|
Plagegeister aller Art und deren Bekämpfung: Win32/Zbot -jetzt endgültig entfernt?Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
15.12.2011, 15:04 | #1 |
| Win32/Zbot -jetzt endgültig entfernt? Hallo ihr Lieben! Ich entschuldige mich mal im Voraus für mein fehlendes Fachwissen und die laienhafte Darstellung meines Problems.. :/ Vor ca. einer Woche hat Security Essentials mir ein schwerwiegendes Problem, namentlich das erkannte Element "PWS:Win32/Zbot" angezeigt, das ich gleich entfernen habe lassen. Zusätzlich stand noch dabei: "Erkannte Elemente: containerfile:C:\Users\violeta\AppData\Local\Temp\ke64neqflzwy.exe file:C:\Users\violeta\AppData\Local\Temp\ke64neqflzwy.exe->(UPX) " Ich bin mir aber nicht sicher, ob der Trojaner jetzt vollständig entfernt wurde oder nicht und habe deshalb sicherheitshalber schon etliche Virenscans durchgeführt, die aber zu keinem Ergebnis gekommen sind. Nach eingehender Recherche bin ich dann auf "gmer" gestoßen, mit dem ich auch einen Scan nach Anleitung eines Antivirenforums gemacht habe. (Häkchen nur bei -Services, -Registry und -Files (und -ADS) gesetzt, Internetverbindung getrennt, alle anderen Programme während des Scans waren auch geschlossen) DAS ist dabei rausgekommen: GMER 1.0.15.15641 - hxxp://www.gmer.net Rootkit scan 2011-12-15 14:57:13 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.01.0 Running: gmer.exe; Driver: C:\Users\violeta\AppData\Local\Temp\ugliifod.sys ---- Registry - GMER 1.0.15 ---- Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LazyCheckPointUpdateInterval 86400 ---- EOF - GMER 1.0.15 ---- Nicht viel, aber doch verunsichert mich das jetzt extrem, zumal mein Pc sich wirklich seltsam verhält (Programme auf dem Desktop "blinken"), gestern ist er z.B. aus heiterem Himmel einfach abgestürzt, was vorher noch nie passiert ist... Es wäre wirklich toll, wenn mir jemand helfen könnte, alleine schaff ich das nicht... Vielen Dank im Voraus, Liebe Grüße, Violeta |
15.12.2011, 16:13 | #2 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Win32/Zbot -jetzt endgültig entfernt? Bitte nun routinemäßig einen Vollscan mit Malwarebytes machen und Log posten.
__________________Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss! Falls Logs aus älteren Scans mit Malwarebytes vorhanden sind, bitte auch davon alle posten! ESET Online Scanner
__________________ |
15.12.2011, 19:17 | #3 | ||||
| Win32/Zbot -jetzt endgültig entfernt? Das ist das Ergebnis vom Malwarebytes-Scan:
__________________Zitat:
Zitat:
Nun das Ergebnis vom ESET-Scan: Zitat:
Ach ja und außerdem wird mir seit vorhin ständig eine Meldung von Windows angezeigt, und wenn ich auf Problemlösung klicke, steht dort: Zitat:
|
15.12.2011, 19:40 | #4 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Win32/Zbot -jetzt endgültig entfernt? CustomScan mit OTL Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
Code:
ATTFilter netsvcs msconfig safebootminimal safebootnetwork activex drivers32 %ALLUSERSPROFILE%\Application Data\*. %ALLUSERSPROFILE%\Application Data\*.exe /s %APPDATA%\*. %APPDATA%\*.exe /s %SYSTEMDRIVE%\*.exe /md5start wininit.exe userinit.exe eventlog.dll scecli.dll netlogon.dll cngaudit.dll ws2ifsl.sys sceclt.dll ntelogon.dll winlogon.exe logevent.dll user32.DLL iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys /md5stop %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\System32\config\*.sav %systemroot%\*. /mp /s %systemroot%\system32\*.dll /lockedfiles CREATERESTOREPOINT
__________________ Logfiles bitte immer in CODE-Tags posten |
15.12.2011, 21:00 | #5 |
| Win32/Zbot -jetzt endgültig entfernt? So, hab ich gemacht: OTL Logfile: Code:
ATTFilter OTL logfile created on: 12/15/2011 8:44:05 PM - Run 1 OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\violeta\Desktop Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1.96 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 47.82% Memory free 3.92 Gb Paging File | 2.67 Gb Available in Paging File | 68.14% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files Drive C: | 121.96 Gb Total Space | 93.84 Gb Free Space | 76.94% Space Free | Partition Type: NTFS Drive D: | 95.83 Gb Total Space | 51.13 Gb Free Space | 53.35% Space Free | Partition Type: NTFS Computer Name: VIOLETA-PC | User Name: violeta | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2011/12/15 20:37:15 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\violeta\Desktop\OTL.exe PRC - [2011/10/04 01:23:07 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\javaw.exe PRC - [2011/08/31 17:00:48 | 001,047,208 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe PRC - [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe PRC - [2011/04/27 14:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe PRC - [2011/02/26 06:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009/11/04 05:11:48 | 000,835,072 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe PRC - [2009/10/26 12:53:14 | 000,091,136 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe PRC - [2009/10/13 11:03:04 | 000,716,800 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe PRC - [2009/10/07 02:31:56 | 002,246,144 | ---- | M] (SEC) -- C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe PRC - [2009/08/13 20:58:10 | 000,044,312 | ---- | M] () -- C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe PRC - [2009/07/24 05:46:14 | 000,650,920 | ---- | M] () -- C:\PROGRA~1\samsung\SAMSUN~2\SUPNOT~1.EXE PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2009/06/03 12:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe PRC - [2009/04/15 15:52:06 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe ========== Modules (No Company Name) ========== MOD - [2011/12/15 14:03:35 | 000,035,608 | ---- | M] () -- C:\Program Files\JAP\japdll.dll MOD - [2009/07/24 05:46:14 | 000,650,920 | ---- | M] () -- C:\PROGRA~1\samsung\SAMSUN~2\SUPNOT~1.EXE MOD - [2009/06/03 12:59:14 | 000,013,096 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll MOD - [2009/06/03 12:59:02 | 000,619,816 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll MOD - [2009/05/13 09:51:26 | 000,155,648 | ---- | M] () -- C:\PROGRA~1\samsung\SAMSUN~2\HMXML.dll MOD - [2006/08/12 04:48:40 | 000,049,152 | ---- | M] () -- C:\Program Files\Samsung\Easy Display Manager\HookDllPS2.dll ========== Win32 Services (SafeList) ========== SRV - [2011/04/27 14:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv) SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc) SRV - [2009/08/13 20:58:10 | 000,044,312 | ---- | M] () [Auto | Running] -- C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe -- (OberonGameConsoleService) SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend) ========== Driver Services (SafeList) ========== DRV - [2011/12/15 10:37:31 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9E19DE79-5C13-4BA6-AD9B-0CDD0E3268BF}\MpKslea6aea91.sys -- (MpKslea6aea91) DRV - [2011/12/15 03:22:23 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9E19DE79-5C13-4BA6-AD9B-0CDD0E3268BF}\MpKsl1516d6d9.sys -- (MpKsl1516d6d9) DRV - [2011/04/27 14:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv) DRV - [2011/04/18 12:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon) DRV - [2009/11/06 21:53:58 | 001,227,776 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr) DRV - [2009/09/28 10:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7) DRV - [2009/07/10 14:44:52 | 000,122,880 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = iGoogle IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "LEO Eng-Deu" FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/" FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/25 20:50:29 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/15 03:15:22 | 000,000,000 | ---D | M] [2011/08/23 21:11:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\violeta\AppData\Roaming\mozilla\Extensions [2011/08/30 23:13:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\violeta\AppData\Roaming\mozilla\Firefox\Profiles\jl9khlly.default\extensions [2011/11/25 20:50:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\mozilla firefox\extensions [2011/11/25 20:50:28 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011/10/02 11:41:05 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2011/10/02 11:41:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2011/10/02 11:41:05 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2011/10/02 11:41:05 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2011/10/02 11:41:05 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2011/10/02 11:41:05 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O4 - HKLM..\Run: [APLangApp] C:\Program Files\AnyPC Client\APLangApp.exe (DoctorSoft) O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink) O4 - HKLM..\Run: [fsi] C:\Program Files\Phoenix Technologies Ltd\FailSafe\FailSafeLauncher.exe () O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation) O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe (CyberLink Corp.) O4 - HKLM..\Run: [RemoteControl8] C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.) O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKLM..\Run: [UpdatePPShortCut] C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A6C5C720-85C2-4D89-AACC-13159181637A}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - C:\windows\System32\ias.dll (Microsoft Corporation) NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found SafeBootMin: AppMgmt - Service SafeBootMin: Base - Driver Group SafeBootMin: Boot Bus Extender - Driver Group SafeBootMin: Boot file system - Driver Group SafeBootMin: File system - Driver Group SafeBootMin: Filter - Driver Group SafeBootMin: HelpSvc - Service SafeBootMin: mcmscsvc - Service SafeBootMin: MCODS - Service SafeBootMin: MsMpSvc - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation) SafeBootMin: NTDS - File not found SafeBootMin: PCI Configuration - Driver Group SafeBootMin: PNP Filter - Driver Group SafeBootMin: Primary disk - Driver Group SafeBootMin: sacsvr - Service SafeBootMin: SCSI Class - Driver Group SafeBootMin: System Bus Extender - Driver Group SafeBootMin: vmms - Service SafeBootMin: WinDefend - C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation) SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices SafeBootNet: AppMgmt - Service SafeBootNet: Base - Driver Group SafeBootNet: Boot Bus Extender - Driver Group SafeBootNet: Boot file system - Driver Group SafeBootNet: File system - Driver Group SafeBootNet: Filter - Driver Group SafeBootNet: HelpSvc - Service SafeBootNet: mcmscsvc - Service SafeBootNet: MCODS - Service SafeBootNet: Messenger - Service SafeBootNet: MpfService - Service SafeBootNet: MsMpSvc - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation) SafeBootNet: NDIS Wrapper - Driver Group SafeBootNet: NetBIOSGroup - Driver Group SafeBootNet: NetDDEGroup - Driver Group SafeBootNet: Network - Driver Group SafeBootNet: NetworkProvider - Driver Group SafeBootNet: NTDS - File not found SafeBootNet: PCI Configuration - Driver Group SafeBootNet: PNP Filter - Driver Group SafeBootNet: PNP_TDI - Driver Group SafeBootNet: Primary disk - Driver Group SafeBootNet: rdsessmgr - Service SafeBootNet: sacsvr - Service SafeBootNet: SCSI Class - Driver Group SafeBootNet: Streams Drivers - Driver Group SafeBootNet: System Bus Extender - Driver Group SafeBootNet: TDI - Driver Group SafeBootNet: vmms - Service SafeBootNet: WinDefend - C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation) SafeBootNet: WudfUsbccidDriver - Driver SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun) ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0 ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6 ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7 ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS) Drivers32: MSVideo8 - C:\windows\System32\vfwwdm32.dll (Microsoft Corporation) Drivers32: vidc.cvid - C:\windows\System32\iccvid.dll (Radius Inc.) CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 30 Days ========== [2011/12/15 20:37:11 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\violeta\Desktop\OTL.exe [2011/12/15 17:29:18 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2011/12/15 17:12:19 | 002,322,184 | ---- | C] (ESET) -- C:\Users\violeta\Desktop\esetsmartinstaller_enu.exe [2011/12/15 14:07:49 | 000,000,000 | ---D | C] -- C:\Users\violeta\AppData\Roaming\JonDo [2011/12/15 14:03:19 | 000,000,000 | ---D | C] -- C:\Program Files\JAP [2011/11/20 02:41:56 | 000,000,000 | ---D | C] -- C:\Users\violeta\AppData\Roaming\PhotoScape [2011/11/20 02:41:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotoScape [2011/11/20 02:41:23 | 000,000,000 | ---D | C] -- C:\Program Files\Google ========== Files - Modified Within 30 Days ========== [2011/12/15 20:37:15 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\violeta\Desktop\OTL.exe [2011/12/15 20:25:53 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat [2011/12/15 19:51:03 | 000,001,100 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job [2011/12/15 17:36:24 | 000,014,512 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2011/12/15 17:36:24 | 000,014,512 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2011/12/15 17:12:21 | 002,322,184 | ---- | M] (ESET) -- C:\Users\violeta\Desktop\esetsmartinstaller_enu.exe [2011/12/15 16:24:38 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2011/12/15 13:08:36 | 000,001,096 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job [2011/12/15 10:37:17 | 340,012,697 | ---- | M] () -- C:\windows\MEMORY.DMP [2011/12/15 10:37:16 | 1579,630,592 | -HS- | M] () -- C:\hiberfil.sys [2011/12/15 03:49:49 | 000,294,216 | ---- | M] () -- C:\Users\violeta\Desktop\gmer.zip [2011/12/15 03:22:21 | 000,350,288 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT [2011/12/10 15:19:12 | 000,555,312 | ---- | M] () -- C:\Users\violeta\Documents\parka.one [2011/12/10 02:24:22 | 000,000,036 | ---- | M] () -- C:\Users\violeta\AppData\Local\housecall.guid.cache [2011/12/04 02:31:45 | 000,652,778 | ---- | M] () -- C:\Users\violeta\Desktop\BSc_BWL_Studienfuehrer_Wintersemester_2010.pdf ========== Files Created - No Company Name ========== [2011/12/15 03:49:45 | 000,294,216 | ---- | C] () -- C:\Users\violeta\Desktop\gmer.zip [2011/12/10 15:19:12 | 000,555,312 | ---- | C] () -- C:\Users\violeta\Documents\parka.one [2011/12/10 02:24:22 | 000,000,036 | ---- | C] () -- C:\Users\violeta\AppData\Local\housecall.guid.cache [2011/12/04 02:31:45 | 000,652,778 | ---- | C] () -- C:\Users\violeta\Desktop\BSc_BWL_Studienfuehrer_Wintersemester_2010.pdf [2011/11/20 02:41:37 | 000,001,100 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job [2011/11/20 02:41:32 | 000,001,096 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job [2010/06/11 14:36:14 | 000,000,002 | ---- | C] () -- C:\windows\HotFixList.ini [2010/06/11 14:19:58 | 000,131,368 | ---- | C] () -- C:\ProgramData\FullRemove.exe [2009/12/05 21:22:03 | 000,656,266 | ---- | C] () -- C:\windows\System32\perfh007.dat [2009/12/05 21:22:03 | 000,295,922 | ---- | C] () -- C:\windows\System32\perfi007.dat [2009/12/05 21:22:03 | 000,131,006 | ---- | C] () -- C:\windows\System32\perfc007.dat [2009/12/05 21:22:03 | 000,038,104 | ---- | C] () -- C:\windows\System32\perfd007.dat [2009/12/05 21:01:49 | 000,004,608 | ---- | C] () -- C:\windows\System32\HdmiCoin.dll [2009/12/05 21:01:48 | 000,982,220 | ---- | C] () -- C:\windows\System32\igkrng500.bin [2009/12/05 21:01:47 | 000,439,300 | ---- | C] () -- C:\windows\System32\igcompkrng500.bin [2009/12/05 21:01:47 | 000,134,592 | ---- | C] () -- C:\windows\System32\igfcg500.bin [2009/12/05 21:01:47 | 000,092,216 | ---- | C] () -- C:\windows\System32\igfcg500m.bin [2009/12/05 04:17:31 | 000,307,200 | ---- | C] () -- C:\windows\SetDisplayResolution.exe [2009/07/14 05:57:37 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat [2009/07/14 05:33:53 | 000,350,288 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT [2009/07/14 03:05:48 | 000,618,108 | ---- | C] () -- C:\windows\System32\perfh009.dat [2009/07/14 03:05:48 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat [2009/07/14 03:05:48 | 000,107,388 | ---- | C] () -- C:\windows\System32\perfc009.dat [2009/07/14 03:05:48 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat [2009/07/14 03:05:05 | 000,000,741 | ---- | C] () -- C:\windows\System32\NOISE.DAT [2009/07/14 03:04:11 | 000,215,943 | ---- | C] () -- C:\windows\System32\dssec.dat [2009/07/14 00:55:01 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin [2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll [2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll [2009/06/10 22:26:10 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat ========== LOP Check ========== [2011/09/28 03:54:32 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Go Go Gourmet [2011/12/15 14:07:50 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\JonDo [2011/11/20 02:54:30 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\PhotoScape [2009/07/14 05:53:46 | 000,013,706 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %ALLUSERSPROFILE%\Application Data\*. > < %ALLUSERSPROFILE%\Application Data\*.exe /s > < %APPDATA%\*. > [2011/08/23 21:03:58 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Adobe [2011/09/28 03:54:32 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Go Go Gourmet [2011/08/23 14:55:35 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Google [2011/08/29 19:03:25 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Help [2010/06/11 14:38:06 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Identities [2011/12/15 14:07:50 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\JonDo [2011/08/23 15:25:00 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Macromedia [2011/08/29 18:50:49 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Malwarebytes [2009/12/05 21:11:14 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Media Center Programs [2011/12/15 20:40:14 | 000,000,000 | --SD | M] -- C:\Users\violeta\AppData\Roaming\Microsoft [2011/08/23 21:11:10 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Mozilla [2011/11/20 02:54:30 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\PhotoScape [2011/12/15 20:36:19 | 000,000,000 | ---D | M] -- C:\Users\violeta\AppData\Roaming\Skype < %APPDATA%\*.exe /s > < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys [2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys [2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys [2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_bc1a57271cf2f285\AGP440.sys < MD5 for: ATAPI.SYS > [2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys [2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys [2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys [2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_df3f92057fcbe7a7\atapi.sys < MD5 for: CNGAUDIT.DLL > [2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll [2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll < MD5 for: EVENTLOG.DLL > [2007/05/17 13:34:04 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 -- C:\Program Files\CyberLink\PowerDirector\EventLog.dll < MD5 for: IASTOR.SYS > [2009/10/13 03:09:36 | 000,331,288 | ---- | M] (Intel Corporation) MD5=0BAA4115DFFFD6A6D809A89D65E1281A -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys [2009/10/13 03:09:36 | 000,331,288 | ---- | M] (Intel Corporation) MD5=0BAA4115DFFFD6A6D809A89D65E1281A -- C:\Windows\System32\drivers\iaStor.sys [2009/10/13 03:09:36 | 000,331,288 | ---- | M] (Intel Corporation) MD5=0BAA4115DFFFD6A6D809A89D65E1281A -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_x86_neutral_3f3653f13a033ed4\iaStor.sys [2009/10/13 03:16:40 | 000,409,624 | ---- | M] (Intel Corporation) MD5=BE7D72FCF442C26975942007E0831241 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys < MD5 for: IASTORV.SYS > [2011/03/11 06:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17577_none_b0daddb9e6380745\iaStorV.sys [2011/03/11 06:43:55 | 000,332,160 | ---- | M] (Intel Corporation) MD5=71F1A494FEDF4B33C02C4A6A28D6D9E9 -- C:\Windows\System32\drivers\iaStorV.sys [2011/03/11 06:43:55 | 000,332,160 | ---- | M] (Intel Corporation) MD5=71F1A494FEDF4B33C02C4A6A28D6D9E9 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_0033117673c16921\iaStorV.sys [2011/03/11 06:43:55 | 000,332,160 | ---- | M] (Intel Corporation) MD5=71F1A494FEDF4B33C02C4A6A28D6D9E9 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16778_none_aef580fde910b4b0\iaStorV.sys [2011/03/11 06:28:00 | 000,332,160 | ---- | M] (Intel Corporation) MD5=778D0E6D7D9EBA0C403BADBAAD41DB20 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.21680_none_b152a892ff64119f\iaStorV.sys [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys [2010/11/20 13:29:54 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_b118bc63e60a139a\iaStorV.sys [2011/03/11 06:52:21 | 000,332,160 | ---- | M] (Intel Corporation) MD5=B9039A34C2F8769490DCC494E2402445 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.20921_none_afae2d45020c148b\iaStorV.sys < MD5 for: NETLOGON.DLL > [2010/11/20 13:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_ffbf212e963c0162\netlogon.dll [2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll [2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll < MD5 for: NVSTOR.SYS > [2011/03/11 06:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_3ba44e691d6eb11d\nvstor.sys [2011/03/11 06:44:01 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4520B63899E867F354EE012D34E11536 -- C:\Windows\System32\drivers\nvstor.sys [2011/03/11 06:44:01 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4520B63899E867F354EE012D34E11536 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_38e464dbe521cc7f\nvstor.sys [2011/03/11 06:44:01 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4520B63899E867F354EE012D34E11536 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16778_none_39bef1ad20475e88\nvstor.sys [2011/03/11 06:28:10 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=66D468654A58594F5F3BA63D5AD5B1AF -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_3c1c1942369abb77\nvstor.sys [2011/03/11 06:52:25 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=8A7583A3B58D3EEB28BB26626526BC91 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.20921_none_3a779df43942be63\nvstor.sys [2010/11/20 13:30:06 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_3be22d131d40bd72\nvstor.sys [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys < MD5 for: SCECLI.DLL > [2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll [2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll [2010/11/20 13:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_3a154c47375d881d\scecli.dll < MD5 for: USER32.DLL > [2009/07/14 02:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\System32\user32.dll [2009/07/14 02:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll [2010/11/20 13:21:33 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 -- C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll < MD5 for: USERINIT.EXE > [2010/11/20 13:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe [2009/07/14 02:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe [2009/07/14 02:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe < MD5 for: WININIT.EXE > [2009/07/14 02:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe [2009/07/14 02:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe < MD5 for: WINLOGON.EXE > [2009/10/28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe [2009/10/28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe [2009/10/28 06:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe [2010/11/20 13:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe [2009/07/14 02:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe < MD5 for: WS2IFSL.SYS > [2009/07/14 00:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\System32\drivers\ws2ifsl.sys [2009/07/14 00:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.1.7600.16385_none_4f5cf6f829213bb2\ws2ifsl.sys < %systemroot%\system32\drivers\*.sys /lockedfiles > [2011/04/18 12:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\windows\system32\drivers\MpNWMon.sys < %systemroot%\System32\config\*.sav > < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > ========== Alternate Data Streams ========== @Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:A42A9F39 @Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:4CF61E54 < End of report > Und an dieser Stelle schon einmal vielen, vielen Dank, dass du mir hilfst... Das beruhigt mich ungemein! |
15.12.2011, 21:10 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Win32/Zbot -jetzt endgültig entfernt? Mach einen OTL-Fix, beende alle evtl. geöffneten Programme, auch Virenscanner deaktivieren (!), starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!) Code:
ATTFilter :OTL [2010/06/11 14:19:58 | 000,131,368 | ---- | C] () -- C:\ProgramData\FullRemove.exe @Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:A42A9F39 @Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:4CF61E54 :Commands [emptytemp] [resethosts] Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet. Die mit diesem Script gefixten Einträge, Dateien und Ordner werden zur Sicherheit nicht vollständig gelöscht, es wird eine Sicherheitskopie auf der Systempartition im Ordner "_OTL" erstellt. Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann!
__________________ --> Win32/Zbot -jetzt endgültig entfernt? |
15.12.2011, 21:26 | #7 | |
| Win32/Zbot -jetzt endgültig entfernt? Das kam jetzt dabei raus: Zitat:
|
15.12.2011, 21:42 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Win32/Zbot -jetzt endgültig entfernt? Bitte nun (im normalen Windows-Modus) dieses Tool von Kaspersky (TDSS-Killer) ausführen und das Log posten => http://www.trojaner-board.de/82358-t...entfernen.html Das Tool so einstellen wie unten im Bild angegeben - klick auf change parameters und setze die Haken wie im folgenden Screenshot abgebildet, Dann auf Start Scan klicken und wenn es durch ist auf den Button Report klicken um das Log anzuzeigen. Dieses bitte komplett posten. Wenn du das Log nicht findest oder den Inhalt kopieren und in dein Posting übertragen kannst, dann schau bitte direkt auf deiner Windows-Systempartition nach, da speichert der TDSS-Killer seine Logs. Hinweis: Bitte nichts voreilig mit dem TDSS-Killer löschen! Falls Objekte vom TDSS-Killer bemängelt werden, alle mit der Aktion "skip" behandeln und hier nur das Log posten! Falls du durch die Infektion auf deine Dokumente/Eigenen Dateien nicht zugreifen kannst, Verknüpfungen auf dem Desktop oder im Startmenü unter "alle Programme" fehlen, bitte unhide ausführen: Downloade dir bitte unhide.exe und speichere diese Datei auf deinem Desktop. Starte das Tool und es sollten alle Dateien und Ordner wieder sichtbar sein. ( Könnte eine Weile dauern ) Windows-Vista und Windows-7-User müssen das Tool per Rechtsklick als Administrator ausführen!
__________________ Logfiles bitte immer in CODE-Tags posten |
15.12.2011, 22:15 | #9 | |
| Win32/Zbot -jetzt endgültig entfernt?Zitat:
|
16.12.2011, 09:08 | #10 | |
/// Winkelfunktion /// TB-Süch-Tiger™ | Win32/Zbot -jetzt endgültig entfernt? Dann bitte jetzt CF ausführen: ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat! Solltest du nach der Ausführung von Combofix Probleme beim Starten von Anwendungen haben und Meldungen erhalten wie Zitat:
__________________ Logfiles bitte immer in CODE-Tags posten |
16.12.2011, 17:22 | #11 |
| Win32/Zbot -jetzt endgültig entfernt? Das ist die Combofix-log-datei: Combofix Logfile: Code:
ATTFilter ComboFix 11-12-16.01 - violeta 16.12.2011 17:10:38.1.2 - x86 Microsoft Windows 7 Home Premium 6.1.7600.0.1252.49.1031.18.2009.1335 [GMT 1:00] ausgeführt von:: c:\users\violeta\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\violeta\AppData\Roaming\Help\coredb\storage . . ((((((((((((((((((((((( Dateien erstellt von 2011-11-16 bis 2011-12-16 )))))))))))))))))))))))))))))) . . 2011-12-16 15:56 . 2011-12-16 15:56 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{709D3C17-05AD-4590-97C4-0ABB6C720162}\MpKsleaab3a2a.sys 2011-12-16 15:56 . 2011-12-16 15:56 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{709D3C17-05AD-4590-97C4-0ABB6C720162}\offreg.dll 2011-12-16 01:05 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{709D3C17-05AD-4590-97C4-0ABB6C720162}\mpengine.dll 2011-12-15 20:20 . 2011-12-15 20:20 -------- d-----w- C:\_OTL 2011-12-15 16:29 . 2011-12-15 16:29 -------- d-----w- c:\program files\ESET 2011-12-15 13:07 . 2011-12-15 13:07 -------- d-----w- c:\users\violeta\AppData\Roaming\JonDo 2011-11-20 01:41 . 2011-11-20 01:54 -------- d-----w- c:\users\violeta\AppData\Roaming\PhotoScape 2011-11-20 01:41 . 2011-11-20 01:41 -------- d-----w- c:\program files\Google . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-11-21 10:47 . 2011-08-24 16:09 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-10-11 13:20 . 2011-10-11 13:21 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{167D7102-12B4-4E13-BCBA-6B0AFD074548}\gapaengine.dll 2011-10-04 00:23 . 2011-10-04 00:23 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-09-29 15:43 . 2011-11-14 23:42 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys 2011-11-25 19:50 . 2011-08-23 20:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-21 8092192] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-10 1578280] "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504] "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720] "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504] "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504] "RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-15 91432] "PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472] "UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408] "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-07-21 210216] "APLangApp"="c:\program files\AnyPC Client\APLangApp.exe" [2009-10-20 13312] "fsi"="c:\program files\Phoenix Technologies Ltd\FailSafe\FailSafeLauncher.exe" [2009-09-09 9728] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 141848] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 174104] "Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 151064] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920] "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696] . c:\users\violeta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . R1 MpKsl7579a6ef;MpKsl7579a6ef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FBAD419D-2966-41A4-9555-A3F98E809876}\MpKsl7579a6ef.sys [x] R1 MpKsld39f62b5;MpKsld39f62b5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CC677443-F83C-4737-9C50-8EFAE2A9C12F}\MpKsld39f62b5.sys [x] R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-11-20 135664] R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-11-20 135664] R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024] R3 NisSrv;Microsoft-Netzwerkinspektion;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944] R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776] S1 MpKsleaab3a2a;MpKsleaab3a2a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{709D3C17-05AD-4590-97C4-0ABB6C720162}\MpKsleaab3a2a.sys [2011-12-16 29904] S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128] S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-13 44312] S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 122880] S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392] . . --- Andere Dienste/Treiber im Speicher --- . *NewlyCreated* - MPKSLEAAB3A2A . Inhalt des "geplante Tasks" Ordners . 2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-20 01:41] . 2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-20 01:41] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.de/ IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.178.1 FF - ProfilePath - c:\users\violeta\AppData\Roaming\Mozilla\Firefox\Profiles\jl9khlly.default\ FF - prefs.js: browser.search.selectedEngine - LEO Eng-Deu FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/ . - - - - Entfernte verwaiste Registrierungseinträge - - - - . Toolbar-Locked - (no file) SafeBoot-mcmscsvc SafeBoot-MCODS . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Zeit der Fertigstellung: 2011-12-16 17:16:28 ComboFix-quarantined-files.txt 2011-12-16 16:16 . Vor Suchlauf: 7 Verzeichnis(se), 101.148.250.112 Bytes frei Nach Suchlauf: 11 Verzeichnis(se), 100.822.503.424 Bytes frei . - - End Of File - - 768DC0F5BE269FC8AFD1C7A77B6C4379 Soll ich jetzt die drei Dateien, die bei Malwarebytes unter Quarantäne stehen, löschen? |
17.12.2011, 20:09 | #12 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Win32/Zbot -jetzt endgültig entfernt? Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen. Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst. Hinweis: Zum Entpacken von OSAM bitte WinRAR oder 7zip verwenden! Stell auch unbedingt den Virenscanner ab, besonders der Scanner von McAfee meldet oft einen Fehalarm in OSAM! Downloade dir bitte aswMBR.exe und speichere die Datei auf deinem Desktop.
Wichtig: Drücke keinesfalls einen der Fix Buttons ohne Anweisung Hinweis: Sollte der Scan Button ausgeblendet sein, schließe das Tool und starte es erneut. Sollte der Scan abbrechen und das Programm abstürzen, dann teile mir das mit und wähle unter AV Scan die Einstellung (none).
__________________ Logfiles bitte immer in CODE-Tags posten |
18.12.2011, 02:12 | #13 | ||
| Win32/Zbot -jetzt endgültig entfernt? Gmer: GMER Logfile: Code:
ATTFilter GMER 1.0.15.15641 - GMER - Rootkit Detector and Remover Rootkit scan 2011-12-17 22:38:56 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.01.0 Running: gmer.exe; Driver: C:\Users\violeta\AppData\Local\Temp\ugliifod.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C3A8A9 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C5A2F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) ---- EOF - GMER 1.0.15 ---- OSAM: OSAM Logfile: Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 Online Solutions. Complex Protection for Information Systems Saved at 23:01:27 on 17.12.2011 OS: Windows 7 Home Premium Edition (Build 7600), 32-bit Default Browser: Mozilla Corporation Firefox 8.0.1 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Common] -----( %SystemRoot%\Tasks )----- "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe [Control Panel Objects] -----( %SystemRoot%\system32 )----- "FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\windows\system32\FlashPlayerCPLApp.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "catchme" (catchme) - ? - C:\Users\violeta\AppData\Local\Temp\catchme.sys (File not found) "MpKsl6e890243" (MpKsl6e890243) - "Microsoft Corporation" - c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{261FE31E-B517-40A0-8F9F-10A94A95E936}\MpKsl6e890243.sys "MpKsl7579a6ef" (MpKsl7579a6ef) - ? - c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FBAD419D-2966-41A4-9555-A3F98E809876}\MpKsl7579a6ef.sys (File not found) "MpKsld39f62b5" (MpKsld39f62b5) - ? - c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CC677443-F83C-4737-9C50-8EFAE2A9C12F}\MpKsld39f62b5.sys (File not found) "ugliifod" (ugliifod) - ? - C:\Users\violeta\AppData\Local\Temp\ugliifod.sys (Hidden registry entry, rootkit activity | File not found) [Explorer] -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll {0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll {09A47860-11B0-4DA5-AFA5-26D86198A780} "EPP" - "Microsoft Corporation" - c:\PROGRA~1\MI8079~1\shellext.dll {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll {00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll {00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll {00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo Gallery Viewer Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll {06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_26" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} "Java Plug-in 1.6.0_26" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_26" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_26.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- {48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll [Logon] -----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )----- "OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Shortcut exists | File exists) "desktop.ini" - ? - C:\Users\violeta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini -----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )----- "desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini -----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )----- "StartupPrograms" - ? - rdpclip (File not found) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" "APLangApp" - "DoctorSoft" - "C:\Program Files\AnyPC Client\APLangApp.exe" "CLMLServer" - "CyberLink" - "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" "fsi" - ? - C:\Program Files\Phoenix Technologies Ltd\FailSafe\FailSafeLauncher.exe "Malwarebytes' Anti-Malware (reboot)" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript "MSC" - "Microsoft Corporation" - "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey "PDVD8LanguageShortcut" - "CyberLink Corp." - "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" "RemoteControl8" - "CyberLink Corp." - "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" "SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe" "UCam_Menu" - "CyberLink Corp." - "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0" "UpdateLBPShortCut" - "CyberLink Corp." - "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" "UpdateP2GoShortCut" - "CyberLink Corp." - "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" "UpdatePDRShortCut" - "CyberLink Corp." - "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0" "UpdatePPShortCut" - "CyberLink Corp." - "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0" "UpdatePSTShortCut" - "CyberLink Corp." - "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\windows\system32\msonpmon.dll [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "@c:\Program Files\Microsoft Security Client\Antimalware\MpAsDesc.dll,-243" (NisSrv) - "Microsoft Corporation" - c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe "Cyberlink RichVideo Service(CRVS)" (RichVideo) - ? - C:\Program Files\CyberLink\Shared files\RichVideo.exe "Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "Google Update-Dienst (gupdatem)" (gupdatem) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe "Microsoft Antimalware Service" (MsMpSvc) - "Microsoft Corporation" - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe "Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE "Oberon Media Game Console service" (OberonGameConsoleService) - ? - C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit Online Solutions :: Index[/QUOTE] aswMBR.txt: Zitat:
Zitat:
|
18.12.2011, 13:17 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Win32/Zbot -jetzt endgültig entfernt? Wir sollten den MBR fixen, sichere für den Fall der Fälle ALLE wichtigen Daten, auch wenn meistens alles glatt geht. Hinweis: Mach bitte NICHT den MBR-Fix, wenn du noch andere Betriebssysteme wie zB Ubuntu installiert hast, ein MBR-Fix mit Windows-Tools macht ein parallel installiertes (Dualboot) Linux unbootbar. Starte nach der Datensicherung aswmbr erneut und klick auf den Button FIXMBR. Anschließend Windows neu starten und ein neues Log mit aswMBR machen.
__________________ Logfiles bitte immer in CODE-Tags posten |
Themen zu Win32/Zbot -jetzt endgültig entfernt? |
anleitung, appdata, bli, desktop, device, driver, einfach, entfernen, entfernt, entfernt?, ergebnis, gmer, gmer ?, harddisk, hilfe bei virus, ide, internetverbindung, microsoft, namen, nicht sicher, programme, pws:win32/zbot, search, security, seltsam, software, temp, trojaner, verbindung, virus, win, win32 zbot, win32/zbot |