Ultimate Defender is annoying

Topic is closed!
05.02.2008, 15:56
Member

Thread starter

Posts: 21
#16 pretty cryptic characters, should I post the hex code?

here is the AVZ log:

Code

AVZ Antiviral Toolkit log; AVZ version is 4.29
Scanning started at 05.02.2008 15:54:57
Database loaded: signatures - 148310, NN profile(s) - 2, microprograms of healing - 55, signature database released 03.02.2008 20:36
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 68697
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Recovery: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->7C883FEC
Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->7C883F9C
Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->7C883FB0
Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->7C883FD8
Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->7C883FC4
IAT modification detected: LoadLibraryA - 7C883F9C<>7C801D77
IAT modification detected: GetProcAddress - 7C883FEC<>7C80ADA0
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 8055B6E0
   KiST = 89DAD008 (297)
>>> Attention, KiST table is moved ! (80503940(284)->89DAD008(297))
Function NtClose (19) intercepted (805BAF64->AD11CCB0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (80622104->AD110540), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcess (2F) intercepted (805CFAD4->AD11C9C0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcessEx (30) intercepted (805CFA1E->AD11CB40), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805A9E9E->AD11D5B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (805C3698->AD11D230), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (805CF8BC->AD11DF10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (80622594->AD110660), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80622764->AD1106E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BC940->AD11CE00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80622944->AD110770), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (80622BAE->AD110820), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtFlushKey (4F) intercepted (80622E18->AD1108D0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtInitializeRegistry (5C) intercepted (806200DC->AD110950), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (80623E34->AD1111F0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey2 (63) intercepted (80623A7E->AD110970), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) intercepted (80623DFE->AD110A70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (80578FD0->BA4B7FF0), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (8062349A->AD110B50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805C9CFE->AD11C7B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (805A8EC2->AD11D400), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (806237BE->AD110C50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (806212D2->AD110D00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQuerySystemInformation (AD) intercepted (8060F89C->AD11DBC0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (806201BE->AD110DB0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRenameKey (C0) intercepted (80621B2A->BA62100A), hook C:\WINDOWS\system32\Drivers\SSI.SYS
Function NtReplaceKey (C1) intercepted (80623CE4->AD110E60), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (8062050C->AD110EF0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (805D31FE->AD11DEC0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (806205AE->AD110F80), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (805CFFF6->AD11E230), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationFile (E0) intercepted (80579E38->AD11EAE0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationKey (E2) intercepted (80620E9E->AD111010), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationProcess (E4) intercepted (805CC748->AD1222A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (805BE9AA->AD11AA30), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (806207C4->AD1110B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805D3138->AD11DE70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805D1226->AD11DA10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtUnloadKey (107) intercepted (80620A8C->AD1111B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (805B2E0C->AD11CCD0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (804EAE80) - machine code modification Method of JmpTo. jmp AD11EF00 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804EF808) - machine code modification Method of JmpTo. jmp AD11F400 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 40, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
>>> Danger - possible CPU address substitution[1].IDT[01] = [B9C594F6] C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
>>> Danger - possible CPU address substitution[1].IDT[03] = [B9C5959C] C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Analysis for CPU 2
>>> Danger - possible CPU address substitution[2].IDT[01] = [B9C594F6] C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
>>> Danger - possible CPU address substitution[2].IDT[03] = [B9C5959C] C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Checking IDT and SYSENTER - complete
>>>> Process masking detected 1036 c:\windows\system32\braviax.exe
1.4 Searching for masking processes and drivers
Checking not performed: the extended monitoring driver (AVZPM) is not installed
2. Scanning memory
Number of processes found: 44
Number of modules loaded: 510
Memory checking - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\PROGS\FRAPS\FRAPS.DLL --> Suspicion for a Keylogger or Trojan DLL
C:\PROGS\FRAPS\FRAPS.DLL>>> Behavioral analysis:
  1. Reacts to events: keyboard, all events
C:\PROGS\FRAPS\FRAPS.DLL>>> Neural net: file with probability 10.40% like a typical keyboard/mouse events interceptor
C:\Progs\Xfire\xfire_toucan_29828.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Progs\Xfire\xfire_toucan_29828.dll>>> Behavioral analysis:
  1. Reacts to events: keyboard, all events
C:\Progs\Xfire\xfire_toucan_29828.dll>>> Neural net: file with probability 8.72% like a typical keyboard/mouse events interceptor
C:\Programme\Bonjour\mdnsNSP.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Programme\Bonjour\mdnsNSP.dll>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "cru629.dat"
Danger - process debugger "taskmgr.exe" = ""C:\PROGS\PROCEXP.EXE""
Checking complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed TermService (Terminaldienste)
>> Services: potentially dangerous service allowed Schedule (Taskplaner)
>> Services: potentially dangerous service allowed mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Security: automatic logon is enabled
Checking complete
9. Troubleshooting wizard
>>  The debugger of system process is found
Checking complete
Files scanned: 554, extracted from archives: 0, malicious programs found 0, suspicions - 0
Scanning finished at 05.02.2008 15:55:34
Time of scanning: 00:00:37
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
05.02.2008, 17:53
Honorary member

Posts: 1441
#17 ««

Quote

C:\WINDOWS\system32\drivers

02.02.2008 22:27 29.184 beep.sys
have it checked:
http://www.virustotal.com/de/
C:\WINDOWS\system32\drivers\beep.sys

--------------------

do the following: run GV-Killer once more - do not reboot!

Quote

C:\WINDOWS\cru629.dat
C:\WINDOWS\braviax.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\braviax.exe

try running Combofix once more
+ post the report
http://virus-protect.org/artikel/tools/combofix.html


«««
Bitdefender (Online) - deletes quite a bit...
http://virus-protect.org/onlinescan.html

Quote

Bitdefender (Online)
C:\WINDOWS\braviax.exe
Infected with: Generic.Malware.Yd!dld!sp.11C598DB
C:\WINDOWS\braviax.exe
Deleted

C:\WINDOWS\system32\dllcache\beep.sys
Infected with: Generic.Malware.P!.67AF4A2F

C:\WINDOWS\system32\drivers\beep.sys
Infected with: Generic.Malware.P!.67AF4A2F

Panda-Onlinescan
Virus:Rootkit/Agent.HML Disinfected C:\WINDOWS\system32\drivers\ip6fw.sys
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\users32.dat
Adware:Adware/UltimateDefender Not disinfected C:\WINDOWS\system32\winivstr.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\68iEPFV6.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\dllcache\beep.sys
Possible Virus. Not disinfected C:\WINDOWS\system32\drivers\beep.sys
the beep.sys driver certainly plays a part in all of this too - I would really like to see the Combofix log ;)

and Dr.Web will surely delete things as well (scan in Safe Mode)
http://virus-protect.org/cureit.html
__________
Regards
Pinguin

I am in the process of updating my site + programs: http://www.virus-protect.org/
05.02.2008, 19:26
Member

Thread starter

Posts: 21
#18 GV-Killer:
Logfile GV_Killer_02.txt v7.0.6 - Copyright © GV_Soft Guido Vaesen
Rapport datum: 05.02.2008 18:50:16 log van M3t0r , Beheerder van deze computer
Platform: Windows XP Home SP2 DEU Normale modus

BEGIN Geplande taken-----------------------------------------------------------------
C:\WINDOWS\tasks\1-Klick-Wartung.job
EINDE Geplande taken-----------------------------------------------------------------


Lijst Notify keys--------------------------------------------------------------------
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify
AtiExtEvent Ati2evxx.dll
klogon C:\WINDOWS\system32\klogon.dll
WRNotifier WRLogonNTF.dll
Einde Notify keys--------------------------------------------------------------------

Verklaring Errorcodes----------------------------------------------------------------
code 00 : Bestand is verwijderd.
code 53 : Bestand of map werd niet gevonden op uw PC.
code 70 : Bestand was in gebruik.
code 75 : Services zijn nog geladen of bestand in gebruik.
code M0 : Map is verwijderd.
code ML : Map is volledig leeg gemaakt.
code MN : Map werd niet gevonden op uw PC, is niet leeg gemaakt.
code MV : Map werd niet gevonden op uw PC, is niet verwijderd.
code K0 : Register key is verwijderd.
Einde Errorcodes--------------------------------------------------------------------

BEGIN Inhoud van Input.txt-----------------------------------------------------------
C:\WINDOWS\cru629.dat
C:\WINDOWS\braviax.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\braviax.exe
EINDE Inhoud van Input.txt-----------------------------------------------------------

00 C:\WINDOWS\cru629.dat
00 C:\WINDOWS\braviax.exe
0 C:\WINDOWS\system32\users32.dat
00 C:\WINDOWS\system32\winivstr.exe
00 C:\WINDOWS\system32\cru629.dat
0 C:\WINDOWS\system32\braviax.exe

;1676416-OEM-0056172-87621=WD-WCAPZ339752350

;EINDE GV_Killer ---------------------------------------------------------------------
VirusTotal:

Code

File beep.sys received 2008.02.05 18:49:01 (CET)
Status: Finished
Result: 8/32 (25.00%)
Antivirus     Version     Last update     Result
AhnLab-V3     2008.2.6.10     2008.02.05     -
AntiVir     7.6.0.62     2008.02.05     -
Authentium     4.93.8     2008.02.05     -
Avast     4.7.1098.0     2008.02.04     Win32:Agent-RHK
AVG     7.5.0.516     2008.02.05     BackDoor.Ntrootkit.X
BitDefender     7.2     2008.02.05     Generic.Malware.P!.B01B2086
CAT-QuickHeal     9.00     2008.02.04     (Suspicious) - DNAScan
ClamAV     0.92     2008.02.05     -
DrWeb     4.44.0.09170     2008.02.05     -
eSafe     7.0.15.0     2008.01.28     -
eTrust-Vet     31.3.5512     2008.02.05     Win32/Eldycow!generic
Ewido     4.0     2008.02.05     -
FileAdvisor     1     2008.02.05     -
Fortinet     3.14.0.0     2008.02.05     -
F-Prot     4.4.2.54     2008.02.04     -
F-Secure     6.70.13260.0     2008.02.05     -
Ikarus     T3.1.1.20     2008.02.05     -
Kaspersky     7.0.0.125     2008.02.05     -
McAfee     5222     2008.02.04     -
Microsoft     1.3204     2008.02.05     -
NOD32v2     2850     2008.02.05     -
Norman     5.80.02     2008.02.05     -
Panda     9.0.0.4     2008.02.04     -
Prevx1     V2     2008.02.05     Heuristic: Suspicious File With Anti-Security Technology
Rising     20.29.22.00     2008.01.30     -
Sophos     4.26.0     2008.02.05     -
Sunbelt     2.2.907.0     2008.02.05     -
Symantec     10     2008.02.05     Hacktool.Rootkit
TheHacker     6.2.9.209     2008.02.05     -
VBA32     3.12.6.0     2008.02.05     -
VirusBuster     4.3.26:9     2008.02.05     -
Webwasher-Gateway     6.6.2     2008.02.05     Win32.Malware.gen!80 (suspicious)
edit:
Combofix did not work properly, even after renaming it; I then tried FixPolicies, that did not do it either, and now I have created the logs with DSS, hope that works too:
main.txt:

Deckard's System Scanner v20071014.68
Run by M3t0r on 2008-02-05 19:31:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
29: 2008-02-05 18:31:11 UTC - RP29 - Deckard's System Scanner Restore Point
28: 2008-02-04 16:59:39 UTC - RP28 - Logitech SetPoint Mouse and Keyboard Device Drivers
27: 2008-02-03 20:43:21 UTC - RP27 - Installed CSSVista
26: 2008-02-03 14:33:36 UTC - RP26 - Installierte(s) Kaspersky Anti-Virus 6.0.
25: 2008-02-03 14:14:04 UTC - RP25 - Systemprüfpunkt


-- First Restore Point --
1: 2008-01-16 14:01:12 UTC - RP1 - Systemprüfpunkt


Backed up registry hives.
Performed disk cleanup.

[color=red]System Drive C: has 23 GiB (less than 15%) free.[/color]


-- HijackThis (run as M3t0r.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31:31, on 05.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\IRW.exe
C:\Programme\Boot Camp\KbdMgr.exe
C:\Programme\Mediafour\MacDrive\MDDiskProtect.exe
C:\Programme\Gemeinsame Dateien\Mediafour\MACVNTFY.EXE
C:\Progs\iTunes\iTunesHelper.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Progs\RocketDock\RocketDock.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGS\PROCEXP.EXE
C:\Dokumente und Einstellungen\M3t0r\Desktop\Downloads\abc.exe
C:\PROGRA~1\HIJACK~1\M3t0r.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Programme\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Programme\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Programme\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Programme\Gemeinsame Dateien\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Progs\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Progs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [Steam] "c:\progs\steam\steam.exe" -silent
O4 - HKCU\..\Run: [RocketDock] "C:\Progs\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Fraps] C:\PROGS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [Miranda IM] C:\Progs\Miranda7\miranda32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Progs\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD24D78D-DB3C-4A06-B55E-6DFA866D988F}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Progs\xampp\apache\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple-Time-Server (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - C:\Progs\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Progs\xampp\service.exe

--
End of file - 5923 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080203-154642-524 O20 - AppInit_DLLs: cru629.dat
backup-20080203-204505-383 O20 - AppInit_DLLs: cru629.dat


-- File Associations -----------------------------------------------------------

[COLOR=red].ini - Notepad++_file - DefaultIcon - C:\Customizing\ICO's\Mac\Filetypes\colored-Code.ico[/COLOR]
[COLOR=red].ini - Notepad++_file - shell\open\command - "C:\Progs\Notepad++\notepad++.exe" "%1"[/COLOR]
[COLOR=red].js - Notepad++_file - DefaultIcon - C:\Customizing\ICO's\Mac\Filetypes\colored-Code.ico[/COLOR]
[COLOR=red].js - Notepad++_file - shell\open\command - "C:\Progs\Notepad++\notepad++.exe" "%1"[/COLOR]
[COLOR=red].txt - Notepad++_file - DefaultIcon - C:\Customizing\ICO's\Mac\Filetypes\colored-Code.ico[/COLOR]
[COLOR=red].txt - Notepad++_file - shell\open\command - "C:\Progs\Notepad++\notepad++.exe" "%1"[/COLOR]


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 MDPMGRNT - c:\windows\system32\drivers\mdpmgrnt.sys <Not Verified; Mediafour Corporation; Mediafour Disk Partition Manager>
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 SSI - c:\windows\system32\drivers\ssi.sys <Not Verified; Webroot Software (www.webroot.com); SpySweeper>
R1 MDFSYSNT - c:\windows\system32\drivers\mdfsysnt.sys <Not Verified; Mediafour Corporation; MacDrive>
R2 KeyAgent - c:\windows\system32\drivers\keyagent.sys <Not Verified; Apple Inc.; Boot Camp>
R2 MacHALDriver (Mac HAL) - c:\windows\system32\drivers\machaldriver.sys <Not Verified; Apple Inc.; >

S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\programme\gemeinsame dateien\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (Bonjour-Dienst) - c:\programme\bonjour\mdnsresponder.exe <Not Verified; Apple Inc.; Bonjour>

S3 Apache2.2 - "c:\progs\xampp\apache\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
S3 FLEXnet Licensing Service - "c:\programme\gemeinsame dateien\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 mysql - c:\progs\xampp\mysql\bin\mysqld-nt.exe --defaults-file=c:\progs\xampp\mysql\bin\my.cnf mysql
S3 XAMPP (XAMPP Service) - c:\progs\xampp\service.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM-Bus-Controller
Device ID: PCI\VEN_8086&DEV_283E&SUBSYS_00A0106B&REV_03\3&B1BFB68&0&FB
Manufacturer:
Name: SM-Bus-Controller
PNP Device ID: PCI\VEN_8086&DEV_283E&SUBSYS_00A0106B&REV_03\3&B1BFB68&0&FB
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-02-04 18:34:20 422 --a------ C:\WINDOWS\Tasks\1-Klick-Wartung.job


-- Files created between 2008-01-05 and 2008-02-05 -----------------------------

2008-02-05 19:27:38 0 d-------- C:\327882R2FWJFW
2008-02-05 18:24:41 0 d-------- C:\WINDOWS\LastGood
2008-02-05 15:18:57 6656 -----n--- C:\WINDOWS\system32\users32.dat
2008-02-05 15:18:19 11264 -----n--- C:\WINDOWS\system32\braviax.exe

2008-02-05 15:09:04 0 d-------- C:\Programme\GV_Killer
2008-02-04 13:29:45 0 d-------- C:\Programme\Gemeinsame Dateien\LogiShared
2008-02-04 13:28:31 69632 --a------ C:\WINDOWS\system32\KemXML.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-02-04 13:28:31 110592 --a------ C:\WINDOWS\system32\KemWnd.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-02-04 13:28:31 135168 --a------ C:\WINDOWS\system32\KemUtil.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-02-04 13:28:31 163840 --a------ C:\WINDOWS\system32\kemutb.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-02-04 13:28:19 0 d-------- C:\Programme\Gemeinsame Dateien\Logitech
2008-02-04 13:28:04 0 d-------- C:\Programme\Logitech
2008-02-03 16:19:32 0 d-------- C:\Programme\CCleaner
2008-02-03 15:33:50 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-03 15:33:50 74908 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-03 15:33:39 0 d-------- C:\Programme\Kaspersky Lab
2008-02-03 15:33:38 37408 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-03 15:33:38 757792 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-03 12:30:08 0 d-------- C:\Programme\Hijack This
2008-02-03 12:27:17 3508 --a------ C:\Start_.cmd
2008-02-03 12:05:32 657805 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-02-03 12:05:32 69632 --a------ C:\WINDOWS\system32\remove.exe
2008-02-02 23:42:57 1460 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-02 22:58:26 102912 --a------ C:\WINDOWS\system32\islzma.dll
2008-02-02 22:58:26 78336 --a------ C:\WINDOWS\system32\drivers\ssi.sys <Not Verified; Webroot Software (www.webroot.com); SpySweeper>
2008-02-02 22:58:24 0 d-------- C:\Programme\Webroot
2008-01-29 14:30:25 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-01-29 14:30:25 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-01-29 14:29:01 3972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2008-01-29 14:29:01 5632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>
2008-01-29 14:29:01 21664 --a------ C:\WINDOWS\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2008-01-29 14:29:00 0 d-------- C:\WINDOWS\system32\Futuremark
2008-01-29 14:28:26 0 d-------- C:\Programme\Futuremark
2008-01-28 12:40:20 0 d-------- C:\Programme\iPod
2008-01-28 12:39:22 0 d-------- C:\Programme\Gemeinsame Dateien\Apple
2008-01-28 12:10:32 0 d-------- C:\Programme\Gemeinsame Dateien\Adobe Systems Shared
2008-01-22 18:32:11 0 d-------- C:\WINDOWS\Sun
2008-01-22 17:28:07 0 d-------- C:\Programme\Java
2008-01-22 17:21:06 0 d-------- C:\Programme\Gemeinsame Dateien\Java
2008-01-21 13:43:43 0 d-------- C:\.Spotlight-V100
2008-01-20 21:47:50 0 d-------- C:\.Trashes
2008-01-20 19:23:36 0 -ra------ C:\logwmemory.bin
2008-01-18 19:04:00 5120 --a------ C:\WINDOWS\system32\BReWErS.dll
2008-01-17 22:53:49 0 d-------- C:\Programme\Apple Software Update
2008-01-14 20:44:31 0 d-------- C:\Programme\QuickTime
2008-01-14 20:11:59 0 d-------- C:\Programme\Bonjour
2008-01-14 20:04:33 0 d-------- C:\Programme\Gemeinsame Dateien\Macrovision Shared
2008-01-14 20:00:05 0 d-------- C:\Programme\Gemeinsame Dateien\Adobe
2008-01-14 15:34:44 0 d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-01-14 14:22:57 0 d-------- C:\Programme\ATI Technologies
2008-01-12 14:14:37 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-01-11 23:27:49 0 d-------- C:\Programme\MSXML 4.0
2008-01-05 17:21:11 0 d--hs---- C:\WINDOWS\ftpcache
2008-01-05 00:02:57 0 d-------- C:\Programme\Gemeinsame Dateien\Blizzard Entertainment


-- Find3M Report ---------------------------------------------------------------

2008-02-05 18:52:15 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Xfire
2008-02-05 18:26:10 0 dr------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Brother
2008-02-05 15:18:54 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\WTablet
2008-02-05 14:23:14 23 --a------ C:\WINDOWS\popcinfot.dat
2008-02-05 11:56:35 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Hamachi
2008-02-04 18:11:30 0 d--h----- C:\Programme\InstallShield Installation Information
2008-02-04 17:51:02 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\uTorrent
2008-02-04 13:29:55 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Logitech
2008-02-04 13:29:46 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Leadertech
2008-02-04 13:29:45 0 d-------- C:\Programme\Gemeinsame Dateien
2008-02-03 21:44:16 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\MozillaControl
2008-02-02 22:58:24 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Webroot
2008-02-02 22:50:49 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\CCleanup
2008-01-28 12:40:34 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Apple Computer
2008-01-28 12:15:18 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Adobe
2008-01-22 18:30:27 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Sun
2008-01-21 09:59:37 405448 --a------ C:\WINDOWS\system32\perfh007.dat
2008-01-21 09:59:37 70778 --a------ C:\WINDOWS\system32\perfc007.dat
2008-01-20 19:21:40 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Soldat
2008-01-20 18:06:49 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\InstallShield
2008-01-17 20:36:17 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Axialis
2008-01-14 17:27:21 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\dvdcss
2008-01-14 16:28:01 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Earthsim
2008-01-14 15:35:28 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\TuneUp Software
2008-01-14 14:28:15 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\ATI
2008-01-12 11:01:10 219648 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Betriebssystem Microsoft® Windows®>
2008-01-09 16:41:55 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\CDZilla
2008-01-05 12:07:13 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\vlc
2008-01-04 23:53:52 0 d-------- C:\Programme\uTorrent
2008-01-04 23:40:03 0 d-------- C:\Programme\Gemeinsame Dateien\Mediafour
2008-01-04 23:38:49 0 d-------- C:\Programme\Mediafour
2008-01-04 22:33:17 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Real
2008-01-04 15:58:45 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Winamp
2008-01-03 20:53:36 86016 -ra------ C:\WINDOWS\system32\MACDRAPI.DLL <Not Verified; Mediafour Corporation; Mediafour MacDrive>
2008-01-03 18:28:22 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Mozilla
2008-01-03 18:28:22 6148 -----n--- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\.DS_Store
2008-01-03 17:01:18 0 d-------- C:\Programme\Gemeinsame Dateien\InstallShield
2008-01-03 17:00:52 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\DAEMON Tools
2008-01-03 16:59:30 0 d-------- C:\Programme\DAEMON Tools Lite
2008-01-03 15:11:42 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Notepad++
2008-01-02 16:09:10 4 --a------ C:\loadcounter.dat
2008-01-02 16:06:49 555 --a------ C:\WINDOWS\eReg.dat
2008-01-02 15:24:54 0 d-------- C:\Programme\Tablet
2008-01-01 23:59:59 0 d-------- C:\Programme\Gemeinsame Dateien\xing shared
2008-01-01 23:59:57 0 d-------- C:\Programme\Gemeinsame Dateien\Real
2008-01-01 23:59:45 0 d-------- C:\Programme\Real
2008-01-01 23:48:40 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Macromedia
2008-01-01 23:36:30 0 d-------- C:\Programme\Messenger
2008-01-01 22:18:12 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\WinRAR
2008-01-01 20:45:03 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Sierra
2008-01-01 20:43:22 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-01 19:27:19 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\teamspeak2
2008-01-01 16:27:29 0 d-------- C:\Programme\VLC
2008-01-01 16:18:09 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Talkback
2008-01-01 16:18:04 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-01 15:09:58 0 d-------- C:\Programme\Intel
2008-01-01 15:09:43 0 d-------- C:\Programme\Boot Camp
2008-01-01 15:08:32 0 d-------- C:\Programme\Motorola
2008-01-01 15:08:07 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-01-01 15:08:07 0 d-------- C:\Programme\Realtek
2008-01-01 15:07:43 0 d-------- C:\Programme\SigmaTel
2008-01-01 15:06:32 0 d-------- C:\Programme\DIFX
2008-01-01 15:02:44 0 d-------- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Identities
2008-01-01 14:59:46 0 d-------- C:\Programme\microsoft frontpage
2008-01-01 14:59:28 0 -rahs---- C:\MSDOS.SYS
2008-01-01 14:59:28 0 -rahs---- C:\IO.SYS
2008-01-01 14:59:28 0 --a------ C:\CONFIG.SYS
2008-01-01 14:59:28 0 --a------ C:\AUTOEXEC.BAT
2008-01-01 14:58:34 0 d--h----- C:\Programme\WindowsUpdate
2008-01-01 14:58:31 0 d-------- C:\Programme\Online-Dienste
2008-01-01 14:57:33 0 d-------- C:\Programme\Gemeinsame Dateien\Dienste
2008-01-01 14:57:28 0 d-------- C:\Programme\Gemeinsame Dateien\MSSoap
2008-01-01 14:57:16 0 d-------- C:\Programme\Movie Maker
2008-01-01 14:56:40 21740 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-01-01 14:56:07 0 d-------- C:\Programme\Online Services
2008-01-01 14:55:58 0 d-------- C:\Programme\MSN Gaming Zone
2008-01-01 14:55:46 0 d-------- C:\Programme\Windows NT
2008-01-01 14:44:51 0 d-------- C:\Programme\Gemeinsame Dateien\ODBC
2008-01-01 14:44:48 0 d-------- C:\Programme\Gemeinsame Dateien\SpeechEngines
2008-01-01 14:44:20 62 --ahs---- C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\desktop.ini
2007-12-05 14:17:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-12-05 04:05:14 368640 --a------ C:\WINDOWS\system32\ATIDEMGX.dll <Not Verified; Advanced Micro Devices, Inc.; Catalyst® Control Centre>
2007-12-05 04:04:08 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon WindowsNT Display Driver>
2007-12-05 03:56:02 147456 --a------ C:\WINDOWS\system32\atipdlxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2007-12-05 03:55:50 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll <Not Verified; ATI Technologies, Inc.; ATI Driver Interface Component>
2007-12-05 03:55:42 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe <Not Verified; ATI Technologies, Inc.; ATI Default Resolution Update>
2007-12-05 03:55:34 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll <Not Verified; ATI Technologies, Inc.; ATI External Device Utility>
2007-12-05 03:55:20 122880 --a------ C:\WINDOWS\system32\ati2evxx.dll <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2007-12-05 03:54:55 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll <Not Verified; ATI Technologies Inc.; ATI Display Driver Utilities>
2007-12-05 03:53:58 495616 --a------ C:\WINDOWS\system32\ati2evxx.exe <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2007-12-05 03:53:09 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2007-12-05 03:48:51 9535488 --a------ C:\WINDOWS\system32\atioglx2.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2007-12-05 03:44:54 3175584 --a------ C:\WINDOWS\system32\ati3duag.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon DirectX Universal Driver>
2007-12-05 03:33:47 1640192 --a------ C:\WINDOWS\system32\ativvaxx.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon Video Acceleration Universal Driver>
2007-12-05 03:33:27 887724 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-12-05 03:19:34 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2007-12-05 03:19:14 385024 --a------ C:\WINDOWS\system32\atikvmag.dll <Not Verified; ATI Technologies Inc.; Virtual Command And Memory Manager>
2007-12-05 03:17:21 17408 --a------ C:\WINDOWS\system32\atitvo32.dll <Not Verified; ATI Technologies Inc.; ATI RageTheater/ImpacTV COM interface>
2007-12-05 03:14:59 180224 --a------ C:\WINDOWS\system32\atiok3x2.dll <Not Verified; ATI Technologies Inc.; Ring 0 x2 Component>
2007-12-05 03:11:18 499712 --a------ C:\WINDOWS\system32\ati2cqag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2007-11-06 15:19:00 158080 --a------ C:\WINDOWS\system32\atiicdxx.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [08.10.2007 20:59 C:\WINDOWS\RTHDCPL.exe]
"IRW"="C:\WINDOWS\system32\IRW.exe" [08.10.2007 20:56]
"Apple_KbdMgr"="C:\Programme\Boot Camp\KbdMgr.exe" [08.10.2007 22:06]
"MDDiskProtect.exe"="C:\Programme\Mediafour\MacDrive\MDDiskProtect.exe" [15.04.2005 21:54]
"MediafourGettingStartedWithMacDrive6"="C:\Programme\Mediafour\MacDrive\MacDrive.exe" [03.01.2008 20:53]
"Mediafour Mac Volume Notifications"="C:\Programme\Gemeinsame Dateien\Mediafour\MACVNTFY.exe" [03.01.2008 20:53]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10.11.2006 12:35]
"QuickTime Task"="C:\Progs\QuickTime\QTTask.exe" [10.01.2008 15:27]
"iTunesHelper"="C:\Progs\iTunes\iTunesHelper.exe" [15.01.2008 03:22]
"braviax"="braviax.exe" [05.02.2008 15:18 C:\WINDOWS\system32\braviax.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\progs\steam\steam.exe" [01.01.2008 16:36]
"RocketDock"="C:\Progs\RocketDock\RocketDock.exe" [02.09.2007 13:58]
"DAEMON Tools Lite"="C:\Programme\DAEMON Tools Lite\daemon.exe" [03.01.2008 14:54]
"Fraps"="C:\PROGS\FRAPS\FRAPS.EXE" [15.06.2005 15:57]
"Miranda IM"="C:\Progs\Miranda7\miranda32.exe" [01.10.2007 16:01]

C:\Dokumente und Einstellungen\M3t0r\Startmen\Programme\Autostart\
Adobe Gamma.lnk - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [16.03.2005 20:16:50]
Xfire.lnk - C:\Progs\Xfire\xfire.exe [31.01.2008 03:02:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=26 (0x1a)
"NoRecentDocsHistory"=1 (0x1)
"NoExpandedNewMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
Debugger="C:\PROGS\PROCEXP.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"braviax"=C:\WINDOWS\system32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{990f321e-c8f3-11dc-81ef-001b63b959b5}]
AutoRun\command- J:\PStart.exe

*Newly Created Service* - BROTHER_XP_SPL_SERVICE
*Newly Created Service* - UTIWMJU0



-- End of Deckard's System Scanner: finished at 2008-02-05 19:32:05 ------------
extra.txt:

Code

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: German

CPU 0: Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz
CPU 1: Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz
Percentage of Memory in Use: 16%
Physical Memory (total/avail): 3054.14 MiB / 2549.09 MiB
Pagefile Memory (total/avail): 4405.48 MiB / 4013.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.84 MiB

C: is Fixed (NTFS) - 197.9 GiB total, 23 GiB free.
D: is Fixed (HFSJ) - 99.88 GiB total, 59.7 GiB free.
E: is CDROM (No Media)
G: is CDROM (No Media)
H: is CDROM (No Media)
I: is Fixed (FAT32) - 27.93 GiB total, 10.86 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD3200AAJS-40RYA0 - 298.09 GiB - 3 partitions
\PARTITION0 - Unknown - 200.02 MiB
\PARTITION1 - Installierbares Dateisystem - 99.88 GiB - D:
\PARTITION2 (bootable) - Installierbares Dateisystem - 197.9 GiB - C:

\\.\PHYSICALDRIVE1 - TOSHIBA MK3021GAS USB Device - 27.95 GiB - 1 partition
\PARTITION0 - Unknown - 27.95 GiB - I:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.



[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\uTorrent\\uTorrent.exe"="C:\\Programme\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Games\\Crysis\\Bin32\\Crysis.exe"="C:\\Games\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:pnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:pnkBstrB"
"C:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"C:\\Games\\Stronghold 2\\Stronghold2.exe"="C:\\Games\\Stronghold 2\\Stronghold2.exe:*:Enabled:Stronghold 2"
"C:\\Programme\\Bonjour\\mDNSResponder.exe"="C:\\Programme\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Progs\\iTunes\\iTunes.exe"="C:\\Progs\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Games\\Battlefield 2\\BF2.exe"="C:\\Games\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"


-- Environment Variables


-- User Profiles ---------------------------------------------------------------

M3t0r (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Programme\Gemeinsame Dateien\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec.exe /X{57922B53-02D4-4DFC-AC24-A3519DC1F49A}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Programme\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class;)ISPLAY -clean
µTorrent --> "C:\Programme\uTorrent\uTorrent.exe" /UNINSTALL
Axialis IconWorkshop 6.10 --> C:\Progs\IconWorkshop\UnInstall.exe "IconWorkshop" "IconWorkshop.exe"
Battlefield 2(TM) --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x7 -removeonly
Battlefield Vietnam(TM) --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{E35B3C63-E958-4E31-A178-95D22024109A}\setup.exe" -l0x7
Battlefield Vietnam: WW2 Mod --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{F989306B-9287-444F-AE73-E30C7E4AF0F5}\setup.exe" -l0x7
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Boot Camp-Dienste --> MsiExec.exe /I{F0E45628-1218-4865-A516-8E8A54272ADC}
Call of Duty(R) 4 - Modern Warfare(TM) --> C:\Programme\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0407
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch --> C:\Programme\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
CCleaner (remove only) --> "C:\Programme\CCleaner\uninst.exe"
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Command & Conquer Die ersten 10 Jahre --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{66D6F3BD-CA23-41A4-9FA3-96B26B32528D}\setup.exe" -l0x7 -removeonly
Counter-Strike --> "C:\Progs\Steam\steam.exe" steam://uninstall/10
Counter-Strike: Source --> "C:\Progs\Steam\steam.exe" steam://uninstall/240
Crysis(R) --> MsiExec.exe /I{000E79B7-E725-4F01-870A-C12942B7F8E4}
Crysis(R) Tournament Map Pack --> MsiExec.exe /X{63DAD698-7FB0-4094-BDD5-342AB1763D11}
CSSVista --> MsiExec.exe /I{E89EC3F2-1B87-4397-B3E3-E666CDE4768C}
Day of Defeat --> "C:\Progs\Steam\steam.exe" steam://uninstall/30
Empire Earth II --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{DF315348-721C-40B8-BAE2-58C6C7D935A2}\setup.exe" -l0x7 -removeonly
Fraps (remove only) --> "C:\Progs\Fraps\uninstall.exe"
Gothic III Demo --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{9F1941D2-45A2-4CA6-8041-EA2B10CD2ECD}\setup.exe" -l0x7 -removeonly
GV_Killer 7.0.6 --> "C:\Programme\GV_Killer\unins000.exe"
Half-Life 2 --> "C:\Progs\Steam\steam.exe" steam://uninstall/220
Hamachi 1.0.2.5 --> C:\Progs\Hamachi\uninstall.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hijack This 2.0.2 --> "C:\Programme\Hijack This\unins000.exe"
HijackThis 2.0.2 --> "C:\PROGRA~1\HIJACK~1\HijackThis.exe" /uninstall
Home Front V2 --> C:\Games\BFV\Mods\Uninstal.exe
Hotfix für Windows XP (KB935448) --> "C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
IconTweaker --> "C:\Progs\IconTweaker\Uninstall.exe"
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) SE Development Kit 6 Update 4 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160040}
Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
KhalInstallWrapper --> MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
Logitech Registration --> MsiExec.exe /I{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}
Logitech SetPoint --> C:\Programme\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0007 -removeonly
Lost Planet: Extreme Condition --> "C:\Progs\Steam\steam.exe" steam://uninstall/6510
MacDrive 6 --> MsiExec.exe /I {EE4E7E75-A4A6-4C3D-9F70-C276FA43205A}
Magic DVD Ripper V5.2 --> "C:\Progs\MagicDVDRipper\unins000.exe"
Microsoft Halo --> "C:\Games\Halo\UNINSTAL.EXE" /runtemp /addremove
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.11) --> C:\Progs\Firefox\uninstall\helper.exe
Notepad++ --> C:\Progs\Notepad++\uninstall.exe
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Peggle Extreme --> "C:\Progs\Steam\steam.exe" steam://uninstall/3483
Playboy - The Mansion --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{58D4AE57-ACDE-4A07-9BBD-34B15D54526C}\Setup.exe" -l0x7 -removeonly
Portal --> "C:\Progs\Steam\steam.exe" steam://uninstall/400
PunkBuster für Battlefield Vietnam --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{D07643A3-CE41-4286-8C78-EB9C83E76DDB}\setup.exe" -l0x7
PunkBuster Services --> C:\WINDOWS\system32\pbsvc.exe -u
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RealPlayer --> C:\Programme\Gemeinsame Dateien\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x7 -removeonly
RocketDock 1.3.5 --> "C:\Progs\RocketDock\unins000.exe"
Silo 2.0.5 --> MsiExec.exe /I{53ADD828-62F6-4A3C-A31C-127363293653}
SimCity 4 --> C:\Games\SimCity 4\EAUninstall.exe
Soldat 1.4.2 --> "C:\Games\Soldat\unins000.exe"
Source SDK Base --> "C:\Progs\Steam\steam.exe" steam://uninstall/215
SpellForce --> C:\Games\SPELLF~1\unwise.exe C:\Games\SPELLF~1\install.log
Spy Sweeper --> "C:\Programme\Webroot\Spy Sweeper\unins000.exe"
Steam(TM) --> C:\Progs\Steam\UNWISE.EXE C:\Progs\Steam\INSTALL.LOG
Stronghold 2 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{16D2C649-CBA8-44EE-B730-12584667D487}\setup.exe" -l0x7 -removeonly
Team Fortress 2 --> "C:\Progs\Steam\steam.exe" steam://uninstall/440
TeamSpeak 2 RC2 --> C:\Progs\Teamspeak\unins000.exe
TuneUp Utilities 2008 --> MsiExec.exe
VideoLAN VLC media player 0.8.6d --> C:\Programme\VLC\uninstall.exe
Wacom Tablett --> C:\Programme\Tablet\Wacom\Remove.exe /u
WarRock --> C:\Programme\InstallShield Installation Information\{00D15456-F679-4AD4-8BD2-56450D4C3F72}\setup.exe -runfromtemp -l0x0009 -removeonly
Winamp --> "C:\Progs\Winamp\UninstWA.exe"
Windows XP-Hotfix - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
WinRAR --> C:\Progs\WinRAR\uninstall.exe
World of Warcraft --> C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\WORLD OF WARCRAFT\Uninstall.exe
Worms World Party --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{9A200E68-D5F4-4E70-910F-2871753A0E2B}\setup.exe"
X3 Bonuspaket 3.1.04 --> "C:\Games\X3 Reunion\unins000.exe"
X3 Reunion --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0B744987-A39E-45E5-B930-11EDBDFE3003}\setup.exe" -l0x7 -removeonly
Xfire (remove only) --> "C:\Progs\Xfire\uninst.exe"
Zero Hour Reborn The Last Stand --> MsiExec.exe /I{24AEE00B-90C1-4254-8D1E-53CDBAE2187C}


-- Application Event Log -------------------------------------------------------

Event Record #/Type494 / Error
Event Submitted/Written: 02/05/2008 06:45:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Fehlgeschlagene Anwendung miranda32.exe, Version 0.7.0.48, fehlgeschlagenes Modul unknown, Version 0.0.0.0, Fehleradresse 0x6356756d.
Das medienspezifische Ereignis für [miranda32.exe!ws!] wird verarbeitet.

Event Record #/Type493 / Error
Event Submitted/Written: 02/05/2008 03:31:45 PM
Event ID/Source: 1000 / Application Error
Event Description:
Fehlgeschlagene Anwendung photoshop.exe, Version 10.0.1.0, fehlgeschlagenes Modul gdiplus.dll, Version 5.1.3102.2180, Fehleradresse 0x00103166.
Das medienspezifische Ereignis für [photoshop.exe!ws!] wird verarbeitet.

Event Record #/Type486 / Error
Event Submitted/Written: 02/05/2008 11:18:57 AM
Event ID/Source: 1000 / Application Error
Event Description:
Fehlgeschlagene Anwendung miranda32.exe, Version 0.7.0.48, fehlgeschlagenes Modul unknown, Version 0.0.0.0, Fehleradresse 0x6356756d.
Das medienspezifische Ereignis für [miranda32.exe!ws!] wird verarbeitet.

Event Record #/Type479 / Error
Event Submitted/Written: 02/04/2008 09:37:31 PM
Event ID/Source: 1000 / Application Error
Event Description:
Fehlgeschlagene Anwendung vlc.exe, Version 0.8.6.0, fehlgeschlagenes Modul unknown, Version 0.0.0.0, Fehleradresse 0x6356756d.
Das medienspezifische Ereignis für [vlc.exe!ws!] wird verarbeitet.

Event Record #/Type475 / Error
Event Submitted/Written: 02/04/2008 03:29:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Fehlgeschlagene Anwendung winamp.exe, Version 5.5.1.1763, fehlgeschlagenes Modul gen_ff.dll, Version 0.0.0.0, Fehleradresse 0x0005a4d1.
Das medienspezifische Ereignis für [winamp.exe!ws!] wird verarbeitet.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3512 / Error
Event Submitted/Written: 02/05/2008 07:31:41 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
Der Dienst "BrSplService" hat einen ungültigen aktuellen Status gemeldet: 0

Event Record #/Type3511 / Error
Event Submitted/Written: 02/05/2008 07:27:46 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
Der Hauptsuchdienst erhielt eine Serverankündigung vom Computer "BUTTERBROTDOSE",
der der Hauptsuchdienst der Domäne für den NetBT_Tcpip_{D73FE9CD-AEF0-Transport zu sein scheint.
Der Hauptsuchdienst wurde beendet oder es wird eine Auswahl erzwungen.

Event Record #/Type3510 / Error
Event Submitted/Written: 02/05/2008 06:37:12 PM
Event ID/Source: 6004 / EventLog
Event Description:
Ein Treiberpaket, das vom E/A-Teilsystem empfangen wurde, war ungültig. Die Daten sind
das Paket.

Event Record #/Type3509 / Error
Event Submitted/Written: 02/05/2008 06:37:17 PM
Event ID/Source: 6004 / EventLog
Event Description:
Ein Treiberpaket, das vom E/A-Teilsystem empfangen wurde, war ungültig. Die Daten sind
das Paket.

Event Record #/Type3508 / Error
Event Submitted/Written: 02/05/2008 06:37:32 PM
Event ID/Source: 6004 / EventLog
Event Description:
Ein Treiberpaket, das vom E/A-Teilsystem empfangen wurde, war ungültig. Die Daten sind
das Paket.



-- End of Deckard's System Scanner: finished at 2008-02-05 19:32:05 ------------

Edit: I've just started the BitDefender online scan, should I also use other ones?
This post was edited on 05.02.2008 at 19:42 by M3t0r.
05.02.2008, 20:03
Honorary member
Avatar Pinguin

Posts: 1441
#19 «««
http://virus-protect.org/artikel/tools/regsearch.html
and double-click to start it.
in: "Enter search strings" (type or paste in)

UTIWMJU0

in the edit box and click "Ok".
Notepad will open -- copy the text and post it.

and double-click to start it.
in: "Enter search strings" (type or paste in)

beep.sys

in the edit box and click "Ok".
Notepad will open -- copy the text and post it.
-----------------------------------------------------------------------


is for me...........

Quote

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|braviax

Files to delete:
C:\WINDOWS\cru629.dat
C:\WINDOWS\braviax.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

__________
Regards
Pinguin

I'm in the process of updating my site + tools: http://www.virus-protect.org/
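The entries Pinguin singles out above (the braviax Run value, the AppInit_DLLs value and the newly created service) all come from the Registry Dump section of the Deckard's System Scanner log posted earlier. As an added example that is not part of the thread, here is a small Python checker that parses a trimmed copy of that dump and flags the same persistence points; the 7-day "recently written" threshold, the severity labels and the sample text are my assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

class Finding(NamedTuple):
    severity: str   # "high" = act on it, "review" = verify by hand
    location: str   # registry key, or "services" for DSS service notes
    name: str       # value name or service name
    detail: str

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"?(?P<name>[^"=]+)"?=(?P<data>.*)$')
# DSS appends "[dd.mm.yyyy hh:mm <resolved path>]" after each Run value.
META_RE = re.compile(
    r"\[(?P<stamp>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2})(?: (?P<resolved>[^\]]+))?\]$")
SERVICE_RE = re.compile(r"^\*Newly Created Service\* - (?P<name>\S+)")

# Assumption (not from the thread): a startup file written within this many
# days of the scan is suspect; braviax.exe was written on the day of the scan.
RECENT_DAYS = 7

# Constructed sample: a trimmed copy of the Registry Dump in the posted log.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [08.10.2007 20:59 C:\WINDOWS\RTHDCPL.exe]
"IRW"="C:\WINDOWS\system32\IRW.exe" [08.10.2007 20:56]
"braviax"="braviax.exe" [05.02.2008 15:18 C:\WINDOWS\system32\braviax.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
Debugger="C:\PROGS\PROCEXP.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"braviax"=C:\WINDOWS\system32\braviax.exe

*Newly Created Service* - UTIWMJU0
"""
SCAN_FINISHED = datetime(2008, 2, 5, 19, 32, 5)   # "finished at" line of the log

def _check_run_value(key: str, name: str, data: str,
                     scan_date: datetime) -> Optional[Finding]:
    """Rules for one value under ...\\CurrentVersion\\Run."""
    meta = META_RE.search(data)
    command = (data[:meta.start()] if meta else data).strip().strip('"')
    resolved = meta.group("resolved") if meta else None
    if meta:
        written = datetime.strptime(meta.group("stamp"), "%d.%m.%Y %H:%M")
        age = scan_date - written            # a future timestamp is suspect as well
        if age <= timedelta(days=RECENT_DAYS):
            return Finding("high", key, name,
                           f"{resolved or command} written {age.days} day(s) before the scan")
    if "\\" not in command:                  # no directory: found via the search order
        return Finding("review", key, name,
                       f"bare file name {command!r} resolved to {resolved}")
    return None

def scan_registry_dump(text: str, scan_date: datetime) -> List[Finding]:
    """Walk the dump line by line and collect the entries worth a second look."""
    findings: List[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        s = SERVICE_RE.match(line)
        if s:
            findings.append(Finding("review", "services", s.group("name"),
                                    "created since the previous scan; check its binary"))
            continue
        v = VALUE_RE.match(line)
        if not v or not key:
            continue
        name, data = v.group("name"), v.group("data").strip()
        lkey, lname = key.lower(), name.lower()
        if lkey.endswith("\\currentversion\\run"):
            hit = _check_run_value(key, name, data, scan_date)
            if hit:
                findings.append(hit)
        elif lkey.endswith("\\currentversion\\run-"):
            findings.append(Finding("review", key, name,
                                    "disabled via msconfig, but the file may still be on disk"))
        elif lkey.endswith("\\windows nt\\currentversion\\windows") and lname == "appinit_dlls":
            if data.strip('"'):              # normally empty on XP
                findings.append(Finding("high", key, name,
                                        f"{data} is loaded into every process that loads user32.dll"))
        elif "\\image file execution options\\" in lkey and lname == "debugger":
            target = key.rsplit("\\", 1)[-1]
            findings.append(Finding("review", key, name,
                                    f"launches of {target} are redirected to {data}; legitimate "
                                    "when set by Process Explorer's 'Replace Task Manager'"))
    return findings

def demo_findings() -> List[Finding]:
    return scan_registry_dump(SAMPLE_DUMP, SCAN_FINISHED)
```

A "review" finding is not a verdict: RTHDCPL.EXE is listed only because it is a bare file name, and the taskmgr.exe Debugger value is what Process Explorer writes when it replaces Task Manager, so both need a human look rather than deletion.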
05.02.2008, 22:01
Member

Thread starter

Posts: 21
#20 1.:

Code

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 05.02.2008 21:58:56 for strings:
;  'utiwmjuo'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys  Registry Values  Registry Data  
; HKEY_LOCAL_MACHINE  HKEY_USERS  


; End Of The Log...
2.:

Code

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 05.02.2008 22:00:19 for strings:
;  'beep.sys'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys  Registry Values  Registry Data  
; HKEY_LOCAL_MACHINE  HKEY_USERS  


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"g"="C:\\WINDOWS\\system32\\drivers\\beep.sys"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\system32\\drivers\\beep.sys"

; End Of The Log...
06.02.2008, 10:33
Honorary member
Avatar Pinguin

Posts: 1441
#21 M3t0r

1.
click Start -> Run >> type in: Services.msc and click OK!

"Properties" >> click "Stop" >> Startup type "Disabled"

UTIWMJU0

-------------------------------------------------------------

2.
Start --> Run --> paste in (if an error message appears...ignore it) --> click O.K.

sc delete UTIWMJU0

--------------------------------------------------------------

3.
Close all windows and start Hijack This
Click: Do a system scan only
Put a check mark in the box in front of the named entry
and choose fix checked

Quote

O4 - HKLM\..\Run: [braviax] braviax.exe

O20 - AppInit_DLLs: cru629.dat
2.
http://virus-protect.org/artikel/tools/otmoveIt.html
Download OTMoveIt to the desktop

open: OTMoveIt.exe

Paste in: in the left window, where it says: Paste List of Files/Folders to be moved

everything below

Quote

C:\327882R2FWJFW
C:\WINDOWS\Prefetch\WINIVSTR.EXE-23267575.pf
C:\Start_.cmd
C:\WINDOWS\cru629.dat
C:\WINDOWS\braviax.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
Click the red MoveIt!

When the tool is done a log is created (*******_******.log, * stands for date and time)

In C:\_OTMoveIt\MovedFiles\
Copy it with a right mouse click and "paste" it into the forum with a right mouse click
«««

4.
Restart the PC

5.
then do the scan with dr.web in safe mode + post the report here
http://virus-protect.org/cureit.html
---

it would be great if you could create the Combofix LOG in safe mode !!! - give it a try !!! - save it, and then post it in normal mode


+
post again for checking:
http://virus-protect.org/datfindcompl.html
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/
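As an added example (not code from the thread, and not part of any of the tools Pinguin links), a small Python checker that parses the O4, O20 and O23 lines of a HijackThis log and flags the entries the post above asks to fix. The indicator names (UTIWMJU0, braviax, cru629.dat and the dropped file names) come from the post; the sample log is constructed, including one O23 line for the service that the thread itself never shows.

```python
import re
from typing import Dict, List, Optional

# Indicators named in the post above (service, Run-key value, AppInit DLL, dropped files).
SUSPECT_SERVICES = {"UTIWMJU0"}
SUSPECT_RUN_NAMES = {"braviax"}
SUSPECT_APPINIT_DLLS = {"cru629.dat"}
SUSPECT_FILENAMES = {"braviax.exe", "cru629.dat", "users32.dat", "winivstr.exe"}

# HijackThis line shapes handled here: O4 (Run keys), O20 (AppInit_DLLs), O23 (services).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Constructed sample log: the two entries the post asks to fix, benign lines copied from
# the HijackThis log later in the thread, and one constructed O23 line for the service
# (the thread shows no HijackThis line for UTIWMJU0; the binary path is an assumption).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [Steam] "c:\progs\steam\steam.exe" -silent
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Progs\xampp\apache\bin\apache.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O23 - Service: UTIWMJU0 - Unknown owner - C:\WINDOWS\system32\winivstr.exe
"""


def _leaf(path: str) -> str:
    """Last path component, lower-cased: 'C:\\WINDOWS\\braviax.exe' -> 'braviax.exe'."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _exe_from_command(cmd: str) -> str:
    """Executable name from a Run-key command: honour quoting, drop trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return _leaf(cmd[1:end] if end > 0 else cmd[1:])
    return _leaf(cmd.split(" ", 1)[0])


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return {type, key, target, severity, reason} for a known line shape, else None.

    severity: 'suspect' = matches an indicator from the post, 'review' = worth a look
    on general grounds, 'ok' = nothing matched.
    """
    m = O4_RE.match(line)
    if m:
        exe = _exe_from_command(m["cmd"])
        if m["name"] in SUSPECT_RUN_NAMES or exe in SUSPECT_FILENAMES:
            sev, why = "suspect", "Run-key entry matches a named indicator"
        elif "\\" not in m["cmd"] and ":" not in m["cmd"]:
            # A bare file name is resolved through the search path, so a same-named
            # file in an earlier directory would be started instead of the intended one.
            sev, why = "review", "Run-key command has no directory"
        else:
            sev, why = "ok", ""
        return {"type": "O4", "key": m["name"], "target": exe, "severity": sev, "reason": why}

    m = O20_RE.match(line)
    if m:
        dlls = [d.strip().lower() for d in re.split(r"[,\s]+", m["dlls"]) if d.strip()]
        if any(_leaf(d) in SUSPECT_APPINIT_DLLS for d in dlls):
            sev, why = "suspect", "AppInit_DLLs names an indicator DLL"
        elif dlls:
            # AppInit_DLLs is loaded into every process that loads user32.dll, so any
            # non-empty value deserves a look even when it matches no known name.
            sev, why = "review", "AppInit_DLLs is non-empty"
        else:
            sev, why = "ok", ""
        return {"type": "O20", "key": "AppInit_DLLs", "target": ",".join(dlls),
                "severity": sev, "reason": why}

    m = O23_RE.match(line)
    if m:
        exe = _leaf(m["path"])
        if m["display"] in SUSPECT_SERVICES or exe in SUSPECT_FILENAMES:
            sev, why = "suspect", "service matches a named indicator"
        else:
            sev, why = "ok", ""
        return {"type": "O23", "key": m["display"], "target": exe, "severity": sev, "reason": why}
    return None


def flag_entries(log_text: str) -> List[Dict[str, str]]:
    """Classify every recognised line of a HijackThis log, in order of appearance."""
    results = []
    for line in log_text.splitlines():
        entry = classify(line.strip())
        if entry is not None:
            results.append(entry)
    return results


def suspect_keys(log_text: str) -> List[str]:
    """Keys (Run-value name, 'AppInit_DLLs', service name) of all 'suspect' entries."""
    return [e["key"] for e in flag_entries(log_text) if e["severity"] == "suspect"]


if __name__ == "__main__":
    for e in flag_entries(SAMPLE_LOG):
        print(f"{e['severity']:7} {e['type']:3} {e['key']!r:16} {e['target']:14} {e['reason']}")
```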
06.02.2008, 13:39
Member

Thread starter

Posts: 21
#22 I can't find the service, it's not in there, maybe because of the BitDefender scan I had run:

Code

Scanned File    Status
C:\System Volume Information\_restore{C1AE7513-A786-466B-805C-8BE8FD8E5A57}\RP29\A0009522.sys    Infected with: Generic.Malware.P!.B01B2086
C:\System Volume Information\_restore{C1AE7513-A786-466B-805C-8BE8FD8E5A57}\RP29\A0009522.sys    Disinfection failed
C:\System Volume Information\_restore{C1AE7513-A786-466B-805C-8BE8FD8E5A57}\RP29\A0009522.sys    Deleted
C:\System Volume Information\_restore{C1AE7513-A786-466B-805C-8BE8FD8E5A57}\RP29\A0009523.sys    Infected with: Generic.Malware.P!.B01B2086
C:\System Volume Information\_restore{C1AE7513-A786-466B-805C-8BE8FD8E5A57}\RP29\A0009523.sys    Disinfection failed
C:\System Volume Information\_restore{C1AE7513-A786-466B-805C-8BE8FD8E5A57}\RP29\A0009523.sys    Deleted
C:\WINDOWS\system32\braviax.exe    Infected with: Generic.Malware.Yd!dld!sp.2F81D3A5
C:\WINDOWS\system32\braviax.exe    Disinfection failed
C:\WINDOWS\system32\braviax.exe    Delete failed

However, the icon is still there, I'll now work through the rest of the list...


edit: I just got an internal server error here -> ? was something going on?

In any case the download page for MoveIt is down -> 404

Maybe interesting for you: http://www.bleepingcomputer.com/forums/topic128463.html

Edit: I've now used version 2, the description from your site still matches pretty closely:

Code

C:\327882R2FWJFW moved successfully.
C:\WINDOWS\Prefetch\WINIVSTR.EXE-23267575.pf moved successfully.
C:\Start_.cmd moved successfully.
File/Folder C:\WINDOWS\cru629.dat not found.
File/Folder C:\WINDOWS\braviax.exe not found.
C:\WINDOWS\system32\users32.dat moved successfully.
File/Folder C:\WINDOWS\system32\winivstr.exe not found.
File/Folder C:\WINDOWS\system32\cru629.dat not found.
C:\WINDOWS\system32\braviax.exe moved successfully.
File/Folder C:\WINDOWS\system32\dllcache\beep.sys not found.
File/Folder C:\WINDOWS\system32\drivers\beep.sys not found.

OTMoveIt2 v1.0.17 log created on 02062008_134758
This post was edited on 06.02.2008 at 13:48 by M3t0r.
06.02.2008, 14:04
Honorary member
Pinguin

Posts: 1441
#23 thanks for the hint ..one can hardly keep up with how fast the links change ;)
Could you please do me a favor and upload your Comboscan.exe here as an attachment ..it's down too and I don't have it on the server / on the machine ;)

Now please scan in safe mode with dr.web + post the report
__________
Regards
Pinguin

I'm in the process of updating my site + programs: http://www.virus-protect.org/
06.02.2008, 14:37
Member

Thread starter

Posts: 21
#24 I think you mean combofix.exe, because I never used comboscan, if that even exists

edit: I renamed it so the virus doesn't block it...

btw: the scan is at 70% right now

edit: the scan is done, but I only set it to report
here's the log:

Code

Process.exe;C:\Dokumente und Einstellungen\M3t0r\Desktop\Downloads\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Dokumente und Einstellungen\M3t0r\Desktop\Downloads\SmitfraudFix;Tool.ShutDown.11;;
Process.exe;C:\Progs\Firefox\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Progs\Firefox\SmitfraudFix;Tool.ShutDown.11;;
pv.exe;C:\Progs\xampp\apache\bin;Program.PrcView.3725;;
A0007429.exe;C:\System Volume Information\_restore{C1AE7513-A786-466B-805C-8BE8FD8E5A57}\RP24;Tool.ShutDown.11;;
A0007497.exe;C:\System Volume Information\_restore{C1AE7513-A786-466B-805C-8BE8FD8E5A57}\RP26;Tool.Prockill;;
This post was edited on 06.02.2008 at 16:30 by M3t0r.
06.02.2008, 15:42
Honorary member
Pinguin

Posts: 1441
#25

Quote

combofix didn't work properly, even after renaming, then tried fix policies, that didn't work either, and now created the logs with dss, hope that works too:
main.txt: Deckard's System Scanner v20071014.68
- the latter, do you still have the installation file ???
Combofix causes no problems, but comboscan - Deckard's System Scanner... does ;)

Please take the kombinationsfix.exe out of the attachment again ;)
__________
Regards
Pinguin

I'm in the process of updating my site + programs: http://www.virus-protect.org/
06.02.2008, 15:43
Honorary member
Pinguin

Posts: 1441
#26 When the scan with dr.web is finished, please post the log + a new HijackThis log
__________
Regards
Pinguin

I'm in the process of updating my site + programs: http://www.virus-protect.org/
06.02.2008, 16:34
Member

Thread starter

Posts: 21
#27 so: the dr.web log is up in that post above

Combofix:

Code

ComboFix 08-02.05.3 - M3t0r 2008-02-06 15:13:39.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1031.18.2522 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\M3t0r\Desktop\Downloads\KombinationsFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\etc\.protected

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


(((((((((((((((((((((((   Dateien erstellt von 2008-01-06 bis 2008-02-06  ))))))))))))))))))))))))))))))
.

2008-02-06 13:54 . 2008-02-06 13:54    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\DoctorWeb
2008-02-06 13:47 . 2008-02-06 13:47    <DIR>    d--------    C:\_OTMoveIt
2008-02-05 19:36 . 2008-02-06 07:19    <DIR>    d--------    C:\WINDOWS\BDOSCAN8
2008-02-05 19:36 . 2008-02-05 19:36    <DIR>    d---s----    C:\Dokumente und Einstellungen\M3t0r\UserData
2008-02-05 19:30 . 2008-02-05 19:30    <DIR>    d--------    C:\Deckard
2008-02-05 18:27 . 2008-02-05 18:27    40    --a------    C:\WINDOWS\BO6050.INI
2008-02-05 18:26 . 2008-02-05 18:26    <DIR>    dr-------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Brother
2008-02-05 18:24 . 2008-02-05 18:35    456    --a------    C:\WINDOWS\BRWMARK.INI
2008-02-05 18:24 . 2008-02-05 18:24    184    --a------    C:\WINDOWS\system32\brsvc01a.bsi
2008-02-05 18:24 . 2008-02-05 18:24    30    --a------    C:\WINDOWS\system32\brss01a.ini
2008-02-05 18:24 . 2008-02-05 18:35    26    --a------    C:\WINDOWS\BRPP2KA.INI
2008-02-05 15:09 . 2008-02-05 15:09    <DIR>    d--------    C:\Programme\GV_Killer
2008-02-05 15:09 . 2004-03-08 23:00    152,848    --a------    C:\WINDOWS\system32\COMDLG32.OCX
2008-02-05 15:09 . 2001-09-07 11:00    59,904    --a------    C:\WINDOWS\system32\wbemdisp.tlb
2008-02-04 13:29 . 2008-02-04 13:29    <DIR>    d--------    C:\Programme\Gemeinsame Dateien\LogiShared
2008-02-04 13:29 . 2008-02-04 13:29    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Logitech
2008-02-04 13:29 . 2008-02-04 13:29    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Leadertech
2008-02-04 13:28 . 2008-02-04 13:28    <DIR>    d--------    C:\Programme\Logitech
2008-02-04 13:28 . 2008-02-04 13:28    <DIR>    d--------    C:\Programme\Gemeinsame Dateien\Logitech
2008-02-04 13:28 . 2008-02-04 13:28    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Logitech
2008-02-04 13:28 . 2007-04-23 04:00    163,840    --a------    C:\WINDOWS\system32\kemutb.dll
2008-02-04 13:28 . 2007-04-23 04:00    135,168    --a------    C:\WINDOWS\system32\KemUtil.dll
2008-02-04 13:28 . 2007-04-23 04:00    110,592    --a------    C:\WINDOWS\system32\KemWnd.dll
2008-02-04 13:28 . 2007-04-23 04:00    69,632    --a------    C:\WINDOWS\system32\KemXML.dll
2008-02-04 13:28 . 2007-04-11 15:32    56,080    --a------    C:\WINDOWS\KHALMNPR.Exe
2008-02-04 13:28 . 2007-04-11 15:32    36,112    --a------    C:\WINDOWS\system32\drivers\LMouFilt.Sys
2008-02-04 13:28 . 2007-04-11 15:32    34,832    --a------    C:\WINDOWS\system32\drivers\LHidFilt.Sys
2008-02-04 13:28 . 2008-02-04 13:28    0    --ah-----    C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-02-04 13:27 . 2008-02-04 13:27    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LogiShrd
2008-02-03 21:44 . 2008-02-03 21:44    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\MozillaControl
2008-02-03 16:19 . 2008-02-03 16:19    <DIR>    d--------    C:\Programme\CCleaner
2008-02-03 15:33 . 2008-02-03 15:33    <DIR>    d--------    C:\Programme\Kaspersky Lab
2008-02-03 15:33 . 2008-02-03 15:33    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-02-03 15:33 . 2008-02-06 15:24    1,064,992    --ahs----    C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-03 15:33 . 2008-02-03 15:33    74,908    --a------    C:\WINDOWS\system32\drivers\klick.dat
2008-02-03 15:33 . 2008-02-03 15:33    74,396    --a------    C:\WINDOWS\system32\drivers\klin.dat
2008-02-03 15:33 . 2008-02-06 13:50    37,408    --ahs----    C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-03 15:33 . 2008-02-06 13:50    13,508    --ahs----    C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-03 15:33 . 2008-02-06 13:50    4,484    --ahs----    C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-03 12:30 . 2008-02-06 13:41    <DIR>    d--------    C:\Programme\Hijack This
2008-02-03 12:27 . 2006-02-28 13:00    401,408    --a------    C:\kmd.exe
2008-02-03 12:05 . 2008-02-03 12:12    657,805    --a------    C:\WINDOWS\system32\RVAXO.bat
2008-02-03 12:05 . 2001-10-01 14:51    69,632    --a------    C:\WINDOWS\system32\remove.exe
2008-02-02 23:42 . 2008-02-05 10:08    1,460    --a------    C:\WINDOWS\system32\tmp.reg
2008-02-02 22:58 . 2008-02-02 22:58    <DIR>    d--------    C:\Programme\Webroot
2008-02-02 22:58 . 2008-02-02 22:58    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Webroot
2008-02-02 22:58 . 2008-02-02 22:58    <DIR>    d--------    C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Webroot
2008-02-02 22:58 . 2004-02-11 18:27    102,912    --a------    C:\WINDOWS\system32\islzma.dll
2008-02-02 22:58 . 2006-01-25 10:54    78,336    --a------    C:\WINDOWS\system32\drivers\ssi.sys
2008-02-02 22:49 . 2008-02-02 22:50    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\CCleanup
2008-02-02 12:52 . 2008-02-05 11:56    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Hamachi
2008-02-02 12:52 . 2008-02-02 13:16    25,280    --a------    C:\WINDOWS\system32\drivers\hamachi.sys
2008-01-31 03:02 . 2008-01-31 03:02    54,608    --a------    C:\WINDOWS\system32\xfcodec.dll
2008-01-29 14:30 . 2008-01-29 14:30    262,144    --a------    C:\WINDOWS\system32\wrap_oal.dll
2008-01-29 14:30 . 2008-01-29 14:30    86,016    --a------    C:\WINDOWS\system32\OpenAL32.dll
2008-01-29 14:29 . 2008-01-29 14:29    <DIR>    d--------    C:\WINDOWS\system32\Futuremark
2008-01-29 14:29 . 2004-10-25 20:02    21,664    --a------    C:\WINDOWS\system32\drivers\Entech.sys
2008-01-29 14:29 . 1999-11-02 10:01    6,173    --a------    C:\WINDOWS\system32\drivers\Entech.vxd
2008-01-29 14:29 . 2004-06-22 15:44    5,632    --a------    C:\WINDOWS\system32\drivers\Entech64.sys
2008-01-29 14:29 . 2001-11-19 19:05    3,972    --a------    C:\WINDOWS\system32\drivers\PciBus.sys
2008-01-29 14:28 . 2008-01-29 14:28    <DIR>    d--------    C:\Programme\Futuremark
2008-01-28 12:40 . 2008-01-28 12:40    <DIR>    d--------    C:\Programme\iPod
2008-01-28 12:40 . 2008-01-28 12:40    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Apple Computer
2008-01-28 12:39 . 2008-01-28 12:39    <DIR>    d--------    C:\Programme\Gemeinsame Dateien\Apple
2008-01-28 12:10 . 2008-01-28 12:10    <DIR>    d--------    C:\Programme\Gemeinsame Dateien\Adobe Systems Shared
2008-01-28 12:10 . 2008-01-28 12:10    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe Systems
2008-01-25 12:40 . 2008-02-06 15:24    54,156    --ah-----    C:\WINDOWS\QTFont.qfn
2008-01-25 12:40 . 2008-01-25 12:40    1,409    --a------    C:\WINDOWS\QTFont.for
2008-01-22 18:33 . 2008-01-22 18:33    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\cridmanager
2008-01-22 18:32 . 2008-01-22 18:32    <DIR>    d--------    C:\WINDOWS\Sun
2008-01-22 18:31 . 2007-09-24 23:31    69,632    --a------    C:\WINDOWS\system32\javacpl.cpl
2008-01-22 17:28 . 2008-01-22 18:31    <DIR>    d--------    C:\Programme\Java
2008-01-22 17:21 . 2008-01-22 17:21    <DIR>    d--------    C:\Programme\Gemeinsame Dateien\Java
2008-01-20 21:47 . 2008-01-20 21:47    4,096    ---------    C:\._.Trashes
2008-01-20 19:23 . 2008-01-20 19:23    0    -ra------    C:\logwmemory.bin
2008-01-20 19:21 . 2008-01-20 19:21    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Soldat
2008-01-20 18:06 . 2008-01-20 18:06    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\InstallShield
2008-01-18 19:04 . 2008-01-18 19:04    5,120    --a------    C:\WINDOWS\system32\BReWErS.dll
2008-01-18 15:32 . 2008-01-19 23:33    499    --a------    C:\WINDOWS\my.ini
2008-01-18 11:27 . 2008-01-25 23:43    <DIR>    d-a------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-01-17 22:54 . 2008-01-28 12:40    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple Computer
2008-01-17 22:53 . 2008-01-17 22:53    <DIR>    d--------    C:\Programme\Apple Software Update
2008-01-17 21:24 . 2008-01-17 21:24    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\IconTweaker
2008-01-17 20:36 . 2008-01-17 20:36    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Axialis
2008-01-14 21:30 . 2008-01-14 21:30    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FLEXnet
2008-01-14 20:44 . 2008-01-14 20:44    <DIR>    d--------    C:\Programme\QuickTime
2008-01-14 20:44 . 2007-02-20 16:04    2,463,976    --a------    C:\WINDOWS\system32\NPSWF32.dll
2008-01-14 20:44 . 2007-02-20 16:04    190,696    --a------    C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-14 20:11 . 2008-01-28 12:40    <DIR>    d--------    C:\Programme\Bonjour
2008-01-14 20:04 . 2008-01-14 20:04    <DIR>    d--------    C:\Programme\Gemeinsame Dateien\Macrovision Shared
2008-01-14 20:00 . 2008-01-28 12:13    <DIR>    d--------    C:\Programme\Gemeinsame Dateien\Adobe
2008-01-14 16:28 . 2008-01-14 16:28    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Earthsim
2008-01-14 15:35 . 2008-01-14 15:35    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\TuneUp Software
2008-01-14 15:35 . 2008-01-14 15:35    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software
2008-01-14 15:35 . 2008-01-14 15:35    306,432    --a------    C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-14 15:35 . 2007-12-20 10:41    29,440    --a------    C:\WINDOWS\system32\uxtuneup.dll
2008-01-14 15:34 . 2008-01-14 15:34    <DIR>    d--------    C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-01-14 15:24 . 2008-01-14 16:28    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Earthsim
2008-01-14 14:28 . 2008-01-14 14:28    <DIR>    d--------    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\ATI
2008-01-14 14:28 . 2008-01-14 14:28    <DIR>    d--------    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ATI

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 15:25    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\WTablet
2008-02-05 22:08    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Xfire
2008-02-05 17:52    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\DAEMON Tools
2008-02-04 17:11    ---------    d--h--w    C:\Programme\InstallShield Installation Information
2008-02-04 16:51    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\uTorrent
2008-01-28 17:43    ---------    d-----w    C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\WTablet
2008-01-28 11:06    ---------    d-----w    C:\Programme\Gemeinsame Dateien\Blizzard Entertainment
2008-01-18 17:54    66,872    ----a-w    C:\WINDOWS\system32\PnkBstrA.exe
2008-01-12 10:01    219,648    ----a-w    C:\WINDOWS\system32\uxtheme.dll
2008-01-05 11:07    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\vlc
2008-01-04 22:53    ---------    d-----w    C:\Programme\uTorrent
2008-01-04 22:40    ---------    d-----w    C:\Programme\Gemeinsame Dateien\Mediafour
2008-01-04 22:38    ---------    d-----w    C:\Programme\Mediafour
2008-01-04 14:58    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Winamp
2008-01-03 19:53    86,016    ----a-r    C:\WINDOWS\system32\MACDRAPI.DLL
2008-01-03 16:01    ---------    d-----w    C:\Programme\Gemeinsame Dateien\InstallShield
2008-01-03 15:59    ---------    d-----w    C:\Programme\DAEMON Tools Lite
2008-01-03 15:56    715,248    ----a-w    C:\WINDOWS\system32\drivers\sptd.sys
2008-01-03 14:11    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Notepad++
2008-01-02 15:09    4    ----a-w    C:\loadcounter.dat
2008-01-02 14:24    ---------    d-----w    C:\Programme\Tablet
2008-01-01 22:59    499,712    ----a-w    C:\WINDOWS\system32\msvcp71.dll
2008-01-01 22:59    348,160    ----a-w    C:\WINDOWS\system32\msvcr71.dll
2008-01-01 22:59    ---------    d-----w    C:\Programme\Real
2008-01-01 22:59    ---------    d-----w    C:\Programme\Gemeinsame Dateien\xing shared
2008-01-01 22:59    ---------    d-----w    C:\Programme\Gemeinsame Dateien\Real
2008-01-01 19:45    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Sierra
2008-01-01 19:43    43,520    ----a-w    C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-01 18:27    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\teamspeak2
2008-01-01 15:38    ---------    d-----w    C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Xfire
2008-01-01 15:27    ---------    d-----w    C:\Programme\VLC
2008-01-01 15:18    ---------    d-----w    C:\Dokumente und Einstellungen\M3t0r\Anwendungsdaten\Talkback
2008-01-01 14:09    ---------    d-----w    C:\Programme\Intel
2008-01-01 14:09    ---------    d-----w    C:\Programme\Boot Camp
2008-01-01 14:08    315,392    ----a-w    C:\WINDOWS\HideWin.exe
2008-01-01 14:08    0    ---ha-w    C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-01 14:08    ---------    d-----w    C:\Programme\Realtek
2008-01-01 14:08    ---------    d-----w    C:\Programme\Motorola
2008-01-01 14:07    ---------    d-----w    C:\Programme\SigmaTel
2008-01-01 14:06    ---------    d-----w    C:\Programme\DIFX
2008-01-01 14:06    ---------    d-----w    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple
2008-01-01 13:59    ---------    d-----w    C:\Programme\microsoft frontpage
2008-01-01 13:58    ---------    d-----w    C:\Programme\Online-Dienste
2008-01-01 13:57    ---------    d-----w    C:\Programme\Gemeinsame Dateien\MSSoap
2008-01-01 13:57    ---------    d-----w    C:\Programme\Gemeinsame Dateien\Dienste
2008-01-01 13:44    ---------    d-----w    C:\Programme\Gemeinsame Dateien\SpeechEngines
2008-01-01 13:44    ---------    d-----w    C:\Programme\Gemeinsame Dateien\ODBC
2007-12-05 13:17    593,920    ------w    C:\WINDOWS\system32\ati2sgag.exe
2007-12-05 03:05    368,640    ----a-w    C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04    269,312    ----a-w    C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56    147,456    ----a-w    C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55    43,520    ----a-w    C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55    26,112    ----a-w    C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55    122,880    ----a-w    C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55    122,880    ----a-w    C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54    307,200    ----a-w    C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53    53,248    ----a-w    C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53    495,616    ----a-w    C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48    9,535,488    ----a-w    C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44    3,175,584    ----a-w    C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33    1,640,192    ----a-w    C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19    5,435,392    ----a-w    C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19    385,024    ----a-w    C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17    17,408    ----a-w    C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:14    180,224    ----a-w    C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11    499,712    ----a-w    C:\WINDOWS\system32\ati2cqag.dll
2007-11-07 09:27    729,600    ----a-w    C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\progs\steam\steam.exe" [2008-01-01 16:36 1266936]
"RocketDock"="C:\Progs\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"DAEMON Tools Lite"="C:\Programme\DAEMON Tools Lite\daemon.exe" [2008-01-03 14:54 486856]
"Fraps"="C:\PROGS\FRAPS\FRAPS.EXE" [2005-06-15 15:57 2793472]
"Miranda IM"="C:\Progs\Miranda7\miranda32.exe" [2007-10-01 16:01 550994]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-08 20:59 16384512 C:\WINDOWS\RTHDCPL.exe]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-10-08 20:56 147456]
"Apple_KbdMgr"="C:\Programme\Boot Camp\KbdMgr.exe" [2007-10-08 22:06 419120]
"MDDiskProtect.exe"="C:\Programme\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 21:54 106496]
"MediafourGettingStartedWithMacDrive6"="C:\Programme\Mediafour\MacDrive\MacDrive.exe" [2008-01-03 20:53 86016]
"Mediafour Mac Volume Notifications"="C:\Programme\Gemeinsame Dateien\Mediafour\MACVNTFY.exe" [2008-01-03 20:53 61440]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"QuickTime Task"="C:\Progs\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Progs\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 26 (0x1a)
"NoExpandedNewMenu"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"braviax"=C:\WINDOWS\system32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 15:57]
R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2006-01-25 10:54]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-13 19:53]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-08 22:04]
R2 AppleTimeSrv;Apple-Time-Server;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-08 22:05]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-08 20:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-08 20:56]
R2 TabletServiceWacom;TabletServiceWacom;C:\WINDOWS\system32\Wacom_Tablet.exe [2007-09-07 11:40]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2006-02-28 13:00]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-10-08 20:56]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-10-08 20:56]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-08 20:56]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 16:11]
S3 Apache2.2;Apache2.2;"C:\Progs\xampp\apache\bin\apache.exe" [2007-12-21 03:00]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-10-08 20:56]
S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-14 15:35]
S3 XAMPP;XAMPP Service;C:\Progs\xampp\service.exe [2007-12-21 03:01]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{990f321e-c8f3-11dc-81ef-001b63b959b5}]
\Shell\AutoRun\command - J:\PStart.exe

.
Inhalt des "geplante Tasks" Ordners
"2008-02-04 17:34:20 C:\WINDOWS\Tasks\1-Klick-Wartung.job"
- C:\Progs\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 16:25:08
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Progs\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brss01a.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Progs\Xfire\xfire.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\Programme\iPod\bin\iPodService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-02-06 16:28:41 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-06 15:28:38
.
2008-01-21 08:59:48    --- E O F ---

HijackThis:

Code

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:33, on 06.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\IRW.exe
C:\Programme\Boot Camp\KbdMgr.exe
C:\Programme\Mediafour\MacDrive\MDDiskProtect.exe
C:\Programme\Gemeinsame Dateien\Mediafour\MACVNTFY.EXE
C:\Progs\iTunes\iTunesHelper.exe
C:\progs\steam\steam.exe
C:\Progs\RocketDock\RocketDock.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\PROGS\FRAPS\FRAPS.EXE
C:\Progs\Miranda7\miranda32.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Progs\Xfire\xfire.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Progs\Firefox\firefox.exe
C:\Programme\Hijack This\abc.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Programme\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Programme\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Programme\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Programme\Gemeinsame Dateien\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Progs\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Progs\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "c:\progs\steam\steam.exe" -silent
O4 - HKCU\..\Run: [RocketDock] "C:\Progs\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Fraps] C:\PROGS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [Miranda IM] C:\Progs\Miranda7\miranda32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Progs\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD24D78D-DB3C-4A06-B55E-6DFA866D988F}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Progs\xampp\apache\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple-Time-Server (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - C:\Progs\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Progs\xampp\service.exe

--
End of file - 6264 bytes
looks clean, I'll reboot and check whether it's back

About the installation file:
the thing with the white cross on a green background, the alternative to ComboFix?


Edit: after a reboot without any disinfection program the icon is still gone, so it seems to be cured

thanks again to Pinguin and Arnold
This post was edited on 06.02.2008 at 16:57 by M3t0r.
06.02.2008, 17:58
Honorary member
Pinguin

Posts: 1441
#28 Hello

Phew.. that looks good ;) - good that you were able to run ComboFix after all.

««
/otmoveIt
click: CleanUp! button
http://virus-protect.org/artikel/tools/otmoveIt.html
cleanup.txt is downloaded from the Internet (allow it in the firewall!)
Begin cleanup process? click: Yes.

««
also do an online scan with Panda-Total-Scan
http://virus-protect.org/onlinescan.html

+ post the scan report here
__________
Regards
Pinguin

I'm in the process of updating my site + programs: http://www.virus-protect.org/
06.02.2008, 22:11
Member

Thread starter

Posts: 21
#29 scan:

Incident

C:\RECYCLER\S-1-5-21-1177238915-573735546-682003330-1004\Dc2\Process.exe
Virus:Trj/Rebooter.J
C:\RECYCLER\S-1-5-21-1177238915-573735546-682003330-1004\Dc2\Reboot.exe

Potentially unwanted tool:Application/SuperFast

C:\RECYCLER\S-1-5-21-1177238915-573735546-682003330-1004\Dc2\restart.exe

what they are doing in the Firefox folder I don't know either *shrug*
06.02.2008, 23:33
Honorary member
Pinguin

Posts: 1441
#30 well, I think everything is OK again ;)
__________
Regards
Pinguin

I'm in the process of updating my site + programs: http://www.virus-protect.org/