![]() |
|
Log-Analyse und Auswertung: Rechner vermutlich mit SPYEYE oder ZEUS 2 befallenWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
![]() | #1 |
| ![]() Rechner vermutlich mit SPYEYE oder ZEUS 2 befallen Schönen guten Morgen, mir bereitet das Online-Banking Probleme. Wenn ich mich anmelden will, werde ich umgeleitet. Nach Recherchen bei der Bank soll dabei wohl das mobileTan Verfahren manipuliert werden. Passiert ist noch nix. Habe entsprechend der Checkliste defrogger, OTL und GMER beutzt. Die entstandenen Files nachstehend. Leider hat OTL nur ein OTL.txt erzeugt, jedoch kein Extra.txt!? Code:
ATTFilter GMER 1.0.15.15640 - hxxp://www.gmer.net Rootkit scan 2011-07-06 08:30:22 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKS-22A7B0 rev.01.03B01 Running: 4n44ekn5.exe; Driver: C:\Users\ALEXAN~1\AppData\Local\Temp\ugtdapow.sys ---- System - GMER 1.0.15 ---- SSDT 917F08DE ZwCreateSection SSDT 917F08E3 ZwSetContextThread SSDT 917F087F ZwTerminateProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E5C589 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E81092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 340 82E88950 4 Bytes [DE, 08, 7F, 91] {FIMUL WORD [EAX]; JG 0xffffffffffffff95} .text ntkrnlpa.exe!RtlSidHashLookup + 6E0 82E88CF0 4 Bytes [E3, 08, 7F, 91] {JECXZ 0xa; JG 0xffffffffffffff95} .text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82E88DC8 4 Bytes [7F, 08, 7F, 91] {JG 0xa; JG 0xffffffffffffff95} .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91818000, 0x2D5378, 0xE8000020] PAGE peauth.sys 9D47A02C 102 Bytes CALL A91A88BB ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2460] USER32.dll!TrackPopupMenu 76044B3B 5 Bytes JMP 5F4489D7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4108] ntdll.dll!LdrLoadDll 76F6F5B5 5 Bytes JMP 00C713F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0xDE 0xA0 0xEA ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x52 0x4C 0x20 0xC4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5D 0xBC 0x77 0x99 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0xDE 0xA0 0xEA ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x52 0x4C 0x20 0xC4 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5D 0xBC 0x77 0x99 ... Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ... Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ... Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ... Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ... Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ... ---- EOF - GMER 1.0.15 ---- Code:
ATTFilter OTL logfile created on: 06.07.2011 08:10:49 - Run 3 OTL by OldTimer - Version 3.2.26.0 Folder = C:\Users\Alexander\Desktop An unknown product (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,25 Gb Total Physical Memory | 2,19 Gb Available Physical Memory | 67,32% Memory free 6,50 Gb Paging File | 5,27 Gb Available in Paging File | 81,09% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 234,38 Gb Total Space | 11,98 Gb Free Space | 5,11% Space Free | Partition Type: NTFS Drive D: | 231,37 Gb Total Space | 47,86 Gb Free Space | 20,68% Space Free | Partition Type: NTFS Drive F: | 465,76 Gb Total Space | 433,53 Gb Free Space | 93,08% Space Free | Partition Type: NTFS Drive G: | 465,76 Gb Total Space | 465,66 Gb Free Space | 99,98% Space Free | Partition Type: NTFS Drive H: | 465,76 Gb Total Space | 295,49 Gb Free Space | 63,44% Space Free | Partition Type: NTFS Computer Name: PUETZ | User Name: Alexander | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\Alexander\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) PRC - C:\Programme\Real\RealPlayer\realplay.exe (RealNetworks, Inc.) PRC - C:\Programme\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.) PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH) PRC - C:\Windows\System32\atieclxx.exe (AMD) PRC - C:\Windows\System32\atiesrxx.exe (AMD) PRC - C:\Programme\Palm, Inc\novacom\x86\novacomd.exe () PRC - C:\Programme\SpeedFan\speedfan.exe (Almico Software (www.almico.com)) PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation) PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation) PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation) PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) ========== Modules (SafeList) ========== MOD - C:\Users\Alexander\Desktop\OTL.exe (OldTimer Tools) MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH) SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD) SRV - (NovacomD) -- C:\Programme\Palm, Inc\novacom\x86\novacomd.exe () SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation) SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation) SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation) SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (PinnacleSys.MediaServer) -- C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe (Pinnacle Systems) SRV - (FirebirdServerMAGIXInstance) -- C:\Programme\MAGIX\Common\Database\bin\fbserver.exe (MAGIX®) ========== Driver Services (SafeList) ========== DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH) DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH) DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys (Duplex Secure Ltd.) DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.) DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation) DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation) DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation) DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation) DRV - (WinUSB) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation) DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation) DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation) DRV - (RT61) -- C:\Windows\System32\drivers\rt61.sys (Ralink Technology, Corp.) DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH) DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH) DRV - (L1E) -- C:\Windows\System32\drivers\L1E60x86.sys (Atheros Communications, Inc.) DRV - (mv61xx) -- C:\Windows\system32\DRIVERS\mv61xx.sys (Marvell Semiconductor, Inc.) DRV - (DNE) -- C:\Windows\System32\drivers\dne2000.sys (Deterministic Networks, Inc.) DRV - (AsIO) -- C:\Windows\System32\drivers\AsIO.sys () DRV - (CVirtA) -- C:\Windows\System32\drivers\CVirtA.sys (Cisco Systems, Inc.) DRV - (speedfan) -- C:\Windows\system32\speedfan.sys (Windows (R) 2000 DDK provider) DRV - (MarvinBus) -- C:\Windows\System32\drivers\MarvinBus.sys (Pinnacle Systems GmbH) DRV - (PCLEPCI) -- C:\Windows\System32\drivers\Pclepci.sys (Pinnacle Systems GmbH) DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys () DRV - (giveio) -- C:\Windows\system32\giveio.sys () ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-575108277-898839141-3153129286-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKU\S-1-5-21-575108277-898839141-3153129286-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 58 BD 25 4F 2A 3B CC 01 [binary data] IE - HKU\S-1-5-21-575108277-898839141-3153129286-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-575108277-898839141-3153129286-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "hxxp://mail.google.com/mail/?shva=1#inbox" FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 FF - prefs.js..extensions.enabledItems: 2020Player@2020Technologies.com:4.5.2.0 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.448: C:\Program Files\Win7codecs\rm\browser\plugins\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Win7codecs\rm\browser\plugins\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.06.24 14:54:01 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.06.24 14:54:01 | 000,000,000 | ---D | M] FF - HKCU\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.06.24 14:54:01 | 000,000,000 | ---D | M] FF - HKCU\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.06.24 14:54:01 | 000,000,000 | ---D | M] [2009.10.12 20:24:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alexander\AppData\Roaming\mozilla\Extensions [2011.07.05 10:45:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alexander\AppData\Roaming\mozilla\Firefox\Profiles\rfx88r3q.default\extensions [2010.07.25 18:18:36 | 000,000,000 | ---D | M] (20-20 3D Viewer) -- C:\Users\Alexander\AppData\Roaming\mozilla\Firefox\Profiles\rfx88r3q.default\extensions\2020Player@2020Technologies.com [2011.07.05 10:45:20 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2010.10.04 10:40:32 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} [2010.05.26 07:21:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2009.10.15 07:38:21 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [2010.05.26 07:21:56 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010.04.12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2010.07.22 18:29:17 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2010.07.22 18:29:18 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2010.07.22 18:29:18 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2010.07.22 18:29:18 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2010.07.22 18:29:18 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2011.07.05 18:21:14 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O4 - HKLM..\Run: [TrayServer] C:\Programme\MAGIX\Video_deluxe_15_Premium\Trayserver.exe (MAGIX AG) O4 - Startup: C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SpeedFan.lnk = C:\Programme\SpeedFan\speedfan.exe (Almico Software (www.almico.com)) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-575108277-898839141-3153129286-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-575108277-898839141-3153129286-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutorun = 0 O7 - HKU\S-1-5-21-575108277-898839141-3153129286-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-575108277-898839141-3153129286-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2010.04.26 20:45:14 | 000,000,122 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2010.12.27 16:30:15 | 000,000,000 | ---D | M] - C:\AUTOVIEW -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun) ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0 ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6 ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Webordner ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7 ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297) ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help ActiveX: {E78BFA60-5393-4C38-82AB-E8019E464EB4} - .NET Framework ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - File not found NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 30 Days ========== [2011.07.05 18:24:16 | 000,000,000 | ---D | C] -- C:\Windows\temp [2011.07.05 18:23:52 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2011.07.05 18:14:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2011.07.05 18:14:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2011.07.05 18:14:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2011.07.05 18:14:14 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT [2011.07.05 18:14:13 | 000,000,000 | ---D | C] -- C:\ComboFix [2011.07.05 18:14:11 | 000,000,000 | ---D | C] -- C:\Qoobox [2011.07.05 18:10:34 | 004,132,182 | R--- | C] (Swearware) -- C:\Users\Alexander\Desktop\ComboFix.exe [2011.07.05 17:49:50 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Alexander\Desktop\OTL.exe [2011.07.05 14:49:38 | 000,000,000 | ---D | C] -- C:\Users\Alexander\AppData\Roaming\Malwarebytes [2011.07.05 14:48:36 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2011.07.05 14:48:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2011.07.05 14:48:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2011.07.05 14:48:32 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2011.07.05 14:48:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2011.07.05 14:23:41 | 000,000,000 | ---D | C] -- C:\Users\Alexander\AppData\Roaming\Avira [2011.07.04 18:17:15 | 000,000,000 | ---D | C] -- C:\Users\Alexander\Desktop\Broeckers_Provida [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2011.07.06 08:08:48 | 000,302,592 | ---- | M] () -- C:\Users\Alexander\Desktop\4n44ekn5.exe [2011.07.06 08:01:04 | 000,013,248 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2011.07.06 08:01:04 | 000,013,248 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2011.07.06 08:00:04 | 000,682,226 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2011.07.06 08:00:04 | 000,642,408 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2011.07.06 08:00:04 | 000,142,180 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2011.07.06 08:00:04 | 000,117,832 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2011.07.06 07:53:47 | 000,001,100 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2011.07.06 07:53:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2011.07.06 07:53:36 | 2616,496,128 | -HS- | M] () -- C:\hiberfil.sys [2011.07.06 07:52:21 | 000,000,020 | ---- | M] () -- C:\Users\Alexander\defogger_reenable [2011.07.06 07:51:24 | 000,050,477 | ---- | M] () -- C:\Users\Alexander\Desktop\Defogger.exe [2011.07.05 18:21:14 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts [2011.07.05 18:16:00 | 000,001,104 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2011.07.05 18:12:07 | 004,132,182 | R--- | M] (Swearware) -- C:\Users\Alexander\Desktop\ComboFix.exe [2011.07.05 17:50:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Alexander\Desktop\OTL.exe [2011.07.05 17:27:16 | 000,000,349 | ---- | M] () -- C:\Users\Public\Documents\PCLECHAL.INI [2011.07.05 14:48:36 | 000,001,072 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2011.07.04 15:25:54 | 000,004,096 | -H-- | M] () -- C:\Users\Alexander\AppData\Local\keyfile3.drm [2011.07.04 15:03:43 | 000,079,166 | ---- | M] () -- C:\Users\Alexander\Desktop\KZ Krad.pdf [2011.07.04 08:13:04 | 000,138,192 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys [2011.07.04 08:13:04 | 000,066,616 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys [2011.06.26 08:45:56 | 000,256,000 | ---- | M] () -- C:\Windows\PEV.exe [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2011.07.06 08:08:46 | 000,302,592 | ---- | C] () -- C:\Users\Alexander\Desktop\4n44ekn5.exe [2011.07.06 07:52:06 | 000,000,020 | ---- | C] () -- C:\Users\Alexander\defogger_reenable [2011.07.06 07:51:23 | 000,050,477 | ---- | C] () -- C:\Users\Alexander\Desktop\Defogger.exe [2011.07.05 18:14:18 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2011.07.05 18:14:18 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2011.07.05 18:14:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2011.07.05 18:14:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2011.07.05 18:14:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2011.07.05 14:48:36 | 000,001,072 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2011.07.04 15:03:42 | 000,079,166 | ---- | C] () -- C:\Users\Alexander\Desktop\KZ Krad.pdf [2011.02.08 17:06:01 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll [2010.12.14 17:25:34 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI [2010.06.05 14:13:45 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll [2010.05.05 18:24:40 | 000,000,046 | ---- | C] () -- C:\Windows\Speed.INI [2010.04.27 08:28:44 | 000,993,216 | ---- | C] () -- C:\Windows\System32\DVC.EXE [2010.04.27 08:28:44 | 000,167,424 | ---- | C] () -- C:\Windows\System32\lame_enc.dll [2010.04.27 08:28:44 | 000,086,016 | ---- | C] () -- C:\Windows\System32\DVResampleru.dll [2010.04.26 20:53:23 | 000,194,248 | ---- | C] () -- C:\Windows\System32\LTRFD13n.DLL [2010.04.26 20:49:53 | 000,000,097 | ---- | C] () -- C:\Users\Alexander\AppData\Local\fusioncache.dat [2010.04.09 18:39:07 | 000,004,096 | -H-- | C] () -- C:\Users\Alexander\AppData\Local\keyfile3.drm [2010.04.08 15:51:40 | 000,011,489 | ---- | C] () -- C:\Windows\Studio7.ini [2010.04.08 15:51:15 | 000,196,096 | ---- | C] () -- C:\Windows\System32\macd32.dll [2010.04.08 15:51:15 | 000,138,752 | ---- | C] () -- C:\Windows\System32\mase32.dll [2010.04.08 15:51:15 | 000,136,192 | ---- | C] () -- C:\Windows\System32\mamc32.dll [2010.04.08 15:51:15 | 000,057,856 | ---- | C] () -- C:\Windows\System32\masd32.dll [2010.04.08 15:51:15 | 000,027,648 | ---- | C] () -- C:\Windows\System32\ma32.dll [2010.04.06 15:59:53 | 000,237,568 | ---- | C] () -- C:\Windows\System32\qtmlClient.dll [2010.04.06 15:59:53 | 000,000,000 | ---- | C] () -- C:\Windows\Graffiti5.2Pin.ini [2010.04.06 14:20:06 | 000,056,320 | ---- | C] () -- C:\Windows\System32\iyvu9_32.dll [2010.03.16 14:47:22 | 000,120,320 | ---- | C] () -- C:\Users\Alexander\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.01.10 15:49:28 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll [2010.01.10 15:48:55 | 000,007,119 | ---- | C] () -- C:\Windows\mgxoschk.ini [2009.10.17 19:43:29 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll [2009.10.17 13:43:15 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini [2009.10.13 18:27:27 | 000,024,576 | ---- | C] () -- C:\Windows\System32\AsIO.dll [2009.10.13 18:27:26 | 000,012,400 | ---- | C] () -- C:\Windows\System32\drivers\AsIO.sys [2009.10.13 18:11:21 | 000,038,399 | ---- | C] () -- C:\Windows\Ascd_log.ini [2009.10.13 18:11:00 | 000,038,016 | ---- | C] () -- C:\Windows\Ascd_tmp.ini [2009.10.13 11:44:54 | 000,000,056 | ---- | C] () -- C:\Windows\System32\ezsidmv.dat [2009.10.13 10:10:27 | 000,112,688 | ---- | C] () -- C:\Windows\System32\shw32.dll [2009.10.13 10:10:27 | 000,039,095 | ---- | C] () -- C:\Windows\iccsigs.dat [2009.10.13 09:20:19 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI [2009.10.12 20:07:48 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2009.07.14 10:47:43 | 000,682,226 | ---- | C] () -- C:\Windows\System32\perfh007.dat [2009.07.14 10:47:43 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat [2009.07.14 10:47:43 | 000,142,180 | ---- | C] () -- C:\Windows\System32\perfc007.dat [2009.07.14 10:47:43 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat [2009.07.14 06:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat [2009.07.14 06:33:53 | 000,429,448 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT [2009.07.14 04:05:48 | 000,642,408 | ---- | C] () -- C:\Windows\System32\perfh009.dat [2009.07.14 04:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat [2009.07.14 04:05:48 | 000,117,832 | ---- | C] () -- C:\Windows\System32\perfc009.dat [2009.07.14 04:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat [2009.07.14 04:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT [2009.07.14 04:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat [2009.07.14 02:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe [2009.07.14 01:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin [2009.07.14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll [2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll [2009.06.18 19:29:04 | 000,197,654 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat [2009.06.10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat [2009.02.18 17:55:22 | 000,294,912 | ---- | C] () -- C:\Windows\System32\ATIODE.exe [2009.02.03 20:52:04 | 000,045,056 | ---- | C] () -- C:\Windows\System32\ATIODCLI.exe [2007.12.28 17:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS [2004.08.13 09:56:20 | 000,005,810 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys [2004.03.11 01:26:10 | 000,406,016 | ---- | C] () -- C:\Windows\System32\PSDrvCheck.exe [2000.12.29 09:34:01 | 000,019,968 | ---- | C] () -- C:\Windows\System32\Cpuinf32.dll [1996.04.03 21:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys ========== LOP Check ========== [2009.11.01 17:33:52 | 000,000,000 | ---D | M] -- C:\Users\Alexander\AppData\Roaming\CanuckSoftware [2009.11.09 20:12:22 | 000,000,000 | ---D | M] -- C:\Users\Alexander\AppData\Roaming\DAEMON Tools Lite [2010.02.15 22:23:42 | 000,000,000 | ---D | M] -- C:\Users\Alexander\AppData\Roaming\FileOpen [2010.05.06 20:41:03 | 000,000,000 | ---D | M] -- C:\Users\Alexander\AppData\Roaming\Leadertech [2010.01.10 16:44:38 | 000,000,000 | ---D | M] -- C:\Users\Alexander\AppData\Roaming\MAGIX [2010.04.07 12:20:48 | 000,000,000 | ---D | M] -- C:\Users\Alexander\AppData\Roaming\proDAD [2010.01.10 16:54:46 | 000,000,000 | ---D | M] -- C:\Users\Alexander\AppData\Roaming\Sony [2010.04.10 23:56:57 | 000,000,000 | ---D | M] -- C:\Users\Alexander\AppData\Roaming\Topaz Moment [2010.03.16 14:54:23 | 000,000,000 | ---D | M] -- C:\Users\Alexander\AppData\Roaming\Win7codecs [2011.02.23 09:28:07 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*. > [2011.07.05 18:23:52 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN [2011.07.05 18:21:14 | 000,000,000 | ---D | M] -- C:\asdjhasuhas [2009.10.13 09:35:29 | 000,000,000 | ---D | M] -- C:\ATI [2010.12.27 16:30:15 | 000,000,000 | ---D | M] -- C:\AUTOVIEW [2009.10.12 21:05:36 | 000,000,000 | ---D | M] -- C:\Boot [2011.07.05 18:24:17 | 000,000,000 | ---D | M] -- C:\ComboFix [2011.06.06 09:11:21 | 000,000,000 | ---D | M] -- C:\Config.Msi [2009.07.14 06:53:55 | 000,000,000 | -HSD | M] -- C:\Documents and Settings [2009.10.12 20:14:23 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen [2009.10.13 17:30:59 | 000,000,000 | ---D | M] -- C:\HP CLJ3500 [2009.10.13 17:56:16 | 000,000,000 | ---D | M] -- C:\HP Color LaserJet 3500 [2009.10.13 18:11:44 | 000,000,000 | ---D | M] -- C:\Intel [2010.04.08 15:52:01 | 000,000,000 | ---D | M] -- C:\My Music [2009.07.14 04:37:05 | 000,000,000 | ---D | M] -- C:\PerfLogs [2011.07.05 14:48:32 | 000,000,000 | R--D | M] -- C:\Program Files [2011.07.05 14:48:35 | 000,000,000 | ---D | M] -- C:\ProgramData [2009.10.12 20:14:23 | 000,000,000 | -HSD | M] -- C:\Programme [2011.07.05 18:24:16 | 000,000,000 | ---D | M] -- C:\Qoobox [2009.10.12 20:14:23 | 000,000,000 | ---D | M] -- C:\Recovery [2011.07.06 08:11:27 | 000,000,000 | -HSD | M] -- C:\System Volume Information [2010.11.29 10:55:26 | 000,000,000 | ---D | M] -- C:\traffi [2009.10.12 20:14:31 | 000,000,000 | R--D | M] -- C:\Users [2011.07.05 18:24:16 | 000,000,000 | ---D | M] -- C:\Windows < %PROGRAMFILES%\*.exe > < %LOCALAPPDATA%\*.exe > < %systemroot%\*. /mp /s > < MD5 for: EXPLORER.EXE > [2011.02.26 07:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe [2009.07.14 03:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe [2011.02.26 07:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe [2009.10.31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe [2011.02.26 07:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\ERDNT\cache\explorer.exe [2011.02.26 07:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\explorer.exe [2011.02.26 07:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe [2009.08.03 07:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe [2009.08.03 07:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe [2009.10.31 08:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe < MD5 for: REGEDIT.EXE > [2009.07.14 03:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\ERDNT\cache\regedit.exe [2009.07.14 03:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\regedit.exe [2009.07.14 03:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_f4050b883d2c3c08\regedit.exe < MD5 for: USERINIT.EXE > [2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\ERDNT\cache\userinit.exe [2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe [2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe < MD5 for: WININIT.EXE > [2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\ERDNT\cache\wininit.exe [2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe [2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe < MD5 for: WINLOGON.EXE > [2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\ERDNT\cache\winlogon.exe [2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe [2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe [2009.10.28 07:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe [2009.07.14 03:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU > < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-05-06 16:19:12 < > ========== Alternate Data Streams ========== @Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:2EF0B145 < End of report > |
Themen zu Rechner vermutlich mit SPYEYE oder ZEUS 2 befallen |
.dll, 0x00000001, alternate, antivir, avira, bonjour, c:\windows\system32\rundll32.exe, checkliste, defender, e-banking, excel, excel.exe, explorer, firefox, format, google earth, harddisk, langs, locker, logfile, mozilla, nodrives, ntdll.dll, otl.txt, plug-in, programme, realtek, registry, rundll, scan, sched.exe, secure, security, security update, software, sptd.sys, start menu, studio, system, taskhost.exe, temp, usb, version=1.0, winlogon.exe, wmp, zeus 2 |