Bka-Trojaner OTL.txt

galli · 01.08.2011, 14:31

Servus,

also vorab, ich hab es geschafft diesen miesen Plagegeist zu deaktiveren und ihn mir Avira zu löschen. Nun soll er sich aber in einigen Registries eingenistet haben, also hab ich grad OTLPE durchlaufen lassen.

OTL.txt

OTL logfile created on: 01.08.2011 15:17:18 - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = F:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 66,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 80,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,58 Gb Total Space | 186,29 Gb Free Space | 64,55% Space Free | Partition Type: NTFS
Drive D: | 291,58 Gb Total Space | 194,95 Gb Free Space | 66,86% Space Free | Partition Type: NTFS
Drive F: | 436,59 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: GALLI-PC | User Name: Galli
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (RoxLiveShare9)
SRV - [2011.06.13 20:20:04 | 001,036,104 | ---- | M] (Lavasoft) [Auto] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009.08.05 23:16:36 | 000,185,089 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.05.13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009.05.07 02:01:00 | 000,368,640 | R--- | M] (AVM Berlin) [Auto] -- C:\Programme\avmwlanstick\WLanNetService.exe -- (AVM WLAN Connection Service)
SRV - [2009.04.30 13:23:26 | 000,090,112 | ---- | M] () [Auto] -- C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
SRV - [2008.12.12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008.09.24 14:32:48 | 000,935,208 | ---- | M] (Nero AG) [Auto] -- C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008.04.25 13:30:26 | 000,024,576 | ---- | M] () [Auto] -- C:\Programme\Acer\Empowering Technology\Service\ETService.exe -- (ETService)
SRV - [2008.03.04 23:38:34 | 000,500,784 | ---- | M] (Egis Incorporated) [Auto] -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2008.01.29 12:25:10 | 000,598,016 | ---- | M] () [Auto] -- C:\Programme\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
SRV - [2008.01.29 12:24:46 | 000,163,840 | ---- | M] () [Auto] -- C:\Programme\bin32\nSvcIp.exe -- (nSvcIp)
SRV - [2008.01.25 18:49:04 | 000,269,448 | ---- | M] (CyberLink) [Auto] -- C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe -- (Acer HomeMedia Connect Service)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.11.21 13:17:02 | 000,017,408 | ---- | M] () [Auto] -- D:\Hercules\Audio\DJ Console Series\HerculesDJControlMP3.EXE -- (HerculesDJControlMP3)
SRV - [2007.09.04 10:14:34 | 000,087,344 | ---- | M] (AVM Berlin) [Auto] -- C:\Program Files\FRITZ!DSL\IGDCTRL.EXE -- (IGDCTRL)
SRV - [2007.04.25 14:18:48 | 000,537,520 | ---- | M] ( ) [Auto] -- C:\Windows\System32\lxbvcoms.exe -- (lxbv_device)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (ZDPSp60)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] -- -- (NPPTNT2)
DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
DRV - File not found [Kernel | On_Demand] -- -- (GGSAFERDriver)
DRV - File not found [Kernel | On_Demand] -- -- (cpuz132)
DRV - [2010.07.10 06:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010.05.06 13:58:06 | 000,141,312 | ---- | M] (© Guillemot R&D, 2010. All rights reserved.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\HDJMidi.sys -- (HDJMidi)
DRV - [2010.05.06 13:58:02 | 000,135,168 | ---- | M] (© Guillemot R&D, 2010. All rights reserved.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\HDJBulk.sys -- (Bulk)
DRV - [2009.12.07 19:27:35 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009.08.12 21:21:32 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2009.06.22 20:32:40 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2009.05.11 10:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.05.08 01:02:30 | 000,724,992 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
DRV - [2009.05.07 02:01:00 | 000,265,088 | ---- | M] (AVM GmbH) [Kernel | On_Demand] -- C:\Windows\System32\drivers\fwlanusb.sys -- (FWLANUSB)
DRV - [2009.04.23 02:02:00 | 000,440,832 | ---- | M] (AVM GmbH) [Kernel | On_Demand] -- C:\Windows\System32\drivers\fwlanusbn.sys -- (fwlanusbn)
DRV - [2009.04.23 02:02:00 | 000,004,352 | ---- | M] (AVM Berlin) [Kernel | On_Demand] -- C:\Windows\System32\drivers\avmeject.sys -- (avmeject)
DRV - [2009.03.30 10:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009.02.13 12:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008.12.12 18:05:18 | 000,026,416 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\Windows\System32\drivers\purendis.sys -- (purendis)
DRV - [2008.12.12 18:05:18 | 000,024,880 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\Windows\System32\drivers\pnarp.sys -- (pnarp)
DRV - [2008.09.29 18:12:04 | 000,012,832 | ---- | M] (Acer, Inc.) [Kernel | Auto] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008.07.29 05:45:00 | 000,904,192 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\athrusb.sys -- (athrusb)
DRV - [2008.06.23 16:43:46 | 000,094,624 | ---- | M] (AlcaTech) [Kernel | Boot] -- C:\Windows\System32\drivers\mmrtkrnl.sys -- (MMRTKRNL)
DRV - [2008.04.22 02:49:00 | 000,043,552 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008.01.29 07:55:00 | 001,042,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008.01.25 14:02:02 | 000,140,832 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2008.01.09 13:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand] -- C:\Windows\System32\drivers\seehcri.sys -- (seehcri)
DRV - [2007.12.10 15:22:22 | 000,110,120 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\s3017unic.sys -- (s3017unic) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM)
DRV - [2007.12.10 15:22:22 | 000,100,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\s3017obex.sys -- (s3017obex)
DRV - [2007.12.10 15:22:20 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\s3017mgmt.sys -- (s3017mgmt) Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM)
DRV - [2007.12.10 15:22:20 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\s3017nd5.sys -- (s3017nd5) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS)
DRV - [2007.12.10 15:22:18 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\s3017mdm.sys -- (s3017mdm)
DRV - [2007.12.10 15:22:18 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\s3017mdfl.sys -- (s3017mdfl)
DRV - [2007.12.10 15:22:14 | 000,083,880 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\s3017bus.sys -- (s3017bus) Sony Ericsson Device 3017 driver (WDM)
DRV - [2007.10.12 10:53:10 | 000,013,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2004.11.22 16:58:31 | 000,014,342 | ---- | M] (Intellon Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\usbethmp.sys -- (A_USBETHMP)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.arcor.de
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.arcor.de
IE - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://www.arcor.de
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.arcor.de
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.arcor.de

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=1&o=vp32&d=1006&m=aspire_x3200
IE - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://global.acer.com [binary data]
IE - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.arcor.de
IE - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://global.acer.com [binary data]
IE - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://vshare.toolbarhome.com/?hp=df
IE - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = fritz.box;*.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Web Search..."
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "arcor.de"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
FF - prefs.js..keyword.URL: "hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Programme\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Programme\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Programme\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Programme\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Programme\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\Galli\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll (Move Networks)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Galli\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.08.01 17:47:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2009.01.28 19:19:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Galli\AppData\Roaming\mozilla\Extensions
[2011.07.27 18:40:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Galli\AppData\Roaming\mozilla\Firefox\Profiles\eknkn4w3.default\extensions
[2011.03.25 13:08:03 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Galli\AppData\Roaming\mozilla\Firefox\Profiles\eknkn4w3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.04.17 18:44:00 | 000,000,000 | ---D | M] (vShare) -- C:\Users\Galli\AppData\Roaming\mozilla\Firefox\Profiles\eknkn4w3.default\extensions\vshare@toolbar
[2011.04.17 18:44:08 | 000,001,592 | ---- | M] () -- C:\Users\Galli\AppData\Roaming\Mozilla\Firefox\Profiles\eknkn4w3.default\searchplugins\web-search.xml
[2011.08.01 17:47:35 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
File not found (No name found) --
[2011.07.08 09:31:38 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010.01.01 10:00:00 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2010.01.01 10:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010.01.01 10:00:00 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2010.01.01 10:00:00 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2010.01.01 10:00:00 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2010.01.01 10:00:00 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009.01.15 18:32:43 | 000,000,131 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 85.14.219.81 nProtect.lineage2.com
O1 - Hosts: 85.14.219.81 l2authd.lineage2.com
O1 - Hosts: 85.14.219.81 l2testauthd.lineage2.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\S-1-5-21-3002554494-329026871-3762224266-1000\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O4 - HKLM..\Run: [Ad-Watch] C:\Programme\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [AVMWlanClient] File not found
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [Hercules DJ Series] D:\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe (Hercules®)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [PCMMediaSharing] C:\Programme\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [WarReg_PopUp] C:\Programme\Acer\WR_PopUp\WarReg_PopUp.exe (Acer Incorporated)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3002554494-329026871-3762224266-1000..\Run: [4E3E0230AEBB4E96] File not found
O4 - HKU\S-1-5-21-3002554494-329026871-3762224266-1000..\Run: [4W1W8B7AUZVD3V8JOOHRRADD] File not found
O4 - HKU\S-1-5-21-3002554494-329026871-3762224266-1000..\Run: [4Y3Y0C3AUF7XXVYVHHYMYXK] File not found
O4 - HKU\S-1-5-21-3002554494-329026871-3762224266-1000..\Run: [avupdate] File not found
O4 - HKU\S-1-5-21-3002554494-329026871-3762224266-1000..\Run: [Ricycle.Bin.exe] File not found
O4 - HKU\.DEFAULT..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe ()
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: ICQ7.4 - {73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - C:\Programme\ICQ7.4\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.4 - {73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - C:\Programme\ICQ7.4\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Programme\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Galli\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Galli\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006.03.24 13:06:41 | 000,000,053 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{07e7ea70-9194-11de-96e1-001d72a96e23}\Shell - "" = AutoRun
O33 - MountPoints2\{07e7ea70-9194-11de-96e1-001d72a96e23}\Shell\AutoRun\command - "" = E:\pushinst.exe
O33 - MountPoints2\{bc21f761-ee11-11dd-997d-001d72a96e23}\Shell\AutoRun\command - "" = G:\WDSetup.exe
O33 - MountPoints2\{bf5a5e6f-58ab-11db-8edb-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{bf5a5e6f-58ab-11db-8edb-806e6f6e6963}\Shell\AutoRun\command - "" = F:\reatogoMenu.exe -- [2005.07.16 23:36:50 | 000,240,128 | R--- | M] ()
O33 - MountPoints2\{f991fb55-56bf-11df-8042-001d72a96e23}\Shell - "" = AutoRun
O33 - MountPoints2\{f991fb55-56bf-11df-8042-001d72a96e23}\Shell\AutoRun\command - "" = E:\pushinst.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.08.01 17:47:34 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011.07.13 10:37:34 | 002,043,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011.07.13 10:37:30 | 000,375,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2011.07.13 10:37:30 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll
[2010.02.05 15:25:27 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpe3350.dll
[2009.03.05 18:53:21 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxbvserv.dll
[2009.03.05 18:53:21 | 000,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxbvusb1.dll
[2009.03.05 18:53:21 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxbvhbn3.dll
[2009.03.05 18:53:21 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxbvpmui.dll
[2009.03.05 18:53:21 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxbvlmpm.dll
[2009.03.05 18:53:21 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxbvinpa.dll
[2009.03.05 18:53:21 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxbviesc.dll
[2009.03.05 18:53:21 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxbvih.exe
[2009.03.05 18:53:21 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXBVhcp.dll
[2009.03.05 18:53:21 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxbvprox.dll
[2009.03.05 18:53:21 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxbvpplc.dll
[2009.03.05 18:53:20 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxbvcomc.dll
[2009.03.05 18:53:20 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxbvcoms.exe
[2009.03.05 18:53:20 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxbvcomm.dll
[2009.03.05 18:53:20 | 000,381,872 | ---- | C] ( ) -- C:\Windows\System32\lxbvcfg.exe
[2008.07.22 10:01:25 | 000,049,152 | ---- | C] ( ) -- C:\Windows\Interop.IWshRuntimeLibrary.dll
[5 C:\Users\Galli\AppData\Local\*.tmp files -> C:\Users\Galli\AppData\Local\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.08.01 17:47:36 | 000,000,874 | ---- | M] () -- C:\Users\Galli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011.08.01 17:47:36 | 000,000,862 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011.08.01 15:17:00 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011.08.01 15:06:12 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011.08.01 15:06:11 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.08.01 15:06:11 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.08.01 15:06:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.08.01 15:06:04 | 2951,143,424 | -HS- | M] () -- C:\hiberfil.sys
[2011.08.01 00:39:37 | 000,001,356 | ---- | M] () -- C:\Users\Galli\AppData\Local\d3d9caps.dat
[2011.07.29 04:57:15 | 000,000,000 | ---- | M] () -- C:\Users\Galli\AppData\Local\{F47207D9-8D19-4AB1-B736-CAF710E8CAC1}
[2011.07.27 12:51:25 | 000,217,088 | ---- | M] () -- C:\Users\Galli\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.07.25 21:50:43 | 000,000,597 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft.lnk
[2011.07.22 12:41:51 | 000,114,900 | ---- | M] () -- C:\Users\Galli\Desktop\Klausurergebisse_Pfingsten_2011.pdf
[2011.07.19 20:20:04 | 000,000,474 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2011.07.17 18:08:09 | 000,628,504 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.07.17 18:08:09 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.07.17 18:08:09 | 000,126,248 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.07.17 18:08:09 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.07.14 13:23:54 | 001,578,680 | ---- | M] () -- C:\Users\Galli\Desktop\GKT%202%20___MB--Skript--Einzahlungsbeleg%202011.pdf
[2011.07.14 13:15:41 | 000,297,504 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011.07.08 13:24:50 | 000,000,317 | ---- | M] () -- C:\Windows\lexstat.ini
[2011.07.04 00:40:31 | 000,000,166 | ---- | M] () -- C:\Users\Galli\AppData\Roaming\default.rss
[5 C:\Users\Galli\AppData\Local\*.tmp files -> C:\Users\Galli\AppData\Local\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.08.01 17:47:36 | 000,000,874 | ---- | C] () -- C:\Users\Galli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011.08.01 17:47:36 | 000,000,862 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011.07.29 04:57:15 | 000,000,000 | ---- | C] () -- C:\Users\Galli\AppData\Local\{F47207D9-8D19-4AB1-B736-CAF710E8CAC1}
[2011.07.22 12:41:51 | 000,114,900 | ---- | C] () -- C:\Users\Galli\Desktop\Klausurergebisse_Pfingsten_2011.pdf
[2011.07.14 13:23:54 | 001,578,680 | ---- | C] () -- C:\Users\Galli\Desktop\GKT%202%20___MB--Skript--Einzahlungsbeleg%202011.pdf
[2011.06.16 01:56:53 | 000,045,202 | ---- | C] () -- C:\Users\Galli\AppData\Roaming\room_v3.dat
[2011.04.04 00:09:42 | 000,046,706 | ---- | C] () -- C:\Users\Galli\AppData\Roaming\room.dat
[2011.03.09 21:05:28 | 000,000,306 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010.11.12 17:20:18 | 000,094,180 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2010.06.05 20:33:58 | 000,000,783 | ---- | C] () -- C:\Windows\NTIWVEDT.INI
[2010.05.03 16:30:46 | 000,016,037 | ---- | C] () -- C:\Windows\System32\drivers\fwlanusbn.bin
[2010.04.20 17:52:52 | 000,013,931 | ---- | C] () -- C:\Windows\System32\RaCoInst.dat
[2009.09.30 15:14:49 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2009.09.30 15:14:49 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2009.09.30 15:14:49 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2009.09.24 14:57:47 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.09.24 14:57:47 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009.08.25 20:16:03 | 000,097,360 | ---- | C] () -- C:\Windows\System32\drivers\Fwusb1b.bin
[2009.08.12 20:44:39 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009.06.18 11:08:57 | 000,015,872 | ---- | C] () -- C:\Windows\System32\InsDrvZD64.DLL
[2009.06.16 20:23:18 | 000,015,880 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2009.04.09 11:32:38 | 000,000,166 | ---- | C] () -- C:\Users\Galli\AppData\Roaming\default.rss
[2009.04.09 11:32:17 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009.04.07 22:37:12 | 000,004,767 | ---- | C] () -- C:\Windows\Irremote.ini
[2009.04.07 14:14:35 | 000,000,000 | ---- | C] () -- C:\Users\Galli\AppData\Local\rx_image.Cache
[2009.04.06 13:53:14 | 000,000,010 | ---- | C] () -- C:\Windows\popcinfo.dat
[2009.03.11 21:13:28 | 000,000,085 | -HS- | C] () -- C:\ProgramData\.zreglib
[2009.03.05 18:53:21 | 000,413,696 | ---- | C] () -- C:\Windows\System32\lxbvutil.dll
[2009.03.05 18:53:21 | 000,274,432 | ---- | C] () -- C:\Windows\System32\LXBVinst.dll
[2009.02.16 22:39:57 | 000,002,126 | ---- | C] () -- C:\Windows\wininit.ini
[2009.02.09 13:44:55 | 000,000,317 | ---- | C] () -- C:\Windows\lexstat.ini
[2009.02.04 14:56:44 | 000,001,356 | ---- | C] () -- C:\Users\Galli\AppData\Local\d3d9caps.dat
[2009.01.31 07:52:40 | 000,217,088 | ---- | C] () -- C:\Users\Galli\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.01.28 19:34:59 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009.01.28 19:19:22 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2009.01.28 17:40:37 | 000,028,672 | ---- | C] () -- C:\Windows\System32\InsDrvZD.dll
[2009.01.28 17:40:36 | 001,155,163 | ---- | C] () -- C:\Windows\System32\odSupp_M.dll
[2009.01.28 17:40:36 | 000,040,960 | ---- | C] () -- C:\Windows\System32\ZDWlan.dll
[2009.01.28 17:40:36 | 000,040,960 | ---- | C] () -- C:\Windows\System32\PassAPP.dll
[2009.01.28 17:40:36 | 000,036,867 | ---- | C] () -- C:\Windows\System32\ZySecurity.dll
[2009.01.28 17:40:36 | 000,036,352 | ---- | C] () -- C:\Windows\System32\uninst_Zyxel.exe
[2009.01.28 17:40:36 | 000,024,576 | ---- | C] () -- C:\Windows\System32\ZyDelReg.exe
[2008.05.09 11:54:41 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIOFM4.dll
[2008.05.09 11:54:41 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN5.dll
[2008.05.09 11:16:47 | 000,487,424 | ---- | C] () -- C:\Windows\System32\INT15.dll
[2008.05.09 11:07:26 | 000,001,694 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2008.05.09 11:07:26 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
[2008.05.09 11:07:26 | 000,000,008 | ---- | C] () -- C:\Windows\System32\drivers\rtkhdaud.dat
[2008.05.09 10:55:35 | 000,003,948 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2008.01.21 09:15:58 | 000,628,504 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2008.01.21 09:15:58 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2008.01.21 09:15:58 | 000,126,248 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2008.01.21 09:15:58 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2007.02.22 19:32:00 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxbvcoin.dll
[2006.11.02 14:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 14:47:37 | 000,297,504 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 12:33:01 | 000,595,798 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 12:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 12:33:01 | 000,103,872 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 12:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 12:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 10:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 10:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 09:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006.10.11 00:32:41 | 000,000,044 | ---- | C] () -- C:\Windows\Acer(Normal).ini
[2006.10.11 00:32:41 | 000,000,042 | ---- | C] () -- C:\Windows\Acer(Wide).ini
[2005.10.26 04:12:10 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxbvvs.dll
[2005.07.15 20:35:56 | 000,831,488 | ---- | C] () -- C:\Windows\System32\libeay32.dll
[2005.07.15 20:35:56 | 000,159,744 | ---- | C] () -- C:\Windows\System32\ssleay32.dll
[2005.05.25 10:07:26 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxbvcnv4.dll
[2001.12.26 16:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001.09.03 23:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001.07.30 16:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001.07.23 22:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== LOP Check ==========

[2008.05.09 11:28:28 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\Acer GameZone Console
[2009.07.09 12:18:12 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\AlcaTech
[2011.04.10 18:42:18 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\DAEMON Tools Lite
[2010.04.20 00:10:55 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\FRITZ!
[2009.06.17 16:05:41 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\Gaijin Ent
[2011.07.27 18:44:09 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\ICQ
[2009.02.16 17:33:14 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\ImgBurn
[2009.02.10 21:09:53 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\LimeWire
[2009.04.06 12:57:58 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\NetMedia Providers
[2009.04.06 12:57:58 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\Publish Providers
[2011.04.10 19:20:09 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\The Creative Assembly
[2011.05.16 20:13:00 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\TS3Client
[2011.06.13 13:54:31 | 000,000,000 | ---D | M] -- C:\Users\Galli\AppData\Roaming\Unity
[2009.07.09 12:16:21 | 000,000,000 | ---D | M] -- C:\ProgramData\AlcaTech
[2009.01.28 17:28:19 | 000,000,000 | -HSD | M] -- C:\ProgramData\Anwendungsdaten
[2006.11.02 15:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2009.02.11 18:27:36 | 000,000,000 | ---D | M] -- C:\ProgramData\BVRP Software
[2011.04.10 18:39:14 | 000,000,000 | ---D | M] -- C:\ProgramData\DAEMON Tools Lite
[2006.11.02 15:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2006.11.02 15:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2009.01.28 17:28:19 | 000,000,000 | -HSD | M] -- C:\ProgramData\Dokumente
[2010.10.26 15:42:03 | 000,000,000 | ---D | M] -- C:\ProgramData\Driver Whiz
[2009.03.11 21:13:43 | 000,000,000 | ---D | M] -- C:\ProgramData\Elaborate Bytes
[2008.05.09 11:55:49 | 000,000,000 | ---D | M] -- C:\ProgramData\eSobi
[2009.01.28 17:28:19 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favoriten
[2006.11.02 15:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2008.05.09 11:29:07 | 000,000,000 | ---D | M] -- C:\ProgramData\FloodLightGames
[2009.06.16 20:41:33 | 000,000,000 | ---D | M] -- C:\ProgramData\InterAction studios
[2009.06.17 15:32:09 | 000,000,000 | ---D | M] -- C:\ProgramData\JollyBear
[2009.04.08 15:18:38 | 000,000,000 | ---D | M] -- C:\ProgramData\LightScribe
[2009.04.06 13:53:54 | 000,000,000 | ---D | M] -- C:\ProgramData\Oberon Games
[2010.04.20 17:52:52 | 000,000,000 | ---D | M] -- C:\ProgramData\Ralink Driver
[2006.11.02 15:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2009.01.28 17:28:19 | 000,000,000 | -HSD | M] -- C:\ProgramData\Startmenü
[2009.07.09 20:35:25 | 000,000,000 | ---D | M] -- C:\ProgramData\TEMP
[2006.11.02 15:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2009.01.28 17:28:19 | 000,000,000 | -HSD | M] -- C:\ProgramData\Vorlagen
[2008.05.09 11:43:55 | 000,000,000 | ---D | M] -- C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2010.11.10 22:52:51 | 000,000,000 | ---D | M] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009.11.11 14:20:10 | 000,000,000 | ---D | M] -- C:\ProgramData\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009.06.16 20:19:22 | 000,000,000 | -H-D | M] -- C:\ProgramData\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2011.07.19 20:20:04 | 000,000,474 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job
[2011.08.01 14:25:33 | 000,032,514 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 48 bytes -> C:\Windows:C7C06C678783F85C
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:8173A019
@Alternate Data Stream - 106 bytes -> C:\ProgramData\TEMP:B623B5B8
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:4F636E25
< End of report >

braucht ihr nun noch irgendwas?

grüße
galli

cosinus · 01.08.2011, 14:40

Zitat:

also hab ich grad OTLPE durchlaufen lassen.

Funktioniert Windows denn nicht mehr normal? OTLPE bitte nur nutzen, wenn das installierte Windows nicht mehr bedienbar ist.

galli · 01.08.2011, 17:12

Also wie gesagt, ich hab es geschafft, den trojaner zu deaktivieren und dann mit Avira runterzupfeffern. Der Rechner läuft jetzt wieder normal, nur soll der Trojaner ja angeblich Spuren hinterlassen und einigen Registries befallen haben. Wie bekomm ich meinen PC denn jetzt wieder clean, ohne zu formatieren?

grüße
galli

cosinus · 02.08.2011, 08:41

Wenn der Rechner erstmal läuft brauchst du kein OTLPE.

Bitte routinemäßig einen Vollscan mit Malwarebytes machen und Log posten.
Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!

Falls Logs aus älteren Scans mit Malwarebytes vorhanden sind, bitte auch davon alle posten!

galli · 02.08.2011, 12:16

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Datenbank Version: 7353

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19088

02.08.2011 13:13:53
mbam-log-2011-08-02 (13-13-51).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 329180
Laufzeit: 1 Stunde(n), 5 Minute(n), 39 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 4
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 2
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ricycle.Bin.exe (Trojan.SpyEyes) -> Value: Ricycle.Bin.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4W1W8B7AUZVD3V8JOOHRRADD (Trojan.SpyEyes) -> Value: 4W1W8B7AUZVD3V8JOOHRRADD -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4E3E0230AEBB4E96 (Trojan.SpyEyes) -> Value: 4E3E0230AEBB4E96 -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3AUF7XXVYVHHYMYXK (Trojan.SpyEyes) -> Value: 4Y3Y0C3AUF7XXVYVHHYMYXK -> No action taken.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
c:\Recycle.Bin (Trojan.Spyeyes) -> No action taken.
c:\Ricycle.Bin (Trojan.SpyEyes) -> No action taken.

Infizierte Dateien:
c:\Recycle.Bin\0018e05f94108c9 (Trojan.Spyeyes) -> No action taken.
c:\Recycle.Bin\config.bin (Trojan.Spyeyes) -> No action taken.
c:\Ricycle.Bin\config.bin (Trojan.SpyEyes) -> No action taken.

cosinus · 02.08.2011, 12:38

Zitat:

c:\Ricycle.Bin (Trojan.SpyEyes)

Machst du Onlinebanking oder ähnliche kritische Sachen an diesem versuechten Rechner?

galli · 03.08.2011, 00:17

Ne, hab ich alles eingestellt, weil es mir zu unsicher ist

Komm ich ums formatieren nicht rum?

cosinus · 03.08.2011, 09:18

Wenn du weiterhin mit diesem Rechner OnlineBanking machen willst bzw. das wieder vorhast, solltest du eine Neuinstallation machen.
Nach der Neuinstallation und Absicherung unbedingt alle Passwörter ändern.

galli · 03.08.2011, 14:07

Werd ich tun.
Vielen Dank Arne!

Gruß
galli

02.08.2011, 08:41	#4
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Bka-Trojaner OTL.txt Wenn der Rechner erstmal läuft brauchst du kein OTLPE. Bitte routinemäßig einen Vollscan mit Malwarebytes machen und Log posten. Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss! Falls Logs aus älteren Scans mit Malwarebytes vorhanden sind, bitte auch davon alle posten! __________________ Logfiles bitte immer in CODE-Tags posten

03.08.2011, 09:18	#8
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Bka-Trojaner OTL.txt Wenn du weiterhin mit diesem Rechner OnlineBanking machen willst bzw. das wieder vorhast, solltest du eine Neuinstallation machen. Nach der Neuinstallation und Absicherung unbedingt alle Passwörter ändern. __________________ Logfiles bitte immer in CODE-Tags posten

01.08.2011, 17:12	#3
galli	Bka-Trojaner OTL.txt Also wie gesagt, ich hab es geschafft, den trojaner zu deaktivieren und dann mit Avira runterzupfeffern. Der Rechner läuft jetzt wieder normal, nur soll der Trojaner ja angeblich Spuren hinterlassen und einigen Registries befallen haben. Wie bekomm ich meinen PC denn jetzt wieder clean, ohne zu formatieren? grüße galli __________________

03.08.2011, 00:17	#7
galli	Bka-Trojaner OTL.txt Ne, hab ich alles eingestellt, weil es mir zu unsicher ist Komm ich ums formatieren nicht rum?

03.08.2011, 14:07	#9
galli	Bka-Trojaner OTL.txt Werd ich tun. Vielen Dank Arne! Gruß galli

Bka-Trojaner OTL.txt

Plagegeister aller Art und deren Bekämpfung: Bka-Trojaner OTL.txt