Geeks to Go
Help! TR/Vundo.Gen and Google Redirect


#1 franckea (New Member, 3 posts)
Hello,

My laptop has been infected with TR/Vundo.Gen for a couple of months. I was first informed by my university's TechCenter, because while I was on the campus net a virus/worm tried to access the network from my computer. They informed me and then I ran the antivirus program Avira AntiVir Control, which detected a trojan, but when it was to be quarantined these "files"/virus couldn't be removed: CLI.EXE, Explorer.EXE, and winlogon.exe. The error number that came up when the files were not able to be removed was "Error Number 26003". My husband completely reinstalled my computer and I thought the problem had been solved. But a few weeks ago I started being redirected while trying to access different internet sites, and not just through Google. I then ran the Avira AntiVir program again and the same type of unremovable files were found, TR/Vundo.Gen. Since I don't have any real computer skills and I have heard about how difficult it is to remove this malware from a computer, I am hoping that you guys will be able to help me; I would REALLY appreciate it. Thank you so much in advance for any help you guys can give me!

Below is my OTL Log (Quick Scan - Scan all users):

OTL logfile created on: 21.08.2011 15:07:24 - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Dokumente und Einstellungen\Brummer\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

893,97 Mb Total Physical Memory | 437,87 Mb Available Physical Memory | 48,98% Memory free
2,12 Gb Paging File | 1,72 Gb Available in Paging File | 81,08% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 74,52 Gb Total Space | 58,54 Gb Free Space | 78,55% Space Free | Partition Type: NTFS

Computer Name: BRUMMER-PC | User Name: Brummer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.08.21 14:42:54 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Brummer\Desktop\OTL.exe
PRC - [2011.08.20 13:10:47 | 000,195,072 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe
PRC - [2011.08.20 13:10:24 | 000,198,656 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Lokale Einstellungen\Temp\csrss.exe
PRC - [2011.08.20 13:10:03 | 000,193,024 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Microsoft\conhost.exe
PRC - [2011.07.03 14:57:48 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2011.02.04 13:10:16 | 000,196,912 | ---- | M] (Nitro PDF Software) -- C:\Programme\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
PRC - [2010.12.13 09:39:27 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2010.06.21 11:37:32 | 000,499,796 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2010.06.21 11:37:14 | 000,561,263 | ---- | M] () -- C:\Programme\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe
PRC - [2010.03.23 14:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2010.03.04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Programme\CDBurnerXP\NMSAccessU.exe
PRC - [2008.04.14 14:00:00 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007.09.05 22:24:20 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2006.07.27 15:19:00 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006.01.02 18:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Programme\ATI Technologies\ATI.ACE\CLI.exe


========== Modules (No Company Name) ==========

MOD - [2011.08.20 13:10:47 | 000,195,072 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe
MOD - [2011.08.20 13:10:24 | 000,198,656 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Lokale Einstellungen\Temp\csrss.exe
MOD - [2011.08.20 13:10:03 | 000,193,024 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Microsoft\conhost.exe
MOD - [2011.07.03 14:57:48 | 001,014,744 | ---- | M] () -- C:\Programme\Mozilla Firefox\js3250.dll
MOD - [2011.03.01 00:37:32 | 000,180,624 | ---- | M] () -- C:\WINDOWS\system32\Primomonnt.dll
MOD - [2011.01.08 17:30:00 | 011,800,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\41f436dae3c8146752d06130f7331527\System.Web.ni.dll
MOD - [2011.01.07 23:48:45 | 000,038,400 | ---- | M] () -- C:\WINDOWS\system32\opnNDTJD.dll
MOD - [2011.01.07 23:30:56 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\ab688d0f9f333ba117832726bfb589c1\System.Configuration.ni.dll
MOD - [2011.01.07 23:28:56 | 005,971,408 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011.01.07 22:42:47 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\a6dbe24cbfe3ab6b318ed3095cc572d8\System.Xml.ni.dll
MOD - [2011.01.07 22:42:40 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\439c466b60614915587c5273eaf0ca7f\System.Windows.Forms.ni.dll
MOD - [2011.01.07 22:42:23 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\dcc0244092fe52e6885b50be25ef3b31\System.Drawing.ni.dll
MOD - [2011.01.07 22:40:59 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2011.01.07 22:40:58 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2011.01.07 22:39:15 | 007,949,824 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\08ffa4d388d5f007869aa7651c458e7c\System.ni.dll
MOD - [2011.01.07 22:39:04 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\7bffd7ff2009f421fe5d229927588496\mscorlib.ni.dll
MOD - [2010.11.10 13:49:38 | 000,301,056 | ---- | M] () -- C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.DEU
MOD - [2010.06.21 11:37:26 | 000,278,528 | ---- | M] () -- C:\Programme\TP-LINK\TP-LINK Wireless Client Utility\twculoc.dll
MOD - [2010.06.21 11:37:26 | 000,163,840 | ---- | M] () -- C:\Programme\TP-LINK\TP-LINK Wireless Client Utility\oemresloc.dll
MOD - [2010.06.21 11:37:22 | 000,077,824 | ---- | M] () -- C:\WINDOWS\system32\wgapiloc.dll
MOD - [2010.06.21 11:37:14 | 000,561,263 | ---- | M] () -- C:\Programme\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe
MOD - [2010.06.21 11:37:14 | 000,422,000 | ---- | M] () -- C:\WINDOWS\system32\wgapi.dll
MOD - [2010.06.17 15:27:02 | 000,355,688 | ---- | M] () -- C:\Programme\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2010.03.23 14:26:48 | 000,201,512 | ---- | M] () -- C:\WINDOWS\system32\vpnapi.dll
MOD - [2010.03.04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Programme\CDBurnerXP\NMSAccessU.exe
MOD - [2008.06.04 08:53:14 | 000,026,624 | ---- | M] () -- C:\WINDOWS\system32\spd__l.dll
MOD - [2007.03.16 19:10:48 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011.02.04 13:10:16 | 000,196,912 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Programme\Nitro PDF\Reader\NitroPDFReaderDriverService.exe -- (NitroReaderDriverReadSpool)
SRV - [2010.12.13 09:39:27 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010.12.13 09:39:19 | 000,267,944 | ---- | M] (Avira GmbH) [Disabled | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010.08.09 04:04:02 | 000,131,888 | ---- | M] (Samsung Electronics CO., LTD.) [On_Demand | Stopped] -- C:\WINDOWS\System32\SUPDSvc.exe -- (Samsung UPD Service)
SRV - [2010.06.21 11:37:32 | 000,499,796 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2010.03.23 14:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Programme\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2010.03.04 23:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Programme\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2010.02.19 14:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009.03.21 16:06:58 | 000,163,025 | RHS- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\joogcq.dll -- (cfkveeg)
SRV - [2006.10.26 20:49:34 | 000,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2011.01.08 18:27:19 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010.12.13 09:39:39 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010.07.28 05:45:30 | 001,756,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athuw.sys -- (AR9271)
DRV - [2010.06.21 11:37:32 | 000,058,208 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2010.06.17 15:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010.03.23 14:15:36 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009.11.12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009.03.18 19:08:10 | 000,103,744 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2008.11.16 19:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007.11.14 20:05:16 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007.03.16 19:10:56 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007.02.16 02:56:49 | 000,011,984 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2007.01.18 21:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006.11.15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006.11.11 18:25:20 | 000,066,944 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\thdudf.sys -- (thdudf)
DRV - [2006.10.11 22:43:56 | 001,777,152 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006.07.27 15:24:28 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006.07.02 00:30:28 | 000,043,520 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005.07.22 12:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005.07.22 12:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005.07.22 12:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1454471165-630328440-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.update.mi...ault.aspx?ln=de
IE - HKU\S-1-5-21-1454471165-630328440-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1454471165-630328440-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51455

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:2.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 51455
FF - prefs.js..network.proxy.type: 1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Programme\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Programme\Mozilla Firefox\components [2011.08.08 18:43:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2011.07.03 14:57:56 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Programme\Mein Gutscheincode Finder\Firefox [2011.05.14 10:44:41 | 000,000,000 | ---D | M]

[2011.01.07 22:03:53 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Mozilla\Extensions
[2011.08.21 13:32:44 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Mozilla\Firefox\Profiles\hfb9lava.default\extensions
[2011.01.07 23:01:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Mozilla\Firefox\Profiles\hfb9lava.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.08.21 13:32:44 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2011.01.07 23:32:49 | 000,000,000 | ---D | M] (Skype extension) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011.01.10 20:47:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011.01.07 23:17:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011.01.07 23:16:56 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAMME\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011.05.14 10:44:41 | 000,000,000 | ---D | M] (Mein Gutscheincode Finder) -- C:\PROGRAMME\MEIN GUTSCHEINCODE FINDER\FIREFOX
[2011.01.07 23:16:55 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\mozilla firefox\plugins\npdeployJava1.dll
[2011.05.17 13:56:24 | 000,001,392 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.05.17 13:56:24 | 000,002,344 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\eBay-de.xml
[2011.05.17 13:56:24 | 000,006,805 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml
[2011.05.17 13:56:24 | 000,001,178 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml
[2011.05.17 13:56:24 | 000,001,105 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2011.01.10 19:23:22 | 000,000,894 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Mein Gutscheincode Finder zeigt automatisch Shopping-Gutscheine an mit denen Sie beim Online-Einkauf sparen können.) - {1ED16E0A-E8C4-40A0-8BC2-79485D21F796} - C:\Programme\Mein Gutscheincode Finder\Internet Explorer\x86\ConversionOneIE.dll (Conversion One GmbH)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnNDTJD.dll ()
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [ATICCC] C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [conhost] C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Microsoft\conhost.exe ()
O4 - HKLM..\Run: [IDTSysTrayApp] C:\WINDOWS\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Programme\Gemeinsame Dateien\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [TWCU] C:\Programme\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe ()
F3 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003 WinNT: Load - (C:\DOKUME~1\Brummer\LOKALE~1\Temp\csrss.exe) - C:\Dokumente und Einstellungen\Brummer\Lokale Einstellungen\Temp\csrss.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1294428518093 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1294430826500 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003 Winlogon: Shell - (C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe) - C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\opnNDTJD: DllName - opnNDTJD.dll - C:\WINDOWS\System32\opnNDTJD.dll ()
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Brummer\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Brummer\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnNDTJD.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011.01.07 18:26:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{12f95714-5e8e-11e0-9c0a-74ea3a90d3ca}\Shell - "" = AutoRun
O33 - MountPoints2\{12f95714-5e8e-11e0-9c0a-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{12f95714-5e8e-11e0-9c0a-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{3aa4fb26-7e08-11e0-9c3d-74ea3a90d3ca}\Shell - "" = AutoRun
O33 - MountPoints2\{3aa4fb26-7e08-11e0-9c3d-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3aa4fb26-7e08-11e0-9c3d-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{44788bfe-1cdb-11e0-9b28-74ea3a90d3ca}\Shell - "" = AutoRun
O33 - MountPoints2\{44788bfe-1cdb-11e0-9b28-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{44788bfe-1cdb-11e0-9b28-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{7868f6d8-81d2-11e0-9c47-74ea3a90d3ca}\Shell - "" = AutoRun
O33 - MountPoints2\{7868f6d8-81d2-11e0-9c47-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7868f6d8-81d2-11e0-9c47-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{9e74a6be-6b8a-11e0-9c24-8b319a5cf334}\Shell - "" = AutoRun
O33 - MountPoints2\{9e74a6be-6b8a-11e0-9c24-8b319a5cf334}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9e74a6be-6b8a-11e0-9c24-8b319a5cf334}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{a0093f1d-1a7b-11e0-9afe-b836f53cc618}\Shell - "" = AutoRun
O33 - MountPoints2\{a0093f1d-1a7b-11e0-9afe-b836f53cc618}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a0093f1d-1a7b-11e0-9afe-b836f53cc618}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{ec459642-54b9-11e0-9bde-74ea3a90d3ca}\Shell - "" = AutoRun
O33 - MountPoints2\{ec459642-54b9-11e0-9bde-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ec459642-54b9-11e0-9bde-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{f2d12456-99a4-11e0-9c8d-971d401db034}\Shell - "" = AutoRun
O33 - MountPoints2\{f2d12456-99a4-11e0-9c8d-971d401db034}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f2d12456-99a4-11e0-9c8d-971d401db034}\Shell\AutoRun\command - "" = "G:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{f2d12457-99a4-11e0-9c8d-971d401db034}\Shell - "" = AutoRun
O33 - MountPoints2\{f2d12457-99a4-11e0-9c8d-971d401db034}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f2d12457-99a4-11e0-9c8d-971d401db034}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.08.21 14:42:54 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Brummer\Desktop\OTL.exe
[2011.08.21 14:21:10 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Brummer\Eigene Dateien\Kopie von BRDHA
[2011.08.19 09:18:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Brummer\Desktop\EigenOrdner
[2011.08.19 08:40:45 | 000,306,320 | ---- | C] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
[2011.08.17 15:05:28 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Brummer\Eigene Dateien\VerhandlungsdemokratieHA.Data
[2011.08.11 14:52:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Brummer\Eigene Dateien\BRDHA
[2011.01.13 20:54:50 | 063,293,952 | ---- | C] (Microsoft Corporation) -- C:\Programme\EndNote-X4.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.08.21 14:47:00 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2011.08.21 14:42:54 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Brummer\Desktop\OTL.exe
[2011.08.21 14:37:42 | 000,085,768 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\C67A.C0D
[2011.08.21 14:26:00 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011.08.21 14:24:00 | 000,000,250 | -H-- | M] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011.08.21 12:51:43 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011.08.21 12:51:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011.08.21 02:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-BRUMMER-PC-Brummer.job
[2011.08.20 13:10:47 | 000,195,072 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe
[2011.08.19 08:40:46 | 000,306,320 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
[2011.08.18 14:33:34 | 000,012,326 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Eigene Dateien\VerhandlungsdemokratieHA.enl
[2011.08.09 20:05:45 | 000,002,243 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Skype.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.08.17 15:05:28 | 000,012,326 | ---- | C] () -- C:\Dokumente und Einstellungen\Brummer\Eigene Dateien\VerhandlungsdemokratieHA.enl
[2011.07.04 18:09:54 | 000,195,072 | ---- | C] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe
[2011.07.04 18:09:34 | 000,085,768 | ---- | C] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\C67A.C0D
[2011.07.01 11:32:59 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2011.04.06 18:14:57 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\hpgt34.dll
[2011.02.10 06:03:48 | 000,000,306 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2011.01.13 19:38:05 | 023,756,800 | ---- | C] () -- C:\Programme\McAfee_8.7i_20100713.exe
[2011.01.12 10:53:17 | 008,081,408 | ---- | C] () -- C:\Programme\vpnclient-win-msi-5.0.07.0290-k9.exe
[2011.01.12 01:22:10 | 000,061,952 | ---- | C] () -- C:\Dokumente und Einstellungen\Brummer\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.01.11 20:26:54 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011.01.10 20:28:22 | 000,075,776 | ---- | C] () -- C:\WINDOWS\cadkasdeinst01e.exe
[2011.01.10 20:18:25 | 000,259,888 | ---- | C] () -- C:\WINDOWS\SUPDRun.exe
[2011.01.10 20:18:24 | 000,283,136 | ---- | C] () -- C:\WINDOWS\System32\DscPnt.dll
[2011.01.10 20:18:24 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\spd__l.dll
[2011.01.10 20:18:21 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\spd__ci.exe
[2011.01.10 19:35:09 | 000,080,896 | ---- | C] () -- C:\WINDOWS\cadkasdeinst01.exe
[2011.01.08 00:44:58 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\nnnoOhGx.dll
[2011.01.07 23:49:21 | 000,001,159 | ---- | C] () -- C:\WINDOWS\System32\wvUoOGXO.dll
[2011.01.07 23:48:45 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\opnNDTJD.dll
[2011.01.07 23:35:06 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011.01.07 23:26:12 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2011.01.07 22:03:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011.01.07 21:04:13 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2011.01.07 21:04:04 | 000,422,000 | ---- | C] () -- C:\WINDOWS\System32\wgapi.dll
[2011.01.07 21:04:04 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\wgapiloc.dll
[2011.01.07 20:49:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2011.01.07 20:49:17 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2011.01.07 20:49:17 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2011.01.07 20:35:00 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2011.01.07 20:34:59 | 000,136,650 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011.01.07 20:01:27 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011.01.07 18:29:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011.01.07 18:22:33 | 000,021,740 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011.01.07 18:08:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011.01.07 18:06:41 | 003,518,136 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.03.23 14:26:48 | 000,201,512 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2010.03.23 14:17:40 | 000,197,416 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008.04.14 14:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008.04.14 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008.04.14 14:00:00 | 000,451,948 | ---- | C] () -- C:\WINDOWS\System32\perfh007.dat
[2008.04.14 14:00:00 | 000,435,594 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008.04.14 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008.04.14 14:00:00 | 000,269,480 | ---- | C] () -- C:\WINDOWS\System32\perfi007.dat
[2008.04.14 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008.04.14 14:00:00 | 000,163,025 | RHS- | C] () -- C:\WINDOWS\System32\joogcq.dll
[2008.04.14 14:00:00 | 000,081,150 | ---- | C] () -- C:\WINDOWS\System32\perfc007.dat
[2008.04.14 14:00:00 | 000,068,490 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008.04.14 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008.04.14 14:00:00 | 000,034,478 | ---- | C] () -- C:\WINDOWS\System32\perfd007.dat
[2008.04.14 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008.04.14 14:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008.04.14 14:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008.04.14 14:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008.04.14 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011.01.08 18:26:29 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Canneverbe Limited
[2011.01.08 18:30:05 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\DAEMON Tools Lite
[2011.07.01 11:34:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nitro PDF
[2011.01.10 22:08:40 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\regid.1986-12.com.adobe
[2011.01.07 23:55:52 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SlySoft
[2011.01.31 16:31:50 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Thomson.ResearchSoft.Installers
[2011.01.07 21:02:59 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TP-LINK
[2011.01.15 17:25:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\avc
[2011.01.15 17:24:24 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\AVCWare
[2011.01.10 20:28:33 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\CAD-KAS
[2011.01.08 18:26:28 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Canneverbe Limited
[2011.01.08 18:30:58 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\DAEMON Tools
[2011.01.08 18:31:36 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\DAEMON Tools Lite
[2011.01.08 18:30:58 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\DAEMON Tools Pro
[2011.02.15 12:15:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\EndNote
[2011.01.15 18:19:31 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\GetRightToGo
[2011.07.01 11:35:34 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Nitro PDF
[2011.07.01 11:32:59 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\OpenCandy
[2011.01.10 21:21:49 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\OpenOffice.org
[2011.01.15 18:22:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Pavtube
[2011.08.03 14:28:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\PrimoPDF
[2011.07.17 12:37:35 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\UseNeXT
[2011.01.15 17:19:21 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Xilisoft
[2011.08.21 14:26:00 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011.08.21 14:24:00 | 000,000,250 | -H-- | M] () -- C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011.08.21 14:47:00 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

========== Purity Check ==========



< End of report >
#2
Gammo

Hi,

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - [2009.03.21 16:06:58 | 000,163,025 | RHS- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\joogcq.dll -- (cfkveeg)
    IE - HKU\S-1-5-21-1454471165-630328440-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-21-1454471165-630328440-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51455
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 51455
    FF - prefs.js..network.proxy.type: 1
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnNDTJD.dll ()
    O4 - HKLM..\Run: [conhost] C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Microsoft\conhost.exe ()
    F3 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003 WinNT: Load - (C:\DOKUME~1\Brummer\LOKALE~1\Temp\csrss.exe) - C:\Dokumente und Einstellungen\Brummer\Lokale Einstellungen\Temp\csrss.exe ()
    O20 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003 Winlogon: Shell - (C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe) - C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe ()
    O20 - Winlogon\Notify\opnNDTJD: DllName - opnNDTJD.dll - C:\WINDOWS\System32\opnNDTJD.dll ()
    O28 - HKLM ShellExecuteHooks: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnNDTJD.dll ()
    O33 - MountPoints2\{12f95714-5e8e-11e0-9c0a-74ea3a90d3ca}\Shell - "" = AutoRun
    O33 - MountPoints2\{12f95714-5e8e-11e0-9c0a-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{12f95714-5e8e-11e0-9c0a-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    O33 - MountPoints2\{3aa4fb26-7e08-11e0-9c3d-74ea3a90d3ca}\Shell - "" = AutoRun
    O33 - MountPoints2\{3aa4fb26-7e08-11e0-9c3d-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{3aa4fb26-7e08-11e0-9c3d-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    O33 - MountPoints2\{44788bfe-1cdb-11e0-9b28-74ea3a90d3ca}\Shell - "" = AutoRun
    O33 - MountPoints2\{44788bfe-1cdb-11e0-9b28-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{44788bfe-1cdb-11e0-9b28-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    O33 - MountPoints2\{7868f6d8-81d2-11e0-9c47-74ea3a90d3ca}\Shell - "" = AutoRun
    O33 - MountPoints2\{7868f6d8-81d2-11e0-9c47-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7868f6d8-81d2-11e0-9c47-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    O33 - MountPoints2\{9e74a6be-6b8a-11e0-9c24-8b319a5cf334}\Shell - "" = AutoRun
    O33 - MountPoints2\{9e74a6be-6b8a-11e0-9c24-8b319a5cf334}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{9e74a6be-6b8a-11e0-9c24-8b319a5cf334}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    O33 - MountPoints2\{a0093f1d-1a7b-11e0-9afe-b836f53cc618}\Shell - "" = AutoRun
    O33 - MountPoints2\{a0093f1d-1a7b-11e0-9afe-b836f53cc618}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a0093f1d-1a7b-11e0-9afe-b836f53cc618}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    O33 - MountPoints2\{ec459642-54b9-11e0-9bde-74ea3a90d3ca}\Shell - "" = AutoRun
    O33 - MountPoints2\{ec459642-54b9-11e0-9bde-74ea3a90d3ca}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{ec459642-54b9-11e0-9bde-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    O33 - MountPoints2\{f2d12456-99a4-11e0-9c8d-971d401db034}\Shell - "" = AutoRun
    O33 - MountPoints2\{f2d12456-99a4-11e0-9c8d-971d401db034}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{f2d12456-99a4-11e0-9c8d-971d401db034}\Shell\AutoRun\command - "" = "G:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{f2d12457-99a4-11e0-9c8d-971d401db034}\Shell - "" = AutoRun
    O33 - MountPoints2\{f2d12457-99a4-11e0-9c8d-971d401db034}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{f2d12457-99a4-11e0-9c8d-971d401db034}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2011.08.21 14:47:00 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
    [2011.08.21 14:37:42 | 000,085,768 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\C67A.C0D
    [2011.08.21 14:26:00 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
    [2011.08.21 14:24:00 | 000,000,250 | -H-- | M] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
    [2011.08.20 13:10:47 | 000,195,072 | ---- | M] () -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe
    [2011.01.08 00:44:58 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\nnnoOhGx.dll
    [2011.01.07 23:49:21 | 000,001,159 | ---- | C] () -- C:\WINDOWS\System32\wvUoOGXO.dll
    [2011.01.07 23:48:45 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\opnNDTJD.dll
    [2011.07.01 11:32:59 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\OpenCandy
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    C:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
    D:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
    E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
    F:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
    G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
    H:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
    I:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
    J:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done





Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
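As an added example, not code from the helper, OTL or the ComboFix project, here is a small triage pass that encodes the pattern behind the fix above (a proxy pointed at the loopback address, AutoRun commands that launch a payload out of a RECYCLER folder, system-binary names running from the user profile or Temp, a hidden unsigned service DLL, and a Winlogon Shell that is not explorer.exe) and runs it over a handful of entries copied from this thread's log. The regular expressions and function names are assumptions made for this illustration, not OTL's own matching logic.

```python
import re
from typing import Dict, List

# Heuristics modelled on the entries the fix in this thread targets.
# The patterns are assumptions about OTL's line layout, written for this
# example; they are not OTL's own detection logic.
HEURISTICS = [
    ("proxy redirected to loopback (browser traffic hijack)",
     re.compile(r'"ProxyServer"\s*=\s*http=127\.0\.0\.1:\d+'
                r'|network\.proxy\.http:\s*"127\.0\.0\.1"')),
    ("AutoRun command launches a payload from a RECYCLER folder",
     re.compile(r'MountPoints2\\.*\\AutoRun\\command.*\\RECYCLER\\', re.I)),
    ("system-binary name running from a user profile or Temp folder",
     re.compile(r'\\(?:Anwendungsdaten|Application Data|Temp)\\(?:Microsoft\\)?'
                r'(?:dwm|csrss|conhost|winlogon|explorer)\.exe', re.I)),
    ("hidden/system-attributed service DLL with no company name",
     re.compile(r'^SRV - \[[^\]]*\| RHS- \|[^\]]*\] \(\)')),
]
# Winlogon Shell is captured separately because only its value decides.
SHELL_ENTRY = re.compile(r'Winlogon: Shell - \(([^)]*)\)', re.I)

def triage_line(line: str) -> List[str]:
    """Return the reasons this OTL line deserves a look (empty if none)."""
    reasons = [why for why, pat in HEURISTICS if pat.search(line)]
    m = SHELL_ENTRY.search(line)
    if m and m.group(1).strip().lower() != "explorer.exe":
        reasons.append("Winlogon Shell replaced: " + m.group(1))
    return reasons

def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged line (whitespace-stripped) to its reasons."""
    result: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            result[line] = reasons
    return result

# Constructed sample: entries copied from the log and fix posted above,
# plus two benign ones (the stock explorer.exe shell and a WD AutoRun).
SAMPLE_LOG = r"""
SRV - [2009.03.21 16:06:58 | 000,163,025 | RHS- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\joogcq.dll -- (cfkveeg)
IE - HKU\S-1-5-21-1454471165-630328440-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51455
FF - prefs.js..network.proxy.http: "127.0.0.1"
O4 - HKLM..\Run: [conhost] C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\Microsoft\conhost.exe ()
F3 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003 WinNT: Load - (C:\DOKUME~1\Brummer\LOKALE~1\Temp\csrss.exe) - C:\Dokumente und Einstellungen\Brummer\Lokale Einstellungen\Temp\csrss.exe ()
O20 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1454471165-630328440-1417001333-1003 Winlogon: Shell - (C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe) - C:\Dokumente und Einstellungen\Brummer\Anwendungsdaten\dwm.exe ()
O33 - MountPoints2\{12f95714-5e8e-11e0-9c0a-74ea3a90d3ca}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{f2d12456-99a4-11e0-9c8d-971d401db034}\Shell\AutoRun\command - "" = "G:\WD SmartWare.exe" autoplay=true
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry[:70], "->", "; ".join(why))
```

Of the nine sample entries, seven are flagged; the stock explorer.exe shell and the WD SmartWare AutoRun pass clean, which is the same split the helper's fix makes.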
#3
franckea

Hello,

I am not sure if this is what was supposed to happen or not, which is why I am replying rather than going on further. I opened OTL and copied and pasted the text that you gave me into the box at the bottom. I have a German version of OTL, so I might have clicked the wrong button; it said "fix" in red and was directly below "scan" and kitty-corner from Quick Scan. But as soon as I pressed the Fix button my computer screen went blue and I received a text that said an important process or thread had been broken off or ended and now the system had to end. Is this normal, and should I continue with ComboFix? Thank you!
#4
Gammo

No, that's definitely not normal. Please delete your copy of OTL.exe from the desktop. Then download the latest version of OTL and try running the fix again.

If it gives you the same problem again, please continue with ComboFix. :)
#5
franckea

Thank you for your quick response. I deleted the OTL file and then emptied my trash. Now I can't download any OTL files, and not just the .exe; the .scr and .com files aren't working either, and I have tried a couple of different links from more than one site. It downloads, and then the file either has 0 bytes or, when I try to open it, I receive an error message that the file is invalid. Is there a way to fix this, or should I try to have my operating system reinstalled again? Again, thank you so much for your help.
#6
Gammo

http://oldtimer.geekstogo.com/OTL.exe
Doesn't that link work? If not, please reboot your PC and try downloading OTL again afterwards.

If you then still can't download OTL, please continue with the ComboFix instructions. :)