
Something is wrong


  • This topic is locked
18 replies to this topic

#1 fred_trumper (New Member, Authentic Member, 17 posts)

Posted 10 November 2010 - 03:46 PM

Hello,

I'm using mozilla firefox. Each time I open a new link it seems to be loaded twice: once for a very short moment, then the screen gets white and then the second version appears (and seems to be ok).

Thank you for your help,

Fred

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:30:41, on 10.11.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Programme\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\VMware\VMware Player\vmware-authd.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Logger\logmon.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Programme\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\Apoint2K\ApMsgFwd.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\MMEDIA\TV Jukebox 3.1\tvjbMonitor.exe
C:\Programme\Apoint2K\Apntex.exe
C:\Programme\Lenovo\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\Zoom\TpScrex.exe
C:\Programme\VMware\VMware Player\hqtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msicia32.exe,C:\WINDOWS\system32\appconf32.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {ED0CF0C8-62F1-4865-A3FD-2E2A2B50FAFA} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88} - C:\WINDOWS\system32\AcroIEHelpe022.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPHOTKEY] C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tvjbmonitor] C:\Programme\MMEDIA\TV Jukebox 3.1\tvjbMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Programme\VMware\VMware Player\hqtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-2123242984-1412381841-181542594-1249\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2123242984-1412381841-181542594-1249\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10i_Plugin.exe -update plugin (User '?')
O4 - HKUS\S-1-5-21-2123242984-1412381841-181542594-1295\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2123242984-1412381841-181542594-1694\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-2123242984-1412381841-181542594-1249 Startup: OpenOffice.org 2.4.lnk = C:\Programme\OpenOffice.org 2.4\program\quickstart.exe (User '?')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Senden an Bluetooth - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\programme\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\programme\vmware\vmware player\vsocklib.dll
O16 - DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} (CeWe Color AG & Co. OHG Control) - https://as.photoprin...geUploader6.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hq.kwsoft.de
O17 - HKLM\Software\..\Telephony: DomainName = hq.kwsoft.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.124,93.188.160.204
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Programme\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programme\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Programme\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 11730 bytes
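As an added example that is not part of the original thread (and not HijackThis code): a small Python triage pass over lines of the log above. The rules are this editor's own heuristics, so every finding is a "review this", not a verdict. The entry a helper looks at first is the F2 UserInit line: on Windows XP that registry value is just userinit.exe, and every executable appended to it is started by winlogon at each interactive logon. The other rules pick out things a helper would ask about (an orphaned BHO CLSID with no file, a BHO DLL sitting directly in system32 rather than under a vendor folder, the O17 nameservers, a Winlogon Notify DLL that is missing). The sample lines are copied from the log above; nothing else is assumed.

```python
"""Triage a HijackThis log for entries worth a closer look.

Added example, not part of the original thread or of HijackThis itself.
The sample lines are copied from the log posted above; the flagging
rules are heuristics chosen for this example, so every finding is a
"review this", not a verdict.
"""
import re

# Windows XP default for HKLM\...\Winlogon\Userinit is just userinit.exe.
# Anything else appended to that value runs at every interactive logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Sample input, copied from the log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msicia32.exe,C:\WINDOWS\system32\appconf32.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ED0CF0C8-62F1-4865-A3FD-2E2A2B50FAFA} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88} - C:\WINDOWS\system32\AcroIEHelpe022.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.124,93.188.160.204
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
"""


def userinit_extras(line):
    """Return every executable in an F2 UserInit line other than the default.

    The value is a comma-separated list with a trailing comma; each entry
    is launched by winlogon at logon, so extras are a classic persistence spot.
    """
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]


def name_servers(line):
    """Return the DNS servers from an O17 NameServer line, or [] otherwise."""
    m = re.search(r"NameServer = (.+)$", line)
    return [s.strip() for s in m.group(1).split(",")] if m else []


def triage(log_text):
    """Walk a HijackThis log and return (rule, detail) pairs to review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        extras = userinit_extras(line)
        if extras:
            findings.append(("userinit-extra", extras))
            continue
        if line.startswith("O2 - BHO:"):
            parts = line.split(" - ")  # ["O2", "BHO: name", "{CLSID}", "path"]
            clsid, path = parts[2], parts[-1]
            if path == "(no file)":
                # Orphaned CLSID: harmless on its own, but worth cleaning up.
                findings.append(("orphaned-bho", clsid))
            elif "\\system32\\" in path.lower():
                # Heuristic: vendor BHOs usually live under Program Files,
                # not directly in system32; verify the file's signer.
                findings.append(("bho-in-system32", path))
            continue
        servers = name_servers(line)
        if servers:
            # Not a verdict: confirm these belong to the ISP or the domain
            # named in the O17 Domain entries before touching them.
            findings.append(("dns-servers", servers))
            continue
        if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            findings.append(("winlogon-notify-missing", line.split(": ", 1)[1]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:<24} {detail}")
```

Run it as a script to see the five findings from the sample; feed it a full HijackThis log (the R/F/O sections only, the process list is skipped) to triage a different machine. The UserInit rule is the only one that is close to a hard indicator; the rest just narrow down what to ask the poster about.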



#2 RPMcMurphy (MalwareTeam Emeritus, Authentic Member, 2,326 posts)

Posted 10 November 2010 - 10:43 PM

Hello and welcome to WhatTheTech. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

If you are being helped and you haven't replied within 5 days your topic will be closed as inactive.

ASAP & UNITE Member - Proud Graduate of the WTT Classroom

The help you receive here is free. If you wish to show your appreciation, you may donate: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=RPMcMurphy%40whatthetech%2ecom&lc=US&item_name=RPMcMurphy&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donate_SM%2egif%3aNonHosted

#3 fred_trumper (New Member, Authentic Member, 17 posts)

Posted 11 November 2010 - 09:49 AM

DDS won't run. A command prompt opens and some explanations are shown, that's all. Attached you will find the Gmer log.

Attached file: Gmer.txt (90.11 KB)


#4 RPMcMurphy (MalwareTeam Emeritus, Authentic Member, 2,326 posts)

Posted 11 November 2010 - 10:04 AM

Delete your current copy of DDS and get a new one here. It is normal to see a black box with some dialog while it is running.

#5 fred_trumper (New Member, Authentic Member, 17 posts)

Posted 11 November 2010 - 11:49 AM

I got the new copy of DDS and started it. This time there is a completely black command prompt - and nothing happens. Maybe my last text was too short: nothing happens for more than an hour.

#6 RPMcMurphy (MalwareTeam Emeritus, Authentic Member, 2,326 posts)

Posted 11 November 2010 - 06:25 PM

Give this one a try:

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and paste them into your next post.
Please include the following in your next post:
  • OTL and Extras logs


#7 fred_trumper (New Member, Authentic Member, 17 posts)

Posted 12 November 2010 - 12:41 AM

OTL.txt:


OTL logfile created on: 12.11.2010 07:29:52 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 77,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 90,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 232,87 Gb Total Space | 97,07 Gb Free Space | 41,68% Space Free | Partition Type: NTFS

Computer Name: NB-WINTERMEYER | User Name: winter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010.11.12 07:27:16 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\OTL.exe
PRC - [2010.09.21 01:42:38 | 000,064,048 | ---- | M] (VMware, Inc.) -- C:\Programme\VMware\VMware Player\hqtray.exe
PRC - [2010.09.21 01:42:06 | 000,113,200 | ---- | M] (VMware, Inc.) -- C:\Programme\VMware\VMware Player\vmware-authd.exe
PRC - [2010.09.21 01:41:38 | 000,334,384 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe
PRC - [2010.09.21 01:41:34 | 000,404,016 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
PRC - [2010.09.21 00:42:44 | 000,539,184 | ---- | M] (VMware, Inc.) -- C:\Programme\Common Files\VMware\USB\vmware-usbarbitrator.exe
PRC - [2010.05.25 09:57:26 | 000,349,528 | ---- | M] (Broadcom Corporation.) -- C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
PRC - [2010.05.14 10:44:46 | 000,248,552 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
PRC - [2008.04.14 07:52:46 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007.11.22 15:09:26 | 000,181,536 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\TpShocks.exe
PRC - [2007.10.16 18:33:00 | 000,037,424 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\TPHDEXLG.exe
PRC - [2007.08.03 16:10:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007.07.05 15:05:04 | 000,065,536 | ---- | M] (Lenovo ) -- C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
PRC - [2007.07.05 15:04:18 | 000,114,688 | ---- | M] (Lenovo ) -- C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
PRC - [2007.07.05 15:03:32 | 000,184,320 | ---- | M] (Lenovo ) -- C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
PRC - [2007.07.05 14:58:40 | 000,413,696 | ---- | M] (Lenovo ) -- C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
PRC - [2007.07.05 14:51:48 | 000,126,976 | ---- | M] (Lenovo ) -- C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
PRC - [2007.05.31 11:02:06 | 000,036,400 | ---- | M] (Lenovo) -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2007.04.16 11:33:18 | 000,647,168 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007.04.16 11:21:20 | 000,983,040 | ---- | M] (Intel Corporation ) -- C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007.04.16 11:17:58 | 000,487,424 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007.04.16 11:14:24 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007.03.09 06:49:42 | 000,066,176 | ---- | M] (Lenovo Group Limited) -- C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2007.03.08 05:16:48 | 000,073,776 | ---- | M] (Lenovo Group Limited) -- C:\Programme\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2007.02.08 13:19:44 | 000,536,576 | ---- | M] (Lenovo Group Limited) -- C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
PRC - [2007.02.08 13:19:36 | 001,118,208 | ---- | M] (Lenovo Group Limited) -- c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
PRC - [2007.02.08 13:11:32 | 000,569,344 | ---- | M] () -- C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
PRC - [2007.02.08 13:09:58 | 000,950,272 | ---- | M] (Lenovo Group Limited) -- C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
PRC - [2007.02.08 13:00:06 | 000,022,016 | ---- | M] () -- C:\Programme\Gemeinsame Dateien\Lenovo\Logger\logmon.exe
PRC - [2007.02.08 11:40:16 | 000,045,056 | ---- | M] () -- C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe
PRC - [2006.12.26 16:08:48 | 000,053,248 | ---- | M] () -- C:\Programme\MMEDIA\TV Jukebox 3.1\tvjbMonitor.exe
PRC - [2006.09.06 08:39:10 | 000,091,688 | ---- | M] (Lenovo Group Limited) -- C:\Programme\Lenovo\ZOOM\TpScrex.exe
PRC - [2005.02.22 15:32:14 | 000,038,912 | ---- | M] () -- C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
PRC - [2003.06.19 22:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe


========== Modules (SafeList) ==========

MOD - [2010.11.12 07:27:16 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\OTL.exe
MOD - [2010.10.14 17:30:06 | 000,050,688 | -H-- | M] () -- C:\WINDOWS\system32\asr_ay32.dll
MOD - [2010.08.23 17:11:46 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009.01.14 16:37:00 | 001,486,848 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2009.01.14 16:37:00 | 000,311,296 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwrsde.dll
MOD - [2009.01.14 16:37:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010.09.21 01:42:06 | 000,113,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Programme\VMware\VMware Player\vmware-authd.exe -- (VMAuthdService)
SRV - [2010.09.21 01:41:38 | 000,334,384 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2010.09.21 01:41:34 | 000,404,016 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2010.09.21 00:42:44 | 000,539,184 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Programme\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2010.08.19 12:57:14 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Programme\VMware\VMware Player\vmware-ufad.exe -- (ufad-ws60)
SRV - [2010.05.25 09:57:26 | 000,349,528 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2009.06.02 09:10:08 | 000,637,952 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Programme\Nokia\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2007.10.16 18:33:00 | 000,037,424 | ---- | M] (Lenovo.) [Auto | Running] -- C:\WINDOWS\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2007.08.03 16:10:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007.07.05 15:05:04 | 000,065,536 | ---- | M] (Lenovo ) [Auto | Running] -- C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -- (AcPrfMgrSvc)
SRV - [2007.07.05 15:03:32 | 000,184,320 | ---- | M] (Lenovo ) [Auto | Running] -- C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe -- (AcSvc)
SRV - [2007.05.31 11:02:06 | 000,036,400 | ---- | M] (Lenovo) [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2007.04.16 11:33:18 | 000,647,168 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007.04.16 11:21:20 | 000,983,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Programme\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007.04.16 11:14:24 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007.02.08 13:19:36 | 001,118,208 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2007.02.08 13:11:32 | 000,569,344 | ---- | M] () [Auto | Running] -- C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
SRV - [2007.02.08 13:09:58 | 000,950,272 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2007.02.08 11:40:16 | 000,045,056 | ---- | M] () [Auto | Running] -- C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe -- (tvtnetwk)
SRV - [2005.11.14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005.02.22 15:32:14 | 000,038,912 | ---- | M] () [Auto | Running] -- C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2003.06.19 22:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe -- (MDM)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\nsnimusm.sys -- (nsnimusm)
DRV - [2010.10.28 08:29:01 | 000,008,832 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi)
DRV - [2010.09.21 01:42:46 | 000,070,704 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2010.09.21 01:42:44 | 000,854,064 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2010.09.21 01:41:08 | 000,024,624 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2010.09.21 01:40:08 | 000,032,688 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2010.09.21 01:40:04 | 000,026,288 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2010.09.21 00:42:32 | 000,032,304 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2010.09.20 22:18:14 | 000,016,560 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2010.08.19 12:56:38 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Programme\VMware\VMware Player\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2010.06.11 15:26:58 | 000,459,776 | ---- | M] (AfaTech ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AF9035BDA.SYS -- (AF9035BDA)
DRV - [2010.06.01 12:51:58 | 000,051,752 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2010.06.01 12:51:56 | 000,993,320 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2009.03.31 10:08:50 | 004,202,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2009.03.18 10:59:56 | 000,241,296 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2009.02.09 07:37:56 | 000,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009.02.09 07:37:48 | 000,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009.02.09 07:37:46 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009.02.09 07:37:46 | 000,017,664 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2009.01.14 16:37:00 | 006,620,064 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008.08.26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008.04.14 00:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008.04.14 00:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008.04.13 23:16:24 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2008.04.13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008.03.15 10:47:41 | 000,033,536 | ---- | M] (Lenovo) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tvtfilter.sys -- (tvtfilter)
DRV - [2008.03.15 10:46:32 | 000,007,012 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pmemnt.sys -- (pmem)
DRV - [2007.12.06 17:22:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2007.10.25 06:19:00 | 000,153,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007.10.16 18:33:00 | 000,103,472 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2007.10.16 18:32:00 | 000,019,504 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2007.08.08 12:42:00 | 000,045,568 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007.07.30 03:54:00 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007.07.30 02:42:00 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007.05.31 11:01:30 | 000,021,424 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2007.05.22 15:59:38 | 000,030,336 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tvti2c.sys -- (TVTI2C)
DRV - [2007.05.22 08:59:34 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2007.04.13 05:08:26 | 000,306,176 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007.04.02 11:24:08 | 000,004,224 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.sys -- (IBMTPCHK)
DRV - [2007.03.29 15:19:36 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007.03.14 22:10:02 | 000,011,152 | ---- | M] (UPEK Inc.) [Kernel | Auto | Running] -- C:\Programme\Gemeinsame Dateien\ThinkVantage Fingerprint Software\Drivers\smihlp.sys -- (smihlp) SMI Helper Driver (smihlp)
DRV - [2007.03.14 21:50:08 | 000,040,848 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2007.02.12 18:36:54 | 000,277,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007.02.08 12:30:28 | 000,017,664 | ---- | M] (Lenovo Group Limited) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tvtpktfilter.sys -- (TVTPktFilter)
DRV - [2006.12.22 03:56:00 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006.12.22 03:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006.12.22 03:55:00 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006.10.23 02:23:28 | 000,017,778 | ---- | M] (IBM Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPHKDRV.sys -- (TPHKDRV)
DRV - [2006.03.01 03:30:00 | 000,089,472 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2006.02.02 05:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006.02.02 05:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006.02.02 05:20:00 | 000,086,652 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006.02.02 05:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006.02.02 05:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006.02.02 05:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006.02.02 05:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005.11.18 12:02:50 | 000,005,660 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005.11.18 12:02:10 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005.11.18 05:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005.11.08 09:27:20 | 000,011,520 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)
DRV - [2005.05.17 10:20:08 | 000,015,872 | ---- | M] (Atmel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atmeltpm.sys -- (atmeltpm)
DRV - [2002.07.17 08:05:10 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2001.08.18 13:22:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001.08.18 04:33:12 | 000,322,432 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\G400m.sys -- (G400)
DRV - [2001.08.17 23:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001.08.17 23:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001.08.17 23:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001.08.17 23:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001.08.17 23:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001.08.17 22:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001.08.17 22:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001.08.17 22:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001.08.17 22:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001.08.17 22:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001.08.17 22:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001.08.17 22:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001.08.17 22:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001.08.17 22:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001.08.17 12:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audiotreiber-Installationsdienst (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkpad [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkpad [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {E78313ED-E64C-451B-9B5F-8A66A8D08A64}:2.5.10.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {ED0CF0C8-62F1-4865-A3FD-2E2A2B50FAFA}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22


FF - HKLM\software\mozilla\Firefox\Extensions\\{ED0CF0C8-62F1-4865-A3FD-2E2A2B50FAFA}: C:\WINDOWS\system32\5008 [2010.11.10 20:17:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Programme\CheckPoint\ZAForceField\TrustChecker
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.10.28 13:16:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.10.28 13:16:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Programme\Mozilla Thunderbird\components [2010.10.27 17:22:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Programme\Mozilla Thunderbird\plugins

[2009.01.11 00:08:11 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Mozilla\Extensions
[2010.11.10 20:24:12 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Mozilla\Firefox\Profiles\d2bx4crh.default\extensions
[2010.07.09 17:26:58 | 000,000,000 | ---D | M] (FireFox accelerator) -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Mozilla\Firefox\Profiles\d2bx4crh.default\extensions\{E78313ED-E64C-451B-9B5F-8A66A8D08A64}
[2010.11.11 09:31:26 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.10.28 13:13:31 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010.09.15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.10.27 17:16:21 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2009.09.21 11:24:16 | 000,001,329 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\crawlersrch.xml
[2010.10.27 17:16:21 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.10.27 17:16:21 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.10.27 17:16:21 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.10.27 17:16:21 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009.07.24 08:01:00 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {ED0CF0C8-62F1-4865-A3FD-2E2A2B50FAFA} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88} - C:\WINDOWS\system32\AcroIEHelpe022.dll (Adobe Systems, Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programme\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe (Lenovo )
O4 - HKLM..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe (Lenovo )
O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BLOG] C:\Programme\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Programme\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TPHOTKEY] C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TpShocks] C:\WINDOWS\System32\TpShocks.exe (Lenovo.)
O4 - HKLM..\Run: [tvjbmonitor] C:\Programme\MMEDIA\TV Jukebox 3.1\tvjbMonitor.exe ()
O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [VMware hqtray] C:\Programme\VMware\VMware Player\hqtray.exe (VMware, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Senden an Bluetooth - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Programme\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Programme\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O16 - DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} https://as.photoprin...geUploader6.cab (CeWe Color AG & Co. OHG Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hq.kwsoft.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.124,93.188.160.204
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\saphtmlp {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Programme\SAP\FrontEnd\Controls\SAPHTMLP.DLL (SAP AG, Walldorf)
O18 - Protocol\Handler\sapr3 {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Programme\SAP\FrontEnd\Controls\SAPHTMLP.DLL (SAP AG, Walldorf)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\msicia32.exe) - C:\WINDOWS\System32\msicia32.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\appconf32.exe) - C:\WINDOWS\system32\appconf32.exe ()
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\WINDOWS\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\ACNotify: DllName - ACNotify.dll - C:\Programme\ThinkPad\ConnectUtilities\ACNotify.dll (Lenovo )
O20 - Winlogon\Notify\psfus: DllName - C:\WINDOWS\system32\psqlpwd.dll - C:\WINDOWS\system32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\tpfnf2: DllName - C:\Programme\Lenovo\HOTKEY\notifyf2.dll - C:\Programme\Lenovo\HOTKEY\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - C:\Programme\Lenovo\HOTKEY\tphklock.dll - C:\Programme\Lenovo\HOTKEY\tphklock.dll ()
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.01.27 03:18:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: cmdlhelp - (C:\WINDOWS\system32\asr_ay32.dll) - C:\WINDOWS\system32\asr_ay32.dll ()
O36 - AppCertDlls: cmmoname - (C:\WINDOWS\asr_tify.dll) - C:\WINDOWS\asr_tify.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.11.12 07:27:14 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\OTL.exe
[2010.11.10 22:29:07 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\HiJackThis.exe
[2010.11.10 20:17:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\5008
[2010.11.04 10:45:19 | 000,000,000 | ---D | C] -- C:\Janitos
[2010.10.28 16:55:22 | 000,334,384 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\vmnetdhcp.exe
[2010.10.28 16:55:21 | 000,404,016 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\vmnat.exe
[2010.10.28 16:55:20 | 000,026,288 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\drivers\vmnetuserif.sys
[2010.10.28 16:54:59 | 000,760,368 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\vnetlib.dll
[2010.10.28 16:54:45 | 000,024,624 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\drivers\VMkbd.sys
[2010.10.28 16:54:20 | 000,000,000 | ---D | C] -- C:\Programme\Common Files
[2010.10.28 13:13:46 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sun
[2010.10.28 12:52:33 | 001,247,032 | ---- | C] (JAM Software) -- C:\WINDOWS\TreeSize.exe
[2010.10.28 08:29:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010.10.27 17:13:51 | 000,000,000 | ---D | C] -- C:\Programme\Adobe
[2010.10.27 17:12:41 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2009.07.24 12:17:54 | 000,731,200 | ---- | C] (JAM Software) -- C:\Programme\TreeSizeFree.exe
[2009.07.24 09:59:54 | 000,645,160 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Programme\autoruns.exe
[2008.03.15 10:24:44 | 000,167,936 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll
[2008.03.15 10:24:44 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.11.12 07:27:16 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\OTL.exe
[2010.11.12 07:22:12 | 000,246,302 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010.11.12 07:22:10 | 000,184,118 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010.11.12 07:22:07 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2010.11.12 07:21:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.11.12 07:20:54 | 2145,693,696 | -HS- | M] () -- C:\hiberfil.sys
[2010.11.11 18:39:38 | 000,630,272 | ---- | M] () -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\dds.pif
[2010.11.11 09:20:49 | 000,246,302 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010.11.11 09:19:07 | 000,006,166 | RHS- | M] () -- C:\Dokumente und Einstellungen\All Users\ntuser.pol
[2010.11.11 08:04:58 | 000,296,448 | ---- | M] () -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\53irmh0k.exe
[2010.11.10 22:29:13 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\HiJackThis.exe
[2010.11.10 20:11:15 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.11.03 18:04:43 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.10.30 18:01:59 | 000,000,360 | ---- | M] () -- C:\WINDOWS\System32\urhtps.dat
[2010.10.30 16:34:46 | 000,000,513 | ---- | M] () -- C:\WINDOWS\wiso.ini
[2010.10.28 16:54:39 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010.10.28 16:54:35 | 000,470,892 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.10.28 16:54:35 | 000,452,954 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.10.28 16:54:35 | 000,089,810 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.10.28 16:54:35 | 000,076,482 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.10.28 16:54:34 | 000,001,742 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\VMware Player.lnk
[2010.10.28 08:29:01 | 000,008,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\wmiacpi.sys
[2010.10.27 17:25:28 | 000,000,222 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010.10.24 21:00:30 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.10.16 10:14:19 | 000,302,032 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.10.15 12:09:31 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010.10.14 17:30:06 | 000,050,688 | -H-- | M] () -- C:\WINDOWS\System32\asr_ay32.dll
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.11.11 18:39:28 | 000,630,272 | ---- | C] () -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\dds.pif
[2010.11.11 08:04:57 | 000,296,448 | ---- | C] () -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop\53irmh0k.exe
[2010.11.03 18:04:43 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.10.28 16:54:34 | 000,001,742 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\VMware Player.lnk
[2010.10.27 17:25:28 | 000,000,222 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010.10.26 13:21:55 | 2145,693,696 | -HS- | C] () -- C:\hiberfil.sys
[2010.10.10 14:29:02 | 000,050,688 | -H-- | C] () -- C:\WINDOWS\System32\asr_ay32.dll
[2010.06.11 15:28:25 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2010.05.25 09:57:38 | 002,860,384 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2010.04.20 19:39:08 | 000,000,083 | ---- | C] () -- C:\WINDOWS\muserr.ini
[2010.04.19 20:26:47 | 000,002,327 | ---- | C] () -- C:\WINDOWS\musi.ini
[2009.08.14 12:15:24 | 000,000,060 | ---- | C] () -- C:\WINDOWS\crackpdf.INI
[2009.07.04 13:45:29 | 000,000,513 | ---- | C] () -- C:\WINDOWS\wiso.ini
[2008.11.27 15:36:26 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008.07.23 14:14:15 | 000,000,146 | ---- | C] () -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
[2008.06.20 10:31:25 | 000,000,467 | ---- | C] () -- C:\WINDOWS\saplogon.ini
[2008.06.20 10:28:55 | 000,095,744 | ---- | C] () -- C:\WINDOWS\System32\h5rtf32.dll
[2008.06.20 10:28:55 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\h5tool32.dll
[2008.06.20 10:28:54 | 001,064,960 | ---- | C] () -- C:\WINDOWS\System32\h5krnl32.dll
[2008.06.20 10:28:54 | 000,188,928 | ---- | C] () -- C:\WINDOWS\System32\h5icon32.dll
[2008.06.20 10:28:54 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\h5menu32.dll
[2008.06.20 10:28:46 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\vtssm32.dll
[2008.05.19 19:22:37 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.04.24 15:24:47 | 000,000,489 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008.04.16 14:35:46 | 000,000,054 | ---- | C] () -- C:\WINDOWS\webica.ini
[2008.04.14 10:15:17 | 000,000,277 | ---- | C] () -- C:\WINDOWS\WINCMD.INI
[2008.03.15 11:09:02 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008.03.15 10:46:07 | 000,004,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.sys
[2008.03.15 10:39:47 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008.03.15 10:30:23 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008.03.15 10:30:23 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008.03.15 10:30:23 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008.03.15 10:30:22 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008.03.15 10:24:44 | 009,598,080 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2008.03.15 10:24:44 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2uvc.ini
[2008.03.15 10:22:43 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2008.03.15 10:06:20 | 000,008,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\wmiacpi.sys
[2007.01.16 16:12:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006.09.05 14:20:36 | 000,079,400 | ---- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2006.01.27 18:18:01 | 000,000,849 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006.01.27 18:05:14 | 000,002,963 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006.01.26 18:09:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2001.11.14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2000.09.08 16:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll

========== LOP Check ==========

[2009.07.04 13:38:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Buhl Data Service GmbH
[2008.03.15 10:53:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lenovo
[2009.07.18 10:01:36 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MailFrontier
[2009.08.13 13:55:45 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NokiaMusic
[2009.08.13 13:57:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PC Suite
[2008.03.15 10:45:28 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PC-Doctor
[2008.03.15 10:53:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\UIB
[2008.04.14 11:18:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\XPhone20
[2008.12.16 23:49:27 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Agnef
[2010.03.17 22:15:44 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Amazon
[2009.04.02 23:03:12 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Azar
[2009.07.04 13:46:05 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Buhl Data Service
[2010.07.09 17:16:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\CheckPoint
[2009.08.12 21:36:23 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\DeepBurner
[2010.10.10 00:43:08 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Dypyyf
[2010.09.04 01:11:27 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Ecsa
[2010.10.10 00:50:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Ehohli
[2009.10.04 21:37:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Epuc
[2010.10.10 03:01:17 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Fulu
[2010.06.14 02:31:52 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Gekeun
[2009.10.23 11:55:28 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Hoseiz
[2010.10.10 03:01:17 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Ilgui
[2010.10.10 03:01:30 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Imcyle
[2010.10.10 00:43:40 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Ipxob
[2008.03.15 10:53:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Lenovo
[2010.10.14 21:22:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Mizeov
[2010.02.14 13:07:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Nseries
[2010.10.14 21:22:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Nyyzi
[2010.10.10 03:01:26 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Ochaez
[2010.10.10 03:01:17 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Onykot
[2010.02.14 13:00:45 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\PC Suite
[2010.10.24 20:59:41 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Seyw
[2010.02.15 08:47:20 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Subversion
[2010.07.15 18:44:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Sufyom
[2010.10.10 03:01:35 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Tayv
[2008.10.06 11:03:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Thunderbird
[2010.10.10 03:01:16 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Usyb
[2010.02.27 02:22:39 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Wubayk
[2009.09.26 05:43:10 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Xexiv
[2009.06.03 02:25:23 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Xonuba
[2009.05.18 09:56:47 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\XPhone20
[2010.10.10 03:01:16 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Xuuvun
[2010.10.10 03:01:16 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Ybirl
[2010.10.10 03:01:16 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Ycly
[2009.02.12 10:47:05 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Yqsii
[2010.10.10 00:43:40 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Yrudm
[2010.11.12 07:22:07 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



< End of report >

Extra.txt:

OTL Extras logfile created on: 12.11.2010 07:29:52 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 77,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 90,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 232,87 Gb Total Space | 97,07 Gb Free Space | 41,68% Space Free | Partition Type: NTFS

Computer Name: NB-WINTERMEYER | User Name: winter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Programme\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Programme\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
"\\serie-m\m\bin\mtbnfycli.exe:10.1.0.0/16:enabled:MTB-Notifier" = \\serie-m\m\bin\mtbnfycli.exe:10.1.0.0/16:enabled:MTB-Notifier

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = 10.1.0.0/16

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = 10.1.0.0/16

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = 10.1.0.0/16

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"5985:TCP" = 5985:TCP:*:Disabled:Windows-Remoteverwaltung
"80:TCP" = 80:TCP:*:Disabled:Windows-Remoteverwaltung - Kompatibilitätsmodus (HTTP eingehend)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Dokumente und Einstellungen\admin-2\Lokale Einstellungen\Temp\OraInstall2008-04-14_11-37-36AM\jre\1.4.2\bin\javaw.exe" = C:\Dokumente und Einstellungen\admin-2\Lokale Einstellungen\Temp\OraInstall2008-04-14_11-37-36AM\jre\1.4.2\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:Programm zur Dateiübertragung -- (Microsoft Corporation)
"C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- ()
"C:\Programme\workbench\workbench.exe" = C:\Programme\workbench\workbench.exe:*:Enabled:workbench -- ()
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer -- (Microsoft Corporation)
"C:\Programme\VMware\VMware Player\vmware-authd.exe" = C:\Programme\VMware\VMware Player\vmware-authd.exe:*:Enabled:VMware Authd -- (VMware, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- File not found
"C:\Programme\Bonjour\mDNSResponder.exe" = C:\Programme\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- File not found
"C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- ()
"C:\Programme\eclipse\eclipse.exe" = C:\Programme\eclipse\eclipse.exe:*:Enabled:eclipse -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer -- (Microsoft Corporation)
"C:\Programme\VMware\VMware Player\vmware-authd.exe" = C:\Programme\VMware\VMware Player\vmware-authd.exe:*:Enabled:VMware Authd -- (VMware, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00BA866C-F2A2-4BB9-A308-3DFA695B6F7C}" = Java DB 10.5.3.0
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{075473F5-846A-448B-BCB3-104AA1760205}" = RecordNow Data
"{07629207-FAA0-4F1A-8092-BF5085BE511F}" = Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch)
"{0C973594-7DDF-4BD0-84ED-3517F7622037}" = PC Connectivity Solution
"{0D06066D-69E5-4B7E-8409-86F221E7AEFA}" = Octava SD4
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{15D91706-6ADF-44CF-9D7D-FF2D8ACD2C6F}" = LS_HSI
"{1B14B0C3-2D60-477C-A1FE-B88E60948854}" = OpenOffice.org 2.4
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2218B96C-ABA2-45D9-A0B4-56B71F5303DB}" = Nokia Ovi Suite
"{22E348D3-2DBB-4948-8168-66A98256E3A7}" = netclient
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 22
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{2DFB5485-A3EF-4298-9280-4AF80C9F4BE9}" = Microsoft SQL Server VSS Writer
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{32A3A4F4-B792-11D6-A78A-00B0D0160170}" = Java™ SE Development Kit 6 Update 17
"{32A3A4F4-B792-11D6-A78A-00B0D0160210}" = Java™ SE Development Kit 6 Update 21
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = Integrated Camera
"{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK
"{41894269-0DD1-4C85-B3DD-1EB41B07621D}" = ThinkVantage Fingerprint Software 5.6
"{42B74521-4706-412A-9A27-AED12B83E886}" = Nokia Ovi Application Installer
"{45D4F727-43B5-49CD-B474-B9866A8F4FB8}" = Nokia Map Loader
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage System für aktiven Festplattenschutz
"{46B70DEB-97B3-4E38-B746-EC16905E6A8F}" = WISO Sparbuch 2010
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52D02A2B-03D2-4E34-A358-DC5D951FD296}" = Nokia Connectivity Cable Driver
"{547DCEC7-DD2A-47E9-82C7-5CF1EAB526DA}" = Microsoft SQL Server Native Client
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6442DEDF-AC2F-4CBA-85DE-42E459C5006C}" = Nokia Ovi Content Copier
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6D36E55D-E2D6-4617-9DE6-AB1A012C8EE2}" = XPhone 2.x
"{6EB6C056-02BB-453E-8448-EC90B9794180}" = Nokia Multimedia Common Components 2.4
"{7035F31B-20DA-4522-B0DB-3CA18B46DD77}" = Nokia Music
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7EB114D8-207F-45AE-BABD-1669715F2630}" = ThinkVantage Access Connections
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = ThinkPad Bluetooth with Enhanced Data Rate Software
"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}" = Windows Support Tools
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90280407-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional mit FrontPage
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{926C96FB-9D0A-4504-8000-C6D3A4A3118E}" = Java DB 10.4.2.1
"{9292B96D-B693-4F07-B5FE-21CCDC7CB4AF}" = Nokia Photos
"{9309DD7E-EBFE-3C95-8B47-30D3A012F606}" = Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - DEU
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ThinkPad UltraNav Driver
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Energie-Manager
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A53A11EA-0095-493F-86FA-A15E8A86A405}" = VMware Player
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = RecordNow Audio
"{AC76BA86-7AD7-1031-7B44-A82000000003}" = Adobe Reader 8.2.5 - Deutsch
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = RecordNow Copy
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B23EC9D9-93D7-47D7-878D-5D75890B72B3}" = TextWorkBench
"{B334D9AE-1393-423E-97C0-3BDC3360E692}" = Sonic Icons for Lenovo
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{BD868C41-BB9B-4AA7-A3F1-DB1FA1A02610}" = psqlODBC
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}" = XP Themes
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF7C98E4-8813-4508-8297-79F35C0D3B50}" = InfoPrint AFP Workbench Viewer
"{D1973749-F5E7-40EB-B528-F2B78685B9FF}" = essvcpt
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare Software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers
"{DD791F83-EF60-4D31-8DEB-B2FD44D0640F}" = M/TEXT Print WorkBench
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EA9C480D-BB9D-4F8F-9C7D-41034633568D}" = Citrix ICA-Client
"{EE899171-9FBD-4650-A1C2-A937342B57A9}" = InfoPrint AFP Workbench Viewer
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F151F2B3-0C32-44D3-90E2-E639B8024622}" = Rescue and Recovery
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F3F1D08D-ABEF-4528-8383-54C46369EBB6}" = TV Jukebox 3.1
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F705E3E1-A471-426B-9A09-73429F3418EE}" = System Migration Assistant
"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{F9EA1C47-64A6-45E4-9A80-8CC1575B971D}" = Nokia Ovi System Utilities
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FDF9943A-3D5C-46B3-9679-586BD237DDEE}" = SKIN0001
"3CACB583EF817A2B8D1C5C0747505F911EAD1803" = Windows Driver Package - Broadcom (BTWUSB) BTW (12/19/2006 5.1.0.2900)
"3ED5D2ADDDB58B2D47B0133B989EE0BAEAC0A30C" = Windows Driver Package - Broadcom (BTWDNDIS) Net (10/03/2006 5.1.0.2400)
"3F3636E311EF6302AA0FD4E15A7FE39C5E240A7E" = Windows Driver Package - Broadcom (btwmodem) Modem (10/03/2006 5.1.0.2400)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows-Treiberpaket - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"545FAB1A3508003E71885551FF8D3273CE17FE6F" = Windows Driver Package - Broadcom (btwhid) HIDClass (11/28/2006 5.1.0.2700)
"5F70674AC9EDD12C24BE5DB07E99A9CDB4A9E91E" = Windows Driver Package - Broadcom (BTDriver) Ports (10/03/2006 5.1.0.2400)
"71D887CCEBAFF7D3BB673555FF2D2BA13A1430F3" = Windows Driver Package - Broadcom (btkrnl) BTW (02/27/2007 5.1.0.3100)
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amyuni PDF Converter" = Amyuni PDF Converter
"BDE" = Borland Database Engine
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"D3D2FEA878CEAD236C7DC04EEBFE171A019D5A76" = Windows Driver Package - Broadcom (btwmodem) Modem (10/03/2006 5.1.0.2400)
"EEBD6BCFDD1ECA8535C1D7E09534F1D988EC2899" = Windows Driver Package - WIDCOMM Image (10/03/2006 5.1.0.2400)
"F1D5FA9C3CFD2F42634593E62560D8FADE330B8A" = Windows Driver Package - Broadcom Corp. (btaudio) Media (01/11/2007 5.1.0.2900)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MTEXT43sta" = M/TEXT 4.3 Standalone
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia Ovi Application Installer" = Nokia Ovi Application Installer 6.85.3011
"Nokia Ovi Content Copier" = Nokia Ovi Content Copier 6.85.3011
"Nokia Ovi System Utilities" = Nokia Ovi System Utilities 6.85.3018
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"OnScreenDisplay" = Anzeige am Bildschirm
"PC-Doctor 5 for Windows" = PC-Doctor 5 für Windows
"PCMCIAPW" = ThinkPad PC Card Power Policy
"Picasa2" = Picasa 2
"Power Management Driver" = ThinkPad Power Management Driver
"ProInst" = Intel® PROSet/Wireless Software
"PROSet" = Intel® Network Connections Drivers
"Remove Multimedia Center" = Remove Multimedia Center
"SAPFrontend" = SAP Front End
"Siemens CAP TAPI Service Provider" = Siemens CAP TAPI Service Provider
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"TN3270 Plus" = TN3270 Plus
"VMware_Player" = VMware Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00C58EBE-223E-4AB6-8AE9-38F27F4420BD}" = WISO Sparbuch 2009

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11.11.2010 02:26:19 | Computer Name = NB-WINTERMEYER | Source = AutoEnrollment | ID = 15
Description = Die automatische Zertifikatregistrierung für "lokaler Computer" konnte
keine Verbindung zum Active Directory (0x8007054b) herstellen. Die angegebene Domäne
ist nicht vorhanden oder es konnte keine Verbindung hergestellt werden. Die Registrierung
wird nicht durchgeführt.

Error - 11.11.2010 02:45:00 | Computer Name = NB-WINTERMEYER | Source = Userenv | ID = 1054
Description = Der Domänencontrollername für das Computernetzwerk konnte nicht ermittelt
werden. (Die angegebene Domäne ist nicht vorhanden oder es konnte keine Verbindung
hergestellt werden. ). Die Verarbeitung der Gruppenrichtlinie wurde abgebrochen.

Error - 11.11.2010 02:45:01 | Computer Name = NB-WINTERMEYER | Source = AutoEnrollment | ID = 15
Description = Die automatische Zertifikatregistrierung für "lokaler Computer" konnte
keine Verbindung zum Active Directory (0x8007054b) herstellen. Die angegebene Domäne
ist nicht vorhanden oder es konnte keine Verbindung hergestellt werden. Die Registrierung
wird nicht durchgeführt.

Error - 11.11.2010 09:03:37 | Computer Name = NB-WINTERMEYER | Source = Userenv | ID = 1054
Description = Der Domänencontrollername für das Computernetzwerk konnte nicht ermittelt
werden. (Der Host war bei einem Socketvorgang nicht erreichbar. ). Die Verarbeitung
der Gruppenrichtlinie wurde abgebrochen.

Error - 11.11.2010 13:35:30 | Computer Name = NB-WINTERMEYER | Source = Userenv | ID = 1054
Description = Der Domänencontrollername für das Computernetzwerk konnte nicht ermittelt
werden. (Die angegebene Domäne ist nicht vorhanden oder es konnte keine Verbindung
hergestellt werden. ). Die Verarbeitung der Gruppenrichtlinie wurde abgebrochen.

Error - 11.11.2010 13:35:30 | Computer Name = NB-WINTERMEYER | Source = AutoEnrollment | ID = 15
Description = Die automatische Zertifikatregistrierung für "lokaler Computer" konnte
keine Verbindung zum Active Directory (0x8007054b) herstellen. Die angegebene Domäne
ist nicht vorhanden oder es konnte keine Verbindung hergestellt werden. Die Registrierung
wird nicht durchgeführt.

Error - 12.11.2010 02:17:01 | Computer Name = NB-WINTERMEYER | Source = Userenv | ID = 1054
Description = Der Domänencontrollername für das Computernetzwerk konnte nicht ermittelt
werden. (Die angegebene Domäne ist nicht vorhanden oder es konnte keine Verbindung
hergestellt werden. ). Die Verarbeitung der Gruppenrichtlinie wurde abgebrochen.

Error - 12.11.2010 02:17:01 | Computer Name = NB-WINTERMEYER | Source = AutoEnrollment | ID = 15
Description = Die automatische Zertifikatregistrierung für "lokaler Computer" konnte
keine Verbindung zum Active Directory (0x8007054b) herstellen. Die angegebene Domäne
ist nicht vorhanden oder es konnte keine Verbindung hergestellt werden. Die Registrierung
wird nicht durchgeführt.

Error - 12.11.2010 02:21:26 | Computer Name = NB-WINTERMEYER | Source = Userenv | ID = 1054
Description = Der Domänencontrollername für das Computernetzwerk konnte nicht ermittelt
werden. (Die angegebene Domäne ist nicht vorhanden oder es konnte keine Verbindung
hergestellt werden. ). Die Verarbeitung der Gruppenrichtlinie wurde abgebrochen.

Error - 12.11.2010 02:21:28 | Computer Name = NB-WINTERMEYER | Source = AutoEnrollment | ID = 15
Description = Die automatische Zertifikatregistrierung für "lokaler Computer" konnte
keine Verbindung zum Active Directory (0x8007054b) herstellen. Die angegebene Domäne
ist nicht vorhanden oder es konnte keine Verbindung hergestellt werden. Die Registrierung
wird nicht durchgeführt.

[ System Events ]
Error - 11.11.2010 15:22:28 | Computer Name = NB-WINTERMEYER | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb der
nächsten 119 Minuten wird kein Versuch unternommen, eine Verbindung mit der Quelle
herzustellen. Der NtpClient verfügt über keine Quelle mit genauer Zeit.

Error - 11.11.2010 16:35:47 | Computer Name = NB-WINTERMEYER | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb der
nächsten 14 Minuten wird kein Versuch unternommen, eine Verbindung mit der Quelle
herzustellen. Der NtpClient verfügt über keine Quelle mit genauer Zeit.

Error - 12.11.2010 02:17:01 | Computer Name = NB-WINTERMEYER | Source = NETLOGON | ID = 5719
Description = Es steht kein Domänencontroller für die Domäne KWSOFT aus folgendem
Grund zur Verfügung: %%1311. Stellen Sie sicher, dass der Computer mit dem Netzwerk
verbunden ist, und versuchen Sie es erneut. Wenden Sie sich an den Domänenadministrator,
wenn das Problem weiterhin besteht.

Error - 12.11.2010 02:17:11 | Computer Name = NB-WINTERMEYER | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb der
nächsten 14 Minuten wird kein Versuch unternommen, eine Verbindung mit der Quelle
herzustellen. Der NtpClient verfügt über keine Quelle mit genauer Zeit.

Error - 12.11.2010 02:17:11 | Computer Name = NB-WINTERMEYER | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb der
nächsten 15 Minuten wird kein Versuch unternommen, eine Verbindung mit der Quelle
herzustellen. Der NtpClient verfügt über keine Quelle mit genauer Zeit.

Error - 12.11.2010 02:21:26 | Computer Name = NB-WINTERMEYER | Source = NETLOGON | ID = 5719
Description = Es steht kein Domänencontroller für die Domäne KWSOFT aus folgendem
Grund zur Verfügung: %%1311. Stellen Sie sicher, dass der Computer mit dem Netzwerk
verbunden ist, und versuchen Sie es erneut. Wenden Sie sich an den Domänenadministrator,
wenn das Problem weiterhin besteht.

Error - 12.11.2010 02:21:34 | Computer Name = NB-WINTERMEYER | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb der
nächsten 15 Minuten wird kein Versuch unternommen, eine Verbindung mit der Quelle
herzustellen. Der NtpClient verfügt über keine Quelle mit genauer Zeit.

Error - 12.11.2010 02:21:34 | Computer Name = NB-WINTERMEYER | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb der
nächsten 15 Minuten wird kein Versuch unternommen, eine Verbindung mit der Quelle
herzustellen. Der NtpClient verfügt über keine Quelle mit genauer Zeit.

Error - 12.11.2010 02:22:54 | Computer Name = NB-WINTERMEYER | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb der
nächsten 14 Minuten wird kein Versuch unternommen, eine Verbindung mit der Quelle
herzustellen. Der NtpClient verfügt über keine Quelle mit genauer Zeit.

Error - 12.11.2010 02:29:30 | Computer Name = NB-WINTERMEYER | Source = W32Time | ID = 39452701
Description = Der Zeitanbieter "NtpClient" wurde für die Zeiterfassung von mehreren
Zeitquellen konfiguriert. Es ist jedoch Keine der Quellen verfügbar. Innerhalb der
nächsten 15 Minuten wird kein Versuch unternommen, eine Verbindung mit der Quelle
herzustellen. Der NtpClient verfügt über keine Quelle mit genauer Zeit.


< End of report >

#8 RPMcMurphy

    MalwareTeam Emeritus

  • Authentic Member
  • 2,326 posts

Posted 12 November 2010 - 11:17 AM

fred_trumper:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    MOD - [2010.10.14 17:30:06 | 000,050,688 | -H-- | M] () -- C:\WINDOWS\system32\asr_ay32.dll
    DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\nsnimusm.sys -- (nsnimusm)
    O2 - BHO: (no name) - {ED0CF0C8-62F1-4865-A3FD-2E2A2B50FAFA} - No CLSID value found.
    O2 - BHO: (Adobe PDF Reader Link Helper) - {F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88} - C:\WINDOWS\system32\AcroIEHelpe022.dll (Adobe Systems, Incorporated)
    O4 - HKLM..\Run: [] File not found
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\msicia32.exe) - C:\WINDOWS\System32\msicia32.exe File not found
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\appconf32.exe) - C:\WINDOWS\system32\appconf32.exe ()
    :Commands
    [EmptyFlash]
    [EmptyTemp]
    [Purity]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • OTL Fix log
  • ComboFix log

If you are being helped and you haven't replied within 5 days your topic will be closed as inactive.

ASAP & UNITE Member - Proud Graduate of the WTT Classroom

The help you receive here is free. If you wish to show your appreciation, then you may donate via PayPal (link in the original post).
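The two O20 lines in the fix above are a UserInit hijack: at logon Winlogon runs every comma-separated entry of the Winlogon Userinit value, and the stock value is a single entry, userinit.exe, followed by a trailing comma, so anything appended after it (here msicia32.exe and appconf32.exe) is started before the shell. The PowerShell below is an added example, not part of RPMcMurphy's post and not something OTL or ComboFix runs; it assumes PowerShell is installed and that the expected entry is %SystemRoot%\system32\userinit.exe (the layout on XP through Windows 7), and it only reports, it does not change anything.

```powershell
# Added example (not from the thread): audit the Winlogon Userinit value.
# Windows runs every comma-separated entry at logon; the stock value is a
# single entry, userinit.exe, followed by a trailing comma (assumed XP..Win7 layout).
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

function Test-Userinit {
    $value = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    Write-Host "Userinit = '$value'"
    # split on commas, drop quotes and the empty element behind the trailing comma
    $entries = $value -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -ne '' }
    $bad = @()
    foreach ($entry in $entries) {
        if ($entry -ieq $expected) { Write-Host "  OK       $entry"; continue }
        # a dangling entry (file gone, as OTL reported for msicia32.exe) is still a finding:
        # something wrote it, and Winlogon will keep trying to launch it
        $state = if (Test-Path -LiteralPath $entry) { 'present on disk' } else { 'file missing, dangling entry' }
        Write-Host "  SUSPECT  $entry  ($state)"
        $bad += $entry
    }
    return $bad
}

$suspects = @(Test-Userinit)
if ($suspects.Count -eq 0) {
    Write-Host 'Userinit is clean.'
} else {
    # Repair means rewriting the value to the single stock entry. Never delete the
    # value outright: with an empty Userinit nothing starts the shell and interactive
    # logon breaks, which is exactly the situation the Recovery Console is for.
    Write-Host 'Repair command (run as Administrator, after the listed files are dealt with):'
    Write-Host "  Set-ItemProperty -Path '$key' -Name Userinit -Value '$expected,'"
}
```

The same check is worth running against the Shell value in the same key (stock: explorer.exe), which malware hijacks the same way.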

#9 fred_trumper (New Member, Authentic Member, 17 posts)
Posted 14 November 2010 - 10:06 AM

RPMcMurphy, I appreciate your help. Below you will find the OTL Fix log and in the attachment the ComboFix log. I installed Microsoft Windows Recovery Console from the installation CD before I started ComboFix. ComboFix did not recognize that it was already installed. So ComboFix requested an internet connection, which I couldn't grant at that moment (weekend far away from home but your instructions on board). After clicking the OK button ComboFix ran on, booted the machine and after that produced the log file you find attached.

All processes killed
========== OTL ==========
Service nsnimusm stopped successfully!
Service nsnimusm deleted successfully!
File C:\WINDOWS\System32\drivers\nsnimusm.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED0CF0C8-62F1-4865-A3FD-2E2A2B50FAFA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED0CF0C8-62F1-4865-A3FD-2E2A2B50FAFA}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\ deleted successfully.
C:\WINDOWS\system32\AcroIEHelpe022.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\msicia32.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\appconf32.exe deleted successfully.
File move failed. C:\WINDOWS\system32\appconf32.exe scheduled to be moved on reboot.
========== COMMANDS ==========
[EMPTYFLASH]
User: admin-2
User: Administrator
User: All Users
User: Default User
User: install
->Flash cache emptied: 456 bytes
User: LocalService
User: NetworkService
User: otto
User: winter
->Flash cache emptied: 17318 bytes
User: winter.NB-WINTERMEYER
->Flash cache emptied: 2616768 bytes
User: Wintermeyer
Total Flash Files Cleaned = 3,00 mb
[EMPTYTEMP]
User: admin-2
->Temp folder emptied: 294912 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: Administrator
->Temp folder emptied: 24867154 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 294912 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: install
->Temp folder emptied: 42973065 bytes
->Temporary Internet Files folder emptied: 33180 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: LocalService
->Temp folder emptied: 2209432 bytes
->Temporary Internet Files folder emptied: 32969 bytes
User: NetworkService
->Temp folder emptied: 2206520 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: otto
->Temp folder emptied: 295184 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: winter
->Temp folder emptied: 1052916617 bytes
->Temporary Internet Files folder emptied: 33180 bytes
->Java cache emptied: 48742234 bytes
->FireFox cache emptied: 52762284 bytes
->Flash cache emptied: 0 bytes
User: winter.NB-WINTERMEYER
->Temp folder emptied: 244616271 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 50362482 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Wintermeyer
->Temp folder emptied: 298078 bytes
->Temporary Internet Files folder emptied: 1307437 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2676215 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 88517554 bytes
RecycleBin emptied: 9746 bytes
Total Files Cleaned = 1.541,00 mb
OTL by OldTimer - Version 3.2.17.3 log created on 11142010_162748
Files\Folders moved on Reboot...
C:\WINDOWS\system32\appconf32.exe moved successfully.
C:\WINDOWS\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-1156.log moved successfully.
Registry entries deleted on Reboot...


#10 RPMcMurphy (MalwareTeam Emeritus, Authentic Member, 2,326 posts)
Posted 14 November 2010 - 04:12 PM

fred_trumper:

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
rem List everything under the folder, including hidden and system files (/a),
rem recursing into subfolders (/s), and capture the listing to a text file.
dir /a /s "c:\windows\system32\5008" > log.txt
rem Open the listing in Notepad; the batch file waits until Notepad is closed,
rem then removes the temporary file.
notepad log.txt
del log.txt

Save this as peek.bat Choose to "Save type as - All Files"
It should look like this: Posted Image
Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • peek.bat log contents
  • MBAM log


#11 fred_trumper (New Member, Authentic Member, 17 posts)
Posted 17 November 2010 - 12:30 PM

RPMcMurphy,

here is the result of peek.bat:
Volume in drive C is NB-WINTERMEYER
Volume Serial Number: 200D-6783

Directory of c:\windows\system32\5008

10.11.2010 20:17 <DIR> .
10.11.2010 20:17 <DIR> ..
10.11.2010 20:17 <DIR> components
10.11.2010 20:17 539 install.rdf
1 File(s) 539 bytes

Directory of c:\windows\system32\5008\components

10.11.2010 20:17 <DIR> .
10.11.2010 20:17 <DIR> ..
10.11.2010 20:17 77 AcroFF.txt
10.11.2010 20:17 195,920 AcroFF008.dll
2 File(s) 195,997 bytes

Total Files Listed:
3 File(s) 196,536 bytes
5 Dir(s) 117,030,682,624 bytes free


And this is the mbam log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5138

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17.11.2010 19:26:04
mbam-log-2010-11-17 (19-26-04).txt

Scan type: Quick scan
Objects scanned: 213976
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\linkrdr.aiebho (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\linkrdr.aiebho.1 (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\tst (Trojan.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\xmldm (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
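The folder peek.bat listed has the layout of a Firefox extension (an install.rdf manifest plus a components folder holding a DLL) sitting directly under system32, where no legitimate add-on installs itself. Firefox only loads a folder like that if something registers it: one documented route is a value under HKLM\SOFTWARE\Mozilla\Firefox\Extensions (or the HKCU equivalent) whose name is the extension ID and whose data is the folder path, so that key is the next thing to inspect. The PowerShell below is an added example, not from the thread and not from any tool used in it; the registry keys and the install.rdf namespace are Firefox's own, while the list of "suspect roots" is this editor's choice.

```powershell
# Added example (not from the thread): list Firefox extensions registered through the
# registry and show where each one lives. On 64-bit Windows also check
# HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions.
$keys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)
# Folders a genuine add-on never installs into (editor's own list, adjust as needed).
$suspectRoots = @("$env:SystemRoot\system32", "$env:SystemRoot\Temp", $env:TEMP)
$ns = @{ em = 'http://www.mozilla.org/2004/em-rdf#' }   # install.rdf namespace

function Get-RdfField($rdfPath, $field) {
    # install.rdf may carry em:id / em:name as child elements or as attributes
    [xml]$x = Get-Content -LiteralPath $rdfPath
    $hit = Select-Xml -Xml $x -XPath "//em:$field | //@em:$field" -Namespace $ns | Select-Object -First 1
    if ($hit) { return $hit.Node.InnerText.Trim() }
    return '(none)'
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }       # PowerShell's own PSPath/PSDrive/... metadata
        $id  = $prop.Name
        $dir = [string]$prop.Value
        if (-not $dir) { continue }
        $flag = ''
        foreach ($root in $suspectRoots) {
            if ($root -and $dir.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $flag = '  <-- lives under a system/temp folder'
            }
        }
        Write-Host $key
        Write-Host ("  {0} -> {1}{2}" -f $id, $dir, $flag)
        $rdf = Join-Path $dir 'install.rdf'
        if (Test-Path -LiteralPath $rdf) {
            Write-Host ("    manifest id: {0}   name: {1}" -f (Get-RdfField $rdf 'id'), (Get-RdfField $rdf 'name'))
        } else {
            Write-Host '    no install.rdf (registration is dangling)'
        }
        # binary components are the part worth hashing and submitting for analysis
        Get-ChildItem -LiteralPath (Join-Path $dir 'components') -Filter *.dll -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host ("    component DLL: {0} ({1} bytes)" -f $_.FullName, $_.Length) }
    }
}
```

A registration that points into system32, or whose folder matches the pattern above, is the thing to hand to the helper; removing the registry value stops Firefox loading the folder, and the folder itself should be quarantined rather than simply deleted so the DLL can still be analysed.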

#12 RPMcMurphy (MalwareTeam Emeritus, Authentic Member, 2,326 posts)
Posted 17 November 2010 - 02:29 PM

fred_trumper:

How is your computer running now? Please do this next:

Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • How is your computer running?
  • ESET log


#13 fred_trumper (New Member, Authentic Member, 17 posts)
Posted 17 November 2010 - 04:33 PM

RPMcMurphy, the problem why I started this thread is still not solved. Each time I open a new link (Mozilla Firefox) it seems to be loaded twice: once for a very short moment, then the screen gets white and then the second version appears (and seems to be OK).

ESET online scanner: I did exactly what was written in the instructions. But the program didn't do what it was supposed to. After "Start" there was the initialisation and the update process, but after that the scan process started immediately. There was no chance to uncheck "Remove found threats". After the scan there was no "Details" tab. Instead "Scan result" was shown and accompanied by the message "Threats found and cleaned". The only option to get some logging information was to click the "list of found threats". This is what I will insert here:

C:\Dokumente und Einstellungen\winter\Eigene Dateien\fwrc11.exe  Win32/Adware.ErrorRepairPro application  deleted - quarantined
C:\Dokumente und Einstellungen\winter\Eigene Dateien\PRO-ver355.exe  Win32/Adware.ErrorRepairPro application  deleted - quarantined
C:\Qoobox\Quarantine\C\Dokumente und Einstellungen\winter.NB-WINTERMEYER\Anwendungsdaten\Xexiv\oveh.exe.vir  Win32/Spy.Zbot.YW trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP37\A0006595.exe  a variant of Win32/Spy.Banker.UOR trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP37\A0006598.dll  Win32/PSW.Papras.AW trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP38\A0006606.exe  Win32/Spy.Zbot.ZR trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP38\A0006607.exe  Win32/Spy.Zbot.ZR trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP41\A0007189.exe  a variant of Win32/Spy.Banker.UOR trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP41\A0007194.dll  a variant of Win32/Kryptik.HQY trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP41\A0014995.exe  a variant of Win32/Spy.Banker.UOR trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP42\A0015827.sys  Win32/Olmarik.ZC trojan  cleaned - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP44\A0016297.exe  a variant of Win32/Spy.Banker.URD trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP50\A0016346.exe  Win32/Spy.Banker.UPY trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP50\A0017372.exe  a variant of Win32/Spy.Banker.VZY trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP51\A0017452.exe  a variant of Win32/Spy.Banker.VZY trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP51\A0017579.exe  a variant of Win32/Spy.Banker.VZY trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFFA}\RP53\A0017739.exe  Win32/Spy.Zbot.YW trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{CDF1D4B2-B5B0-438E-81E2-52964F172A45}\RP25\A0023686.dll  Win32/PSW.Papras.AW trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{CDF1D4B2-B5B0-438E-81E2-52964F172A45}\RP25\A0023687.dll  Win32/PSW.Papras.AW trojan  cleaned by deleting - quarantined
C:\System Volume Information\_restore{CDF1D4B2-B5B0-438E-81E2-52964F172A45}\RP25\A0023688.dll  Win32/PSW.Papras.AW trojan  cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ay32.dll  Win32/PSW.Papras.AW trojan  cleaned by deleting - quarantined

#14 RPMcMurphy (MalwareTeam Emeritus, Authentic Member, 2,326 posts)
Posted 18 November 2010 - 08:22 PM

fred_trumper:

Please run DDS for me again and post the new DDS.txt file, (I don't need to see the Attach.txt log this time).

Please include the following in your next post:
  • DDS.txt log


#15 fred_trumper (New Member, Authentic Member, 17 posts)
Posted 19 November 2010 - 01:57 PM

RPMcMurphy: Attached you will find the requested logfile.

Attached File: DDS.txt (12.87KB, 244 downloads)
