|
Plagegeister aller Art und deren Bekämpfung: Windows-Verschlüsselungs TrojanerWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
25.04.2012, 20:58 | #1 |
| Windows-Verschlüsselungs Trojaner Hallo Ich habe leider auch diesen tollen email anhang geöffnet.(habe die email noch fals weiter leiten gewünscht ist) Im abgesicherten Modus konnte ich alle sicherheits Prgramme durchlaufen lassen die aber nichts gefunden haben.Darauf hin hatte ich eine Systemwiederherstellung gemacht und dann ging soweit erstmal wieder alles.Bis ich vor einer halben Stunde festgestellt habe das alle eignen Dateien und Bilder usw jetzt ein locked- davor stehen und die eigenartigsten sachen dahinter stehen haben wie zb jjnn , hhbb , zzll , zrss, usw bei jedem steht was anders dahinter.Mir sind nur die Bilder (sind die ersten 3 Jahre meiner Tochter bei) wichtig wenn man die irgentwie retten könnte würde ich mich sehr freuen. Ich hoffe ihr könnt mir helfen. Ich habe die anderen Beiträge zu diesem Thema gelesen und hab auch gesehen das ich nicht der einziegste bin dem das in den letzten 2Tagen passiert ist :-( . Und ein zweiter Rechner ist im moment leider nicht vorhanden. Hi Ich hatte jetzt die möglichkeit mir bei meinem Nachbar die cd (OTLPE)zu erstellen.Habe mit der jetzt meinen Rechner auch starten können aber wenn ich einen doppelklick auf das Icon OTLPE mache geht ein Fenster auf Browse for Folder und da weiß ich nicht was ich anklicken soll. |
26.04.2012, 07:42 | #2 | |||
/// Helfer-Team | Windows-Verschlüsselungs Trojaner Hallo und Herzlich Willkommen!
__________________Bevor wir unsere Zusammenarbeit beginnen, [Bitte Vollständig lesen]: Zitat:
Zitat:
wähle bitte My Computer -> C:\Windows -> klicke auf Ok Zitat:
** Möglichst nicht ins internet gehen, kein Online-Banking, File-sharing, Chatprogramme usw grußkira
__________________ |
26.04.2012, 09:54 | #3 |
| Windows-Verschlüsselungs Trojaner Hallo Kira erstmal Vielen Dank fuer deine Antwort ich hoffe das ich alles richtig gemacht habe.
__________________Code:
ATTFilter OTL logfile created on: 4/26/2012 12:36:00 PM - Run OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free 3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 911.48 Gb Total Space | 671.56 Gb Free Space | 73.68% Space Free | Partition Type: NTFS Drive D: | 20.01 Gb Total Space | 10.77 Gb Free Space | 53.81% Space Free | Partition Type: FAT32 Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Computer Name: REATOGO | User Name: SYSTEM Boot Mode: Normal | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days Using ControlSet: ControlSet001 ========== Win32 Services (SafeList) ========== SRV - [2012/03/07 13:05:44 | 000,918,880 | ---- | M] () [Auto] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe -- (vToolbarUpdater10.2.0) SRV - [2012/02/02 07:26:38 | 000,666,200 | ---- | M] () [Auto] -- C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVScanningService.exe -- (AV Engine Scanning Service) SRV - [2012/02/02 07:26:38 | 000,204,760 | ---- | M] () [Auto] -- C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVWatchService.exe -- (AV Watch Service) SRV - [2012/01/23 07:40:12 | 001,324,680 | ---- | M] (SPAMfighter ApS) [Auto] -- C:\Program Files\Fighters\FighterSuiteService.exe -- (Suite Service) SRV - [2011/06/28 17:03:07 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011/05/21 00:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService) SRV - [2011/03/28 10:15:04 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2011/01/06 20:00:40 | 000,361,288 | ---- | M] (TuneUp Software) [On_Demand] -- C:\Windows\System32\TuneUpDefragService.exe -- (TuneUp.Defrag) SRV - [2009/11/26 08:28:22 | 000,604,488 | ---- | M] (TuneUp Software) [Auto] -- C:\Windows\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc) SRV - [2009/01/26 10:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService) SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2007/10/08 18:19:22 | 000,358,936 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand] -- -- (IpInIp) DRV - File not found [Kernel | Auto] -- -- (adfs) DRV - [2012/03/14 17:28:06 | 000,278,728 | ---- | M] () [Kernel | Auto] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt) DRV - [2012/03/14 17:28:06 | 000,025,416 | ---- | M] () [Kernel | Auto] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt) DRV - [2012/02/09 16:43:00 | 010,816,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2012/02/02 07:26:40 | 000,010,264 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\System32\drivers\avfsfilter.sys -- (AVFSFilter) DRV - [2011/06/28 17:03:07 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2011/06/28 17:03:07 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2010/06/17 09:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009/02/13 06:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio) DRV - [2007/09/21 04:38:22 | 000,554,496 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u) DRV - [2007/04/13 07:22:56 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.medion.com IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.medion.com IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.babylon.com/?affID=110819&babsrc=HP_ss&mntrId=a2f009d3000000000000002421791008 IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\Wilko_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\System32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: File not found FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\10.2.0.3\ [2012/04/25 08:06:11 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/06 08:30:12 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/16 13:59:39 | 000,000,000 | ---D | M] [2010/03/18 08:12:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2010/01/15 21:15:29 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012/03/07 13:05:42 | 000,003,768 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2012/04/26 03:10:16 | 000,002,313 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml [2010/01/15 21:15:29 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2010/01/15 21:15:29 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2010/01/15 21:15:29 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2010/01/15 21:15:29 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO) O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found. O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found. O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll () O2 - BHO: (DealPly) - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files\DealPly\DealPlyIE.dll (DealPly Technologies Ltd) O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll () O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.) O3 - HKU\Wilko_ON_C\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found. O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [CommonToolkitTray] C:\Program Files\Fighters\Tray\FightersTray.exe (SPAMfighter ApS) O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation) O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe () O4 - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [SWPROguard] C:\Program Files\Fighters\SPYWAREfighter\swproTray.exe (SPAMfighter) O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe () O4 - HKU\LocalService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\NetworkService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\UpdatusUser_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\Wilko_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.) O4 - Startup: Error locating startup folders. O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - File not found O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - File not found O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll () O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 0 O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2012/04/26 03:14:28 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Malwarebytes [2012/04/26 03:14:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012/04/26 03:14:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012/04/26 03:14:14 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012/04/26 03:14:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012/04/26 03:01:52 | 000,000,000 | ---D | C] -- C:\Program Files\DealPly [2012/04/26 03:01:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Creator [2012/04/26 03:01:00 | 000,000,000 | ---D | C] -- C:\Program Files\GPLGS [2012/04/26 03:00:59 | 000,000,000 | ---D | C] -- C:\Program1 [2012/04/26 03:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator [2012/04/26 03:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\BabylonToolbar [2012/04/26 03:00:40 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Babylon [2012/04/26 03:00:40 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Local\Babylon [2012/04/26 03:00:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon [2012/04/25 09:12:39 | 000,000,000 | ---D | C] -- C:\ProgramData\clp [2012/04/25 09:12:30 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fighters [2012/04/25 09:12:30 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Fighters [2012/04/25 09:12:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Common Toolkit Suite [2012/04/25 09:12:02 | 000,000,000 | ---D | C] -- C:\Program Files\Fighters [2012/04/25 09:11:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Common Toolkit Suite [2012/04/25 09:10:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Fighters [2012/04/25 08:20:30 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2012/04/25 06:24:45 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Realtec [2012/04/11 18:19:08 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2012/04/11 18:19:07 | 001,799,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll [2012/04/11 18:19:07 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll [2012/04/11 18:19:06 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll [2012/04/11 18:19:05 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2012/04/11 18:19:05 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2012/04/11 18:19:05 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2012/04/11 18:17:37 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2012/04/11 18:17:37 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012/04/26 05:21:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012/04/26 05:21:42 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2012/04/26 05:20:28 | 000,000,522 | ---- | M] () -- C:\Windows\tasks\1-Klick-Wartung.job [2012/04/26 05:20:10 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2012/04/26 05:20:10 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012/04/26 05:20:09 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2012/04/26 04:34:12 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012/04/26 03:14:17 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012/04/26 03:14:17 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012/04/26 03:10:17 | 000,000,711 | ---- | M] () -- C:\user.js [2012/04/26 03:01:01 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Creator [2012/04/26 02:53:18 | 000,628,504 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012/04/26 02:53:18 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012/04/26 02:53:18 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012/04/26 02:53:17 | 000,126,248 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012/04/25 09:12:30 | 000,001,931 | ---- | M] () -- C:\Users\Wilko\Desktop\SPYWAREfighter.lnk [2012/04/25 08:20:32 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2012/04/25 08:18:00 | 003,077,764 | ---- | M] () -- C:\Users\Wilko\Desktop\MD001764.JPG [2012/04/25 08:12:31 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft Public Test [2012/04/25 08:12:31 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft [2012/04/25 06:29:49 | 021,073,936 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.11-win32.exe.pppw [2012/04/25 06:29:49 | 020,533,281 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.9-win32.exe.nnnb [2012/04/25 06:29:49 | 000,000,348 | ---- | M] () -- C:\Users\Wilko\Documents\locked-test.fdb.aaee [2012/04/25 06:29:48 | 899,012,795 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.7z.nnni [2012/04/25 06:29:48 | 001,228,240 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.exe.jjnn [2012/04/25 06:29:38 | 000,975,140 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\locked-PandaIDProtectHelp_de.chm.eeaa [2012/04/11 18:18:58 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works [2012/04/04 09:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2012/04/26 03:14:17 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012/04/26 03:01:00 | 000,086,016 | ---- | C] () -- C:\Windows\System32\custmon32i.dll [2012/04/26 03:00:59 | 000,000,711 | ---- | C] () -- C:\user.js [2012/04/25 15:16:40 | 003,077,764 | ---- | C] () -- C:\Users\Wilko\Desktop\MD001764.JPG [2012/04/25 09:12:30 | 000,001,931 | ---- | C] () -- C:\Users\Wilko\Desktop\SPYWAREfighter.lnk [2012/04/25 08:20:32 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk [2012/04/25 08:18:37 | 000,001,096 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012/04/25 08:18:36 | 000,001,092 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012/03/14 17:28:06 | 000,278,728 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys [2012/03/14 17:28:06 | 000,025,416 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys [2012/02/02 07:26:40 | 000,010,264 | ---- | C] () -- C:\Windows\System32\drivers\avfsfilter.sys [2011/06/24 15:01:43 | 000,000,000 | ---- | C] () -- C:\Windows\cdplayer.ini [2011/01/23 11:59:59 | 000,975,140 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\locked-PandaIDProtectHelp_de.chm.eeaa [2010/09/05 04:50:28 | 000,000,000 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\wklnhst.dat [2010/03/26 17:04:41 | 000,000,008 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\jasltw.dat [2010/01/07 08:53:46 | 000,000,680 | ---- | C] () -- C:\Users\Wilko\AppData\Local\d3d9caps.dat [2009/12/10 10:50:56 | 000,069,632 | R--- | C] () -- C:\Windows\System32\xmltok.dll [2009/12/10 10:50:56 | 000,036,864 | R--- | C] () -- C:\Windows\System32\xmlparse.dll [2009/10/08 10:29:57 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat [2009/09/03 14:32:17 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini [2009/08/03 11:46:24 | 000,017,408 | ---- | C] () -- C:\Users\Wilko\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009/06/24 15:59:42 | 000,628,504 | ---- | C] () -- C:\Windows\System32\perfh007.dat [2009/06/24 15:59:42 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat [2009/06/24 15:59:42 | 000,126,248 | ---- | C] () -- C:\Windows\System32\perfc007.dat [2009/06/24 15:59:42 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat [2009/06/24 06:43:05 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll [2009/06/24 06:42:47 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin [2009/06/24 06:29:16 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin [2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat [2006/11/02 08:47:37 | 002,224,768 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT [2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll [2006/11/02 06:33:01 | 000,595,798 | ---- | C] () -- C:\Windows\System32\perfh009.dat [2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat [2006/11/02 06:33:01 | 000,103,872 | ---- | C] () -- C:\Windows\System32\perfc009.dat [2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat [2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat [2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin [2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT [2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat ========== LOP Check ========== [2009/08/16 09:20:02 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Acreon [2012/04/26 03:00:40 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Babylon [2012/04/25 06:29:09 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\DVDVideoSoftIEHelpers [2012/04/25 09:12:41 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Fighters [2012/04/25 06:29:09 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\FRITZ! [2010/09/19 11:16:30 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\gtk-2.0 [2010/12/27 18:09:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Local [2012/04/25 08:06:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\MobMapUpdater [2011/01/07 06:01:17 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Panda Security [2012/04/25 08:06:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\RIFT [2012/04/25 06:29:38 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\SurfSecret Privacy Suite [2012/04/25 08:35:48 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\TS3Client [2011/11/18 07:24:14 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\TuneUp Software [2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Anwendungsdaten [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data [2012/03/07 13:05:47 | 000,000,000 | ---D | M] -- C:\ProgramData\AVG Secure Search [2012/04/26 03:00:40 | 000,000,000 | ---D | M] -- C:\ProgramData\Babylon [2009/07/25 10:55:22 | 000,000,000 | ---D | M] -- C:\ProgramData\BullGuard [2010/05/01 06:00:53 | 000,000,000 | -H-D | M] -- C:\ProgramData\CanonBJ [2012/04/25 09:42:41 | 000,000,000 | ---D | M] -- C:\ProgramData\clp [2011/12/21 11:02:26 | 000,000,000 | -H-D | M] -- C:\ProgramData\Common Files [2012/04/25 09:11:59 | 000,000,000 | ---D | M] -- C:\ProgramData\Common Toolkit Suite [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents [2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Dokumente [2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favoriten [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites [2012/04/25 09:12:30 | 000,000,000 | ---D | M] -- C:\ProgramData\Fighters [2011/01/07 06:00:02 | 000,000,000 | ---D | M] -- C:\ProgramData\Panda Security [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu [2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Startmenü [2006/11/02 09:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates [2011/11/18 07:24:16 | 000,000,000 | ---D | M] -- C:\ProgramData\TuneUp Software [2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Vorlagen [2010/08/13 11:41:36 | 000,000,000 | ---D | M] -- C:\ProgramData\Zylom [2009/06/24 08:11:28 | 000,000,000 | ---D | M] -- C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3} [2011/11/18 07:23:14 | 000,000,000 | -HSD | M] -- C:\ProgramData\{32364CEA-7855-4A3C-B674-53D8E9B97936} [2009/07/25 16:12:35 | 000,000,000 | -HSD | M] -- C:\ProgramData\{55A29068-F2CE-456C-9148-C869879E2357} [2010/09/06 15:26:43 | 000,000,000 | -HSD | M] -- C:\ProgramData\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC} [2012/04/26 05:20:28 | 000,000,522 | ---- | M] () -- C:\Windows\Tasks\1-Klick-Wartung.job [2012/04/26 05:21:43 | 000,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > |
26.04.2012, 13:05 | #4 | |
/// Helfer-Team | Windows-Verschlüsselungs Trojaner 1. Zitat:
Code:
ATTFilter :OTL SRV - [2009/01/26 10:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService) SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.medion.com IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=110819&babsrc=HP_ss&mntrId=a2f009d3000000000000002421791008 IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\Wilko_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) [2012/03/07 13:05:42 | 000,003,768 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2012/04/26 03:10:16 | 000,002,313 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml [2010/01/15 21:15:29 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found. O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found. O3 - HKU\Wilko_ON_C\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found. [2012/04/26 05:20:10 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012/04/26 04:34:12 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job :Files C:\ProgramData\BullGuard C:\Users\Wilko\AppData\Roaming\Panda Security C:\ProgramData\Panda Security ipconfig /flushdns /c :Commands [purity] [emptytemp]
2. Boote neu und schaue nach, ob Du schon im normalen Modus arbeiten kannst? wenn ja, so geht es weiter: 3. Deinstalliere, falls unter Systemsteuerung-> Software/Programme existiert: AVG Secure Search <- unnötig Babylon 4. Systemscan mit OTL - nicht mehr das OTLPE starten! Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop.
5. Um festzustellen, ob veraltete oder schädliche Software unter Programme installiert sind, ich würde gerne noch all deine installierten Programme sehen:
__________________ Warnung!: Vorsicht beim Rechnungen per Email mit ZIP-Datei als Anhang! Kann mit einen Verschlüsselungs-Trojaner infiziert sein! Anhang nicht öffnen, in unserem Forum erst nachfragen! Sichere regelmäßig deine Daten, auf CD/DVD, USB-Sticks oder externe Festplatten, am besten 2x an verschiedenen Orten! Bitte diese Warnung weitergeben, wo Du nur kannst! |
26.04.2012, 14:04 | #5 |
| Windows-Verschlüsselungs Trojaner Hi Kira Ich habe den Skript eingefügt,alle Programme geschlossen und den Run Fix Button benutzt.Danach kam auch eine Frage die ich mit ok bestätigt habe aber es wird kein neustart verlangt. Habe es schon zwei mal versucht . Dann habe ich einen neustart gemacht und er fuhr auch ganz normal hoch(normal Modus)Aber ich habe kein Textdokument auf dem Desktop.Sorry aber wie soll ich weiter vorgehen versuche deine anweisung bestmöglich aus zu führen. |
26.04.2012, 14:06 | #6 |
/// Helfer-Team | Windows-Verschlüsselungs Trojaner Eine Kopie eines OTL-Fix-Logs wird in einer Textdatei in folgendem Ordner gespeichert: :\_OTL\Moved Files In den meisten Fällen wird dies C:\_OTL\Moved Files sein
__________________ --> Windows-Verschlüsselungs Trojaner |
26.04.2012, 14:21 | #7 |
| Windows-Verschlüsselungs Trojaner Arbeitsschritt 3 Code:
ATTFilter ========== OTL ========== Service\Driver key SBSDWSCService not found. File C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe not found. Service\Driver key WinDefend not found. File C:\Program Files\Windows Defender\MpSvc.dll not found. HKLM\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully! HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully! HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully! HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main\\StartPageCache| /E : value set successfully! HKU\Wilko_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=3\ not found. File C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) not found. Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=9\ not found. File C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) not found. File C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml not found. File C:\Program Files\mozilla firefox\searchplugins\babylon.xml not found. File C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{326E768D-4182-46FD-9C16-1449A49795F4}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326E768D-4182-46FD-9C16-1449A49795F4}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{593DDEC6-7468-4cdd-90E1-42DADAA222E9}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{593DDEC6-7468-4cdd-90E1-42DADAA222E9}\ not found. Registry value HKEY_USERS\Wilko_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}\ not found. File C:\Windows\tasks\GoogleUpdateTaskMachineCore.job not found. File C:\Windows\tasks\GoogleUpdateTaskMachineUA.job not found. ========== FILES ========== File\Folder C:\ProgramData\BullGuard not found. File\Folder C:\Users\Wilko\AppData\Roaming\Panda Security not found. File\Folder C:\ProgramData\Panda Security not found. < ipconfig /flushdns /c > Windows IP Configuration An internal error occurred: The system cannot find the file specified. Please contact Microsoft Product Support Services for further help. Additional information: Unable to open registry key for tcpip. C:\cmd.bat deleted successfully. C:\cmd.txt deleted successfully. ========== COMMANDS ========== [EMPTYTEMP] Empty user temp failed. Cannot find local settings folders. Empty user temp failed. Cannot find local settings folders. Empty user temp failed. Cannot find local settings folders. Empty user temp failed. Cannot find local settings folders. Empty user temp failed. Cannot find local settings folders. Empty user temp failed. Cannot find local settings folders. %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 1394363 bytes Total Files Cleaned = 1.00 mb OTLPE by OldTimer - Version 3.1.48.0 log created on 04262012_184944 Ich hoffe es ist das richtige Danke für deine Mühe Arbeitsschritt 4/OTL Code:
ATTFilter OTL logfile created on: 26.04.2012 19:28:01 - Run 1 OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\Wilko\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 1,91 Gb Available Physical Memory | 63,67% Memory free 6,22 Gb Paging File | 5,10 Gb Available in Paging File | 82,10% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 911,48 Gb Total Space | 673,17 Gb Free Space | 73,85% Space Free | Partition Type: NTFS Drive D: | 20,01 Gb Total Space | 10,77 Gb Free Space | 53,81% Space Free | Partition Type: FAT32 Computer Name: WILKO-PC | User Name: Wilko | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.04.26 19:25:43 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Wilko\Desktop\OTL.exe PRC - [2012.04.26 12:58:59 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe PRC - [2012.03.07 19:05:44 | 000,918,880 | ---- | M] () -- C:\Programme\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe PRC - [2012.03.07 19:05:43 | 000,982,880 | ---- | M] () -- C:\Programme\AVG Secure Search\vprot.exe PRC - [2012.02.02 13:58:06 | 001,196,168 | ---- | M] (SPAMfighter) -- C:\Programme\Fighters\SPYWAREfighter\swproTray.exe PRC - [2012.02.02 13:26:38 | 000,666,200 | ---- | M] (Preventon Technologies Limited) -- C:\Programme\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe PRC - [2012.02.02 13:26:38 | 000,204,760 | ---- | M] (Preventon Technologies Limited) -- C:\Programme\Common Files\Common Toolkit Suite\AVEngine\AVWatchService.exe PRC - [2012.01.23 13:40:12 | 001,324,680 | ---- | M] (SPAMfighter ApS) -- C:\Programme\Fighters\FighterSuiteService.exe PRC - [2012.01.18 17:36:46 | 001,452,680 | ---- | M] (SPAMfighter ApS) -- C:\Programme\Fighters\Tray\FightersTray.exe PRC - [2011.06.28 23:03:07 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2011.05.21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe PRC - [2011.05.21 06:01:00 | 000,839,272 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\Display\NvXDSync.exe PRC - [2011.05.21 06:01:00 | 000,373,864 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\Display\nvtray.exe PRC - [2011.03.28 16:15:17 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2011.03.28 16:15:04 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2011.03.28 16:14:56 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2009.11.26 14:28:22 | 000,604,488 | ---- | M] (TuneUp Software) -- C:\Windows\System32\TUProgSt.exe PRC - [2009.04.10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009.03.05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Programme\Spybot - Search & Destroy\TeaTimer.exe PRC - [2007.10.09 00:19:22 | 000,358,936 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe PRC - [2007.10.09 00:19:20 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe ========== Modules (No Company Name) ========== MOD - [2012.04.26 12:58:59 | 001,014,744 | ---- | M] () -- C:\Programme\Mozilla Firefox\js3250.dll MOD - [2012.03.07 19:05:43 | 000,982,880 | ---- | M] () -- C:\Programme\AVG Secure Search\vprot.exe MOD - [2011.06.16 09:57:49 | 006,271,136 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll MOD - [2008.09.16 20:18:06 | 000,132,608 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll ========== Win32 Services (SafeList) ========== SRV - [2012.03.07 19:05:44 | 000,918,880 | ---- | M] () [Auto | Running] -- C:\Programme\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe -- (vToolbarUpdater10.2.0) SRV - [2012.02.02 13:26:38 | 000,666,200 | ---- | M] () [Auto | Running] -- C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVScanningService.exe -- (AV Engine Scanning Service) SRV - [2012.02.02 13:26:38 | 000,204,760 | ---- | M] () [Auto | Running] -- C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVWatchService.exe -- (AV Watch Service) SRV - [2012.01.23 13:40:12 | 001,324,680 | ---- | M] (SPAMfighter ApS) [Auto | Running] -- C:\Programme\Fighters\FighterSuiteService.exe -- (Suite Service) SRV - [2011.07.20 06:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv) SRV - [2011.06.28 23:03:07 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011.05.21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService) SRV - [2011.03.28 16:15:04 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2011.01.07 02:00:40 | 000,361,288 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Windows\System32\TuneUpDefragService.exe -- (TuneUp.Defrag) SRV - [2009.11.26 14:28:22 | 000,604,488 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Windows\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc) SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2007.10.09 00:19:22 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R) SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - File not found [Kernel | Auto | Stopped] -- -- (adfs) DRV - [2012.03.14 23:28:06 | 000,278,728 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt) DRV - [2012.03.14 23:28:06 | 000,025,416 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt) DRV - [2012.02.09 22:43:00 | 010,816,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2012.02.02 13:26:40 | 000,010,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avfsfilter.sys -- (AVFSFilter) DRV - [2011.06.28 23:03:07 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2011.06.28 23:03:07 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2010.06.17 15:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009.02.13 12:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio) DRV - [2007.09.21 10:38:22 | 000,554,496 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u) DRV - [2007.04.13 13:22:56 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233} IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=110819&babsrc=SP_ss&mntrId=a2f009d3000000000000002421791008 IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={F2E3B8DF-87A0-4600-A9DD-4A4533047630}&mid=19cc6e041dff47d19306d16d679df9fb-e8408699c5a580a42d9153b1ea19a2065cc8677d&lang=de&ds=tt014&pr=sa&d=2011-12-21 16:02:27&v=10.0.0.7&sap=dsp&q={searchTerms} IE - HKCU\..\SearchScopes\Plasmoo: "URL" = hxxp://plasmoo.com/index.htm?SearchMashine=true&q={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)" FF - prefs.js..browser.search.defaultthis.engineName: "Plasmoo" FF - prefs.js..browser.search.order.1: "Search the web (Babylon)" FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)" FF - prefs.js..browser.startup.homepage: "hxxp://search.babylon.com/?babsrc=HP_Prot" FF - prefs.js..extensions.enabledItems: engine@plasmoo.com:1.0.0.32 FF - prefs.js..extensions.enabledItems: crossriderapp2258@crossrider.com:0.80.26 FF - prefs.js..extensions.enabledItems: ffxtlbr@babylon.com:1.2.0 FF - prefs.js..extensions.enabledItems: {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}:2.0 FF - prefs.js..keyword.URL: "hxxp://search.babylon.com/?affID=110819&babsrc=KW_ss&mntrId=a2f009d3000000000000002421791008&q=" FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll File not found FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\10.2.0.3\ [2012.04.25 14:06:11 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.04.26 12:59:05 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.04.26 12:59:06 | 000,000,000 | ---D | M] [2010.03.18 14:12:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Extensions [2012.04.26 19:18:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions [2012.04.25 14:16:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2012.04.25 14:06:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644} [2012.04.25 14:06:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [2012.04.25 14:06:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [2012.04.26 09:02:01 | 000,000,000 | ---D | M] (DealPly) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF} [2012.04.26 09:01:52 | 000,000,000 | ---D | M] ("I Want This") -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com [2011.06.24 20:23:21 | 000,000,000 | ---D | M] (Plasmoo Search Engine) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com [2012.04.26 09:00:58 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com [2012.04.25 12:29:38 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\locked-plasmoo.xml.mmww [2011.04.28 19:42:58 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\plasmoo.xml [2010.03.18 14:12:03 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2012.04.26 12:59:02 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.04.26 12:59:02 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.04.26 12:59:02 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.04.26 12:59:02 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found. O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found. O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Programme\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll () O2 - BHO: (DealPly) - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Programme\DealPly\DealPlyIE.dll (DealPly Technologies Ltd) O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Programme\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll () O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [CommonToolkitTray] C:\Programme\Fighters\Tray\FightersTray.exe (SPAMfighter ApS) O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation) O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe () O4 - HKLM..\Run: [Skytel] C:\Programme\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [SWPROguard] C:\Programme\Fighters\SPYWAREfighter\swproTray.exe (SPAMfighter) O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe () O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.) O4 - Startup: C:\Users\Wilko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip () O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Wilko\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm File not found O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O13 - gopher Prefix: missing O15 - HKCU\..Trusted Domains: fritz.box ([]* in Local intranet) O15 - HKCU\..Trusted Ranges: Range1 ([*] in Local intranet) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4E86B437-C739-441A-8278-65540A0B6C17}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Programme\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll () O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: O24 - Desktop BackupWallPaper: O32 - HKLM CDRom: AutoRun - 0 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2012.04.26 23:30:44 | 000,000,000 | ---D | C] -- C:\_OTL [2012.04.26 23:30:44 | 000,000,000 | ---D | C] -- \_OTL [2012.04.26 19:25:41 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Wilko\Desktop\OTL.exe [2012.04.26 09:14:28 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Malwarebytes [2012.04.26 09:14:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012.04.26 09:14:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012.04.26 09:14:14 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.04.26 09:14:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.04.26 09:01:52 | 000,000,000 | ---D | C] -- C:\Program Files\DealPly [2012.04.26 09:01:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Creator [2012.04.26 09:01:00 | 000,000,000 | ---D | C] -- C:\Program Files\GPLGS [2012.04.26 09:00:59 | 000,000,000 | ---D | C] -- C:\Program1 [2012.04.26 09:00:59 | 000,000,000 | ---D | C] -- \Program1 [2012.04.26 09:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator [2012.04.26 09:00:40 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Babylon [2012.04.26 09:00:40 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Local\Babylon [2012.04.26 09:00:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon [2012.04.25 15:12:39 | 000,000,000 | ---D | C] -- C:\ProgramData\clp [2012.04.25 15:12:30 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fighters [2012.04.25 15:12:30 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Fighters [2012.04.25 15:12:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Common Toolkit Suite [2012.04.25 15:12:02 | 000,000,000 | ---D | C] -- C:\Program Files\Fighters [2012.04.25 15:11:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Common Toolkit Suite [2012.04.25 15:10:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Fighters [2012.04.25 14:20:30 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2012.04.25 12:24:45 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Realtec [2012.04.12 00:19:08 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2012.04.12 00:19:07 | 001,799,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll [2012.04.12 00:19:06 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll [2012.04.12 00:19:05 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2012.04.12 00:19:05 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2012.04.12 00:19:05 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2012.04.12 00:17:37 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2012.04.12 00:17:37 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe ========== Files - Modified Within 30 Days ========== [2012.04.26 19:25:43 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Wilko\Desktop\OTL.exe [2012.04.26 19:20:11 | 000,628,504 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.04.26 19:20:11 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.04.26 19:20:11 | 000,126,248 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.04.26 19:20:11 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.04.26 19:15:43 | 000,000,522 | ---- | M] () -- C:\Windows\tasks\1-Klick-Wartung.job [2012.04.26 19:15:23 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2012.04.26 19:15:23 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2012.04.26 19:15:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.04.26 17:35:38 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2012.04.26 09:14:17 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.04.26 09:10:17 | 000,000,711 | ---- | M] () -- C:\user.js [2012.04.25 15:12:30 | 000,001,931 | ---- | M] () -- C:\Users\Wilko\Desktop\SPYWAREfighter.lnk [2012.04.25 14:20:32 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2012.04.25 14:18:00 | 003,077,764 | ---- | M] () -- C:\Users\Wilko\Desktop\MD001764.JPG [2012.04.25 12:29:49 | 021,073,936 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.11-win32.exe.pppw [2012.04.25 12:29:49 | 020,533,281 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.9-win32.exe.nnnb [2012.04.25 12:29:49 | 000,000,348 | ---- | M] () -- C:\Users\Wilko\Documents\locked-test.fdb.aaee [2012.04.25 12:29:48 | 899,012,795 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.7z.nnni [2012.04.25 12:29:48 | 001,228,240 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.exe.jjnn [2012.04.25 12:29:38 | 000,975,140 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\locked-PandaIDProtectHelp_de.chm.eeaa [2012.04.25 12:28:28 | 000,005,199 | ---- | M] () -- C:\Users\Wilko\locked-.recently-used.xbel.kwpp [2012.04.25 12:28:28 | 000,001,024 | ---- | M] () -- C:\Users\Wilko\locked-.rnd.lllr [2012.04.04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys ========== Files Created - No Company Name ========== [2012.04.26 09:14:17 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.04.26 09:01:00 | 000,086,016 | ---- | C] () -- C:\Windows\System32\custmon32i.dll [2012.04.26 09:00:59 | 000,000,711 | ---- | C] () -- C:\user.js [2012.04.26 09:00:59 | 000,000,711 | ---- | C] () -- \user.js [2012.04.25 21:16:40 | 003,077,764 | ---- | C] () -- C:\Users\Wilko\Desktop\MD001764.JPG [2012.04.25 15:12:30 | 000,001,931 | ---- | C] () -- C:\Users\Wilko\Desktop\SPYWAREfighter.lnk [2012.04.25 14:20:32 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk [2012.03.14 23:28:06 | 000,278,728 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys [2012.03.14 23:28:06 | 000,025,416 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys [2012.02.02 13:26:40 | 000,010,264 | ---- | C] () -- C:\Windows\System32\drivers\avfsfilter.sys [2011.06.24 21:01:43 | 000,000,000 | ---- | C] () -- C:\Windows\cdplayer.ini [2011.01.23 17:59:59 | 000,975,140 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\locked-PandaIDProtectHelp_de.chm.eeaa [2010.09.05 10:50:28 | 000,000,000 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\wklnhst.dat ========== LOP Check ========== [2009.08.16 15:20:02 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Acreon [2012.04.26 09:00:40 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Babylon [2012.04.25 12:29:09 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\DVDVideoSoftIEHelpers [2012.04.25 15:12:41 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Fighters [2012.04.25 12:29:09 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\FRITZ! [2010.09.19 17:16:30 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\gtk-2.0 [2010.12.28 00:09:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Local [2012.04.25 14:06:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\MobMapUpdater [2012.04.25 14:06:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\RIFT [2012.04.25 12:29:38 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\SurfSecret Privacy Suite [2012.04.25 14:35:48 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\TS3Client [2011.11.18 13:24:14 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\TuneUp Software [2012.04.26 19:15:43 | 000,000,522 | ---- | M] () -- C:\Windows\Tasks\1-Klick-Wartung.job [2012.04.26 17:35:38 | 000,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > Arbeitsschritt 4/Extras Code:
ATTFilter OTL Extras logfile created on: 26.04.2012 19:28:01 - Run 1 OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\Wilko\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 1,91 Gb Available Physical Memory | 63,67% Memory free 6,22 Gb Paging File | 5,10 Gb Available in Paging File | 82,10% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 911,48 Gb Total Space | 673,17 Gb Free Space | 73,85% Space Free | Partition Type: NTFS Drive D: | 20,01 Gb Total Space | 10,77 Gb Free Space | 53,81% Space Free | Partition Type: FAT32 Computer Name: WILKO-PC | User Name: Wilko | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Directory [scan_with_SPYWAREfighter] -- C:\Program Files\Fighters\SPYWAREfighter\swproTray.exe /scan "%1" (SPAMfighter) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0576484B-CFDF-4578-938E-BA37897346F9}" = rport=445 | protocol=6 | dir=out | app=system | "{0FD94D0D-A4DF-4168-AE74-D22A00E48FA4}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{2681CE1A-C4D6-471B-B5B7-0894CAC6DB53}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 | "{26C1D7EA-940A-4124-9E6E-5CB7C909047F}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{559BBAC4-D482-4A7A-B6D6-4C3B00B0F17A}" = rport=138 | protocol=17 | dir=out | app=system | "{65525969-717A-44D4-AE69-ADA9B6573838}" = lport=137 | protocol=17 | dir=in | app=system | "{90F842E7-65A8-420D-838F-6C99FCEB45FF}" = lport=139 | protocol=6 | dir=in | app=system | "{925EB8A1-F219-45F4-BBF2-26F589EB34B9}" = rport=137 | protocol=17 | dir=out | app=system | "{C2533CE6-01EE-4C29-B674-2259A26F5F5B}" = lport=138 | protocol=17 | dir=in | app=system | "{D1E2B418-1654-499F-AF12-C8A2FFCB0D5F}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 | "{DE025F95-B9B6-4380-B434-D8590FF9CE20}" = lport=445 | protocol=6 | dir=in | app=system | "{F2FB3BB9-213F-4295-AE0F-75AB1A5C0AF4}" = rport=139 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{02AB6182-D21C-4BBF-9909-7E0E4B416CFB}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft public test\launcher.exe | "{294D2D70-8E03-43F0-BF94-1BEA03D83C14}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{2D7ED276-8504-4DFB-BE11-F58CBA20A4A0}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-dede-downloader.exe | "{39E6641B-70BA-41F4-B317-4DDE9D5341CE}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-dede-downloader.exe | "{4CE0D565-E626-4D6F-BB0E-887FF92BEA05}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft public test\launcher.exe | "{5327DE85-2141-4473-8B13-DC851EA37CBC}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{59583D79-806A-4852-B716-E12C7C0B35B8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{5F2079AF-FC02-4D10-B544-33B3CEB7C030}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | "{6747681A-80FD-456C-86BB-252E671571CA}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-dede-downloader.exe | "{68320C18-5129-4CAF-B925-E20B2D3169FF}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-dede-downloader.exe | "{6C3FDFDF-9EF2-4693-B13A-7BE49248DFE7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{6FF565E2-1756-463F-B5EB-9C2CC85DA4B2}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | "{736F6E3D-F158-4451-B0A4-17BC2E176E8D}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-dede-downloader.exe | "{7C1F5820-76BE-4824-8D80-FCF846369930}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-dede-downloader.exe | "{8390C588-0905-4B22-BDA9-486A0B88CEE6}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{8AF6042F-44E6-4CF4-AA02-571EA07B79A9}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{9067DCC7-1091-4812-9544-E07E05B880E9}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | "{92930DC7-B3A4-4052-861B-904A2444B657}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | "{9399F18A-F449-4691-B8B5-02CD6814BD2F}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | "{946BC3A3-0A7C-45FA-8345-13900A4DBE6E}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | "{A38FE3B4-EAA4-4FDF-A1B1-A91AB7A940C9}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.3.0.10522-dede-ptr-downloader.exe | "{A45BC1A1-BC30-4DDB-9597-A7ED7C83E19C}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-dede-downloader.exe | "{B52F6506-9B41-4120-8860-40CEE06BA907}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.patch.exe | "{B7285437-C0A4-4FE3-A4ED-23A4FAA7BEBB}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | "{BD0D44AC-C225-44AC-A669-DB927626DDBF}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{C1F1BB38-1BD3-4DA0-A838-C27DF1E92AB1}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.3.0.10522-dede-ptr-downloader.exe | "{CC590FEC-8E46-4B5F-8B3F-46F6B419E138}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-dede-downloader.exe | "{D6C8855E-A738-49F0-9E5A-355DDF448582}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | "{E1E217FA-3A0E-4508-8897-8E5591D01053}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{E510A1C7-1EB3-4B1B-927B-24BFF6F1D89B}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.patch.exe | "{FFC3EB0B-B88A-4AC0-8F85-E76D8F068EB6}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "TCP Query User{036B3229-B927-4A26-BF9A-ABD2D2A451E5}C:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-dede-downloader.exe | "TCP Query User{04F528B8-A11B-4A6E-AE0E-45516BD15A52}C:\users\public\games\world of warcraft\blizzard downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\blizzard downloader.exe | "TCP Query User{0BB4E001-2EB2-49B5-8B92-9D5DA1374436}C:\users\public\games\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-dede-downloader.exe | "TCP Query User{0C76E885-CDAE-443B-9889-411D4116086A}C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-dede-downloader.exe | "TCP Query User{21B2A59F-0872-46D7-84CE-997BEE7019DB}C:\users\public\games\world of warcraft\repair.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\repair.exe | "TCP Query User{31241318-CDA1-4E48-A08D-B94FD1203220}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | "TCP Query User{47BE296B-AECB-4927-9262-5A248B15F6A9}C:\users\public\games\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe | "TCP Query User{59D4DEAF-F870-422D-A35A-0F05340EE54D}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-dede-downloader.exe | "TCP Query User{6BE3C736-280E-44F3-BB47-1B54934921E7}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | "TCP Query User{7CA71000-EEFC-4B6A-9C4A-ED8F4521DE7C}C:\users\public\games\world of warcraft\temp\wow-4.0.0.1807-to-4.0.0.1987-enus-tools-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\temp\wow-4.0.0.1807-to-4.0.0.1987-enus-tools-downloader.exe | "TCP Query User{7D330FEB-F041-4757-86AD-C8127BC0F0D8}C:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-dede-downloader.exe | "TCP Query User{7E6D6AD4-8853-4479-9A99-606C36F3815D}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | "TCP Query User{E6ACB204-84F8-466D-AB9E-92971061F8AB}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | "TCP Query User{F83FF41E-ABE2-40DE-AACD-458C3B02869F}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | "UDP Query User{0C8BCE82-801F-4872-8F4E-0CD039BA8FCC}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | "UDP Query User{34AB392B-DFB6-4973-BFBD-00BC3DBEF053}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-dede-downloader.exe | "UDP Query User{3F2DD4BB-371E-4107-ABE0-90D4EFFC330E}C:\users\public\games\world of warcraft\temp\wow-4.0.0.1807-to-4.0.0.1987-enus-tools-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\temp\wow-4.0.0.1807-to-4.0.0.1987-enus-tools-downloader.exe | "UDP Query User{4B87675B-29B4-4E8F-8C3B-A7AD897C31EE}C:\users\public\games\world of warcraft\repair.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\repair.exe | "UDP Query User{56697D47-352C-4989-A8BA-A8E67D12FB3A}C:\users\public\games\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-dede-downloader.exe | "UDP Query User{5A6B024F-7BA7-4629-A927-0A8C1831590C}C:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-dede-downloader.exe | "UDP Query User{5B7444B1-6D08-4561-99FA-C6C3C8DDE5DE}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | "UDP Query User{6DA3A4F2-EFDB-44B7-95D9-6821242FB8E1}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | "UDP Query User{6E16473C-0D40-4466-9ABB-F41DFBDA1401}C:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-dede-downloader.exe | "UDP Query User{8CB7A0DA-6CC0-486C-897A-AF4C17BC963F}C:\users\public\games\world of warcraft\blizzard downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\blizzard downloader.exe | "UDP Query User{9766B614-0D24-4B0C-B1AA-D17AB31141F1}C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-dede-downloader.exe | "UDP Query User{E50789E4-BB9A-47F0-8779-7839BE9AC599}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | "UDP Query User{EDA0633E-6733-49EC-AF9B-B5E7A22A5B3B}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | "UDP Query User{F188E26F-F376-4D92-93EF-029298BB8989}C:\users\public\games\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 14 "{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup "{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update "{55A29068-F2CE-456C-9148-C869879E2357}" = TuneUp Utilities 2009 "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml "{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3 "{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites "{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel(R) PRO Network Connections 12.1.12.0 "{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer "{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call "{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync "{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007 "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3) "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German) "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9A4D182C-35C7-4791-8484-4304EBC9101A}" = Windows 7 Upgrade Advisor "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.5 - Deutsch "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9 "{B108EF72-A5F3-4C9E-AA47-3E8474D1B5A2}" = Fighters "{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 275.33 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 275.33 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.10.0514 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX "{BAC80EF3-E106-4AEA-8C57-F217F9BC7358}" = Microsoft SQL Server 2005 Compact Edition [DEU] "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "AVG Secure Search" = AVG Security Toolbar "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "CCleaner" = CCleaner "DealPly" = DealPly "HOMESTUDENTR" = Microsoft Office Home and Student 2007 "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.61.0.1400 "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mozilla Firefox (3.6.28)" = Mozilla Firefox (3.6.28) "PDF Creator" = PDF Creator "PROSetDX" = Intel(R) PRO Network Connections 12.1.12.0 "SPYWAREfighter" = SPYWAREfighter "TeamSpeak 3 Client" = TeamSpeak 3 Client "VLC media player" = VLC media player 1.1.11 "WinLiveSuite_Wave3" = Windows Live Essentials "WinRAR archiver" = WinRAR "World of Warcraft" = World of Warcraft "World of Warcraft Public Test" = World of Warcraft Public Test ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "090215de958f1060" = Curse Client ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 27.10.2011 10:08:56 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 28.10.2011 05:00:56 | Computer Name = Wilko-PC | Source = WinMgmt | ID = 10 Description = Error - 28.10.2011 05:01:09 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 28.10.2011 05:01:09 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 28.10.2011 11:16:47 | Computer Name = Wilko-PC | Source = WinMgmt | ID = 10 Description = Error - 28.10.2011 11:16:59 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 28.10.2011 11:16:59 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 29.10.2011 04:21:06 | Computer Name = Wilko-PC | Source = WinMgmt | ID = 10 Description = Error - 29.10.2011 04:21:26 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 29.10.2011 04:21:26 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = [ System Events ] Error - 26.04.2012 02:48:46 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000 Description = Error - 26.04.2012 02:48:56 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026 Description = Error - 26.04.2012 05:20:18 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000 Description = Error - 26.04.2012 05:20:27 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026 Description = Error - 26.04.2012 06:57:42 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000 Description = Error - 26.04.2012 06:57:51 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026 Description = Error - 26.04.2012 11:34:12 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000 Description = Error - 26.04.2012 11:34:12 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026 Description = Error - 26.04.2012 13:15:54 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000 Description = Error - 26.04.2012 13:15:54 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026 Description = [ TuneUp Events ] Error - 21.12.2011 11:00:06 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300 Description = Error - 21.12.2011 15:24:38 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300 Description = Error - 22.12.2011 04:54:20 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300 Description = Error - 22.12.2011 11:29:35 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300 Description = Error - 23.12.2011 04:14:21 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300 Description = Error - 23.12.2011 12:10:55 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300 Description = Error - 25.12.2011 06:31:00 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300 Description = Error - 26.04.2012 03:14:31 | Computer Name = Wilko-PC | Source = TuneUp Program Statistics | ID = 131840 Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2012-04-26 09:14:31', '\device\harddiskvolume1\program files\malwarebytes' anti-malware\mbam.exe','2204',0) Error - 26.04.2012 03:15:11 | Computer Name = Wilko-PC | Source = TuneUp Program Statistics | ID = 131840 Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2012-04-26 09:15:11', '\device\harddiskvolume1\program files\malwarebytes' anti-malware\mbam.exe','2380',0) Error - 26.04.2012 04:14:37 | Computer Name = Wilko-PC | Source = TuneUp Program Statistics | ID = 131840 Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2012-04-26 10:14:37', '\device\harddiskvolume1\program files\malwarebytes' anti-malware\mbam.exe','3608',0) < End of report > Vielen Dank Arbeitsschritt 5/meine Programme Code:
ATTFilter Activation Assistant for the 2007 Microsoft Office suites Microsoft Corporation 24.07.2009 14,0MB Adobe AIR Adobe Systems Inc. 02.10.2009 1.1.0.5790 Adobe Flash Player 10 ActiveX Adobe Systems Incorporated 28.05.2011 10.3.181.14 Adobe Flash Player 10 Plugin Adobe Systems Incorporated 15.06.2011 2,95MB 10.3.181.26 Adobe Reader 9.4.5 - Deutsch Adobe Systems Incorporated 15.06.2011 167,4MB 9.4.5 Adobe Shockwave Player 11.5 Adobe Systems, Inc. 15.12.2010 8,95MB 11.5.9.615 AVG Security Toolbar AVG Technologies 06.03.2012 10,00MB 10.2.0.3 Avira AntiVir Personal - Free Antivirus Avira GmbH 13.02.2012 73,0MB 10.2.0.707 CCleaner Piriform 24.04.2012 4,46MB 3.17 Compatibility Pack für 2007 Office System Microsoft Corporation 19.03.2012 70,6MB 12.0.6612.1000 Curse Client Curse 20.02.2012 4.0.1.180 DealPly DealPly 25.04.2012 0,46MB Intel(R) Matrix Storage Manager 24.07.2009 3,77MB Intel(R) PRO Network Connections 12.1.12.0 Intel 23.06.2009 8,21MB Java(TM) 6 Update 14 Sun Microsystems, Inc. 23.06.2009 97,5MB 6.0.140 Malwarebytes Anti-Malware Version 1.61.0.1400 Malwarebytes Corporation 25.04.2012 11,7MB 1.61.0.1400 Microsoft .NET Framework 3.5 Language Pack SP1 - DEU Microsoft Corporation 23.06.2009 37,6MB Microsoft .NET Framework 3.5 SP1 Microsoft Corporation 23.06.2009 37,6MB Microsoft .NET Framework 4 Client Profile Microsoft Corporation 25.06.2010 120,3MB 4.0.30319 Microsoft Office File Validation Add-In Microsoft Corporation 15.09.2011 7,95MB 14.0.5130.5003 Microsoft Office Home and Student 2007 Microsoft Corporation 20.03.2012 320MB 12.0.6612.1000 Microsoft Office Live Add-in 1.3 Microsoft Corporation 23.06.2009 0,48MB 2.0.2313.0 Microsoft Office PowerPoint Viewer 2007 (German) Microsoft Corporation 19.03.2012 62,2MB 12.0.6612.1000 Microsoft Silverlight Microsoft Corporation 14.02.2012 25,9MB 4.1.10111.0 Microsoft SQL Server 2005 Compact Edition [DEU] Microsoft Corporation 23.06.2009 0,32MB 3.1.0000 Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Corporation 23.06.2009 1,74MB 3.1.0000 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Corporation 05.09.2010 0,25MB 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 16.06.2011 0,29MB 8.0.61001 Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Corporation 05.09.2010 0,19MB 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 Microsoft Corporation 11.04.2011 0,58MB 9.0.30729.5570 Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Corporation 30.06.2011 1,41MB 9.0.21022 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 24.07.2009 0,58MB 9.0.30729 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 16.06.2011 0,58MB 9.0.30729.6161 Microsoft Works Microsoft Corporation 11.04.2012 711MB 9.7.0621 Mozilla Firefox (3.6.28) Mozilla 25.04.2012 28,3MB 3.6.28 (de) MSXML 4.0 SP2 (KB936181) Microsoft Corporation 23.06.2009 1,28MB 4.20.9848.0 MSXML 4.0 SP2 (KB941833) Microsoft Corporation 23.06.2009 1,28MB 4.20.9849.0 MSXML 4.0 SP2 (KB954430) Microsoft Corporation 23.06.2009 1,29MB 4.20.9870.0 MSXML 4.0 SP2 (KB973688) Microsoft Corporation 25.11.2009 1,35MB 4.20.9876.0 NVIDIA Grafiktreiber 275.33 NVIDIA Corporation 18.07.2011 89,7MB 275.33 NVIDIA PhysX-Systemsoftware 9.10.0514 NVIDIA Corporation 06.01.2011 73,3MB 9.10.0514 NVIDIA Update 1.3.5 NVIDIA Corporation 18.07.2011 6,37MB 1.3.5 PDF Creator 25.04.2012 Realtek High Definition Audio Driver Realtek Semiconductor Corp. 23.06.2009 9,79MB 6.0.1.5783 Spelling Dictionaries Support For Adobe Reader 9 Adobe Systems Incorporated 20.01.2011 29,7MB 9.0.0 Spybot - Search & Destroy Safer Networking Limited 16.01.2010 59,9MB 1.6.2 SPYWAREfighter SPAMFIGHTER ApS 24.04.2012 17,3MB 4.1.133 TeamSpeak 3 Client TeamSpeak Systems GmbH 26.01.2010 27,9MB TuneUp Utilities 2009 TuneUp Software 25.11.2009 47,0MB 8.0.3310.3 VLC media player 1.1.11 VideoLAN 23.08.2011 78,1MB 1.1.11 Windows 7 Upgrade Advisor Microsoft Corporation 02.01.2010 8,77MB 2.0.5000.0 Windows Live Anmelde-Assistent Microsoft Corporation 23.06.2009 1,93MB 5.000.818.6 Windows Live Essentials Microsoft Corporation 23.06.2009 136,5MB 14.0.8050.1202 Windows Live Sync Microsoft Corporation 23.06.2009 2,80MB 14.0.8050.1202 Windows Live-Uploadtool Microsoft Corporation 23.06.2009 0,22MB 14.0.8014.1029 WinRAR 24.07.2009 3,73MB World of Warcraft Blizzard Entertainment 28.02.2012 29.377MB 4.3.3.15354 World of Warcraft Public Test Blizzard Entertainment 16.01.2011 12.762MB 0.0.0.0 Geändert von Toront (26.04.2012 um 14:46 Uhr) |
26.04.2012, 16:46 | #8 | |||
/// Helfer-Team | Windows-Verschlüsselungs Trojaner Systemreinigung und Prüfung: 1. Ich vermute, dass Du nicht absichtlich installiert hast? Auf jeden Fall absolut unnötig, ich würde an deiner Stelle deinstallieren: Zitat:
Zitat:
meiner Meinung nach bietet nicht mehr ausreichenden Schutz gegen "moderne Malwarearten"... ► Falls Du doch es behalten möchtest: Stelle bitte den TeaTimer ab: Gehe bei Spybot-S&D in den Erweiterten Modus und wähle dort Werkzeuge -> Resident. Deaktiviere hier den "Resident TeaTimer aktiv". (Tea Timer versucht positive änderungen auch zu blockieren) - soll für immer deaktiviert bleiben! 3. Zitat:
Code:
ATTFilter :OTL IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233} IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110819&babsrc=SP_ss&mntrId=a2f009d3000000000000002421791008 IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={F2E3B8DF-87A0-4600-A9DD-4A4533047630}&mid=19cc6e041dff47d19306d16d679df9fb-e8408699c5a580a42d9153b1ea19a2065cc8677d&lang=de&ds=tt014&pr=sa&d=2011-12-21 16:02:27&v=10.0.0.7&sap=dsp&q={searchTerms} IE - HKCU\..\SearchScopes\Plasmoo: "URL" = hxxp://plasmoo.com/index.htm?SearchMashine=true&q={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)" FF - prefs.js..browser.search.defaultthis.engineName: "Plasmoo" FF - prefs.js..browser.search.order.1: "Search the web (Babylon)" FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)" FF - prefs.js..browser.startup.homepage: "hxxp://search.babylon.com/?babsrc=HP_Prot" FF - prefs.js..extensions.enabledItems: engine@plasmoo.com:1.0.0.32 prefs.js..extensions.enabledItems: ffxtlbr@babylon.com:1.2.0 prefs.js..extensions.enabledItems: {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}:2.0 FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=110819&babsrc=KW_ss&mntrId=a2f009d3000000000000002421791008&q=" [2012.04.26 09:01:52 | 000,000,000 | ---D | M] ("I Want This") -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com [2011.06.24 20:23:21 | 000,000,000 | ---D | M] (Plasmoo Search Engine) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com [2012.04.26 09:00:58 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com [2012.04.25 12:29:38 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\locked-plasmoo.xml.mmww [2011.04.28 19:42:58 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\plasmoo.xml O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found. O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found. :Files C:\Users\Wilko\AppData\Roaming\Babylon C:\Users\Wilko\AppData\Local\Babylon C:\ProgramData\Babylon ipconfig /flushdns /c :Commands [purity] [emptytemp]
4. Aktualisieren: Alte Version deinstallieren und neue herunterladen:-> http://filepony.de/download-firefox/ Code:
ATTFilter Mozilla Firefox ..falls nötig, vorher für dich wichtige (Benutzerdefinierte) Einstellungen zu speichern:-> Mozilla Firefox Backup erstellen 5. Deine Javaversion ist nicht aktuell! Da aufgrund alter Sicherheitslücken ist Java sehr anfällig, deinstalliere zunächst alle vorhandenen Java-Versionen: → Systemsteuerung → Software → deinstallieren... → Rechner neu aufstarten → Downloade nun die Offline-Version von Java "Empfohlen Version 6 Update 31 " von Oracle herunter Achte darauf, eventuell angebotene Toolbars abwählen (den Haken bei der Toolbar entfernen)! 6. Adobe Reader aktualisieren : - Bei Installation aufpassen/mitlesen!: Wenn irgendeine Software, Toolbar etc angeboten wird, bitte abwählen! - (z.B "McAfee Security Scan Plus") Adobe Reader Oder: Adobe starten-> gehe auf "Hilfe"-> "Nach Update suchen..." 7. Tipps (unabhängig davon ob man ihn benutzt oder nicht!): -> Tipps zu Internet Explorer -> Standard Suchmaschine des Explorers ändern -> Wie kann ich den Cache im Internet Explorer leeren? -> Verwalten von Add-Ons in Internet Explorer -> Firefox mit Add-ons anpassen -> Firefox Add-Ons endgültig löschen | PcBeirat.de 8. reinige dein System mit CCleaner:
9. läuft unter XP, Vista mit (32Bit) und Windows 7 (32Bit) Achtung!: WENN GMER NICHT AUSGEFÜHRT WERDEN KANN ODER PROBMLEME VERURSACHT, fahre mit dem nächsten Punkt fort!- Es ist NICHT sinnvoll einen zweiten Versuch zu starten! Um einen tieferen Einblick in dein System, um eine mögliche Infektion mit einem Rootkit/Info v.wikipedia.org) aufzuspüren, werden wir ein Tool - Gmer - einsetzen :
** keine Verbindung zu einem Netzwerk und Internet - WLAN nicht vergessen Wenn der Scan beendet ist, bitte alle Programme und Tools wieder aktivieren! Anleitung:-> GMER - Rootkit Scanner 10. Kontrolle mit MBR -t, ob Master Boot Record in Ordnung ist (MBR-Rootkit) Mit dem folgenden Tool prüfen wir, ob sich etwas Schädliches im Master Boot Record eingenistet hat.
__________________ Warnung!: Vorsicht beim Rechnungen per Email mit ZIP-Datei als Anhang! Kann mit einen Verschlüsselungs-Trojaner infiziert sein! Anhang nicht öffnen, in unserem Forum erst nachfragen! Sichere regelmäßig deine Daten, auf CD/DVD, USB-Sticks oder externe Festplatten, am besten 2x an verschiedenen Orten! Bitte diese Warnung weitergeben, wo Du nur kannst! |
26.04.2012, 17:31 | #9 |
| Windows-Verschlüsselungs Trojaner Hallo Kira Arbeitsschritt 1 Deinstalliert Arbeitsschritt 2 Deinstalliert Arbeitsschritt 3 Code:
ATTFilter All processes killed ========== OTL ========== HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully! Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ not found. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully! Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{searchTerms}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{searchTerms}\ not found. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename Prefs.js: "Plasmoo" removed from browser.search.defaultthis.engineName Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1 Prefs.js: "Search the web (Babylon)" removed from browser.search.selectedEngine Prefs.js: "hxxp://search.babylon.com/?babsrc=HP_Prot" removed from browser.startup.homepage Prefs.js: engine@plasmoo.com:1.0.0.32 removed from extensions.enabledItems Prefs.js: "hxxp://search.babylon.com/?affID=110819&babsrc=KW_ss&mntrId=a2f009d3000000000000002421791008&q=" removed from keyword.URL C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\skin folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\locale\en-US folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\locale folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\defaults\preferences folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\defaults folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\chrome\content\lib folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\chrome\content folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\chrome folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com\skin folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com\searchplugin folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com\chrome\content folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com\chrome folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\defaults\preferences folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\defaults folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\content\imgs\flgs folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\content\imgs folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\content folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\components folder moved successfully. C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com folder moved successfully. C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\locked-plasmoo.xml.mmww moved successfully. C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\plasmoo.xml moved successfully. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{326E768D-4182-46FD-9C16-1449A49795F4}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326E768D-4182-46FD-9C16-1449A49795F4}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{593DDEC6-7468-4cdd-90E1-42DADAA222E9}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{593DDEC6-7468-4cdd-90E1-42DADAA222E9}\ not found. ========== FILES ========== C:\Users\Wilko\AppData\Roaming\Babylon folder moved successfully. C:\Users\Wilko\AppData\Local\Babylon\Setup\HtmlScreens folder moved successfully. C:\Users\Wilko\AppData\Local\Babylon\Setup folder moved successfully. C:\Users\Wilko\AppData\Local\Babylon folder moved successfully. C:\ProgramData\Babylon folder moved successfully. < ipconfig /flushdns /c > Windows-IP-Konfiguration Der DNS-Aufl”sungscache wurde geleert. C:\Users\Wilko\Desktop\cmd.bat deleted successfully. C:\Users\Wilko\Desktop\cmd.txt deleted successfully. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes ->Flash cache emptied: 83 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Flash cache emptied: 0 bytes User: Public User: UpdatusUser ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes ->Flash cache emptied: 83 bytes User: Wilko ->Temp folder emptied: 21803909 bytes ->Temporary Internet Files folder emptied: 61385263 bytes ->Java cache emptied: 8711320 bytes ->FireFox cache emptied: 58428103 bytes ->Flash cache emptied: 2328 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 2808998 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 146,00 mb OTL by OldTimer - Version 3.2.42.1 log created on 04262012_222553 Files\Folders moved on Reboot... C:\Windows\temp\h1p6f1zp.vbt moved successfully. Registry entries deleted on Reboot... Arbeitsschritt 9 Code:
ATTFilter GMER 1.0.15.15641 - hxxp://www.gmer.net Rootkit scan 2012-04-27 00:21:44 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.ST6O Running: tfptc0hf.exe; Driver: C:\Users\Wilko\AppData\Local\Temp\uwloqpoc.sys ---- System - GMER 1.0.15 ---- SSDT 8B62EAFE ZwCreateSection SSDT 8B62EB03 ZwSetContextThread SSDT 8B62EA9F ZwTerminateProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 215 81EB4998 4 Bytes JMP FD2F8B62 .text ntkrnlpa.exe!KeSetEvent + 56D 81EB4CF0 4 Bytes [03, EB, 62, 8B] .text ntkrnlpa.exe!KeSetEvent + 621 81EB4DA4 4 Bytes [9F, EA, 62, 8B] .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9E683300, 0x3ACC8, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9E6C6300, 0x1B7E, 0xE8000020] ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a9413a527 Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a9413a527 (not active ControlSet) ---- EOF - GMER 1.0.15 ---- Arbeitsschritt 5 neue Version installiert Arbeitsschritt 6 ebenfals deinstalliert und neue istalliert Arbeitsschritt 7 Tipps angeschaut und teilweise genutzt Arbeitsschritt 8 von CCleaner alle Fehler beheben lassen Arbeitsschritt 10 ist gerade in Arbeit Hm Kira mit Arbeitsschritt 10 siehts schlecht aus, sobald ich die mbr.exe downloaden will springt mein Spywarefighter an und meldet gefundene infektion - Trojan.Kryptik!zdyqs+PkYQ4 |
Themen zu Windows-Verschlüsselungs Trojaner |
abgesicherten, andere, anderen, anhang, beiträge, bilder, dahinter, dateien, email, email anhang, festgestellt, hoffe, jahre, konnte, modus, nichts, rechner, retten, sache, sachen, systemwiederherstellung, systemwiederherstellung gemacht, thema, trojane, trojaner, vorhanden, wichtig, würde |