Solved Been infected due to recent Java security flaw - anything left?


chmsta

Hi guys. Sunday late night my PC got infected with some kind of malicious software while surfing. (Java was not up to date, because we had just come back from holidays.) AntiVir responded to something, but it was already too late. The PC rebooted by itself, and afterwards I couldn't access anything. The desktop was just some white explorer-like window which stated that the connection to some site could not be established. Nothing else could be done. After searching a bit with my notebook, I tried some things in the hope of getting rid of the problem, which I kind of did; I'm just not sure if I was able to remove everything that has been infected. Hopefully you can help me here.

What did I do after I noticed the infection?

I used my notebook to search for a solution. Finally I created a Kaspersky Rescue Disk on a USB stick and used it to scan my system. Although it found some things and removed them, the problem still existed. I then booted Windows in safe mode, uninstalled many things I wasn't using anymore, and by accident also found a so-called ja.exe in the autostart of Windows. I deleted it. After a reboot the problem was gone. I have installed some other kinds of anti-virus tools since then, and all of them find nothing suspicious at all. But I still wasn't sure whether there is something left over, so I started searching again. I stumbled across a tool called aswMBR and used it. I scanned my system with some of the programs also listed here on your site, created logs and tried to find something suspicious. But well, I finally do realize I don't know what the hell I'm actually looking for, let alone what to do to resolve any issues. I'm totally paranoid right now and kind of freaking out.. help me please.

I read your 5-step Viruses/Spyware/Malware Preliminary Removal Instructions; I'm just not sure if it makes any sense to follow them now, since I already did so many things... so I'm just going to post the logs I created during my panic attack.


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-03 16:46:35
-----------------------------
16:46:35.382 OS Version: Windows 6.1.7601 Service Pack 1
16:46:35.382 Number of processors: 4 586 0x402
16:46:35.382 ComputerName: STELLA-PC UserName: Stella
16:46:35.975 Initialize success
16:47:08.081 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
16:47:08.081 Disk 0 Vendor: AMD_____ 1.10 Size: 953805MB BusType: 8
16:47:08.081 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000061
16:47:08.097 Disk 1 Vendor: SAMSUNG_ 1AA0 Size: 953869MB BusType: 8
16:47:08.097 Disk 0 MBR read successfully
16:47:08.112 Disk 0 MBR scan
16:47:08.112 Disk 0 Windows 7 default MBR code
16:47:08.128 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
16:47:08.144 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 199900 MB offset 206848
16:47:08.159 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 753803 MB offset 409602048
16:47:08.159 Disk 0 scanning sectors +1953390592
16:47:08.190 Disk 0 scanning C:\Windows\system32\drivers
16:47:12.777 Service scanning
16:47:22.620 Modules scanning
16:47:28.798 Disk 0 trace - called modules:
16:47:28.814 ntkrnlpa.exe CLASSPNP.SYS disk.sys storport.sys halmacpi.dll amdsbs.sys
16:47:28.814 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d68a78]
16:47:28.814 3 CLASSPNP.SYS[8c1c959e] -> nt!IofCallDriver -> \Device\00000060[0x85d6bc68]
16:47:28.829 Scan finished successfully
16:48:09.342 Disk 0 MBR has been saved successfully to "D:\Eigene Dateien\Desktop\MBR.dat"
16:48:09.358 The log file has been saved successfully to "D:\Eigene Dateien\Desktop\aswMBR.txt"



aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-03 17:05:50
-----------------------------
17:05:50.278 OS Version: Windows 6.1.7601 Service Pack 1
17:05:50.278 Number of processors: 4 586 0x402
17:05:50.278 ComputerName: STELLA-PC UserName: Stella
17:06:03.834 Initialize success
17:06:08.974 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
17:06:08.974 Disk 0 Vendor: AMD_____ 1.10 Size: 953805MB BusType: 8
17:06:08.974 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000061
17:06:08.989 Disk 1 Vendor: SAMSUNG_ 1AA0 Size: 953869MB BusType: 8
17:06:08.989 Disk 0 MBR read successfully
17:06:08.989 Disk 0 MBR scan
17:06:08.989 Disk 0 Windows 7 default MBR code
17:06:08.989 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
17:06:09.005 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 199900 MB offset 206848
17:06:09.021 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 753803 MB offset 409602048
17:06:09.021 Disk 0 scanning sectors +1953390592
17:06:09.052 Disk 0 scanning C:\Windows\system32\drivers
17:06:13.420 Service scanning
17:06:22.983 Modules scanning
17:06:32.951 Disk 0 trace - called modules:
17:06:32.967 ntkrnlpa.exe CLASSPNP.SYS disk.sys storport.sys halmacpi.dll amdsbs.sys nvlddmkm.sys dxgkrnl.sys dxgmms1.sys
17:06:32.967 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d66030]
17:06:32.982 3 CLASSPNP.SYS[8c1bf59e] -> nt!IofCallDriver -> \Device\00000060[0x866698f0]
17:06:32.982 Scan finished successfully
17:06:46.920 Verifying
17:06:56.951 Disk 0 Windows 601 MBR fixed successfully
17:07:06.935 Disk 0 MBR has been saved successfully to "D:\Eigene Dateien\Desktop\MBR.dat"
17:07:06.951 The log file has been saved successfully to "D:\Eigene Dateien\Desktop\aswMBR1.txt"


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-03 21:44:47
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000060 AMD_____ rev.1.10
Running: eckchk3u.exe; Driver: C:\Users\Stella\AppData\Local\Temp\pwdiqpod.sys


---- System - GMER 1.0.15 ----

SSDT 927E02F6 ZwCreateSection
SSDT 927E0300 ZwRequestWaitReplyPort
SSDT 927E02FB ZwSetContextThread
SSDT 927E0305 ZwSetSecurityObject
SSDT 927E030A ZwSystemDebugControl
SSDT 927E0297 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 836853C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 836BED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 836C5EAC 4 Bytes [F6, 02, 7E, 92] {TEST BYTE [EDX], 0x7e; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 836C6208 4 Bytes [00, 03, 7E, 92] {ADD [EBX], AL; JLE 0xffffffffffffff96}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1597 836C624C 4 Bytes [FB, 02, 7E, 92] {STI ; ADD BH, [ESI-0x6e]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1613 836C62C8 4 Bytes [05, 03, 7E, 92]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 836C631C 4 Bytes [0A, 03, 7E, 92] {OR AL, [EBX]; JLE 0xffffffffffffff96}
.text ...
? System32\drivers\afhnhk.sys Das System kann den angegebenen Pfad nicht finden. !
? C:\Users\Stella\AppData\Local\Temp\aswMBR.sys Das System kann die angegebene Datei nicht finden. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Bind ????????????????t???????????????? ?????????????????????-????????????????????? ?????????????????????1??L????????? ???????????? ?????????????????????1????????????&???????????????????????? ?????????????????????1????????????????????? ?????????????????????1????????????????????????????????????usb\class_08&subclass_06&prot_50????usb.inf???????&?????????p ????N????????????D????????????????????????? ?????????????????????1????????????????????????????????? ?????????????????????1????????????????????????????? ?????s?6??????????????????????????????? ?????????????????????1????????????????????????????????????????? ?????????????????????1??????????????????????N?????????????????????????????????????????????? ?????????????????????1????????????&???????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1????????????????????{4d36e967-e325-11ce-bfc1-08002be10318}\0010?????????????? ?????????????????????1????????????????????????????????? ?????????????????????1?????????????????????I?I?I?I?I?
Reg HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Route ????????\??\USB#VID_0830&PID_8002#1d479af1d22cef66f1b0674bda41b52f02acd63c#{a5dcbf10-6530-11d2-901f-00c04fb951ed}f??usb.inf:Generic.Section.NTx86:Composite.Dev:6.1.7601.17514:usb\composite????? ?????????????????????1????????????????????? ?????????????????????1????????????????????????????@usb.inf,%generic.mfg%;(Standard-USB-Hostcontroller)????RDPDR???????????monitor.inf?????hid_device??Im??????????t???????????????????????????? x?????????????????{36fc9e60-c465-11cf-8056-444553540000}\0022??????????????????????????9??????{4d36e967-e325-11ce-bfc1-08002be10318}\0001??????????????????????t??????t???????????????????????????????????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????????;?;???;?;?;???????;?;?;?;???;???;?????;?;???????4?4)/?????;?;??**?????;???4???? ??;????H????????;?;?;?;??? ???????? ????;???;?;???;?;??Y????4???????;?????;Y??4????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ????
Reg HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Export ????????{d4dd8694-6edb-55f6-8e47-bd15c13787fc}?-10???????????s?????ssb???????????p???p????N?????????????????{4d36e967-e325-11ce-bfc1-08002be10318}????????X?????????????{4d36e967-e325-11ce-bfc1-08002be10318}\0005??e???? ??????d???e????????`??????w?g?w??@disk.inf,%genmanufacturer%;(Standardlaufwerke)?ic??????????????????.NT???????D?????????????????BUFFALO USB Flash Disk USB Device???????????????????????????ic??? ???????g??????????? ??????????????:\??? 4??????D??????????USBSTOR\Disk?USBSTOR\RAW??????N??????2?????Dtc??? ?????????????????????-??.???????????????????sd73??? ?????????????????????-?????????????????????????n??? ?????????????????????-????????N?????????????N??????0??????{03d25b69-c4c9-11df-aa8d-b1fa34548778}?? ???? ?????????????????????-?????????????????f??????????????????????????????????usb\class_08&subclass_06&prot_50??????N???????????D???????N??????4??????????????????????????? ???????;?????????????,????????????&????????????????????}??????????????????????????????????? \?????????????????????????????s??
Reg HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage@Bind ????????????????? ?????????????????????1????????????&???????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1?????????????????????????????????????$??????????????????????????????????????????????????????????????????????????????????????? ?????????????????????1????????????????????? ?????? ??????????????1??????????????????????,???????????????????????????????????x?????? ?????????????????????1????????????????????????????????????????? ?????????????????????1????????:???????????????????????????????????????????????????????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1?????????????????????$??????????????????????????????machine.inf?????????????????????? ?????????????????????1?????????????????????????????????????????y??????s???? ?????????????????????1????????0?????????????:???????????h?????system32\DRIVERS\netbios.sys????????????? ?????????????????????1????????????????????? ?????????????????????1?????????????????????????????:?
Reg HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage@Route ?????|??????????t????????????B??????????????????????????? ???????????????????????????????.??op??????????????????????????USB\VID_0830&PID_8002&REV_0316&MI_01?USB\VID_0830&PID_8002&MI_01?????????:??t?????????????????????????????????????????2??????????????????????????????????????????1???????????????????"?????s67??????????.NT??????????????????????????????????????????????????????????:???????????????????????t??????????????????????USB\Class_ff&SubClass_47&Prot_11?USB\Class_ff&SubClass_47?USB\Class_ff??11??USB\VID_1130&PID_0001&REV_0100?USB\VID_1130&PID_0001????????????????????????? `??????????????????????????I??A???????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????????????????????????????????????????????????????????1?1)/??????????**?????????1???? ???????H??????????????????:???????? ????1???????????????1?????1???????1?????????????????????????????????????n??ts????????????b????????????e????????????????????????????????????6.1.7601.17514?0.1??6to4mp.ndi?
Reg HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage@Export ??P?4m??????????????????????????????????6.1.7600.16385??????? ??????????????????????????????????????.NT?.N???????????????????????????????????????????D??? ????D??????????????????8??????????????s???????????????????????????? ???????????????????????????????????????????????8???8??????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????????G?G???G?G?G???????G?G?G?G???G???G?????G?G???????9?9)/?????G?G??**?????G???9???? ??G????H????????G?G?G?G???????????? ????G???G?G???G?G??Y????9???????G?????GY??9????{4d36e96e-e325-11ce-bfc1-08002be10318}\0012??????????????????????????????s??t.???????????x??\????????????????/??????????????????????????????????????????hidserv.inf?????????????????????????os??????????????????????????????????6???????????????????????????????????????????????????????????????????????????cdrom_install???????????????????????????????? ??????????????????????????? ???3??Nicht-PnP-Monitor (Standard)????PnP-Monitor (Standard)?????????????????????????????

---- EOF - GMER 1.0.15 ----




Hopefully you can help me. Sorry for my English, it's not my native language. Thanks for any help in advance.
 
OTL logfile created on: 04.09.2012 10:37:09 - Run 2
OTL by OldTimer - Version 3.2.59.1 Folder = D:\Eigene Dateien\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,24 Gb Total Physical Memory | 2,85 Gb Available Physical Memory | 87,81% Memory free
6,48 Gb Paging File | 6,11 Gb Available in Paging File | 94,26% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 195,21 Gb Total Space | 137,20 Gb Free Space | 70,28% Space Free | Partition Type: NTFS
Drive D: | 736,14 Gb Total Space | 127,06 Gb Free Space | 17,26% Space Free | Partition Type: NTFS
Drive F: | 4,37 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF

Computer Name: STELLA-PC | User Name: Stella | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.09.03 13:33:36 | 000,598,528 | ---- | M] (OldTimer Tools) -- D:\Eigene Dateien\Desktop\OTL.exe
PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - File not found [Disabled | Stopped] -- D:\Auction Studio\Database Server\bin\fb_inet_server.exe -- (FirebirdServerauctionstudio)
SRV - [2012.08.28 21:23:55 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.08.21 11:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011.10.15 10:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011.10.15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011.06.06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010.11.20 14:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010.11.20 14:18:03 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2010.10.20 18:41:22 | 000,067,904 | ---- | M] (Nalpeiron Ltd.) [Auto | Stopped] -- C:\Windows\System32\NLSSRV32.EXE -- (nlsX86cc)
SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\VBoxNetFlt.sys -- (VBoxNetFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbdev.sys -- (hwusbdev)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbnet.sys -- (ewusbnet)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2012.08.21 11:13:15 | 000,729,752 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012.08.21 11:13:15 | 000,355,632 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012.08.21 11:13:15 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012.08.21 11:13:14 | 000,058,680 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012.08.21 11:13:14 | 000,044,784 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
DRV - [2012.08.21 11:13:13 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011.10.15 10:53:00 | 010,327,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2011.04.26 11:21:06 | 000,026,624 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010.05.15 16:46:44 | 000,863,616 | ---- | M] (ITE Technologies ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AF9035HB.sys -- (AF9035HB)
DRV - [2009.12.17 16:02:34 | 000,099,152 | ---- | M] (Sun Microsystems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV - [2009.09.23 10:41:58 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2007.01.12 11:20:38 | 000,093,056 | ---- | M] (C-Media Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cmiucr.SYS -- (CMISTOR)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 55 F3 1D A0 D5 59 CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://google.de/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: youtube2mp3@mondayx.de:1.0.7
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll File not found
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012.09.03 23:39:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.09.21 11:20:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.28 21:23:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.03 15:38:57 | 000,000,000 | ---D | M]

[2009.09.10 19:00:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stella\AppData\Roaming\mozilla\Extensions
[2012.08.30 08:29:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stella\AppData\Roaming\mozilla\Firefox\Profiles\pwfurc0d.default\extensions
[2012.08.15 02:25:58 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\Stella\AppData\Roaming\mozilla\Firefox\Profiles\pwfurc0d.default\extensions\ich@maltegoetz.de
[2012.06.27 11:11:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012.09.03 23:39:56 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2012.08.30 08:29:23 | 000,527,328 | ---- | M] () (No name found) -- C:\USERS\STELLA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PWFURC0D.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
[2011.09.05 00:29:08 | 000,011,510 | ---- | M] () (No name found) -- C:\USERS\STELLA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PWFURC0D.DEFAULT\EXTENSIONS\YOUTUBE2MP3@MONDAYX.DE.XPI
[2012.08.28 21:23:55 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.02.16 10:36:59 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012.06.27 11:26:07 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.08.28 21:23:55 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.06.27 11:26:07 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.06.27 11:26:07 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.06.27 11:26:07 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.06.27 11:26:07 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2011.07.02 04:20:27 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{45e98e34-c1eb-11e0-a74b-0024219c6709}\Shell - "" = AutoRun
O33 - MountPoints2\{45e98e34-c1eb-11e0-a74b-0024219c6709}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{6d251ca2-136e-11e1-a709-002127fb2726}\Shell - "" = AutoRun
O33 - MountPoints2\{6d251ca2-136e-11e1-a709-002127fb2726}\Shell\AutoRun\command - "" = E:\INSTALL.EXE
O33 - MountPoints2\{8fff3137-e836-11df-b7be-a9f58e0b8f5e}\Shell - "" = AutoRun
O33 - MountPoints2\{8fff3137-e836-11df-b7be-a9f58e0b8f5e}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{8fff3145-e836-11df-b7be-f89ffda93813}\Shell - "" = AutoRun
O33 - MountPoints2\{8fff3145-e836-11df-b7be-f89ffda93813}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{9873c652-cc75-11df-b0ea-a80981197aa9}\Shell - "" = AutoRun
O33 - MountPoints2\{9873c652-cc75-11df-b0ea-a80981197aa9}\Shell\AutoRun\command - "" = G:\setup.exe AUTORUN=1
O33 - MountPoints2\{d437815f-6b8b-11e0-8fb7-002127fb2726}\Shell - "" = AutoRun
O33 - MountPoints2\{d437815f-6b8b-11e0-8fb7-002127fb2726}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{d437816b-6b8b-11e0-8fb7-002127fb2726}\Shell - "" = AutoRun
O33 - MountPoints2\{d437816b-6b8b-11e0-8fb7-002127fb2726}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.09.04 08:43:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012.09.04 08:43:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012.09.04 08:43:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012.09.04 08:40:36 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- D:\Eigene Dateien\Desktop\spybotsd162.exe
[2012.09.03 23:40:14 | 000,355,632 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012.09.03 23:40:14 | 000,021,256 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012.09.03 23:40:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2012.09.03 23:40:11 | 000,044,784 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr2.sys
[2012.09.03 23:40:10 | 000,054,232 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2012.09.03 23:40:09 | 000,729,752 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012.09.03 23:40:08 | 000,058,680 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012.09.03 23:39:52 | 000,041,224 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012.09.03 23:39:51 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2012.09.03 23:39:44 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012.09.03 23:39:44 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012.09.03 16:46:28 | 004,731,392 | ---- | C] (AVAST Software) -- D:\Eigene Dateien\Desktop\aswMBR.exe
[2012.09.03 16:25:14 | 000,598,528 | ---- | C] (OldTimer Tools) -- D:\Eigene Dateien\Desktop\OTL.exe
[2012.09.03 15:48:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012.09.03 11:51:41 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012.08.15 14:29:58 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012.08.15 14:29:57 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012.08.15 14:29:57 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012.08.15 14:29:57 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012.08.15 14:29:56 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012.08.15 14:29:56 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012.08.15 14:29:56 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012.08.15 13:13:19 | 000,400,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\srcore.dll
[2012.08.15 13:13:18 | 002,345,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012.08.15 13:13:15 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browcli.dll
[2012.08.11 18:21:10 | 000,000,000 | ---D | C] -- D:\Eigene Dateien\Documents\gegl-0.0
[2012.08.06 18:38:11 | 000,000,000 | ---D | C] -- D:\Eigene Dateien\Desktop\pics
[2012.03.18 16:29:08 | 076,763,504 | ---- | C] (Apple Inc.) -- C:\Users\Stella\iTunes64Setup.exe

========== Files - Modified Within 30 Days ==========

[2012.09.04 10:35:21 | 000,801,342 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.09.04 10:35:21 | 000,181,122 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.09.04 10:30:47 | 2610,757,632 | -HS- | M] () -- C:\hiberfil.sys
[2012.09.04 08:40:55 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- D:\Eigene Dateien\Desktop\spybotsd162.exe
[2012.09.04 00:46:11 | 000,015,872 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.09.04 00:46:11 | 000,015,872 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.09.03 23:45:25 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012.09.03 23:40:15 | 000,002,039 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012.09.03 23:40:08 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012.09.03 23:37:42 | 093,654,616 | ---- | M] () -- D:\Eigene Dateien\Desktop\avast_free_antivirus_setup.exe
[2012.09.03 21:29:20 | 000,080,384 | ---- | M] () -- D:\Eigene Dateien\Desktop\MBRCheck.exe
[2012.09.03 20:42:14 | 000,302,592 | ---- | M] () -- D:\Eigene Dateien\Desktop\eckchk3u.exe
[2012.09.03 17:07:06 | 000,000,512 | ---- | M] () -- D:\Eigene Dateien\Desktop\MBR.dat
[2012.09.03 16:44:08 | 004,731,392 | ---- | M] (AVAST Software) -- D:\Eigene Dateien\Desktop\aswMBR.exe
[2012.09.03 16:22:47 | 000,126,200 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.09.03 16:22:47 | 000,004,252 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.09.03 15:48:23 | 000,000,592 | ---- | M] () -- C:\Windows\tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
[2012.09.03 15:27:59 | 000,000,592 | ---- | M] () -- C:\Windows\tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job
[2012.09.03 13:33:36 | 000,598,528 | ---- | M] (OldTimer Tools) -- D:\Eigene Dateien\Desktop\OTL.exe
[2012.08.21 11:13:15 | 000,729,752 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012.08.21 11:13:15 | 000,355,632 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012.08.21 11:13:15 | 000,054,232 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2012.08.21 11:13:14 | 000,058,680 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012.08.21 11:13:14 | 000,044,784 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr2.sys
[2012.08.21 11:13:13 | 000,021,256 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012.08.21 11:12:33 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012.08.21 11:12:23 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2012.08.17 19:12:03 | 001,445,677 | ---- | M] () -- D:\Eigene Dateien\Desktop\bu_info_alteleipziger.pdf
[2012.08.16 14:46:33 | 000,221,632 | ---- | M] () -- D:\Eigene Dateien\Desktop\Meldebogen_2012.pdf
[2012.08.15 14:46:40 | 000,319,832 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.08.12 14:14:59 | 000,116,665 | ---- | M] () -- D:\Eigene Dateien\Desktop\IMG_1005.JPG
[2012.08.11 18:23:45 | 000,007,813 | ---- | M] () -- C:\Users\Stella\.recently-used.xbel
[2012.08.07 13:20:44 | 000,000,217 | ---- | M] () -- D:\Eigene Dateien\Desktop\Yousofe_Payambar_44.wmv
[2012.08.07 13:20:37 | 052,736,000 | ---- | M] () -- D:\Eigene Dateien\Desktop\Yousofe_Payambar_44.wmv.part
[2012.08.06 18:37:56 | 009,754,909 | ---- | M] () -- D:\Eigene Dateien\Desktop\pics.zip
[2012.08.06 02:55:18 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012.08.05 22:36:57 | 000,051,223 | ---- | M] () -- C:\Users\Public\Documents\rechnung.pdf

========== Files Created - No Company Name ==========

[2012.09.03 23:40:15 | 000,002,039 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012.09.03 23:35:46 | 093,654,616 | ---- | C] () -- D:\Eigene Dateien\Desktop\avast_free_antivirus_setup.exe
[2012.09.03 21:30:51 | 000,080,384 | ---- | C] () -- D:\Eigene Dateien\Desktop\MBRCheck.exe
[2012.09.03 21:30:48 | 000,302,592 | ---- | C] () -- D:\Eigene Dateien\Desktop\eckchk3u.exe
[2012.09.03 16:48:09 | 000,000,512 | ---- | C] () -- D:\Eigene Dateien\Desktop\MBR.dat
[2012.09.03 15:48:23 | 000,000,592 | ---- | C] () -- C:\Windows\tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
[2012.09.03 15:27:59 | 000,000,592 | ---- | C] () -- C:\Windows\tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job
[2012.08.17 19:12:03 | 001,445,677 | ---- | C] () -- D:\Eigene Dateien\Desktop\bu_info_alteleipziger.pdf
[2012.08.16 14:46:33 | 000,221,632 | ---- | C] () -- D:\Eigene Dateien\Desktop\Meldebogen_2012.pdf
[2012.08.11 18:23:45 | 000,007,813 | ---- | C] () -- C:\Users\Stella\.recently-used.xbel
[2012.08.11 01:04:41 | 000,116,665 | ---- | C] () -- D:\Eigene Dateien\Desktop\IMG_1005.JPG
[2012.08.07 12:51:16 | 052,736,000 | ---- | C] () -- D:\Eigene Dateien\Desktop\Yousofe_Payambar_44.wmv.part
[2012.08.07 12:51:16 | 000,000,217 | ---- | C] () -- D:\Eigene Dateien\Desktop\Yousofe_Payambar_44.wmv
[2012.08.06 18:37:28 | 009,754,909 | ---- | C] () -- D:\Eigene Dateien\Desktop\pics.zip
[2012.08.05 22:36:54 | 000,051,223 | ---- | C] () -- C:\Users\Public\Documents\rechnung.pdf
[2012.03.20 17:52:14 | 000,016,111 | ---- | C] () -- C:\Users\Stella\Unbenannt 1.odt
[2011.10.15 01:54:52 | 000,321,856 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe
[2011.06.10 06:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2011.04.18 13:34:36 | 000,002,413 | ---- | C] () -- C:\Users\Stella\AppData\Roaming\MPQEditor.ini
[2011.04.16 17:34:40 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011.01.08 05:25:41 | 420,372,268 | ---- | C] () -- C:\Users\Stella\ts3_recording_11_01_08_4_25_38.wav
[2010.11.25 21:25:29 | 000,038,291 | ---- | C] () -- C:\Users\Stella\Rechnung A2550 R2514 - 2010-11-16.pdf
[2010.11.03 19:07:55 | 000,036,864 | ---- | C] () -- C:\Windows\System32\Del_Drv.exe
[2010.01.28 15:37:29 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat

========== LOP Check ==========

[2009.09.24 18:09:39 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Bullzip
[2011.11.23 17:04:14 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\DAEMON Tools Lite
[2010.11.02 12:03:56 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Downloaded Installations
[2011.07.24 00:03:49 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\DVDVideoSoft
[2011.07.23 22:44:55 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\DVDVideoSoftIEHelpers
[2011.04.25 08:41:23 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\EAC
[2009.09.15 17:53:36 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\GHISLER
[2012.07.27 17:33:09 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\gtk-2.0
[2011.07.01 20:21:46 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Juniper Networks
[2012.06.25 17:41:39 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\MediaProSoft Free YouTube to FLV Converter
[2010.11.02 12:08:30 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Nitro PDF
[2010.03.28 03:34:23 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Notepad++
[2009.09.24 18:17:10 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\OpenOffice.org
[2012.01.26 03:22:14 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Opera
[2011.08.08 22:37:18 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\PingBuster
[2011.04.18 14:21:41 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Publish Providers
[2011.04.21 11:14:19 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Sony
[2011.04.27 00:06:36 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Sony Creative Software Inc
[2009.09.11 01:39:10 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\TeamViewer
[2011.09.21 11:20:10 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\Thunderbird
[2012.08.29 19:45:16 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\TS3Client
[2012.07.05 19:50:21 | 000,000,000 | ---D | M] -- C:\Users\Stella\AppData\Roaming\WindSolutions
[2012.08.01 09:09:00 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012.09.03 15:48:23 | 000,000,592 | ---- | M] () -- C:\Windows\Tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
[2012.09.03 15:27:59 | 000,000,592 | ---- | M] () -- C:\Windows\Tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences

< End of report >

OTL Extras logfile created on: 04.09.2012 10:37:09 - Run 2
OTL by OldTimer - Version 3.2.59.1 Folder = D:\Eigene Dateien\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,24 Gb Total Physical Memory | 2,85 Gb Available Physical Memory | 87,81% Memory free
6,48 Gb Paging File | 6,11 Gb Available in Paging File | 94,26% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 195,21 Gb Total Space | 137,20 Gb Free Space | 70,28% Space Free | Partition Type: NTFS
Drive D: | 736,14 Gb Total Space | 127,06 Gb Free Space | 17,26% Space Free | Partition Type: NTFS
Drive F: | 4,37 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF

Computer Name: STELLA-PC | User Name: Stella | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{7032B400-11EC-11E0-A9BF-0013D3D69929}" = MSVCRT Redists
"{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9C2F9B2C-1585-43AD-9EF9-48AAD60DFC04}" = Microsoft IntelliPoint 8.1
"{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}" = Paint.NET v3.5.8
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.1) - Deutsch
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Treiber 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller-Treiber 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.5.20
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C911A0C2-2236-3164-AA47-F2566C01AE5E}" = Microsoft .NET Framework 4 Extended DEU Language Pack
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"avast" = avast! Free Antivirus
"C-Media Card Reader Driver USB2.0" = C-Media Card Reader Driver USB2.0
"GPL Ghostscript 8.70" = GPL Ghostscript 8.70
"LameACM" = Lame ACM MP3 Codec
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework 4 Extended DEU Language Pack" = Microsoft .NET Framework 4 Extended DEU Language Pack
"Microsoft IntelliPoint 8.1" = Microsoft IntelliPoint 8.1
"Mozilla Firefox 15.0 (x86 de)" = Mozilla Firefox 15.0 (x86 de)
"Mozilla Thunderbird (6.0.2)" = Mozilla Thunderbird (6.0.2)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Notepad++" = Notepad++
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Opera 12.02.1578" = Opera 12.02
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"Totalcmd" = Total Commander (Remove or Repair)
"VLC media player" = VLC media player 2.0.2
"Winamp" = Winamp
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinRAR archiver" = WinRAR

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = VSS | ID = 12292
Description =

Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = VSS | ID = 8193
Description =

Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = System Restore | ID = 8193
Description =

Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = System Restore | ID = 8211
Description =

Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = VSS | ID = 13
Description =

Error - 03.09.2012 19:58:40 | Computer Name = Stella-PC | Source = VSS | ID = 12292
Description =

Error - 04.09.2012 03:56:42 | Computer Name = Stella-PC | Source = RasClient | ID = 20227
Description =

Error - 04.09.2012 04:25:31 | Computer Name = Stella-PC | Source = VSS | ID = 13
Description =

Error - 04.09.2012 04:25:31 | Computer Name = Stella-PC | Source = VSS | ID = 12292
Description =

Error - 04.09.2012 04:35:21 | Computer Name = Stella-PC | Source = Microsoft-Windows-LoadPerf | ID = 3002
Description = Der Textzeichenfolgenwert zur Beschreibung des Leistungsindikators
in der Registrierung ist falsch formatiert. Die falsch formatierte Zeichenfolge
ist "Number of WMI High Performance provider returned by WMI Adapter". Das erste
DWORD im Datenbereich enthält den Indexwert für die falsch formatierte Zeichenfolge,
während das zweite und dritte DWORD im Datenbereich die letzten gültigen Indexwerte
enthalten.

[ Media Center Events ]
Error - 05.05.2011 22:59:35 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 04:59:35 - Fehler beim Herstellen der Internetverbindung. 04:59:35
- Serververbindung konnte nicht hergestellt werden..

Error - 05.05.2011 22:59:45 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 04:59:40 - Fehler beim Herstellen der Internetverbindung. 04:59:40
- Serververbindung konnte nicht hergestellt werden..

Error - 08.05.2011 22:59:04 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 04:59:04 - Fehler beim Herstellen der Internetverbindung. 04:59:04
- Serververbindung konnte nicht hergestellt werden..

Error - 08.05.2011 22:59:14 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 04:59:09 - Fehler beim Herstellen der Internetverbindung. 04:59:09
- Serververbindung konnte nicht hergestellt werden..

Error - 08.05.2011 23:59:22 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 05:59:22 - Fehler beim Herstellen der Internetverbindung. 05:59:22
- Serververbindung konnte nicht hergestellt werden..

Error - 08.05.2011 23:59:29 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 05:59:27 - Fehler beim Herstellen der Internetverbindung. 05:59:27
- Serververbindung konnte nicht hergestellt werden..

Error - 09.05.2011 00:59:36 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 06:59:36 - Fehler beim Herstellen der Internetverbindung. 06:59:36
- Serververbindung konnte nicht hergestellt werden..

Error - 09.05.2011 00:59:42 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 06:59:41 - Fehler beim Herstellen der Internetverbindung. 06:59:41
- Serververbindung konnte nicht hergestellt werden..

Error - 09.05.2011 02:01:40 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 08:01:40 - Fehler beim Herstellen der Internetverbindung. 08:01:40
- Serververbindung konnte nicht hergestellt werden..

Error - 09.05.2011 02:01:46 | Computer Name = Stella-PC | Source = MCUpdate | ID = 0
Description = 08:01:45 - Fehler beim Herstellen der Internetverbindung. 08:01:45
- Serververbindung konnte nicht hergestellt werden..

[ System Events ]
Error - 04.09.2012 04:31:24 | Computer Name = Stella-PC | Source = DCOM | ID = 10005
Description =

Error - 04.09.2012 04:31:24 | Computer Name = Stella-PC | Source = DCOM | ID = 10005
Description =

Error - 04.09.2012 04:31:24 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 04.09.2012 04:31:24 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 04.09.2012 04:31:25 | Computer Name = Stella-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068


< End of report >
 
Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Also, include this scan:

Download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
 
Hi, thanks for the fast response. I can't download the file you linked, because Avast Antivirus (which I installed after the infection) is blocking it. What should I do?
 
Right click on Avast icon, mouseover avast! shields control, and select Disable for 1 hour.

Then, try the scan again. If you go to browse the internet right after, right-click on Avast icon, mouseover avast! shields control and Enable protection.
 
# AdwCleaner v2.000 - Datei am 09/05/2012 um 16:26:55 erstellt
# Aktualisiert am 30/08/2012 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (32 bits)
# Benutzer : Stella - STELLA-PC
# Normaler Modus : Normal
# Ausgeführt unter : D:\Eigene Dateien\Desktop\adwcleaner.exe
# Option [Suche]


**** [Dienste] ****


***** [Dateien / Ordner] *****


***** [Registrierungsdatenbank] *****

Schlüssel Gefunden : HKCU\Software\Softonic

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v15.0 (de)

Profilname : default
Datei : C:\Users\Stella\AppData\Roaming\Mozilla\Firefox\Profiles\pwfurc0d.default\prefs.js

[OK] Die Datei ist sauber.

-\\ Opera v12.2.1578.0

Datei : C:\Users\Stella\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [1053 octets] - [05/09/2012 16:23:15]
AdwCleaner[R2].txt - [986 octets] - [05/09/2012 16:26:55]

########## EOF - C:\AdwCleaner[R2].txt - [1045 octets] ##########
 
ComboFix

Please download ComboFix by sUBs from BleepingComputer.com.

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again, this time renaming ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
ComboFix says that the Avast antivirus and antispyware real-time scanners are still active, although I deactivated the program following the instructions from your link. What should I do? Run ComboFix nevertheless?

Edit: okay, I couldn't stop ComboFix, it's running the scan right now. Hopefully it'll work anyway; I'm sure I deactivated Avast antivirus the way it was described, and the system tray icon is currently showing that it is not active.
 
ComboFix 12-09-06.04 - Stella 07/09/2012 14:23:40.1.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.3320.2559 [GMT 2:00]
ausgeführt von:: d:\eigene dateien\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\security\Database\tmp.edb
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-08-07 bis 2012-09-07 ))))))))))))))))))))))))))))))
.
.
2012-09-07 11:55 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1168A916-856F-42D7-865E-80B474A181FA}\mpengine.dll
2012-09-04 06:43 . 2012-09-07 12:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-04 06:43 . 2012-09-07 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-09-03 21:40 . 2012-08-21 09:13 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-09-03 21:40 . 2012-08-21 09:13 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-09-03 21:40 . 2012-08-21 09:13 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-09-03 21:40 . 2012-08-21 09:13 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-09-03 21:40 . 2012-08-21 09:13 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-03 21:40 . 2012-08-21 09:13 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-09-03 21:39 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-09-03 21:39 . 2012-08-21 09:12 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-09-03 21:39 . 2012-09-03 21:39 -------- d-----w- c:\programdata\AVAST Software
2012-09-03 21:39 . 2012-09-03 21:39 -------- d-----w- c:\program files\AVAST Software
2012-09-03 13:48 . 2012-09-03 13:48 -------- d-----w- c:\program files\Common Files\Skype
2012-09-03 09:51 . 2012-09-03 12:28 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-28 19:23 . 2012-08-28 19:23 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-08-15 11:13 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 11:13 . 2012-07-18 17:47 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 11:13 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 11:13 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 11:13 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 11:13 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-15 11:13 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-03 21:45 . 2011-06-06 16:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-06 00:55 . 2012-03-31 12:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 11:46 . 2010-12-05 17:13 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 19:23 . 2011-09-21 09:01 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmiboot]
2007-02-07 10:02 65536 ----a-w- c:\windows\cmiboot.exe
.
R3 AF9035HB;AF9035 Hybrid Device;c:\windows\system32\Drivers\AF9035HB.sys [x]
R3 CMISTOR;CMIUCR.SYS CM320/CM220 Card Reader Driver;c:\windows\system32\DRIVERS\cmiucr.SYS [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
R4 FirebirdServerauctionstudio;Firebird Server - auctionstudio;d:\auction studio\Database Server\bin\fb_inet_server.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Inhalt des "geplante Tasks" Ordners
.
2012-09-03 c:\windows\Tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
- c:\program files\Opera\opera.exe [2011-02-02 21:13]
.
2012-09-03 c:\windows\Tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job
- c:\program files\Opera\opera.exe [2011-02-02 21:13]
.
.
------- Zusätzlicher Suchlauf -------
.
FF - ProfilePath - c:\users\Stella\AppData\Roaming\Mozilla\Firefox\Profiles\pwfurc0d.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.de/
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKCU-Run-Skype - c:\program files\Skype\\Phone\Skype.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-GPL Ghostscript 8.70 - c:\program files\gs\uninstgs.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-09-07 14:28:22
ComboFix-quarantined-files.txt 2012-09-07 12:28
.
Vor Suchlauf: 11 Verzeichnis(se), 147,277,885,440 Bytes frei
Nach Suchlauf: 14 Verzeichnis(se), 147,433,549,824 Bytes frei
.
- - End Of File - - 10E4DBAC41F791CD2780F5349A8F044E
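As an added example, not part of the thread and not ComboFix's own code, here is a PowerShell function that pulls the Run-key entries out of the "Autostartpunkte der Registrierung" section of a ComboFix log like the one above and flags binaries that live outside Program Files or Windows (the kind of location where an autostart like the ja.exe from the first post would turn up). The sample log is constructed: the two genuine Run entries from the log above plus one hypothetical entry under the user profile.

```powershell
# Added example, not part of the thread: triage the Run-key autostarts listed in
# a ComboFix log. Constructed sample: the two genuine entries from the log above
# plus one hypothetical entry ("ja") placed in a user-writable folder.
$SampleLog = @'
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ja"="c:\users\stella\appdata\roaming\ja.exe" [2012-09-02 61440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
'@

# Locations where a legitimately installed autostart binary is expected to live.
# Anything elsewhere (user profile, ProgramData, Temp, drive root) gets flagged
# for a closer look; this is a triage hint, not a verdict.
$TrustedPrefixes = @('c:\program files\', 'c:\program files (x86)\', 'c:\windows\')

function Get-ComboFixRunEntries {
    param([Parameter(Mandatory = $true)][string]$LogText)
    $key = $null
    foreach ($line in ($LogText -split "`r?`n")) {
        # A registry key header opens a section; only Run / RunOnce keys interest us.
        if ($line -match '^\[(?<key>HKEY_[^\]]+)\]$') {
            $hdr = $Matches['key']
            if ($hdr -match '\\Run(Once)?$') { $key = $hdr } else { $key = $null }
            continue
        }
        # ComboFix separates sections with a lone dot.
        if ($line -eq '.') { $key = $null; continue }
        if ($null -eq $key) { continue }
        # Value lines look like: "name"="path" [yyyy-mm-dd size]
        if ($line -match '^"(?<name>[^"]+)"="(?<path>[^"]+)"\s*\[(?<date>\d{4}-\d{2}-\d{2})\s+(?<size>\d+)\]') {
            $path = $Matches['path'].ToLowerInvariant()
            $trusted = $false
            foreach ($p in $TrustedPrefixes) { if ($path.StartsWith($p)) { $trusted = $true } }
            New-Object PSObject -Property @{
                Key      = $key
                Name     = $Matches['name']
                Path     = $Matches['path']
                Modified = $Matches['date']
                Size     = [int]$Matches['size']
                Flagged  = -not $trusted
            }
        }
    }
}

# Flagged entries first; in the constructed sample only "ja" is flagged.
Get-ComboFixRunEntries -LogText $SampleLog |
    Sort-Object Flagged -Descending |
    Format-Table Flagged, Key, Name, Path, Modified, Size -AutoSize
```

To run it over a real log, replace `$SampleLog` with `Get-Content C:\ComboFix.txt -Raw` (or `(Get-Content C:\ComboFix.txt) -join "`n"` on PowerShell 2.0).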
 
ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
 
ComboFix 12-09-06.04 - Stella 10/09/2012 14:04:28.2.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.3320.2364 [GMT 2:00]
ausgeführt von:: d:\eigene dateien\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: d:\eigene dateien\Desktop\CFScript.txt.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-08-10 bis 2012-09-10 ))))))))))))))))))))))))))))))
.
.
2012-09-10 12:09 . 2012-09-10 12:09 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-10 12:09 . 2012-09-10 12:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-07 12:28 . 2012-09-10 12:09 -------- d-----w- c:\users\Stella\AppData\Local\temp
2012-09-07 11:55 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1168A916-856F-42D7-865E-80B474A181FA}\mpengine.dll
2012-09-04 06:43 . 2012-09-07 12:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-04 06:43 . 2012-09-07 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-09-03 21:40 . 2012-08-21 09:13 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-09-03 21:40 . 2012-08-21 09:13 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-09-03 21:40 . 2012-08-21 09:13 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-09-03 21:40 . 2012-08-21 09:13 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-09-03 21:40 . 2012-08-21 09:13 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-03 21:40 . 2012-08-21 09:13 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-09-03 21:39 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-09-03 21:39 . 2012-08-21 09:12 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-09-03 21:39 . 2012-09-03 21:39 -------- d-----w- c:\programdata\AVAST Software
2012-09-03 21:39 . 2012-09-03 21:39 -------- d-----w- c:\program files\AVAST Software
2012-09-03 13:48 . 2012-09-03 13:48 -------- d-----w- c:\program files\Common Files\Skype
2012-09-03 09:51 . 2012-09-03 12:28 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-28 19:23 . 2012-08-28 19:23 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-08-15 11:13 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 11:13 . 2012-07-18 17:47 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 11:13 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 11:13 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 11:13 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 11:13 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-15 11:13 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-03 21:45 . 2011-06-06 16:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-06 00:55 . 2012-03-31 12:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 11:46 . 2010-12-05 17:13 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 19:23 . 2011-09-21 09:01 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmiboot]
2007-02-07 10:02 65536 ----a-w- c:\windows\cmiboot.exe
.
R3 AF9035HB;AF9035 Hybrid Device;c:\windows\system32\Drivers\AF9035HB.sys [x]
R3 CMISTOR;CMIUCR.SYS CM320/CM220 Card Reader Driver;c:\windows\system32\DRIVERS\cmiucr.SYS [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
R4 FirebirdServerauctionstudio;Firebird Server - auctionstudio;d:\auction studio\Database Server\bin\fb_inet_server.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Inhalt des "geplante Tasks" Ordners
.
2012-09-03 c:\windows\Tasks\{47CF8298-97E3-4C46-B2F9-4D36FADB6E41}.job
- c:\program files\Opera\opera.exe [2011-02-02 21:13]
.
2012-09-03 c:\windows\Tasks\{9B5CCA02-3378-4F14-8389-CB50F9B59279}.job
- c:\program files\Opera\opera.exe [2011-02-02 21:13]
.
.
------- Zusätzlicher Suchlauf -------
.
FF - ProfilePath - c:\users\Stella\AppData\Roaming\Mozilla\Firefox\Profiles\pwfurc0d.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.de/
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-09-10 14:09:50
ComboFix-quarantined-files.txt 2012-09-10 12:09
ComboFix2.txt 2012-09-07 12:28
.
Vor Suchlauf: 13 Verzeichnis(se), 147,482,918,912 Bytes frei
Nach Suchlauf: 14 Verzeichnis(se), 147,420,516,352 Bytes frei
.
- - End Of File - - CAEDAB423C37F894957171D6D2E315C7


# AdwCleaner v2.001 - Datei am 09/10/2012 um 14:16:01 erstellt
# Aktualisiert am 09/09/2012 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (32 bits)
# Benutzer : Stella - STELLA-PC
# Bootmodus : Normal
# Ausgeführt unter : D:\Eigene Dateien\Desktop\adwcleaner.exe
# Option [Suche]


**** [Dienste] ****


***** [Dateien / Ordner] *****


***** [Registrierungsdatenbank] *****

Schlüssel Gefunden : HKCU\Software\Softonic

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v15.0 (de)

Profilname : default
Datei : C:\Users\Stella\AppData\Roaming\Mozilla\Firefox\Profiles\pwfurc0d.default\prefs.js

[OK] Die Datei ist sauber.

-\\ Opera v12.2.1578.0

Datei : C:\Users\Stella\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [1053 octets] - [05/09/2012 16:23:15]
AdwCleaner[R2].txt - [1114 octets] - [05/09/2012 16:26:55]
AdwCleaner[R3].txt - [1041 octets] - [10/09/2012 14:16:01]

########## EOF - C:\AdwCleaner[R3].txt - [1101 octets] ##########
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
Hi! If there are no more issues, then we shall finish up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop-down box select your main drive, i.e. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Hi, thanks for your help!

I couldn't create a Restore Point. It says something like "Unexpected Error in Properties Page - Error in the Systemrecovery. (0x81000203). Close the Properties Page and repeat the process."

This error always comes up, even after a reboot. When I boot in safe mode, there is no option to create a restore point. I noticed something else in safe mode though, I don't know if it is important in any way: when I boot in safe mode, I can see 4 USB mass storage drives. I can't see these drives when I boot Windows normally. Maybe they are some leftovers from Daemon Tools I had installed a while ago, maybe I didn't uninstall it properly?

Anyway, I skipped the system restore point creation and did the other points as asked. Here's the log:

Results of screen317's Security Check version 0.99.50
Windows 7 Service Pack 1 x86
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware Version 1.62.0.1300
CCleaner
Adobe Flash Player 11.4.402.265
Mozilla Firefox (15.0)
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````
 
I booted Windows in safe mode again and tried to manually uninstall those 4 drives, but they just keep reappearing by themselves.
 
You need to enable the services for system restore, to do that follow the steps provided below.
1. Click on Start button, now type in services.msc in the search programs and files and hit enter.
2. Now you need to check for the “volume shadow copy” service present in the services windows.
3. After selecting the “volume shadow copy” service you need to right click on the service and select properties and make the startup type as automatic and start the service.
4. Click ok, restart the computer and check for the issue.
Also ensure that you disable any antivirus program on your computer and create a restore point before performing the above steps.
Creating system restore point manually:
1. Open System by clicking the Start button, clicking Control Panel, clicking System and Maintenance, and then clicking System.
2. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Click the System Protection tab, and then click Create.
4. In the System Protection dialog box, type a description, and then click Create.

Info from here

Please download ListParts
  • Run the tool.
  • Check the "list BCD" box.
  • Click "Scan" and post the log (Result.txt) it makes.
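As an added example, not part of the thread, the "enable the shadow-copy services, then create a restore point" steps from the post above done from an elevated PowerShell prompt on Windows 7. It assumes the service short names VSS ("Volume Shadow Copy") and swprv ("Microsoft Software Shadow Copy Provider", the second shadow-copy service listed in services.msc).

```powershell
# Added example, not part of the thread: the services.msc and System Protection
# steps above, run from an elevated PowerShell prompt on Windows 7.
# Assumed service short names: VSS = "Volume Shadow Copy",
# swprv = "Microsoft Software Shadow Copy Provider".
function Enable-ShadowCopyServices {
    param([string[]]$ServiceNames = @('VSS', 'swprv'))
    foreach ($name in $ServiceNames) {
        # Win32_Service exposes the startup type (Auto/Manual/Disabled);
        # Get-Service on older PowerShell versions does not.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $wmi) { Write-Warning "Service '$name' not found"; continue }
        Write-Host ("{0,-6} {1,-45} startup={2} state={3}" -f $name, $wmi.DisplayName, $wmi.StartMode, $wmi.State)
        # A Disabled or stopped shadow-copy service is what the GUI steps above undo.
        Set-Service -Name $name -StartupType Automatic
        if ((Get-Service -Name $name).Status -ne 'Running') { Start-Service -Name $name }
        Write-Host ("{0,-6} now {1}" -f $name, (Get-Service -Name $name).Status)
    }
}

function New-CleanRestorePoint {
    param([string]$Description = 'Clean', [string]$Drive = 'C:\')
    Enable-ComputerRestore -Drive $Drive          # no-op if protection is already on
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    # Confirm it exists; no entry here means the shadow-copy services are still broken.
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber -Descending |
        Select-Object -First 1 SequenceNumber, Description, RestorePointType
}

Enable-ShadowCopyServices
New-CleanRestorePoint -Description 'Clean'
```

If Checkpoint-Computer still fails with 0x81000203 after both services report Running, the problem is outside the two services and the GUI error is not just a disabled-service symptom.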
 
ListParts by Farbar Version: 10-08-2012
Ran by Stella (administrator) on 12-09-2012 at 20:23:41
Windows 7 (X86)
Running From: D:\Eigene Dateien\Desktop
Language: 0407
************************************************************

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 3319.75 MB
Available physical RAM: 2582.89 MB
Total Pagefile: 6637.79 MB
Available Pagefile: 5924.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.73 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:195.21 GB) (Free:138.37 GB) NTFS
2 Drive d: () (Fixed) (Total:736.14 GB) (Free:126.47 GB) NTFS

Datenträger ###  Status         Größe    Frei     Dyn  GPT
---------------  -------------  -------  -------  ---  ---
Datenträger 0    Online          931 GB      0 B
Datenträger 1    Offline         931 GB    64 MB
Datenträger 2    Kein Medium       0 B      0 B
Datenträger 3    Kein Medium       0 B      0 B
Datenträger 4    Kein Medium       0 B      0 B
Datenträger 5    Kein Medium       0 B      0 B

Partitions of Disk 0:
===============

Partition ###  Typ               Größe    Offset
-------------  ----------------  -------  -------
Partition 1    Primär             100 MB  1024 KB
Partition 2    Primär             195 GB   101 MB
Partition 3    Primär             736 GB   195 GB

======================================================================================================

Disk: 0
Partition 1
Typ : 07
Versteckt: Nein
Aktiv : Ja

Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1       System-rese  NTFS   Partition    100 MB  Fehlerfre  System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Typ : 07
Versteckt: Nein
Aktiv : Nein

Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2  C                 NTFS   Partition    195 GB  Fehlerfre  Startpar

======================================================================================================

Disk: 0
Partition 3
Typ : 07
Versteckt: Nein
Aktiv : Nein

Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3  D                 NTFS   Partition    736 GB  Fehlerfre

======================================================================================================

Partitions of Disk 1:
===============

Partition ###  Typ               Größe    Offset
-------------  ----------------  -------  -------
Partition 1    Primär             100 MB  1024 KB
Partition 2    Primär             195 GB   101 MB
Partition 3    Primär             736 GB   195 GB

======================================================================================================

Disk: 1
Partition 1
Typ : 07
Versteckt: Nein
Aktiv : Ja

Dieser Partition ist kein Volume zugewiesen.

======================================================================================================

Disk: 1
Partition 2
Typ : 07
Versteckt: Nein
Aktiv : Nein

Dieser Partition ist kein Volume zugewiesen.

======================================================================================================

Disk: 1
Partition 3
Typ : 07
Versteckt: Nein
Aktiv : Nein

Dieser Partition ist kein Volume zugewiesen.

======================================================================================================

Windows-Start-Manager
---------------------
Bezeichner {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale de-DE
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {0f01e371-9e2c-11de-9033-b7bc93c74439}
resumeobject {0f01e370-9e2c-11de-9033-b7bc93c74439}
displayorder {0f01e371-9e2c-11de-9033-b7bc93c74439}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows-Startladeprogramm
-------------------------
Bezeichner {0f01e371-9e2c-11de-9033-b7bc93c74439}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale de-DE
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {0f01e372-9e2c-11de-9033-b7bc93c74439}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {0f01e370-9e2c-11de-9033-b7bc93c74439}
nx OptIn

Windows-Startladeprogramm
-------------------------
Bezeichner {0f01e372-9e2c-11de-9033-b7bc93c74439}
device ramdisk=[C:]\Recovery\0f01e372-9e2c-11de-9033-b7bc93c74439\Winre.wim,{0f01e373-9e2c-11de-9033-b7bc93c74439}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[C:]\Recovery\0f01e372-9e2c-11de-9033-b7bc93c74439\Winre.wim,{0f01e373-9e2c-11de-9033-b7bc93c74439}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Wiederaufnahme aus dem Ruhezustand
----------------------------------
Bezeichner {0f01e370-9e2c-11de-9033-b7bc93c74439}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale de-DE
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows-Speichertestprogramm
----------------------------
Bezeichner {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=\Device\HarddiskVolume1
path \boot\memtest.exe
description Windows-Speicherdiagnose
locale de-DE
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS-Einstellungen
-----------------
Bezeichner {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debuggereinstellungen
---------------------
Bezeichner {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM-Defekte
-----------
Bezeichner {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Globale Einstellungen
---------------------
Bezeichner {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Startladeprogramm-Einstellungen
-------------------------------
Bezeichner {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisoreinstellungen
-------------------
Bezeichner {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Einstellungen zur Ladeprogrammfortsetzung
-----------------------------------------
Bezeichner {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Geräteoptionen
--------------
Bezeichner {0f01e373-9e2c-11de-9033-b7bc93c74439}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\0f01e372-9e2c-11de-9033-b7bc93c74439\boot.sdi


****** End Of Log ******
 
Hi! I'm checking in with the developer, Farbar, to see what he says about your translation there. Will be back soon!
 
Hi, thanks for all your help.

I tried everything they said on the site you linked, nothing worked. I still can't create a system restore point, and it's the same error that comes up every time I try.

I won't be at home for the weekend, I'll be back on Monday.. I can't reply to anything until then.
 
Hi.. I'm back.

Creating a System Restore Point still doesn't work, but to be honest I never created a system restore point before.. so I don't know if this problem maybe existed even prior to the infection and therefore may not be related to it at all. The issue with the extra drives in safe mode still bugs me a lot.. I keep wondering what is causing that, do you have any ideas regarding that?
 
Ok, I finally figured out how to create a system restore point following these instructions from here:

Hi Gerry.

I've finally cracked it.

In Services I found an item "Microsoft software shadow copy provider"

I had previously been looking for "Volume shadow".

I enabled this and started it. I now have a system restore point.

You need to look for "Microsoft Software Shadow Copy Provider".

Select Start, Control Panel, Administrative Tools, Services. Scroll down the list of Services and place the cursor on "Microsoft Software Shadow Copy Provider". Right click and select Properties. On the General tab change the Startup type to Manual and click on Apply and OK. Exit and restart your computer. Test by trying to create a Restore Point. If this is unsuccessful come back here for further assistance.

I didn't even need to restart the computer, creating a system restore point worked right away. So only the issue with the drives remains, any thoughts on that?
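The manual steps quoted above (enable the "Microsoft Software Shadow Copy Provider" service, then try to create a restore point) can be checked and repeated from an elevated PowerShell prompt. The script below is an added example written for this thread, not something posted by the participants or shipped by any of the tools mentioned; it assumes the service names `swprv` (Microsoft Software Shadow Copy Provider) and `VSS` (Volume Shadow Copy), that System Protection is wanted on drive C:, and that the restore point description is a placeholder you would change.

```powershell
# Added example (not from the thread): check the two services that System Restore
# depends on, fix a Disabled startup type, enable System Protection on C:, and
# create a restore point as a post-cleanup baseline.
# Run from an elevated PowerShell prompt on Windows 7 or later.

$services = 'swprv', 'VSS'   # swprv = Microsoft Software Shadow Copy Provider, VSS = Volume Shadow Copy

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction Stop
    # Win32_Service exposes the startup type (Auto / Manual / Disabled); Get-WmiObject also works on PowerShell 2.0 (Windows 7).
    $cfg = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    Write-Host ("{0,-6} status={1,-8} startup={2}" -f $name, $svc.Status, $cfg.StartMode)

    # A Disabled startup type is exactly what blocked restore-point creation in the quoted fix above.
    if ($cfg.StartMode -eq 'Disabled') {
        Set-Service -Name $name -StartupType Manual
        Write-Host "  -> startup type changed from Disabled to Manual"
    }
}

# System Protection must be on for the drive, otherwise Checkpoint-Computer fails as well.
Enable-ComputerRestore -Drive 'C:\'

# Create the restore point. Description is a placeholder; Windows 8 and later create at most one
# point per 24 hours by default, so a second run in that window will be silently skipped.
Checkpoint-Computer -Description 'Post-cleanup baseline (placeholder)' -RestorePointType 'MODIFY_SETTINGS'

# Confirm that the point actually exists rather than trusting the absence of an error.
Get-ComputerRestorePoint |
    Sort-Object CreationTime -Descending |
    Select-Object -First 3 SequenceNumber, Description, CreationTime
```

The last command is the real check: if no entry with today's date appears, the restore point was not written, regardless of what the service properties dialog shows. Taking a restore point right after cleanup gives you a known-clean baseline to roll back to if anything resurfaces.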
 
We've declared no problem on the drives, no infections, etc...

Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Any other questions before I mark this topic solved?
 