
Google results redirected...


31 replies to this topic

#1 katharina

Posted 15 May 2010 - 01:37 PM

Yesterday, while just browsing the web, I caught a 'Security Essentials 2010' trojan. It seemed as if a Java Web Starter window popped up briefly just seconds prior to the infection.

After precisely following Bleepingcomputer's removal instructions, the described files and Registry entries were successfully deleted by Malwarebytes, which, along with Superantispyware (complete OS drive scan) and Kaspersky (quick scan), reported no remaining infections.

However, my Google search result links are still sporadically redirected to spam sites. Reinstalling Firefox didn't help.
[Edit:] Chrome is affected, too. It starts, but it won't load any websites. Internet Explorer starts and loads fine, but also suffers from redirects.

I'd kindly ask you to have a quick look at my system.

Attached logs:
1. DDS
2. OTL Report, created adhering to Myrti's posts
3. GMER log ('ark.txt').

CODE
DDS (Ver_10-03-17.01) - NTFSx86  
Run by katha at 20:57:20,73 on Sa 15.05.2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional  5.1.2600.3.1252.49.1031.18.3326.1816 [GMT 2:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)   {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
d:\scripts\PowerPro\Pprotray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Creative\Shared Files\CTAudSvc.exe
C:\Programme\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NMSAccessU.exe
C:\Programme\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Programme\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\EIZO\ScreenManager Pro for LCD\Lcdctrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\GPSoftware\Directory Opus\dopusrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Sandboxie\SbieCtrl.exe
C:\Programme\Growl for Windows\Growl.exe
C:\Programme\GPSoftware\Directory Opus\dopus.exe
C:\Programme\FindAndRunRobot\FindAndRunRobot.exe
D:\scripts\autohotkey\AutoHotkey.exe
C:\Programme\Babylon\Babylon-Pro\Babylon.exe
D:\programme\everything\Everything-1.2.1.451a.exe
c:\programme\foobar2000\foobar2000.exe
C:\Programme\mozilla firefox\firefox.exe
D:\tmp\adhoc\5.15\OTL.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
D:\data\emacs-23\bin\emacs.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\tmp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://regalyzer/
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = 80.67.172.70:8118
mWinlogon: SfcDisable=-99 (0xffffff9d)
mWinlogon: Userinit=c:\windows\system32\userinit.exe,d:\scripts\powerpro\Pprotray.exe,
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\programme\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\programme\siber systems\ai roboform\roboform.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\programme\siber systems\ai roboform\roboform.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\programme\orbitdownloader\GrabPro.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Directory Opus Desktop Dblclk] "c:\programme\gpsoftware\directory opus\dopusrt.exe" /dblclk
uRun: [AdobeBridge]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "c:\programme\sandboxie\SbieCtrl.exe"
uRun: [Growl] c:\programme\growl for windows\Growl.exe
mRun: [ScreenManager Pro for LCD] c:\programme\eizo\screenmanager pro for lcd\Lcdctrl.exe
mRun: []
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [IE7] rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\dokume~1\nonseq~1\startm~1\progra~1\autost~1\direct~1.lnk - c:\programme\gpsoftware\directory opus\dopus.exe
StartupFolder: c:\dokume~1\nonseq~1\startm~1\progra~1\autost~1\findan~1.lnk - c:\programme\findandrunrobot\FindAndRunRobot.exe
StartupFolder: c:\dokume~1\nonseq~1\startm~1\progra~1\autost~1\main.lnk - d:\scripts\autohotkey\scripts\main.ahk
StartupFolder: c:\dokume~1\nonseq~1\startm~1\progra~1\autost~1\syncba~1.lnk - c:\programme\2brightsparks\syncbackse\SyncBackSE.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Download by Orbit - c:\programme\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\programme\orbitdownloader\orbitmxt.dll/204
IE: An vorhandene PDF-Datei anfügen - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\programme\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\programme\orbitdownloader\orbitmxt.dll/202
IE: In Adobe PDF konvertieren - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: RF - Formular ausfüllen - file://c:\programme\siber systems\ai roboform\RoboFormComFillForms.html
IE: RF - Formular speichern - file://c:\programme\siber systems\ai roboform\RoboFormComSavePass.html
IE: Translate with &Babylon - c:\programme\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\programme\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\programme\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\programme\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
LSP: c:\programme\vmware\vmware workstation\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: {DEECFAB6-361B-4AE7-A3B5-6EB19C668F00} = 192.168.1.1
Handler: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - c:\programme\gemeinsame dateien\binarysense\hlAPP.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Directory Opus Shell Execute Hook: {3cf9ece0-1a9f-11d2-8c73-00c06c2005de} - c:\programme\gpsoftware\directory opus\dopuslib.dll
mASetup: {6E4188EE-6F44-4DF5-810D-38DA4A57A747} - c:\dokumente und einstellungen\all users\application data\instedit.com\insted\AEremSendto.vbs

================= FIREFOX ===================

FF - ProfilePath - d:\arbeit~1\anwend~2\mozilla\firefox\profiles\x6ppvo6a.default\
FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programme\microsoft research\hdview for firefox\nphdview.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten\mozilla\plugins\npoctoshape.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten_lokal\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten_lokal\myvrnpapi\npmyvr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\programme\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programme\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programme\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\programme\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programme\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\programme\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\programme\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\programme\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programme\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programme\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programme\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-4-18 39472]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-3-29 911680]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 SASDIFSV;SASDIFSV;d:\arbeit~1\win_or~1\wintemp\sas_selfextract\SASDIFSV.SYS [2010-5-14 9968]
R1 SASKUTIL;SASKUTIL;d:\arbeit~1\win_or~1\wintemp\sas_selfextract\SASKUTIL.sys [2010-5-14 74480]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-9-6 123280]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]
R3 SbieDrv;SbieDrv;c:\programme\sandboxie\SbieDrv.sys [2010-4-17 115944]
S0 vvrzyqd;vvrzyqd;c:\windows\system32\drivers\vvrzyqd.sys [2010-5-14 755200]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2008-1-30 9472]
S2 gupdate1c98d46984b34e4;Google Update Service (gupdate1c98d46984b34e4);c:\programme\google\update\GoogleUpdate.exe [2009-2-12 133104]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\programme\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-3-29 160288]
S3 AVP;Kaspersky Anti-Virus;c:\programme\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
S3 GEST Service;GEST Service for program management.;c:\programme\gigabyte\gest\GSvr.exe [2008-4-11 47624]
S3 PORTMON;PORTMON;\??\d:\programme\essentiell\sysinternalssuite\portmsys.sys --> d:\programme\essentiell\sysinternalssuite\PORTMSYS.SYS [?]
S3 Ramdisk;Windows RAM-Laufwerktreiber;c:\windows\system32\drivers\ramdisk.sys [2000-4-19 20736]
S3 SASENUM;SASENUM;\??\d:\arbeit~1\win_or~1\wintemp\sas_selfextract\sasenum.sys --> d:\arbeit~1\win_or~1\wintemp\sas_selfextract\SASENUM.SYS [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\d:\arbeit~1\win_or~1\wintemp\tccpuinfo.sys --> d:\arbeit~1\win_or~1\wintemp\TCCpuInfo.sys [?]
S3 usbsnoop;usbsnoop (display);c:\windows\system32\drivers\usbsnoop.sys --> c:\windows\system32\drivers\usbsnoop.sys [?]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2009-6-25 31952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S4 afcdpsrv;Acronis Nonstop Backup service;c:\programme\gemeinsame dateien\acronis\cdp\afcdpsrv.exe [2010-3-29 2480048]

============== File Associations ===============

txtfile="c:\programme\e\e.exe" "%1"

=============== Created Last 30 ================

2010-05-15 16:24:07    0    d-----w-    C:\downloads
2010-05-15 15:37:08    0    d-----w-    d:\arbeit~1\anwend~2\SUPERAntiSpyware.com
2010-05-15 15:37:08    0    d-----w-    c:\dokume~1\alluse~1\anwend~1\SUPERAntiSpyware.com
2010-05-15 11:55:59    664    ----a-w-    c:\windows\system32\d3d9caps.dat
2010-05-14 21:33:26    0    d-----w-    d:\arbeit~1\anwend~2\Malwarebytes
2010-05-14 21:33:01    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 21:33:00    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-05-14 21:33:00    0    d-----w-    c:\programme\Malwarebytes' Anti-Malware
2010-05-14 21:33:00    0    d-----w-    c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2010-05-14 20:56:34    755200    ----a-w-    c:\windows\system32\drivers\vvrzyqd.sys
2010-05-14 20:56:22    16    ----a-w-    d:\arbeit~1\anwend~2\qvjsge.dat
2010-05-09 20:02:30    64    ----a-w-    c:\windows\system32\-1
2010-05-09 20:02:30    0    d-----w-    c:\programme\WinPcap
2010-05-01 19:33:14    180224    ----a-w-    c:\windows\system32\QTCF.dll

==================== Find3M  ====================

2010-05-13 13:27:55    237568    ----a-w-    c:\windows\system32\rmc_rtspdl.dll
2010-05-13 13:27:55    156672    ----a-w-    c:\windows\system32\rmc_fixasf.exe
2010-05-08 09:37:37    85920    ----a-w-    c:\windows\system32\perfc007.dat
2010-05-08 09:37:37    461490    ----a-w-    c:\windows\system32\perfh007.dat
2010-03-29 19:53:57    160288    ----a-w-    c:\windows\system32\drivers\afcdp.sys
2010-03-29 19:53:54    911680    ----a-w-    c:\windows\system32\drivers\tdrpm258.sys
2010-03-29 19:53:53    581984    ----a-w-    c:\windows\system32\drivers\timntr.sys
2010-03-29 19:53:47    158272    ----a-w-    c:\windows\system32\drivers\snapman.sys
2010-03-10 06:15:55    420352    ----a-w-    c:\windows\system32\vbscript.dll
2010-03-10 06:15:55    420352    ----a-w-    c:\windows\system32\dllcache\vbscript.dll
2010-03-03 10:05:38    411368    ----a-w-    c:\windows\system32\deploytk.dll
2010-02-25 09:45:00    11070976    ----a-w-    c:\windows\system32\dllcache\ieframe.dll
2010-02-25 06:15:07    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-02-25 06:15:07    916480    ----a-w-    c:\windows\system32\dllcache\wininet.dll
2010-02-25 06:15:07    12800    ------w-    c:\windows\system32\dllcache\xpshims.dll
2010-02-25 06:15:07    1209344    ----a-w-    c:\windows\system32\dllcache\urlmon.dll
2010-02-25 06:15:06    611840    ----a-w-    c:\windows\system32\dllcache\mstime.dll
2010-02-25 06:15:06    206848    ----a-w-    c:\windows\system32\dllcache\occache.dll
2010-02-25 06:15:05    5944832    ----a-w-    c:\windows\system32\dllcache\mshtml.dll
2010-02-25 06:15:02    594432    ----a-w-    c:\windows\system32\dllcache\msfeeds.dll
2010-02-25 06:15:02    55296    ----a-w-    c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-25 06:15:01    25600    ----a-w-    c:\windows\system32\dllcache\jsproxy.dll
2010-02-25 06:15:01    1985536    ----a-w-    c:\windows\system32\dllcache\iertutil.dll
2010-02-25 06:14:59    247808    ------w-    c:\windows\system32\dllcache\ieproxy.dll
2010-02-25 06:14:59    184320    ------w-    c:\windows\system32\dllcache\iepeers.dll
2010-02-25 06:14:55    387584    ----a-w-    c:\windows\system32\dllcache\iedkcs32.dll
2010-02-24 13:11:07    455680    ------w-    c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:53:49    173056    ----a-w-    c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 12:04:26    2192256    ----a-w-    c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 19:04:25    2069120    ------w-    c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 19:04:17    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
2010-02-16 19:04:17    2148864    ----a-w-    c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 19:04:17    2027008    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2010-02-16 19:04:17    2027008    ------w-    c:\windows\system32\dllcache\ntkrpamp.exe
2009-06-16 17:51:27    443    ----a-w-    c:\programme\gemeinsame dateien\fnp_registrations.xml
2009-01-23 08:12:51    655624    ----a-w-    c:\programme\gemeinsame dateien\FNPLicensingService.exe
2008-05-19 15:28:01    23    --sha-w-    c:\windows\system32\faaacbeaf7_z.dll
2009-10-16 13:33:47    16384    --sha-w-    c:\windows\system32\config\systemprofile\cookies\index.dat
2009-10-16 13:33:47    32768    --sha-w-    c:\windows\system32\config\systemprofile\lokale einstellungen\temporary internet files\content.ie5\index.dat
2009-10-16 13:33:47    32768    --sha-w-    c:\windows\system32\config\systemprofile\lokale einstellungen\verlauf\history.ie5\index.dat
2008-06-06 06:26:01    32768    --sha-w-    c:\windows\system32\config\systemprofile\lokale einstellungen\verlauf\history.ie5\mshist012008060620080607\index.dat

============= FINISH: 20:58:13,62 ===============



CODE
OTL logfile created on: 15.5.2010 19:36:32 - Run 1
OTL by OldTimer - Version 3.2.4.1     Folder = D:\tmp\adhoc\5.15
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: d.M.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 61,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): Z:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 24,41 Gb Total Space | 0,68 Gb Free Space | 2,79% Space Free | Partition Type: NTFS
Drive D: | 441,35 Gb Total Space | 31,90 Gb Free Space | 7,23% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 40,09 Gb Total Space | 25,75 Gb Free Space | 64,25% Space Free | Partition Type: NTFS
Drive N: | 385,66 Gb Total Space | 1,98 Gb Free Space | 0,51% Space Free | Partition Type: NTFS
Drive P: | 954,05 Mb Total Space | 949,78 Mb Free Space | 99,55% Space Free | Partition Type: FAT
Drive Y: | 35,00 Gb Total Space | 4,33 Gb Free Space | 12,36% Space Free | Partition Type: NTFS
Drive Z: | 5,00 Gb Total Space | 1,72 Gb Free Space | 34,31% Space Free | Partition Type: NTFS

Computer Name: MIT
Current User Name: katha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.05.15 19:27:22 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\tmp\adhoc\5.15\OTL.exe
PRC - [2010.04.29 16:43:38 | 001,782,272 | ---- | M] () -- c:\Programme\foobar2000\foobar2000.exe
PRC - [2010.04.17 12:56:08 | 000,394,984 | ---- | M] (tzuk) -- C:\Programme\Sandboxie\SbieCtrl.exe
PRC - [2010.04.17 12:56:06 | 000,073,960 | ---- | M] (tzuk) -- C:\Programme\Sandboxie\SbieSvc.exe
PRC - [2010.04.01 20:00:17 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2010.03.19 15:08:26 | 000,909,312 | ---- | M] (element code project) -- C:\Programme\Growl for Windows\Growl.exe
PRC - [2010.03.18 12:38:04 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Programme\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2010.03.17 09:07:24 | 007,312,840 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopus.exe
PRC - [2010.03.17 08:49:04 | 000,271,840 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopusrt.exe
PRC - [2010.02.28 21:13:58 | 004,421,632 | ---- | M] (DonationCoder.com) -- C:\Programme\FindAndRunRobot\FindAndRunRobot.exe
PRC - [2010.01.22 22:13:24 | 000,395,824 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
PRC - [2010.01.22 22:13:02 | 000,334,384 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe
PRC - [2010.01.22 22:12:46 | 000,113,200 | ---- | M] (VMware, Inc.) -- C:\Programme\VMware\VMware Workstation\vmware-authd.exe
PRC - [2009.11.24 18:21:10 | 000,760,320 | ---- | M] () -- D:\programme\everything\Everything-1.2.1.451a.exe
PRC - [2009.01.12 08:15:52 | 000,071,096 | ---- | M] () -- C:\WINDOWS\system32\NMSAccessU.exe
PRC - [2008.07.17 12:59:06 | 000,033,792 | ---- | M] (ww) -- d:\scripts\PowerPro\PProtray.exe
PRC - [2008.04.14 04:22:45 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008.04.02 09:46:49 | 003,551,456 | ---- | M] (Babylon Ltd.) -- C:\Programme\Babylon\Babylon-Pro\Babylon.exe
PRC - [2008.03.09 12:12:24 | 000,240,640 | ---- | M] () -- D:\scripts\autohotkey\AutoHotkey.exe
PRC - [2008.03.07 19:24:18 | 000,417,792 | ---- | M] (Creative Technology Ltd) -- C:\Programme\Creative\Shared Files\CTAudSvc.exe
PRC - [2008.02.07 06:17:22 | 011,859,240 | ---- | M] (EIZO NANAO CORPORATION) -- C:\Programme\EIZO\ScreenManager Pro for LCD\Lcdctrl.exe


========== Modules (SafeList) ==========

MOD - [2010.05.15 19:27:22 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\tmp\adhoc\5.15\OTL.exe
MOD - [2010.03.17 09:13:10 | 000,311,232 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopushlp.dll
MOD - [2010.03.17 08:48:06 | 000,838,104 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopuslib.dll
MOD - [2008.07.17 12:59:06 | 000,027,648 | ---- | M] () -- d:\scripts\PowerPro\PProtray.Dll
MOD - [2008.04.14 04:22:25 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shfolder.dll
MOD - [2008.04.14 04:22:18 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2008.04.14 04:22:07 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll
MOD - [2008.04.14 04:21:06 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2008.03.06 13:05:18 | 000,181,248 | ---- | M] (Babylon Ltd.) -- C:\Programme\Babylon\Babylon-Pro\captlib.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] --  -- (Bonjour Service)
SRV - File not found [Auto | Stopped] --  -- (astcc)
SRV - [2010.04.17 12:56:06 | 000,073,960 | ---- | M] (tzuk) [Auto | Running] -- C:\Programme\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2010.03.29 21:53:57 | 002,480,048 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010.01.22 22:13:24 | 000,395,824 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2010.01.22 22:13:02 | 000,334,384 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2010.01.22 22:12:46 | 000,113,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Programme\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService)
SRV - [2010.01.22 21:00:48 | 000,563,760 | ---- | M] (VMware, Inc.) [Auto | Stopped] -- C:\Programme\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2009.11.12 05:42:50 | 000,661,072 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2009.10.20 20:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) [On_Demand | Stopped] -- C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe -- (AVP)
SRV - [2009.10.20 20:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Programme\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009.10.12 14:32:24 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Programme\VMware\VMware Workstation\vmware-ufad.exe -- (ufad-ws60)
SRV - [2009.01.23 10:12:51 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.01.12 08:15:52 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\NMSAccessU.exe -- (NMSAccess)
SRV - [2008.05.22 00:43:36 | 000,307,968 | ---- | M] (TuneUp Software GmbH) [Disabled | Stopped] -- C:\WINDOWS\system32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2008.03.07 19:24:18 | 000,417,792 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Programme\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008.02.27 13:15:14 | 000,028,416 | ---- | M] (TuneUp Software GmbH) [Disabled | Stopped] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2007.12.14 11:46:28 | 000,047,624 | ---- | M] () [On_Demand | Stopped] -- C:\Programme\GIGABYTE\GEST\GSvr.exe -- (GEST Service)
SRV - [2003.07.28 13:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010.05.14 23:41:34 | 000,755,200 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\vvrzyqd.sys -- (vvrzyqd)
DRV - [2010.05.14 21:09:36 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\arbeitsdaten\win_ordner\wintemp\SAS_SelfExtract\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010.05.14 21:09:36 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\arbeitsdaten\win_ordner\wintemp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2010.04.17 12:56:02 | 000,115,944 | ---- | M] (tzuk) [Kernel | On_Demand | Running] -- C:\Programme\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV - [2010.03.29 21:53:57 | 000,160,288 | ---- | M] (Acronis) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\afcdp.sys -- (afcdp)
DRV - [2010.03.29 21:53:54 | 000,911,680 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm258.sys -- (tdrpman258) Acronis Try&Decide and Restore Points filter (build 258)
DRV - [2010.03.29 21:53:53 | 000,581,984 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2010.03.29 21:53:47 | 000,158,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010.01.22 22:14:20 | 000,032,688 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2010.01.22 22:14:16 | 000,026,288 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2010.01.22 22:14:14 | 000,023,216 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2010.01.22 22:14:12 | 000,854,192 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2010.01.22 22:14:12 | 000,070,704 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2010.01.22 22:13:04 | 000,014,896 | ---- | M] (VMware, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport)
DRV - [2010.01.22 21:00:42 | 000,032,304 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2010.01.22 17:13:00 | 000,016,560 | R--- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2009.12.17 19:52:19 | 000,073,312 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2009.11.30 13:27:36 | 000,123,280 | ---- | M] (Sun Microsystems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxDrv.sys -- (VBoxDrv)
DRV - [2009.11.21 04:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009.10.20 20:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009.10.12 14:31:52 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Programme\VMware\VMware Workstation\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2009.10.02 13:40:50 | 000,432,664 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2009.09.01 15:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2009.07.06 13:21:14 | 000,217,664 | ---- | M] (TrueCrypt Foundation) [Kernel | Disabled | Running] -- P:\crypt\TrueCrypt\truecrypt.sys -- (truecrypt)
DRV - [2009.05.29 20:13:38 | 000,031,952 | ---- | M] (Sun Microsystems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VBoxUSB.sys -- (VBoxUSB)
DRV - [2009.01.23 10:49:08 | 000,037,664 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2008.11.02 10:44:10 | 000,056,572 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008.04.13 20:41:23 | 000,020,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ramdisk.sys -- (Ramdisk)
DRV - [2008.04.13 20:20:12 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2008.04.13 18:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008.04.07 09:19:52 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2008.02.25 09:44:38 | 001,172,504 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2008.02.25 09:44:22 | 000,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2008.02.25 09:44:08 | 000,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2008.02.25 09:44:00 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2008.02.25 09:43:56 | 000,127,000 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2008.02.25 09:43:30 | 000,346,856 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2008.02.25 09:43:24 | 000,524,312 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2008.02.25 09:43:16 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2008.02.25 09:41:50 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2008.02.25 09:41:44 | 000,170,520 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2008.02.25 09:41:36 | 001,323,544 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2008.02.25 09:41:28 | 000,329,240 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2008.02.25 09:41:18 | 000,134,680 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2008.02.25 09:41:14 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2008.02.25 09:41:10 | 000,286,232 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2008.02.25 09:41:06 | 000,174,104 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2008.02.25 09:41:02 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2008.02.25 09:40:56 | 000,551,960 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2008.02.25 09:40:52 | 000,098,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2008.01.30 22:59:07 | 000,069,168 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\si3112.sys -- (Si3112)
DRV - [2008.01.30 22:53:55 | 000,009,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\dumpdrv.sys -- (DumpDrv)
DRV - [2008.01.30 22:53:52 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aspi32.sys -- (Aspi32)
DRV - [2008.01.03 22:10:16 | 000,105,856 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007.11.02 11:09:58 | 000,039,472 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\hotcore3.sys -- (hotcore3)
DRV - [2007.10.11 11:10:52 | 000,030,008 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ET5Drv.sys -- (ET5Drv)
DRV - [2007.07.23 10:56:58 | 000,042,624 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Alpham1.sys -- (Alpham1)
DRV - [2007.03.20 12:49:52 | 000,018,432 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Alpham2.sys -- (Alpham2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;
IE - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 80.67.172.70:8118

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Programme\Siber Systems\AI RoboForm\Firefox [2008.04.02 12:52:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Minefield 3.7a1pre\extensions\\Components: C:\Programme\Minefield\components [2009.09.28 19:26:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Minefield 3.7a1pre\extensions\\Plugins: C:\Programme\Minefield\plugins [2010.04.14 08:55:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Components: C:\Programme\ff3test\components
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Plugins: C:\Programme\ff3test\plugins
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.05.15 18:26:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.05.15 18:26:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Programme\Mozilla Thunderbird\components [2010.05.01 21:35:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Programme\Mozilla Thunderbird\plugins [2010.05.01 21:35:23 | 000,000,000 | ---D | M]

[2010.05.15 18:31:25 | 000,000,000 | ---D | M] -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Extensions
[2010.05.15 18:26:51 | 000,000,000 | ---D | M] -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\extensions
[2010.05.15 18:26:51 | 000,000,000 | ---D | M] (No name found) -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.05.15 18:26:51 | 000,000,000 | ---D | M] -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\extensions\staged-xpis
[2010.05.15 18:31:26 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.04.01 18:54:38 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.04.01 18:54:38 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.04.01 18:54:38 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.04.01 18:54:38 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.04.01 18:54:38 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009.11.06 21:01:39 | 000,001,504 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programme\Orbitdownloader\GrabPro.dll ()
O3 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Programme\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programme\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [ScreenManager Pro for LCD] C:\Programme\EIZO\ScreenManager Pro for LCD\Lcdctrl.exe (EIZO NANAO CORPORATION)
O4 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004..\Run: [AdobeBridge]  File not found
O4 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004..\Run: [Directory Opus Desktop Dblclk] C:\Programme\GPSoftware\Directory Opus\dopusrt.exe (GP Software)
O4 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004..\Run: [Growl] C:\Programme\Growl for Windows\Growl.exe (element code project)
O4 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004..\Run: [SandboxieControl] C:\Programme\Sandboxie\SbieCtrl.exe (tzuk)
O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix]  File not found
O4 - HKU\S-1-5-18..\RunOnce: [ShowDeskFix]  File not found
O4 - HKU\S-1-5-20..\RunOnce: [ShowDeskFix]  File not found
O4 - Startup: C:\Dokumente und Einstellungen\katha\Startmenü\Programme\Autostart\Directory Opus.lnk = C:\Programme\GPSoftware\Directory Opus\dopus.exe (GP Software)
O4 - Startup: C:\Dokumente und Einstellungen\katha\Startmenü\Programme\Autostart\Find and Run Robot.lnk = C:\Programme\FindAndRunRobot\FindAndRunRobot.exe (DonationCoder.com)
O4 - Startup: C:\Dokumente und Einstellungen\katha\Startmenü\Programme\Autostart\main.lnk = D:\scripts\autohotkey\Scripts\main.ahk ()
O4 - Startup: C:\Dokumente und Einstellungen\katha\Startmenü\Programme\Autostart\SyncBackSE.lnk = C:\Programme\2BrightSparks\SyncBackSE\SyncBackSE.exe (2BrightSparks Pte Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00  [binary data]
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00  [binary data]
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O7 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 1
O7 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF 03  [binary data]
O8 - Extra context menu item: &Download by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: An vorhandene PDF-Datei anfügen - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: In Adobe PDF konvertieren - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Linkziel an vorhandene PDF-Datei anhängen - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Linkziel in Adobe PDF konvertieren - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: RF - Formular ausfüllen - C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RF - Formular speichern - C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: Translate with &Babylon - C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9 - Extra Button: Ausfüllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : RF - Formular ausfüllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : RF - Formular speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RF - RoboForm-Leiste ein/aus - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Programme\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Programme\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O18 - Protocol\Handler\hddlife {BD758015-47D9-477A-8873-4B688A2BC0E2} - C:\Programme\Gemeinsame Dateien\BinarySense\hlAPP.dll (BinarySense, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (d:\scripts\PowerPro\Pprotray.exe) - d:\scripts\PowerPro\PProtray.exe (ww)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O28 - HKLM ShellExecuteHooks: {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Programme\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008.04.01 17:17:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{16864dc6-b3d5-11de-baa1-001d7dd033d6}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found
O33 - MountPoints2\{2e8fb90e-9f57-11dd-ba53-001d7dd033d6}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.05.15 18:29:05 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\win_ordner\desktop\Neuer Ordner
[2010.05.15 18:24:40 | 008,188,856 | ---- | C] (Mozilla) -- D:\arbeitsdaten\win_ordner\desktop\Firefox Setup 3.6.3.exe
[2010.05.15 18:24:07 | 000,000,000 | ---D | C] -- C:\downloads
[2010.05.15 17:37:08 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\anwendungsdaten\SUPERAntiSpyware.com
[2010.05.15 17:37:08 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
[2010.05.15 12:32:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010.05.15 12:20:02 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\katha\Recent
[2010.05.15 12:02:55 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\win_ordner\desktop\GooredFix Backups
[2010.05.14 23:33:26 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\anwendungsdaten\Malwarebytes
[2010.05.14 23:33:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.05.14 23:33:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.05.14 23:33:00 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.05.14 23:33:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.05.09 22:02:30 | 000,000,000 | ---D | C] -- C:\Programme\WinPcap
[2010.05.01 21:33:14 | 000,180,224 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QTCF.dll
[2008.02.20 20:59:14 | 000,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.05.15 19:05:00 | 000,001,148 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004UA.job
[2010.05.15 18:43:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.05.15 18:26:21 | 008,188,856 | ---- | M] (Mozilla) -- D:\arbeitsdaten\win_ordner\desktop\Firefox Setup 3.6.3.exe
[2010.05.15 13:55:59 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.05.15 12:33:09 | 000,237,662 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010.05.15 12:32:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.05.15 12:31:47 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010.05.15 12:31:25 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.05.15 12:31:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.05.15 12:31:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.05.15 12:31:09 | 3488,067,584 | -HS- | M] () -- C:\hiberfil.sys
[2010.05.15 12:30:28 | 007,864,320 | ---- | M] () -- C:\Dokumente und Einstellungen\katha\ntuser.dat
[2010.05.15 12:30:27 | 000,055,468 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000001-00001102-00000005-00211102}.rfx
[2010.05.15 12:30:27 | 000,055,468 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000001-00001102-00000005-00211102}.rfx
[2010.05.15 12:30:27 | 000,000,788 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000001-00001102-00000005-00211102}.rfx
[2010.05.15 12:10:54 | 000,002,760 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2010.05.15 00:31:10 | 000,000,283 | ---- | M] () -- C:\Dokumente und Einstellungen\katha\Startmenü\Programme\Autostart\ccleaner.lnk
[2010.05.14 23:41:34 | 000,755,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\vvrzyqd.sys
[2010.05.14 23:04:03 | 000,002,221 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Growl.lnk
[2010.05.14 22:56:22 | 000,000,016 | ---- | M] () -- D:\arbeitsdaten\anwendungsdaten\qvjsge.dat
[2010.05.14 22:05:00 | 000,001,096 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004Core.job
[2010.05.13 15:27:55 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2010.05.13 15:27:55 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
[2010.05.11 16:48:47 | 000,001,710 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Directory Opus.lnk
[2010.05.09 22:02:31 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\-1
[2010.05.09 21:53:43 | 000,000,746 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Sandboxed Web Browser.lnk
[2010.05.09 09:00:00 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\SyncBackSE Supermemo-Backup lokal.job
[2010.05.08 11:37:37 | 001,077,540 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.05.08 11:37:37 | 000,461,490 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.05.08 11:37:37 | 000,443,504 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.05.08 11:37:37 | 000,085,920 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.05.08 11:37:37 | 000,072,348 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.05.08 11:34:07 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010.05.08 11:34:07 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010.05.04 15:32:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.05.02 17:08:15 | 000,000,431 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\210_marine_girls_-_honey.mp3
[2010.05.01 16:06:13 | 000,000,426 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Verknüpfung mit neo layout.lnk
[2010.04.30 14:00:57 | 004,955,435 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\beat_happening-indian_summer.mp3
[2010.04.30 08:23:52 | 000,001,554 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\myKaruga shooter!.lnk
[2010.04.29 23:15:01 | 000,001,554 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Prototyp!.lnk
[2010.04.29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.04.29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.04.22 20:29:33 | 000,499,400 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.04.22 19:08:28 | 000,018,432 | ---- | M] () -- D:\arbeitsdaten\anwendungsdaten_lokal\GDIPFONTCACHEV1.DAT
[2010.04.21 08:45:37 | 000,001,887 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Earth.lnk
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.05.15 13:55:59 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.05.14 22:56:34 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\drivers\vvrzyqd.sys
[2010.05.14 22:56:22 | 000,000,016 | ---- | C] () -- D:\arbeitsdaten\anwendungsdaten\qvjsge.dat
[2010.05.11 16:48:47 | 000,001,710 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Directory Opus.lnk
[2010.05.09 22:02:30 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\-1
[2010.05.09 21:54:07 | 000,000,746 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Sandboxed Web Browser.lnk
[2010.05.02 17:08:14 | 000,000,431 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\210_marine_girls_-_honey.mp3
[2010.05.01 16:06:13 | 000,000,426 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Verknüpfung mit neo layout.lnk
[2010.04.30 14:00:34 | 004,955,435 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\beat_happening-indian_summer.mp3
[2010.04.30 08:23:52 | 000,001,554 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\myKaruga shooter!.lnk
[2010.04.29 23:15:01 | 000,001,554 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Prototyp!.lnk
[2010.04.21 08:45:37 | 000,001,887 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Earth.lnk
[2010.03.30 12:17:59 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\SyncBackPro.dll
[2009.11.09 23:54:03 | 000,002,760 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2009.10.20 20:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009.10.15 13:25:17 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009.05.09 14:05:58 | 000,339,968 | ---- | C] () -- C:\WINDOWS\System32\pythoncom25.dll
[2009.05.09 14:05:58 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\pywintypes25.dll
[2009.03.27 04:00:14 | 000,499,712 | R--- | C] () -- C:\WINDOWS\System32\XmlSpyLib.dll
[2008.11.15 02:46:00 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2008.07.24 10:40:51 | 000,000,125 | ---- | C] () -- C:\WINDOWS\fd3.INI
[2008.07.16 15:55:02 | 000,002,005 | ---- | C] () -- C:\WINDOWS\APDFPRP.INI
[2008.05.19 17:28:01 | 000,000,023 | -HS- | C] () -- C:\WINDOWS\System32\faaacbeaf7_z.dll
[2008.05.19 11:47:16 | 000,001,131 | ---- | C] () -- C:\WINDOWS\CDPlayer.ini
[2008.04.30 09:33:43 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008.04.19 11:34:31 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.04.18 08:22:16 | 004,244,744 | ---- | C] () -- C:\WINDOWS\System32\qtp-mt334.dll
[2008.04.18 08:22:16 | 000,247,560 | ---- | C] () -- C:\WINDOWS\System32\prgiso.dll
[2008.04.05 12:38:54 | 000,000,152 | ---- | C] () -- C:\WINDOWS\CoolPlay.ini
[2008.04.02 09:30:10 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008.04.02 09:30:09 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008.04.02 09:23:40 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008.04.01 21:29:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIGER.DLL
[2008.04.01 20:29:04 | 000,000,154 | ---- | C] () -- C:\WINDOWS\usdthank.ini
[2008.04.01 20:29:03 | 000,000,031 | ---- | C] () -- C:\WINDOWS\idc.ini
[2008.04.01 17:21:59 | 000,394,752 | ---- | C] () -- C:\WINDOWS\System32\cygwinb19.dll
[2008.02.25 14:55:32 | 000,101,603 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008.02.20 21:24:36 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008.02.20 21:00:12 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2008.01.30 22:54:00 | 001,800,192 | ---- | C] () -- C:\WINDOWS\System32\hmtcdres.dll
[2008.01.30 22:53:58 | 000,394,240 | ---- | C] () -- C:\WINDOWS\System32\hmtcd.dll
[2007.12.05 01:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007.08.13 20:45:02 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2006.10.02 17:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[1998.03.14 06:22:21 | 000,002,880 | --S- | C] () -- C:\WINDOWS\System32\argtmp39.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS  >
[2008.01.30 23:08:22 | 016,804,055 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008.06.06 08:20:04 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008.06.06 08:20:04 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008.04.13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS  >
[2008.01.30 23:08:22 | 016,804,055 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008.06.06 08:20:04 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008.06.06 08:20:04 | 023,898,261 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008.01.30 21:48:32 | 000,096,384 | ---- | M] (Microsoft Corporation) MD5=2218E3FD674DC284CE98C807086CAB14 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008.01.30 22:48:32 | 000,096,384 | ---- | M] (Microsoft Corporation) MD5=2218E3FD674DC284CE98C807086CAB14 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
[2008.01.30 21:48:32 | 000,096,384 | ---- | M] (Microsoft Corporation) MD5=2218E3FD674DC284CE98C807086CAB14 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008.04.13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL  >
[2008.04.14 04:22:10 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008.04.14 04:22:10 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\system32\eventlog.dll
[2008.09.03 15:17:20 | 000,028,797 | R--- | M] () MD5=258ED9A1CCD8102C3236DD97354C51EC -- C:\Programme\Perl\lib\auto\Win32\EventLog\EventLog.dll
[2008.01.30 22:50:04 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=44387A49F02E25F5F5028C48264E1CBE -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS  >
[2008.01.30 22:58:56 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\NLDRV\003\iastor.sys
[2008.01.30 22:59:13 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\NLDRV\010\iastor.sys
[2008.01.30 22:59:28 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\NLDRV\012\iastor.sys
[2009.10.02 13:40:50 | 000,432,664 | ---- | M] (Intel Corporation) MD5=D5EDB998656E6ECF1A17C78DAB019A3C -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL  >
[2008.04.14 04:22:19 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008.04.14 04:22:19 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\system32\netlogon.dll
[2008.01.30 22:51:28 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=45120C7710B788E0600ABAFFD1F43CBD -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS  >
[2008.01.30 22:59:05 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\WINDOWS\NLDRV\004\nvatabus.sys

< MD5 for: NVRAID.SYS  >
[2008.01.30 22:59:05 | 000,077,056 | ---- | M] (NVIDIA Corporation) MD5=A4F2A29B9D40F9FFBBB54E56CE483797 -- C:\WINDOWS\NLDRV\004\nvraid.sys

< MD5 for: SCECLI.DLL  >
[2008.04.14 04:22:23 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008.04.14 04:22:23 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\system32\scecli.dll
[2008.01.30 22:52:07 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=B3C5C15F59E7F3555AA148E5D49709A3 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< MD5 for: VIAMRAID.SYS  >
[2008.01.30 22:59:11 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\WINDOWS\NLDRV\009\viamraid.sys
[2008.01.30 22:59:10 | 000,092,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=FBF18F9F5FB852C2976723587B44F346 -- C:\WINDOWS\NLDRV\008\viamraid.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008.04.01 19:05:19 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008.04.01 19:05:19 | 002,187,264 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008.04.01 19:05:19 | 000,458,752 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010.03.29 21:53:57 | 000,160,288 | ---- | M] (Acronis) -- C:\WINDOWS\system32\drivers\afcdp.sys
[2010.02.15 21:07:07 | 000,315,408 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klif.sys
[2010.04.29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010.04.29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010.02.24 15:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010.03.29 21:53:47 | 000,158,272 | ---- | M] (Acronis) -- C:\WINDOWS\system32\drivers\snapman.sys
[2010.03.29 21:53:54 | 000,911,680 | ---- | M] (Acronis) -- C:\WINDOWS\system32\drivers\tdrpm258.sys
[2010.03.29 21:53:53 | 000,581,984 | ---- | M] (Acronis) -- C:\WINDOWS\system32\drivers\timntr.sys
[2010.05.14 23:41:34 | 000,755,200 | ---- | M] () -- C:\WINDOWS\system32\drivers\vvrzyqd.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 2960 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\sdpsenv.dat:naughtypirates
< End of report >


CODE
OTL Extras logfile created on: 15.5.2010 19:36:32 - Run 1
OTL by OldTimer - Version 3.2.4.1     Folder = D:\tmp\adhoc\5.15
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: d.M.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 61,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): Z:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 24,41 Gb Total Space | 0,68 Gb Free Space | 2,79% Space Free | Partition Type: NTFS
Drive D: | 441,35 Gb Total Space | 31,90 Gb Free Space | 7,23% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 40,09 Gb Total Space | 25,75 Gb Free Space | 64,25% Space Free | Partition Type: NTFS
Drive N: | 385,66 Gb Total Space | 1,98 Gb Free Space | 0,51% Space Free | Partition Type: NTFS
Drive P: | 954,05 Mb Total Space | 949,78 Mb Free Space | 99,55% Space Free | Partition Type: FAT
Drive Y: | 35,00 Gb Total Space | 4,33 Gb Free Space | 12,36% Space Free | Partition Type: NTFS
Drive Z: | 5,00 Gb Total Space | 1,72 Gb Free Space | 34,31% Space Free | Partition Type: NTFS

Computer Name: MIT
Current User Name: katha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.txt [@ = txtfile] -- C:\Programme\e\e.exe ()

[HKEY_USERS\S-1-5-21-1606980848-1960408961-725345543-1004\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Programme\Firefox3\firefox.exe" -requestPending -osint -url "%1" File not found
https [open] -- "C:\Programme\Firefox3\firefox.exe" -requestPending -osint -url "%1" File not found
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- "C:\Programme\e\e.exe" "%1" ()
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Betrachten mit XnView] -- "C:\Programme\XnView\xnview.exe" "%1" (XnView, http://www.xnview.com)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Programme\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Programme\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Programme\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"2799:UDP" = 2799:UDP:*:Enabled:Altova License Metering Port (UDP)
"2799:TCP" = 2799:TCP:*:Enabled:Altova License Metering Port (TCP)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Programme\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe" = C:\Programme\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services -- (Rosetta Stone Ltd.  )
"C:\Programme\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe" = C:\Programme\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone Version 3 Application -- (Rosetta Stone Ltd.  )
"C:\Programme\VMware\VMware Workstation\vmware-authd.exe" = C:\Programme\VMware\VMware Workstation\vmware-authd.exe:*:Enabled:VMware Authd -- (VMware, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\Bonjour\mDNSResponder.exe" = C:\Programme\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour -- File not found
"C:\Programme\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe" = C:\Programme\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services -- (Rosetta Stone Ltd.  )
"C:\Programme\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe" = C:\Programme\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone Version 3 Application -- (Rosetta Stone Ltd.  )
"C:\Programme\xchat\xchat.exe" = C:\Programme\xchat\xchat.exe:*:Enabled:XChat IRC Client -- ()
"C:\Programme\Spotify\spotify.exe" = C:\Programme\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Programme\Gemeinsame Dateien\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Programme\Gemeinsame Dateien\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Programme\gnucash\bin\gnucash-bin.exe" = C:\Programme\gnucash\bin\gnucash-bin.exe:*:Enabled:GnuCash Free Finance Manager -- ()
"C:\Programme\gnucash\bin\gconfd-2.exe" = C:\Programme\gnucash\bin\gconfd-2.exe:*:Enabled:GConf Settings Manager -- ()
"C:\Programme\VMware\VMware Workstation\vmware-authd.exe" = C:\Programme\VMware\VMware Workstation\vmware-authd.exe:*:Enabled:VMware Authd -- (VMware, Inc.)
"C:\Programme\uTorrent\uTorrent.exe" = C:\Programme\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{003BFBBD-6C67-419E-A24D-0DCAFC3A5249}" = tools-freebsd
"{00C297B1-02F3-4BEE-8B57-7BCA695A41DA}" = EverNote
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{0819E89D-6214-4B6F-A18D-4633CB4E0E4A}" = Softwareupdate für Webordner
"{08C0729E-3E50-11DF-9D81-005056806466}" = Google Earth
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{098A2A49-7CF3-4F08-A38D-FB879117152A}" = Adobe Color NA Extra Settings CS4
"{0D025345-1033-4F35-A5CE-68CDCDE6CC03}" = Evernote
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0DC0E85F-36E4-463B-B3EA-4CD8ED2222A1}" = Adobe Color EU Recommended Settings CS4
"{0E592C31-09EF-3CA1-A7DE-05D13DFCF791}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - deu
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{148E08FF-D7C4-46ED-8D4D-601C67FE0AFD}" = Rosetta Stone Version 3
"{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}" = Adobe SGM CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}" = Sound Blaster X-Fi
"{197597A7-AD33-4898-9D8E-73066818B464}" = tools-netware
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}" = Adobe InDesign CS4
"{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}" = Adobe InDesign CS4 Icon Handler
"{235674B0-A35F-4811-8A8F-E8F42A919EA3}" = PhotoPresets with One-Click WOW!
"{24aab420-4e30-4496-9739-3e216f3de6ae}" = Python 2.6.2
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
"{2BAF2B96-7560-48B4-87D4-10178DDBE217}" = Adobe InDesign CS4 Application Feature Set Files (Roman)
"{2DFAC810-6DD8-4E23-96A4-BEB118408203}" = Mask Pro 4.1
"{2E0DFC24-7C4B-4DCF-BCC7-81C513BED3BC}" = Python 2.5.4
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{32A3A4F4-B792-11D6-A78A-00B0D0160120}" = Java™ SE Development Kit 6 Update 12
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{353B1E6D-7073-4450-8C80-699BD8FCFB49}" = MTP Porting Kit
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{414A373B-59DF-4102-94CA-9FE9A74CBDDA}" = Garmin Trip and Waypoint Manager v5
"{43A056A0-2804-4FF4-ADA7-1E8B239E8E4A}" = Altova XMLSpy® 2009 sp1 Enterprise Edition
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A52555C-032A-4083-BDD9-6A85ABFB39A8}" = Adobe SING CS4
"{556DF27F-5B74-11D5-B876-004005E12EF1}" = GPSoftware Directory Opus
"{572F1B5E-6FDF-422E-8FED-1156DD211269}" = PDF2ID v1.1
"{5869CE1E-BC0B-4648-B1AE-6EF4A985590C}" = Dynamic Energy Saver 1.0 B8.0128.1
"{5888428E-699C-4E71-BF71-94EE06B497DA}" = TuneUp Utilities 2008
"{58FA5D40-E35A-47ED-8AFA-68CCC758559E}" = Garmin MapSource
"{59991D18-A988-45AB-B1BF-5ADE6E64CD3F}" = SnagIt 9
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{67ED38A3-4882-448B-B44D-3428AB00D7D5}" = Acronis True Image Home
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}" = Adobe InDesign CS4 Common Base Files
"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer
"{81CB77FF-9789-4337-A46E-185F7876AC40}" = Adobe Photoshop Lightroom 2.6
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{82A27957-45D5-41BC-8593-60249895727B}" = ActivePerl 5.10.0 Build 1004
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{92DF2F1B-F63C-4D9A-B3E1-B2D11AE29790}" = Windows Presentation Foundation Language Pack (DEU)
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{943B6738-4801-4982-90EC-0442EF7AEB16}" = Kaspersky Anti-Virus 2010
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A128921B-D03F-4BFB-8141-C365AA48D660}" = Adobe Setup
"{A2881E09-38DB-4F79-9135-00FDA01768A7}" = Adobe Creative Suite 4 Design Premium
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}" = VMware Workstation
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB1C87CB-1807-4CF0-B4C2-CEE14C18CDB4}" = tools-solaris
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}_932" = Adobe Acrobat 9.3.2 - CPSID_53951
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{ADF29850-DAD7-4F1D-B9DE-0AC58A167C0F}" = Sun VirtualBox
"{AE0F62A7-A1A2-407F-9F4C-48939BD9AD8D}" = tools-winPre2k
"{AF515C21-22F7-41B7-B2D1-1E06093BC13A}" = Keyboard Shortcuts Panel
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2C284D2-6BD7-3B34-B0C5-B2CAED168DF7}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DEU
"{C314CE45-3392-3B73-B4E1-139CD41CA933}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DEU
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C700F32C-32E6-4F47-A73B-3632CF29DA62}" = Growl for Windows
"{C86E7C99-E4AD-79C7-375B-1AEF9A91EC2B}" = Acrobat.com
"{C9BB0122-EB81-4C55-AF0E-39B9925E08CF}}_is1" = Helium Music Manager 2009 (build 6910)
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CCF22908-ECD2-4068-84F1-BA02DA1EC72D}" = GoGear Spark Device Manager
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D102611A-6466-4101-A51D-51069303AC65}" = tools-linux
"{D42AE162-C718-4CC8-B8BF-C58C9839CAE4}" = YAAC
"{D5A7D7AB-3093-3619-9261-74DB250ECF7B}" = Microsoft Visual C++ 2008 Express Edition with SP1 - DEU
"{D8087907-E255-3A41-A46D-D0F798709C71}" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"{DAB265AD-27B2-4651-B8D8-F4F3A8ECC705}" = ScreenManager Pro for LCD
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E6445FCC-EAF6-4E35-9E72-6EF105A4C177}" = HDView for Firefox
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{E7A9DCC5-8D19-4B95-BED8-2DB41F920F11}" = Microsoft WorldWide Telescope
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F856EB81-52F8-40B8-A180-3A20F1A14587}" = GoGear Spark Device Manager
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FB8BD91F-DC90-4770-AE33-8AA6AA2E691B}" = Extensis Suitcase Fusion 2
"{FCADA4FF-142C-42A8-B73C-0A54A7F83345}" = Genuine Fractals 6.0.2 Professional Edition
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FD296F77-5EA5-47B5-A99B-8B25F7212213}" = Paragon Partition Manager 8.5 Server Edition
"{FFD9383C-01D5-4897-A954-43AF599AED30}" = tools-windows
"3D Topicscape Personal Edition Pro_is1" = 3D Topicscape Personal Edition
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (03/08/2007 2.2.1.0)
"7-Zip" = 7-Zip 4.57
"AC3Filter_is1" = AC3Filter 1.63b
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_55230b0b70661df0f212e88f0b655f7" = Adobe Creative Suite 4 Design Premium
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"AdobeFlashFiles" = Adobe Flash Player
"AI RoboForm" = AI RoboForm (All Users)
"AsfTools 3.1" = AsfTools 3.1 (remove only)
"Audacity_is1" = Audacity 1.2.6
"AudioCS" = Creative-Audiokonsole
"B991B020-2968-11D8-AF23-444553540000_is1" = FreeMind
"Babylon" = Babylon
"Bass Audio Decoder" = Bass Audio Decoder (remove only)
"Biet-O-Matic v2.6.2" = Biet-O-Matic v2.6.2
"Brain Workshop_is1" = Brain Workshop 4.4
"CCleaner" = CCleaner
"CD Audio Reader Filter" = CD Audio Reader Filter (remove only)
"CHM To PDF PRO_is1" = CHM To PDF Converter PRO
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CoreAVC Professional Edition" = CoreAVC Professional Edition (remove only)
"DC-Bass Source" = DC-Bass Source 1.1.1
"DcUpdater_is1" = DcUpdater 1.26.01
"dictator_is1" = dictator 0.9.6
"Digital Editions" = Adobe Digital Editions
"Digitale Bibliothek 4" = Digitale Bibliothek 4
"DirectVobSub" = DirectVobSub (remove only)
"DjVuLibre+DjView" = DjVuLibre+DjView
"Dornseiff" = Dornseiff
"DScaler 5 Mpeg Decoders_is1" = DScaler 5 Mpeg Decoders
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DXAddon" = DirectX 9.0c Zusatzdateien
"e_is1" = e - v1.0.42b
"EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v4.50
"Exact Audio Copy" = Exact Audio Copy 0.99pb4
"ffdshow_is1" = ffdshow [rev 3124] [2009-11-03]
"Find and Run Robot_is1" = Find+Run Robot 2.86.01
"FLAC" = FLAC 1.2.1b (remove only)
"Flash Decompiler Trillix_is1" = Flash Decompiler Trillix
"foobar2000" = foobar2000 v1.0.3
"Gabest MPEG Splitter" = Gabest MPEG Splitter (remove only)
"GHC_is1" = GHC 6.8.2
"GnuCash_is1" = GnuCash 2.2.9
"Google Updater" = Google Updater
"GTK 2.0" = GTK+ Runtime 2.12.1 rev b (remove only)
"HaaliMkx" = Haali Media Splitter
"HandyFind_is1" = HandyFind 2.0.10
"HD Tune Pro_is1" = HD Tune Pro 3.50
"HijackThis" = HijackThis 1.99.1
"HyperSnap 6" = HyperSnap 6
"ie8" = Windows Internet Explorer 8
"Image Grabber II" = Image Grabber II
"InstallShield_{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"InstallWIX_{943B6738-4801-4982-90EC-0442EF7AEB16}" = Kaspersky Anti-Virus 2010
"IntelliJ IDEA 9.0.1" = IntelliJ IDEA 9.0.1
"jv16 PowerTools 2008_is1" = jv16 PowerTools 2008
"KeyTweak" = KeyTweak - Keyboard Remapper (remove only)
"Kindlers neues Literaturlexikon" = Kindlers neues Literaturlexikon
"LightZone 3.5" = LightZone 3.5
"Live 8.0.4" = Live 8.0.4
"MainType2_is1" = MainType 2.1.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaMonkey_is1" = MediaMonkey 3.2
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual C++ 2008 Express Edition with SP1 - DEU" = Microsoft Visual C++ 2008 Express Edition mit SP1 - DEU
"Microsoft Visual C++ 2008 Express Edition with SP1 - ENU" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"Minefield (3.7a1pre)" = Minefield (3.7a1pre)
"Miro" = Miro
"MKVtoolnix" = MKVtoolnix 2.2.0
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MusicBrainz Picard" = MusicBrainz Picard 0.10
"MusicIP Mixer_is1" = MusicIP Mixer 1.8.1
"nbi-nb-base-6.8.0.0.0" = NetBeans IDE 6.8
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"OpenSource Flash Video Splitter" = OpenSource Flash Video Splitter (remove only)
"Orbit_is1" = Orbit Downloader
"PersonalBrain 4.0.3.1" = PersonalBrain 4.0.3.1
"PLT" = PLT Scheme v4.0.1
"PowerGREP 3" = JGsoft PowerGREP 3 v.3.4.2
"PowerISO" = PowerISO
"PowerShell" = Windows PowerShell™ 1.0
"PRE-XP-SP3" = Sereby's Updatepack Version 1.8.1
"pyHook-py2.5" = Python 2.5 pyHook-1.5.1
"pywin32-py2.5" = Python 2.5 pywin32-212
"qt7lite_is1" = QT Lite 3.2.2
"RealAlt_is1" = Real Alternative 1.9.0 Lite
"RegexBuddy 3" = JGsoft RegexBuddy 3 v.3.1.0
"Replay Media Catcher 3.11" = Replay Media Catcher 3.11
"RouterControl" = RouterControl 1.90
"Ruby-186-25" = Ruby-186-25
"Runtimes" = Allgemeine Runtime Dateien
"Sandboxie" = Sandboxie 3.442
"SHOUTcast Source" = SHOUTcast Source (remove only)
"Snapshot" = Snapshot (remove only)
"Spotify" = Spotify
"StarDict" = StarDict (remove only)
"SuperMemo" = SuperMemo
"SyncBackPro_is1" = SyncBackPro
"SyncBackSE_is1" = SyncBackSE
"Take It Easy" = Take It Easy
"The Regex Coach_is1" = The Regex Coach 0.9.1
"The Rosetta Stone" = The Rosetta Stone
"Tweak UI 2.10" = Tweak UI
"Unlocker" = Unlocker 1.8.7
"uTorrent" = µTorrent
"VisiPics_is1" = VisiPics V1.30
"VLC media player" = VLC media player 1.0.5
"VMware_Workstation" = VMware Workstation
"Vuze" = Vuze
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Presentation Foundation Language Pack (DEU)" = Windows Presentation Foundation Language Pack (DEU)
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPcapInst" = WinPcap 4.1.1
"WinPowerPro" = PowerPro 4.8 (remove only)
"WinRAR archiver" = WinRAR
"WinSnap" = WinSnap
"XanaduSpace" = XanaduSpace
"xchat" = XChat 2 (remove only)
"XnView_is1" = XnView 1.97
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0
"Zattoo" = Zattoo 3.3.4 Beta
"ZoomPlayer" = Zoom Player (remove only)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1606980848-1960408961-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Adobe Digital Editions" = Adobe Digital Editions
"Advanced PDF Password Recovery" = Advanced PDF Password Recovery
"BezierAnim3D" = BezierAnim3D
"Competition Arena" = Competition Arena
"GIVE 3D Client" = GIVE 3D Client
"Google Chrome" = Google Chrome
"Icon Book" = Icon Book
"Irssi" = Irssi Console IRC Client 0.8.12
"JCanyon" = JCanyon
"JxBrowserDemo" = JxBrowserDemo
"Lattice Effect" = Lattice Effect
"LWJGL Demo [examples.spaceinvaders.Game]" = LWJGL Demo [examples.spaceinvaders.Game]
"LWJGL Demo [test.input.MouseCreationTest]" = LWJGL Demo [test.input.MouseCreationTest]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Octoshape Streaming Services" = Octoshape Streaming Services
"Prototyp!" = Prototyp!
"Qt Jambi Demo" = Qt Jambi Demo
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8.5.2010 14:37:54 | Computer Name = MIT | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung test_inputbox.exe, Version 0.0.0.0, fehlgeschlagenes
Modul test_inputbox.exe, Version 0.0.0.0, Fehleradresse 0x0000106f.

Error - 8.5.2010 15:18:39 | Computer Name = MIT | Source = VSS | ID = 12289
Description = Volumeschattenkopie-Dienstfehler: Unerwarteter Fehler "CreateFileW(\\?\Volume{fd709597-67d8-11dd-aac4-001d7dd033d6},0xc0000000,0x00000003,...)".
hr = 0x80070020.

Error - 8.5.2010 15:18:39 | Computer Name = MIT | Source = VSS | ID = 12289
Description = Volumeschattenkopie-Dienstfehler: Unerwarteter Fehler "CreateFileW(\\?\Volume{162eafad-44e3-11dd-aaa4-806d6172696f},0xc0000000,0x00000003,...)".
hr = 0x80070020.

Error - 9.5.2010 03:27:30 | Computer Name = MIT | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung dcuppdater.exe, Version 1.0.0.0, fehlgeschlagenes
Modul libcurl.dll, Version 7.19.7.0, Fehleradresse 0x000102d4.

Error - 9.5.2010 15:18:53 | Computer Name = MIT | Source = VSS | ID = 12289
Description = Volumeschattenkopie-Dienstfehler: Unerwarteter Fehler "CreateFileW(\\?\Volume{fd709597-67d8-11dd-aac4-001d7dd033d6},0xc0000000,0x00000003,...)".
hr = 0x80070020.

Error - 9.5.2010 15:18:53 | Computer Name = MIT | Source = VSS | ID = 12289
Description = Volumeschattenkopie-Dienstfehler: Unerwarteter Fehler "CreateFileW(\\?\Volume{162eafad-44e3-11dd-aaa4-806d6172696f},0xc0000000,0x00000003,...)".
hr = 0x80070020.

Error - 10.5.2010 03:40:26 | Computer Name = MIT | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung dcuppdater.exe, Version 1.0.0.0, fehlgeschlagenes
Modul libcurl.dll, Version 7.19.7.0, Fehleradresse 0x000102d4.

Error - 12.5.2010 15:07:44 | Computer Name = MIT | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung dcuppdater.exe, Version 1.0.0.0, fehlgeschlagenes
Modul libcurl.dll, Version 7.19.7.0, Fehleradresse 0x000102d4.

Error - 13.5.2010 09:29:19 | Computer Name = MIT | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung spotify.exe, Version 0.4.3.383, fehlgeschlagenes
Modul gopher.dll, Version 3.1.6.9, Fehleradresse 0x000017de.

Error - 13.5.2010 11:48:11 | Computer Name = MIT | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung firefox.exe, Version 1.9.2.3743, fehlgeschlagenes
Modul ws2_32.dll, Version 5.1.2600.5512, Fehleradresse 0x00004c29.

[ System Events ]
Error - 15.5.2010 06:31:28 | Computer Name = MIT | Source = Ntfs | ID = 262199
Description = Die Dateisystemstruktur auf dem Datenträger ist beschädigt und unbrauchbar.
Führen
Sie chkdsk auf Volume "Z:" aus.

Error - 15.5.2010 06:31:28 | Computer Name = MIT | Source = Ntfs | ID = 262199
Description = Die Dateisystemstruktur auf dem Datenträger ist beschädigt und unbrauchbar.
Führen
Sie chkdsk auf Volume "Z:" aus.

Error - 15.5.2010 06:32:20 | Computer Name = MIT | Source = Service Control Manager | ID = 7000
Description = Der Dienst "VMware VMparport" wurde aufgrund folgenden Fehlers nicht
gestartet:   %%20

Error - 15.5.2010 06:32:20 | Computer Name = MIT | Source = Service Control Manager | ID = 7000
Description = Der Dienst "AST Service" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2

Error - 15.5.2010 06:32:20 | Computer Name = MIT | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Bonjour Service" wurde aufgrund folgenden Fehlers nicht
gestartet:   %%2

Error - 15.5.2010 06:32:20 | Computer Name = MIT | Source = Service Control Manager | ID = 7009
Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst VMware
USB Arbitration Service.

Error - 15.5.2010 06:32:20 | Computer Name = MIT | Source = Service Control Manager | ID = 7000
Description = Der Dienst "VMware USB Arbitration Service" wurde aufgrund folgenden
Fehlers nicht gestartet:   %%1053

Error - 15.5.2010 06:35:26 | Computer Name = MIT | Source = BROWSER | ID = 8032
Description = Das Einlesen der Sicherungsliste durch den Suchdienst schlug auf Transport
"\Device\NetBT_Tcpip_{DEECFAB6-361B-4AE7-A3B5-6EB19C668F00}" zu oft fehl.  Der Sicherungssuchdienst
wird beendet.

Error - 15.5.2010 10:21:36 | Computer Name = MIT | Source = MRxSmb | ID = 8003
Description = Der Hauptsuchdienst erhielt eine Serverankündigung vom Computer "MARTIN",
der
der Hauptsuchdienst der Domäne für den NetBT_Tcpip_{DEECFAB6-361B-4AE7-A3-Transport
zu sein scheint.  Der Hauptsuchdienst wurde beendet oder es wird eine Auswahl erzwungen.

Error - 15.5.2010 11:37:10 | Computer Name = MIT | Source = Service Control Manager | ID = 7000
Description = Der Dienst "SASENUM" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2


< End of report >

Edited by katharina, 16 May 2010 - 05:07 AM.



#2 m0le (Malware Response Team, London, UK)

Posted 16 May 2010 - 06:54 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 katharina (Topic Starter, Berlin)

Posted 17 May 2010 - 01:13 AM

Hi m0le,
thanks for taking my case! I'm standing by.

Edited by katharina, 17 May 2010 - 07:58 AM.


#4 m0le (Malware Response Team, London, UK)

Posted 17 May 2010 - 07:13 PM

Do you know anything about this entry?
CODE
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\sdpsenv.dat:naughtypirates


Let's run OTL again but slightly differently.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

CODE
:OTL
O4 - HKLM..\Run: []  File not found
O4 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004..\Run: [AdobeBridge]  File not found
O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix]  File not found
O4 - HKU\S-1-5-18..\RunOnce: [ShowDeskFix]  File not found
O4 - HKU\S-1-5-20..\RunOnce: [ShowDeskFix]  File not found

:Files
C:\WINDOWS\System32\drivers\vvrzyqd.sys
D:\arbeitsdaten\anwendungsdaten\qvjsge.dat

:Services
vvrzyqd

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top.

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log".
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
m0le is a proud member of UNITE

#5 katharina (Topic Starter, Berlin)

Posted 18 May 2010 - 12:19 AM

QUOTE
Do you know anything about this entry?

That was the first thing I googled after checking the logs. Unfortunately, I have no idea.

A footnote that might explain some obscure entries in my logs: I have mapped 'AppData' to 'D:\arbeitsdaten\anwendungsdaten' and 'Local AppData' to 'D:\arbeitsdaten\anwendungsdaten_lokal'.

OTL logfile created on: 18.5.2010 06:53:37 - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = D:\tmp\adhoc\5.15
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: d.M.yyyy

3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 79,00% Memory free
6,00 Gb Paging File | 6,00 Gb Available in Paging File | 93,00% Paging File free
Paging file location(s): Z:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 24,41 Gb Total Space | 1,36 Gb Free Space | 5,56% Space Free | Partition Type: NTFS
Drive D: | 441,35 Gb Total Space | 33,01 Gb Free Space | 7,48% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 40,09 Gb Total Space | 25,77 Gb Free Space | 64,28% Space Free | Partition Type: NTFS
Drive N: | 385,66 Gb Total Space | 1,98 Gb Free Space | 0,51% Space Free | Partition Type: NTFS
Drive P: | 954,05 Mb Total Space | 949,78 Mb Free Space | 99,55% Space Free | Partition Type: FAT
Drive Y: | 35,00 Gb Total Space | 4,33 Gb Free Space | 12,36% Space Free | Partition Type: NTFS
Drive Z: | 5,00 Gb Total Space | 1,72 Gb Free Space | 34,31% Space Free | Partition Type: NTFS

Computer Name: MIT
Current User Name: katha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.05.15 19:27:22 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\tmp\adhoc\5.15\OTL.exe
PRC - [2010.03.18 23:00:04 | 000,136,176 | ---- | M] (Google Inc.) -- D:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2010.03.18 12:38:04 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Programme\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2010.03.17 09:07:24 | 007,312,840 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopus.exe
PRC - [2010.03.17 08:49:04 | 000,271,840 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopusrt.exe
PRC - [2010.01.22 22:13:24 | 000,395,824 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
PRC - [2010.01.22 22:13:02 | 000,334,384 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe
PRC - [2009.11.24 18:21:10 | 000,760,320 | ---- | M] () -- D:\programme\everything\Everything-1.2.1.451a.exe
PRC - [2009.10.20 20:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) -- C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
PRC - [2009.01.12 08:15:52 | 000,071,096 | ---- | M] () -- C:\WINDOWS\system32\NMSAccessU.exe
PRC - [2008.07.17 12:59:06 | 000,033,792 | ---- | M] (ww) -- d:\scripts\PowerPro\PProtray.exe
PRC - [2008.04.14 04:22:45 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008.03.07 19:24:18 | 000,417,792 | ---- | M] (Creative Technology Ltd) -- C:\Programme\Creative\Shared Files\CTAudSvc.exe


========== Modules (SafeList) ==========

MOD - [2010.05.15 19:27:22 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\tmp\adhoc\5.15\OTL.exe
MOD - [2010.03.17 09:13:10 | 000,311,232 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopushlp.dll
MOD - [2008.07.17 12:59:06 | 000,027,648 | ---- | M] () -- d:\scripts\PowerPro\PProtray.Dll
MOD - [2008.04.14 04:21:06 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Bonjour Service)
SRV - File not found [Auto | Stopped] -- -- (astcc)
SRV - [2010.04.17 12:56:06 | 000,073,960 | ---- | M] (tzuk) [Auto | Stopped] -- C:\Programme\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2010.03.29 21:53:57 | 002,480,048 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010.01.22 22:13:24 | 000,395,824 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2010.01.22 22:13:02 | 000,334,384 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2010.01.22 22:12:46 | 000,113,200 | ---- | M] (VMware, Inc.) [Auto | Stopped] -- C:\Programme\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService)
SRV - [2010.01.22 21:00:48 | 000,563,760 | ---- | M] (VMware, Inc.) [Auto | Stopped] -- C:\Programme\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2009.11.12 05:42:50 | 000,661,072 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2009.10.20 20:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) [On_Demand | Running] -- C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe -- (AVP)
SRV - [2009.10.20 20:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Programme\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009.10.12 14:32:24 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Programme\VMware\VMware Workstation\vmware-ufad.exe -- (ufad-ws60)
SRV - [2009.01.23 10:12:51 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.01.12 08:15:52 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\NMSAccessU.exe -- (NMSAccess)
SRV - [2008.05.22 00:43:36 | 000,307,968 | ---- | M] (TuneUp Software GmbH) [Disabled | Stopped] -- C:\WINDOWS\system32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2008.03.07 19:24:18 | 000,417,792 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Programme\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008.02.27 13:15:14 | 000,028,416 | ---- | M] (TuneUp Software GmbH) [Disabled | Stopped] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2007.12.14 11:46:28 | 000,047,624 | ---- | M] () [On_Demand | Stopped] -- C:\Programme\GIGABYTE\GEST\GSvr.exe -- (GEST Service)
SRV - [2003.07.28 13:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010.05.14 23:41:34 | 000,755,200 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\vvrzyqd.sys -- (vvrzyqd)
DRV - [2010.05.14 21:09:36 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\arbeitsdaten\win_ordner\wintemp\SAS_SelfExtract\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010.05.14 21:09:36 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\arbeitsdaten\win_ordner\wintemp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2010.04.17 12:56:02 | 000,115,944 | ---- | M] (tzuk) [Kernel | On_Demand | Stopped] -- C:\Programme\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV - [2010.03.29 21:53:57 | 000,160,288 | ---- | M] (Acronis) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\afcdp.sys -- (afcdp)
DRV - [2010.03.29 21:53:54 | 000,911,680 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm258.sys -- (tdrpman258) Acronis Try&Decide and Restore Points filter (build 258)
DRV - [2010.03.29 21:53:53 | 000,581,984 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2010.03.29 21:53:47 | 000,158,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010.01.22 22:14:20 | 000,032,688 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2010.01.22 22:14:16 | 000,026,288 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2010.01.22 22:14:14 | 000,023,216 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2010.01.22 22:14:12 | 000,854,192 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2010.01.22 22:14:12 | 000,070,704 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2010.01.22 22:13:04 | 000,014,896 | ---- | M] (VMware, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport)
DRV - [2010.01.22 21:00:42 | 000,032,304 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2010.01.22 17:13:00 | 000,016,560 | R--- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2009.12.17 19:52:19 | 000,073,312 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2009.11.30 13:27:36 | 000,123,280 | ---- | M] (Sun Microsystems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxDrv.sys -- (VBoxDrv)
DRV - [2009.11.21 04:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009.10.20 20:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009.10.12 14:31:52 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Stopped] -- C:\Programme\VMware\VMware Workstation\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2009.10.02 13:40:50 | 000,432,664 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2009.09.01 15:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2009.07.06 13:21:14 | 000,217,664 | ---- | M] (TrueCrypt Foundation) [Kernel | Disabled | Running] -- P:\crypt\TrueCrypt\truecrypt.sys -- (truecrypt)
DRV - [2009.05.29 20:13:38 | 000,031,952 | ---- | M] (Sun Microsystems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VBoxUSB.sys -- (VBoxUSB)
DRV - [2009.01.23 10:49:08 | 000,037,664 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2008.11.02 10:44:10 | 000,056,572 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008.04.13 20:41:23 | 000,020,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ramdisk.sys -- (Ramdisk)
DRV - [2008.04.13 20:20:12 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2008.04.13 18:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008.04.07 09:19:52 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2008.02.25 09:44:38 | 001,172,504 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2008.02.25 09:44:22 | 000,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2008.02.25 09:44:08 | 000,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2008.02.25 09:44:00 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2008.02.25 09:43:56 | 000,127,000 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2008.02.25 09:43:30 | 000,346,856 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2008.02.25 09:43:24 | 000,524,312 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2008.02.25 09:43:16 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2008.02.25 09:41:50 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2008.02.25 09:41:44 | 000,170,520 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2008.02.25 09:41:36 | 001,323,544 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2008.02.25 09:41:28 | 000,329,240 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2008.02.25 09:41:18 | 000,134,680 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2008.02.25 09:41:14 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2008.02.25 09:41:10 | 000,286,232 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2008.02.25 09:41:06 | 000,174,104 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2008.02.25 09:41:02 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2008.02.25 09:40:56 | 000,551,960 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2008.02.25 09:40:52 | 000,098,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2008.01.30 22:59:07 | 000,069,168 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\si3112.sys -- (Si3112)
DRV - [2008.01.30 22:53:55 | 000,009,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\dumpdrv.sys -- (DumpDrv)
DRV - [2008.01.30 22:53:52 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aspi32.sys -- (Aspi32)
DRV - [2008.01.03 22:10:16 | 000,105,856 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007.11.02 11:09:58 | 000,039,472 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\hotcore3.sys -- (hotcore3)
DRV - [2007.10.11 11:10:52 | 000,030,008 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ET5Drv.sys -- (ET5Drv)
DRV - [2007.07.23 10:56:58 | 000,042,624 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Alpham1.sys -- (Alpham1)
DRV - [2007.03.20 12:49:52 | 000,018,432 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Alpham2.sys -- (Alpham2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 80.67.172.70:8118

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Programme\Siber Systems\AI RoboForm\Firefox [2008.04.02 12:52:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Minefield 3.7a1pre\extensions\\Components: C:\Programme\Minefield\components [2009.09.28 19:26:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Minefield 3.7a1pre\extensions\\Plugins: C:\Programme\Minefield\plugins [2010.04.14 08:55:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Components: C:\Programme\ff3test\components
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Plugins: C:\Programme\ff3test\plugins
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.05.15 18:26:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.05.15 18:26:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Programme\Mozilla Thunderbird\components [2010.05.01 21:35:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Programme\Mozilla Thunderbird\plugins [2010.05.01 21:35:23 | 000,000,000 | ---D | M]

[2010.05.15 18:31:25 | 000,000,000 | ---D | M] -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Extensions
[2010.05.15 18:26:51 | 000,000,000 | ---D | M] -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\extensions
[2010.05.15 18:26:51 | 000,000,000 | ---D | M] (No name found) -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.05.15 18:26:51 | 000,000,000 | ---D | M] -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\extensions\staged-xpis
[2010.05.15 18:31:26 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.04.01 18:54:38 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.04.01 18:54:38 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.04.01 18:54:38 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.04.01 18:54:38 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.04.01 18:54:38 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009.11.06 21:01:39 | 000,001,504 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll File not found
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll File not found
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programme\Orbitdownloader\GrabPro.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Programme\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programme\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [Directory Opus Desktop Dblclk] C:\Programme\GPSoftware\Directory Opus\dopusrt.exe (GP Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF 03 [binary data]
O8 - Extra context menu item: &Download by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: RF - Formular ausfüllen - C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RF - Formular speichern - C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: Translate with &Babylon - C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9 - Extra Button: Ausfüllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : RF - Formular ausfüllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : RF - Formular speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RF - RoboForm-Leiste ein/aus - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Programme\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Programme\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O18 - Protocol\Handler\hddlife {BD758015-47D9-477A-8873-4B688A2BC0E2} - C:\Programme\Gemeinsame Dateien\BinarySense\hlAPP.dll (BinarySense, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (d:\scripts\PowerPro\Pprotray.exe) - d:\scripts\PowerPro\PProtray.exe (ww)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O28 - HKLM ShellExecuteHooks: {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Programme\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008.04.01 17:17:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{16864dc6-b3d5-11de-baa1-001d7dd033d6}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found
O33 - MountPoints2\{2e8fb90e-9f57-11dd-ba53-001d7dd033d6}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.05.16 14:52:53 | 000,000,000 | ---D | C] -- C:\gmer
[2010.05.16 11:54:49 | 000,000,000 | ---D | C] -- C:\downloads
[2010.05.15 18:29:05 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\win_ordner\desktop\Neuer Ordner
[2010.05.15 18:24:40 | 008,188,856 | ---- | C] (Mozilla) -- D:\arbeitsdaten\win_ordner\desktop\Firefox Setup 3.6.3.exe
[2010.05.15 17:37:08 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\anwendungsdaten\SUPERAntiSpyware.com
[2010.05.15 17:37:08 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
[2010.05.15 12:32:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010.05.15 12:20:02 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\katha\Recent
[2010.05.15 12:02:55 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\win_ordner\desktop\GooredFix Backups
[2010.05.14 23:33:26 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\anwendungsdaten\Malwarebytes
[2010.05.14 23:33:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.05.14 23:33:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.05.14 23:33:00 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.05.14 23:33:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.05.09 22:02:30 | 000,000,000 | ---D | C] -- C:\Programme\WinPcap
[2010.05.01 21:33:14 | 000,180,224 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QTCF.dll
[2008.02.20 20:59:14 | 000,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.05.18 00:17:06 | 000,055,468 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000001-00001102-00000005-00211102}.rfx
[2010.05.18 00:17:06 | 000,055,468 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000001-00001102-00000005-00211102}.rfx
[2010.05.18 00:17:06 | 000,000,788 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000001-00001102-00000005-00211102}.rfx
[2010.05.18 00:05:00 | 000,001,148 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004UA.job
[2010.05.17 23:43:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.05.17 22:05:00 | 000,001,096 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004Core.job
[2010.05.17 14:59:10 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010.05.17 11:43:00 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.05.16 23:14:37 | 000,000,604 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Orbit.lnk
[2010.05.16 23:04:40 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2010.05.16 23:04:40 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
[2010.05.16 21:03:32 | 000,042,400 | ---- | M] () -- C:\ark_c_.zip
[2010.05.16 11:32:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.05.16 11:31:20 | 000,237,662 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010.05.16 11:31:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.05.16 11:31:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.05.16 11:31:01 | 3488,067,584 | -HS- | M] () -- C:\hiberfil.sys
[2010.05.16 09:45:10 | 000,002,760 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2010.05.16 09:21:29 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\SyncBackSE Supermemo-Backup lokal.job
[2010.05.16 00:00:20 | 007,864,320 | ---- | M] () -- C:\Dokumente und Einstellungen\katha\ntuser.dat
[2010.05.16 00:00:20 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\katha\ntuser.ini
[2010.05.15 18:26:21 | 008,188,856 | ---- | M] (Mozilla) -- D:\arbeitsdaten\win_ordner\desktop\Firefox Setup 3.6.3.exe
[2010.05.15 13:55:59 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.05.14 23:41:34 | 000,755,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\vvrzyqd.sys
[2010.05.14 23:04:03 | 000,002,221 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Growl.lnk
[2010.05.14 22:56:22 | 000,000,016 | ---- | M] () -- D:\arbeitsdaten\anwendungsdaten\qvjsge.dat
[2010.05.11 16:48:47 | 000,001,710 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Directory Opus.lnk
[2010.05.09 22:02:31 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\-1
[2010.05.09 21:53:43 | 000,000,746 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Sandboxed Web Browser.lnk
[2010.05.08 11:37:37 | 001,077,540 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.05.08 11:37:37 | 000,461,490 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.05.08 11:37:37 | 000,443,504 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.05.08 11:37:37 | 000,085,920 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.05.08 11:37:37 | 000,072,348 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.05.08 11:34:07 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010.05.08 11:34:07 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010.05.04 15:32:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.05.02 17:08:15 | 000,000,431 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\210_marine_girls_-_honey.mp3
[2010.05.01 16:06:13 | 000,000,426 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Verknüpfung mit neo layout.lnk
[2010.04.30 14:00:57 | 004,955,435 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\beat_happening-indian_summer.mp3
[2010.04.30 08:23:52 | 000,001,554 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\myKaruga shooter!.lnk
[2010.04.29 23:15:01 | 000,001,554 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Prototyp!.lnk
[2010.04.29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.04.29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.04.22 20:29:33 | 000,499,400 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.04.22 19:08:28 | 000,018,432 | ---- | M] () -- D:\arbeitsdaten\anwendungsdaten_lokal\GDIPFONTCACHEV1.DAT
[2010.04.21 08:45:37 | 000,001,887 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Earth.lnk
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.05.16 23:14:37 | 000,000,604 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Orbit.lnk
[2010.05.16 21:03:30 | 000,042,400 | ---- | C] () -- C:\ark_c_.zip
[2010.05.16 00:01:13 | 3488,067,584 | -HS- | C] () -- C:\hiberfil.sys
[2010.05.15 13:55:59 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.05.14 22:56:34 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\drivers\vvrzyqd.sys
[2010.05.14 22:56:22 | 000,000,016 | ---- | C] () -- D:\arbeitsdaten\anwendungsdaten\qvjsge.dat
[2010.05.11 16:48:47 | 000,001,710 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Directory Opus.lnk
[2010.05.09 22:02:30 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\-1
[2010.05.09 21:54:07 | 000,000,746 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Sandboxed Web Browser.lnk
[2010.05.02 17:08:14 | 000,000,431 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\210_marine_girls_-_honey.mp3
[2010.05.01 16:06:13 | 000,000,426 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Verknüpfung mit neo layout.lnk
[2010.04.30 14:00:34 | 004,955,435 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\beat_happening-indian_summer.mp3
[2010.04.30 08:23:52 | 000,001,554 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\myKaruga shooter!.lnk
[2010.04.29 23:15:01 | 000,001,554 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Prototyp!.lnk
[2010.04.21 08:45:37 | 000,001,887 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Earth.lnk
[2010.03.30 12:17:59 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\SyncBackPro.dll
[2009.11.09 23:54:03 | 000,002,760 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2009.10.20 20:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009.10.15 13:25:17 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009.05.09 14:05:58 | 000,339,968 | ---- | C] () -- C:\WINDOWS\System32\pythoncom25.dll
[2009.05.09 14:05:58 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\pywintypes25.dll
[2009.03.27 04:00:14 | 000,499,712 | R--- | C] () -- C:\WINDOWS\System32\XmlSpyLib.dll
[2008.11.15 02:46:00 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2008.07.24 10:40:51 | 000,000,125 | ---- | C] () -- C:\WINDOWS\fd3.INI
[2008.07.16 15:55:02 | 000,002,005 | ---- | C] () -- C:\WINDOWS\APDFPRP.INI
[2008.05.19 17:28:01 | 000,000,023 | -HS- | C] () -- C:\WINDOWS\System32\faaacbeaf7_z.dll
[2008.05.19 11:47:16 | 000,001,131 | ---- | C] () -- C:\WINDOWS\CDPlayer.ini
[2008.04.30 09:33:43 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008.04.19 11:34:31 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.04.18 08:22:16 | 004,244,744 | ---- | C] () -- C:\WINDOWS\System32\qtp-mt334.dll
[2008.04.18 08:22:16 | 000,247,560 | ---- | C] () -- C:\WINDOWS\System32\prgiso.dll
[2008.04.05 12:38:54 | 000,000,152 | ---- | C] () -- C:\WINDOWS\CoolPlay.ini
[2008.04.02 09:30:10 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008.04.02 09:30:09 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008.04.02 09:23:40 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008.04.01 21:29:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIGER.DLL
[2008.04.01 20:29:04 | 000,000,154 | ---- | C] () -- C:\WINDOWS\usdthank.ini
[2008.04.01 20:29:03 | 000,000,031 | ---- | C] () -- C:\WINDOWS\idc.ini
[2008.04.01 17:21:59 | 000,394,752 | ---- | C] () -- C:\WINDOWS\System32\cygwinb19.dll
[2008.02.25 14:55:32 | 000,101,603 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008.02.20 21:24:36 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008.02.20 21:00:12 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2008.01.30 22:54:00 | 001,800,192 | ---- | C] () -- C:\WINDOWS\System32\hmtcdres.dll
[2008.01.30 22:53:58 | 000,394,240 | ---- | C] () -- C:\WINDOWS\System32\hmtcd.dll
[2007.12.05 01:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007.08.13 20:45:02 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2006.10.02 17:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[1998.03.14 06:22:21 | 000,002,880 | --S- | C] () -- C:\WINDOWS\System32\argtmp39.dll

========== Custom Scans ==========


< :OTL >

< O4 - HKLM..\Run: [] File not found >

< O4 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004..\Run: [AdobeBridge] File not found >

< O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix] File not found >

< O4 - HKU\S-1-5-18..\RunOnce: [ShowDeskFix] File not found >

< O4 - HKU\S-1-5-20..\RunOnce: [ShowDeskFix] File not found >

< >

< :Files >

< C:\WINDOWS\System32\drivers\vvrzyqd.sys >
[2010.05.14 23:41:34 | 000,755,200 | ---- | M] () -- C:\WINDOWS\system32\drivers\vvrzyqd.sys

< D:\arbeitsdaten\anwendungsdaten\qvjsge.dat >
[2010.05.14 22:56:22 | 000,000,016 | ---- | M] () -- D:\arbeitsdaten\anwendungsdaten\qvjsge.dat

< >

< :Services >

< vvrzyqd >

< >

< :reg >

< [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command] >

< ""=""%1" %*" >

========== Alternate Data Streams ==========

@Alternate Data Stream - 2960 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\sdpsenv.dat:naughtypirates
< End of report >

Edited by katharina, 18 May 2010 - 12:23 AM.
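The OTL log above (and the ComboFix log posted later in this thread) carries the indicators a responder scans for first: a driver in System32\drivers with no company name and a generated-looking file name (vvrzyqd.sys), a similar data file (qvjsge.dat), an alternate data stream hanging off sdpsenv.dat, an S0 boot-start service whose name, description and file name are the same random string, and Security Center / firewall values switched off. As an added example that is not part of the original post and not code from OTL or ComboFix, here is a small Python triage script that applies those checks to log lines. The rules (the random-name heuristic, the list of weakening registry values, the extensions considered) are assumptions made for this illustration; the sample lines are excerpted from the thread's logs, except the exefile line naming hijack_example.exe, which is constructed to exercise the hijack check.

```python
"""Triage helper for OTL / ComboFix log lines.

Added example for this thread, not part of the original post and not code
from the OTL or ComboFix tools. It scans log text for the indicators a
malware responder checks first. The rules are heuristics written for this
illustration; a hit is a lead to verify (hash, signature, vendor), not a
verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str     # which heuristic fired
    detail: str   # the path, value or name that triggered it
    line: str     # the original log line


# OTL file entry:  [date time | size | attrs | C/M] (Company) -- path
OTL_FILE = re.compile(
    r"^\[[\d.]+ [\d:]+ \| [\d,]+ \| [A-Z-]{4} \| [CM]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$")
# ComboFix service entry:  S0 name;description;path [date size]
CF_SERVICE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>[^\[]+)")
# OTL alternate data stream entry
OTL_ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")
# OTL O35 entry for the exefile/comfile shell\open\command
OTL_SHELLCMD = re.compile(r"^O35 - HKLM\\\.\.(?P<cls>\w+) \[open\] -- (?P<cmd>.+)$")
DEFAULT_OPEN_CMD = '"%1" %*'   # stock value; anything else interposes a binary on every .exe launch

# Registry values, as OTL/ComboFix print them, that weaken the host's own defences
WEAKENED = [
    (re.compile(r"EnableLUA = 0$"), "EnableLUA=0 (UAC policy; matters on Vista and later)"),
    (re.compile(r'"AntiVirusOverride"=dword:00000001'), "Security Center AV alerts suppressed"),
    (re.compile(r'"FirewallOverride"=dword:00000001'), "Security Center firewall alerts suppressed"),
    (re.compile(r'"DisableMonitoring"=dword:00000001'), "Security Center AV monitoring disabled"),
    (re.compile(r'"EnableFirewall"= 0 \(0x0\)'), "Windows Firewall disabled"),
]
RANDOM_EXTS = (".sys", ".dll", ".exe", ".dat")   # assumption: where droppers usually land


def looks_random(stem: str) -> bool:
    """Heuristic for generated names: 5-8 lowercase letters with at most one vowel."""
    return re.fullmatch(r"[a-z]{5,8}", stem) is not None and sum(c in "aeiou" for c in stem) <= 1


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a rule, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OTL_FILE.match(line):
            path = m.group("path")
            name = path.rsplit("\\", 1)[-1]
            stem, dot, ext = name.rpartition(".")
            if (not m.group("company").strip() and dot
                    and ("." + ext).lower() in RANDOM_EXTS and looks_random(stem)):
                findings.append(Finding("random-named file without company name", path, line))
        elif m := CF_SERVICE.match(line):
            name = m.group("name")
            # boot-start (R0/S0) driver whose name == description and looks generated
            if m.group("start") in ("R0", "S0") and name == m.group("desc") and looks_random(name):
                findings.append(Finding("boot-start driver with random name", name, line))
        elif m := OTL_ADS.match(line):
            findings.append(Finding("alternate data stream", m.group("target"), line))
        elif m := OTL_SHELLCMD.match(line):
            if m.group("cmd") != DEFAULT_OPEN_CMD:
                findings.append(Finding(f"{m.group('cls')} open command hijacked", m.group("cmd"), line))
        else:
            for pattern, label in WEAKENED:
                if pattern.search(line):
                    findings.append(Finding("defence switched off", label, line))
                    break
    return findings


# Sample input: lines excerpted from the OTL and ComboFix logs in this thread, plus one
# constructed exefile line (hijack_example.exe is hypothetical) to exercise the hijack check.
SAMPLE_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\WINDOWS\system32\hijack_example.exe" "%1" %*
[2010.05.14 23:41:34 | 000,755,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\vvrzyqd.sys
[2010.05.14 22:56:22 | 000,000,016 | ---- | M] () -- D:\arbeitsdaten\anwendungsdaten\qvjsge.dat
[2010.04.29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.05.16 11:31:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
@Alternate Data Stream - 2960 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\sdpsenv.dat:naughtypirates
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [18.4.2008 08:22 39472]
S0 vvrzyqd;vvrzyqd;c:\windows\system32\drivers\vvrzyqd.sys [14.5.2010 22:56 755200]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:40} {f.detail}")
```

A hit is a lead, not a verdict: hash the file, check its signature and look it up before deleting anything. The random-name heuristic will also catch some legitimate short driver names, so read it together with the company field and the file's age; in the thread's log, vvrzyqd.sys fires on all three counts (no company, generated name, and a same-named S0 service created the day of the infection).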


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:34 AM

Posted 18 May 2010 - 03:24 PM

There's some resistance to our attempts to remove these items.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 katharina

katharina
  • Topic Starter

  • Members
  • 15 posts
  • Location:Berlin
  • Local time:05:34 AM

Posted 18 May 2010 - 04:17 PM

For your convenience, here's an augmented version of the ComboFix log that contains some translations: http://pastie.org/966505.txt
The original log follows:

ComboFix 10-05-17.01 - katha 18.05.2010 22:42:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3326.2646 [GMT 2:00]
Running from: d:\tmp\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\eSellerateEngine.dll
c:\windows\system32\vb40032.dll

.
(((((((((((((((((((((((   Files Created from 2010-04-18 to 2010-05-18   ))))))))))))))))))))))))))))))
.

2010-05-16 19:03 . 2010-05-16 19:03 42400 ----a-w- C:\ark_c_.zip
2010-05-16 12:52 . 2010-05-16 12:53 -------- d-----w- C:\gmer
2010-05-16 09:54 . 2010-05-16 09:54 -------- d-----w- C:\downloads
2010-05-15 15:37 . 2010-05-15 15:37 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\SUPERAntiSpyware.com
2010-05-15 15:37 . 2010-05-15 15:37 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
2010-05-15 11:55 . 2010-05-18 13:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-14 21:33 . 2010-05-14 21:33 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Malwarebytes
2010-05-14 21:33 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 21:33 . 2010-05-14 21:33 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2010-05-14 21:33 . 2010-05-14 21:33 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-05-14 21:33 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 21:05 . 2010-05-14 21:05 -------- d-sh--w- c:\dokumente und einstellungen\NetworkService\IETldCache
2010-05-14 20:56 . 2010-05-14 21:41 755200 ----a-w- c:\windows\system32\drivers\vvrzyqd.sys
2010-05-09 20:02 . 2010-05-09 20:02 -------- d-----w- c:\programme\WinPcap
2010-05-01 19:33 . 2010-03-17 20:53 180224 ----a-w- c:\windows\system32\QTCF.dll

.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 20:35 . 2008-04-02 07:45 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Babylon
2010-05-18 17:45 . 2009-11-06 21:33 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Spotify
2010-05-18 15:33 . 2008-08-21 08:08 -------- d-----w- c:\programme\Zoom Player
2010-05-18 15:04 . 2008-04-01 16:21 -------- d-----w- c:\programme\DcUpdater
2010-05-18 15:04 . 2008-04-02 06:33 -------- d-----w- c:\programme\FindAndRunRobot
2010-05-18 14:10 . 2008-07-31 07:27 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\foobar2000
2010-05-18 13:27 . 2009-07-09 19:00 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\vlc
2010-05-18 12:23 . 2008-04-21 06:08 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google Updater
2010-05-18 04:53 . 2008-04-02 07:45 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Babylon
2010-05-18 04:53 . 2008-04-02 07:51 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Orbit
2010-05-17 08:19 . 2008-04-02 10:06 -------- d-----w- c:\programme\Mozilla Thunderbird
2010-05-16 21:14 . 2008-04-02 07:51 -------- d-----w- c:\programme\Orbitdownloader
2010-05-16 21:05 . 2009-11-06 19:02 -------- d-----w- c:\programme\Replay Media Catcher
2010-05-16 21:04 . 2008-11-15 00:46 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-05-16 21:04 . 2008-11-15 00:46 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-05-16 15:28 . 2010-02-15 19:03 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2010-05-16 09:32 . 2009-12-10 19:31 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\VMware
2010-05-16 09:23 . 2008-04-02 07:15 -------- d-----w- c:\programme\Gemeinsame Dateien\Adobe
2010-05-16 01:16 . 2009-12-10 19:31 -------- d-----w- c:\dokumente und einstellungen\LocalService\Anwendungsdaten\VMware
2010-05-15 16:08 . 2008-04-08 17:24 -------- d-----w- c:\programme\xchat
2010-05-15 10:19 . 2008-08-29 14:22 -------- d-----w- c:\programme\CCleaner
2010-05-15 10:05 . 2008-04-18 08:45 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\uTorrent
2010-05-14 21:00 . 2008-04-18 08:45 -------- d-----w- c:\programme\uTorrent
2010-05-13 19:36 . 2009-12-10 19:52 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\VMware
2010-05-12 11:24 . 2008-04-08 17:24 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\X-Chat 2
2010-05-11 16:37 . 2008-07-31 07:27 -------- d-----w- c:\programme\foobar2000
2010-05-08 09:37 . 2001-08-23 12:00 85920 ----a-w- c:\windows\system32\perfc007.dat
2010-05-08 09:37 . 2001-08-23 12:00 461490 ----a-w- c:\windows\system32\perfh007.dat
2010-05-07 12:49 . 2008-04-10 13:06 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2010-05-07 12:49 . 2009-06-05 16:53 -------- d-----w- c:\programme\Microsoft Visual Studio 9.0
2010-05-02 15:23 . 2009-12-05 10:01 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\uTorrent.public
2010-05-01 19:35 . 2008-04-02 07:32 -------- d-----w- c:\programme\QT Lite
2010-04-24 08:38 . 2008-04-01 22:30 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\XnView
2010-04-22 17:08 . 2008-04-02 07:43 18432 ----a-w- d:\arbeitsdaten\anwendungsdaten_lokal\GDIPFONTCACHEV1.DAT
2010-04-17 12:55 . 2009-10-23 16:15 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\dvdcss
2010-04-08 17:07 . 2009-05-06 18:15 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Rosetta Stone
2010-04-04 12:50 . 2008-04-02 07:42 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\FLEXnet
2010-04-02 06:47 . 2010-02-05 21:18 -------- d-----w- c:\programme\Bonjour
2010-04-02 05:59 . 2010-04-02 05:59 -------- d-----w- c:\programme\JetBrains
2010-03-31 12:26 . 2010-03-31 12:26 -------- d-----w- c:\programme\Common Files
2010-03-31 12:25 . 2010-03-31 12:25 -------- d-----w- c:\programme\VMware
2010-03-30 10:17 . 2008-04-01 20:27 -------- d-----w- c:\programme\2BrightSparks
2010-03-30 10:17 . 2008-04-01 15:21 -------- d-----w- c:\programme\Java
2010-03-29 19:53 . 2010-03-29 19:53 160288 ----a-w- c:\windows\system32\drivers\afcdp.sys
2010-03-29 19:53 . 2010-03-29 19:53 -------- d-----w- c:\programme\Gemeinsame Dateien\Acronis
2010-03-29 19:53 . 2010-03-29 19:53 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-03-29 19:53 . 2010-03-29 19:53 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-03-29 19:53 . 2010-03-29 19:53 158272 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-03-29 19:53 . 2010-03-29 19:53 -------- d-----w- c:\programme\Acronis
2010-03-21 17:58 . 2010-03-21 17:58 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Growl
2010-03-21 11:41 . 2008-04-27 12:57 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\BOM
2010-03-21 07:13 . 2009-11-25 19:58 -------- d-----w- c:\programme\Growl for Windows
2010-03-10 06:15 . 2008-01-30 20:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 10:05 . 2009-02-24 19:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:15 . 2008-01-30 20:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-01-30 20:50 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-16 17:51 . 2008-08-07 06:37 443 ----a-w- c:\programme\Gemeinsame Dateien\fnp_registrations.xml
2009-01-23 08:12 . 2008-08-07 06:37 655624 ----a-w- c:\programme\Gemeinsame Dateien\FNPLicensingService.exe
2008-05-19 15:28 . 2008-05-19 15:28 23 --sha-w- c:\windows\system32\faaacbeaf7_z.dll
.

((((((((((((((((((((((((((((   Registry Autostart Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Directory Opus Desktop Dblclk"="c:\programme\GPSoftware\Directory Opus\dopusrt.exe" [2010-03-17 271840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"IE7"="advpack.dll" [2009-03-08 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\programme\GPSoftware\Directory Opus\dopuslib.dll" [2010-03-17 838104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.Defrag"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=3 (0x3)
"HDDlife HDD Access service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Programme\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Programme\\xchat\\xchat.exe"=
"c:\\Programme\\Spotify\\spotify.exe"=
"c:\\Programme\\Gemeinsame Dateien\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Programme\\gnucash\\bin\\gnucash-bin.exe"=
"c:\\Programme\\gnucash\\bin\\gconfd-2.exe"=
"c:\\Programme\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"c:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"c:\\Programme\\Orbitdownloader\\orbitnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [18.4.2008 08:22 39472]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [29.3.2010 21:53 911680]
R1 SASDIFSV;SASDIFSV;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASDIFSV.SYS --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASKUTIL.sys --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASKUTIL.sys [?]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [6.9.2008 16:35 123280]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20.10.2009 20:19 50704]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22.1.2010 22:14 70704]
S0 vvrzyqd;vvrzyqd;c:\windows\system32\drivers\vvrzyqd.sys [14.5.2010 22:56 755200]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [30.1.2008 22:53 9472]
S2 gupdate1c98d46984b34e4;Google Update Service (gupdate1c98d46984b34e4);c:\programme\Google\Update\GoogleUpdate.exe [12.2.2009 21:17 133104]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\programme\Common Files\VMware\USB\vmware-usbarbitrator.exe [22.1.2010 21:00 563760]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [29.3.2010 21:53 160288]
S3 GEST Service;GEST Service for program management.;c:\programme\GIGABYTE\GEST\GSvr.exe [11.4.2008 12:18 47624]
S3 PORTMON;PORTMON;\??\d:\programme\essentiell\SysinternalsSuite\PORTMSYS.SYS --> d:\programme\essentiell\SysinternalsSuite\PORTMSYS.SYS [?]
S3 Ramdisk;Windows RAM-Laufwerktreiber;c:\windows\system32\drivers\ramdisk.sys [19.4.2000 23:00 20736]
S3 SASENUM;SASENUM;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASENUM.SYS --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASENUM.SYS [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\d:\arbeit~1\WIN_OR~1\wintemp\TCCpuInfo.sys --> d:\arbeit~1\WIN_OR~1\wintemp\TCCpuInfo.sys [?]
S3 usbsnoop;usbsnoop (display);c:\windows\system32\drivers\usbsnoop.sys --> c:\windows\system32\drivers\usbsnoop.sys [?]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [25.6.2009 18:25 31952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4.8.2004 00:58 14336]
S4 afcdpsrv;Acronis Nonstop Backup service;c:\programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe [29.3.2010 21:53 2480048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7.4.2008 09:19 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners

2010-05-18 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-21 10:18]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-02-12 19:17]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-02-12 19:17]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004Core.job
- d:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\GoogleUpdate.exe [2009-02-12 20:01]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004UA.job
- d:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\GoogleUpdate.exe [2009-02-12 20:01]

2010-05-16 c:\windows\Tasks\SyncBackSE Supermemo-Backup lokal.job
- c:\programme\2BrightSparks\SyncBackSE\SyncBackSE.exe [2008-04-01 13:59]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://regalyzer/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 80.67.172.70:8118
IE: &Download by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/204
IE: An vorhandene PDF-Datei anfügen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/202
IE: In Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: RF - Formular ausfüllen - file://c:\programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RF - Formular speichern - file://c:\programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Translate with &Babylon - c:\programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
LSP: c:\programme\VMware\VMware Workstation\vsocklib.dll
TCP: {DEECFAB6-361B-4AE7-A3B5-6EB19C668F00} = 192.168.1.1
Handler: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - c:\programme\Gemeinsame Dateien\BinarySense\hlAPP.dll
FF - ProfilePath - d:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programme\Microsoft Research\HDView for Firefox\nphdview.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten\Mozilla\plugins\npoctoshape.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten_lokal\myVRnpapi\npmyvr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- Dateityp-Verknüpfung -------
.
txtfile="c:\programme\e\e.exe" "%1"
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKCU-Run-AdobeBridge - (no file)
ActiveSetup-{6E4188EE-6F44-4DF5-810D-38DA4A57A747} - c:\dokumente und einstellungen\All Users\Application Data\instedit.com\InstEd\AEremSendto.vbs
AddRemove-HijackThis - c:\program files\HijackThis\HijackThis.exe
AddRemove-NVIDIA Display Control Panel - c:\programme\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Adobe Digital Editions - d:\arbeitsdaten\anwendungsdaten\macromedia\flash player\www.macromedia.com\bin\digitaleditions1x5\digitaleditions1x5.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 22:49
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1960408961-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ed,ec,cd,4b,66,8a,ad,81,a0,a4,a6,2e,2c,71,4a,73,db,35,04,fd,c8,e4,9f,
17,93,cd,eb,4d,d3,c5,ae,11,dc,06,07,ed,b4,1e,b2,06,a0,7c,1e,e8,22,dd,cb,84,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\–€|ÿÿÿÿK•€|é•6~*]
"7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(1184)
c:\programme\Gemeinsame Dateien\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Zeit der Fertigstellung: 2010-05-18 22:52:24
ComboFix-quarantined-files.txt 2010-05-18 20:52

Vor Suchlauf: 1.351.503.872 Bytes frei
Nach Suchlauf: 1.366.855.680 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9742EC956A22688FFFA08DB4F06904E4


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:34 AM

Posted 18 May 2010 - 05:52 PM

QUOTE
For your convenience, here's an augmented version of the Combofix log that contains some translations


Danke


Please rerun Combofix as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\drivers\vvrzyqd.sys

Driver::
vvrzyqd


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please also post a new OTL log so I can see if Combofix has ditched the ADS stream (that's the file naughtypirates, which seems to imply connection to keygens)
m0le is a proud member of UNITE

#9 katharina

katharina
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:Berlin
  • Local time:05:34 AM

Posted 19 May 2010 - 02:22 AM

Combofix log: http://pastie.org/967240.txt

OTL logfile created on: 19.5.2010 09:02:53 - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = D:\tmp\adhoc\5.15
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: d.M.yyyy

3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 84,00% Memory free
6,00 Gb Paging File | 6,00 Gb Available in Paging File | 95,00% Paging File free
Paging file location(s): Z:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 24,41 Gb Total Space | 1,18 Gb Free Space | 4,85% Space Free | Partition Type: NTFS
Drive D: | 441,35 Gb Total Space | 32,94 Gb Free Space | 7,46% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 35,00 Gb Total Space | 4,99 Gb Free Space | 14,25% Space Free | Partition Type: NTFS
Drive Z: | 5,00 Gb Total Space | 1,72 Gb Free Space | 34,31% Space Free | Partition Type: NTFS

Computer Name: MIT
Current User Name: katha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.05.15 19:27:22 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\tmp\adhoc\5.15\OTL.exe
PRC - [2010.04.17 12:56:06 | 000,073,960 | ---- | M] (tzuk) -- C:\Programme\Sandboxie\SbieSvc.exe
PRC - [2010.03.18 12:38:04 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Programme\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2010.03.17 09:07:24 | 007,312,840 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopus.exe
PRC - [2010.03.17 08:49:04 | 000,271,840 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopusrt.exe
PRC - [2010.01.22 22:13:24 | 000,395,824 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
PRC - [2010.01.22 22:13:02 | 000,334,384 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe
PRC - [2010.01.22 22:12:46 | 000,113,200 | ---- | M] (VMware, Inc.) -- C:\Programme\VMware\VMware Workstation\vmware-authd.exe
PRC - [2009.01.12 08:15:52 | 000,071,096 | ---- | M] () -- C:\WINDOWS\system32\NMSAccessU.exe
PRC - [2008.04.14 04:22:45 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008.03.07 19:24:18 | 000,417,792 | ---- | M] (Creative Technology Ltd) -- C:\Programme\Creative\Shared Files\CTAudSvc.exe


========== Modules (SafeList) ==========

MOD - [2010.05.15 19:27:22 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\tmp\adhoc\5.15\OTL.exe
MOD - [2010.03.17 09:13:10 | 000,311,232 | ---- | M] (GP Software) -- C:\Programme\GPSoftware\Directory Opus\dopushlp.dll
MOD - [2008.04.14 04:21:06 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Bonjour Service)
SRV - File not found [Auto | Stopped] -- -- (astcc)
SRV - [2010.04.17 12:56:06 | 000,073,960 | ---- | M] (tzuk) [Auto | Running] -- C:\Programme\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2010.03.29 21:53:57 | 002,480,048 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010.01.22 22:13:24 | 000,395,824 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2010.01.22 22:13:02 | 000,334,384 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2010.01.22 22:12:46 | 000,113,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Programme\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService)
SRV - [2010.01.22 21:00:48 | 000,563,760 | ---- | M] (VMware, Inc.) [Auto | Stopped] -- C:\Programme\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2009.11.12 05:42:50 | 000,661,072 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2009.10.20 20:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) [On_Demand | Stopped] -- C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe -- (AVP)
SRV - [2009.10.20 20:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Programme\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009.10.12 14:32:24 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Programme\VMware\VMware Workstation\vmware-ufad.exe -- (ufad-ws60)
SRV - [2009.01.23 10:12:51 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.01.12 08:15:52 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\NMSAccessU.exe -- (NMSAccess)
SRV - [2008.05.22 00:43:36 | 000,307,968 | ---- | M] (TuneUp Software GmbH) [Disabled | Stopped] -- C:\WINDOWS\system32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2008.03.07 19:24:18 | 000,417,792 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Programme\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008.02.27 13:15:14 | 000,028,416 | ---- | M] (TuneUp Software GmbH) [Disabled | Stopped] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2007.12.14 11:46:28 | 000,047,624 | ---- | M] () [On_Demand | Stopped] -- C:\Programme\GIGABYTE\GEST\GSvr.exe -- (GEST Service)
SRV - [2003.07.28 13:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010.04.17 12:56:02 | 000,115,944 | ---- | M] (tzuk) [Kernel | On_Demand | Running] -- C:\Programme\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV - [2010.03.29 21:53:57 | 000,160,288 | ---- | M] (Acronis) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\afcdp.sys -- (afcdp)
DRV - [2010.03.29 21:53:54 | 000,911,680 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm258.sys -- (tdrpman258) Acronis Try&Decide and Restore Points filter (build 258)
DRV - [2010.03.29 21:53:53 | 000,581,984 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2010.03.29 21:53:47 | 000,158,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010.01.22 22:14:20 | 000,032,688 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2010.01.22 22:14:16 | 000,026,288 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2010.01.22 22:14:14 | 000,023,216 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2010.01.22 22:14:12 | 000,854,192 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2010.01.22 22:14:12 | 000,070,704 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2010.01.22 22:13:04 | 000,014,896 | ---- | M] (VMware, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport)
DRV - [2010.01.22 21:00:42 | 000,032,304 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2010.01.22 17:13:00 | 000,016,560 | R--- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2009.12.17 19:52:19 | 000,073,312 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2009.11.30 13:27:36 | 000,123,280 | ---- | M] (Sun Microsystems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxDrv.sys -- (VBoxDrv)
DRV - [2009.11.21 04:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009.10.20 20:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009.10.12 14:31:52 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Programme\VMware\VMware Workstation\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2009.10.02 13:40:50 | 000,432,664 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2009.09.01 15:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2009.05.29 20:13:38 | 000,031,952 | ---- | M] (Sun Microsystems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VBoxUSB.sys -- (VBoxUSB)
DRV - [2009.01.23 10:49:08 | 000,037,664 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2008.11.02 10:44:10 | 000,056,572 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008.04.13 20:41:23 | 000,020,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ramdisk.sys -- (Ramdisk)
DRV - [2008.04.13 20:20:12 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2008.04.13 18:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008.04.07 09:19:52 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2008.02.25 09:44:38 | 001,172,504 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2008.02.25 09:44:22 | 000,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2008.02.25 09:44:08 | 000,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2008.02.25 09:44:00 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2008.02.25 09:43:56 | 000,127,000 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2008.02.25 09:43:30 | 000,346,856 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2008.02.25 09:43:24 | 000,524,312 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2008.02.25 09:43:16 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2008.02.25 09:41:50 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2008.02.25 09:41:44 | 000,170,520 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2008.02.25 09:41:36 | 001,323,544 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2008.02.25 09:41:28 | 000,329,240 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2008.02.25 09:41:18 | 000,134,680 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2008.02.25 09:41:14 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2008.02.25 09:41:10 | 000,286,232 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2008.02.25 09:41:06 | 000,174,104 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2008.02.25 09:41:02 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2008.02.25 09:40:56 | 000,551,960 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2008.02.25 09:40:52 | 000,098,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2008.01.30 22:59:07 | 000,069,168 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\si3112.sys -- (Si3112)
DRV - [2008.01.30 22:53:55 | 000,009,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\dumpdrv.sys -- (DumpDrv)
DRV - [2008.01.30 22:53:52 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aspi32.sys -- (Aspi32)
DRV - [2008.01.03 22:10:16 | 000,105,856 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007.11.02 11:09:58 | 000,039,472 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\hotcore3.sys -- (hotcore3)
DRV - [2007.10.11 11:10:52 | 000,030,008 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ET5Drv.sys -- (ET5Drv)
DRV - [2007.07.23 10:56:58 | 000,042,624 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Alpham1.sys -- (Alpham1)
DRV - [2007.03.20 12:49:52 | 000,018,432 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Alpham2.sys -- (Alpham2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 80.67.172.70:8118

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Programme\Siber Systems\AI RoboForm\Firefox [2008.04.02 12:52:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Minefield 3.7a1pre\extensions\\Components: C:\Programme\Minefield\components [2009.09.28 19:26:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Minefield 3.7a1pre\extensions\\Plugins: C:\Programme\Minefield\plugins [2010.04.14 08:55:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Components: C:\Programme\ff3test\components
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Plugins: C:\Programme\ff3test\plugins
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.05.15 18:26:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.05.15 18:26:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Programme\Mozilla Thunderbird\components [2010.05.01 21:35:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Programme\Mozilla Thunderbird\plugins [2010.05.01 21:35:23 | 000,000,000 | ---D | M]

[2010.05.15 18:31:25 | 000,000,000 | ---D | M] -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Extensions
[2010.05.15 18:26:51 | 000,000,000 | ---D | M] -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\extensions
[2010.05.15 18:26:51 | 000,000,000 | ---D | M] (No name found) -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.05.15 18:26:51 | 000,000,000 | ---D | M] -- D:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\extensions\staged-xpis
[2010.05.15 18:31:26 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.04.01 18:54:38 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.04.01 18:54:38 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.04.01 18:54:38 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.04.01 18:54:38 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.04.01 18:54:38 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010.05.19 08:52:22 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll File not found
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll File not found
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programme\Orbitdownloader\GrabPro.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Programme\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programme\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [Directory Opus Desktop Dblclk] C:\Programme\GPSoftware\Directory Opus\dopusrt.exe (GP Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Download by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Programme\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: RF - Formular ausfüllen - C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RF - Formular speichern - C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: Translate with &Babylon - C:\Programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9 - Extra Button: Ausfüllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : RF - Formular ausfüllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : RF - Formular speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RF - RoboForm-Leiste ein/aus - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Programme\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Programme\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O18 - Protocol\Handler\hddlife {BD758015-47D9-477A-8873-4B688A2BC0E2} - C:\Programme\Gemeinsame Dateien\BinarySense\hlAPP.dll (BinarySense, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O28 - HKLM ShellExecuteHooks: {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Programme\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008.04.01 17:17:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.05.19 08:58:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010.05.18 22:40:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010.05.18 22:39:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010.05.18 22:39:15 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010.05.18 22:39:15 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010.05.18 22:39:15 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010.05.18 22:38:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.05.16 14:52:53 | 000,000,000 | ---D | C] -- C:\gmer
[2010.05.16 11:54:49 | 000,000,000 | ---D | C] -- C:\downloads
[2010.05.15 18:29:05 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\win_ordner\desktop\Neuer Ordner
[2010.05.15 18:24:40 | 008,188,856 | ---- | C] (Mozilla) -- D:\arbeitsdaten\win_ordner\desktop\Firefox Setup 3.6.3.exe
[2010.05.15 17:37:08 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\anwendungsdaten\SUPERAntiSpyware.com
[2010.05.15 17:37:08 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
[2010.05.15 12:32:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010.05.15 12:20:02 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\katha\Recent
[2010.05.15 12:02:55 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\win_ordner\desktop\GooredFix Backups
[2010.05.14 23:33:26 | 000,000,000 | ---D | C] -- D:\arbeitsdaten\anwendungsdaten\Malwarebytes
[2010.05.14 23:33:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.05.14 23:33:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.05.14 23:33:00 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.05.14 23:33:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.05.09 22:02:30 | 000,000,000 | ---D | C] -- C:\Programme\WinPcap
[2010.05.01 21:33:14 | 000,180,224 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QTCF.dll
[2008.02.20 20:59:14 | 000,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.05.19 08:53:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.05.19 08:53:11 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.05.19 08:52:39 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010.05.19 08:52:30 | 000,237,662 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010.05.19 08:52:22 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.05.19 08:52:16 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.05.19 08:52:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.05.19 08:52:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.05.19 08:51:59 | 3488,067,584 | -HS- | M] () -- C:\hiberfil.sys
[2010.05.19 08:51:05 | 007,864,320 | ---- | M] () -- C:\Dokumente und Einstellungen\katha\ntuser.dat
[2010.05.19 08:51:05 | 000,055,468 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000001-00001102-00000005-00211102}.rfx
[2010.05.19 08:51:05 | 000,055,468 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000001-00001102-00000005-00211102}.rfx
[2010.05.19 08:51:05 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010.05.19 08:51:05 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010.05.19 08:51:05 | 000,000,788 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000001-00001102-00000005-00211102}.rfx
[2010.05.18 23:43:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.05.18 23:05:00 | 000,001,148 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004UA.job
[2010.05.18 22:40:44 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010.05.18 16:07:32 | 000,000,224 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Tonleiter_c-mi_sheberach.mid
[2010.05.18 15:20:12 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.05.17 22:05:00 | 000,001,096 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004Core.job
[2010.05.16 23:14:37 | 000,000,604 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Orbit.lnk
[2010.05.16 23:04:40 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2010.05.16 23:04:40 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
[2010.05.16 21:03:32 | 000,042,400 | ---- | M] () -- C:\ark_c_.zip
[2010.05.16 09:45:10 | 000,002,760 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2010.05.16 09:21:29 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\SyncBackSE Supermemo-Backup lokal.job
[2010.05.16 00:00:20 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\katha\ntuser.ini
[2010.05.15 18:26:21 | 008,188,856 | ---- | M] (Mozilla) -- D:\arbeitsdaten\win_ordner\desktop\Firefox Setup 3.6.3.exe
[2010.05.14 23:04:03 | 000,002,221 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Growl.lnk
[2010.05.14 22:56:22 | 000,000,016 | ---- | M] () -- D:\arbeitsdaten\anwendungsdaten\qvjsge.dat
[2010.05.11 16:48:47 | 000,001,710 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Directory Opus.lnk
[2010.05.09 22:02:31 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\-1
[2010.05.09 21:53:43 | 000,000,746 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Sandboxed Web Browser.lnk
[2010.05.08 11:37:37 | 001,077,540 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.05.08 11:37:37 | 000,461,490 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.05.08 11:37:37 | 000,443,504 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.05.08 11:37:37 | 000,085,920 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.05.08 11:37:37 | 000,072,348 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.05.04 15:32:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.05.02 17:08:15 | 000,000,431 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\210_marine_girls_-_honey.mp3
[2010.05.01 16:06:13 | 000,000,426 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Verknüpfung mit neo layout.lnk
[2010.04.30 14:00:57 | 004,955,435 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\beat_happening-indian_summer.mp3
[2010.04.30 08:23:52 | 000,001,554 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\myKaruga shooter!.lnk
[2010.04.29 23:15:01 | 000,001,554 | ---- | M] () -- D:\arbeitsdaten\win_ordner\desktop\Prototyp!.lnk
[2010.04.29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.04.29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.04.26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010.04.22 20:29:33 | 000,499,400 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.04.22 19:08:28 | 000,018,432 | ---- | M] () -- D:\arbeitsdaten\anwendungsdaten_lokal\GDIPFONTCACHEV1.DAT
[2010.04.21 08:45:37 | 000,001,887 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Earth.lnk
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.05.18 22:40:43 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010.05.18 22:40:34 | 000,262,448 | ---- | C] () -- C:\cmldr
[2010.05.18 22:39:15 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010.05.18 22:39:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010.05.18 22:39:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010.05.18 22:39:15 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010.05.18 22:39:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010.05.16 23:14:37 | 000,000,604 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Orbit.lnk
[2010.05.16 21:03:30 | 000,042,400 | ---- | C] () -- C:\ark_c_.zip
[2010.05.16 00:01:13 | 3488,067,584 | -HS- | C] () -- C:\hiberfil.sys
[2010.05.15 13:55:59 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.05.14 22:56:22 | 000,000,016 | ---- | C] () -- D:\arbeitsdaten\anwendungsdaten\qvjsge.dat
[2010.05.11 16:48:47 | 000,001,710 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Directory Opus.lnk
[2010.05.09 22:02:30 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\-1
[2010.05.09 21:54:07 | 000,000,746 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Sandboxed Web Browser.lnk
[2010.05.02 17:08:14 | 000,000,431 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\210_marine_girls_-_honey.mp3
[2010.05.01 16:06:13 | 000,000,426 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Verknüpfung mit neo layout.lnk
[2010.04.30 14:00:34 | 004,955,435 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\beat_happening-indian_summer.mp3
[2010.04.30 08:23:52 | 000,001,554 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\myKaruga shooter!.lnk
[2010.04.29 23:15:01 | 000,001,554 | ---- | C] () -- D:\arbeitsdaten\win_ordner\desktop\Prototyp!.lnk
[2010.04.21 08:45:37 | 000,001,887 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Earth.lnk
[2010.03.30 12:17:59 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\SyncBackPro.dll
[2009.11.09 23:54:03 | 000,002,760 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2009.10.20 20:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009.10.15 13:25:17 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009.05.09 14:05:58 | 000,339,968 | ---- | C] () -- C:\WINDOWS\System32\pythoncom25.dll
[2009.05.09 14:05:58 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\pywintypes25.dll
[2009.03.27 04:00:14 | 000,499,712 | R--- | C] () -- C:\WINDOWS\System32\XmlSpyLib.dll
[2008.11.15 02:46:00 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2008.07.24 10:40:51 | 000,000,125 | ---- | C] () -- C:\WINDOWS\fd3.INI
[2008.07.16 15:55:02 | 000,002,005 | ---- | C] () -- C:\WINDOWS\APDFPRP.INI
[2008.05.19 17:28:01 | 000,000,023 | -HS- | C] () -- C:\WINDOWS\System32\faaacbeaf7_z.dll
[2008.05.19 11:47:16 | 000,001,131 | ---- | C] () -- C:\WINDOWS\CDPlayer.ini
[2008.04.30 09:33:43 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008.04.19 11:34:31 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.04.18 08:22:16 | 004,244,744 | ---- | C] () -- C:\WINDOWS\System32\qtp-mt334.dll
[2008.04.18 08:22:16 | 000,247,560 | ---- | C] () -- C:\WINDOWS\System32\prgiso.dll
[2008.04.05 12:38:54 | 000,000,152 | ---- | C] () -- C:\WINDOWS\CoolPlay.ini
[2008.04.02 09:30:10 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008.04.02 09:30:09 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008.04.02 09:23:40 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008.04.01 21:29:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIGER.DLL
[2008.04.01 20:29:04 | 000,000,154 | ---- | C] () -- C:\WINDOWS\usdthank.ini
[2008.04.01 20:29:03 | 000,000,031 | ---- | C] () -- C:\WINDOWS\idc.ini
[2008.04.01 17:21:59 | 000,394,752 | ---- | C] () -- C:\WINDOWS\System32\cygwinb19.dll
[2008.02.25 14:55:32 | 000,101,603 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008.02.20 21:24:36 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008.02.20 21:00:12 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2008.01.30 22:54:00 | 001,800,192 | ---- | C] () -- C:\WINDOWS\System32\hmtcdres.dll
[2008.01.30 22:53:58 | 000,394,240 | ---- | C] () -- C:\WINDOWS\System32\hmtcd.dll
[2007.12.05 01:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007.08.13 20:45:02 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2006.10.02 17:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[1998.03.14 06:22:21 | 000,002,880 | --S- | C] () -- C:\WINDOWS\System32\argtmp39.dll

========== Custom Scans ==========


< :OTL >

< O4 - HKLM..\Run: [] File not found >

< O4 - HKU\S-1-5-21-1606980848-1960408961-725345543-1004..\Run: [AdobeBridge] File not found >

< O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix] File not found >

< O4 - HKU\S-1-5-18..\RunOnce: [ShowDeskFix] File not found >

< O4 - HKU\S-1-5-20..\RunOnce: [ShowDeskFix] File not found >

< >

< :Files >

< C:\WINDOWS\System32\drivers\vvrzyqd.sys >

< D:\arbeitsdaten\anwendungsdaten\qvjsge.dat >
[2010.05.14 22:56:22 | 000,000,016 | ---- | M] () -- D:\arbeitsdaten\anwendungsdaten\qvjsge.dat

< >

< :Services >

< vvrzyqd >

< >

< :reg >

< [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command] >

< ""=""%1" %*" >

========== Alternate Data Streams ==========

@Alternate Data Stream - 2960 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\sdpsenv.dat:naughtypirates
< End of report >


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:34 AM

Posted 19 May 2010 - 06:56 PM

There is some infection in your PC's D drive. Make sure that this device is plugged in first.


Now rerun Combofix with the script below.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\sdpsenv.dat
D:\arbeitsdaten\anwendungsdaten\qvjsge.dat


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#11 katharina

katharina
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Location:Berlin
  • Local time:05:34 AM

Posted 20 May 2010 - 05:59 AM

ComboFix 10-05-19.02 - katha 20.05.2010 9:59.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3326.2668 [GMT 2:00]
ausgeführt von:: d:\tmp\adhoc\5.17\ComboFix.exe
Benutzte Befehlsschalter :: d:\tmp\adhoc\5.17\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Neuer Wiederherstellungspunkt wurde erstellt [System Restore Point created]

FILE ::
"c:\dokumente und einstellungen\All Users\Anwendungsdaten\sdpsenv.dat"
"d:\arbeitsdaten\anwendungsdaten\qvjsge.dat"
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen [Other Deletions] ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\All Users\Anwendungsdaten\sdpsenv.dat
d:\arbeitsdaten\anwendungsdaten\qvjsge.dat

.
((((((((((((((((((((((( Dateien erstellt von 2010-04-20 bis 2010-05-20 [Files Created from ...] ))))))))))))))))))))))))))))))
.

2010-05-16 19:03 . 2010-05-16 19:03 42400 ----a-w- C:\ark_c_.zip
2010-05-16 12:52 . 2010-05-16 12:53 -------- d-----w- C:\gmer
2010-05-16 09:54 . 2010-05-16 09:54 -------- d-----w- C:\downloads
2010-05-15 15:37 . 2010-05-15 15:37 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\SUPERAntiSpyware.com
2010-05-15 15:37 . 2010-05-15 15:37 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
2010-05-15 11:55 . 2010-05-18 13:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-14 21:33 . 2010-05-14 21:33 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Malwarebytes
2010-05-14 21:33 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 21:33 . 2010-05-14 21:33 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2010-05-14 21:33 . 2010-05-14 21:33 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-05-14 21:33 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 21:05 . 2010-05-14 21:05 -------- d-sh--w- c:\dokumente und einstellungen\NetworkService\IETldCache
2010-05-09 20:02 . 2010-05-09 20:02 -------- d-----w- c:\programme\WinPcap
2010-05-01 19:33 . 2010-03-17 20:53 180224 ----a-w- c:\windows\system32\QTCF.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-20 07:03 . 2008-04-02 06:33 -------- d-----w- c:\programme\FindAndRunRobot
2010-05-20 06:58 . 2009-11-06 21:33 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Spotify
2010-05-20 06:58 . 2008-04-02 07:45 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Babylon
2010-05-19 20:28 . 2008-08-21 08:08 -------- d-----w- c:\programme\Zoom Player
2010-05-19 20:27 . 2008-07-31 07:27 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\foobar2000
2010-05-19 19:20 . 2008-04-01 16:21 -------- d-----w- c:\programme\DcUpdater
2010-05-19 15:44 . 2008-04-21 06:08 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google Updater
2010-05-19 08:12 . 2009-07-09 19:00 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\vlc
2010-05-19 06:53 . 2009-12-10 19:31 -------- d-----w- c:\dokumente und einstellungen\LocalService\Anwendungsdaten\VMware
2010-05-19 06:53 . 2009-12-10 19:31 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\VMware
2010-05-18 04:53 . 2008-04-02 07:45 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Babylon
2010-05-18 04:53 . 2008-04-02 07:51 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Orbit
2010-05-17 08:19 . 2008-04-02 10:06 -------- d-----w- c:\programme\Mozilla Thunderbird
2010-05-16 21:14 . 2008-04-02 07:51 -------- d-----w- c:\programme\Orbitdownloader
2010-05-16 21:05 . 2009-11-06 19:02 -------- d-----w- c:\programme\Replay Media Catcher
2010-05-16 21:04 . 2008-11-15 00:46 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-05-16 21:04 . 2008-11-15 00:46 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-05-16 15:28 . 2010-02-15 19:03 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2010-05-16 09:23 . 2008-04-02 07:15 -------- d-----w- c:\programme\Gemeinsame Dateien\Adobe
2010-05-15 16:08 . 2008-04-08 17:24 -------- d-----w- c:\programme\xchat
2010-05-15 10:19 . 2008-08-29 14:22 -------- d-----w- c:\programme\CCleaner
2010-05-15 10:05 . 2008-04-18 08:45 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\uTorrent
2010-05-14 21:00 . 2008-04-18 08:45 -------- d-----w- c:\programme\uTorrent
2010-05-13 19:36 . 2009-12-10 19:52 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\VMware
2010-05-12 11:24 . 2008-04-08 17:24 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\X-Chat 2
2010-05-11 16:37 . 2008-07-31 07:27 -------- d-----w- c:\programme\foobar2000
2010-05-08 09:37 . 2001-08-23 12:00 85920 ----a-w- c:\windows\system32\perfc007.dat
2010-05-08 09:37 . 2001-08-23 12:00 461490 ----a-w- c:\windows\system32\perfh007.dat
2010-05-07 12:49 . 2008-04-10 13:06 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2010-05-07 12:49 . 2009-06-05 16:53 -------- d-----w- c:\programme\Microsoft Visual Studio 9.0
2010-05-02 15:23 . 2009-12-05 10:01 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\uTorrent.public
2010-05-01 19:35 . 2008-04-02 07:32 -------- d-----w- c:\programme\QT Lite
2010-04-24 08:38 . 2008-04-01 22:30 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\XnView
2010-04-22 17:08 . 2008-04-02 07:43 18432 ----a-w- d:\arbeitsdaten\anwendungsdaten_lokal\GDIPFONTCACHEV1.DAT
2010-04-17 12:55 . 2009-10-23 16:15 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\dvdcss
2010-04-08 17:07 . 2009-05-06 18:15 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Rosetta Stone
2010-04-04 12:50 . 2008-04-02 07:42 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\FLEXnet
2010-04-02 06:47 . 2010-02-05 21:18 -------- d-----w- c:\programme\Bonjour
2010-04-02 05:59 . 2010-04-02 05:59 -------- d-----w- c:\programme\JetBrains
2010-03-31 12:26 . 2010-03-31 12:26 -------- d-----w- c:\programme\Common Files
2010-03-31 12:25 . 2010-03-31 12:25 -------- d-----w- c:\programme\VMware
2010-03-30 10:17 . 2008-04-01 20:27 -------- d-----w- c:\programme\2BrightSparks
2010-03-30 10:17 . 2008-04-01 15:21 -------- d-----w- c:\programme\Java
2010-03-29 19:53 . 2010-03-29 19:53 160288 ----a-w- c:\windows\system32\drivers\afcdp.sys
2010-03-29 19:53 . 2010-03-29 19:53 -------- d-----w- c:\programme\Gemeinsame Dateien\Acronis
2010-03-29 19:53 . 2010-03-29 19:53 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-03-29 19:53 . 2010-03-29 19:53 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-03-29 19:53 . 2010-03-29 19:53 158272 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-03-29 19:53 . 2010-03-29 19:53 -------- d-----w- c:\programme\Acronis
2010-03-21 17:58 . 2010-03-21 17:58 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Growl
2010-03-21 11:41 . 2008-04-27 12:57 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\BOM
2010-03-10 06:15 . 2008-01-30 20:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 10:05 . 2009-02-24 19:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:15 . 2008-01-30 20:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-01-30 20:50 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-16 17:51 . 2008-08-07 06:37 443 ----a-w- c:\programme\Gemeinsame Dateien\fnp_registrations.xml
2009-01-23 08:12 . 2008-08-07 06:37 655624 ----a-w- c:\programme\Gemeinsame Dateien\FNPLicensingService.exe
2008-05-19 15:28 . 2008-05-19 15:28 23 --sha-w- c:\windows\system32\faaacbeaf7_z.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung [Reg Loading Points] ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Directory Opus Desktop Dblclk"="c:\programme\GPSoftware\Directory Opus\dopusrt.exe" [2010-03-17 271840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"IE7"="advpack.dll" [2009-03-08 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\programme\GPSoftware\Directory Opus\dopuslib.dll" [2010-03-17 838104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.Defrag"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=3 (0x3)
"HDDlife HDD Access service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Programme\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Programme\\xchat\\xchat.exe"=
"c:\\Programme\\Spotify\\spotify.exe"=
"c:\\Programme\\Gemeinsame Dateien\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Programme\\gnucash\\bin\\gnucash-bin.exe"=
"c:\\Programme\\gnucash\\bin\\gconfd-2.exe"=
"c:\\Programme\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"c:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"c:\\Programme\\Orbitdownloader\\orbitnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [18.4.2008 08:22 39472]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [29.3.2010 21:53 911680]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [6.9.2008 16:35 123280]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20.10.2009 20:19 50704]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22.1.2010 22:14 70704]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [30.1.2008 22:53 9472]
S1 SASDIFSV;SASDIFSV;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASDIFSV.SYS --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASKUTIL.sys --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 gupdate1c98d46984b34e4;Google Update Service (gupdate1c98d46984b34e4);c:\programme\Google\Update\GoogleUpdate.exe [12.2.2009 21:17 133104]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\programme\Common Files\VMware\USB\vmware-usbarbitrator.exe [22.1.2010 21:00 563760]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [29.3.2010 21:53 160288]
S3 GEST Service;GEST Service for program management.;c:\programme\GIGABYTE\GEST\GSvr.exe [11.4.2008 12:18 47624]
S3 PORTMON;PORTMON;\??\d:\programme\essentiell\SysinternalsSuite\PORTMSYS.SYS --> d:\programme\essentiell\SysinternalsSuite\PORTMSYS.SYS [?]
S3 Ramdisk;Windows RAM-Laufwerktreiber;c:\windows\system32\drivers\ramdisk.sys [19.4.2000 23:00 20736]
S3 SASENUM;SASENUM;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASENUM.SYS --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASENUM.SYS [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\d:\arbeit~1\WIN_OR~1\wintemp\TCCpuInfo.sys --> d:\arbeit~1\WIN_OR~1\wintemp\TCCpuInfo.sys [?]
S3 usbsnoop;usbsnoop (display);c:\windows\system32\drivers\usbsnoop.sys --> c:\windows\system32\drivers\usbsnoop.sys [?]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [25.6.2009 18:25 31952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4.8.2004 00:58 14336]
S4 afcdpsrv;Acronis Nonstop Backup service;c:\programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe [29.3.2010 21:53 2480048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7.4.2008 09:19 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners [Contents of the 'Scheduled Tasks' folder]

2010-05-19 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-21 10:18]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-02-12 19:17]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-02-12 19:17]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004Core.job
- d:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\GoogleUpdate.exe [2009-02-12 20:01]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004UA.job
- d:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\GoogleUpdate.exe [2009-02-12 20:01]

2010-05-16 c:\windows\Tasks\SyncBackSE Supermemo-Backup lokal.job
- c:\programme\2BrightSparks\SyncBackSE\SyncBackSE.exe [2008-04-01 13:59]
.
.
------- Zusätzlicher Suchlauf [Supplementary Scan] -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://regalyzer/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 80.67.172.70:8118
IE: &Download by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/204
IE: An vorhandene PDF-Datei anfügen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/202
IE: In Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: RF - Formular ausfüllen - file://c:\programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RF - Formular speichern - file://c:\programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Translate with &Babylon - c:\programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
LSP: c:\programme\VMware\VMware Workstation\vsocklib.dll
TCP: {DEECFAB6-361B-4AE7-A3B5-6EB19C668F00} = 192.168.1.1
Handler: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - c:\programme\Gemeinsame Dateien\BinarySense\hlAPP.dll
FF - ProfilePath - d:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programme\Microsoft Research\HDView for Firefox\nphdview.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten\Mozilla\plugins\npoctoshape.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten_lokal\myVRnpapi\npmyvr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien [Firefox policies] ----
c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 10:05
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse... [Scanning hidden processes...]

Scanne versteckte Autostarteinträge... [Scanning hidden autostart entries...]

Scanne versteckte Dateien... [Scanning hidden files...]

Scan erfolgreich abgeschlossen [Scan completed successfully]
versteckte Dateien: 0 [hidden files: 0]

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel [Locked registry keys] ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1960408961-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ed,ec,cd,4b,66,8a,ad,81,a0,a4,a6,2e,2c,71,4a,73,db,35,04,fd,c8,e4,9f,
17,93,cd,eb,4d,d3,c5,ae,11,dc,06,07,ed,b4,1e,b2,06,a0,7c,1e,e8,22,dd,cb,84,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\–€|ÿÿÿÿK•€|é•6~*]
"7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Durch laufende Prozesse gestartete DLLs [DLLs Loaded Under Running Processes] ---------------------

- - - - - - - > 'winlogon.exe'(1136)
c:\programme\Gemeinsame Dateien\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Zeit der Fertigstellung [Completion time]: 2010-05-20 10:09:04
ComboFix-quarantined-files.txt 2010-05-20 08:08

Vor Suchlauf [Before scan]: 1.196.781.568 Bytes frei [bytes free]
Nach Suchlauf [After scan]: 1.171.931.136 Bytes frei [bytes free]

- - End Of File - - 519D84CCB1C2C39AA70645DB4D0DDD38


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:34 AM

Posted 20 May 2010 - 01:06 PM

That's better.


Please go to ESET's site and do the online scan

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#13 katharina

katharina
  • Topic Starter

  • Members
  • 15 posts
  • Location:Berlin
  • Local time:05:34 AM

Posted 20 May 2010 - 06:04 PM

Eset found two unrelated suspects. The first one came bundled with Unlocker.
C:\Programme\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application deleted - quarantined
C:\System Volume Information\_restore{CC70A9D0-B667-4E54-A42D-194C9820F7B9}\RP2\A0000531.exe a variant of Win32/Adware.ADON application deleted - quarantined

I've just restarted my PC and my router. The original issues persist :(
Google redirects and pop-ups in Firefox and Internet Explorer; page loading in Chrome still completely blocked - even for local files.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:34 AM

Posted 20 May 2010 - 06:07 PM

Please rerun Combofix and post the log :)
m0le is a proud member of UNITE

#15 katharina

katharina
  • Topic Starter

  • Members
  • 15 posts
  • Location:Berlin
  • Local time:05:34 AM

Posted 21 May 2010 - 08:48 AM

Again, thanks for bearing with me :)

ComboFix 10-05-20.A1 - katha 21.05.2010 14:36:50.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3326.2813 [GMT 2:00]
ausgeführt von [run from]: d:\tmp\adhoc\5.17\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((( Dateien erstellt von 2010-04-21 bis 2010-05-21 [Files Created from ...] ))))))))))))))))))))))))))))))
.

2010-05-20 20:43 . 2010-05-20 20:43 -------- d-----w- c:\programme\ESET
2010-05-20 11:30 . 2010-05-20 11:30 -------- d-----r- c:\dokumente und einstellungen\NetworkService\Favoriten
2010-05-16 19:03 . 2010-05-16 19:03 42400 ----a-w- C:\ark_c_.zip
2010-05-16 12:52 . 2010-05-16 12:53 -------- d-----w- C:\gmer
2010-05-16 09:54 . 2010-05-16 09:54 -------- d-----w- C:\downloads
2010-05-15 15:37 . 2010-05-15 15:37 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\SUPERAntiSpyware.com
2010-05-15 15:37 . 2010-05-15 15:37 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
2010-05-15 11:55 . 2010-05-20 17:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-14 21:33 . 2010-05-14 21:33 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Malwarebytes
2010-05-14 21:33 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 21:33 . 2010-05-14 21:33 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2010-05-14 21:33 . 2010-05-14 21:33 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-05-14 21:33 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 21:05 . 2010-05-14 21:05 -------- d-sh--w- c:\dokumente und einstellungen\NetworkService\IETldCache
2010-05-09 20:02 . 2010-05-09 20:02 -------- d-----w- c:\programme\WinPcap
2010-05-01 19:33 . 2010-03-17 20:53 180224 ----a-w- c:\windows\system32\QTCF.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht [Find3M Report] ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 12:32 . 2008-04-02 06:33 -------- d-----w- c:\programme\FindAndRunRobot
2010-05-21 11:13 . 2008-04-01 16:21 -------- d-----w- c:\programme\DcUpdater
2010-05-21 11:09 . 2010-02-15 19:03 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2010-05-21 10:36 . 2008-04-02 10:06 -------- d-----w- c:\programme\Mozilla Thunderbird
2010-05-21 10:36 . 2009-12-10 19:31 -------- d-----w- c:\dokumente und einstellungen\LocalService\Anwendungsdaten\VMware
2010-05-21 10:36 . 2009-12-10 19:31 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\VMware
2010-05-21 06:57 . 2008-04-02 07:45 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Babylon
2010-05-20 21:53 . 2008-04-02 08:01 -------- d-----w- c:\programme\Unlocker
2010-05-20 21:09 . 2008-04-01 17:11 -------- d-----w- c:\programme\e
2010-05-20 20:30 . 2009-11-06 21:33 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Spotify
2010-05-20 17:45 . 2008-04-21 06:08 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google Updater
2010-05-20 14:27 . 2009-07-09 19:00 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\vlc
2010-05-20 14:26 . 2008-08-21 08:08 -------- d-----w- c:\programme\Zoom Player
2010-05-19 20:27 . 2008-07-31 07:27 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\foobar2000
2010-05-18 04:53 . 2008-04-02 07:45 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Babylon
2010-05-18 04:53 . 2008-04-02 07:51 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\Orbit
2010-05-16 21:14 . 2008-04-02 07:51 -------- d-----w- c:\programme\Orbitdownloader
2010-05-16 21:05 . 2009-11-06 19:02 -------- d-----w- c:\programme\Replay Media Catcher
2010-05-16 21:04 . 2008-11-15 00:46 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-05-16 21:04 . 2008-11-15 00:46 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-05-16 09:23 . 2008-04-02 07:15 -------- d-----w- c:\programme\Gemeinsame Dateien\Adobe
2010-05-15 16:08 . 2008-04-08 17:24 -------- d-----w- c:\programme\xchat
2010-05-15 10:19 . 2008-08-29 14:22 -------- d-----w- c:\programme\CCleaner
2010-05-15 10:05 . 2008-04-18 08:45 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\uTorrent
2010-05-14 21:00 . 2008-04-18 08:45 -------- d-----w- c:\programme\uTorrent
2010-05-13 19:36 . 2009-12-10 19:52 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\VMware
2010-05-12 11:24 . 2008-04-08 17:24 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\X-Chat 2
2010-05-11 16:37 . 2008-07-31 07:27 -------- d-----w- c:\programme\foobar2000
2010-05-08 09:37 . 2001-08-23 12:00 85920 ----a-w- c:\windows\system32\perfc007.dat
2010-05-08 09:37 . 2001-08-23 12:00 461490 ----a-w- c:\windows\system32\perfh007.dat
2010-05-07 12:49 . 2008-04-10 13:06 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2010-05-07 12:49 . 2009-06-05 16:53 -------- d-----w- c:\programme\Microsoft Visual Studio 9.0
2010-05-02 15:23 . 2009-12-05 10:01 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\uTorrent.public
2010-05-01 19:35 . 2008-04-02 07:32 -------- d-----w- c:\programme\QT Lite
2010-04-24 08:38 . 2008-04-01 22:30 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\XnView
2010-04-22 17:08 . 2008-04-02 07:43 18432 ----a-w- d:\arbeitsdaten\anwendungsdaten_lokal\GDIPFONTCACHEV1.DAT
2010-04-17 12:55 . 2009-10-23 16:15 -------- d-----w- d:\arbeitsdaten\anwendungsdaten\dvdcss
2010-04-08 17:07 . 2009-05-06 18:15 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Rosetta Stone
2010-04-04 12:50 . 2008-04-02 07:42 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\FLEXnet
2010-04-02 06:47 . 2010-02-05 21:18 -------- d-----w- c:\programme\Bonjour
2010-04-02 05:59 . 2010-04-02 05:59 -------- d-----w- c:\programme\JetBrains
2010-03-31 12:26 . 2010-03-31 12:26 -------- d-----w- c:\programme\Common Files
2010-03-31 12:25 . 2010-03-31 12:25 -------- d-----w- c:\programme\VMware
2010-03-30 10:17 . 2008-04-01 20:27 -------- d-----w- c:\programme\2BrightSparks
2010-03-30 10:17 . 2008-04-01 15:21 -------- d-----w- c:\programme\Java
2010-03-29 19:53 . 2010-03-29 19:53 160288 ----a-w- c:\windows\system32\drivers\afcdp.sys
2010-03-29 19:53 . 2010-03-29 19:53 -------- d-----w- c:\programme\Gemeinsame Dateien\Acronis
2010-03-29 19:53 . 2010-03-29 19:53 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-03-29 19:53 . 2010-03-29 19:53 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-03-29 19:53 . 2010-03-29 19:53 158272 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-03-29 19:53 . 2010-03-29 19:53 -------- d-----w- c:\programme\Acronis
2010-03-10 06:15 . 2008-01-30 20:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 10:05 . 2009-02-24 19:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:15 . 2008-01-30 20:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-01-30 20:50 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-16 17:51 . 2008-08-07 06:37 443 ----a-w- c:\programme\Gemeinsame Dateien\fnp_registrations.xml
2009-01-23 08:12 . 2008-08-07 06:37 655624 ----a-w- c:\programme\Gemeinsame Dateien\FNPLicensingService.exe
2008-05-19 15:28 . 2008-05-19 15:28 23 --sha-w- c:\windows\system32\faaacbeaf7_z.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung [Reg Loading Points] ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. [*Note* empty entries & legitimate default entries are not shown.]
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Directory Opus Desktop Dblclk"="c:\programme\GPSoftware\Directory Opus\dopusrt.exe" [2010-03-17 271840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"IE7"="advpack.dll" [2009-03-08 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\programme\GPSoftware\Directory Opus\dopuslib.dll" [2010-03-17 838104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.Defrag"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=3 (0x3)
"HDDlife HDD Access service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Programme\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Programme\\xchat\\xchat.exe"=
"c:\\Programme\\Spotify\\spotify.exe"=
"c:\\Programme\\Gemeinsame Dateien\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Programme\\gnucash\\bin\\gnucash-bin.exe"=
"c:\\Programme\\gnucash\\bin\\gconfd-2.exe"=
"c:\\Programme\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"c:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"c:\\Programme\\Orbitdownloader\\orbitnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [18.4.2008 08:22 39472]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [29.3.2010 21:53 911680]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [6.9.2008 16:35 123280]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20.10.2009 20:19 50704]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22.1.2010 22:14 70704]
S0 qduc;qduc;c:\windows\system32\drivers\agnqct.sys --> c:\windows\system32\drivers\agnqct.sys [?]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [30.1.2008 22:53 9472]
S1 SASDIFSV;SASDIFSV;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASDIFSV.SYS --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASKUTIL.sys --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 gupdate1c98d46984b34e4;Google Update Service (gupdate1c98d46984b34e4);c:\programme\Google\Update\GoogleUpdate.exe [12.2.2009 21:17 133104]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\programme\Common Files\VMware\USB\vmware-usbarbitrator.exe [22.1.2010 21:00 563760]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [29.3.2010 21:53 160288]
S3 GEST Service;GEST Service for program management.;c:\programme\GIGABYTE\GEST\GSvr.exe [11.4.2008 12:18 47624]
S3 PORTMON;PORTMON;\??\d:\programme\essentiell\SysinternalsSuite\PORTMSYS.SYS --> d:\programme\essentiell\SysinternalsSuite\PORTMSYS.SYS [?]
S3 Ramdisk;Windows RAM-Laufwerktreiber;c:\windows\system32\drivers\ramdisk.sys [19.4.2000 23:00 20736]
S3 SASENUM;SASENUM;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASENUM.SYS --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASENUM.SYS [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\d:\arbeit~1\WIN_OR~1\wintemp\TCCpuInfo.sys --> d:\arbeit~1\WIN_OR~1\wintemp\TCCpuInfo.sys [?]
S3 usbsnoop;usbsnoop (display);c:\windows\system32\drivers\usbsnoop.sys --> c:\windows\system32\drivers\usbsnoop.sys [?]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [25.6.2009 18:25 31952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4.8.2004 00:58 14336]
S4 afcdpsrv;Acronis Nonstop Backup service;c:\programme\Gemeinsame Dateien\Acronis\CDP\afcdpsrv.exe [29.3.2010 21:53 2480048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7.4.2008 09:19 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners [Contents of the 'Scheduled Tasks' folder]

2010-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-21 10:18]

2010-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-02-12 19:17]

2010-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-02-12 19:17]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004Core.job
- d:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\GoogleUpdate.exe [2009-02-12 20:01]

2010-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1960408961-725345543-1004UA.job
- d:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\GoogleUpdate.exe [2009-02-12 20:01]

2010-05-16 c:\windows\Tasks\SyncBackSE Supermemo-Backup lokal.job
- c:\programme\2BrightSparks\SyncBackSE\SyncBackSE.exe [2008-04-01 13:59]
.
.
------- Zusätzlicher Suchlauf [Supplementary Scan] -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://regalyzer/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 80.67.172.70:8118
IE: &Download by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/204
IE: An vorhandene PDF-Datei anfügen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\programme\Orbitdownloader\orbitmxt.dll/202
IE: In Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: RF - Formular ausfüllen - file://c:\programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RF - Formular speichern - file://c:\programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Translate with &Babylon - c:\programme\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
LSP: c:\programme\VMware\VMware Workstation\vsocklib.dll
TCP: {DEECFAB6-361B-4AE7-A3B5-6EB19C668F00} = 192.168.1.1
Handler: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - c:\programme\Gemeinsame Dateien\BinarySense\hlAPP.dll
FF - ProfilePath - d:\arbeitsdaten\anwendungsdaten\Mozilla\Firefox\Profiles\x6ppvo6a.default\
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programme\Microsoft Research\HDView for Firefox\nphdview.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten\Mozilla\plugins\npoctoshape.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten_lokal\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\arbeitsdaten\anwendungsdaten_lokal\myVRnpapi\npmyvr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien [Firefox policies] ----
c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programme\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- Dateityp-Verknüpfung [File type association] -------
.
txtfile="c:\programme\e\e.exe" "%1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 14:42
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse... [Scanning hidden processes...]

Scanne versteckte Autostarteinträge... [Scanning hidden autostart entries...]

Scanne versteckte Dateien... [Scanning hidden files...]

Scan erfolgreich abgeschlossen [Scan completed successfully]
versteckte Dateien: 0 [hidden files: 0]

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel [Locked registry keys] ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1960408961-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ed,ec,cd,4b,66,8a,ad,81,a0,a4,a6,2e,2c,71,4a,73,db,35,04,fd,c8,e4,9f,
17,93,cd,eb,4d,d3,c5,ae,11,dc,06,07,ed,b4,1e,b2,06,a0,7c,1e,e8,22,dd,cb,84,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\–€|ÿÿÿÿK•€|é•6~*]
"7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Durch laufende Prozesse gestartete DLLs [DLLs Loaded Under Running Processes] ---------------------

- - - - - - - > 'winlogon.exe'(1184)
c:\programme\Gemeinsame Dateien\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3352)
c:\programme\GPSoftware\Directory Opus\dopushlp.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Zeit der Fertigstellung [Completion time]: 2010-05-21 14:46:02
ComboFix-quarantined-files.txt 2010-05-21 12:45
ComboFix2.txt 2010-05-20 08:09

Vor Suchlauf [Before scan]: 1.745.666.048 Bytes frei [bytes free]
Nach Suchlauf [After scan]: 1.764.655.104 Bytes frei [bytes free]

- - End Of File - - B92E9BBFAF436C1D44EA43CDE0294E05
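The two ComboFix logs in this thread carry the entries a responder reads first: the service and driver list (ComboFix marks an image it cannot find on disk with `--> <path> [?]`), the per-user Internet settings, and the Security Center and firewall values. The script below is an added example; it is not part of this thread, of ComboFix, or of any other tool named here, and the names `parse_service`, `triage` and `Finding` are its own. Its input is a constructed sample made of lines copied from the log above. It parses those lines and ranks what it finds: a boot-start (S0) or system-start (S1) driver whose file is gone, a demand-start one with a missing file (in this log those are stale entries from portable scanners, the SAS_SelfExtract and SysinternalsSuite paths), a user-level WinINET proxy server (which Internet Explorer, Chrome and a Firefox left at "use system proxy settings" all honour, so reinstalling a browser does not clear it), and the Security Center override and firewall-disabled values. The proxy check tells a public address from a private one; whether the proxy was set up deliberately (8118 is the default listening port of the Privoxy filtering proxy) is a question for the user, and the Security Center overrides are also what a third-party suite such as the Kaspersky in this log writes when it takes over monitoring. That is why the script reports and ranks rather than deletes.

```python
"""Triage of ComboFix-style log lines (added example; not part of the thread or of ComboFix)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix output posted above.
SAMPLE_LOG = r"""
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [18.4.2008 08:22 39472]
S0 qduc;qduc;c:\windows\system32\drivers\agnqct.sys --> c:\windows\system32\drivers\agnqct.sys [?]
S1 SASDIFSV;SASDIFSV;\??\d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASDIFSV.SYS --> d:\arbeit~1\WIN_OR~1\wintemp\SAS_SelfExtract\SASDIFSV.SYS [?]
S3 PORTMON;PORTMON;\??\d:\programme\essentiell\SysinternalsSuite\PORTMSYS.SYS --> d:\programme\essentiell\SysinternalsSuite\PORTMSYS.SYS [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4.8.2004 00:58 14336]
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 80.67.172.70:8118
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# R = running, S = stopped; the digit is the Windows service start type (0 boot ... 4 disabled).
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (\S+)$")
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    kind: str
    detail: str


def parse_service(line):
    """Split one ComboFix service/driver line into its fields, or return None for other lines."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    # ComboFix appends " --> <resolved path> [?]" when the image file is not on disk;
    # otherwise the entry ends with "[<timestamp> <size>]".
    missing = rest.rstrip().endswith("[?]")
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest.split(" --> ")[-1])
    return {"running": state == "R", "start": int(start), "name": name,
            "display": display, "path": path, "missing": missing}


def triage(log_text):
    """Return the findings a responder would check first, in log order (leads, not verdicts)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc is not None:
            if not svc["missing"]:
                continue
            if svc["start"] == 0:    # boot-start driver whose image is gone: top of the list
                sev, kind = "high", "missing-early-driver"
            elif svc["start"] == 1:  # system-start; in this log these are SAS_SelfExtract leftovers
                sev, kind = "medium", "missing-early-driver"
            else:                    # demand/disabled start: typically stale tool entries
                sev, kind = "info", "missing-driver"
            findings.append(Finding(sev, kind,
                f"{svc['name']} (start type {svc['start']}) points at {svc['path']}, which is not on disk"))
            continue
        m = PROXY_RE.match(line)
        if m:
            host, _, port = m.group(1).rpartition(":")
            if not host:             # value carried no port
                host, port = port, ""
            try:
                public = not ipaddress.ip_address(host).is_private
            except ValueError:       # a hostname: cannot be judged offline
                public = None
            where = {True: "a public address", False: "a private address", None: "a hostname"}[public]
            findings.append(Finding("high" if public else "medium", "user-proxy",
                f"WinINET proxy for this user is {m.group(1)} ({where}); IE, Chrome and a Firefox set to "
                f"use system proxy settings all send their traffic there"))
            continue
        m = OVERRIDE_RE.match(line)
        if m:
            findings.append(Finding("medium", "securitycenter-override",
                f"{m.group(1)} is set: Security Center stops reporting on that component"))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("medium", "firewall-off",
                "Windows Firewall is disabled for the standard profile"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

Run it as is to print the findings for the embedded sample, or pass the text of a saved ComboFix log to `triage()`. Every finding is a lead to confirm with the machine's owner and the files on disk, not a verdict: a driver entry with a vanished image and a random name next to a known-good one from a portable scanner look alike to a parser, which is why the start type, not the `[?]` alone, sets the severity.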

