msls51.dll TR/Agent.APEN


This topic is locked
30 replies to this topic

#1 Pulsar100

Pulsar100

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:38 AM

Posted 13 April 2010 - 06:26 PM

Hello,

Yesterday, while I was installing a media player, it asked for further files to download. I agreed, and while it was downloading several files, my AVG reported this:



I clicked AVG to deny access. It worked. Later I turned off the system.
Today after starting the PC, AVG came up again with this:



All further actions with AVG failed. The AVG message appears over and over again. I had to turn AVG off:



My problem is pretty similar to this guy's from the forum here: http://www.bleepingcomputer.com/forums/ind...3&hl=msls51


I then ran DDS. After that I ran GMER, but (as the other guy reported) the PC crashed after a while when GMER runs. After restarting the system about 10 times, I ran GMER only up to the point where it had roughly crashed before, and saved what it had so far.
Please help me to solve this problem.

Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Boris at 23:05:44.20 on 13.04.2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.49.1031.18.1023.556 [GMT 2:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00FD-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-0114-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00F1-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00DB-0D24-347CA8A3377C}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00EC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-0103-0D24-347CA8A3377C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Google\Update\GoogleUpdate.exe
C:\Dokumente und Einstellungen\Boris\Desktop\picpick.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Multimedia Combo Set Driver\PS2USBKbdDrv.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Programme\Opera 10.10 März 2010\opera surfen.exe
C:\Dokumente und Einstellungen\Boris\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://alice.aol.de
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://alice.aol.de
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar mit Pop-Up-Blocker: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: UIHost=c:\dokumente und einstellungen\all users\anwendungsdaten\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\programme\orbitdownloader\orbitcth.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Yahoo! Toolbar mit Pop-Up-Blocker: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Burn4Free Toolbar: {55faf0f2-44d4-425f-b5f5-6b275b621eab} - c:\programme\burn4free toolbar\v3.1.0.0\Burn4Free_Toolbar.dll
EB: iOpus iMacros: {0483894e-2422-45e0-8384-021aff1af3cd} - c:\programme\imacros\imacros.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ICQ] "c:\programme\icq6\ICQ.exe" silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [WireLessKeyboard] c:\programme\multimedia combo set driver\StartAutorun.exe PS2USBKbdDrv.exe
mRun: [PicPick Start] c:\dokumente und einstellungen\boris\desktop\picpick.exe
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Ashampoo FireWall] "c:\programme\ashampoo\ashampoo firewall\FireWall.exe" -TRAY
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Versato] c:\program files\magickey\MagicKey.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: <NO NAME> =
IE: &Download by Orbit - c:\programme\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\programme\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\programme\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\programme\orbitdownloader\orbitmxt.dll/202
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {49783ED4-258D-4f9f-BE11-137C18D3E543}
IE: {A2AB1320-B1B6-40fd-A694-8197D8596FFD} - c:\programme\intertopsmpp\MPPoker.exe
IE: {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\programme\icqlite\ICQLite.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\programme\icq6.5\ICQ.exe
LSP: c:\programme\ashampoo\ashampoo firewall\spi.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\programme\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\programme\gemeinsame dateien\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\boris\anwend~1\mozilla\firefox\profiles\theuuye3.default\
FF - component: c:\dokumente und einstellungen\boris\anwendungsdaten\mozilla\firefox\profiles\theuuye3.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\dokumente und einstellungen\boris\lokale einstellungen\anwendungsdaten\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\programme\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programme\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\programme\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\programme\opera 10.10 märz 2010\program\plugins\npdsplay.dll
FF - plugin: c:\programme\opera 10.10 märz 2010\program\plugins\NPSWF32.dll
FF - plugin: c:\programme\opera 10.10 märz 2010\program\plugins\npwmsdrm.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\npdsplay.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\npqtplugin.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\npqtplugin2.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\npqtplugin3.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\npqtplugin4.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\npqtplugin5.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\npqtplugin6.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\npqtplugin7.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\NPSWF32.dll
FF - plugin: c:\programme\opera für normales surfen\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-16 64160]
R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2009-10-15 11608]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-3-4 11886]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\avira\antivir desktop\sched.exe [2009-10-15 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2009-10-15 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-15 56816]
R2 MSSQL$PROVIDUSSTD;MSSQL$PROVIDUSSTD;c:\programme\microsoft sql server\mssql$providusstd\binn\sqlservr.exe -sprovidusstd --> c:\programme\microsoft sql server\mssql$providusstd\binn\sqlservr.exe -sPROVIDUSSTD [?]
R3 ausbmon;Advanced USB Port Monitor Filter Driver;c:\windows\system32\drivers\ausbmon.sys [2009-12-11 19744]
R3 AVMNDSL;AVM DSL NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmndsl.sys [2002-4-19 38608]
R3 AVMWAN;AVM NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmwan.sys [2002-4-19 29968]
R3 FDSLBASE;AVM FRITZ!Card DSL (WinXP/2000);c:\windows\system32\drivers\fdslbase.sys [2006-7-21 868432]
S2 Ca533av;WWL 401 Video Camera Device;c:\windows\system32\drivers\ca533av.sys --> c:\windows\system32\drivers\Ca533av.sys [?]
S2 gupdate1c98e1f6b3fe650;Google Update Service (gupdate1c98e1f6b3fe650);c:\programme\google\update\GoogleUpdate.exe [2009-2-13 133104]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-4-19 16512]
S3 HRService;Haufe iDesk-Service in c:\programme\haufe\idesk\ideskservice\zope;c:\programme\haufe\idesk\ideskservice\ideskservice.exe [2006-10-23 71072]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programme\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
S3 PDNMp50;PDNMp50 NDIS Protocol Driver;\??\c:\windows\system32\drivers\pdnmp50.sys --> c:\windows\system32\drivers\PDNMp50.sys [?]
S3 PDNSp50;PDNSp50 NDIS Protocol Driver;\??\c:\windows\system32\drivers\pdnsp50.sys --> c:\windows\system32\drivers\PDNSp50.sys [?]
S3 SQLAgent$PROVIDUSSTD;SQLAgent$PROVIDUSSTD;c:\programme\microsoft sql server\mssql$providusstd\binn\sqlagent.exe -i providusstd --> c:\programme\microsoft sql server\mssql$providusstd\binn\sqlagent.EXE -i PROVIDUSSTD [?]

=============== Created Last 30 ================

2010-04-12 18:35:26 0 d-----w- c:\programme\DCoder Image Source
2010-04-12 18:35:20 0 d-----w- c:\programme\FFMPEG Core Files
2010-04-12 18:35:10 0 d-----w- c:\programme\SHOUTcast Source
2010-04-12 18:35:09 0 d-----w- c:\programme\MONOGRAM AMR SplitterDecoder
2010-04-12 18:35:07 0 d-----w- c:\programme\CD Audio Reader Filter
2010-04-12 18:35:06 0 d-----w- c:\programme\OpenSource AVI Splitter
2010-04-12 18:35:05 0 d-----w- c:\programme\Gabest MPEG Splitter
2010-04-12 18:35:00 0 d-----w- c:\programme\OpenSource DTSAC3DD+ Source Filter
2010-04-12 18:34:52 0 d-----w- c:\programme\RealMedia
2010-04-12 18:34:36 0 d-----w- c:\programme\DScaler5
2010-04-12 18:34:23 497664 ----a-w- c:\windows\system32\ac3filter.acm
2010-04-12 18:34:23 0 d-----w- c:\programme\AC3Filter
2010-04-12 18:34:02 0 d-----w- c:\programme\DirectVobSub
2010-04-12 18:33:54 0 d-----w- c:\programme\Haali
2010-04-12 18:33:50 0 d-----w- c:\programme\Bass Audio Decoder
2010-04-12 18:33:45 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-04-12 18:33:44 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-04-12 18:33:42 0 d-----w- c:\programme\ffdshow
2010-04-12 18:32:53 0 d-----w- c:\programme\Zoom Player
2010-04-12 18:32:53 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Zoom Player
2010-04-12 10:00:28 0 d-----w- c:\dokume~1\boris\anwend~1\Malwarebytes
2010-04-12 10:00:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 10:00:11 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2010-04-12 10:00:10 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 10:00:10 0 d-----w- c:\programme\Malwarebytes' Anti-Malware
2010-04-11 19:16:38 568857 ----a-w- c:\dokumente und einstellungen\boris\.recently-used.xbel
2010-04-01 10:30:48 0 d-----w- c:\programme\ICQ6.5
2010-04-01 10:27:35 0 d-----w- c:\programme\ICQ6
2010-03-26 15:54:10 161379 ----a-w- c:\windows\EXIFutils for Windows Uninstaller.exe
2010-03-26 15:54:09 0 d-----w- c:\programme\gemeinsame dateien\Thraex Software
2010-03-26 15:54:09 0 d-----w- c:\programme\EXIFutils for Windows
2010-03-25 18:41:08 0 d-----w- C:\Ablage
2010-03-25 11:42:06 0 d-----w- c:\programme\Opera 10.10 März 2010
2010-03-23 10:10:35 371 ----a-w- C:\Ablageeee.lnk

==================== Find3M ====================

2010-03-28 09:02:44 91942 ----a-w- c:\windows\system32\perfc007.dat
2010-03-28 09:02:44 476652 ----a-w- c:\windows\system32\perfh007.dat
2010-03-25 17:18:42 23636 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-08 10:42:40 26448 ----a-w- c:\dokume~1\boris\anwend~1\GDIPFONTCACHEV1.DAT
2010-01-28 09:28:34 49152 ----a-r- c:\windows\system32\inetwh32.dll
2010-01-28 09:28:34 1044480 ----a-r- c:\windows\system32\roboex32.dll
2008-03-30 17:17:34 977 ----a-w- c:\programme\metalhand.zip
2006-12-14 10:16:14 692 ----a-w- c:\programme\file_id.diz
2005-03-23 16:17:10 326 ----a-w- c:\programme\metalhand.cur
2006-08-25 15:46:47 617472 --sha-w- c:\windows\system32\comctl32.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-08-03 22:57:24 1028096 --sha-w- c:\windows\system32\mfc42.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2004-08-03 22:57:30 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2004-08-03 22:57:38 30749 --sha-w- c:\windows\system32\vbajet32.dll

============= FINISH: 23:07:03.72 ===============


By the way:
I don't know if this is the problem, but the Zoom Player people (the malware was detected after installing Zoom Player) write on their page: Why will certain Anti-Virus software claim Zoom Player is infected?

Zoom Player uses an EXE compressor called ASPack. Some Anti-Virus programs may mistake the compression scheme for a virus (very rare).

All Zoom Player downloads have an MD5 checksum on the download page which allows you to verify if your Zoom Player installer was tampered with.

http://www.inmatrix.com/zplayer/faq/faq_entry0005.shtml

Edited by Pulsar100, 14 April 2010 - 11:34 AM.
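The DDS log above is the raw material for triage, and two of its line formats are easy to machine-check before an analyst reads the rest by hand. The Python script below is an added example, not part of this thread and not code from the DDS tool: it parses the file-listing lines (the "Created Last 30" and "Find3M" sections) and the "SERVICES / DRIVERS" lines, then surfaces non-directory files carrying both the hidden and system attributes, services whose image DDS printed with "[?]" instead of a date and size, and files modified after a given day. The sample text is copied from the log in this post. My reading of the attribute positions (d/s/h/a and w/r), of the R/S prefix with its start-type digit, and of the "[?]" marker as "DDS could not read the file" is inferred from the values visible in the log, not from DDS documentation. The hidden+system check is a worklist, not a verdict: it flags comctl32.dll, a stock Windows component, alongside the other DLLs, and the thread reaches no conclusion about any of them.

```python
"""Parse a DDS log (as pasted in the post above) and pull out entries worth a
second look.  Added example; not part of the thread or of the DDS tool."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the DDS log in the post above, with the
# section banners DDS prints between them.  The trailing "[?]" on two service
# lines sits where DDS otherwise prints the image file's date and size.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-16 64160]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-3-4 11886]
S2 Ca533av;WWL 401 Video Camera Device;c:\windows\system32\drivers\ca533av.sys --> c:\windows\system32\drivers\Ca533av.sys [?]
S3 PDNMp50;PDNMp50 NDIS Protocol Driver;\??\c:\windows\system32\drivers\pdnmp50.sys --> c:\windows\system32\drivers\PDNMp50.sys [?]

==================== Find3M ====================

2010-03-28 09:02:44 91942 ----a-w- c:\windows\system32\perfc007.dat
2010-03-25 17:18:42 23636 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-28 09:28:34 49152 ----a-r- c:\windows\system32\inetwh32.dll
2006-08-25 15:46:47 617472 --sha-w- c:\windows\system32\comctl32.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2010-04-12 18:35:26 0 d-----w- c:\programme\DCoder Image Source
"""

# "<date> <time> <size> <8 attribute flags> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) ([a-z-]{8}) (.+)$")
# "<R|S><digit> <name>;<display name>;<image path> [<date size> | ?]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[(.+)\]$")


@dataclass
class FileEntry:
    modified: str   # "YYYY-MM-DD HH:MM:SS" as printed by DDS
    size: int
    attrs: str      # the 8-character flag string, e.g. "--sh--r-"
    path: str

    # Flag positions are inferred from the values seen in the log (assumption):
    # [0] d=directory, [2] s=system, [3] h=hidden, [4] a=archive, [6] w=writable / r=read-only
    @property
    def is_dir(self) -> bool: return self.attrs[0] == "d"
    @property
    def system(self) -> bool: return self.attrs[2] == "s"
    @property
    def hidden(self) -> bool: return self.attrs[3] == "h"
    @property
    def read_only(self) -> bool: return self.attrs[6] == "r"


@dataclass
class ServiceEntry:
    state: str      # "R"=running / "S"=stopped plus start-type digit (assumed DDS convention)
    name: str
    display: str
    path: str       # registered image path (left of " --> " when DDS also shows a resolved path)
    verified: bool  # False when DDS printed "[?]" instead of a date and size for the image


def parse_dds(text: str) -> Tuple[List[FileEntry], List[ServiceEntry]]:
    """Split a DDS log into file-listing and service/driver entries; other lines are ignored."""
    files: List[FileEntry] = []
    services: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):      # blank lines and section banners
            continue
        m = FILE_RE.match(line)
        if m:
            modified, size, attrs, path = m.groups()
            files.append(FileEntry(modified, int(size), attrs, path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, display, image, stamp = m.groups()
            services.append(ServiceEntry(state, name, display, image.split(" --> ")[0], stamp != "?"))
    return files, services


def hidden_system_files(files: List[FileEntry]) -> List[FileEntry]:
    """Non-directory entries carrying both the hidden and system attributes.
    A worklist, not a verdict: stock Windows files show up here as well."""
    return [f for f in files if not f.is_dir and f.hidden and f.system]


def unverified_services(services: List[ServiceEntry]) -> List[ServiceEntry]:
    """Services/drivers whose image DDS could not read (the "[?]" entries)."""
    return [s for s in services if not s.verified]


def files_modified_since(files: List[FileEntry], day: str) -> List[FileEntry]:
    """Entries modified on or after day ("YYYY-MM-DD"); ISO timestamps compare correctly as strings."""
    return [f for f in files if f.modified[:10] >= day]


if __name__ == "__main__":
    files, services = parse_dds(SAMPLE_DDS)
    for f in hidden_system_files(files):
        print(f"hidden+system file: {f.path} ({f.size} bytes, modified {f.modified})")
    for s in unverified_services(services):
        print(f"unreadable service image: {s.name} -> {s.path}")
```

Fed a complete DDS log instead of the sample, the two lists are the files to hash or check for a digital signature and the services whose image path needs to be inspected by hand; the date filter narrows the file list to whatever changed around the time the alerts started (12 April in this post).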



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:38 AM

Posted 18 April 2010 - 05:08 AM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 Pulsar100

Pulsar100
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:38 AM

Posted 19 April 2010 - 03:29 PM

Dear Supporter,

GMER always crashes after a while, so I ran it and stopped it after 2:30 minutes, before it crashes.






OTL:
OTL logfile created on: 19.04.2010 13:58:34 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Dokumente und Einstellungen\\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1.023.00 Mb Total Physical Memory | 405.00 Mb Available Physical Memory | 40.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 111.75 Gb Total Space | 2.41 Gb Free Space | 2.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: xxx
Current User Name: xxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.04.19 13:56:53 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\xxx\Desktop\OTL.exe
PRC - [2009.11.20 20:01:18 | 000,832,296 | ---- | M] (Opera Software) -- C:\Programme\Opera 10.10 März 2010\opera surfen.exe
PRC - [2009.07.21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2009.05.13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2009.03.02 15:55:04 | 000,888,320 | ---- | M] () -- C:\Dokumente und Einstellungen\xxx\Desktop\picpick.exe
PRC - [2009.03.02 13:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2007.04.05 15:57:52 | 003,251,800 | ---- | M] () -- C:\Programme\Ashampoo\Ashampoo FireWall\FireWall.exe
PRC - [2006.07.23 17:55:10 | 001,585,152 | ---- | M] () -- C:\Programme\Multimedia Combo Set Driver\PS2USBKbdDrv.exe
PRC - [2005.08.24 02:29:52 | 000,118,272 | ---- | M] (TuneUp Software GmbH) -- C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
PRC - [2004.09.29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004.08.04 00:57:54 | 001,035,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004.01.08 09:50:00 | 000,037,888 | ---- | M] (Logitech Inc.) -- C:\Programme\Logitech\MouseWare\system\EM_EXEC.EXE
PRC - [2002.12.17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe


========== Modules (SafeList) ==========

MOD - [2010.04.19 13:56:53 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\xxx\Desktop\OTL.exe
MOD - [2006.08.25 17:46:44 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_659xxx\comctl32.dll
MOD - [2006.05.03 23:53:54 | 000,174,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\framedyn.dll
MOD - [2005.08.24 02:29:52 | 000,076,288 | ---- | M] () -- C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll
MOD - [2004.08.04 00:57:30 | 000,413,696 | -HS- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2004.01.08 09:50:00 | 000,024,064 | ---- | M] (Logitech Inc.) -- C:\Programme\Gemeinsame Dateien\Logitech\Scrolling\LGMSGHK.DLL
MOD - [2004.01.08 09:50:00 | 000,006,144 | ---- | M] (Logitech Inc.) -- C:\Programme\Logitech\MouseWare\system\LgWndHk.dll


========== Win32 Services (SafeList) ==========

SRV - [2009.12.16 18:23:42 | 001,028,432 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Programme\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009.07.21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.05.13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009.03.03 15:53:32 | 000,033,176 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2007.01.19 12:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2006.10.23 03:39:22 | 000,071,072 | ---- | M] () [On_Demand | Stopped] -- C:\Programme\Haufe\iDesk\iDeskService\iDeskService.exe -- (HRService)
SRV - [2005.08.24 02:29:52 | 000,118,272 | ---- | M] (TuneUp Software GmbH) [Auto | Running] -- C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe -- (TUWinStylerThemeSvc)
SRV - [2004.10.22 02:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004.09.29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002.12.17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe -- (MSSQL$PROVIDUSSTD)
SRV - [2002.12.17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlagent.EXE -- (SQLAgent$PROVIDUSSTD)


========== Driver Services (SafeList) ==========

DRV - [2010.04.19 10:47:09 | 000,004,096 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Temp\ASFWHide -- (ASFWHide)
DRV - [2009.12.16 18:20:46 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009.12.08 20:53:25 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009.05.11 10:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.03.30 10:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009.03.02 19:08:16 | 000,019,744 | --S- | M] (AGG Software (http://www.aggsoft.com)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ausbmon.sys -- (ausbmon)
DRV - [2009.02.13 12:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2007.07.03 17:58:20 | 000,106,792 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2007.07.03 17:57:24 | 000,011,944 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2007.07.03 17:54:24 | 000,080,552 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2006.07.24 17:05:00 | 000,005,632 | ---- | M] () [File_System | System | Running] -- C:\WINDOWS\system32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2006.03.17 14:08:03 | 000,084,512 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssm_mdm.sys -- (ssm_mdm)
DRV - [2006.03.17 14:08:03 | 000,006,096 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssm_mdfl.sys -- (ssm_mdfl)
DRV - [2006.03.17 14:08:02 | 000,052,416 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssm_bus.sys -- (ssm_bus) Samsung Mobile USB Device II 1.0 driver (WDM)
DRV - [2006.03.09 15:29:00 | 003,650,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004.08.04 00:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB-Audiotreiber (WDM)
DRV - [2004.08.03 23:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2003.12.17 09:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)
DRV - [2003.12.17 09:50:00 | 000,051,729 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042PR2.SYS -- (L8042pr2)
DRV - [2003.12.17 09:50:00 | 000,037,887 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidUsb.sys -- (LHidUsb)
DRV - [2003.12.17 09:50:00 | 000,025,505 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFlt2.Sys -- (LHidFlt2)
DRV - [2002.08.30 18:29:02 | 001,293,440 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2002.07.17 08:05:10 | 000,016,512 | ---- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI)
DRV - [2002.04.19 02:02:00 | 000,868,432 | R--- | M] (AVM Berlin) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fdslbase.sys -- (FDSLBASE) AVM FRITZ!Card DSL (WinXP/2000)
DRV - [2002.04.19 02:02:00 | 000,038,608 | ---- | M] (AVM GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avmndsl.sys -- (AVMNDSL)
DRV - [2002.04.19 02:02:00 | 000,029,968 | ---- | M] (AVM Berlin) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avmwan.sys -- (AVMWAN)
DRV - [2001.11.27 01:07:20 | 000,011,886 | ---- | M] (WayTech Development, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kbfilter.sys -- (kbfilter)
DRV - [1999.12.17 01:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://alice.aol.de
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://alice.aol.de
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1644491937-823518204-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1644491937-823518204-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com/
IE - HKU\S-1-5-21-1644491937-823518204-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1644491937-823518204-839522115-1004\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1644491937-823518204-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1644491937-823518204-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.8
FF - prefs.js..extensions.enabledItems: {0b457cAA-602d-484a-8fe7-c1d894a011ba}:0.80
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.0.7

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.03.11 01:41:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.03.11 01:41:04 | 000,000,000 | ---D | M]

[2010.01.07 23:51:58 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\Mozilla\Extensions
[2010.04.12 13:43:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\Mozilla\Firefox\Profiles\theuuye3.default\extensions
[2010.01.22 13:26:52 | 000,000,000 | ---D | M] (FireShot) -- C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\Mozilla\Firefox\Profiles\theuuye3.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2010.04.07 19:32:33 | 000,000,000 | ---D | M] (FlashGot) -- C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\Mozilla\Firefox\Profiles\theuuye3.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010.02.10 12:00:32 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\Mozilla\Firefox\Profiles\theuuye3.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010.04.12 13:43:37 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2004.11.13 05:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Mozilla Firefox\plugins\NPAdbESD.dll
[2007.09.27 20:49:34 | 000,061,440 | ---- | M] (Joost Technologies B.V. ) -- C:\Programme\Mozilla Firefox\plugins\npJoostPlugin.dll
[2009.12.22 05:57:54 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2009.12.22 05:57:54 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2009.12.22 05:57:54 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2009.12.22 05:57:54 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2009.12.22 05:57:54 | 000,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2002.06.27 17:12:51 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1644491937-823518204-839522115-1004\..\Toolbar\ShellBrowser: (Burn4Free Toolbar) - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Programme\Burn4Free Toolbar\v3.1.0.0\Burn4Free_Toolbar.dll ()
O3 - HKU\S-1-5-21-1644491937-823518204-839522115-1004\..\Toolbar\WebBrowser: (Burn4Free Toolbar) - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Programme\Burn4Free Toolbar\v3.1.0.0\Burn4Free_Toolbar.dll ()
O3 - HKU\S-1-5-21-1644491937-823518204-839522115-1004\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Ashampoo FireWall] C:\Programme\Ashampoo\Ashampoo FireWall\FireWall.exe ()
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PicPick Start] C:\Dokumente und Einstellungen\xxx\Desktop\picpick.exe ()
O4 - HKLM..\Run: [WireLessKeyboard] C:\Programme\Multimedia Combo Set Driver\StartAutorun.exe PS2USBKbdDrv.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1644491937-823518204-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Download by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - Reg Error: Value error. File not found
O9 - Extra Button: Intertops Poker - {A2AB1320-B1B6-40fd-A694-8197D8596FFD} - C:\Programme\IntertopsMPP\MPPoker.exe (Microgaming)
O9 - Extra Button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - Reg Error: Value error. File not found
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe File not found
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe File not found
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Programme\Ashampoo\Ashampoo FireWall\spi.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Programme\Ashampoo\Ashampoo FireWall\spi.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Programme\Ashampoo\Ashampoo FireWall\spi.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Programme\Ashampoo\Ashampoo FireWall\spi.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Programme\Ashampoo\Ashampoo FireWall\spi.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Programme\Ashampoo\Ashampoo FireWall\spi.dll ()
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Programme\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = xxx
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\haufereader - No CLSID value found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe) - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe (Microsoft Corporation)
O24 - Desktop Components:0 () - file:///C:/DOKUME~1/xxx/LOKALE~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Components:1 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 0
O33 - MountPoints2\{16dc54f2-a79c-11de-b01a-0007e9bceb88}\Shell - "" = AutoRun
O33 - MountPoints2\{16dc54f2-a79c-11de-b01a-0007e9bceb88}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{98c9b45e-687d-11de-afa3-0007e9bceb88}\Shell\AutoRun\command - "" = VIRTUAL_OPTICIAN.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.04.19 13:56:53 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\xxx\Desktop\OTL.exe
[2010.04.14 14:42:05 | 000,000,000 | ---D | C] -- C:\rsit
[2010.04.14 11:47:43 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\xxx\Recent
[2010.04.14 11:38:14 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\Yahoo!
[2010.04.14 02:39:22 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\xxx\Desktop\malware april
[2010.04.12 20:35:26 | 000,000,000 | ---D | C] -- C:\Programme\DCoder Image Source
[2010.04.12 20:35:20 | 000,000,000 | ---D | C] -- C:\Programme\FFMPEG Core Files
[2010.04.12 20:35:10 | 000,000,000 | ---D | C] -- C:\Programme\SHOUTcast Source
[2010.04.12 20:35:09 | 000,000,000 | ---D | C] -- C:\Programme\MONOGRAM AMR SplitterDecoder
[2010.04.12 20:35:07 | 000,000,000 | ---D | C] -- C:\Programme\CD Audio Reader Filter
[2010.04.12 20:35:06 | 000,000,000 | ---D | C] -- C:\Programme\OpenSource AVI Splitter
[2010.04.12 20:35:05 | 000,000,000 | ---D | C] -- C:\Programme\Gabest MPEG Splitter
[2010.04.12 20:35:00 | 000,000,000 | ---D | C] -- C:\Programme\OpenSource DTSAC3DD+ Source Filter
[2010.04.12 20:34:52 | 000,000,000 | ---D | C] -- C:\Programme\RealMedia
[2010.04.12 20:34:36 | 000,000,000 | ---D | C] -- C:\Programme\DScaler5
[2010.04.12 20:34:23 | 000,000,000 | ---D | C] -- C:\Programme\AC3Filter
[2010.04.12 20:34:02 | 000,000,000 | ---D | C] -- C:\Programme\DirectVobSub
[2010.04.12 20:33:54 | 000,000,000 | ---D | C] -- C:\Programme\Haali
[2010.04.12 20:33:50 | 000,000,000 | ---D | C] -- C:\Programme\Bass Audio Decoder
[2010.04.12 20:33:42 | 000,000,000 | ---D | C] -- C:\Programme\ffdshow
[2010.04.12 20:32:53 | 000,000,000 | ---D | C] -- C:\Programme\Zoom Player
[2010.04.12 20:32:53 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Zoom Player
[2010.04.12 12:00:28 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\Malwarebytes
[2010.04.12 12:00:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.04.12 12:00:11 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.04.12 12:00:10 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.04.12 12:00:10 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware

[2010.04.01 12:30:48 | 000,000,000 | ---D | C] -- C:\Programme\ICQ6.5
[2010.04.01 12:28:22 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\ICQ
[2010.04.01 12:27:35 | 000,000,000 | ---D | C] -- C:\Programme\ICQ6
[2010.03.26 17:54:09 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Thraex Software
[2010.03.26 17:54:09 | 000,000,000 | ---D | C] -- C:\Programme\EXIFutils for Windows
[2010.03.25 20:41:08 | 000,000,000 | ---D | C] -- C:\Ablage
[2010.03.25 13:42:06 | 000,000,000 | ---D | C] -- C:\Programme\Opera 10.10 März 2010
[2010.03.21 23:48:10 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\xxx\Desktop\Fone neu märz
[2009.11.25 13:40:42 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Temp
[2009.10.14 14:52:42 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Microsoft
[2009.10.14 14:52:42 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Microsoft
[2009.10.14 14:52:42 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2009.10.14 14:52:42 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2009.08.12 09:38:39 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Temp
[2009.06.11 16:36:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Apple
[2009.03.29 02:58:10 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Adobe
[2009.02.14 11:37:34 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Google
[2009.02.13 23:10:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Google
[2007.05.14 23:39:23 | 000,047,360 | ---- | C] (VSO Software) -- C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\pcouffin.sys
[2002.04.11 03:41:00 | 000,065,536 | R--- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\*.tmp files -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.04.19 13:56:53 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\xxx\Desktop\OTL.exe
[2010.04.19 13:43:04 | 000,078,227 | ---- | M] () -- C:\Dokumente und Einstellungen\xxx\Desktop\1271627887001.jpg
[2010.04.19 13:23:11 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.04.19 12:02:17 | 000,001,156 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-823518204-839522115-1004.job
[2010.04.19 11:23:00 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.04.19 10:47:09 | 000,000,504 | ---- | M] () -- C:\Dokumente und Einstellungen\xxx\Desktop\picpick.ini
[2010.04.19 10:47:02 | 000,050,257 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010.04.19 10:46:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.04.19 10:46:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.04.19 10:46:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.04.19 00:43:37 | 008,126,464 | ---- | M] () -- C:\Dokumente und Einstellungen\xxx\NTUSER.DAT
[2010.04.19 00:43:37 | 000,000,300 | -HS- | M] () -- C:\Dokumente und Einstellungen\xxx\ntuser.ini
[2010.04.19 00:23:09 | 000,027,648 | ---- | M] () -- C:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.04.19 00:21:40 | 001,696,594 | ---- | M] () -- C:\Dokumente und Einstellungen\xxx\Desktop\bookmarks.adr
[2010.04.18 23:09:49 | 000,572,754 | ---- | M] () -- C:\Dokumente und Einstellungen\xxx\.recently-used.xbel
[2010.04.15 16:36:06 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010.04.12 20:33:05 | 000,001,636 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Zoom Player Home Professional.lnk
[2010.04.12 17:23:01 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010.04.12 12:00:20 | 000,000,676 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.10 19:34:08 | 000,130,727 | ---- | M] () -- C:\Dokumente und Einstellungen\xxx\Desktop\Rückentrainer.png
[2010.04.10 03:24:22 | 000,022,528 | ---- | M] () -- C:\Dokumente und Einstellungen\xxx\Eigene Dateien\Mappe1.xls
[2010.04.09 17:15:00 | 000,000,396 | ---- | M] () -- C:\WINDOWS\tasks\1-Klick-Wartung.job
[2010.04.08 18:39:47 | 000,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LauncherAccess.dt
[2010.04.05 23:14:19 | 005,449,945 | ---- | M] () -- C:\Dokumente und Einstellungen\\Desktop\happy-planet-index-2-0.pdf
[2010.04.02 10:53:44 | 000,002,163 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Safari.lnk
[2010.04.01 12:34:17 | 000,001,451 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\ICQ6.5.lnk
[2010.03.30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.03.30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.03.28 11:02:45 | 000,458,954 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.03.28 11:02:44 | 001,122,348 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.03.28 11:02:44 | 000,476,652 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.03.28 11:02:44 | 000,091,942 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.03.28 11:02:44 | 000,078,676 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.03.26 17:54:10 | 000,161,379 | ---- | M] () -- C:\WINDOWS\EXIFutils for Windows Uninstaller.exe
[2010.03.26 16:03:22 | 000,000,640 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.03.25 19:18:42 | 000,023,636 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010.03.25 18:54:20 | 000,000,691 | ---- | M] () -- C:\Dokumente und Einstellungen\Boris\Desktop\opera surfen.lnk
[2010.03.24 11:00:28 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.03.24 11:00:28 | 000,000,152 | -HS- | M] () -- C:\boot.ini
[2010.03.23 12:14:56 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010.03.23 12:14:56 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010.03.23 12:10:35 | 000,000,371 | ---- | M] () -- C:\Ablageeee.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\*.tmp files -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.04.19 13:43:03 | 000,078,227 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Desktop\1271627887001.jpg
[2010.04.18 23:09:49 | 000,572,754 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\.recently-used.xbel
[2010.04.12 20:34:23 | 000,497,664 | ---- | C] () -- C:\WINDOWS\System32\ac3filter.acm
[2010.04.12 20:33:45 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2010.04.12 20:33:44 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010.04.12 20:33:05 | 000,001,636 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Zoom Player Home Professional.lnk
[2010.04.12 12:00:20 | 000,000,676 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.10 19:34:07 | 000,130,727 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Desktop\Rückentrainer.png
[2010.04.10 03:24:22 | 000,022,528 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Eigene Dateien\Mappe1.xls
[2010.04.05 23:14:19 | 005,449,945 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Desktop\happy-planet-index-2-0.pdf
[2010.04.01 12:34:17 | 000,001,451 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\ICQ6.5.lnk
[2010.03.26 17:54:10 | 000,161,379 | ---- | C] () -- C:\WINDOWS\EXIFutils for Windows Uninstaller.exe
[2010.03.25 18:54:20 | 000,000,691 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Desktop\opera surfen.lnk
[2010.03.23 12:14:56 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2010.03.23 12:14:56 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2010.03.23 12:10:35 | 000,000,371 | ---- | C] () -- C:\Ablageeee.lnk
[2010.01.27 14:21:39 | 000,000,062 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\.gtk-bookmarks
[2010.01.09 23:34:32 | 000,084,576 | ---- | C] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
[2009.12.16 14:43:30 | 000,001,384 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009.12.10 18:40:39 | 000,000,032 | ---- | C] () -- C:\WINDOWS\Menu.INI
[2009.09.24 09:26:40 | 000,000,185 | ---- | C] () -- C:\WINDOWS\System32\msblcd32.dll
[2009.05.09 12:03:22 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2009.04.13 20:51:40 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Pf 1
[2009.01.13 21:55:18 | 000,011,302 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\gsview32.ini
[2009.01.13 21:25:15 | 000,000,040 | ---- | C] () -- C:\WINDOWS\winDecrypt.INI
[2008.11.23 12:43:56 | 000,001,484 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\filterclsid.dat
[2008.11.23 11:24:07 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LauncherAccess.dt
[2008.11.23 11:14:42 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2008.08.28 20:57:31 | 000,003,401 | ---- | C] () -- C:\WINDOWS\messer.ini
[2008.08.11 23:25:38 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\AVERM.dll
[2008.08.11 23:25:38 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\AVEQT.dll
[2008.08.11 22:35:47 | 000,394,240 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2008.08.11 22:35:46 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2008.08.11 21:45:23 | 000,448,512 | ---- | C] () -- C:\WINDOWS\System32\avformat-50.dll
[2008.08.11 21:45:23 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\avutil-49.dll
[2008.08.11 21:45:22 | 003,345,408 | ---- | C] () -- C:\WINDOWS\System32\avcodec-51.dll
[2008.06.05 17:23:43 | 000,000,692 | ---- | C] () -- C:\Programme\file_id.diz
[2008.04.29 20:55:50 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[2008.03.30 19:19:48 | 000,000,326 | ---- | C] () -- C:\Programme\metalhand.cur
[2008.03.30 19:17:33 | 000,000,977 | ---- | C] () -- C:\Programme\metalhand.zip
[2008.03.23 04:27:43 | 000,000,186 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\schedlog.txt
[2008.03.21 19:07:32 | 000,000,000 | -H-- | C] () -- C:\Dokumente und Einstellungen\Boris\NTUSER.DAT.rctemp.LOG
[2008.03.21 19:02:44 | 000,012,863 | ---- | C] () -- C:\WINDOWS\System32\msdx92.dll
[2008.01.26 12:09:19 | 000,001,999 | ---- | C] () -- C:\WINDOWS\rackdata5.ini
[2007.10.20 20:20:20 | 000,000,082 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\AVSDVDPlayer.m3u
[2007.10.20 17:49:48 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007.10.20 17:49:48 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007.10.15 18:26:47 | 000,000,024 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\xpy.ini
[2007.10.13 17:01:28 | 000,000,350 | ---- | C] () -- C:\WINDOWS\RefreshLock.ini
[2007.08.25 17:09:13 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\pokerclient.log
[2007.07.16 13:07:55 | 000,000,111 | ---- | C] () -- C:\WINDOWS\telephon.ini
[2007.06.03 22:15:55 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2007.05.14 23:39:39 | 000,000,034 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\pcouffin.log
[2007.05.14 23:39:23 | 000,087,608 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\ezpinst.exe
[2007.05.14 23:39:23 | 000,001,144 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\pcouffin.inf
[2007.05.14 23:39:23 | 000,001,074 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\pcouffin.cat
[2007.05.14 13:49:43 | 000,000,067 | ---- | C] () -- C:\WINDOWS\AVIConverter.INI
[2007.01.19 12:07:36 | 000,000,901 | ---- | C] () -- C:\WINDOWS\TVTEmulator.ini
[2007.01.17 18:09:38 | 000,196,239 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\.fonts.cache-1
[2006.12.12 18:30:26 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006.12.12 18:24:42 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006.10.27 11:45:34 | 000,001,359 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\QTSBandwidthCache
[2006.10.16 15:19:25 | 000,015,428 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\RefEdit.exd
[2006.08.31 16:26:29 | 000,001,614 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006.08.22 13:24:42 | 000,000,026 | R--- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2006.08.22 10:23:24 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2006.08.22 10:23:13 | 000,000,064 | ---- | C] () -- C:\WINDOWS\P16x.ini
[2006.08.22 09:48:13 | 000,002,092 | R--- | C] () -- C:\WINDOWS\System32\P16X.ini
[2006.08.07 14:17:02 | 000,000,003 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\dxva_sig.txt
[2006.07.05 19:03:04 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006.06.25 12:07:47 | 000,000,138 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
[2006.06.24 10:58:25 | 000,000,054 | ---- | C] () -- C:\WINDOWS\rssimx.dll
[2006.06.24 10:58:25 | 000,000,040 | ---- | C] () -- C:\WINDOWS\rssimx.dll.exe
[2006.06.24 10:58:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\imsys.dll
[2006.06.11 21:34:39 | 000,045,635 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Lokale Einstellungen\Anwendungsdaten\FASTWiz.log
[2006.06.10 18:49:59 | 000,000,356 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hpzinstall.log
[2006.06.08 16:09:56 | 000,000,129 | ---- | C] () -- C:\WINDOWS\CTWave32.ini
[2006.06.07 17:20:15 | 000,262,144 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\ntuser.dat
[2006.06.07 17:20:15 | 000,001,024 | -H-- | C] () -- C:\Dokumente und Einstellungen\All Users\ntuser.dat.LOG
[2006.06.07 16:27:42 | 000,027,648 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006.06.07 15:58:37 | 000,000,245 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2006.06.07 15:38:39 | 000,000,322 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\dm.ini
[2006.06.07 15:38:38 | 000,001,557 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\AdobeDLM.log
[2006.06.07 15:22:50 | 000,000,305 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\addr_file.html
[2006.06.07 15:09:05 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2006.06.07 14:50:29 | 000,000,300 | -HS- | C] () -- C:\Dokumente und Einstellungen\Boris\ntuser.ini
[2006.06.07 14:50:28 | 000,032,768 | -H-- | C] () -- C:\Dokumente und Einstellungen\Boris\ntuser.dat.LOG
[2006.06.07 14:50:27 | 008,126,464 | ---- | C] () -- C:\Dokumente und Einstellungen\Boris\NTUSER.DAT
[2006.06.07 14:50:27 | 007,340,032 | -H-- | C] () -- C:\Dokumente und Einstellungen\Boris\NTUSER.DAT.rcbak
[2006.03.09 15:29:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006.03.09 15:29:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006.03.09 15:29:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006.03.09 15:29:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006.03.09 15:29:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006.03.09 15:29:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006.03.09 15:29:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004.09.27 13:58:24 | 000,000,096 | ---- | C] () -- C:\WINDOWS\ez-pdf2pngcfg.ini
[2004.08.18 15:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\msls51.dll
[2002.06.27 17:20:04 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2002.05.10 08:25:00 | 000,039,936 | R--- | C] () -- C:\WINDOWS\System32\P16X.dll
[2002.04.22 04:24:50 | 000,005,917 | ---- | C] () -- C:\WINDOWS\SBMIXDEF.INI
[2002.04.03 11:28:54 | 000,006,175 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI
[2001.10.10 08:57:58 | 000,073,786 | ---- | C] () -- C:\WINDOWS\System32\dntvmc23.dll
[2001.10.10 08:57:58 | 000,061,497 | ---- | C] () -- C:\WINDOWS\System32\dntvm23.dll
[2001.03.07 08:02:30 | 000,229,431 | ---- | C] () -- C:\WINDOWS\System32\dnt23.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 135 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:0CE7F3C9
@Alternate Data Stream - 108 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:44807EFA
< End of report >

Extras:

OTL Extras logfile created on: 19.04.2010 13:58:34 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Dokumente und Einstellungen\Boris\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1.023.00 Mb Total Physical Memory | 405.00 Mb Available Physical Memory | 40.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 111.75 Gb Total Space | 2.41 Gb Free Space | 2.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name:
Current User Name:
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Programme\Opera 10.10 März 2010\opera surfen.exe (Opera Software)

[HKEY_USERS\S-1-5-21-1644491937-823518204-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bildübersicht mit PhotoLine 32...] -- "C:\Programme\PhotoLine\PhotoLine.exe" -browse "%L" (Computerinsel GmbH)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OtsMedia.Surf] -- Reg Error: Key error.
Directory [PlayWithVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"20:TCP" = 20:TCP:*:Enabled:o2 DSL FTP 20
"23:TCP" = 23:TCP:*:Enabled:o2 DSL Telnet 23
"80:TCP" = 80:TCP:*:Enabled:o2 DSL HTTP 80
"161:UDP" = 161:UDP:*:Enabled:o2 DSL SNMP 161

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Programme\MSN Messenger\livecall.exe" = C:\Programme\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\ICQLite\ICQLite.exe" = C:\Programme\ICQLite\ICQLite.exe:*:Enabled:ICQ Lite -- File not found
"C:\Programme\Joost\xulrunner\tvprunner.exe" = C:\Programme\Joost\xulrunner\tvprunner.exe:*:Enabled:tvprunner -- (Joost Technologies B.V.)
"C:\Programme\MSN Messenger\livecall.exe" = C:\Programme\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)
"C:\Programme\uTorrent\uTorrent.exe" = C:\Programme\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Programme\Orbitdownloader\orbitdm.exe" = C:\Programme\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Programme\Orbitdownloader\orbitnet.exe" = C:\Programme\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Programme\Gemeinsame Dateien\XpressUpdate\XPressUpdate.exe" = C:\Programme\Gemeinsame Dateien\XpressUpdate\XPressUpdate.exe:*:Enabled:XPressUpdate -- (PixelPlanet GmbH)
"C:\Programme\Opera 10 Beta\opera.exe" = C:\Programme\Opera 10 Beta\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Programme\Opera für normales Surfen\opera.exe" = C:\Programme\Opera für normales Surfen\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Programme\Opera 10.10 März 2010\opera.exe" = C:\Programme\Opera 10.10 März 2010\opera.exe:*:Enabled:Opera Internet Browser -- File not found
"C:\Programme\Opera 10.10 März 2010\opera surfen.exe" = C:\Programme\Opera 10.10 März 2010\opera surfen.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Programme\ICQ6\ICQ.exe" = C:\Programme\ICQ6\ICQ.exe:*:Enabled:ICQ6 -- File not found
"C:\Programme\ICQ6.5\ICQ.exe" = C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6 -- (ICQ, LLC.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{05ADEEC8-BD58-43D9-A9E3-1F53B0DA117A}" = Opera 10.51
"{06A940CD-4924-485E-8500-476C9E08A820}" = Samsung PC Studio 3
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{0DD140D3-9563-481E-AA75-BA457CBDAEF2}" = PC Inspector File Recovery
"{0F9196C6-58B4-445B-B56E-B1200FECC151}" = Microsoft Bootvis
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{174D5678-D941-433C-BD23-58A5C7B0D36D}" = Jasc Animation Shop 3
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{204FE420-B0D0-4A37-B1DE-C83EAD840BD4}" = PokerChamps
"{205C26CB-6D52-458C-A87F-1EE77F9625C6}" = Intel® PRO Network Connections
"{21E90952-11F1-4473-9D6C-2EE09BCB10C3}" = OpenOffice.org 2.0
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{279DB581-239C-4E13-97F8-0F48E40BE75C}" = Windows Live Messenger
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35917680-C0DA-4618-B878-54B74694A2FB}" = Yahoo! Widget Engine
"{382BAB22-50F4-4F11-91F6-9A35C0FB6BE9}" = TAXMAN 2007
"{3E5CBADD-2E51-47C1-BBE2-B802DB6DA56A}" = MetaTrader - FXOpen 4.00
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{53480870-02D8-48FB-BC27-72C956885168}" = O&O MediaRecovery
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1
"{5E96F183-04E6-4263-BD8B-D767D444F1E5}" = eXPert PDF Editor Professional Edition
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{636F485A-2053-43FA-BE1D-CC27CDA4A0AC}" = MSynth 1.5 alpha
"{690BE098-6D0D-493D-B079-BD7E8F81A141}" = Opera 10.10
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{6D9B4C6B-7879-477A-B5EE-7DF068B91F34}" = PdfGrabber 5.0
"{6E65247F-58F9-41CA-BE69-0316F7907170}" = Disc2Phone
"{7252D1A7-B4FD-4B82-BC59-B4D6EF4B03F3}_is1" = Holgers PDFshellConvert 1.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{740A4B66-2185-403E-933A-85239C3898FB}" = Web Scraper Lite
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8148F35A-B15C-465B-80C2-DC0E1234EC20}" = Samsung PC Studio II 2.0 Image Editor
"{868D7896-99D4-4513-BC62-2B3AD3E24926}" = TuneUp Utilities 2006
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8927E07C-97F7-4A54-88FB-D976F50DD46E}" = Turbo Lister 2
"{896BF48E-344E-4982-BFEA-7C4F1BC54D93}" = Betfair Rapid
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B6FC947-8168-4086-915B-F71392823473}" = Paint.NET v2.63
"{9021D6A4-21EB-4EC6-A799-B23F390825E4}" = Bet Angel - Basic
"{90280407-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional mit FrontPage
"{90AF0407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}" = Sound Blaster Live!
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F942E88-5ECA-4A21-94B1-6F5182A1314F}" = 3D Canvas
"{A1B80495-4ED3-4ED0-BD57-7F9E0A0EDF35}" = Haufe iDesk-Browser
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8E97458-4089-48D2-9BEB-6FD62D4FBB33}" = TAXMAN Bibliothek 2007
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9669DD6-33A2-4F12-85BA-AA5EE03B3CA5}_is1" = Video Snapshot Wizard 1.1
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B8C11C23-F46C-48C1-8EA8-CEA82115586A}" = Multimedia Combo Set Driver
"{BB406CEB-6207-4512-9BB2-89950DC9D6B6}_is1" = ConvertXtoDVD 2.1.12
"{BCB4C18A-ACA6-4383-8688-E19933A705DD}" = Microsoft SOAP Toolkit 3.0
"{BD866896-F51F-43BC-A23B-E7A71C07D7D2}" = RealTick
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2C284D2-6BD7-3B34-B0C5-B2CAED168DF7}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DEU
"{C314CE45-3392-3B73-B4E1-139CD41CA933}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DEU
"{C4526CCC-CF15-4908-892F-37FAF69946A6}_is1" = nFLVPlayer
"{C4A4722E-79F9-417C-BD72-8D359A090C97}" = Samsung PC Studio 3
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C9A87D86-FDFD-418B-BF96-EF09320973B3}" = PC Inspector smart recovery
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BB}" = WinZip 14.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D4A6F05B-D32D-4EA3-B288-05894E803225}" = Betfair Poker
"{D4E01931-9B3F-49BD-B19B-511000A1E039}" = Samsung PC Studio II 2.0 PIMS & File Manager
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF166BA8-FA8D-456E-9411-4FAA0E11BE84}" = Betfair Trader
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = AusLogics Disk Defrag
"{E1423608-F529-40A1-93CA-C7F396F30DF0}" = Google SketchUp
"{E1BBBAC5-2857-4155-82A6-54492CE88620}" = Opera 9.64
"{E706D4DA-8463-412A-BEF7-A63D1A72CED8}" = Haufe iDesk-Service
"{E76CDDCE-EFC0-4FE5-9972-9489CE49AA55}_is1" = NeoDownloader 2.3c
"{EC1399C9-40E3-4BE6-B28E-D077E70FE21F}" = TMPGEnc 4.0 XPress Trial Version
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F850707C-B6A0-4B56-8709-F89CF8F9AC6D}" = Eraser
"{FB8148DD-C575-4B0A-9F6C-0CFC46937930}" = Opera 10.10
"3GP Video Converter 3" = 3GP Video Converter 3
"4Musics WAV to MP3 Converter 4.2_is1" = 4Musics WAV to MP3 Converter 4.2
"7-Zip" = 7-Zip 4.65
"964DE571-3F1E-45CB-829D-648AACF33A52_is1" = Registry CleanUP 2008
"Abloadtool" = Abloadtool
"Absolute Poker" = Absolute Poker
"AC3Filter_is1" = AC3Filter 1.63b
"Actual RAR Repair_is1" = Actual RAR Repair v.3.0
"Ad-Aware" = Ad-Aware
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AdobeESD" = Adobe Download Manager 2.2 (Nur entfernen)
"Advanced GIF Animator_is1" = Advanced GIF Animator 3.0
"Advanced MP3/WMA Recorder" = Advanced MP3/WMA Recorder
"Advanced RAR Repair v1.2" = Advanced RAR Repair v1.2
"Advanced USB Port Monitor_is1" = Advanced USB Port Monitor
"AirRack_is1" = AirRack 1.0
"Alive 3GP Video Converter_is1" = Alive 3GP Video Converter (version 1.6.9.6)
"Ares Tube_is1" = Ares Tube 3.0
"Ashampoo Burning Studio 6" = Ashampoo Burning Studio 6
"Ashampoo FireWall_is1" = Ashampoo FireWall 1.20
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.5 (Unicode)
"Audacity_is1" = Audacity 1.2.6
"Audio To Video Mixer_is1" = Audio To Video Mixer version 3.1
"AvaTrader" = AvaTrader (remove only)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"AVS DVD Player_is1" = AVS DVD Player version 2.4
"B991B020-2968-11D8-AF23-444553540000_is1" = FreeMind
"Bass Audio Decoder" = Bass Audio Decoder (remove only)
"bet365poker" = bet365poker
"Boilsoft AVI to VCD SVCD DVD Converter_is1" = Boilosft AVI to VCD SVCD DVD Converter 3.61
"Bridge Building Game" = Bridge Building Game
"Burn4Free" = Burn4Free CD and DVD
"Burn4Free Toolbar" = Burn4Free Toolbar
"BurnQuick" = BurnQuick
"CadStd" = CadStd
"CaribbeanSunPoker" = SunPoker.com
"CCleaner" = CCleaner
"CD Audio Reader Filter" = CD Audio Reader Filter (remove only)
"CodInstl" = Intel A/V Codecs V2.0
"CoffeeCup GIF Animator" = CoffeeCup GIF Animator
"Convexsoft Video to FLV SWF GIF Converter" = Convexsoft Video to FLV SWF GIF Converter
"DCoder Image Source" = DCoder Image Source (remove only)
"DirectVobSub" = DirectVobSub (remove only)
"DivX Content Uploader" = DivX Content Uploader
"Dream Poker" = Dream Poker
"Driver Utility_is1" = Driver Utility
"DScaler 5 Mpeg Decoders_is1" = DScaler 5 Mpeg Decoders
"E.M. Magic Swf2Avi 2008_is1" = E.M. Magic Swf2Avi 2008 build 5.2.7.281
"EasyBurning" = Easy Burning (remove only)
"Elecard MPEG-2 Decoder&Streaming Pack 1.0.50824" = Elecard MPEG-2 Decoder&Streaming Pack
"Eraser" = Eraser
"EXIFutils for Windows" = EXIFutils for Windows
"Expekt_is1" = Expekt Poker
"EZ-Forms PRO TestDrive5.50.ec" = EZ-Forms PRO TestDrive
"FairBot_is1" = FairBot 1.6
"ffdshow_is1" = ffdshow [rev 3124] [2009-11-03]
"FFMPEG Core Files" = FFMPEG Core Files (remove only)
"Flash Movie Extract Pilot (freeware)_is1" = Flash Movie Extract Pilot
"Flash to Video Encoder Pro_is1" = Flash to Video Encoder Pro
"Flash-SWF to AVI GIF Converter_is1" = Flash-SWF to AVI GIF Converter v2.013 (Release date: 06-09-01 F
"FLV Encoder" = FLV Encoder 1.0.4
"FLVPlayer" = FLV Player 1.3.3
"FormatFactory" = FormatFactory 1.85
"Foxit PDF Editor" = Foxit PDF Editor
"Free 3GP Video Converter_is1" = Free 3GP Video Converter version 2.5
"Free Studio_is1" = Free Studio version 4.2
"Free YouTube Download_is1" = Free YouTube Download 2.1
"Free YouTube to Mp3 Converter_is1" = Free YouTube to Mp3 Converter version 2.5
"Gabest MPEG Splitter" = Gabest MPEG Splitter (remove only)
"GoogleVideoPlayer" = Google Video Player
"GPL Ghostscript 8.15" = GPL Ghostscript 8.15
"GPL Ghostscript Fonts" = GPL Ghostscript Fonts
"GSview 4.9" = GSview 4.9
"HaaliMkx" = Haali Media Splitter
"HDCleaner" = HDCleaner
"HijackThis" = HijackThis 2.0.2
"HyperCam 2" = HyperCam 2
"IIM5_is1" = iMacros V5.10
"ImageConverter Plus_is1" = ImageConverter Plus 7.1
"IN MEDIA KG - CSV-Editor_is1" = IN MEDIA KG - CSV-Editor
"InfraRecorder" = InfraRecorder
"InstallShield_{740A4B66-2185-403E-933A-85239C3898FB}" = Web Scraper Lite
"InstallShield_{B8C11C23-F46C-48C1-8EA8-CEA82115586A}" = Multimedia Combo Set Driver
"Intertops Poker" = Intertops Poker
"IrfanView" = IrfanView (remove only)
"IsoBuster_is1" = IsoBuster 1.9.1
"Joost" = Joost ™ Beta 1.0
"KAMERA v1.1" = KAMERA v1.1
"Ladbrokes Poker" = Ladbrokes Poker
"Magic Mirror_is1" = Magic Mirror 3.0
"Magic Swf2Gif_is1" = Magic Swf2Gif 1.35
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mermaid Poker" = Mermaid Poker
"Messenger Plus! Live" = Messenger Plus! Live
"Messer_is1" = Messer v0.992
"MetaProducts StartUp Organizer" = MetaProducts StartUp Organizer
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mihov Picture Downloader" = Mihov Picture Downloader 1.4 (remove only)
"MIKSOFT Mobile AMR converter_is1" = MIKSOFT Mobile AMR converter
"MONOGRAM AMR Splitter/Decoder" = MONOGRAM AMR Splitter/Decoder (remove only)
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MPEG-AVI 2 GIF 1" = MPEG-AVI 2 GIF 1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"OpenSource AVI Splitter" = OpenSource AVI Splitter (remove only)
"OpenSource DTS/AC3/DD+ Source Filter" = OpenSource DTS/AC3/DD+ Source Filter (remove only)
"Orbit_is1" = Orbit Downloader
"OtsDJ Demo" = OtsDJ Demo 1.75.008
"Pacific Poker" = Pacific Poker
"PartyPokerNet" = PartyPokerNet
"PDF Editor 2" = PDF Editor 2
"PhotoFiltre" = PhotoFiltre
"PhotoLine 32_is1" = PhotoLine 32, Version 13.00
"PhotoRescue PC_is1" = PhotoRescue PC v3.1.4.10864
"Prism" = Prism Video Converter
"RealMedia" = RealMedia (remove only)
"RealPlayer 6.0" = RealPlayer
"Recover My Files_is1" = Recover My Files
"RMVB Player_is1" = RMVB Player 1.0
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"Samsung Mobile USB Modem" = Samsung Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"Security Task Manager" = Security Task Manager 1.7e
"SHOUTcast Source" = SHOUTcast Source (remove only)
"Soundman_is1" = Soundman 1.4.7
"SpeedTestPro_is1" = Absolute Futurity SpeedTestPro Ver 1.0.71
"Sportcalculator" = Sportcalculator
"Steam" = Steam
"Streamripper" = Streamripper (Remove only)
"SUPER ©" = SUPER © Version 2008.bld.33 (Sep 2, 2008)
"SWF & FLV Toolbox_is1" = SWF & FLV Toolbox 3.5 (build 3.5.20.286)
"SWF To Image library (full)_is1" = SWF To Image
"SWR3 RauchFrei_is1" = SWR3 RauchFrei Version 1.2
"ToolBox" = NCH Toolbox
"Total HTML Converter_is1" = TotalHTMLConverter
"Total Video Converter 3.12_is1" = Total Video Converter 3.12 080330
"TreeSize Free_is1" = TreeSize Free V2.2.1
"TV-Total Emulator_is1" = TV-Total Emulator v1.4.1.1
"TVUPlayer" = TVUPlayer 1.5.12
"Ultra Flash Video FLV Converter_is1" = Ultra Flash Video FLV Converter 4.2.0716
"Ultra Flat Metal USB-Hub Keyboard" = Ultra Flat Metal USB-Hub Keyboard
"Uninstall_is1" = Uninstall 1.0.0.1
"Uplink Demo" = Uplink Demo (remove only)
"Vegas Poker 247" = Vegas Poker 247
"Versato" = Slim Multimedia Keyboard
"Video-AVI to GIF-JPEG" = Video-AVI to GIF-JPEG 3.1
"VidGIF_is1" = VidGIF
"Virtual DJ - Atomix Productions" = Virtual DJ - Atomix Productions
"VLC media player" = VLC media player 1.0.3
"WebMon_is1" = WebMon
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Window Topper_is1" = Window Topper 3.1
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinGimp-2.0_is1" = GIMP 2.4.6
"WinGTK-2_is1" = GTK+ 2.10.6-1 runtime environment
"WinPatrol" = WinPatrol
"WinRAR archiver" = WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wordpool_is1" = Wordpool 2.7.7
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XFeeder" = XFeeder 1.6
"XFeeder_2.0 Lite" = XFeeder 2.0 Lite
"Xilisoft FLV Converter" = Xilisoft FLV Converter
"xp-AntiSpy" = xp-AntiSpy 3.96-2
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Widget Engine" = Yahoo! Widget Engine
"YASA 3GP Video Converter v3.8 (build 0055)" = YASA 3GP Video Converter v3.8 (build 0055)
"YInstHelper" = Yahoo! Install Manager
"ZoomPlayer" = Zoom Player (remove only)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1644491937-823518204-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"5f48e2ab41c5d005" = RapidShare Manager
"Google Chrome" = Google Chrome
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 18.04.2010 17:56:00 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

Error - 18.04.2010 18:23:09 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

Error - 19.04.2010 04:46:42 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

Error - 19.04.2010 04:53:24 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

Error - 19.04.2010 05:23:09 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

Error - 19.04.2010 05:53:23 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

Error - 19.04.2010 06:23:08 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

Error - 19.04.2010 06:53:29 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

Error - 19.04.2010 07:23:10 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

Error - 19.04.2010 07:53:24 | Computer Name = xxx | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 18.04.2010 07:18:23 | Computer Name = xxx | Source = Service Control Manager | ID = 7000
Description = Der Dienst "WWL 401 Video Camera Device" wurde aufgrund folgenden
Fehlers nicht gestartet: %%2

Error - 18.04.2010 07:18:29 | Computer Name = xxx | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
i8042prt

Error - 18.04.2010 07:33:56 | Computer Name = xxx | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1058" aufgetreten, als der Dienst "upnphost"
mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Error - 18.04.2010 09:53:22 | Computer Name = xxx | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1058" aufgetreten, als der Dienst "upnphost"
mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Error - 18.04.2010 09:58:23 | Computer Name = xxx | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1058" aufgetreten, als der Dienst "upnphost"
mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Error - 18.04.2010 15:41:09 | Computer Name = xxx | Source = Service Control Manager | ID = 7000
Description = Der Dienst "WWL 401 Video Camera Device" wurde aufgrund folgenden
Fehlers nicht gestartet: %%2

Error - 18.04.2010 15:41:19 | Computer Name = xxx | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
i8042prt

Error - 18.04.2010 17:51:24 | Computer Name = xxx | Source = DCOM | ID = 10005
Description = Bei DCOM ist der Fehler "%1058" aufgetreten, als der Dienst "upnphost"
mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Error - 19.04.2010 04:46:26 | Computer Name = xxx | Source = Service Control Manager | ID = 7000
Description = Der Dienst "WWL 401 Video Camera Device" wurde aufgrund folgenden
Fehlers nicht gestartet: %%2

Error - 19.04.2010 04:46:33 | Computer Name = xxx | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
i8042prt


< End of report >

gmer:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-14 00:23:07
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\xxx\LOKALE~1\Temp\fgliaaoc.sys


---- System - GMER 1.0.15 ----

SSDT F7DA4C66 ZwCreateKey
SSDT F7DA4C5C ZwCreateThread
SSDT F7DA4C6B ZwDeleteKey
SSDT F7DA4C75 ZwDeleteValueKey
SSDT F7DA4C7A ZwLoadKey
SSDT F7DA4C48 ZwOpenProcess
SSDT F7DA4C4D ZwOpenThread
SSDT \??\C:\DOKUME~1\xxx\LOKALE~1\Temp\ASFWHide ZwQuerySystemInformation [0xF7D94486]
SSDT F7DA4C84 ZwReplaceKey
SSDT F7DA4C7F ZwRestoreKey
SSDT F7DA4C70 ZwSetValueKey
SSDT \??\C:\DOKUME~1\xxx\LOKALE~1\Temp\ASFWHide ZwTerminateProcess [0xF7D946DA]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 301 804E295D 3 Bytes [44, D9, F7] {INC ESP; FINCSTP }
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6B67380, 0x21F24D, 0xE8000020]
? C:\WINDOWS\TEMP\mc21.tmp Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\svchost.exe[116] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\CTsvcCDA.exe[216] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\CTsvcCDA.exe[216] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\CTsvcCDA.exe[216] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Java\jre6\bin\jqs.exe[504] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Java\jre6\bin\jqs.exe[504] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Java\jre6\bin\jqs.exe[504] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe[616] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe[616] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe[616] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[640] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[640] KERNEL32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[664] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[664] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe[964] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe[964] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\nvsvc32.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\nvsvc32.exe[1152] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\nvsvc32.exe[1152] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\HPZipm12.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\HPZipm12.exe[1240] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\HPZipm12.exe[1240] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1336] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1336] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\svchost.exe[1336] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1460] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1460] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\svchost.exe[1460] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1520] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\MsPMSPSv.exe[1520] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1576] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1576] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\spoolsv.exe[1576] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1628] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1628] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1628] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Dokumente und Einstellungen\Boris\Desktop\picpick.exe[1800] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Dokumente und Einstellungen\Boris\Desktop\picpick.exe[1800] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Dokumente und Einstellungen\Boris\Desktop\picpick.exe[1800] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Avira\AntiVir Desktop\avgnt.exe[1840] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Avira\AntiVir Desktop\avgnt.exe[1840] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Avira\AntiVir Desktop\avgnt.exe[1840] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[1964] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[1964] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[1964] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Google\Update\GoogleUpdate.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Google\Update\GoogleUpdate.exe[1976] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Google\Update\GoogleUpdate.exe[1976] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Bonjour\mDNSResponder.exe[1992] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Bonjour\mDNSResponder.exe[1992] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Bonjour\mDNSResponder.exe[1992] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Dokumente und Einstellungen\Boris\Desktop\gmer.exe[2012] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Dokumente und Einstellungen\Boris\Desktop\gmer.exe[2012] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Dokumente und Einstellungen\Boris\Desktop\gmer.exe[2012] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Ashampoo\Ashampoo FireWall\FireWall.exe[2088] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Ashampoo\Ashampoo FireWall\FireWall.exe[2088] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Ashampoo\Ashampoo FireWall\FireWall.exe[2088] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Logitech\MouseWare\system\em_exec.exe[2116] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Logitech\MouseWare\system\em_exec.exe[2116] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Logitech\MouseWare\system\em_exec.exe[2116] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[2136] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[2136] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\RUNDLL32.EXE[2136] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\Programme\Multimedia Combo Set Driver\PS2USBKbdDrv.exe[2152] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Programme\Multimedia Combo Set Driver\PS2USBKbdDrv.exe[2152] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\Programme\Multimedia Combo Set Driver\PS2USBKbdDrv.exe[2152] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2624] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wscntfy.exe[2624] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\wscntfy.exe[2624] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[3140] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[3140] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\alg.exe[3140] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wuauclt.exe[3184] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wuauclt.exe[3184] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\wuauclt.exe[3184] kernel32.dll!CreateFileW 7C810760 6 Bytes JMP 5F040F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583c2c80f
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001583c2c80f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001583c2c80f (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{99CC4FB0-3379-2EC5-43A6-8C49EED81999}

---- EOF - GMER 1.0.15 ----


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:38 AM

Posted 19 April 2010 - 03:32 PM

Hello, thanks for letting me know about GMER; the log shows the sections I need to see, so no worries there.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Pulsar100

Pulsar100
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:38 AM

Posted 20 April 2010 - 06:23 AM

Supporter,

I ran ComboFix. It installed a Windows Recovery Console before it began "cleaning".
After it was finished, I received the Windows error message: msls51.dll file missing.
From that moment on I received over a hundred error messages that even more different Windows system files are now missing.
After ComboFix restarted the PC, I got error messages again, and now the Windows Explorer is gone. No internet connection either.

I tried to do the Windows Recovery Console. There you can choose the name of my Windows installation, and above it the Recovery Console. With the Recovery Console chosen, it starts in a black screen and shows some bars loading in a DOS environment.
It asks if I want to do recovery or to press exit.
I press "1" for my Windows installation.
Then there appears C:\
That's all.

Tell me how I go back to the point which was set from the Recovery Console before the ComboFix cleaning.




#6 Elise


Posted 20 April 2010 - 07:18 AM

Don't worry, I think I know what is causing this problem.

In the recovery console at c:\windows> type the following lines and press enter after every line.

cd system32

ren uxteme.dll uxtheme.vir

copy c:\windows\servicepackfiles\i386\uxtheme.dll uxtheme.dll


You should now see: 1 file(s) copied.

Type EXIT and press enter to reboot. If you still have the problems on reboot, try safe mode; this will work reasonably.

To explain what happens here: the msls51.dll file is required by an infected copy of uxtheme.dll. Because Combofix deleted msls51.dll, but left the infected copy of uxtheme.dll in place, uxtheme.dll now searches for msls51.dll on startup but doesn't find it.

regards, Elise
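Elise's explanation above (a patched uxtheme.dll that pulls in msls51.dll) can be verified offline by comparing the import table of the renamed uxtheme.vir with that of the clean ServicePackFiles\i386 copy: any DLL the suspect file imports that the clean copy does not is the injected dependency. The following Python script is an added example, not part of this thread or of any tool used in it; its PE builder only creates test fixtures, and the import lists it uses are made up, not uxtheme.dll's real ones.

```python
import struct

# Constructed fixture, not a real uxtheme.dll: a minimal PE32 image whose only
# content is an import directory naming the given DLLs (section at RVA 0x1000).
def build_pe_with_imports(dll_names):
    rva, raw, n = 0x1000, 0x200, len(dll_names)
    names = b"".join(d.encode() + b"\0" for d in dll_names)
    thunk = (n + 1) * 20 + len(names)             # one empty thunk list at the end
    body, pos = bytearray(), (n + 1) * 20
    for d in dll_names:                           # IMAGE_IMPORT_DESCRIPTOR (20 bytes)
        body += struct.pack("<5I", rva + thunk, 0, 0, rva + pos, rva + thunk)
        pos += len(d) + 1
    body += bytes(20) + names + bytes(4)          # terminator, name strings, null thunk
    opt = bytearray(224)                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic
    struct.pack_into("<I", opt, 60, raw)          # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, rva, (n + 1) * 20)   # import directory entry
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sec = struct.pack("<8s6I2HI", b".idata", len(body), rva, len(body), raw,
                      0, 0, 0, 0, 0x40000040)
    dos = bytearray(64)
    dos[:2], dos[60:64] = b"MZ", struct.pack("<I", 64)      # e_lfanew = 64
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr.ljust(raw, b"\0") + bytes(body)

def imported_dlls(data):
    """DLL names listed in a PE32 image's import directory (stdlib only)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                  # optional header follows COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only 32-bit PE32 images are handled here")
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]  # data directory [1]
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]                  # VirtualSize, VA, RawSize, RawPtr
    def off(r):                                    # RVA -> file offset
        for vsize, va, rsize, ptr in secs:
            if va <= r < va + max(vsize, rsize):
                return r - va + ptr
        raise ValueError(f"RVA {r:#x} lies outside every section")

    names, desc = [], off(imp_rva) if imp_rva else None
    while desc is not None and data[desc:desc + 20] != bytes(20):
        start = off(struct.unpack_from("<I", data, desc + 12)[0])   # Name RVA
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        desc += 20
    return names

def unexpected_imports(suspect, reference):
    """DLLs the suspect image imports that the clean reference copy does not."""
    known = {n.lower() for n in imported_dlls(reference)}
    return sorted({n.lower() for n in imported_dlls(suspect)} - known)

if __name__ == "__main__":
    # Constructed import lists (not uxtheme.dll's real ones); on a live system read both files with open(path, "rb").
    clean = build_pe_with_imports(["KERNEL32.dll", "USER32.dll"])
    patched = build_pe_with_imports(["KERNEL32.dll", "USER32.dll", "msls51.dll"])
    print(unexpected_imports(patched, clean))      # ['msls51.dll']
```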


#7 Pulsar100


Posted 20 April 2010 - 12:48 PM

Dear Supporter,

That's what I did:

cd system32

ren uxtheme.dll uxtheme.vir

copy c:\windows\servicepackfiles\i386\uxtheme.dll uxtheme.dll


After reboot, the desktop looked familiar, Explorer was there.
But there was a window of ComboFix, saying: "Writing combofix log file. Don't start any programs."
I waited a long time doing nothing, but nothing happened with ComboFix.
I couldn't start the Task Manager, and there were no icons in the task menu in the bottom right corner.
So I rebooted, this time in safe mode.
Then the ComboFix window was gone and all looked nice and working.
I rebooted again in normal mode, and it is all working.

So I have no ComboFix log file.
New is the ms internet explorer icon on the desktop.

I wonder why Malwarebytes didn't tell anything about msls51.dll or the uxtheme.dll.
Is my system now fully cleared?
What kind of malware was that exactly, what was its purpose?
Can I keep my Windows installation or is it better/safer to reinstall XP?

Thanks.




#8 Elise


Posted 20 April 2010 - 12:54 PM

Hello again,

Sorry for the typo, and good you spotted it.
QUOTE
New is the ms internet explorer icon on the desktop.
This is done by Combofix. Some malware likes to make it difficult to access the internet and hides this.

Can you please look if there is a log at c:\combofix.txt? If so please post it.

Please do NOT remove the renamed copy of uxtheme.dll yet (uxtheme.vir), I would like you to upload a copy of that file so we can have a look at it. However, first I want to see the log if it is there.

regards, Elise


#9 Pulsar100


Posted 20 April 2010 - 01:16 PM

Hello Supporter,

No, there is no combofix.txt in C:.



#10 Elise


Posted 20 April 2010 - 01:28 PM

Hello again, in that case let's run Combofix again.

CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

CODE
<http://www.bleepingcomputer.com/forums/index.php?showtopic=309497&view=findpost&p=1723566>

Collect::
c:\windows\system32\uxtheme.vir


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

regards, Elise


#11 Pulsar100


Posted 20 April 2010 - 01:37 PM

Supporter,

Ehm, somewhere I read that running ComboFix twice would harm the system, because ComboFix is a strong intervention for the system.
What do you think?

#12 Elise


Posted 20 April 2010 - 01:40 PM

Don't worry.

It's true Combofix is a powerful tool and that's why we do not recommend running it unsupervised. In your case, when something goes wrong, it's my job to get you up and running again. It wouldn't be the first time I have fixed that particular problem.

But in this case I see no reason why it would cause any serious problems.

regards, Elise


#13 Pulsar100


Posted 20 April 2010 - 01:51 PM

OK Supporter,

I will run ComboFix again later, after I have done some work here.



#14 Elise


Posted 20 April 2010 - 02:03 PM

No problem, take your time.

regards, Elise


#15 Pulsar100


Posted 20 April 2010 - 02:32 PM

OK, I can run it now.

Supporter, why should I be connected to the internet while running ComboFix?
What does ComboFix send via internet and to whom?

Do I have to switch off Avira and my firewall again?



