT_is1" = ERUNT 1.1j
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
========== Last 10 Event Log Errors ==========
[ System Events ]
Error - 13.04.2011 18:00:18 | Computer Name = Deav-PC | Source = cdrom | ID = 262159
Description = Das Gerät \Device\CdRom0 ist für den Zugriff noch nicht bereit.
Error - 13.04.2011 18:00:19 | Computer Name = Deav-PC | Source = cdrom | ID = 262159
Description = Das Gerät \Device\CdRom0 ist für den Zugriff noch nicht bereit.
Error - 13.04.2011 18:00:20 | Computer Name = Deav-PC | Source = cdrom | ID = 262159
Description = Das Gerät \Device\CdRom0 ist für den Zugriff noch nicht bereit.
Error - 13.04.2011 18:00:21 | Computer Name = Deav-PC | Source = cdrom | ID = 262159
Description = Das Gerät \Device\CdRom0 ist für den Zugriff noch nicht bereit.
Error - 13.04.2011 18:00:22 | Computer Name = Deav-PC | Source = atapi | ID = 262155
Description = Der Treiber hat einen Controllerfehler auf \Device\Ide\IdePort0 gefunden.
Error - 13.04.2011 18:00:22 | Computer Name = Deav-PC | Source = cdrom | ID = 262159
Description = Das Gerät \Device\CdRom0 ist für den Zugriff noch nicht bereit.
Error - 13.04.2011 16:13:32 | Computer Name = Deav-PC | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Microsoft .NET Framework NGEN v4.0.30319_X86" wurde unerwartet
beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden
in 120000 Millisekunden durchgeführt: Neustart des Diensts.
Error - 13.04.2011 16:13:36 | Computer Name = Deav-PC | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Windows Modules Installer" wurde unerwartet beendet. Dies
ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 120000 Millisekunden
durchgeführt: Neustart des Diensts.
Error - 13.04.2011 16:13:40 | Computer Name = Deav-PC | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Windows Media Player-Netzwerkfreigabedienst" wurde unerwartet
beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden
in 30000 Millisekunden durchgeführt: Neustart des Diensts.
Error - 13.04.2011 16:14:59 | Computer Name = Deav-PC | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Software Protection" wurde unerwartet beendet. Dies ist
bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 120000 Millisekunden
durchgeführt: Neustart des Diensts.
< End of report >
GMER Code:
GMER 1.0.15.15570 - hxxp://www.gmer.net
Rootkit scan 2011-04-13 22:33:22
Windows 6.1.7600 Harddisk0\DR0 -> \Device\00000051 ST325031 rev.3.AA
Running: g2m3e4r.exe; Driver: C:\Users\Deav\AppData\Local\Temp\kxldapog.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82886599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828AAF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 8C235000 221 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 506E 8C2350DE 68 Bytes [8C, 75, 06, 09, 0D, 28, 05, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 8C235123 629 Bytes [05, 23, 8C, FE, 05, 34, 05, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 8C235399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 8C2353FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000003e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Allerdings hatte ich jetz die (vielleicht/oder wahrscheinlich) infizierten Datenplatten nicht mit dran, soll ichs mir den nochmal machen oder gleich mit ubuntu? |
