TechSpot

Been infected due to recent Java security flaw - anything left?

Solved
By chmsta
Sep 4, 2012
  1. Hi guys. Late Sunday night my PC got infected with some kind of malicious software while surfing. (Java was not up to date, because we had just come back from holidays.) AntiVir responded to something, but it was already too late. The PC rebooted by itself, and afterwards I couldn't access anything. The desktop was just some white Explorer-like window which stated that the connection to some site could not be established. Nothing else could be done. After searching a bit with my notebook, I tried some things in the hope of getting rid of the problem, which I kind of did; I'm just not sure if I was able to remove everything that has been infected. Hopefully you can help me here.

    What did I do after I noticed the infection?

    I used my notebook to search for a solution. Finally I created a Kaspersky Rescue Disk on a USB stick and used it to scan my system. Although it found some things and removed them, the problem still existed. I then booted Windows in safe mode, uninstalled many things I wasn't using anymore and by accident also found a so-called ja.exe in the autostart of Windows. I deleted it. After a reboot the problem was gone. I have installed some other kinds of anti-virus tools since then, and all of them find nothing suspicious at all. But I still wasn't sure if there is not something left over, so I started searching again. I stumbled across a tool called aswMBR and used it. I scanned my system with some of the programs also listed here on your site, created logs and tried to find something suspicious. But well, I finally do realize I don't know what the hell I'm actually looking for, let alone what to do to resolve any issues. I'm totally paranoid right now and kind of freaking out... help me please.

    I read your 5-step Viruses/Spyware/Malware Preliminary Removal Instructions, I'm just not sure if it makes any sense to follow them now, since I already did so many things... so I'm just going to post the logs I created during my panic attack.


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-09-03 16:46:35
    -----------------------------
    16:46:35.382 OS Version: Windows 6.1.7601 Service Pack 1
    16:46:35.382 Number of processors: 4 586 0x402
    16:46:35.382 ComputerName: STELLA-PC UserName: Stella
    16:46:35.975 Initialize success
    16:47:08.081 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
    16:47:08.081 Disk 0 Vendor: AMD_____ 1.10 Size: 953805MB BusType: 8
    16:47:08.081 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000061
    16:47:08.097 Disk 1 Vendor: SAMSUNG_ 1AA0 Size: 953869MB BusType: 8
    16:47:08.097 Disk 0 MBR read successfully
    16:47:08.112 Disk 0 MBR scan
    16:47:08.112 Disk 0 Windows 7 default MBR code
    16:47:08.128 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    16:47:08.144 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 199900 MB offset 206848
    16:47:08.159 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 753803 MB offset 409602048
    16:47:08.159 Disk 0 scanning sectors +1953390592
    16:47:08.190 Disk 0 scanning C:\Windows\system32\drivers
    16:47:12.777 Service scanning
    16:47:22.620 Modules scanning
    16:47:28.798 Disk 0 trace - called modules:
    16:47:28.814 ntkrnlpa.exe CLASSPNP.SYS disk.sys storport.sys halmacpi.dll amdsbs.sys
    16:47:28.814 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d68a78]
    16:47:28.814 3 CLASSPNP.SYS[8c1c959e] -> nt!IofCallDriver -> \Device\00000060[0x85d6bc68]
    16:47:28.829 Scan finished successfully
    16:48:09.342 Disk 0 MBR has been saved successfully to "D:\Eigene Dateien\Desktop\MBR.dat"
    16:48:09.358 The log file has been saved successfully to "D:\Eigene Dateien\Desktop\aswMBR.txt"



    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-09-03 17:05:50
    -----------------------------
    17:05:50.278 OS Version: Windows 6.1.7601 Service Pack 1
    17:05:50.278 Number of processors: 4 586 0x402
    17:05:50.278 ComputerName: STELLA-PC UserName: Stella
    17:06:03.834 Initialize success
    17:06:08.974 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
    17:06:08.974 Disk 0 Vendor: AMD_____ 1.10 Size: 953805MB BusType: 8
    17:06:08.974 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000061
    17:06:08.989 Disk 1 Vendor: SAMSUNG_ 1AA0 Size: 953869MB BusType: 8
    17:06:08.989 Disk 0 MBR read successfully
    17:06:08.989 Disk 0 MBR scan
    17:06:08.989 Disk 0 Windows 7 default MBR code
    17:06:08.989 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    17:06:09.005 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 199900 MB offset 206848
    17:06:09.021 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 753803 MB offset 409602048
    17:06:09.021 Disk 0 scanning sectors +1953390592
    17:06:09.052 Disk 0 scanning C:\Windows\system32\drivers
    17:06:13.420 Service scanning
    17:06:22.983 Modules scanning
    17:06:32.951 Disk 0 trace - called modules:
    17:06:32.967 ntkrnlpa.exe CLASSPNP.SYS disk.sys storport.sys halmacpi.dll amdsbs.sys nvlddmkm.sys dxgkrnl.sys dxgmms1.sys
    17:06:32.967 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d66030]
    17:06:32.982 3 CLASSPNP.SYS[8c1bf59e] -> nt!IofCallDriver -> \Device\00000060[0x866698f0]
    17:06:32.982 Scan finished successfully
    17:06:46.920 Verifying
    17:06:56.951 Disk 0 Windows 601 MBR fixed successfully
    17:07:06.935 Disk 0 MBR has been saved successfully to "D:\Eigene Dateien\Desktop\MBR.dat"
    17:07:06.951 The log file has been saved successfully to "D:\Eigene Dateien\Desktop\aswMBR1.txt"


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-09-03 21:44:47
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000060 AMD_____ rev.1.10
    Running: eckchk3u.exe; Driver: C:\Users\Stella\AppData\Local\Temp\pwdiqpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT 927E02F6 ZwCreateSection
    SSDT 927E0300 ZwRequestWaitReplyPort
    SSDT 927E02FB ZwSetContextThread
    SSDT 927E0305 ZwSetSecurityObject
    SSDT 927E030A ZwSystemDebugControl
    SSDT 927E0297 ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 836853C9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 836BED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 836C5EAC 4 Bytes [F6, 02, 7E, 92] {TEST BYTE [EDX], 0x7e; XCHG EDX, EAX}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 1553 836C6208 4 Bytes [00, 03, 7E, 92] {ADD [EBX], AL; JLE 0xffffffffffffff96}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 1597 836C624C 4 Bytes [FB, 02, 7E, 92] {STI ; ADD BH, [ESI-0x6e]}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 1613 836C62C8 4 Bytes [05, 03, 7E, 92]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 836C631C 4 Bytes [0A, 03, 7E, 92] {OR AL, [EBX]; JLE 0xffffffffffffff96}
    .text ...
    ? System32\drivers\afhnhk.sys The system cannot find the path specified. !
    ? C:\Users\Stella\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Bind ????????????????t???????????????? ?????????????????????-????????????????????? ?????????????????????1??L????????? ???????????? ?????????????????????1????????????&???????????????????????? ?????????????????????1????????????????????? ?????????????????????1????????????????????????????????????usb\class_08&subclass_06&prot_50????usb.inf???????&?????????p ????N????????????D????????????????????????? ?????????????????????1????????????????????????????????? ?????????????????????1????????????????????????????? ?????s?6??????????????????????????????? ?????????????????????1????????????????????????????????????????? ?????????????????????1??????????????????????N?????????????????????????????????????????????? ?????????????????????1????????????&???????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1????????????????????{4d36e967-e325-11ce-bfc1-08002be10318}\0010?????????????? ?????????????????????1????????????????????????????????? ?????????????????????1?????????????????????I?I?I?I?I?
    Reg HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Route ????????\??\USB#VID_0830&PID_8002#1d479af1d22cef66f1b0674bda41b52f02acd63c#{a5dcbf10-6530-11d2-901f-00c04fb951ed}f??usb.inf:Generic.Section.NTx86:Composite.Dev:6.1.7601.17514:usb\composite????? ?????????????????????1????????????????????? ?????????????????????1????????????????????????????@usb.inf,%generic.mfg%;(Standard-USB-Hostcontroller)????RDPDR???????????monitor.inf?????hid_device??Im??????????t???????????????????????????? x?????????????????{36fc9e60-c465-11cf-8056-444553540000}\0022??????????????????????????9??????{4d36e967-e325-11ce-bfc1-08002be10318}\0001??????????????????????t??????t???????????????????????????????????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????????;?;???;?;?;???????;?;?;?;???;???;?????;?;???????4?4)/?????;?;??**?????;???4???? ??;????H????????;?;?;?;??? ???????? ????;???;?;???;?;??Y????4???????;?????;Y??4????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ????
    Reg HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Export ????????{d4dd8694-6edb-55f6-8e47-bd15c13787fc}?-10???????????s?????ssb???????????p???p????N?????????????????{4d36e967-e325-11ce-bfc1-08002be10318}????????X?????????????{4d36e967-e325-11ce-bfc1-08002be10318}\0005??e???? ??????d???e????????`??????w?g?w??@disk.inf,%genmanufacturer%;(Standardlaufwerke)?ic??????????????????.NT???????D?????????????????BUFFALO USB Flash Disk USB Device???????????????????????????ic??? ???????g??????????? ??????????????:\??? 4??????D??????????USBSTOR\Disk?USBSTOR\RAW??????N??????2?????Dtc??? ?????????????????????-??.???????????????????sd73??? ?????????????????????-?????????????????????????n??? ?????????????????????-????????N?????????????N??????0??????{03d25b69-c4c9-11df-aa8d-b1fa34548778}?? ???? ?????????????????????-?????????????????f??????????????????????????????????usb\class_08&subclass_06&prot_50??????N???????????D???????N??????4??????????????????????????? ???????;?????????????,????????????&????????????????????}??????????????????????????????????? \?????????????????????????????s??
    Reg HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage@Bind ????????????????? ?????????????????????1????????????&???????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1?????????????????????????????????????$??????????????????????????????????????????????????????????????????????????????????????? ?????????????????????1????????????????????? ?????? ??????????????1??????????????????????,???????????????????????????????????x?????? ?????????????????????1????????????????????????????????????????? ?????????????????????1????????:???????????????????????????????????????????????????????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1?????????????????????$??????????????????????????????machine.inf?????????????????????? ?????????????????????1?????????????????????????????????????????y??????s???? ?????????????????????1????????0?????????????:???????????h?????system32\DRIVERS\netbios.sys????????????? ?????????????????????1????????????????????? ?????????????????????1?????????????????????????????:?
    Reg HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage@Route ?????|??????????t????????????B??????????????????????????? ???????????????????????????????.??op??????????????????????????USB\VID_0830&PID_8002&REV_0316&MI_01?USB\VID_0830&PID_8002&MI_01?????????:??t?????????????????????????????????????????2??????????????????????????????????????????1???????????????????"?????s67??????????.NT??????????????????????????????????????????????????????????:???????????????????????t??????????????????????USB\Class_ff&SubClass_47&Prot_11?USB\Class_ff&SubClass_47?USB\Class_ff??11??USB\VID_1130&PID_0001&REV_0100?USB\VID_1130&PID_0001????????????????????????? `??????????????????????????I??A???????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????????????????????????????????????????????????????????1?1)/??????????**?????????1???? ???????H??????????????????:???????? ????1???????????????1?????1???????1?????????????????????????????????????n??ts????????????b????????????e????????????????????????????????????6.1.7601.17514?0.1??6to4mp.ndi?
    Reg HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage@Export ??P?4m??????????????????????????????????6.1.7600.16385??????? ??????????????????????????????????????.NT?.N???????????????????????????????????????????D??? ????D??????????????????8??????????????s???????????????????????????? ???????????????????????????????????????????????8???8??????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????????G?G???G?G?G???????G?G?G?G???G???G?????G?G???????9?9)/?????G?G??**?????G???9???? ??G????H????????G?G?G?G???????????? ????G???G?G???G?G??Y????9???????G?????GY??9????{4d36e96e-e325-11ce-bfc1-08002be10318}\0012??????????????????????????????s??t.???????????x??\????????????????/??????????????????????????????????????????hidserv.inf?????????????????????????os??????????????????????????????????6???????????????????????????????????????????????????????????????????????????cdrom_install???????????????????????????????? ??????????????????????????? ???3??Nicht-PnP-Monitor (Standard)????PnP-Monitor (Standard)?????????????????????????????

    ---- EOF - GMER 1.0.15 ----




    Hopefully you can help me. Sorry for my English, it's not my native language. Thanks for any help in advance.
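Added example (editor's code, not part of chmsta's post and not code from aswMBR, GMER or TechSpot): aswMBR saved the raw boot sector to "D:\Eigene Dateien\Desktop\MBR.dat", and the partition table it printed can be checked by hand. The script below parses such a 512-byte MBR image, lists the four primary partition entries the way aswMBR does, checks that the partitions are contiguous and do not overlap, counts the sectors after the last partition (the region aswMBR reports as "scanning sectors +N", which is where bootkits hide their payload), and compares the 440 bytes of boot code against a reference MBR. The sample MBR is constructed from the offsets and sizes in the first aswMBR log above; its boot code is a zero-filled placeholder, the disk signature is zeroed, and the function names (`parse_mbr`, `audit_partitions`, `boot_code_changed`, `build_sample_mbr`) are mine.

```python
import struct
import sys
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_BYTES = 512
TABLE_OFFSET = 446          # four 16-byte partition entries live at bytes 446..509
ENTRY_FMT = "<B3xB3xII"     # status, (CHS start), type, (CHS end), LBA start, sector count


@dataclass
class Partition:
    index: int        # 1-based slot in the table, as aswMBR numbers them
    active: bool      # status byte 0x80 ("80 (A)" in the aswMBR output)
    type_id: int      # 0x07 = HPFS/NTFS/exFAT
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition (exclusive end)."""
        return self.lba_start + self.sectors

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR_BYTES // (1024 * 1024)


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Parse the four primary partition entries of a raw 512-byte MBR sector."""
    if len(mbr) < SECTOR_BYTES:
        raise ValueError("need a full 512-byte sector")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    parts = []
    for slot in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + slot * 16)
        if type_id == 0 and sectors == 0:
            continue                                  # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"slot {slot + 1}: bogus status byte 0x{status:02x}")
        parts.append(Partition(slot + 1, status == 0x80, type_id, lba_start, sectors))
    return parts


def audit_partitions(parts: List[Partition], disk_sectors: int) -> Tuple[List[str], int]:
    """Sanity-check the table. Returns (findings, sectors after the last partition).

    The tail count is the region aswMBR reports as "scanning sectors +N": space past
    the last partition, which bootkits use to stash a payload. A large tail on a disk
    that should be fully allocated deserves a look.
    """
    findings = []
    ordered = sorted(parts, key=lambda p: p.lba_start)
    if sum(p.active for p in parts) != 1:
        findings.append("expected exactly one active (0x80) partition")
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_end:
            findings.append(f"partition {b.index} overlaps partition {a.index}")
        elif b.lba_start > a.lba_end:
            findings.append(f"{b.lba_start - a.lba_end} unallocated sectors "
                            f"between partitions {a.index} and {b.index}")
    if not ordered:
        return findings, disk_sectors
    last_end = ordered[-1].lba_end
    if last_end > disk_sectors:
        findings.append(f"partition {ordered[-1].index} runs past the end of the disk")
    return findings, max(disk_sectors - last_end, 0)


def boot_code_changed(mbr: bytes, reference: bytes) -> bool:
    """True if the 440 bytes of boot code differ from a reference MBR, e.g. one saved
    from a known-clean machine with the same Windows version. Disk signature and
    partition table are excluded because they legitimately differ per machine."""
    return mbr[:440] != reference[:440]


def build_sample_mbr(boot_code: bytes = b"\x00" * 440) -> bytes:
    """Constructed MBR reproducing the partition table from the aswMBR log above.
    The boot code is a placeholder; real Windows 7 MBR code is not reproduced here."""
    assert len(boot_code) == 440
    layout = [  # (status, type, LBA start, size in MB) as listed by aswMBR
        (0x80, 0x07, 2048, 100),
        (0x00, 0x07, 206848, 199900),
        (0x00, 0x07, 409602048, 753803),
        (0x00, 0x00, 0, 0),
    ]
    table = b"".join(struct.pack(ENTRY_FMT, s, t, start, mb * 2048)
                     for s, t, start, mb in layout)
    disk_sig = b"\x00" * 6      # 4-byte disk signature + 2 reserved bytes, zeroed here
    return boot_code + disk_sig + table + b"\x55\xaa"


DISK0_SECTORS = 953805 * 2048   # "Disk 0 ... Size: 953805MB" from the log; 2048 sectors per MB

if __name__ == "__main__":
    # Pass the MBR.dat that aswMBR saved to inspect a real dump; otherwise use the sample.
    mbr = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    parts = parse_mbr(mbr)
    for p in parts:
        flag = "80 (A)" if p.active else "00"
        print(f"Partition {p.index} {flag} {p.type_id:02X} {p.size_mb} MB offset {p.lba_start}")
    findings, tail = audit_partitions(parts, DISK0_SECTORS)
    print("findings:", findings or "none")
    print("sectors after last partition:", tail)
```

On the layout from the log the arithmetic closes: 2048 + 204800 = 206848, 206848 + 409395200 = 409602048, and 409602048 + 1543788544 = 1953390592, which is exactly the sector where aswMBR starts "scanning sectors +1953390592". With a 953805 MB disk that leaves 2048 sectors (1 MB) of tail, so there is almost no unallocated space for a bootkit to live in; the "Windows 7 default MBR code" line in the log is aswMBR's own version of the boot-code comparison done by `boot_code_changed`.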
     
  2. chmsta (TS Rookie, Topic Starter)

    OTL logfile created on: 04.09.2012 10:37:09 - Run 2
    OTL by OldTimer - Version 3.2.59.1 Folder = D:\Eigene Dateien\Desktop
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

    3,24 Gb Total Physical Memory | 2,85 Gb Available Physical Memory | 87,81% Memory free
    6,48 Gb Paging File | 6,11 Gb Available in Paging File | 94,26% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 195,21 Gb Total Space | 137,20 Gb Free Space | 70,28% Space Free | Partition Type: NTFS
    Drive D: | 736,14 Gb Total Space | 127,06 Gb Free Space | 17,26% Space Free | Partition Type: NTFS
    Drive F: | 4,37 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF

    Computer Name: STELLA-PC | User Name: Stella | Logged in as Administrator.
    Boot Mode: SafeMode | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012.09.03 13:33:36 | 000,598,528 | ---- | M] (OldTimer Tools) -- D:\Eigene Dateien\Desktop\OTL.exe
    PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


    ========== Modules (No Company Name) ==========


    ========== Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService)
    SRV - File not found [Disabled | Stopped] -- D:\Auction Studio\Database Server\bin\fb_inet_server.exe -- (FirebirdServerauctionstudio)
    SRV - [2012.08.28 21:23:55 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012.08.21 11:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2011.10.15 10:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2011.10.15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2011.06.06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2010.11.20 14:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
    SRV - [2010.11.20 14:18:03 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
    SRV - [2010.10.20 18:41:22 | 000,067,904 | ---- | M] (Nalpeiron Ltd.) [Auto | Stopped] -- C:\Windows\System32\NLSSRV32.EXE -- (nlsX86cc)
    SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
    SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\VBoxNetFlt.sys -- (VBoxNetFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbdev.sys -- (hwusbdev)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbnet.sys -- (ewusbnet)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\dsNcAdpt.sys -- (dsNcAdpt)
    DRV - [2012.08.21 11:13:15 | 000,729,752 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2012.08.21 11:13:15 | 000,355,632 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2012.08.21 11:13:15 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2012.08.21 11:13:14 | 000,058,680 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2012.08.21 11:13:14 | 000,044,784 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
    DRV - [2012.08.21 11:13:13 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2011.10.15 10:53:00 | 010,327,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2011.04.26 11:21:06 | 000,026,624 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
    DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
    DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
    DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
    DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
    DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
    DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
    DRV - [2010.05.15 16:46:44 | 000,863,616 | ---- | M] (ITE Technologies ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AF9035HB.sys -- (AF9035HB)
    DRV - [2009.12.17 16:02:34 | 000,099,152 | ---- | M] (Sun Microsystems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
    DRV - [2009.09.23 10:41:58 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
    DRV - [2007.01.12 11:20:38 | 000,093,056 | ---- | M] (C-Media Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cmiucr.SYS -- (CMISTOR)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/?ocid=iehp
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 55 F3 1D A0 D5 59 CD 01 [binary data]
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.suggest.enabled: false
    FF - prefs.js..browser.startup.homepage: "http://google.de/"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: youtube2mp3@mondayx.de:1.0.7
    FF - prefs.js..network.proxy.type: 0
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll File not found
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012.09.03 23:39:56 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.09.21 11:20:06 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]

    [2009.09.10 19:00:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stella\AppData\Roaming\mozilla\Extensions
    [2012.08.30 08:29:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stella\AppData\Roaming\mozilla\Firefox\Profiles\pwfurc0d.default\extensions
    [2012.08.15 02:25:58 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\Stella\AppData\Roaming\mozilla\Firefox\Profiles\pwfurc0d.default\extensions\ich@maltegoetz.de
    [2012.06.27 11:11:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012.09.03 23:39:56 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
    [2012.08.30 08:29:23 | 000,527,328 | ---- | M] () (No name found) -- C:\USERS\STELLA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PWFURC0D.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
    [2011.09.05 00:29:08 | 000,011,510 | ---- | M] () (No name found) -- C:\USERS\STELLA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PWFURC0D.DEFAULT\EXTENSIONS\YOUTUBE2MP3@MONDAYX.DE.XPI
    [2012.08.28 21:23:55 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012.02.16 10:36:59 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2012.06.27 11:26:07 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
    [2012.08.28 21:23:55 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012.06.27 11:26:07 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
    [2012.06.27 11:26:07 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
    [2012.06.27 11:26:07 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
    [2012.06.27 11:26:07 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

    O1 HOSTS File: ([2011.07.02 04:20:27 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized File not found
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O13 - gopher Prefix: missing
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O33 - MountPoints2\{45e98e34-c1eb-11e0-a74b-0024219c6709}\Shell - "" = AutoRun
    O33 - MountPoints2\{45e98e34-c1eb-11e0-a74b-0024219c6709}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{6d251ca2-136e-11e1-a709-002127fb2726}\Shell - "" = AutoRun
    O33 - MountPoints2\{6d251ca2-136e-11e1-a709-002127fb2726}\Shell\AutoRun\command - "" = E:\INSTALL.EXE
    O33 - MountPoints2\{8fff3137-e836-11df-b7be-a9f58e0b8f5e}\Shell - "" = AutoRun
    O33 - MountPoints2\{8fff3137-e836-11df-b7be-a9f58e0b8f5e}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{8fff3145-e836-11df-b7be-f89ffda93813}\Shell - "" = AutoRun
    O33 - MountPoints2\{8fff3145-e836-11df-b7be-f89ffda93813}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{9873c652-cc75-11df-b0ea-a80981197aa9}\Shell - "" = AutoRun
    O33 - MountPoints2\{9873c652-cc75-11df-b0ea-a80981197aa9}\Shell\AutoRun\command - "" = G:\setup.exe AUTORUN=1
    O33 - MountPoints2\{d437815f-6b8b-11e0-8fb7-002127fb2726}\Shell - "" = AutoRun
    O33 - MountPoints2\{d437815f-6b8b-11e0-8fb7-002127fb2726}\Shell\AutoRun\command - "" = G:\AutoRun.exe
    O33 - MountPoints2\{d437816b-6b8b-11e0-8fb7-002127fb2726}\Shell - "" = AutoRun
    O33 - MountPoints2\{d437816b-6b8b-11e0-8fb7-002127fb2726}\Shell\AutoRun\command - "" = G:\AutoRun.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012.09.04 08:43:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
    [2012.09.04 08:43:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
    [2012.09.04 08:43:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2012.09.04 08:40:36 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- D:\Eigene Dateien\Desktop\spybotsd162.exe
    [2012.09.03 23:40:14 | 000,355,632 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2012.09.03 23:40:14 | 000,021,256 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2012.09.03 23:40:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2012.09.03 23:40:11 | 000,044,784 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr2.sys
    [2012.09.03 23:40:10 | 000,054,232 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2012.09.03 23:40:09 | 000,729,752 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2012.09.03 23:40:08 | 000,058,680 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2012.09.03 23:39:52 | 000,041,224 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
    [2012.09.03 23:39:51 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2012.09.03 23:39:44 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2012.09.03 23:39:44 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2012.09.03 16:46:28 | 004,731,392 | ---- | C] (AVAST Software) -- D:\Eigene Dateien\Desktop\aswMBR.exe
    [2012.09.03 16:25:14 | 000,598,528 | ---- | C] (OldTimer Tools) -- D:\Eigene Dateien\Desktop\OTL.exe
    [2012.09.03 15:48:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2012.09.03 11:51:41 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
    [2012.08.15 14:29:58 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
    [2012.08.15 14:29:57 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
    [2012.08.15 14:29:57 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
    [2012.08.15 14:29:57 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
    [2012.08.15 14:29:56 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
    [2012.08.15 14:29:56 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
    [2012.08.15 14:29:56 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
    [2012.08.15 13:13:19 | 000,400,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\srcore.dll
    [2012.08.15 13:13:18 | 002,345,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
    [2012.08.15 13:13:15 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browcli.dll
    [2012.08.11 18:21:10 | 000,000,000 | ---D | C] -- D:\Eigene Dateien\Documents\gegl-0.0
    [2012.08.06 18:38:11 | 000,000,000 | ---D | C] -- D:\Eigene Dateien\Desktop\pics
    [2012.03.18 16:29:08 | 076,763,504 | ---- | C] (Apple Inc.) -- C:\Users\Stella\iTunes64Setup.exe

    ========== Files - Modified Within 30 Days ==========

    [2012.09.04 10:35:21 | 000,801,342 | ---- | M] () -- C:\Windows\System32\perfh007.dat
    [2012.09.04 10:35:21 | 000,181,122 | ---- | M] () -- C:\Windows\System32\perfc007.dat
    [2012.09.04 10:30:47 | 2610,757,632 | -HS- | M] () -- C:\hiberfil.sys
    [2012.09.04 08:40:55 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- D:\Eigene Dateien\Desktop\spybotsd162.exe
    [2012.09.04 00:46:11 | 000,015,872 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012.09.04 00:46:11 | 000,015,872 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012.09.03 23:45:25 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
    [2012.09.03 23:40:15 | 000,002,039 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2012.09.03 23:40:08 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2012.09.03 23:37:42 | 093,654,616 | ---- | M] () -- D:\Eigene Dateien\Desktop\avast_free_antivirus_setup.exe
    [2012.09.03 21:29:20 | 000,080,384 | ---- | M] () -- D:\Eigene Dateien\Desktop\MBRCheck.exe
    [2012.09.03 20:42:14 | 000,302,592 | ---- | M] () -- D:\Eigene Dateien\Desktop\eckchk3u.exe
    [2012.09.03 17:07:06 | 000,000,512 | ---- | M] () -- D:\Eigene Dateien\Desktop\MBR.dat
    [2012.09.03 16:44:08 | 004,731,392 | ---- | M] (AVAST Software) -- D:\Eigene Dateien\Desktop\aswMBR.exe
    [2012.09.03 16:22:47 | 000,126,200 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012.09.03 16:22:47 | 000,004,252 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012.09.03 15:48:23 | 000,000,592 | ---- | M] () -- C:\Windows\tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
    [2012.09.03 15:27:59 | 000,000,592 | ---- | M] () -- C:\Windows\tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job
    [2012.09.03 13:33:36 | 000,598,528 | ---- | M] (OldTimer Tools) -- D:\Eigene Dateien\Desktop\OTL.exe
    [2012.08.21 11:13:15 | 000,729,752 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2012.08.21 11:13:15 | 000,355,632 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2012.08.21 11:13:15 | 000,054,232 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2012.08.21 11:13:14 | 000,058,680 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2012.08.21 11:13:14 | 000,044,784 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr2.sys
    [2012.08.21 11:13:13 | 000,021,256 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2012.08.21 11:12:33 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [2012.08.21 11:12:23 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2012.08.17 19:12:03 | 001,445,677 | ---- | M] () -- D:\Eigene Dateien\Desktop\bu_info_alteleipziger.pdf
    [2012.08.16 14:46:33 | 000,221,632 | ---- | M] () -- D:\Eigene Dateien\Desktop\Meldebogen_2012.pdf
    [2012.08.15 14:46:40 | 000,319,832 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012.08.12 14:14:59 | 000,116,665 | ---- | M] () -- D:\Eigene Dateien\Desktop\IMG_1005.JPG
    [2012.08.11 18:23:45 | 000,007,813 | ---- | M] () -- C:\Users\Stella\.recently-used.xbel
    [2012.08.07 13:20:44 | 000,000,217 | ---- | M] () -- D:\Eigene Dateien\Desktop\Yousofe_Payambar_44.wmv
    [2012.08.07 13:20:37 | 052,736,000 | ---- | M] () -- D:\Eigene Dateien\Desktop\Yousofe_Payambar_44.wmv.part
    [2012.08.06 18:37:56 | 009,754,909 | ---- | M] () -- D:\Eigene Dateien\Desktop\pics.zip
    [2012.08.06 02:55:18 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
    [2012.08.05 22:36:57 | 000,051,223 | ---- | M] () -- C:\Users\Public\Documents\rechnung.pdf

    ========== Files Created - No Company Name ==========

    [2012.09.03 23:40:15 | 000,002,039 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2012.09.03 23:35:46 | 093,654,616 | ---- | C] () -- D:\Eigene Dateien\Desktop\avast_free_antivirus_setup.exe
    [2012.09.03 21:30:51 | 000,080,384 | ---- | C] () -- D:\Eigene Dateien\Desktop\MBRCheck.exe
    [2012.09.03 21:30:48 | 000,302,592 | ---- | C] () -- D:\Eigene Dateien\Desktop\eckchk3u.exe
    [2012.09.03 16:48:09 | 000,000,512 | ---- | C] () -- D:\Eigene Dateien\Desktop\MBR.dat
    [2012.09.03 15:48:23 | 000,000,592 | ---- | C] () -- C:\Windows\tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
    [2012.09.03 15:27:59 | 000,000,592 | ---- | C] () -- C:\Windows\tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job
    [2012.08.17 19:12:03 | 001,445,677 | ---- | C] () -- D:\Eigene Dateien\Desktop\bu_info_alteleipziger.pdf
    [2012.08.16 14:46:33 | 000,221,632 | ---- | C] () -- D:\Eigene Dateien\Desktop\Meldebogen_2012.pdf
    [2012.08.11 18:23:45 | 000,007,813 | ---- | C] () -- C:\Users\Stella\.recently-used.xbel
    [2012.08.11 01:04:41 | 000,116,665 | ---- | C] () -- D:\Eigene Dateien\Desktop\IMG_1005.JPG
    [2012.08.07 12:51:16 | 052,736,000 | ---- | C] () -- D:\Eigene Dateien\Desktop\Yousofe_Payambar_44.wmv.part
    [2012.08.07 12:51:16 | 000,000,217 | ---- | C] () -- D:\Eigene Dateien\Desktop\Yousofe_Payambar_44.wmv
    [2012.08.06 18:37:28 | 009,754,909 | ---- | C] () -- D:\Eigene Dateien\Desktop\pics.zip
    [2012.08.05 22:36:54 | 000,051,223 | ---- | C] () -- C:\Users\Public\Documents\rechnung.pdf
    [2012.03.20 17:52:14 | 000,016,111 | ---- | C] () -- C:\Users\Stella\Unbenannt 1.odt
    [2011.10.15 01:54:52 | 000,321,856 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe
    [2011.06.10 06:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
    [2011.04.18 13:34:36 | 000,002,413 | ---- | C] () -- C:\Users\Stella\AppData\Roaming\MPQEditor.ini
    [2011.04.16 17:34:40 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2011.01.08 05:25:41 | 420,372,268 | ---- | C] () -- C:\Users\Stella\ts3_recording_11_01_08_4_25_38.wav
    [2010.11.25 21:25:29 | 000,038,291 | ---- | C] () -- C:\Users\Stella\Rechnung A2550 R2514 - 2010-11-16.pdf
    [2010.11.03 19:07:55 | 000,036,864 | ---- | C] () -- C:\Windows\System32\Del_Drv.exe
    [2010.01.28 15:37:29 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat

    ========== LOP Check ==========

    [2009.09.24 18:09:39 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Bullzip
    [2011.11.23 17:04:14 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\DAEMON Tools Lite
    [2010.11.02 12:03:56 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Downloaded Installations
    [2011.07.24 00:03:49 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\DVDVideoSoft
    [2011.07.23 22:44:55 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\DVDVideoSoftIEHelpers
    [2011.04.25 08:41:23 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\EAC
    [2009.09.15 17:53:36 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\GHISLER
    [2012.07.27 17:33:09 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\gtk-2.0
    [2011.07.01 20:21:46 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Juniper Networks
    [2012.06.25 17:41:39 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\MediaProSoft Free YouTube to FLV Converter
    [2010.11.02 12:08:30 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Nitro PDF
    [2010.03.28 03:34:23 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Notepad++
    [2009.09.24 18:17:10 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\OpenOffice.org
    [2012.01.26 03:22:14 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Opera
    [2011.08.08 22:37:18 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\PingBuster
    [2011.04.18 14:21:41 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Publish Providers
    [2011.04.21 11:14:19 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Sony
    [2011.04.27 00:06:36 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Sony Creative Software Inc
    [2009.09.11 01:39:10 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\TeamViewer
    [2011.09.21 11:20:10 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Thunderbird
    [2012.08.29 19:45:16 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\TS3Client
    [2012.07.05 19:50:21 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\WindSolutions
    [2012.08.01 09:09:00 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2012.09.03 15:48:23 | 000,000,592 | ---- | M] () -- C:\Windows\Tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
    [2012.09.03 15:27:59 | 000,000,592 | ---- | M] () -- C:\Windows\Tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences

    < End of report >

    OTL Extras logfile created on: 04.09.2012 10:37:09 - Run 2
    OTL by OldTimer - Version 3.2.59.1 Folder = D:\Eigene Dateien\Desktop
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

    3,24 Gb Total Physical Memory | 2,85 Gb Available Physical Memory | 87,81% Memory free
    6,48 Gb Paging File | 6,11 Gb Available in Paging File | 94,26% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 195,21 Gb Total Space | 137,20 Gb Free Space | 70,28% Space Free | Partition Type: NTFS
    Drive D: | 736,14 Gb Total Space | 127,06 Gb Free Space | 17,26% Space Free | Partition Type: NTFS
    Drive F: | 4,37 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF

    Computer Name: STELLA-PC | User Name: Stella | Logged in as Administrator.
    Boot Mode: SafeMode | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [open] -- Reg Error: Key error.
    htmlfile [opennew] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
    http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Mozilla Corporation)
    https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Mozilla Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Applications\iexplore.exe [open] -- Reg Error: Key error.
    CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
    "{7032B400-11EC-11E0-A9BF-0013D3D69929}" = MSVCRT Redists
    "{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9C2F9B2C-1585-43AD-9EF9-48AAD60DFC04}" = Microsoft IntelliPoint 8.1
    "{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}" = Paint.NET v3.5.8
    "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.1) - Deutsch
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Treiber 285.62
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 285.62
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 285.62
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller-Treiber 285.62
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.5.20
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{C911A0C2-2236-3164-AA47-F2566C01AE5E}" = Microsoft .NET Framework 4 Extended DEU Language Pack
    "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "avast" = avast! Free Antivirus
    "C-Media Card Reader Driver USB2.0" = C-Media Card Reader Driver USB2.0
    "GPL Ghostscript 8.70" = GPL Ghostscript 8.70
    "LameACM" = Lame ACM MP3 Codec
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "Microsoft .NET Framework 4 Extended DEU Language Pack" = Microsoft .NET Framework 4 Extended DEU Language Pack
    "Microsoft IntelliPoint 8.1" = Microsoft IntelliPoint 8.1
    "Mozilla Firefox 15.0 (x86 de)" = Mozilla Firefox 15.0 (x86 de)
    "Mozilla Thunderbird (6.0.2)" = Mozilla Thunderbird (6.0.2)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "Notepad++" = Notepad++
    "NVIDIA Display Control Panel" = NVIDIA Display Control Panel
    "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
    "Opera 12.02.1578" = Opera 12.02
    "TeamSpeak 3 Client" = TeamSpeak 3 Client
    "Totalcmd" = Total Commander (Remove or Repair)
    "VLC media player" = VLC media player 2.0.2
    "Winamp" = Winamp
    "WinGimp-2.0_is1" = GIMP 2.6.11
    "WinRAR archiver" = WinRAR

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = VSS | ID = 12292
    Description =

    Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = VSS | ID = 8193
    Description =

    Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = System Restore | ID = 8193
    Description =

    Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = System Restore | ID = 8211
    Description =

    Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = VSS | ID = 13
    Description =

    Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = VSS | ID = 12292
    Description =

    Error - 04.09.2012 03:56:42 | Computer Name = Stella-PC | Source = RasClient | ID = 20227
    Description =

    Error - 04.09.2012 04:25:31 | Computer Name = Stella-PC | Source = VSS | ID = 13
    Description =

    Error - 04.09.2012 04:25:31 | Computer Name = Stella-PC | Source = VSS | ID = 12292
    Description =

    Error - 04.09.2012 04:35:21 | Computer Name = Stella-PC | Source = Microsoft-Windows-LoadPerf | ID = 3002
    Description = Der Textzeichenfolgenwert zur Beschreibung des Leistungsindikators
    in der Registrierung ist falsch formatiert. Die falsch formatierte Zeichenfolge
    ist "Number of WMI High Performance provider returned by WMI Adapter". Das erste
    DWORD im Datenbereich enthält den Indexwert für die falsch formatierte Zeichenfolge,
    während das zweite und dritte DWORD im Datenbereich die letzten gültigen Indexwerte
    enthalten.

    [ Media Center Events ]
    Error - 05.05.2011 22:59:35 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 04:59:35 - Fehler beim Herstellen der Internetverbindung. 04:59:35
    - Serververbindung konnte nicht hergestellt werden..

    Error - 05.05.2011 22:59:45 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 04:59:40 - Fehler beim Herstellen der Internetverbindung. 04:59:40
    - Serververbindung konnte nicht hergestellt werden..

    Error - 08.05.2011 22:59:04 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 04:59:04 - Fehler beim Herstellen der Internetverbindung. 04:59:04
    - Serververbindung konnte nicht hergestellt werden..

    Error - 08.05.2011 22:59:14 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 04:59:09 - Fehler beim Herstellen der Internetverbindung. 04:59:09
    - Serververbindung konnte nicht hergestellt werden..

    Error - 08.05.2011 23:59:22 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 05:59:22 - Fehler beim Herstellen der Internetverbindung. 05:59:22
    - Serververbindung konnte nicht hergestellt werden..

    Error - 08.05.2011 23:59:29 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 05:59:27 - Fehler beim Herstellen der Internetverbindung. 05:59:27
    - Serververbindung konnte nicht hergestellt werden..

    Error - 09.05.2011 00:59:36 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 06:59:36 - Fehler beim Herstellen der Internetverbindung. 06:59:36
    - Serververbindung konnte nicht hergestellt werden..

    Error - 09.05.2011 00:59:42 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 06:59:41 - Fehler beim Herstellen der Internetverbindung. 06:59:41
    - Serververbindung konnte nicht hergestellt werden..

    Error - 09.05.2011 02:01:40 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 08:01:40 - Fehler beim Herstellen der Internetverbindung. 08:01:40
    - Serververbindung konnte nicht hergestellt werden..

    Error - 09.05.2011 02:01:46 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
    Description = 08:01:45 - Fehler beim Herstellen der Internetverbindung. 08:01:45
    - Serververbindung konnte nicht hergestellt werden..

    [ System Events ]
    Error - 04.09.2012 04:31:24 | Computer Name = Stella-PC | Source = DCOM | ID = 10005
    Description =

    Error - 04.09.2012 04:31:24 | Computer Name = Stella-PC | Source = DCOM | ID = 10005
    Description =

    Error - 04.09.2012 04:31:24 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
    Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
    Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

    Error - 04.09.2012 04:31:24 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
    Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
    Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

    Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
    Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
    Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

    Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
    Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
    Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

    Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
    Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
    Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

    Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
    Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
    Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

    Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
    Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
    Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

    Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
    Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
    Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068


    < End of report >
     
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
     
  4. chmsta

    chmsta TS Rookie Topic Starter

    Hi, thanks for the fast response. I can't download the file you linked, because Avast Antivirus (which I installed after the infection) is blocking it. What should I do?
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Right click on Avast icon, mouseover avast! shields control, and select Disable for 1 hour.

    Then, try the scan again. If you go to browse the internet right after, right-click on Avast icon, mouseover avast! shields control and Enable protection.
     
  6. chmsta

    chmsta TS Rookie Topic Starter

    # AdwCleaner v2.000 - Datei am 09/05/2012 um 16:26:55 erstellt
    # Aktualisiert am 30/08/2012 von Xplode
    # Betriebssystem : Windows 7 Professional Service Pack 1 (32 bits)
    # Benutzer : Stella - STELLA-PC
    # Normaler Modus : Normal
    # Ausgeführt unter : D:\Eigene Dateien\Desktop\adwcleaner.exe
    # Option [Suche]


    **** [Dienste] ****


    ***** [Dateien / Ordner] *****


    ***** [Registrierungsdatenbank] *****

    Schlüssel Gefunden : HKCU\Software\Softonic

    ***** [Internet Browser] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Die Registrierungsdatenbank ist sauber.

    -\\ Mozilla Firefox v15.0 (de)

    Profilname : default
    Datei : C:\Users\Stella\AppData\Roaming\Mozilla\Firefox\Profiles\pwfurc0d.default\prefs.js

    [OK] Die Datei ist sauber.

    -\\ Opera v12.2.1578.0

    Datei : C:\Users\Stella\AppData\Roaming\Opera\Opera\operaprefs.ini

    [OK] Die Datei ist sauber.

    *************************

    AdwCleaner[R1].txt - [1053 octets] - [05/09/2012 16:23:15]
    AdwCleaner[R2].txt - [986 octets] - [05/09/2012 16:26:55]

    ########## EOF - C:\AdwCleaner[R2].txt - [1045 octets] ##########
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and name
    ComboFix.exe iexplore.exe, explorer.exe, or winlogon.exe instead.

    Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
     
  8. chmsta

    chmsta TS Rookie Topic Starter

    ComboFix says that the avast antivirus and antispyware real-time scanners are still active, although I deactivated the program following the instructions from your link... What should I do? Run ComboFix nevertheless, or?

    edit: okay, I couldn't stop ComboFix, it's running the scan right now... hopefully it'll work anyway. I'm sure I deactivated avast antivirus the way it was described and the sys tray icon is currently showing that it is not active.
     
  9. chmsta

    chmsta TS Rookie Topic Starter

    ComboFix 12-09-06.04 - Stella 07/09/2012 14:23:40.1.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.3320.2559 [GMT 2:00]
    ausgeführt von:: d:\eigene dateien\Desktop\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Neuer Wiederherstellungspunkt wurde erstellt
    .
    .
    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\pkunzip.pif
    c:\windows\pkzip.pif
    c:\windows\security\Database\tmp.edb
    c:\windows\system32\drivers\etc\hosts.ics
    .
    .
    ((((((((((((((((((((((( Dateien erstellt von 2012-08-07 bis 2012-09-07 ))))))))))))))))))))))))))))))
    .
    .
    2012-09-07 11:55 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1168A916-856F-42D7-865E-80B474A181FA}\mpengine.dll
    2012-09-04 06:43 . 2012-09-07 12:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-09-04 06:43 . 2012-09-07 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-09-03 21:40 . 2012-08-21 09:13 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-09-03 21:40 . 2012-08-21 09:13 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-09-03 21:40 . 2012-08-21 09:13 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-09-03 21:40 . 2012-08-21 09:13 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-09-03 21:40 . 2012-08-21 09:13 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-09-03 21:40 . 2012-08-21 09:13 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-09-03 21:39 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
    2012-09-03 21:39 . 2012-08-21 09:12 227648 ----a-w- c:\windows\system32\aswBoot.exe
    2012-09-03 21:39 . 2012-09-03 21:39 -------- d-----w- c:\programdata\AVAST Software
    2012-09-03 21:39 . 2012-09-03 21:39 -------- d-----w- c:\program files\AVAST Software
    2012-09-03 13:48 . 2012-09-03 13:48 -------- d-----w- c:\program files\Common Files\Skype
    2012-09-03 09:51 . 2012-09-03 12:28 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-08-28 19:23 . 2012-08-28 19:23 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
    2012-08-15 11:13 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
    2012-08-15 11:13 . 2012-07-18 17:47 2345984 ----a-w- c:\windows\system32\win32k.sys
    2012-08-15 11:13 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
    2012-08-15 11:13 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
    2012-08-15 11:13 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll
    2012-08-15 11:13 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll
    2012-08-15 11:13 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-03 21:45 . 2011-06-06 16:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-06 00:55 . 2012-03-31 12:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-03 11:46 . 2010-12-05 17:13 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-28 19:23 . 2011-09-21 09:01 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:12 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmiboot]
    2007-02-07 10:02 65536 ----a-w- c:\windows\cmiboot.exe
    .
    R3 AF9035HB;AF9035 Hybrid Device;c:\windows\system32\Drivers\AF9035HB.sys [x]
    R3 CMISTOR;CMIUCR.SYS CM320/CM220 Card Reader Driver;c:\windows\system32\DRIVERS\cmiucr.SYS [x]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
    R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
    R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    R4 FirebirdServerauctionstudio;Firebird Server - auctionstudio;d:\auction studio\Database Server\bin\fb_inet_server.exe [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [x]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [x]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    Inhalt des "geplante Tasks" Ordners
    .
    2012-09-03 c:\windows\Tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
    - c:\program files\Opera\opera.exe [2011-02-02 21:13]
    .
    2012-09-03 c:\windows\Tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job
    - c:\program files\Opera\opera.exe [2011-02-02 21:13]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    FF - ProfilePath - c:\users\Stella\AppData\Roaming\Mozilla\Firefox\Profiles\pwfurc0d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.de/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - Entfernte verwaiste Registrierungseinträge - - - -
    .
    HKCU-Run-Skype - c:\program files\Skype\\Phone\Skype.exe
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    AddRemove-GPL Ghostscript 8.70 - c:\program files\gs\uninstgs.exe
    .
    .
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Zeit der Fertigstellung: 2012-09-07 14:28:22
    ComboFix-quarantined-files.txt 2012-09-07 12:28
    .
    Vor Suchlauf: 11 Verzeichnis(se), 147,277,885,440 Bytes frei
    Nach Suchlauf: 14 Verzeichnis(se), 147,433,549,824 Bytes frei
    .
    - - End Of File - - 10E4DBAC41F791CD2780F5349A8F044E
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.


    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
     
  11. chmsta

    chmsta TS Rookie Topic Starter

    ComboFix 12-09-06.04 - Stella 10/09/2012 14:04:28.2.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.3320.2364 [GMT 2:00]
    ausgeführt von:: d:\eigene dateien\Desktop\ComboFix.exe
    Benutzte Befehlsschalter :: d:\eigene dateien\Desktop\CFScript.txt.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Neuer Wiederherstellungspunkt wurde erstellt
    .
    .
    ((((((((((((((((((((((( Dateien erstellt von 2012-08-10 bis 2012-09-10 ))))))))))))))))))))))))))))))
    .
    .
    2012-09-10 12:09 . 2012-09-10 12:09 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-09-10 12:09 . 2012-09-10 12:09 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-07 12:28 . 2012-09-10 12:09 -------- d-----w- c:\users\Stella\AppData\Local\temp
    2012-09-07 11:55 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1168A916-856F-42D7-865E-80B474A181FA}\mpengine.dll
    2012-09-04 06:43 . 2012-09-07 12:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-09-04 06:43 . 2012-09-07 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-09-03 21:40 . 2012-08-21 09:13 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-09-03 21:40 . 2012-08-21 09:13 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-09-03 21:40 . 2012-08-21 09:13 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-09-03 21:40 . 2012-08-21 09:13 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-09-03 21:40 . 2012-08-21 09:13 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-09-03 21:40 . 2012-08-21 09:13 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-09-03 21:39 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
    2012-09-03 21:39 . 2012-08-21 09:12 227648 ----a-w- c:\windows\system32\aswBoot.exe
    2012-09-03 21:39 . 2012-09-03 21:39 -------- d-----w- c:\programdata\AVAST Software
    2012-09-03 21:39 . 2012-09-03 21:39 -------- d-----w- c:\program files\AVAST Software
    2012-09-03 13:48 . 2012-09-03 13:48 -------- d-----w- c:\program files\Common Files\Skype
    2012-09-03 09:51 . 2012-09-03 12:28 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-08-28 19:23 . 2012-08-28 19:23 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
    2012-08-15 11:13 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
    2012-08-15 11:13 . 2012-07-18 17:47 2345984 ----a-w- c:\windows\system32\win32k.sys
    2012-08-15 11:13 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
    2012-08-15 11:13 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
    2012-08-15 11:13 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll
    2012-08-15 11:13 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll
    2012-08-15 11:13 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-03 21:45 . 2011-06-06 16:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-06 00:55 . 2012-03-31 12:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-03 11:46 . 2010-12-05 17:13 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-28 19:23 . 2011-09-21 09:01 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:12 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmiboot]
    2007-02-07 10:02 65536 ----a-w- c:\windows\cmiboot.exe
    .
    R3 AF9035HB;AF9035 Hybrid Device;c:\windows\system32\Drivers\AF9035HB.sys [x]
    R3 CMISTOR;CMIUCR.SYS CM320/CM220 Card Reader Driver;c:\windows\system32\DRIVERS\cmiucr.SYS [x]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
    R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
    R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    R4 FirebirdServerauctionstudio;Firebird Server - auctionstudio;d:\auction studio\Database Server\bin\fb_inet_server.exe [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [x]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [x]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    Inhalt des "geplante Tasks" Ordners
    .
    2012-09-03 c:\windows\Tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
    - c:\program files\Opera\opera.exe [2011-02-02 21:13]
    .
    2012-09-03 c:\windows\Tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job
    - c:\program files\Opera\opera.exe [2011-02-02 21:13]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    FF - ProfilePath - c:\users\Stella\AppData\Roaming\Mozilla\Firefox\Profiles\pwfurc0d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.de/
    FF - prefs.js: network.proxy.type - 0
    .
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Zeit der Fertigstellung: 2012-09-10 14:09:50
    ComboFix-quarantined-files.txt 2012-09-10 12:09
    ComboFix2.txt 2012-09-07 12:28
    .
    Vor Suchlauf: 13 Verzeichnis(se), 147,482,918,912 Bytes frei
    Nach Suchlauf: 14 Verzeichnis(se), 147,420,516,352 Bytes frei
    .
    - - End Of File - - CAEDAB423C37F894957171D6D2E315C7


    # AdwCleaner v2.001 - Datei am 09/10/2012 um 14:16:01 erstellt
    # Aktualisiert am 09/09/2012 von Xplode
    # Betriebssystem : Windows 7 Professional Service Pack 1 (32 bits)
    # Benutzer : Stella - STELLA-PC
    # Bootmodus : Normal
    # Ausgeführt unter : D:\Eigene Dateien\Desktop\adwcleaner.exe
    # Option [Suche]


    **** [Dienste] ****


    ***** [Dateien / Ordner] *****


    ***** [Registrierungsdatenbank] *****

    Schlüssel Gefunden : HKCU\Software\Softonic

    ***** [Internet Browser] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Die Registrierungsdatenbank ist sauber.

    -\\ Mozilla Firefox v15.0 (de)

    Profilname : default
    Datei : C:\Users\Stella\AppData\Roaming\Mozilla\Firefox\Profiles\pwfurc0d.default\prefs.js

    [OK] Die Datei ist sauber.

    -\\ Opera v12.2.1578.0

    Datei : C:\Users\Stella\AppData\Roaming\Opera\Opera\operaprefs.ini

    [OK] Die Datei ist sauber.

    *************************

    AdwCleaner[R1].txt - [1053 octets] - [05/09/2012 16:23:15]
    AdwCleaner[R2].txt - [1114 octets] - [05/09/2012 16:26:55]
    AdwCleaner[R3].txt - [1041 octets] - [10/09/2012 14:16:01]

    ########## EOF - C:\AdwCleaner[R3].txt - [1101 octets] ##########
     
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
     
  13. chmsta

    chmsta TS Rookie Topic Starter

    No threats were found.
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! If there are no more issues, then we shall finish up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  15. chmsta

    chmsta TS Rookie Topic Starter

    Hi, thanks for your help!

    I couldn't create a Restore Point. It says something like "Unexpected Error in Properties Page - Error in the System Recovery. (0x81000203). Close the Properties Page and repeat the process."

    This error always comes up, even after a reboot. When I boot in safe mode, there is no option to create a restore point. I noticed something else in safe mode though, I don't know if it is important in any way... when I boot in safe mode, I can see 4 USB mass storage drives. I can't see these drives when I boot Windows normally. Maybe they are some leftovers from Daemon Tools I had installed a while ago, maybe I didn't uninstall it properly?

    Anyway, I skipped the system restore point creation and did the other points as asked. Here's the log:

    Results of screen317's Security Check version 0.99.50
    Windows 7 Service Pack 1 x86
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware Version 1.62.0.1300
    CCleaner
    Adobe Flash Player 11.4.402.265
    Mozilla Firefox (15.0)
    ````````Process Check: objlist.exe by Laurent````````
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast AvastUI.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:
    ````````````````````End of Log``````````````````````
     
  16. chmsta

    chmsta TS Rookie Topic Starter

    I booted Windows in safe mode again and tried to manually uninstall those 4 drives, but they just keep reappearing by themselves.
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You need to enable the services for system restore, to do that follow the steps provided below.
    1. Click on Start button, now type in services.msc in the search programs and files and hit enter.
    2. Now you need to check for the “Volume Shadow Copy” service in the Services window.
    3. After selecting the “volume shadow copy” service you need to right click on the service and select properties and make the startup type as automatic and start the service.
    4. Click ok, restart the computer and check for the issue.
    Also ensure that you disable any antivirus program on your computer and create a restore point before performing the above steps.
    Creating system restore point manually:
    1. Open System by clicking the Start button, clicking Control Panel, clicking System and Maintenance, and then clicking System.
    2. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
    3. Click the System Protection tab, and then click Create.
    4. In the System Protection dialog box, type a description, and then click Create.

    Info from here

    Please download ListParts.
    Run the tool,
    check the "list BCD" box,
    click "Scan" and post the log (Result.txt) it makes.
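The Volume Shadow Copy service check and restore-point creation described in this post (and the "Clean" restore point from post 14), as an added PowerShell example that is not from the thread. It assumes an elevated PowerShell prompt on Windows 7 and uses only built-in cmdlets; the restore-point name and the 30-second wait are my choices.

```powershell
# Added example, not from the thread: scripted equivalent of the services.msc and
# System Protection steps above, for an elevated PowerShell prompt on Windows 7.
# System Restore starts the Volume Shadow Copy service (service name VSS) on
# demand, so any start mode other than Disabled would do; the thread sets it to
# Automatic, and this script follows that.

$ServiceName = 'VSS'          # display name "Volume Shadow Copy" in services.msc
$RestorePointName = 'Clean'   # the name suggested in post 14 (my choice to reuse it)

function Get-VssState {
    # Describes the service: whether it exists, its start mode
    # (Auto/Manual/Disabled) and whether it is currently running.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        return New-Object PSObject -Property @{ Exists = $false; StartMode = $null; Running = $false }
    }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    New-Object PSObject -Property @{
        Exists    = $true
        StartMode = $wmi.StartMode
        Running   = ($svc.Status -eq 'Running')
    }
}

function Repair-VssService {
    # Mirrors post 17: startup type Automatic, then start the service and wait
    # until the service control manager reports it running.
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
    $svc = Get-Service -Name $ServiceName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

function New-NamedRestorePoint {
    param([string]$Name = $RestorePointName)
    # Checkpoint-Computer is the scripted form of System Protection > Create.
    # If System Restore is still broken it reports an error instead of silently
    # doing nothing, which is easier to act on than the GUI's 0x81000203 dialog.
    Checkpoint-Computer -Description $Name -RestorePointType 'MODIFY_SETTINGS'
    # Hand back the newest restore point so the caller can confirm it exists.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

# --- main flow ---------------------------------------------------------------
$state = Get-VssState
if (-not $state.Exists) {
    throw "Service $ServiceName is not installed; System Restore cannot work without it."
}
if ($state.StartMode -eq 'Disabled' -or -not $state.Running) {
    Write-Host "VSS start mode is $($state.StartMode), running=$($state.Running); repairing."
    Repair-VssService
}
New-NamedRestorePoint | Format-List SequenceNumber, Description, CreationTime
```

If Checkpoint-Computer still reports an error once the service is running, the cause is not the service's startup type and needs separate troubleshooting.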
     
  18. chmsta

    chmsta TS Rookie Topic Starter

    ListParts by Farbar Version: 10-08-2012
    Ran by Stella (administrator) on 12-09-2012 at 20:23:41
    Windows 7 (X86)
    Running From: D:\Eigene Dateien\Desktop
    Language: 0407
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 22%
    Total physical RAM: 3319.75 MB
    Available physical RAM: 2582.89 MB
    Total Pagefile: 6637.79 MB
    Available Pagefile: 5924.57 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1965.73 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:195.21 GB) (Free:138.37 GB) NTFS
    2 Drive d: () (Fixed) (Total:736.14 GB) (Free:126.47 GB) NTFS

    Disk ###  Status      Size     Free     Dyn  GPT
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online      931 GB   0 B
    Disk 1    Offline     931 GB   64 MB
    Disk 2    No Media    0 B      0 B
    Disk 3    No Media    0 B      0 B
    Disk 4    No Media    0 B      0 B
    Disk 5    No Media    0 B      0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           100 MB   1024 KB
    Partition 2    Primary           195 GB   101 MB
    Partition 3    Primary           736 GB   195 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden : No
    Active : Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1       System Rese  NTFS   Partition   100 MB   Healthy    System (partition with boot components)

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden : No
    Active : No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   C                NTFS   Partition   195 GB   Healthy    Boot

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden : No
    Active : No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   D                NTFS   Partition   736 GB   Healthy

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           100 MB   1024 KB
    Partition 2    Primary           195 GB   101 MB
    Partition 3    Primary           736 GB   195 GB

    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden : No
    Active : Yes

    There is no volume associated with this partition.

    ======================================================================================================

    Disk: 1
    Partition 2
    Type : 07
    Hidden : No
    Active : No

    There is no volume associated with this partition.

    ======================================================================================================

    Disk: 1
    Partition 3
    Type : 07
    Hidden : No
    Active : No

    There is no volume associated with this partition.

    ======================================================================================================

    Windows Boot Manager
    --------------------
    identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device partition=\Device\HarddiskVolume1
    description Windows Boot Manager
    locale de-DE
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default {0f01e371-9e2c-11de-9033-b7bc93c74439}
    resumeobject {0f01e370-9e2c-11de-9033-b7bc93c74439}
    displayorder {0f01e371-9e2c-11de-9033-b7bc93c74439}
    toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {0f01e371-9e2c-11de-9033-b7bc93c74439}
    device partition=C:
    path \Windows\system32\winload.exe
    description Windows 7
    locale de-DE
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    recoverysequence {0f01e372-9e2c-11de-9033-b7bc93c74439}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {0f01e370-9e2c-11de-9033-b7bc93c74439}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {0f01e372-9e2c-11de-9033-b7bc93c74439}
    device ramdisk=[C:]\Recovery\0f01e372-9e2c-11de-9033-b7bc93c74439\Winre.wim,{0f01e373-9e2c-11de-9033-b7bc93c74439}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    osdevice ramdisk=[C:]\Recovery\0f01e372-9e2c-11de-9033-b7bc93c74439\Winre.wim,{0f01e373-9e2c-11de-9033-b7bc93c74439}
    systemroot \windows
    nx OptIn
    winpe Yes
    custom:46000010 Yes

    Resume from Hibernate
    ---------------------
    identifier {0f01e370-9e2c-11de-9033-b7bc93c74439}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale de-DE
    inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
    filedevice partition=C:
    filepath \hiberfil.sys
    pae Yes
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
    device partition=\Device\HarddiskVolume1
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale de-DE
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {4636856e-540f-4170-a130-a84776f4c654}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Global Settings
    ---------------
    identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    inherit {4636856e-540f-4170-a130-a84776f4c654}
    {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Boot Loader Settings
    --------------------
    identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    {7ff607e0-4395-11db-b0de-0800200c9a66}

    Hypervisor Settings
    -------------------
    identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Device options
    --------------
    identifier {0f01e373-9e2c-11de-9033-b7bc93c74439}
    description Ramdisk Options
    ramdisksdidevice partition=C:
    ramdisksdipath \Recovery\0f01e372-9e2c-11de-9033-b7bc93c74439\boot.sdi


    ****** End Of Log ******
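
The BCD section of the log above is what a helper reads to rule out a bootkit: every loader entry should point at a stock Windows binary on the System Reserved volume, on C:, or in the WinRE ramdisk. As an added example (not part of the thread or of ListParts), the PowerShell below parses `bcdedit /enum all` output and flags any entry that deviates. The expected paths and devices are an assumption for a single-OS, BIOS-booted Windows 7 install like the one in the log; the rogue entry in the embedded sample is constructed, not something found on the poster's machine.

```powershell
# Added example (not code from the thread or from ListParts): flag BCD entries whose
# loader binary or device is not one of the stock values the ListParts log shows.
# Expected values are an assumption for a single-OS, BIOS-booted Windows 7 install
# with a System Reserved partition; adjust them for dual-boot or UEFI machines.
$ErrorActionPreference = 'Stop'

# Element names (device, path, inherit ...) are not localised; section headings and
# the "identifier" label are (the log shows "Bezeichner"), so only elements are used.
$expectedPaths  = '\windows\system32\winload.exe',
                  '\windows\system32\winresume.exe',
                  '\boot\memtest.exe'
# System Reserved volume, C:, or the WinRE ramdisk under C:\Recovery.
$expectedDevice = '^(partition=(c:|\\device\\harddiskvolume1)|ramdisk=\[c:\]\\recovery\\)'

function Parse-BcdEnum {
    param([string[]]$Lines)
    # An entry is: heading line, dashed underline, "<element> <value>" lines, blank line.
    # Multi-valued elements (inherit) continue on lines that hold only a {GUID}.
    $entries = @(); $cur = $null; $lastKey = $null
    foreach ($raw in $Lines) {
        $line = $raw.TrimEnd()
        if ($line -match '^\s*-{5,}$') { continue }
        if ($line -eq '') { if ($cur) { $entries += $cur; $cur = $null }; continue }
        if (-not $cur) { $cur = @{ heading = $line.Trim() }; $lastKey = $null; continue }
        if ($line -match '^\s*(\{[0-9a-f-]{36}\})\s*$' -and $lastKey) {
            $cur[$lastKey] += ' ' + $Matches[1]; continue
        }
        if ($line -match '^\s*(\S+)\s+(.+)$') {
            $lastKey = $Matches[1].ToLower(); $cur[$lastKey] = $Matches[2].Trim()
        }
    }
    if ($cur) { $entries += $cur }
    return ,$entries
}

function Test-BcdEntries {
    param([hashtable[]]$Entries)
    $findings = @()
    foreach ($e in $Entries) {
        if (-not $e.ContainsKey('path')) { continue }   # settings-only objects have no loader
        if ($expectedPaths -notcontains $e['path'].ToLower()) {
            $findings += '[{0}] unexpected loader path: {1}' -f $e['heading'], $e['path']
        }
        if ($e.ContainsKey('device') -and $e['device'] -notmatch $expectedDevice) {
            $findings += '[{0}] unexpected device: {1}' -f $e['heading'], $e['device']
        }
    }
    return ,$findings
}

# Offline demo on a constructed sample in the English bcdedit layout. The first entry
# mirrors the log's Windows 7 loader; the second is an invented rogue entry.
$sample = @'
Windows Boot Loader
-------------------
identifier              {0f01e371-9e2c-11de-9033-b7bc93c74439}
device                  partition=C:
path                    \Windows\system32\winload.exe
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
                        {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=D:
path                    \tmp\ldr.sys
'@ -split "`r?`n"
Test-BcdEntries (Parse-BcdEnum $sample)   # two findings, both against the second entry

# Live check of this machine's BCD (bcdedit needs an elevated prompt):
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }
$live = Test-BcdEntries (Parse-BcdEnum (bcdedit /enum all))
if ($live) { $live } else { 'BCD: all loader entries point at stock binaries on expected devices.' }
```

Run against the posted log, every loader entry passes: winload.exe and winresume.exe on partition=C:, memtest.exe on \Device\HarddiskVolume1, and the WinRE copy of winload.exe inside the ramdisk under C:\Recovery. A finding is not proof of infection (a recovery vendor's entry or a second OS will trip it) but is the place to look next with the partition table.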
     
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! I'm checking in with the developer, Farbar, to see what he says about your translation there. Will be back soon!
     
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Thanks for waiting.

    How did the System Restore fixes go?
     
  21. chmsta

    chmsta TS Rookie Topic Starter

    Hi, thanks for all your help.

    I tried everything they said on the site you linked, nothing worked. I still can't create a system restore point and it's the same error that comes up every time I try.

    I won't be at home for the weekend, I'll be back on Monday. I can't reply to anything until then.
     
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let me know when you return, and we'll resume.

    Marked as inactive.
     
  23. chmsta

    chmsta TS Rookie Topic Starter

    Hi.. I'm back.

    Creating a System Restore Point still doesn't work, but to be honest I never created a system restore point before... so I don't know if this problem maybe existed even prior to the infection and therefore it may not be related to that at all. The issue with the extra drives in safe mode still bugs me a lot... I keep wondering what is causing that, you got any ideas regarding that?
     
  24. chmsta

    chmsta TS Rookie Topic Starter

    OK, I finally figured out how to create a system restore point following these instructions from here:

    I didn't even need to restart the computer; creating a system restore point worked right away. So only the issue with the drives remains, any thoughts on that?
     
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We've declared no problem on the drives, no infections, etc...

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
     