|
Plagegeister aller Art und deren Bekämpfung: Trojaner Win32:Cybota und Win32:KonarWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
07.12.2011, 11:06 | #1 |
| Trojaner Win32:Cybota und Win32:Konar Hallo, hoffe auf Eure Hilfe. Habe hier ein Laptop wo Avast folgende Virenwarnung gefunden hat. Avast Meldung: C:/Users/.../AppData/Roaming/3D0E4/lvvm.exe = Bedrohung Win32:Cybota " /C3FA2/lvvm.exe = " " /chrome.exe = " " / Microsoft/1D3B/113F.exe=Bedroh. Win32:Konar " / " /71DA/63A3.exe = Bedroh. Win32:Konar Die Bedrohung wird als hoch eingestuft. Hab alles gelöscht aber das Ding hat sich in die Registry eingegraben. Hab einen Cleaner drüber laufen lassen und dann ging alles wieder. Nach einem Neustart ging das Internet nicht und der Virenscanner Avast hat "keine Bedrohung" gefunden. Das Ding ist aber noch vorhanden. In der Zwischenzeit kann ich das Laptop nur noch im abgesicherten Modus hochfahren wo die Datei von dem Trojaner (dwm.exe) in der DateiListe nicht gefunden wird. Im normalen Modus bleibt der Monitor schwarz und bei einer letzten Suche der Datei dwm.exe wurde diese mehrfach angezeigt. Nix geht mehr. Find ich bei Euch Hilfe? Ich bin kein Computerfreak ich arbeite nur damit. Würde mich über aussagekräftige und für mich verständliche Rückmeldungen freuen. Hab die Software "Malware" mit einem anderen Rechner gedownloadet aber wie bekomm ich die auf den Rechner im abgesicherten Modus? Das Laptop arbeitet mit Windows Vista 32Bit Version. Grüße Geändert von cabriolady (07.12.2011 um 11:13 Uhr) |
07.12.2011, 11:30 | #2 |
| Trojaner Win32:Cybota und Win32:Konar Hallo,
__________________beim Booten F8 drücken, abgesicherter Modus auswählen... Würde den Laptop vom Internet trennen.... Dann entweder MAM auf USB-Stick kopieren oder mit OTL zusammen auf CD brennen... Malwarebytes Antimalware (MAM) Anleitung&Download hier: http://www.trojaner-board.de/51187-m...i-malware.html Danach bitte update der Signaturdateien (Reiter "Update" -> Suche nach Aktualisierungen") Fullscan und alles bereinigen lassen! Log posten. OTL Lade Dir OTL von Oldtimer herunter (http://filepony.de/download-otl/) und speichere es auf Deinem Desktop * Doppelklick auf die OTL.exe * Vista/Win7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen * Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output * Unter Extra Registry, wähle bitte Use SafeList * Klicke nun auf Run Scan links oben * Wenn der Scan beendet wurde werden 2 Logfiles erstellt * Poste die Logfiles hier in den Thread. chris
__________________ |
07.12.2011, 17:11 | #3 |
| Trojaner Win32:Cybota und Win32:Konar Hallo,
__________________Meldung: eine Netzwerkverbindung im abgesicherten Modus ist nicht möglich. d.h. Malware kann ich so nicht aktualisieren. Das Laptop startet im normalen Modus überhaupt nicht mehr bzw. bootet nicht mehr hoch nach Eingabe des Kennworts. Da geht nix mehr Bei der OTL Software kommt Laufwerk F: (CD Laufwerk)Extras.txt kann nicht gefunden werden. Möchten Sie eine neue Datei erstellen? Es werden keine Logfiles erstellt. Da sind nur 2 leere neue Seiten. |
07.12.2011, 17:34 | #4 |
| Trojaner Win32:Cybota und Win32:Konar Hi, lässt sich MAM den starten? Dann einfach mal ohne update suchen lassen... Dr. Web-Live-CD Lade Dir das Abbild (Dr.Web CureIt! —) runter (jeweils die neuste Version, z. Z. http://download.geo.drweb.com/pub/dr...livecd-600.iso) und brenne es auf CD/DVD. Stelle dann im BIOS die Bootreihenfolge um (zuerst von CD booten), boote dann von der erstellten CD und starte Dr. Web Live CD (default). Lass dann alle Festplatten untersuchen... Bei Funden bitte Name und Pfad notieren, bevor du sie von Dr. Web beseitigen lässt... Weiter Anweisungen: Dr.Web CureIt! — Chris
__________________ Don't bring me down Vor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden ) |
07.12.2011, 17:56 | #5 |
| Trojaner Win32:Cybota und Win32:Konar Hallo, ja MAM läßt sich starten und sucht bereits schon. Wenn was gefunden wurde was damit machen? Und was mach ich mit dem OTL? |
07.12.2011, 18:07 | #6 |
| Trojaner Win32:Cybota und Win32:Konar Hi, poste das LOG von MAM und lass dann alles bereinigen! Bei OTL, kopiere es auf die Festplatte und starte es von dort... chris
__________________ --> Trojaner Win32:Cybota und Win32:Konar |
07.12.2011, 18:14 | #7 |
| Trojaner Win32:Cybota und Win32:Konar Hoofe MAM findet was aber ich vermute ganz stark nicht. Wenn man im abgesicherten Modus reinging fand man in der Registry nix von dem dwm.exe. Im normalen Modus (den ich ja nicht mehr starten kann) fand man das Ding in einigen Registrys. Ich versuch einfach mein Glück und sobald ich was habe poste ich es hier rein. Auf jeden Fall schon mal Danke :-) |
07.12.2011, 18:26 | #8 |
| Trojaner Win32:Cybota und Win32:Konar Hi, mal sehen... Auf jeden Fall das LOG von MAM und dann die beiden Logs von OTL posten.... Aber lass jetzt erstmal MAM im Fullscan drüberlaufen... chris
__________________ Don't bring me down Vor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden ) |
07.12.2011, 18:29 | #9 |
| Trojaner Win32:Cybota und Win32:Konar Jetzt hat es funktioniert mit dem OTL. Anbei die Dateien EXTRAS OTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 07.12.2011 18:17:42 - Run 3 OTL by OldTimer - Version 3.2.31.0 Folder = C:\Program Files Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1,99 Gb Total Physical Memory | 1,27 Gb Available Physical Memory | 63,91% Memory free 4,23 Gb Paging File | 3,70 Gb Available in Paging File | 87,56% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 116,37 Gb Total Space | 68,08 Gb Free Space | 58,50% Space Free | Partition Type: NTFS Drive D: | 1,88 Gb Total Space | 1,86 Gb Free Space | 99,03% Space Free | Partition Type: FAT32 Drive E: | 115,05 Gb Total Space | 109,70 Gb Free Space | 95,35% Space Free | Partition Type: NTFS Drive F: | 10,31 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS Computer Name: UTEUNDARMIN-PC | User Name: Ute und Armin | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [dm Fotowelt] -- "C:\Users\Ute und Armin\Desktop\dm foto\dm Fotowelt\dm Fotowelt.exe" "%1" () Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] "" = "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0D0C856E-BF62-4C92-B003-CA9740A15D6C}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{10C1760C-A9D2-403E-8265-FC259EBC2927}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{39F9E015-5297-436E-A160-9C064829E120}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{65FDCF04-543F-4DA7-A0BB-EDDB726FBE69}" = protocol=6 | dir=in | app=c:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe | "{682679A1-08CE-4DC2-9BB0-9BC65A3102FB}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{729B0A3E-D0E9-4B8F-887F-CF987A182CD3}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | "{77EA3867-ADF6-4B7B-B62A-4E9848B31672}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{86EAC92A-6CF3-4428-9F2E-991EA287930A}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{A0A5489B-81E2-422D-8B7B-FC0CCDB20F85}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | "{ABA5649E-569E-41B8-83F9-656EDC02D5D6}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | "{C6558D43-4C78-4046-A283-9FDBDF1C168C}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{EC832347-8477-4634-AEBA-EBF97FBE388B}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | "{FC475BF4-F6D8-464C-882D-05850819CA4D}" = protocol=17 | dir=in | app=c:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe | "TCP Query User{0635000C-B484-4CDD-9E19-65C6CBCD330D}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | "TCP Query User{06FB5A43-6E5E-4901-83B4-5B42584F567B}C:\program files\icq7.2\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | "TCP Query User{823A981F-0E37-4613-A0DA-45752FCA9E29}C:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe | "TCP Query User{92C476B1-A73E-4BE1-9CB6-089A5A40DA89}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | "TCP Query User{C4C4A240-59C9-45EC-A2BB-B8E0ECC3A60F}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | "TCP Query User{DF27F50C-DC58-4BC9-9158-0E9EE9C7A933}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | "UDP Query User{2456008B-F9F7-4261-8160-1B8FAEDAD00B}C:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe | "UDP Query User{48633591-CBDE-4481-92B1-7BCF484D8FB5}C:\program files\icq7.2\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | "UDP Query User{67049245-FE32-4CD6-850D-3C9C52A41E15}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | "UDP Query User{AC1D6B3C-8946-4CF8-94D9-1B26A94EDF5D}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | "UDP Query User{ACB577D2-1372-4063-AF61-6BA0646CB8ED}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | "UDP Query User{BF66B0EA-7919-4A4B-A95E-26DDA2799B2C}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{2290A680-4083-410A-ADCC-7092C67FC052}" = Toshiba Online Product Information "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 29 "{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3 "{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password "{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features "{56995235-B76E-44A6-BA17-8FF13D3F907A}" = TOSHIBA Benutzerhandbücher "{5980B928-1C95-4B3E-957B-B02D8147FF9E}" = Desktop SMS "{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator "{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center "{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2 "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TRDCReminder "{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}" = TOSHIBA ConfigFree "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 "{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista "{895722FE-25FE-4854-95AC-B0C42F9DBEDA}" = REALTEK RTL8187B Wireless LAN Driver "{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003 "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German) "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1031-7B44-A81000000003}" = Adobe Reader 8.1.0 - Deutsch "{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser "{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator "{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1 "{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader "{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9-Reihe "{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA "{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "avast" = avast! Free Antivirus "Cleaning Suite_is1" = Cleaning Suite v2.1 "dm Fotowelt" = dm Fotowelt "Firebird SQL Server D" = Firebird SQL Server - MAGIX Edition 2.0.0.1 (D) "fotobook Maker_is1" = fotobook Maker 2.0 "Fotokalender" = Softwarenetz Fotokalender "Google Desktop" = Google Desktop "HDMI" = Intel(R) Graphics Media Accelerator Driver "ICQToolbar" = ICQ Toolbar "InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center "InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TRDCReminder "InstallShield_{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher "InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package "Lexmark_HostCD" = Lexmark Software deinstallieren "MAGIX Digital Foto Maker SE D" = MAGIX Digital Foto Maker SE 4.1.0.835 (D) "MAGIX Foto Suite D" = MAGIX Foto Suite 1.12.0.89 (D) "MAGIX Online Druck Service D" = MAGIX Online Druck Service 2.3.2.0 (D) "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version 1.51.2.1300 "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mozilla Thunderbird (2.0.0.19)" = Mozilla Thunderbird (2.0.0.19) "myphotobook" = myphotobook 3.5 "Picasa2" = Picasa 2 "SynTPDeinstKey" = Synaptics Pointing Device Driver "Windows Media Encoder 9" = Windows Media Encoder 9-Reihe ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Dropbox" = Dropbox ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 15.06.2011 16:59:08 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 15.06.2011 16:59:10 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 15.06.2011 16:59:11 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 15.06.2011 16:59:31 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 16.06.2011 08:11:10 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 16.06.2011 08:11:10 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 16.06.2011 08:11:56 | Computer Name = UteundArmin-PC | Source = WinMgmt | ID = 10 Description = Error - 16.06.2011 12:14:36 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 16.06.2011 12:14:36 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 16.06.2011 12:15:32 | Computer Name = UteundArmin-PC | Source = WinMgmt | ID = 10 Description = [ System Events ] Error - 07.12.2011 11:56:19 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001 Description = Error - 07.12.2011 11:56:38 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001 Description = Error - 07.12.2011 11:56:38 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001 Description = Error - 07.12.2011 11:57:32 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001 Description = Error - 07.12.2011 11:57:32 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001 Description = Error - 07.12.2011 11:58:50 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001 Description = Error - 07.12.2011 11:58:50 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001 Description = Error - 07.12.2011 12:14:59 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001 Description = Error - 07.12.2011 12:14:59 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001 Description = Error - 07.12.2011 13:16:34 | Computer Name = UteundArmin-PC | Source = DCOM | ID = 10005 Description = < End of report > OTL OTL Logfile: Code:
ATTFilter OTL logfile created on: 07.12.2011 18:17:42 - Run 3 OTL by OldTimer - Version 3.2.31.0 Folder = C:\Program Files Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1,99 Gb Total Physical Memory | 1,27 Gb Available Physical Memory | 63,91% Memory free 4,23 Gb Paging File | 3,70 Gb Available in Paging File | 87,56% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 116,37 Gb Total Space | 68,08 Gb Free Space | 58,50% Space Free | Partition Type: NTFS Drive D: | 1,88 Gb Total Space | 1,86 Gb Free Space | 99,03% Space Free | Partition Type: FAT32 Drive E: | 115,05 Gb Total Space | 109,70 Gb Free Space | 95,35% Space Free | Partition Type: NTFS Drive F: | 10,31 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS Computer Name: UTEUNDARMIN-PC | User Name: Ute und Armin | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Programme\OTL.exe File not found PRC - C:\Programme\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Limited) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) PRC - C:\Windows\explorer.exe (Microsoft Corporation) ========== Modules (No Company Name) ========== ========== Win32 Services (SafeList) ========== SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software) SRV - (SAVAdminService) -- C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Limited) SRV - (SAVService) -- C:\Programme\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Limited) SRV - (ICQ Service) -- C:\Programme\ICQ6Toolbar\ICQ Service.exe () SRV - (TNaviSrv) -- C:\Programme\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation) SRV - (TosCoSrv) -- c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation) SRV - (ConfigFree Service) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION) SRV - (TOSHIBA SMART Log Service) -- c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe (TOSHIBA Corporation) SRV - (TODDSrv) -- C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation) SRV - (UleadBurningHelper) -- C:\Programme\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.) SRV - (FirebirdServerMAGIXInstance) -- C:\Programme\MAGIX\Common\Database\bin\fbserver.exe (MAGIX®) ========== Driver Services (SafeList) ========== DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software) DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software) DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software) DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software) DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software) DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software) DRV - (SAVOnAccess) -- C:\Windows\System32\drivers\savonaccess.sys (Sophos Limited) DRV - (SophosBootDriver) -- C:\Windows\System32\drivers\SophosBootDriver.sys (Sophos Plc) DRV - (SKMScan) -- C:\Windows\System32\drivers\skmscan.sys (Sophos Plc) DRV - (tos_sps32) -- C:\Windows\system32\DRIVERS\tos_sps32.sys (TOSHIBA Corporation) DRV - (NETw3v32) Intel(R) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation) DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation ) DRV - (RTL8187B) -- C:\Windows\System32\drivers\rtl8187B.sys (Realtek Semiconductor Corporation ) DRV - (TVALZ) -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS (TOSHIBA Corporation) DRV - (FwLnk) -- C:\Windows\System32\drivers\FwLnk.sys (TOSHIBA Corporation) DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems) DRV - (tdcmdpst) -- C:\Windows\System32\drivers\tdcmdpst.sys (TOSHIBA Corporation.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dsl-start.computerbild.de/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKCU\..\URLSearchHook: - No CLSID value found IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) IE - HKCU\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ) IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 ========== FireFox ========== FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009.02.27 20:22:21 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009.02.27 20:22:16 | 000,000,000 | ---D | M] (Talkback) -- C:\PROGRAM FILES\MOZILLA THUNDERBIRD\EXTENSIONS\TALKBACK@MOZILLA.ORG O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.) O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.) O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found. O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ) O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software) O4 - HKLM..\Run: [Toshiba Registration] C:\Programme\TOSHIBA\Registration\ToshibaRegistration.exe (Toshiba) O4 - HKLM..\Run: [TPwrMain] C:\Programme\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation) O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - Startup: C:\Users\Ute und Armin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Ute und Armin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.) O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.) O9 - Extra Button: eBay - Der weltweite Online Marktplatz - {76577871-04EC-495E-A12B-91F7C3600AFA} - hxxp://rover.ebay.com/rover/1/707-44556-9400-3/4 File not found O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.) O9 - Extra Button: Amazon.de - {8A918C1D-E123-4E36-B562-5C1519E434CE} - hxxp://www.amazon.de/exec/obidos/redirect-home?tag=Toshibadebholink-21&site=home File not found O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D97559DB-A3B1-4C2F-99BF-56DA1BF09137}: NameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EC1F5D21-8E17-4839-B679-102D41344AFA}: DhcpNameServer = 192.168.0.1 O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) -C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google) O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) -C:\Programme\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited) O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Users\Ute und Armin\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg O24 - Desktop BackupWallPaper: C:\Users\Ute und Armin\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2011.12.07 18:16:43 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Program Files\OTL.exe [2011.12.07 17:54:30 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2011.12.07 16:57:42 | 000,000,000 | ---D | C] -- C:\Users\Ute und Armin\AppData\Roaming\Malwarebytes [2011.12.07 16:55:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2011.12.07 16:55:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2011.12.07 16:55:34 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2011.12.07 16:55:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2011.12.07 09:53:31 | 000,000,000 | ---D | C] -- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1} [2011.12.07 09:47:49 | 000,000,000 | ---D | C] -- C:\Users\Ute und Armin\AppData\Local\Sophos [2011.12.06 19:30:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos [2011.12.06 19:30:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Cisco Systems [2011.12.06 19:30:45 | 000,030,744 | ---- | C] (Sophos Limited) -- C:\Windows\System32\SophosBootTasks.exe [2011.12.06 19:30:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Sophos [2011.12.06 19:30:25 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos [2011.12.06 19:30:20 | 000,000,000 | -HSD | C] -- C:\Config.Msi [2011.12.06 19:28:21 | 000,123,680 | ---- | C] (Sophos Limited) -- C:\Windows\System32\drivers\savonaccess.sys [2011.12.06 19:28:21 | 000,031,736 | ---- | C] (Sophos Plc) -- C:\Windows\System32\drivers\skmscan.sys [2011.12.06 19:28:21 | 000,022,536 | ---- | C] (Sophos Plc) -- C:\Windows\System32\drivers\SophosBootDriver.sys [2011.12.06 19:28:12 | 000,000,000 | ---D | C] -- C:\savw_100_sa [2011.12.06 18:11:56 | 000,000,000 | ---D | C] -- C:\Windows\Sun [2011.12.06 18:10:41 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com [2011.12.06 18:06:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun [2011.12.06 18:00:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Ask [2011.12.06 18:00:00 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll [2011.12.06 18:00:00 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe [2011.12.06 18:00:00 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe [2011.12.06 18:00:00 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe [2011.12.06 12:13:02 | 000,000,000 | ---D | C] -- C:\Users\Ute und Armin\AppData\Roaming\ASCOMP Software [2011.12.06 12:12:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ASCOMP Software [2011.12.06 12:12:58 | 000,000,000 | ---D | C] -- C:\Program Files\ASCOMP Software [2011.12.06 11:59:26 | 000,000,000 | ---D | C] -- C:\Users\Ute und Armin\AppData\Local\PackageAware [2011.12.05 18:22:09 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2011.12.05 18:22:09 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll [2011.12.05 18:22:09 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll [2011.12.05 18:22:08 | 000,156,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll [2011.12.05 18:22:08 | 000,125,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll [2011.12.05 18:22:08 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll [2011.12.05 18:22:08 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2011.12.05 18:22:08 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\corpol.dll [2011.12.05 18:22:07 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2011.12.05 18:22:07 | 000,348,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll [2011.12.05 18:22:07 | 000,216,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll [2011.12.05 18:22:07 | 000,183,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll [2011.12.05 18:22:07 | 000,034,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll [2011.12.05 18:22:06 | 000,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll [2011.12.05 18:22:06 | 000,193,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll [2011.12.05 18:22:06 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll [2011.12.05 18:22:06 | 000,094,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll [2011.12.05 18:22:06 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll [2011.12.05 18:22:06 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll [2011.12.05 18:22:06 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll [2011.12.05 18:22:05 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll [2011.12.05 18:22:05 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2011.12.05 18:22:05 | 000,208,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WinFXDocObj.exe [2011.12.05 18:22:05 | 000,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe [2011.12.05 18:22:05 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe [2011.12.05 18:22:04 | 000,445,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll [2011.12.05 18:22:04 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll [2011.12.05 18:22:03 | 000,391,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll [2011.12.05 18:22:03 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll [2011.12.05 18:22:01 | 003,698,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat [2011.12.05 18:22:01 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec [2011.12.05 18:22:01 | 000,169,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe [2011.12.05 18:22:00 | 000,132,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2011.12.05 18:22:00 | 000,109,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PDMSetup.exe [2011.12.05 18:22:00 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll [2011.12.05 18:22:00 | 000,107,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe [2011.12.05 18:22:00 | 000,107,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe [2011.12.05 18:22:00 | 000,103,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetDepNx.exe [2011.12.05 18:21:52 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe [2011.12.05 18:21:50 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2010.06.06 14:15:07 | 000,348,160 | ---- | C] ( ) -- C:\Windows\System32\lexlog.dll [2006.10.20 14:09:00 | 000,540,672 | ---- | C] ( ) -- C:\Windows\System32\LMABO2PI.EXE [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2011.12.07 17:54:30 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2011.12.07 17:22:42 | 000,002,637 | ---- | M] () -- C:\Users\Ute und Armin\Desktop\Microsoft Office Word 2003.lnk [2011.12.07 17:22:22 | 000,002,665 | ---- | M] () -- C:\Users\Ute und Armin\Desktop\Microsoft Office Excel 2003.lnk [2011.12.07 16:55:41 | 000,000,911 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2011.12.07 16:47:41 | 000,627,756 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2011.12.07 16:47:41 | 000,595,386 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2011.12.07 16:47:41 | 000,125,870 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2011.12.07 16:47:41 | 000,103,460 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2011.12.07 16:29:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2011.12.07 16:09:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Program Files\OTL.exe [2011.12.07 15:10:10 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2011.12.07 15:10:10 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2011.12.06 19:50:35 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2011.12.06 19:45:20 | 000,000,442 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{2A1A6F84-2C7C-483F-8D7F-446F5BE8D0FB}.job [2011.12.06 19:22:00 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2011.12.06 17:38:42 | 000,476,136 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2011.12.06 12:12:59 | 000,001,967 | ---- | M] () -- C:\Users\Public\Desktop\Cleaning Suite.lnk [2011.12.05 18:54:53 | 000,000,948 | ---- | M] () -- C:\Users\Ute und Armin\Desktop\Dropbox.lnk [2011.12.05 18:54:53 | 000,000,928 | ---- | M] () -- C:\Users\Ute und Armin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2011.12.05 17:32:09 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt [2011.11.28 19:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr [2011.11.28 19:01:23 | 000,199,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe [2011.11.28 18:53:53 | 000,435,032 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys [2011.11.28 18:53:35 | 000,314,456 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys [2011.11.28 18:52:19 | 000,034,392 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys [2011.11.28 18:52:16 | 000,052,952 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys [2011.11.28 18:52:07 | 000,055,128 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys [2011.11.28 18:51:50 | 000,020,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys [2011.11.17 19:58:34 | 000,030,744 | ---- | M] (Sophos Limited) -- C:\Windows\System32\SophosBootTasks.exe [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2011.12.07 16:55:41 | 000,000,911 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2011.12.06 12:12:59 | 000,001,967 | ---- | C] () -- C:\Users\Public\Desktop\Cleaning Suite.lnk [2011.12.05 18:42:20 | 000,000,442 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{2A1A6F84-2C7C-483F-8D7F-446F5BE8D0FB}.job [2011.12.05 18:22:04 | 000,057,667 | ---- | C] () -- C:\Windows\System32\ieuinit.inf [2009.11.30 18:55:31 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2009.04.14 10:00:57 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI [2009.03.01 09:00:39 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin [2009.03.01 09:00:39 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin [2009.02.27 20:22:22 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat [2009.02.12 17:09:33 | 000,000,016 | -H-- | C] () -- C:\Users\Ute und Armin\AppData\Roaming\mxfilerelatedcache.mxc2 [2009.02.12 17:09:33 | 000,000,016 | -H-- | C] () -- C:\Users\Ute und Armin\AppData\Local\mxfilerelatedcache.mxc2 [2009.02.12 17:09:32 | 000,000,016 | -H-- | C] () -- C:\ProgramData\mxfilerelatedcache.mxc2 [2009.01.27 21:48:07 | 000,007,680 | ---- | C] () -- C:\Users\Ute und Armin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2008.02.22 10:34:00 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI [2008.02.18 16:58:18 | 000,006,642 | ---- | C] () -- C:\Windows\mgxoschk.ini [2008.02.18 16:44:09 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll [2008.02.18 16:44:09 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll [2008.02.18 16:44:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll [2008.02.18 16:44:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll [2008.02.18 16:44:09 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll [2008.02.18 16:44:09 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll [2008.02.18 15:57:01 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll [2008.02.18 15:55:43 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll [2008.02.18 15:55:43 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll [2008.02.18 15:55:43 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll [2008.02.18 15:55:43 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll [2008.01.21 08:15:58 | 000,627,756 | ---- | C] () -- C:\Windows\System32\perfh007.dat [2008.01.21 08:15:58 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat [2008.01.21 08:15:58 | 000,125,870 | ---- | C] () -- C:\Windows\System32\perfc007.dat [2008.01.21 08:15:58 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat [2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat [2006.11.02 13:47:37 | 000,476,136 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT [2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll [2006.11.02 11:33:01 | 000,595,386 | ---- | C] () -- C:\Windows\System32\perfh009.dat [2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat [2006.11.02 11:33:01 | 000,103,460 | ---- | C] () -- C:\Windows\System32\perfc009.dat [2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat [2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat [2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin [2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT [2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat [2006.10.20 14:09:00 | 000,233,472 | ---- | C] () -- C:\Windows\System32\LMABO2B1.DLL [2006.10.20 14:09:00 | 000,003,878 | ---- | C] () -- C:\Windows\System32\LMABO2D$.INI < End of report > |
07.12.2011, 18:32 | #10 | |
| Trojaner Win32:Cybota und Win32:Konar Und die Malware ist auch durch. Wie vermutet keinen Fund. Wenn ich jetzt in den normalen Modus rein könnte wär da bestimmt was. Zitat:
|
07.12.2011, 18:48 | #11 |
| Trojaner Win32:Cybota und Win32:Konar Hi, sehr seltsam, im Log taucht auch nichts auf. Kannst Du dich über einen anderen Usern anmelden, bzw. funktioniert der Taskmanger oder die Commandline (CMD)? Das deutet auf einen Treiber hin, der im Safemode nicht geladen wird. Bitte OTL nachmal laufen lassen, aber das Häkchen bei "Scann all users setzten... und
Code:
ATTFilter netsvcs msconfig safebootminimal safebootnetwork activex drivers32 %SYSTEMDRIVE%\*.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys mv61xx.sys winlogon.exe userinit.exe WS2_32.dll /md5stop c:\windows\system32\drivers\*.sys /lockedfiles c:\windows\system32\*.dll /lockedfiles %systemroot%\*. /mp /s %PROGRAMFILES%\*. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs CREATERESTOREPOINT
chris
__________________ Don't bring me down Vor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden ) |
Themen zu Trojaner Win32:Cybota und Win32:Konar |
abgesicherten, avast, cleaner, cybota/konar trojaner, datei, folge, gelöscht, hochfahren, internet, laptop, malware, meldung, monitor, monitor schwarz, neustart, nicht gefunden, rechner, registry, scan, scanner, software, suche, trojaner, virenscanner, vista 32bit, warnung, win, win32 |